
Clean up clutter and unneeded code

Skylar Ittner 2 jaren geleden
bovenliggende
commit
e28d3a93ac
10 gewijzigde bestanden met toevoegingen van 79 en 1053 verwijderingen
  1. 0
    36
      action.php
  2. 1
    1
      app.php
  3. 2
    3
      composer.json
  4. 1
    389
      composer.lock
  5. 41
    36
      index.php
  6. 1
    0
      lang/en_us.php
  7. 0
    28
      lang/messages.php
  8. 32
    0
      lib/login.php
  9. 0
    522
      lib/worst_passwords.php
  10. 1
    38
      required.php

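--- a/action.php
+++ b/action.php
@@ -3,16 +3,11 @@
 /**
  * Make things happen when buttons are pressed and forms submitted.
  */
-use LdapTools\LdapManager;
-use LdapTools\Object\LdapObjectType;
 
 require_once __DIR__ . "/required.php";
 
 dieifnotloggedin();
 
-require_once __DIR__ . "/lib/login.php";
-require_once __DIR__ . "/lib/worst_passwords.php";
-
 function returnToSender($msg, $arg = "") {
     global $VARS;
     if ($arg == "") {
@@ -28,35 +23,4 @@ switch ($VARS['action']) {
         session_destroy();
         header('Location: index.php');
         die("Logged out.");
-    case "chpasswd":
-        if ($_SESSION['password'] == $VARS['oldpass']) {
-            if ($VARS['newpass'] == $VARS['conpass']) {
-                $passrank = checkWorst500List($VARS['newpass']);
-                if ($passrank !== FALSE) {
-                    returnToSender("password_500", $passrank);
-                }
-                if (strlen($VARS['newpass']) < MIN_PASSWORD_LENGTH) {
-                    returnToSender("weak_password");
-                }
-
-                $database->update('accounts', ['password' => encryptPassword($VARS['newpass'])], ['uid' => $_SESSION['uid']]);
-                $_SESSION['password'] = $VARS['newpass'];
-                returnToSender("password_updated");
-            } else {
-                returnToSender("new_password_mismatch");
-            }
-        } else {
-            returnToSender("old_password_mismatch");
-        }
-        break;
-    case "add2fa":
-        if (is_empty($VARS['secret'])) {
-            returnToSender("invalid_parameters");
-        }
-        $database->update('accounts', ['authsecret' => $VARS['secret']], ['uid' => $_SESSION['uid']]);
-        returnToSender("2fa_enabled");
-    case "rm2fa":
-        $database->update('accounts', ['authsecret' => ""], ['uid' => $_SESSION['uid']]);
-        returnToSender("2fa_removed");
-        break;
 }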
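Review bot: `returnToSender` still guards its optional argument with a loose comparison, `if ($arg == "")`, which treats `null` the same as the empty string while treating `"0"` differently; now that this is the only argument handling left in the file, `if ($arg === "") {` states the intent exactly. The function body and the `switch ($VARS['action'])` block both continue outside the hunk, so I cannot see whether a `default:` case exists; if it does not, an unknown `action` value falls out of the switch silently, and a `default: returnToSender("invalid_parameters");` would make that explicit. The `case "logout"` path visible on the context lines ends in `session_destroy()` without clearing `$_SESSION` or the session cookie; that is pre-existing, but worth a comment if it is deliberate.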

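--- a/app.php
+++ b/app.php
@@ -125,7 +125,7 @@ if (!is_empty($_GET['page'])) {
                 if (is_empty($_GET['arg'])) {
                     $alertmsg = lang(MESSAGES[$_GET['msg']]['string'], false);
                 } else {
-                    $alertmsg = lang2(MESSAGES[$_GET['msg']]['string'], ["arg" => $_GET['arg']], false);
+                    $alertmsg = lang2(MESSAGES[$_GET['msg']]['string'], ["arg" => strip_tags($_GET['arg'])], false);
                 }
                 $alerttype = MESSAGES[$_GET['msg']]['type'];
                 $alerticon = "square-o";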
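Review bot: `strip_tags()` on `$_GET['arg']` at line 128 is not an HTML-context escape: it drops tag-like sequences but leaves quotes, `&` and partial markup intact, so whether the substituted value is safe depends entirely on how `lang2()` and the later alert rendering treat it, and neither is in the hunk. If `$alertmsg` is echoed into HTML, escape at the output point with `htmlspecialchars($_GET['arg'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` rather than stripping on input, so the same value stays usable in non-HTML contexts. The `MESSAGES[$_GET['msg']]` lookups on the surrounding context lines assume the key exists; an unknown `msg` emits a notice and yields `null`, so an `isset(MESSAGES[$_GET['msg']])` guard before this block would be cheap.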

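--- a/composer.json
+++ b/composer.json
@@ -1,10 +1,9 @@
 {
-    "name": "netsyms/web-app-template",
-    "description": "Simple framework for rapid webapp development",
+    "name": "netsyms/business-app-template",
+    "description": "Template for a webapp integrated with a Portal server for authentication.",
     "type": "project",
     "require": {
         "catfan/medoo": "^1.2",
-        "spomky-labs/otphp": "^8.3",
         "guzzlehttp/guzzle": "^6.2"
     },
     "license": "MIT",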

+ 1
- 389
composer.lock

@@ -4,63 +4,8 @@
4 4
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
5 5
         "This file is @generated automatically"
6 6
     ],
7
-    "content-hash": "e0730a4c33d1a1cbf8738481ba9a1f1e",
7
+    "content-hash": "1c8b61c5d506ae016285b99b20040cf0",
8 8
     "packages": [
9
-        {
10
-            "name": "beberlei/assert",
11
-            "version": "v2.7.4",
12
-            "source": {
13
-                "type": "git",
14
-                "url": "https://github.com/beberlei/assert.git",
15
-                "reference": "3ee3bc468a3ce4bbfc3d74f53c6cdb5242d39d1a"
16
-            },
17
-            "dist": {
18
-                "type": "zip",
19
-                "url": "https://api.github.com/repos/beberlei/assert/zipball/3ee3bc468a3ce4bbfc3d74f53c6cdb5242d39d1a",
20
-                "reference": "3ee3bc468a3ce4bbfc3d74f53c6cdb5242d39d1a",
21
-                "shasum": ""
22
-            },
23
-            "require": {
24
-                "ext-mbstring": "*",
25
-                "php": ">=5.3"
26
-            },
27
-            "require-dev": {
28
-                "friendsofphp/php-cs-fixer": "^2.1.1",
29
-                "phpunit/phpunit": "^4|^5"
30
-            },
31
-            "type": "library",
32
-            "autoload": {
33
-                "psr-4": {
34
-                    "Assert\\": "lib/Assert"
35
-                },
36
-                "files": [
37
-                    "lib/Assert/functions.php"
38
-                ]
39
-            },
40
-            "notification-url": "https://packagist.org/downloads/",
41
-            "license": [
42
-                "BSD-2-Clause"
43
-            ],
44
-            "authors": [
45
-                {
46
-                    "name": "Benjamin Eberlei",
47
-                    "email": "kontakt@beberlei.de",
48
-                    "role": "Lead Developer"
49
-                },
50
-                {
51
-                    "name": "Richard Quadling",
52
-                    "email": "rquadling@gmail.com",
53
-                    "role": "Collaborator"
54
-                }
55
-            ],
56
-            "description": "Thin assertion library for input validation in business models.",
57
-            "keywords": [
58
-                "assert",
59
-                "assertion",
60
-                "validation"
61
-            ],
62
-            "time": "2017-03-14T18:06:52+00:00"
63
-        },
64 9
         {
65 10
             "name": "catfan/medoo",
66 11
             "version": "v1.2.1",
@@ -116,60 +61,6 @@
116 61
             ],
117 62
             "time": "2017-02-17T16:05:35+00:00"
118 63
         },
119
-        {
120
-            "name": "christian-riesen/base32",
121
-            "version": "1.3.1",
122
-            "source": {
123
-                "type": "git",
124
-                "url": "https://github.com/ChristianRiesen/base32.git",
125
-                "reference": "0a31e50c0fa9b1692d077c86ac188eecdcbaf7fa"
126
-            },
127
-            "dist": {
128
-                "type": "zip",
129
-                "url": "https://api.github.com/repos/ChristianRiesen/base32/zipball/0a31e50c0fa9b1692d077c86ac188eecdcbaf7fa",
130
-                "reference": "0a31e50c0fa9b1692d077c86ac188eecdcbaf7fa",
131
-                "shasum": ""
132
-            },
133
-            "require": {
134
-                "php": ">=5.3.0"
135
-            },
136
-            "require-dev": {
137
-                "phpunit/phpunit": "4.*",
138
-                "satooshi/php-coveralls": "0.*"
139
-            },
140
-            "type": "library",
141
-            "extra": {
142
-                "branch-alias": {
143
-                    "dev-master": "1.1.x-dev"
144
-                }
145
-            },
146
-            "autoload": {
147
-                "psr-4": {
148
-                    "Base32\\": "src/"
149
-                }
150
-            },
151
-            "notification-url": "https://packagist.org/downloads/",
152
-            "license": [
153
-                "MIT"
154
-            ],
155
-            "authors": [
156
-                {
157
-                    "name": "Christian Riesen",
158
-                    "email": "chris.riesen@gmail.com",
159
-                    "homepage": "http://christianriesen.com",
160
-                    "role": "Developer"
161
-                }
162
-            ],
163
-            "description": "Base32 encoder/decoder according to RFC 4648",
164
-            "homepage": "https://github.com/ChristianRiesen/base32",
165
-            "keywords": [
166
-                "base32",
167
-                "decode",
168
-                "encode",
169
-                "rfc4648"
170
-            ],
171
-            "time": "2016-05-05T11:49:03+00:00"
172
-        },
173 64
         {
174 65
             "name": "guzzlehttp/guzzle",
175 66
             "version": "6.2.3",
@@ -348,54 +239,6 @@
348 239
             ],
349 240
             "time": "2017-03-20T17:10:46+00:00"
350 241
         },
351
-        {
352
-            "name": "paragonie/random_compat",
353
-            "version": "v2.0.10",
354
-            "source": {
355
-                "type": "git",
356
-                "url": "https://github.com/paragonie/random_compat.git",
357
-                "reference": "634bae8e911eefa89c1abfbf1b66da679ac8f54d"
358
-            },
359
-            "dist": {
360
-                "type": "zip",
361
-                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/634bae8e911eefa89c1abfbf1b66da679ac8f54d",
362
-                "reference": "634bae8e911eefa89c1abfbf1b66da679ac8f54d",
363
-                "shasum": ""
364
-            },
365
-            "require": {
366
-                "php": ">=5.2.0"
367
-            },
368
-            "require-dev": {
369
-                "phpunit/phpunit": "4.*|5.*"
370
-            },
371
-            "suggest": {
372
-                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
373
-            },
374
-            "type": "library",
375
-            "autoload": {
376
-                "files": [
377
-                    "lib/random.php"
378
-                ]
379
-            },
380
-            "notification-url": "https://packagist.org/downloads/",
381
-            "license": [
382
-                "MIT"
383
-            ],
384
-            "authors": [
385
-                {
386
-                    "name": "Paragon Initiative Enterprises",
387
-                    "email": "security@paragonie.com",
388
-                    "homepage": "https://paragonie.com"
389
-                }
390
-            ],
391
-            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
392
-            "keywords": [
393
-                "csprng",
394
-                "pseudorandom",
395
-                "random"
396
-            ],
397
-            "time": "2017-03-13T16:27:32+00:00"
398
-        },
399 242
         {
400 243
             "name": "psr/http-message",
401 244
             "version": "1.0.1",
@@ -445,237 +288,6 @@
445 288
                 "response"
446 289
             ],
447 290
             "time": "2016-08-06T14:39:51+00:00"
448
-        },
449
-        {
450
-            "name": "spomky-labs/otphp",
451
-            "version": "v8.3.0",
452
-            "source": {
453
-                "type": "git",
454
-                "url": "https://github.com/Spomky-Labs/otphp.git",
455
-                "reference": "8c90e16ba48fe7c306832611e22c5bad2d663a98"
456
-            },
457
-            "dist": {
458
-                "type": "zip",
459
-                "url": "https://api.github.com/repos/Spomky-Labs/otphp/zipball/8c90e16ba48fe7c306832611e22c5bad2d663a98",
460
-                "reference": "8c90e16ba48fe7c306832611e22c5bad2d663a98",
461
-                "shasum": ""
462
-            },
463
-            "require": {
464
-                "beberlei/assert": "^2.4",
465
-                "christian-riesen/base32": "^1.1",
466
-                "paragonie/random_compat": "^2.0",
467
-                "php": "^5.5|^7.0",
468
-                "symfony/polyfill-mbstring": "^1.1",
469
-                "symfony/polyfill-php56": "^1.1"
470
-            },
471
-            "require-dev": {
472
-                "phpunit/phpunit": "~4.0|^5.0",
473
-                "satooshi/php-coveralls": "^1.0"
474
-            },
475
-            "type": "library",
476
-            "extra": {
477
-                "branch-alias": {
478
-                    "dev-master": "8.2.x-dev"
479
-                }
480
-            },
481
-            "autoload": {
482
-                "psr-4": {
483
-                    "OTPHP\\": "src/"
484
-                }
485
-            },
486
-            "notification-url": "https://packagist.org/downloads/",
487
-            "license": [
488
-                "MIT"
489
-            ],
490
-            "authors": [
491
-                {
492
-                    "name": "Florent Morselli",
493
-                    "homepage": "https://github.com/Spomky"
494
-                },
495
-                {
496
-                    "name": "All contributors",
497
-                    "homepage": "https://github.com/Spomky-Labs/otphp/contributors"
498
-                }
499
-            ],
500
-            "description": "A PHP library for generating one time passwords according to RFC 4226 (HOTP Algorithm) and the RFC 6238 (TOTP Algorithm) and compatible with Google Authenticator",
501
-            "homepage": "https://github.com/Spomky-Labs/otphp",
502
-            "keywords": [
503
-                "FreeOTP",
504
-                "RFC 4226",
505
-                "RFC 6238",
506
-                "google authenticator",
507
-                "hotp",
508
-                "otp",
509
-                "totp"
510
-            ],
511
-            "time": "2016-12-08T10:46:02+00:00"
512
-        },
513
-        {
514
-            "name": "symfony/polyfill-mbstring",
515
-            "version": "v1.3.0",
516
-            "source": {
517
-                "type": "git",
518
-                "url": "https://github.com/symfony/polyfill-mbstring.git",
519
-                "reference": "e79d363049d1c2128f133a2667e4f4190904f7f4"
520
-            },
521
-            "dist": {
522
-                "type": "zip",
523
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/e79d363049d1c2128f133a2667e4f4190904f7f4",
524
-                "reference": "e79d363049d1c2128f133a2667e4f4190904f7f4",
525
-                "shasum": ""
526
-            },
527
-            "require": {
528
-                "php": ">=5.3.3"
529
-            },
530
-            "suggest": {
531
-                "ext-mbstring": "For best performance"
532
-            },
533
-            "type": "library",
534
-            "extra": {
535
-                "branch-alias": {
536
-                    "dev-master": "1.3-dev"
537
-                }
538
-            },
539
-            "autoload": {
540
-                "psr-4": {
541
-                    "Symfony\\Polyfill\\Mbstring\\": ""
542
-                },
543
-                "files": [
544
-                    "bootstrap.php"
545
-                ]
546
-            },
547
-            "notification-url": "https://packagist.org/downloads/",
548
-            "license": [
549
-                "MIT"
550
-            ],
551
-            "authors": [
552
-                {
553
-                    "name": "Nicolas Grekas",
554
-                    "email": "p@tchwork.com"
555
-                },
556
-                {
557
-                    "name": "Symfony Community",
558
-                    "homepage": "https://symfony.com/contributors"
559
-                }
560
-            ],
561
-            "description": "Symfony polyfill for the Mbstring extension",
562
-            "homepage": "https://symfony.com",
563
-            "keywords": [
564
-                "compatibility",
565
-                "mbstring",
566
-                "polyfill",
567
-                "portable",
568
-                "shim"
569
-            ],
570
-            "time": "2016-11-14T01:06:16+00:00"
571
-        },
572
-        {
573
-            "name": "symfony/polyfill-php56",
574
-            "version": "v1.3.0",
575
-            "source": {
576
-                "type": "git",
577
-                "url": "https://github.com/symfony/polyfill-php56.git",
578
-                "reference": "1dd42b9b89556f18092f3d1ada22cb05ac85383c"
579
-            },
580
-            "dist": {
581
-                "type": "zip",
582
-                "url": "https://api.github.com/repos/symfony/polyfill-php56/zipball/1dd42b9b89556f18092f3d1ada22cb05ac85383c",
583
-                "reference": "1dd42b9b89556f18092f3d1ada22cb05ac85383c",
584
-                "shasum": ""
585
-            },
586
-            "require": {
587
-                "php": ">=5.3.3",
588
-                "symfony/polyfill-util": "~1.0"
589
-            },
590
-            "type": "library",
591
-            "extra": {
592
-                "branch-alias": {
593
-                    "dev-master": "1.3-dev"
594
-                }
595
-            },
596
-            "autoload": {
597
-                "psr-4": {
598
-                    "Symfony\\Polyfill\\Php56\\": ""
599
-                },
600
-                "files": [
601
-                    "bootstrap.php"
602
-                ]
603
-            },
604
-            "notification-url": "https://packagist.org/downloads/",
605
-            "license": [
606
-                "MIT"
607
-            ],
608
-            "authors": [
609
-                {
610
-                    "name": "Nicolas Grekas",
611
-                    "email": "p@tchwork.com"
612
-                },
613
-                {
614
-                    "name": "Symfony Community",
615
-                    "homepage": "https://symfony.com/contributors"
616
-                }
617
-            ],
618
-            "description": "Symfony polyfill backporting some PHP 5.6+ features to lower PHP versions",
619
-            "homepage": "https://symfony.com",
620
-            "keywords": [
621
-                "compatibility",
622
-                "polyfill",
623
-                "portable",
624
-                "shim"
625
-            ],
626
-            "time": "2016-11-14T01:06:16+00:00"
627
-        },
628
-        {
629
-            "name": "symfony/polyfill-util",
630
-            "version": "v1.3.0",
631
-            "source": {
632
-                "type": "git",
633
-                "url": "https://github.com/symfony/polyfill-util.git",
634
-                "reference": "746bce0fca664ac0a575e465f65c6643faddf7fb"
635
-            },
636
-            "dist": {
637
-                "type": "zip",
638
-                "url": "https://api.github.com/repos/symfony/polyfill-util/zipball/746bce0fca664ac0a575e465f65c6643faddf7fb",
639
-                "reference": "746bce0fca664ac0a575e465f65c6643faddf7fb",
640
-                "shasum": ""
641
-            },
642
-            "require": {
643
-                "php": ">=5.3.3"
644
-            },
645
-            "type": "library",
646
-            "extra": {
647
-                "branch-alias": {
648
-                    "dev-master": "1.3-dev"
649
-                }
650
-            },
651
-            "autoload": {
652
-                "psr-4": {
653
-                    "Symfony\\Polyfill\\Util\\": ""
654
-                }
655
-            },
656
-            "notification-url": "https://packagist.org/downloads/",
657
-            "license": [
658
-                "MIT"
659
-            ],
660
-            "authors": [
661
-                {
662
-                    "name": "Nicolas Grekas",
663
-                    "email": "p@tchwork.com"
664
-                },
665
-                {
666
-                    "name": "Symfony Community",
667
-                    "homepage": "https://symfony.com/contributors"
668
-                }
669
-            ],
670
-            "description": "Symfony utilities for portability of PHP codes",
671
-            "homepage": "https://symfony.com",
672
-            "keywords": [
673
-                "compat",
674
-                "compatibility",
675
-                "polyfill",
676
-                "shim"
677
-            ],
678
-            "time": "2016-11-14T01:06:16+00:00"
679 291
         }
680 292
     ],
681 293
     "packages-dev": [],

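--- a/index.php
+++ b/index.php
@@ -6,48 +6,52 @@ require_once __DIR__ . "/lib/login.php";
 /* Authenticate user */
 $userpass_ok = false;
 $multiauth = false;
-if ($VARS['progress'] == "1") {
-    if (authenticate_user($VARS['username'], $VARS['password'])) {
-        switch (get_account_status($VARS['username'])) {
-            case "LOCKED_OR_DISABLED":
-                $alert = lang("account locked", false);
-                break;
-            case "TERMINATED":
-                $alert = lang("account terminated", false);
-                break;
-            case "CHANGE_PASSWORD":
-                $alert = lang("password expired", false);
-            case "NORMAL":
-                $userpass_ok = true;
-                break;
-            case "ALERT_ON_ACCESS":
-                sendLoginAlertEmail($VARS['username']);
-                $userpass_ok = true;
-                break;
+if (checkLoginServer()) {
+    if ($VARS['progress'] == "1") {
+        if (authenticate_user($VARS['username'], $VARS['password'])) {
+            switch (get_account_status($VARS['username'])) {
+                case "LOCKED_OR_DISABLED":
+                    $alert = lang("account locked", false);
+                    break;
+                case "TERMINATED":
+                    $alert = lang("account terminated", false);
+                    break;
+                case "CHANGE_PASSWORD":
+                    $alert = lang("password expired", false);
+                case "NORMAL":
+                    $userpass_ok = true;
+                    break;
+                case "ALERT_ON_ACCESS":
+                    sendLoginAlertEmail($VARS['username']);
+                    $userpass_ok = true;
+                    break;
+            }
+            if ($userpass_ok) {
+                if (userHasTOTP($VARS['username'])) {
+                    $multiauth = true;
+                } else {
+                    doLoginUser($VARS['username'], $VARS['password']);
+                    header('Location: app.php');
+                    die("Logged in, go to app.php");
+                }
+            }
+        } else {
+            $alert = lang("login incorrect", false);
         }
-        if ($userpass_ok) {
-            if (userHasTOTP($VARS['username'])) {
-                $multiauth = true;
-            } else {
-                doLoginUser($VARS['username'], $VARS['password']);
+    } else if ($VARS['progress'] == "2") {
+        if (verifyTOTP($VARS['username'], $VARS['authcode'])) {
+            if (doLoginUser($VARS['username'])) {
                 header('Location: app.php');
                 die("Logged in, go to app.php");
+            } else {
+                $alert = lang("login server user data error", false);
             }
-        }
-    } else {
-        $alert = lang("login incorrect", false);
-    }
-} else if ($VARS['progress'] == "2") {
-    if (verifyTOTP($VARS['username'], $VARS['authcode'])) {
-        if (doLoginUser($VARS['username'])) {
-            header('Location: app.php');
-            die("Logged in, go to app.php");
         } else {
-            $alert = lang("login server user data error", false);
+            $alert = lang("2fa incorrect", false);
         }
-    } else {
-        $alert = lang("2fa incorrect", false);
     }
+} else {
+    $alert = lang("login server unavailable", false);
 }
 ?>
 <!DOCTYPE html>
@@ -60,6 +64,7 @@ if ($VARS['progress'] == "1") {
         <title><?php echo SITE_TITLE; ?></title>
 
         <link href="static/css/bootstrap.min.css" rel="stylesheet">
+        <link href="static/css/font-awesome.min.css" rel="stylesheet">
         <link href="static/css/app.css" rel="stylesheet">
     </head>
     <body>
@@ -83,7 +88,7 @@ if ($VARS['progress'] == "1") {
                                 if (!is_empty($alert)) {
                                     ?>
                                     <div class="alert alert-danger">
-                                        <?php echo $alert; ?>
+                                        <i class="fa fa-fw fa-exclamation-triangle"></i> <?php echo $alert; ?>
                                     </div>
                                     <?php
                                 }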
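Review bot: The new `if (checkLoginServer())` at line 9 wraps the whole authentication block, so the Portal ping added in lib/login.php in this commit (a network round trip) now runs on every plain GET of the login page, not only when a form is submitted; testing `!is_empty($VARS['progress'])` before calling it, or moving the call inside the `progress == "1"` and `"2"` branches, keeps idle page loads independent of the Portal. While these lines are being re-indented, note that `case "CHANGE_PASSWORD":` still falls through into `case "NORMAL":` — the user is shown `password expired` but `$userpass_ok` is set and the login proceeds; if that is intended, mark it with `// intentional fallthrough`, otherwise add a `break;`. The `$VARS['progress'] == "1"` / `== "2"` comparisons are loose; `=== "1"` is the strict form and costs nothing here.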

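--- a/lang/en_us.php
+++ b/lang/en_us.php
@@ -9,6 +9,7 @@ define("STRINGS", [
     "2fa prompt" => "Enter the six-digit code from your mobile authenticator app.",
     "2fa incorrect" => "Authentication code incorrect.",
     "login incorrect" => "Login incorrect.",
+    "login server unavailable" => "Login server unavailable.  Try again later or contact technical support.",
     "account locked" => "This account has been disabled. Contact technical support.",
     "password expired" => "You must change your password before continuing.",
     "account terminated" => "Account terminated.  Access denied.",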

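--- a/lang/messages.php
+++ b/lang/messages.php
@@ -1,38 +1,10 @@
 <?php
 
 define("MESSAGES", [
-    "old_password_mismatch" => [
-        "string" => "current password incorrect",
-        "type" => "danger"
-    ],
-    "new_password_mismatch" => [
-        "string" => "new password mismatch",
-        "type" => "danger"
-    ],
-    "weak_password" => [
-        "string" => "weak password",
-        "type" => "danger"
-    ],
-    "password_updated" => [
-        "string" => "password updated",
-        "type" => "success"
-    ],
-    "2fa_removed" => [
-        "string" => "2fa removed",
-        "type" => "success"
-    ],
-    "2fa_enabled" => [
-        "string" => "2fa enabled",
-        "type" => "success"
-    ],
     "invalid_parameters" => [
         "string" => "invalid parameters",
         "type" => "danger"
     ],
-    "password_500" => [
-        "string" => "password on 500 list",
-        "type" => "danger"
-    ],
     "account_state_error" => [
         "string" => "account state error",
         "type" => "danger"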

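--- a/lib/login.php
+++ b/lib/login.php
@@ -3,6 +3,38 @@
 /**
  * Authentication and account functions.  Connects to a Portal instance.
  */
+
+/**
+ * Check the login server API for sanity
+ * @return boolean true if OK, else false
+ */
+function checkLoginServer() {
+    try {
+        $client = new GuzzleHttp\Client();
+
+        $response = $client
+                ->request('POST', PORTAL_API, [
+            'form_params' => [
+                'key' => PORTAL_KEY,
+                'action' => "ping"
+            ]
+        ]);
+
+        if ($response->getStatusCode() != 200) {
+            return false;
+        }
+
+        $resp = json_decode($response->getBody(), TRUE);
+        if ($resp['status'] == "OK") {
+            return true;
+        } else {
+            return false;
+        }
+    } catch (Exception $e) {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 //                           Account handling                                 //
 ////////////////////////////////////////////////////////////////////////////////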
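Review bot: `checkLoginServer()` builds `new GuzzleHttp\Client()` with no timeout, so a Portal that is reachable but slow blocks this request for the default socket timeout, and because index.php in this commit calls it on every page load the login page hangs with it; constructing the client as `new GuzzleHttp\Client(['timeout' => 5, 'connect_timeout' => 2])` (values illustrative) bounds that. The `$resp['status'] == "OK"` test dereferences the `json_decode()` result without checking it succeeded — a non-JSON body yields `null`, which produces an array-offset notice on current PHP before the function returns false; `isset($resp['status']) && $resp['status'] === "OK"` covers both cases and drops the loose comparison. The docblock should also say `@return bool` rather than `boolean`, and mention that every failure mode (non-200, bad JSON, transport exception) collapses to `false`, since the caller cannot distinguish them.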

+ 0
- 522
lib/worst_passwords.php

@@ -1,522 +0,0 @@
1
-<?php
2
-/*
3
- * 500 most common passwords, to be used in stopping idiots from having really bad passwords.
4
- * Source: https://github.com/danielmiessler/SecLists/blob/master/Passwords/500-worst-passwords.txt
5
- */
6
-
7
-
8
-/**
9
- * Checks a given password against the list of the 500 most common passwords.
10
- * @param string $search the password to check
11
- * @return false if not found, the password ranking if found
12
- */
13
-function checkWorst500List($search) {
14
-    $worst_password_list = [
15
-        "123456",
16
-        "password",
17
-        "12345678",
18
-        "1234",
19
-        "pussy",
20
-        "12345",
21
-        "dragon",
22
-        "qwerty",
23
-        "696969",
24
-        "mustang",
25
-        "letmein",
26
-        "baseball",
27
-        "master",
28
-        "michael",
29
-        "football",
30
-        "shadow",
31
-        "monkey",
32
-        "abc123",
33
-        "pass",
34
-        "fuckme",
35
-        "6969",
36
-        "jordan",
37
-        "harley",
38
-        "ranger",
39
-        "iwantu",
40
-        "jennifer",
41
-        "hunter",
42
-        "fuck",
43
-        "2000",
44
-        "test",
45
-        "batman",
46
-        "trustno1",
47
-        "thomas",
48
-        "tigger",
49
-        "robert",
50
-        "access",
51
-        "love",
52
-        "buster",
53
-        "1234567",
54
-        "soccer",
55
-        "hockey",
56
-        "killer",
57
-        "george",
58
-        "sexy",
59
-        "andrew",
60
-        "charlie",
61
-        "superman",
62
-        "asshole",
63
-        "fuckyou",
64
-        "dallas",
65
-        "jessica",
66
-        "panties",
67
-        "pepper",
68
-        "1111",
69
-        "austin",
70
-        "william",
71
-        "daniel",
72
-        "golfer",
73
-        "summer",
74
-        "heather",
75
-        "hammer",
76
-        "yankees",
77
-        "joshua",
78
-        "maggie",
79
-        "biteme",
80
-        "enter",
81
-        "ashley",
82
-        "thunder",
83
-        "cowboy",
84
-        "silver",
85
-        "richard",
86
-        "fucker",
87
-        "orange",
88
-        "merlin",
89
-        "michelle",
90
-        "corvette",
91
-        "bigdog",
92
-        "cheese",
93
-        "matthew",
94
-        "121212",
95
-        "patrick",
96
-        "martin",
97
-        "freedom",
98
-        "ginger",
99
-        "blowjob",
100
-        "nicole",
101
-        "sparky",
102
-        "yellow",
103
-        "camaro",
104
-        "secret",
105
-        "dick",
106
-        "falcon",
107
-        "taylor",
108
-        "111111",
109
-        "131313",
110
-        "123123",
111
-        "bitch",
112
-        "hello",
113
-        "scooter",
114
-        "please",
115
-        "porsche",
116
-        "guitar",
117
-        "chelsea",
118
-        "black",
119
-        "diamond",
120
-        "nascar",
121
-        "jackson",
122
-        "cameron",
123
-        "654321",
124
-        "computer",
125
-        "amanda",
126
-        "wizard",
127
-        "xxxxxxxx",
128
-        "money",
129
-        "phoenix",
130
-        "mickey",
131
-        "bailey",
132
-        "knight",
133
-        "iceman",
134
-        "tigers",
135
-        "purple",
136
-        "andrea",
137
-        "horny",
138
-        "dakota",
139
-        "aaaaaa",
140
-        "player",
141
-        "sunshine",
142
-        "morgan",
143
-        "starwars",
144
-        "boomer",
145
-        "cowboys",
146
-        "edward",
147
-        "charles",
148
-        "girls",
149
-        "booboo",
150
-        "coffee",
151
-        "xxxxxx",
152
-        "bulldog",
153
-        "ncc1701",
154
-        "rabbit",
155
-        "peanut",
156
-        "john",
157
-        "johnny",
158
-        "gandalf",
159
-        "spanky",
160
-        "winter",
161
-        "brandy",
162
-        "compaq",
163
-        "carlos",
164
-        "tennis",
165
-        "james",
166
-        "mike",
167
-        "brandon",
168
-        "fender",
169
-        "anthony",
170
-        "blowme",
171
-        "ferrari",
172
-        "cookie",
173
-        "chicken",
174
-        "maverick",
175
-        "chicago",
176
-        "joseph",
177
-        "diablo",
178
-        "sexsex",
179
-        "hardcore",
180
-        "666666",
181
-        "willie",
182
-        "welcome",
183
-        "chris",
184
-        "panther",
185
-        "yamaha",
186
-        "justin",
187
-        "banana",
188
-        "driver",
189
-        "marine",
190
-        "angels",
191
-        "fishing",
192
-        "david",
193
-        "maddog",
194
-        "hooters",
195
-        "wilson",
196
-        "butthead",
197
-        "dennis",
198
-        "fucking",
199
-        "captain",
200
-        "bigdick",
201
-        "chester",
202
-        "smokey",
203
-        "xavier",
204
-        "steven",
205
-        "viking",
206
-        "snoopy",
207
-        "blue",
208
-        "eagles",
209
-        "winner",
210
-        "samantha",
211
-        "house",
212
-        "miller",
213
-        "flower",
214
-        "jack",
215
-        "firebird",
216
-        "butter",
217
-        "united",
218
-        "turtle",
219
-        "steelers",
220
-        "tiffany",
221
-        "zxcvbn",
222
-        "tomcat",
223
-        "golf",
224
-        "bond007",
225
-        "bear",
226
-        "tiger",
227
-        "doctor",
228
-        "gateway",
229
-        "gators",
230
-        "angel",
231
-        "junior",
232
-        "thx1138",
233
-        "porno",
234
-        "badboy",
235
-        "debbie",
236
-        "spider",
237
-        "melissa",
238
-        "booger",
239
-        "1212",
240
-        "flyers",
241
-        "fish",
242
-        "porn",
243
-        "matrix",
244
-        "teens",
245
-        "scooby",
246
-        "jason",
247
-        "walter",
248
-        "cumshot",
249
-        "boston",
250
-        "braves",
251
-        "yankee",
252
-        "lover",
253
-        "barney",
254
-        "victor",
255
-        "tucker",
256
-        "princess",
257
-        "mercedes",
258
-        "5150",
259
-        "doggie",
260
-        "zzzzzz",
261
-        "gunner",
262
-        "horney",
263
-        "bubba",
264
-        "2112",
265
-        "fred",
266
-        "johnson",
267
-        "xxxxx",
268
-        "tits",
269
-        "member",
270
-        "boobs",
271
-        "donald",
272
-        "bigdaddy",
273
-        "bronco",
274
-        "penis",
275
-        "voyager",
276
-        "rangers",
277
-        "birdie",
278
-        "trouble",
279
-        "white",
280
-        "topgun",
281
-        "bigtits",
282
-        "bitches",
283
-        "green",
284
-        "super",
285
-        "qazwsx",
286
-        "magic",
287
-        "lakers",
288
-        "rachel",
289
-        "slayer",
290
-        "scott",
291
-        "2222",
292
-        "asdf",
293
-        "video",
294
-        "london",
295
-        "7777",
296
-        "marlboro",
297
-        "srinivas",
298
-        "internet",
299
-        "action",
300
-        "carter",
301
-        "jasper",
302
-        "monster",
303
-        "teresa",
304
-        "jeremy",
305
-        "11111111",
306
-        "bill",
307
-        "crystal",
308
-        "peter",
309
-        "pussies",
310
-        "cock",
311
-        "beer",
312
-        "rocket",
313
-        "theman",
314
-        "oliver",
315
-        "prince",
316
-        "beach",
317
-        "amateur",
318
-        "7777777",
319
-        "muffin",
320
-        "redsox",
321
-        "star",
322
-        "testing",
323
-        "shannon",
324
-        "murphy",
325
-        "frank",
326
-        "hannah",
327
-        "dave",
328
-        "eagle1",
329
-        "11111",
330
-        "mother",
331
-        "nathan",
332
-        "raiders",
333
-        "steve",
334
-        "forever",
335
-        "angela",
336
-        "viper",
337
-        "ou812",
338
-        "jake",
339
-        "lovers",
340
-        "suckit",
341
-        "gregory",
342
-        "buddy",
343
-        "whatever",
344
-        "young",
345
-        "nicholas",
346
-        "lucky",
347
-        "helpme",
348
-        "jackie",
349
-        "monica",
350
-        "midnight",
351
-        "college",
352
-        "baby",
353
-        "cunt",
354
-        "brian",
355
-        "mark",
356
-        "startrek",
357
-        "sierra",
358
-        "leather",
359
-        "232323",
360
-        "4444",
361
-        "beavis",
362
-        "bigcock",
363
-        "happy",
364
-        "sophie",
365
-        "ladies",
366
-        "naughty",
367
-        "giants",
368
-        "booty",
369
-        "blonde",
370
-        "fucked",
371
-        "golden",
372
-        "0",
373
-        "fire",
374
-        "sandra",
375
-        "pookie",
376
-        "packers",
377
-        "einstein",
378
-        "dolphins",
379
-        "chevy",
380
-        "winston",
381
-        "warrior",
382
-        "sammy",
383
-        "slut",
384
-        "8675309",
385
-        "zxcvbnm",
386
-        "nipples",
387
-        "power",
388
-        "victoria",
389
-        "asdfgh",
390
-        "vagina",
391
-        "toyota",
392
-        "travis",
393
-        "hotdog",
394
-        "paris",
395
-        "rock",
396
-        "xxxx",
397
-        "extreme",
398
-        "redskins",
399
-        "erotic",
400
-        "dirty",
401
-        "ford",
402
-        "freddy",
403
-        "arsenal",
404
-        "access14",
405
-        "wolf",
406
-        "nipple",
407
-        "iloveyou",
408
-        "alex",
409
-        "florida",
410
-        "eric",
411
-        "legend",
412
-        "movie",
413
-        "success",
414
-        "rosebud",
415
-        "jaguar",
416
-        "great",
417
-        "cool",
418
-        "cooper",
419
-        "1313",
420
-        "scorpio",
421
-        "mountain",
422
-        "madison",
423
-        "987654",
424
-        "brazil",
425
-        "lauren",
426
-        "japan",
427
-        "naked",
428
-        "squirt",
429
-        "stars",
430
-        "apple",
431
-        "alexis",
432
-        "aaaa",
433
-        "bonnie",
434
-        "peaches",
435
-        "jasmine",
436
-        "kevin",
437
-        "matt",
438
-        "qwertyui",
439
-        "danielle",
440
-        "beaver",
441
-        "4321",
442
-        "4128",
443
-        "runner",
444
-        "swimming",
445
-        "dolphin",
446
-        "gordon",
447
-        "casper",
448
-        "stupid",
449
-        "shit",
450
-        "saturn",
451
-        "gemini",
452
-        "apples",
453
-        "august",
454
-        "3333",
455
-        "canada",
456
-        "blazer",
457
-        "cumming",
458
-        "hunting",
459
-        "kitty",
460
-        "rainbow",
461
-        "112233",
462
-        "arthur",
463
-        "cream",
464
-        "calvin",
465
-        "shaved",
466
-        "surfer",
467
-        "samson",
468
-        "kelly",
469
-        "paul",
470
-        "mine",
471
-        "king",
472
-        "racing",
473
-        "5555",
474
-        "eagle",
475
-        "hentai",
476
-        "newyork",
477
-        "little",
478
-        "redwings",
479
-        "smith",
480
-        "sticky",
481
-        "cocacola",
482
-        "animal",
483
-        "broncos",
484
-        "private",
485
-        "skippy",
486
-        "marvin",
487
-        "blondes",
488
-        "enjoy",
489
-        "girl",
490
-        "apollo",
491
-        "parker",
492
-        "qwert",
493
-        "time",
494
-        "sydney",
495
-        "women",
496
-        "voodoo",
497
-        "magnum",
498
-        "juice",
499
-        "abgrtyu",
500
-        "777777",
501
-        "dreams",
502
-        "maxwell",
503
-        "music",
504
-        "rush2112",
505
-        "russia",
506
-        "scorpion",
507
-        "rebecca",
508
-        "tester",
509
-        "mistress",
510
-        "phantom",
511
-        "billy",
512
-        "6666",
513
-        "albert"
514
-    ];
515
-    
516
-    $index = array_search($search, $worst_password_list);
517
-    if ($index === FALSE) {
518
-        return false;
519
-    } else {
520
-        return $index + 1;
521
-    }
522
-}

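--- a/required.php
+++ b/required.php
@@ -10,7 +10,6 @@ header('Content-Type: text/html; charset=utf-8');
 // l33t $ecurity h4x
 header('X-Content-Type-Options: nosniff');
 header('X-XSS-Protection: 1; mode=block');
-header('X-Powered-By: Late-night coding frenzies (plz send caffeine, thx)');
 $session_length = 60 * 60; // 1 hour
 session_set_cookie_params($session_length, "/", null, false, true);
 
@@ -127,35 +126,6 @@ function lang2($key, $replace, $echo = true) {
     }
 }
 
-/**
- * Checks if an email address is valid.
- * @param string $email Email to check
- * @return boolean True if email passes validation, else false.
- */
-function isValidEmail($email) {
-    return filter_var($email, FILTER_VALIDATE_EMAIL);
-}
-
-
-/**
- * Hashes the given plaintext password
- * @param String $password
- * @return String the hash, using bcrypt
- */
-function encryptPassword($password) {
-    return password_hash($password, PASSWORD_BCRYPT);
-}
-
-/**
- * Securely verify a password and its hash
- * @param String $password
- * @param String $hash the hash to compare to
- * @return boolean True if password OK, else false
- */
-function comparePassword($password, $hash) {
-    return password_verify($password, $hash);
-}
-
 function dieifnotloggedin() {
     if ($_SESSION['loggedin'] != true) {
         sendError("Session expired.  Please log out and log in again.");
@@ -211,16 +181,9 @@ if (!function_exists('base_url')) {
 
 }
 
-function redirectToPageId($id, $args, $dontdie) {
-    header('Location: ' . URL . '?id=' . $id . $args);
-    if (is_null($dontdie)) {
-        die("Please go to " . URL . '?id=' . $id . $args);
-    }
-}
-
 function redirectIfNotLoggedIn() {
     if ($_SESSION['loggedin'] !== TRUE) {
-        header('Location: ' . URL . '/login.php');
+        header('Location: ' . URL . '/index.php');
         die();
     }
 }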
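Review bot: `redirectIfNotLoggedIn` in the third hunk keeps the strict `$_SESSION['loggedin'] !== TRUE` gate while `dieifnotloggedin`, visible as context in the second hunk, uses the loose `!= true`; a session that stores the flag as `1` or `"1"` passes one check and fails the other, so the two should agree — make the loose one strict, `if (($_SESSION['loggedin'] ?? false) !== true)`, which also avoids an undefined-index notice on a fresh session. Neither function carries a docblock; a line such as `/** Redirect to index.php and exit unless the session is marked logged in. */` on `redirectIfNotLoggedIn` would document the contract the new target relies on. Separately, the first hunk's context shows `session_set_cookie_params($session_length, "/", null, false, true)` with the secure flag set to false; worth confirming that is intended for the deployment. dieifnotloggedin's body continues outside the hunk.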
