9 months ago · 106e697fc3
--- a/langs/en/core.json
+++ b/langs/en/core.json
@@ -11,6 +11,5 @@
    "invalid parameters": "Invalid request parameters.",
    "login server error": "The login server returned an error: {arg}",
    "login server user data error": "The login server refused to provide account information.  Try again or contact technical support.",
    "captcha error": "There was a problem with the CAPTCHA (robot test).  Try again.",
    "no access permission": "You do not have permission to access this system."
 }
--- a/lib/Login.lib.php
+++ b/lib/Login.lib.php
@@ -45,29 +45,6 @@ class Login {
        return Login::LOGIN_OK;
    }

    public static function verifyCaptcha(string $session, string $answer, string $url): bool {
        $data = [
            'session_id' => $session,
            'answer_id' => $answer,
            'action' => "verify"
        ];
        $options = [
            'http' => [
                'header' => "Content-type: application/x-www-form-urlencoded\r\n",
                'method' => 'POST',
                'content' => http_build_query($data)
            ]
        ];
        $context = stream_context_create($options);
        $result = file_get_contents($url, false, $context);
        $resp = json_decode($result, TRUE);
        if (!$resp['result']) {
            return false;
        } else {
            return true;
        }
    }

    /**
     * Check the login server API for sanity
     * @return boolean true if OK, else false
--- a/required.php
+++ b/required.php
@@ -32,7 +32,6 @@ session_start(); // stick some cookies in it
 // renew session cookie
 setcookie(session_name(), session_id(), time() + $session_length, "/", false, false);

 $captcha_server = ($SETTINGS['captcha']['enabled'] === true ? preg_replace("/http(s)?:\/\//", "", $SETTINGS['captcha']['server']) : "");
 if ($_SESSION['mobile'] === TRUE) {
    header("Content-Security-Policy: "
            . "default-src 'self';"
@@ -42,8 +41,8 @@ if ($_SESSION['mobile'] === TRUE) {
            . "frame-src 'none'; "
            . "font-src 'self'; "
            . "connect-src *; "
            . "style-src 'self' 'unsafe-inline' $captcha_server; "
            . "script-src 'self' 'unsafe-inline' $captcha_server");
            . "style-src 'self' 'unsafe-inline'; "
            . "script-src 'self' 'unsafe-inline'");
 } else {
    header("Content-Security-Policy: "
            . "default-src 'self';"
@@ -53,8 +52,8 @@ if ($_SESSION['mobile'] === TRUE) {
            . "frame-src 'none'; "
            . "font-src 'self'; "
            . "connect-src *; "
            . "style-src 'self' 'nonce-$SECURE_NONCE' $captcha_server; "
            . "script-src 'self' 'nonce-$SECURE_NONCE' $captcha_server");
            . "style-src 'self' 'nonce-$SECURE_NONCE'; "
            . "script-src 'self' 'nonce-$SECURE_NONCE'");
 }

 //
--- a/settings.template.php
+++ b/settings.template.php
@@ -15,7 +15,6 @@ $SETTINGS = [
    // Turning this on in production is a security risk and can sometimes break
    // things, such as JSON output where extra content is not expected.
    "debug" => false,

    // Database connection settings
    // See http://medoo.in/api/new for info
    "database" => [
@@ -26,10 +25,8 @@ $SETTINGS = [
        "password" => "",
        "charset" => "utf8"
    ],

    // Name of the app.
    "site_title" => "Web App Template",

    // Settings for connecting to the AccountHub server.
    "accounthub" => [
        // URL for the API endpoint
@@ -39,26 +36,14 @@ $SETTINGS = [
        // API key
        "key" => "123"
    ],

    // For supported values, see http://php.net/manual/en/timezones.php
    "timezone" => "America/Denver",

    // Use Captcheck on login screen to slow down bots
    // https://captcheck.netsyms.com
    "captcha" => [
        "enabled" => false,
        "server" => "https://captcheck.netsyms.com"
    ],

    // Language to use for localization. See langs folder to add a language.
    "language" => "en",

    // Shown in the footer of all the pages.
    "footer_text" => "",

    // Also shown in the footer, but with "Copyright <current_year>" in front.
    "copyright" => "Netsyms Technologies",

    // Base URL for building links relative to the location of the app.
    // Only used when there's no good context for the path.
    // The default is almost definitely fine.