From e0802f582b4ecf124cf006c35cf03a8433220d1d Mon Sep 17 00:00:00 2001
From: Skylar Ittner <admin@netsyms.com>
Date: Wed, 26 Dec 2018 16:22:09 -0700
Subject: [PATCH 1/5] Remove unneeded index.css

---
 static/css/index.css | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 static/css/index.css

diff --git a/static/css/index.css b/static/css/index.css
deleted file mode 100644
index 81e0ba0..0000000
--- a/static/css/index.css
+++ /dev/null
@@ -1,15 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-.banner-image {
-    max-height: 100px;
-    margin: 2em auto;
-    border: 1px solid grey;
-    border-radius: 15%;
-}
-
-.footer {
-    margin-top: 10em;
-    text-align: center;
-}
\ No newline at end of file

From 106e697fc38dcbc0f347598cb4e99ccde8719c81 Mon Sep 17 00:00:00 2001
From: Skylar Ittner <admin@netsyms.com>
Date: Wed, 26 Dec 2018 16:25:48 -0700
Subject: [PATCH 2/5] Remove captcha-related code, since login is done by
 AccountHub now

---
 langs/en/core.json    |  1 -
 lib/Login.lib.php     | 23 -----------------------
 required.php          |  9 ++++-----
 settings.template.php | 15 ---------------
 4 files changed, 4 insertions(+), 44 deletions(-)

diff --git a/langs/en/core.json b/langs/en/core.json
index 20eac0a..c9a9d0b 100644
--- a/langs/en/core.json
+++ b/langs/en/core.json
@@ -11,6 +11,5 @@
     "invalid parameters": "Invalid request parameters.",
     "login server error": "The login server returned an error: {arg}",
     "login server user data error": "The login server refused to provide account information.  Try again or contact technical support.",
-    "captcha error": "There was a problem with the CAPTCHA (robot test).  Try again.",
     "no access permission": "You do not have permission to access this system."
 }
diff --git a/lib/Login.lib.php b/lib/Login.lib.php
index b136c6c..219cfea 100644
--- a/lib/Login.lib.php
+++ b/lib/Login.lib.php
@@ -45,29 +45,6 @@ class Login {
         return Login::LOGIN_OK;
     }
 
-    public static function verifyCaptcha(string $session, string $answer, string $url): bool {
-        $data = [
-            'session_id' => $session,
-            'answer_id' => $answer,
-            'action' => "verify"
-        ];
-        $options = [
-            'http' => [
-                'header' => "Content-type: application/x-www-form-urlencoded\r\n",
-                'method' => 'POST',
-                'content' => http_build_query($data)
-            ]
-        ];
-        $context = stream_context_create($options);
-        $result = file_get_contents($url, false, $context);
-        $resp = json_decode($result, TRUE);
-        if (!$resp['result']) {
-            return false;
-        } else {
-            return true;
-        }
-    }
-
     /**
      * Check the login server API for sanity
      * @return boolean true if OK, else false
diff --git a/required.php b/required.php
index 3fe1060..3cfa346 100644
--- a/required.php
+++ b/required.php
@@ -32,7 +32,6 @@ session_start(); // stick some cookies in it
 // renew session cookie
 setcookie(session_name(), session_id(), time() + $session_length, "/", false, false);
 
-$captcha_server = ($SETTINGS['captcha']['enabled'] === true ? preg_replace("/http(s)?:\/\//", "", $SETTINGS['captcha']['server']) : "");
 if ($_SESSION['mobile'] === TRUE) {
     header("Content-Security-Policy: "
             . "default-src 'self';"
@@ -42,8 +41,8 @@ if ($_SESSION['mobile'] === TRUE) {
             . "frame-src 'none'; "
             . "font-src 'self'; "
             . "connect-src *; "
-            . "style-src 'self' 'unsafe-inline' $captcha_server; "
-            . "script-src 'self' 'unsafe-inline' $captcha_server");
+            . "style-src 'self' 'unsafe-inline'; "
+            . "script-src 'self' 'unsafe-inline'");
 } else {
     header("Content-Security-Policy: "
             . "default-src 'self';"
@@ -53,8 +52,8 @@ if ($_SESSION['mobile'] === TRUE) {
             . "frame-src 'none'; "
             . "font-src 'self'; "
             . "connect-src *; "
-            . "style-src 'self' 'nonce-$SECURE_NONCE' $captcha_server; "
-            . "script-src 'self' 'nonce-$SECURE_NONCE' $captcha_server");
+            . "style-src 'self' 'nonce-$SECURE_NONCE'; "
+            . "script-src 'self' 'nonce-$SECURE_NONCE'");
 }
 
