Improve mobile integration, fix some upper/lower case bugs

V2_Rewrite
Skylar Ittner 7 years ago
parent bee707be8a
commit 14f401f355

@ -43,10 +43,10 @@ switch ($VARS['action']) {
case "auth":
$errmsg = "";
if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
insertAuthLog(12, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(12, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "OK", "msg" => lang("login successful", false)]));
} else {
insertAuthLog(13, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(13, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
if (!is_empty($errmsg)) {
exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
}
@ -70,7 +70,7 @@ switch ($VARS['action']) {
case "userinfo":
if (!is_empty($VARS['username'])) {
if (user_exists_local($VARS['username'])) {
$data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => $VARS['username']])[0];
$data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => strtolower($VARS['username'])])[0];
exit(json_encode(["status" => "OK", "data" => $data]));
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
@ -112,7 +112,7 @@ switch ($VARS['action']) {
if (verifyTOTP($VARS['username'], $VARS['code'])) {
exit(json_encode(["status" => "OK", "valid" => true]));
} else {
insertAuthLog(7, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(7, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("2fa incorrect", false), "valid" => false]));
}
break;
@ -123,30 +123,30 @@ switch ($VARS['action']) {
// simulate a login, checking account status and alerts
$errmsg = "";
if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
$uid = $database->select('accounts', 'uid', ['username' => $VARS['username']])[0];
$uid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])])[0];
switch (get_account_status($VARS['username'])) {
case "LOCKED_OR_DISABLED":
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("account locked", false)]));
case "TERMINATED":
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("account terminated", false)]));
case "CHANGE_PASSWORD":
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("password expired", false)]));
case "NORMAL":
insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "OK"]));
case "ALERT_ON_ACCESS":
sendLoginAlertEmail($VARS['username']);
insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "OK", "alert" => true]));
default:
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("account state error", false)]));
}
} else {
insertAuthLog(5, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
if (!is_empty($errmsg)) {
exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
}
@ -168,13 +168,13 @@ switch ($VARS['action']) {
} else {
if (user_exists_local($VARS['manager'])) {
if (user_exists_local($VARS['employee'])) {
$managerid = $database->select('accounts', 'uid', ['username' => $VARS['manager']]);
$employeeid = $database->select('accounts', 'uid', ['username' => $VARS['employee']]);
$managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['manager'])]);
$employeeid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['employee'])]);
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['employee']]));
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['employee'])]));
}
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['manager']]));
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['manager'])]));
}
}
if ($database->has('managers', ['AND' => ['managerid' => $managerid, 'employeeid' => $employeeid]])) {
@ -191,8 +191,8 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
} else if ($VARS['username']) {
if ($database->has("accounts", ['username' => $VARS['username']])) {
$managerid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
$managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
@ -211,8 +211,8 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
} else if ($VARS['username']) {
if ($database->has("accounts", ['username' => $VARS['username']])) {
$empid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
$empid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
@ -243,7 +243,7 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
} else if ($VARS['username']) {
if ($database->has("accounts", ['username' => $VARS['username']])) {
if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
$user = $VARS['username'];
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
@ -262,7 +262,8 @@ switch ($VARS['action']) {
http_response_code(400);
die("\"400 Bad Request\"");
}
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['code'], 'accounts.username' => $VARS['username']]]);
$code = strtoupper($VARS['code']);
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $code, 'accounts.username' => strtolower($VARS['username'])]]);
exit(json_encode(["status" => "OK", "valid" => $user_key_valid]));
case "alertemail":
engageRateLimit();
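Review bot: In the username-only branch of the last manager/employee lookup, the `has("accounts", ...)` check now uses `strtolower($VARS['username'])` but the line right after it, `$user = $VARS['username'];`, keeps the caller's original case, so whatever consumes `$user` below the hunk is handed a value that may not match the row just verified; it should be `$user = strtolower($VARS['username']);`. The same drift shows in the login simulation, where the uid select is lowercased but `get_account_status($VARS['username'])` directly beneath it is not, and in the 2FA action where `verifyTOTP($VARS['username'], ...)` is passed raw, so the lowercase fix holds only where someone remembered to apply it. Normalising once, `$VARS['username'] = strtolower($VARS['username']);` before the `switch`, the way the mobile endpoint in this same commit does, would replace the twenty-odd per-site calls and remove the chance of missing one. The `switch ($VARS['action'])` these hunks sit in starts before and ends after them.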

@ -10,6 +10,6 @@ $APPS["inventory_link"]["i18n"] = TRUE;
$APPS["inventory_link"]["title"] = "inventory";
$APPS["inventory_link"]["icon"] = "cubes";
$APPS["inventory_link"]["type"] = "teal";
$content = "<p>" . lang("open inventory system", false) . '</p><a href="' . INVENTORY_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content = "<p class='mobile-app-hide'>" . lang("open inventory system", false) . '</p><a href="' . INVENTORY_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["inventory_link"]["content"] = $content;
?>

@ -38,6 +38,6 @@ $content .= <<<END
<a href="home.php?&qwikclock=punchin" class="btn btn-block btn-success btn-lg"><i class="fa fa-play"></i> $lang_punchin</a>
<a href="home.php?qwikclock=punchout" class="btn btn-block btn-danger btn-lg"><i class="fa fa-stop"></i> $lang_punchout</a>
END;
$content .= '<br /><a href="' . QWIKCLOCK_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content .= '<br /><a href="' . QWIKCLOCK_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["qwikclock_inout"]["content"] = $content;
?>

@ -31,8 +31,9 @@ if ($_GET['mobilecode'] == "generate") {
$code = strtoupper(substr(md5(mt_rand() . uniqid("", true)), 0, 20));
$database->insert('mobile_codes', ['uid' => $_SESSION['uid'], 'code' => $code]);
}
$url = str_replace("/", "\\", URL . "mobile/index.php");
$codeuri = "bizsync://" . $url . "/" . $_SESSION['username'] . "/" . $code;
$url = URL . "mobile/index.php";
$encodedurl = str_replace("/", "\\", $url);
$codeuri = "bizsync://" . $encodedurl . "/" . $_SESSION['username'] . "/" . $code;
$qrCode = new QrCode($codeuri);
$qrCode->setSize(200);
$qrCode->setErrorCorrection("H");
@ -42,6 +43,7 @@ if ($_GET['mobilecode'] == "generate") {
$APPS["sync_mobile"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan sync qrcode", false) . '</div>' . <<<END
<img src="$qrcode" class="img-responsive qrcode" />
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$chunk_code</div>
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$url</div>
<a class="btn btn-success btn-sm btn-block" href="home.php?page=security">$lang_done</a>
END;
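Review bot: The `$code` that the new `bizsync://` URI carries to the phone is the same value the mobile endpoint later accepts as a login credential, yet it is derived from `md5(mt_rand() . uniqid("", true))` on the context line at the top of the hunk, and neither half of that is a CSPRNG: mt_rand's state can be recovered from observed outputs and uniqid is clock-based. If the project runs on PHP 7 or later, the identical 20-character uppercase hex format comes from `$code = strtoupper(bin2hex(random_bytes(10)));` with no change to the stored row or the URI. The `if ($_GET['mobilecode'] == "generate")` block this hunk belongs to starts before the hunk.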
} else {

@ -49,6 +49,6 @@ END;
} catch (Exception $e) {
$content = "<div class=\"alert alert-danger\">" . lang("error loading widget", false) . " " . $e->getMessage() . "</div>";
}
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["taskfloor_messages"]["content"] = $content;
?>

@ -37,6 +37,6 @@ try {
} catch (Exception $e) {
$content = "<div class=\"alert alert-danger\">" . lang("error loading widget", false) . " " . $e->getMessage() . "</div>";
}
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["taskfloor_tasks"]["content"] = $content;
?>

@ -83,7 +83,7 @@ if (!is_empty($_GET['page'])) {
<ul class="dropdown-menu" role="menu">
<li><a href="home.php?page=security"><i class="fa fa-gears fa-fw"></i> <?php lang("options") ?></a></li>
<li class="divider"></li>
<li><a href="action.php?action=signout"><i class="fa fa-sign-out fa-fw"></i> <?php lang("sign out") ?></a></li>
<li class="mobile-app-hide"><a href="action.php?action=signout"><i class="fa fa-sign-out fa-fw"></i> <?php lang("sign out") ?></a></li>
</ul>
</li>
</ul>
@ -91,7 +91,7 @@ if (!is_empty($_GET['page'])) {
</div>
</nav>
<div class="app-dock-container">
<div class="app-dock-container mobile-app-hide">
<div class="app-dock">
<?php
foreach (EXTERNAL_APPS as $a) {

@ -190,8 +190,8 @@ if ($VARS['progress'] == "1") {
if (!$multiauth && !$change_password) {
?>
<input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" /><br />
<input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<?php if (RECAPTCHA_ENABLED) { ?>
<div class="g-recaptcha" data-sitekey="<?php echo RECAPTCHA_SITE_KEY; ?>"></div>
<br />
@ -203,15 +203,15 @@ if ($VARS['progress'] == "1") {
<div class="alert alert-info">
<?php lang("2fa prompt"); ?>
</div>
<input type="text" class="form-control" name="authcode" placeholder="<?php lang("authcode"); ?>" required="required" autocomplete="off" autofocus /><br />
<input type="text" class="form-control" name="authcode" placeholder="<?php lang("authcode"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="hidden" name="progress" value="2" />
<input type="hidden" name="username" value="<?php echo $VARS['username']; ?>" />
<?php
} else if ($change_password) {
?>
<input type="password" class="form-control" name="oldpass" placeholder="Current password" required="required" autocomplete="new-password" autofocus /><br />
<input type="password" class="form-control" name="newpass" placeholder="New password" required="required" autocomplete="off" /><br />
<input type="password" class="form-control" name="conpass" placeholder="New password (again)" required="required" autocomplete="off" /><br />
<input type="password" class="form-control" name="oldpass" placeholder="Current password" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="password" class="form-control" name="newpass" placeholder="New password" required="required" autocomplete="new-password" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<input type="password" class="form-control" name="conpass" placeholder="New password (again)" required="required" autocomplete="new-password" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<input type="hidden" name="progress" value="chpasswd" />
<?php
}
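Review bot: The hidden `username` input in the 2FA branch echoes `$VARS['username']` into an attribute with no escaping; if `$VARS` is populated from the request, as a login form implies, a submitted username containing `"` breaks out of the attribute on the second step, and `value="<?php echo htmlspecialchars($VARS['username'], ENT_QUOTES, 'UTF-8'); ?>"` closes that. On the lines this commit does change, `autocomplete="off"` on the password inputs is disregarded for saved passwords by most current browsers and mainly hinders password managers; the tokens that express the intent are `autocomplete="username"` on the username input, `autocomplete="current-password"` on the login password and `oldpass` inputs, and `new-password` on `newpass`/`conpass` as the commit already sets. The `if (!$multiauth && !$change_password)` chain this markup sits in starts before the first hunk.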

@ -190,7 +190,7 @@ function authenticate_user($username, $password, &$errormsg, &$errorcode) {
}
function user_exists($username) {
return account_location($username) !== "NONE";
return account_location(strtolower($username)) !== "NONE";
}
/**
@ -285,12 +285,14 @@ function doLoginUser($username, $password) {
*/
function sendLoginAlertEmail($username, $appname = SITE_TITLE) {
if (is_empty(ADMIN_EMAIL) || filter_var(ADMIN_EMAIL, FILTER_VALIDATE_EMAIL) === FALSE) {
return "false";
return "invalid_to_email";
}
if (is_empty(FROM_EMAIL) || filter_var(FROM_EMAIL, FILTER_VALIDATE_EMAIL) === FALSE) {
return "false";
return "invalid_from_email";
}
$username = strtolower($username);
$mail = new PHPMailer;
if (DEBUG) {
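Review bot: `user_exists()` now lowercases before calling `account_location()`, but the other lookups touched by this commit — `get_account_status()`, `verifyTOTP()` and `authenticate_user()` in the web API — still receive whatever case the caller passes, so the normalisation is only as reliable as each call site; lowercasing inside `account_location()` and `get_account_status()` themselves, or once at request entry, would make them consistent with `user_exists`. Also, the hunk header shows `authenticate_user($username, $password, &$errormsg, &$errorcode)` with a fourth by-reference parameter while every call in this commit passes three arguments; if that header is not truncated and the parameter has no default, PHP 7.1+ raises ArgumentCountError on those calls, so the real signature is worth confirming. `sendLoginAlertEmail()` continues past the end of the hunk.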

@ -26,12 +26,15 @@ if (is_empty($VARS['username']) || is_empty($VARS['key'])) {
die(json_encode(["status" => "ERROR", "msg" => "Missing username and/or access key."]));
}
$username = strtolower($VARS['username']);
$key = strtoupper($VARS['key']);
// Make sure the username and key are actually legit
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['key'], 'accounts.username' => $VARS['username']]]);
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $key, 'accounts.username' => $username]]);
if ($user_key_valid !== TRUE) {
engageRateLimit();
http_response_code(401);
insertAuthLog(21, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(21, null, "Username: " . $username . ", Key: " . $key);
die(json_encode(["status" => "ERROR", "msg" => "Invalid username and/or access key."]));
}
@ -44,53 +47,54 @@ switch ($VARS['action']) {
case "check_password":
// Check if the user-supplied password is valid.
engageRateLimit();
if (get_account_status($VARS['username']) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
if (get_account_status($username) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
}
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
$uid = $database->get("accounts", "uid", ["username" => $VARS['username']]);
insertAuthLog(19, $uid, "Key: " . $VARS['key']);
if (authenticate_user($username, $VARS['password'], $autherror)) {
$uid = $database->get("accounts", "uid", ["username" => $username]);
insertAuthLog(19, $uid, "Key: " . $key);
exit(json_encode(["status" => "OK", "uid" => $uid]));
} else {
if (!is_empty($autherror)) {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
} else {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
}
}
case "user_info":
engageRateLimit();
if (get_account_status($VARS['username']) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
if (get_account_status($username) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
}
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
$userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $VARS['username']]);
insertAuthLog(19, $userinfo['uid'], "Key: " . $VARS['key']);
if (authenticate_user($username, $VARS['password'], $autherror)) {
$userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $username]);
insertAuthLog(19, $userinfo['uid'], "Key: " . $key);
exit(json_encode(["status" => "OK", "info" => $userinfo]));
} else {
if (!is_empty($autherror)) {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
} else {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
}
}
case "start_session":
// Do a web login.
engageRateLimit();
if (user_exists($VARS['username'])) {
if (get_account_status($VARS['username']) == "NORMAL") {
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
doLoginUser($VARS['username'], $VARS['password']);
if (user_exists($username)) {
if (get_account_status($username) == "NORMAL") {
if (authenticate_user($username, $VARS['password'], $autherror)) {
doLoginUser($username, $VARS['password']);
exit(json_encode(["status" => "OK"]));
}
}
}
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
case "listapps":
exit(json_encode(["status" => "OK", "apps" => EXTERNAL_APPS]));
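Review bot: `insertAuthLog(19, $uid, "Key: " . $key)` in the `check_password` and `user_info` branches writes the full mobile access key — the credential this file just validated against `mobile_codes` — into the auth log in plaintext, and the failure paths log the submitted key the same way, whereas the web API in this commit logs `getCensoredKey()` for the equivalent events. Anyone who can read the auth log can replay the key, so log a redacted form such as `"Key: " . substr($key, 0, 4) . "..."` or the censored helper if it is reachable here. Separately, both branches return `login failed try on web` from `get_account_status($username)` before the password is checked, so a caller holding a username and its key learns the account state without a valid password; checking the password first, or returning the generic `login incorrect`, would close that. The `switch ($VARS['action'])` continues past the end of the hunk.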
