AccountHub/pages/security.php

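<?php
/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/

/*
 * Account security page: password change, kiosk PIN, TOTP two-factor
 * enrolment/removal and app-password management for the logged-in user.
 *
 * Expects the including script to provide $_SESSION['uid'] and
 * $_SESSION['username'], the $database query builder, $SETTINGS and the
 * $Strings i18n helper (whose get()/build() print their result directly).
 */

use OTPHP\Factory;
use Endroid\QrCode\ErrorCorrectionLevel;
use Endroid\QrCode\QrCode;

/*
 * Escape a value for an HTML text node or a double-quoted attribute.
 * Every dynamic value echoed on this page goes through this closure, except
 * $Strings output (owned by the i18n layer) and the stored app-password
 * description, which is HTML-escaped once at insert time (see below).
 */
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

$user = new User($_SESSION['uid']);

// Revoke an app password. The uid constraint ensures a user can only delete
// their own entries even if they guess a passid; the value goes to the query
// builder as a bound parameter, never interpolated into SQL.
// NOTE(review): revocation is triggered by a plain GET link (see the list
// below) and no CSRF token is visible in this file — confirm the including
// script enforces one, or move this action to a POST form.
if (!empty($_GET['delpass'])) {
    $ownedPassword = ["AND" => ["uid" => $_SESSION['uid'], "passid" => $_GET['delpass']]];
    if ($database->has("apppasswords", $ownedPassword)) {
        $database->delete("apppasswords", $ownedPassword);
    }
}
?>
<div class="row justify-content-center">
    <div class="col-sm-6 col-lg-4">
        <div class="card mb-4">
            <div class="card-body">
                <h5 class="card-title"><i class="fas fa-key"></i> <?php $Strings->get("change password"); ?></h5>
                <hr />
                <form action="action.php" method="POST">
                    <input type="password" class="form-control" name="oldpass" placeholder="<?php $Strings->get("current password"); ?>" />
                    <input type="password" class="form-control" name="newpass" placeholder="<?php $Strings->get("new password"); ?>" />
                    <input type="password" class="form-control" name="conpass" placeholder="<?php $Strings->get("confirm password"); ?>" />
                    <input type="hidden" name="action" value="chpasswd" />
                    <input type="hidden" name="source" value="security" />
                    <br />
                    <button type="submit" class="btn btn-success btn-block"><?php $Strings->get("change password"); ?></button>
                </form>
            </div>
        </div>
    </div>
<?php
// The numeric PIN is only offered on installations that run a kiosk station.
if ($SETTINGS['station_kiosk']) {
?>
    <div class="col-sm-6 col-lg-4">
        <div class="card mb-4">
            <div class="card-body">
                <h5 class="card-title"><i class="fas fa-th"></i> <?php $Strings->get("change pin"); ?></h5>
                <hr />
                <?php $Strings->get("pin explanation"); ?>
                <hr />
                <form action="action.php" method="POST">
                    <input type="password" class="form-control" name="newpin" placeholder="<?php $Strings->get("new pin"); ?>" maxlength="8" pattern="[0-9]*" inputmode="numeric" />
                    <input type="password" class="form-control" name="conpin" placeholder="<?php $Strings->get("confirm pin"); ?>" maxlength="8" pattern="[0-9]*" inputmode="numeric" />
                    <input type="hidden" name="action" value="chpin" />
                    <input type="hidden" name="source" value="security" />
                    <br />
                    <button type="submit" class="btn btn-success btn-block"><?php $Strings->get("change pin"); ?></button>
                </form>
            </div>
        </div>
    </div>
<?php
}
?>
    <div class="col-sm-6 col-lg-4">
        <div class="card mb-4">
            <div class="card-body pb-0">
                <h5 class="card-title"><i class="fas fa-mobile-alt"></i> <?php $Strings->get("setup 2fa"); ?></h5>
                <hr />
            </div>
<?php
if ($user->has2fa()) {
    // 2FA already enabled: only offer removal.
?>
            <div class="card-body pt-0">
                <?php $Strings->get("2fa active") ?>
                <hr />
                <form action="action.php" method="POST">
                    <input type="hidden" name="action" value="rm2fa" />
                    <input type="hidden" name="source" value="security" />
                    <button type="submit" class="btn btn-info btn-block"><?php $Strings->get("remove 2fa") ?></button>
                </form>
            </div>
<?php
} else if (!empty($_GET['2fa']) && $_GET['2fa'] === "generate") {
    // Enrolment step: mint a fresh secret, show it as a QR code and in clear
    // text for manual entry, and ask for one valid code before activating.
    $codeuri = $user->generate2fa();
    // Account part of the otpauth label: the e-mail address if one is set,
    // otherwise the user name. Computed separately because "." binds tighter
    // than "?:"; concatenating first would make the ternary test the (always
    // truthy) joined string and the name branch could never be reached.
    $account = is_null($user->getEmail()) ? $user->getName() : $user->getEmail();
    $label = $SETTINGS['system_name'] . ":" . $account;
    $issuer = $SETTINGS['system_name'];
    $qrCode = new QrCode($codeuri);
    $qrCode->setWriterByName('svg');
    $qrCode->setSize(550);
    $qrCode->setErrorCorrectionLevel(ErrorCorrectionLevel::HIGH());
    $qrcode = $qrCode->writeDataUri();
    $totp = Factory::loadFromProvisioningUri($codeuri);
    $codesecret = $totp->getSecret();
    // Groups of four make the secret easier to read when typing it in by hand.
    $chunk_secret = trim(chunk_split($codesecret, 4, ' '));
?>
            <div class="card-body pt-0">
                <div class="card-text">
                    <?php $Strings->get("scan 2fa qrcode") ?>
                </div>
            </div>
            <img src="<?php echo $esc($qrcode); ?>" class="card-img px-4" />
            <div class="card-body">
                <form action="action.php" method="POST">
                    <input type="text" name="totpcode" class="form-control" placeholder="<?php $Strings->get("enter otp code"); ?>" minlength="6" maxlength="6" required />
                    <br />
                    <input type="hidden" name="action" value="add2fa" />
                    <input type="hidden" name="source" value="security" />
                    <input type="hidden" name="secret" value="<?php echo $esc($codesecret); ?>" />
                    <button type="submit" class="btn btn-success btn-block">
                        <?php $Strings->get("confirm 2fa") ?>
                    </button>
                </form>
            </div>
            <div class="list-group list-group-flush">
                <div class="list-group-item">
                    <b><?php $Strings->get("manual setup"); ?></b>
                </div>
                <div class="list-group-item d-flex justify-content-between align-items-baseline">
                    <div><?php $Strings->get("secret key"); ?></div>
                    <div class="text-monospace text-right"><?php echo $esc($chunk_secret); ?></div>
                </div>
                <div class="list-group-item d-flex justify-content-between align-items-baseline">
                    <div><?php $Strings->get("label"); ?></div>
                    <div class="text-monospace text-right"><?php echo $esc($label); ?></div>
                </div>
                <div class="list-group-item d-flex justify-content-between align-items-baseline">
                    <div><?php $Strings->get("issuer"); ?></div>
                    <div class="text-monospace text-right"><?php echo $esc($issuer); ?></div>
                </div>
            </div>
<?php
} else {
    // 2FA not enabled and enrolment not started: explain it and offer a link.
?>
            <div class="card-body pt-0">
                <?php $Strings->get("2fa explained"); ?>
                <hr />
                <a class="btn btn-success btn-block" href="app.php?page=security&2fa=generate">
                    <?php $Strings->get("enable 2fa"); ?>
                </a>
            </div>
<?php
}
?>
        </div>
    </div>
    <div class="col-sm-10 col-md-6 col-lg-4 col-xl-4">
        <div class="card mb-4">
<?php
if (!empty($_GET['apppassword']) && $_GET['apppassword'] === "generate" && !empty($_POST['desc'])) {
    // Create a new app password. 80 bits from the CSPRNG, rendered as 20
    // upper-case hex characters — the same length and alphabet as before, but
    // mt_rand()/uniqid() are not suitable for generating credentials.
    $code = strtoupper(bin2hex(random_bytes(10)));
    // Stored HTML-escaped, so the description is echoed as-is wherever it is
    // listed on this page.
    $desc = htmlspecialchars($_POST['desc']);
    // Presented as XXXXX-XXXXX-XXXXX-XXXXX so it is easy to read and type.
    $chunk_code = str_replace(" ", "-", trim(chunk_split($code, 5, ' ')));
    // Only the password hash is persisted; the clear text is shown exactly
    // once, below, and cannot be recovered afterwards.
    $database->insert('apppasswords', ['uid' => $_SESSION['uid'], 'hash' => password_hash($chunk_code, PASSWORD_DEFAULT), 'description' => $desc]);
?>
            <div class="card-body">
                <h5 class="card-title"><i class="fas fa-shield-alt"></i> <?php $Strings->get("App Passwords"); ?></h5>
                <hr />
                <?php $Strings->build("app password setup instructions", ["app_name" => $desc]); ?>
            </div>
            <div class="list-group list-group-flush">
                <div class="list-group-item d-flex justify-content-between align-items-baseline">
                    <div><?php $Strings->get("username"); ?>:</div>
                    <div class="text-monospace text-right"><?php echo $esc($_SESSION['username']); ?></div>
                </div>
                <div class="list-group-item d-flex justify-content-between align-items-baseline">
                    <div><?php $Strings->get("password"); ?></div>
                    <div class="text-monospace text-right"><?php echo $esc($chunk_code); ?></div>
                </div>
            </div>
            <div class="card-body">
                <a class="btn btn-success btn-block" href="app.php?page=security"><?php $Strings->get("Done"); ?></a>
            </div>
<?php
} else {
    // Default view: creation form plus the list of existing app passwords.
    $activecodes = $database->select("apppasswords", ["passid", "description"], ["uid" => $_SESSION['uid']]);
?>
            <div class="card-body">
                <h5 class="card-title"><i class="fas fa-shield-alt"></i> <?php $Strings->get("App Passwords"); ?></h5>
                <hr />
                <p class="card-text">
                    <?php $Strings->build("app passwords explained", ["site_name" => $SETTINGS['site_title']]); ?>
                </p>
                <form action="app.php?page=security&apppassword=generate" method="POST">
                    <input type="text" name="desc" class="form-control" placeholder="<?php $Strings->get("App name"); ?>" required />
                    <button class="btn btn-success btn-block mt-2" type="submit">
                        <?php $Strings->get("Generate password"); ?>
                    </button>
                </form>
            </div>
            <div class="list-group list-group-flush">
                <div class="list-group-item">
                    <b><?php $Strings->get("App Passwords"); ?></b>
                </div>
<?php
    if (count($activecodes) > 0) {
        foreach ($activecodes as $c) {
            // $c['description'] was HTML-escaped when inserted (see above), so it is
            // printed as-is; escaping it again would double-encode existing rows.
?>
                <div class="list-group-item d-flex justify-content-between align-items-center">
                    <div>
                        <div class="">
                            <?php echo $c['description']; ?>
                        </div>
                    </div>
                    <div>
                        <a class="btn btn-danger btn-sm m-1" href="app.php?page=security&delpass=<?php echo $esc(rawurlencode($c['passid'])); ?>" data-toggle="tooltip" data-placement="bottom" title="<?php $Strings->get("Revoke password"); ?>">
                            <i class='fas fa-trash'></i><noscript> <?php $Strings->get("Revoke password"); ?></noscript>
                        </a>
                    </div>
                </div>
<?php
        }
    } else {
?>
                <div class="list-group-item">
                    <?php $Strings->get("You don't have any app passwords."); ?>
                </div>
<?php
    }
?>
            </div>
<?php
}
?>
        </div>
    </div>
</div>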