 //
diff --git a/settings.template.php b/settings.template.php
index 75a1896..22c1b16 100644
--- a/settings.template.php
+++ b/settings.template.php
@@ -15,7 +15,6 @@ $SETTINGS = [
     // Turning this on in production is a security risk and can sometimes break
     // things, such as JSON output where extra content is not expected.
     "debug" => false,
-
     // Database connection settings
     // See http://medoo.in/api/new for info
     "database" => [
@@ -26,10 +25,8 @@ $SETTINGS = [
         "password" => "",
         "charset" => "utf8"
     ],
-
     // Name of the app.
     "site_title" => "Web App Template",
-
     // Settings for connecting to the AccountHub server.
     "accounthub" => [
         // URL for the API endpoint
@@ -39,26 +36,14 @@ $SETTINGS = [
         // API key
         "key" => "123"
     ],
-
     // For supported values, see http://php.net/manual/en/timezones.php
     "timezone" => "America/Denver",
-
-    // Use Captcheck on login screen to slow down bots
-    // https://captcheck.netsyms.com
-    "captcha" => [
-        "enabled" => false,
-        "server" => "https://captcheck.netsyms.com"
-    ],
-
     // Language to use for localization. See langs folder to add a language.
     "language" => "en",
-
     // Shown in the footer of all the pages.
     "footer_text" => "",
-
     // Also shown in the footer, but with "Copyright <current_year>" in front.
     "copyright" => "Netsyms Technologies",
-
     // Base URL for building links relative to the location of the app.
     // Only used when there's no good context for the path.
     // The default is almost definitely fine.

From 4d2b78bdba36427dfdfdee86b824d82e7cb69704 Mon Sep 17 00:00:00 2001
From: Skylar Ittner <admin@netsyms.com>
Date: Wed, 26 Dec 2018 16:28:32 -0700
Subject: [PATCH 3/5] Remove unused strings

---
 langs/en/core.json | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/langs/en/core.json b/langs/en/core.json
index c9a9d0b..6121060 100644
--- a/langs/en/core.json
+++ b/langs/en/core.json
@@ -2,14 +2,10 @@
     "You have been logged out.": "You have been logged out.",
     "Log in again": "Log in again",
     "login server unavailable": "Login server unavailable.  Try again later or contact technical support.",
-    "welcome user": "Welcome, {user}!",
     "sign out": "Sign out",
-    "settings": "Settings",
-    "options": "Options",
     "404 error": "404 Error",
     "page not found": "Page not found.",
     "invalid parameters": "Invalid request parameters.",
     "login server error": "The login server returned an error: {arg}",
-    "login server user data error": "The login server refused to provide account information.  Try again or contact technical support.",
     "no access permission": "You do not have permission to access this system."
 }

From 1729b842ba410a84058dcc8f755d7943b0666cd4 Mon Sep 17 00:00:00 2001
From: Skylar Ittner <admin@netsyms.com>
Date: Wed, 26 Dec 2018 16:32:43 -0700
Subject: [PATCH 4/5] Add permission check during login

---
 index.php             | 5 +++++
 settings.template.php | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/index.php b/index.php
index e4cafd8..5cac7ba 100644
--- a/index.php
+++ b/index.php
@@ -82,6 +82,11 @@ if (empty($_SESSION["login_code"])) {
         }
         if (is_numeric($uidinfo['uid'])) {
             $user = new User($uidinfo['uid'] * 1);
+            foreach ($SETTINGS['permissions'] as $perm) {
+                if (!$user->hasPermission($perm)) {
+                    die($Strings->get("no access permission", false));
+                }
+            }
             Session::start($user);
             $_SESSION["login_code"] = null;
             header('Location: app.php');
diff --git a/settings.template.php b/settings.template.php
index 22c1b16..94686c0 100644
--- a/settings.template.php
+++ b/settings.template.php
@@ -36,6 +36,9 @@ $SETTINGS = [
         // API key
         "key" => "123"
     ],
+    // List of required user permissions to access this app.
+    "permissions" => [
+    ],
     // For supported values, see http://php.net/manual/en/timezones.php
     "timezone" => "America/Denver",
     // Language to use for localization. See langs folder to add a language.

From d7ca7125ce500d220f20b30d8317c54f73dc9c99 Mon Sep 17 00:00:00 2001
From: Skylar Ittner <admin@netsyms.com>
Date: Thu, 27 Dec 2018 00:15:27 -0700
Subject: [PATCH 5/5] Nicer access denied message

---
 index.php           | 43 +++++++++++++++++++++++++++----------------
 langs/en/core.json  |  6 +-----
 langs/en/index.json |  8 ++++++++
 3 files changed, 36 insertions(+), 21 deletions(-)
 create mode 100644 langs/en/index.json

diff --git a/index.php b/index.php
index 5cac7ba..1bdd70d 100644
--- a/index.php
+++ b/index.php
@@ -13,8 +13,19 @@ if (!empty($_SESSION['loggedin']) && $_SESSION['loggedin'] === true && !isset($_
     die();
 }
 
-if (!empty($_GET['logout'])) {
-    // Show a logout message instead of immediately redirecting to login flow
+/**
+ * Show a simple HTML page with a line of text and a button.  Matches the UI of
+ * the AccountHub login flow.
+ *
+ * @global type $SETTINGS
+ * @global type $SECURE_NONCE
+ * @global type $Strings
+ * @param string $title Text to show, passed through i18n
+ * @param string $button Button text, passed through i18n
+ * @param string $url URL for the button
+ */
+function showHTML(string $title, string $button, string $url) {
+    global $SETTINGS, $SECURE_NONCE, $Strings;
     ?>
     <!DOCTYPE html>
     <meta charset="UTF-8">
@@ -26,7 +37,6 @@ if (!empty($_GET['logout'])) {
     <link rel="icon" href="static/img/logo.svg">
 
     <link href="static/css/bootstrap.min.css" rel="stylesheet">
-    <link href="static/css/svg-with-js.min.css" rel="stylesheet">
     <style nonce="<?php echo $SECURE_NONCE; ?>">
         .display-5 {
             font-size: 2.5rem;
@@ -40,11 +50,6 @@ if (!empty($_GET['logout'])) {
             border: 1px solid grey;
             border-radius: 15%;
         }
-
-        .blank-image {
-            height: 100px;
-            margin: 2em auto;
-        }
     </style>
 
     <div class="container mt-4">
@@ -54,24 +59,25 @@ if (!empty($_GET['logout'])) {
             </div>
 
             <div class="col-12 text-center">
-                <h1 class="display-5 mb-4"><?php $Strings->get("You have been logged out.") ?></h1>
+                <h1 class="display-5 mb-4"><?php $Strings->get($title); ?></h1>
             </div>
 
             <div class="col-12 col-sm-8 col-lg-6">
                 <div class="card mt-4">
                     <div class="card-body">
-                        <a href="./index.php" class="btn btn-primary btn-block"><?php $Strings->get("Log in again"); ?></a>
+                        <a href="<?php echo $url; ?>" class="btn btn-primary btn-block"><?php $Strings->get($button); ?></a>
                     </div>
                 </div>
             </div>
         </div>
     </div>
-
-    <script src="static/js/fontawesome-all.min.js"></script>
     <?php
-    die();
 }
 
+if (!empty($_GET['logout'])) {
+    showHTML("You have been logged out.", "Log in again", "./index.php");
+    die();
+}
 if (empty($_SESSION["login_code"])) {
     $redirecttologin = true;
 } else {
@@ -84,13 +90,15 @@ if (empty($_SESSION["login_code"])) {
             $user = new User($uidinfo['uid'] * 1);
             foreach ($SETTINGS['permissions'] as $perm) {
                 if (!$user->hasPermission($perm)) {
-                    die($Strings->get("no access permission", false));
+                    showHTML("no access permission", "sign out", "./action.php?action=signout");
+                    die();
                 }
             }
             Session::start($user);
             $_SESSION["login_code"] = null;
             header('Location: app.php');
-            die("Logged in, go to app.php");
+            showHTML("Logged in", "Continue", "./app.php");
+            die();
         } else {
             throw new Exception();
         }
@@ -113,7 +121,10 @@ if ($redirecttologin) {
 
         $_SESSION["login_code"] = $codedata["code"];
 
-        header("Location: " . $codedata["loginurl"] . "?code=" . htmlentities($codedata["code"]) . "&redirect=" . htmlentities($redirecturl));
+        $locationurl = $codedata["loginurl"] . "?code=" . htmlentities($codedata["code"]) . "&redirect=" . htmlentities($redirecturl);
+        header("Location: $locationurl");
+        showHTML("Continue", "Continue", $locationurl);
+        die();
     } catch (Exception $ex) {
         sendError($ex->getMessage());
     }
diff --git a/langs/en/core.json b/langs/en/core.json
index 6121060..f2d85fb 100644
--- a/langs/en/core.json
+++ b/langs/en/core.json
@@ -1,11 +1,7 @@
 {
-    "You have been logged out.": "You have been logged out.",
-    "Log in again": "Log in again",
-    "login server unavailable": "Login server unavailable.  Try again later or contact technical support.",
     "sign out": "Sign out",
     "404 error": "404 Error",
     "page not found": "Page not found.",
     "invalid parameters": "Invalid request parameters.",
-    "login server error": "The login server returned an error: {arg}",
-    "no access permission": "You do not have permission to access this system."
+    "login server error": "The login server returned an error: {arg}"
 }
diff --git a/langs/en/index.json b/langs/en/index.json
new file mode 100644
index 0000000..c516bbb
--- /dev/null
+++ b/langs/en/index.json
@@ -0,0 +1,8 @@
+{
+    "You have been logged out.": "You have been logged out.",
+    "Log in again": "Log in again",
+    "login server unavailable": "Login server unavailable.  Try again later or contact technical support.",
+    "no access permission": "You do not have permission to access this system.",
+    "Logged in": "Logged in",
+    "Continue": "Continue"
+}