authorRaindropsSys <contact@minteck.org>2023-07-07 22:09:19 +0200
committerRaindropsSys <contact@minteck.org>2023-07-07 22:09:19 +0200
commita5c8dce987df2f59f4605c8a34033b120b449db5 (patch)
treeb1e3e839ba15423bfbd047bc6f323575b1de5831
parent7da33614f1a8708bebcb4f04ee99224c5d6db1d3 (diff)
Updated 6 files (automated)
-rw-r--r--auth/callback/index.php11
-rw-r--r--includes/util/session.inc40
-rw-r--r--pages/api/rename.php4
-rw-r--r--pages/api/session.php6
-rw-r--r--pages/home.inc2
-rw-r--r--pages/sessions.inc8
6 files changed, 38 insertions, 33 deletions
diff --git a/auth/callback/index.php b/auth/callback/index.php
index f48912c..1ff53f7 100644
--- a/auth/callback/index.php
+++ b/auth/callback/index.php
@@ -37,7 +37,7 @@ if (isset($result["access_token"])) {
"Accept: application/json"
]);
- $result = curl_exec($crl);
+ $result = $result_orig = curl_exec($crl);
$result = json_decode($result, true);
if (!in_array($result["id"], $appdata["oauth"]["allowed"]["admin"]) && !in_array($result["id"], $appdata["oauth"]["allowed"]["lower"])) {
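Review bot: `$result_orig` on L30 is taken straight from `curl_exec` with no check for `false` and no check that the subsequent `json_decode` succeeded, yet later in this file that raw body is written to disk as the token file, so a transport failure would persist an empty file and the `$result["id"]` lookup on L32 would run against `null`. Add `if ($result_orig === false) die();` directly after the assignment and test `json_last_error() === JSON_ERROR_NONE` after decoding. The two `in_array` calls on L32 are non-strict; passing `strict: true` keeps a `null` or numeric id from loosely matching an allow-list entry. The enclosing `if (isset($result["access_token"]))` block begins before this hunk.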
@@ -45,27 +45,32 @@ if (isset($result["access_token"])) {
die();
}
+ if (!file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions")) mkdir($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions");
if (!file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens")) mkdir($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens");
if (!file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens")) mkdir($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens");
$token = generateToken();
if (in_array($result["id"], $appdata["oauth"]["allowed"]["admin"])) {
- file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token, json_encode([
+ file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . $token, json_encode([
"created" => time(),
"last" => time(),
"profile" => $result,
"addresses" => [],
"name" => "Cold Haze Web (" . get_browser(null, true)["browser"] . " on " . str_replace("Windows dows", "Windows", str_replace("Win", "Windows ", str_replace("MacOSX", "macOS", get_browser(null, true)["platform"]))) . ")"
]));
+
+ file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token, $result_orig);
} else {
- file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . $token, json_encode([
+ file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/session/" . $token, json_encode([
"created" => time(),
"last" => time(),
"profile" => $result,
"addresses" => [],
"name" => "Cold Haze Web (" . get_browser(null, true)["browser"] . " on " . get_browser(null, true)["platform"] . ")"
]));
+
+ file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . $token, $result_orig);
}
header("Set-Cookie: PEH2_SESSION_TOKEN=" . $token . "; SameSite=None; Path=/; Secure; HttpOnly; Expires=" . date("r", time() + (86400 * 730)));
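Review bot: The lower-privilege branch on L53 writes the session record to `includes/session/` (singular) while the directory created on L36 and every reader in session.inc use `includes/sessions/`, so that write fails and lower users end up with no session record at all; it should be `file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . $token, json_encode([`. None of the `file_put_contents` calls in this hunk check their return value, and the three `mkdir` calls pass no mode, so the directories get the umask default. All three directories sit under `$_SERVER['DOCUMENT_ROOT']`, and the files now hold the raw upstream profile JSON plus IP history; confirm the web server refuses to serve `includes/`, or move them outside the document root. The enclosing `if` block begins before this hunk.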
diff --git a/includes/util/session.inc b/includes/util/session.inc
index e3af58b..6449ee9 100644
--- a/includes/util/session.inc
+++ b/includes/util/session.inc
@@ -36,13 +36,13 @@ $token = $authorization ?? $post ?? $_POST["_session"] ?? $_GET["_session"] ?? $
if (isset($token)) {
if (!(str_contains($token, "/") || trim($token) === "" || trim($token) === "." || trim($token) === "..")) {
if (file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token))) {
- $data = json_decode(pf_utf8_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token))), true);
+ $data = json_decode(pf_utf8_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token))), true);
if (isset($data["profile"])) {
- $_PROFILE = $data["profile"];
+ $_PROFILE = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token)), true);
if (time() - $data["last"] > 86400 * 30) {
- unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token));
+ unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token));
unset($_PROFILE);
$isLoggedIn = false;
$isLowerLoggedIn = false;
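Review bot: The expiry branch on L79 unlinks only the `sessions/` record, but the token was accepted on L71 because the `tokens/` file exists, and that file is left in place; on the next request `file_exists` still passes, the `sessions/` read on L73 returns `false`, `$data["profile"]` is unset, and control reaches the trailing `else` of this `if` (outside this hunk), which still populates `$_PROFILE` from `tokens/`. Expiry therefore does not end the session; delete both files, adding `unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token));` next to the existing unlink. The same fall-through means any pre-migration `tokens/` file with no `sessions/` counterpart is presumably still accepted, which contradicts the "logged out due to switching to a new authentication system" notice in home.inc. The `if` opened on L69 continues past this hunk.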
@@ -52,18 +52,18 @@ if (isset($token)) {
if (!isset($data["addresses"])) $data["addresses"] = [];
$data["addresses"][$_SERVER["HTTP_X_FORWARDED_FOR"] ?? $_SERVER["REMOTE_ADDR"]] = time();
- copy($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token), $_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token) . ".old");
+ copy($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token), $_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token) . ".old");
- file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token), pf_utf8_encode(json_encode($data)));
+ file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token), pf_utf8_encode(json_encode($data)));
- if (trim(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token)) === "")) {
- unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token));
- copy($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token) . ".old", $_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token));
+ if (trim(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token)) === "")) {
+ unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token));
+ copy($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token) . ".old", $_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token));
}
- unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token) . ".old");
+ unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token) . ".old");
} else {
- $_PROFILE = $data;
+ $_PROFILE = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token)), true);
}
if (isset($_GET['invert'])) {
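Review bot: The `else` on L101 grants a profile from the `tokens/` file alone whenever the `sessions/` record lacks a `profile` key, so a missing, truncated or corrupt session record skips the `last`-based expiry and the address bookkeeping above it entirely and the request is still treated as authenticated by the `$isLoggedIn = true` that follows this hunk. A record without `profile` should be rejected instead: `unset($_PROFILE); $isLoggedIn = false; $isLowerLoggedIn = false;` with the unconditional `$isLoggedIn = true` moved into the successful branch. The write-then-verify-then-restore sequence on L87–L98 has no locking, so two concurrent requests with the same token can interleave the `copy`/`unlink` steps and lose the record; `file_put_contents(..., LOCK_EX)` is the cheap improvement. The enclosing `if` continues after this hunk.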
@@ -73,13 +73,13 @@ if (isset($token)) {
$isLoggedIn = true;
} elseif (file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token))) {
- $data = json_decode(pf_utf8_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token))), true);
+ $data = json_decode(pf_utf8_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token))), true);
if (isset($data["profile"])) {
- $_PROFILE = $data["profile"];
+ $_PROFILE = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token)), true);
if (time() - $data["last"] > 86400 * 30) {
- unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token));
+ unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token));
unset($_PROFILE);
$isLoggedIn = false;
$isLowerLoggedIn = false;
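Review bot: The lower-privilege expiry on L114 now unlinks the `sessions/` record but leaves the `lowertokens/` file that L106 tests, so the next request still passes `file_exists`, the `sessions/` read on L108 yields `false`, and the `else` at the end of this `if` (outside this hunk) rebuilds `$_PROFILE` from `lowertokens/` and logs the user back in. The removed line targeted `tokens/`, so this branch has never deleted the file it keys on; add `unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token));` beside the existing unlink. The `elseif` opened on L106 continues past this hunk.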
@@ -89,18 +89,18 @@ if (isset($token)) {
if (!isset($data["addresses"])) $data["addresses"] = [];
$data["addresses"][$_SERVER["HTTP_X_FORWARDED_FOR"] ?? $_SERVER["REMOTE_ADDR"]] = time();
- copy($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token), $_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token) . ".old");
+ copy($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token), $_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token) . ".old");
- file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token), pf_utf8_encode(json_encode($data)));
+ file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token), pf_utf8_encode(json_encode($data)));
- if (trim(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token)) === "")) {
- unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token));
- copy($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token) . ".old", $_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token));
+ if (trim(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token)) === "")) {
+ unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token));
+ copy($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token) . ".old", $_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token));
}
- unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token) . ".old");
+ unlink($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token) . ".old");
} else {
- $_PROFILE = $data;
+ $_PROFILE = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . str_replace("/", "", $token)), true);
}
$isLowerLoggedIn = true;
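Review bot: The `else` on L136 turns the raw `lowertokens/` file into `$_PROFILE` whenever the `sessions/` record has no `profile`, and L138 then sets `$isLowerLoggedIn = true`, so a token whose session record is missing (which is exactly what the `includes/session/` typo in auth/callback produces) is still accepted without any expiry check. Reject it instead: `unset($_PROFILE); $isLowerLoggedIn = false;` in that branch, with the success flag set only where `$data["profile"]` was present. As in the admin branch, the `copy`/`file_put_contents`/`unlink` sequence on L122–L133 is not atomic; `LOCK_EX` on the write would at least serialise concurrent requests. The enclosing `elseif` starts before this hunk.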
diff --git a/pages/api/rename.php b/pages/api/rename.php
index 3aab034..4e01b06 100644
--- a/pages/api/rename.php
+++ b/pages/api/rename.php
@@ -15,7 +15,7 @@ $obj = [
];
global $token;
-$data = json_decode(pf_utf8_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token))), true);
+$data = json_decode(pf_utf8_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token))), true);
$data["name"] = $_POST["name"] ?? $_GET["name"] ?? $data["name"];
$obj["pre_name"] = $data["name"];
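Review bot: `file_get_contents` on L147 is called without confirming the `sessions/` record exists; when it is missing the call returns `false`, `$data` becomes `null`, and the write at the end of this file (outside this hunk) persists a record that contains only `name`, effectively materialising a session record from a bare token. Guard it before decoding: `if (!is_file($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token))) die(json_encode(["error" => "unknown session"]));`. The `name` taken from `$_POST`/`$_GET` on L148 is stored with no length limit and is presumably rendered later; a cap such as `mb_substr($name, 0, 128)` is cheap. The script also accepts the rename via `GET`, which makes it reachable from a plain link; restricting it to `POST` is worth considering.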
@@ -33,5 +33,5 @@ if (json_last_error() === JSON_ERROR_NONE) {
$obj["new_name"] = $data["name"];
-file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token), pf_utf8_encode(json_encode($data)));
+file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token), pf_utf8_encode(json_encode($data)));
die(json_encode($obj)); \ No newline at end of file
diff --git a/pages/api/session.php b/pages/api/session.php
index d410c10..25d833d 100644
--- a/pages/api/session.php
+++ b/pages/api/session.php
@@ -7,9 +7,9 @@ header("Content-Type: application/json");
global $token;
if (isset($_GET["raw"])) {
- die(json_encode(json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token)), true), JSON_PRETTY_PRINT));
+ die(json_encode(json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token)), true), JSON_PRETTY_PRINT));
} else {
- if (!$isLoggedIn || $isLowerLoggedIn) {
+ if (!$isLoggedIn || $isLowerLoggedIn) {
die(json_encode([
"name" => null,
"created" => null,
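Review bot: The `raw` branch on L163 dumps the entire session record, including `profile` and the `addresses` IP history, before the `!$isLoggedIn || $isLowerLoggedIn` gate on L166 is evaluated, so a lower-privilege token receives the raw dump even though the non-raw path refuses it. Move the gate above `isset($_GET["raw"])`, or repeat the same test inside the raw branch before reading the file. Like the other readers in this commit it assumes the `sessions/` file exists; on a missing record `file_get_contents` returns `false` and the client receives `null`, indistinguishable from an empty session. The change on L166 is whitespace only.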
@@ -18,7 +18,7 @@ if (isset($_GET["raw"])) {
], JSON_PRETTY_PRINT));
}
- $data = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . str_replace("/", "", $token)), true);
+ $data = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . str_replace("/", "", $token)), true);
die(json_encode([
"name" => $data["name"],
diff --git a/pages/home.inc b/pages/home.inc
index 6e2c073..8ea2879 100644
--- a/pages/home.inc
+++ b/pages/home.inc
@@ -184,7 +184,7 @@ function members() { global $isLoggedIn; global $isLowerLoggedIn; global $app; ?
<?php if (isset($_COOKIE["PEH2_SESSION_TOKEN"]) && $_COOKIE["PEH2_SESSION_TOKEN"] !== "" && !$isLoggedIn && !$isLowerLoggedIn): ?>
<div class="alert alert-warning" style="margin-top:20px;">
- <b>You were previously logged in to Cold Haze, </b>however you have been logged out due to inactivity, due to your device being removed, or due to switching to a new authentication system. Please log in again. <a href="https://bugs.equestria.dev/issue/CH-56/Better-session-security" target="_blank">Learn more.</a>
+ <b>You were previously logged in to Cold Haze, </b>however you have been logged out due to inactivity, due to your device being removed, or due to switching to a new authentication system (such as the v3). Please log in again. <a href="https://bugs.equestria.dev/issue/CH-56/Better-session-security" target="_blank">Learn more.</a>
</div>
<?php endif; ?>
diff --git a/pages/sessions.inc b/pages/sessions.inc
index e24a78f..f324494 100644
--- a/pages/sessions.inc
+++ b/pages/sessions.inc
@@ -37,13 +37,13 @@ $verifiedNames = [
$list = array_filter([...scandir($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens"), ...scandir($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens")], function ($token) {
if ($token === "." || $token === "..") return false;
- $session = file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token) ? json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token), true) : json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . $token), true);
+ $session = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . $token), true);
return isset($session["last"]) && isset($session["profile"]);
});
usort($list, function ($token1, $token2) {
- $session1 = file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token1) ? json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token1), true) : json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . $token1), true);
- $session2 = file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token2) ? json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token2), true) : json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . $token2), true);
+ $session1 = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . $token1), true);
+ $session2 = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . $token2), true);
if (isset($session1["last"]) && isset($session2["last"])) {
return $session2["last"] - $session1["last"];
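Review bot: The list on L193 is still built from the `tokens/` and `lowertokens/` directory listings while L196, L202 and L203 read each record from `sessions/`, so any token with no matching session record makes `file_get_contents` emit a warning and return `false`. Either scan `includes/sessions` directly (skipping the transient `.old` backups that session.inc creates there) since it is now the source of truth, or guard every read with `is_file(...)`. Each record is also decoded from disk once in the filter and twice per comparison in `usort`; decode once into an array keyed by token and sort that. The `usort` callback continues after this hunk.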
@@ -54,7 +54,7 @@ $verifiedNames = [
$addressFetchIndex = 0;
- foreach ($list as $token): $session = file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token) ? json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token), true) : json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/lowertokens/" . $token), true); if (isset($session["profile"]) && isset($session["name"]) && ($session["profile"]["id"] ?? "") === ($_PROFILE["id"] ?? "")): uasort($session["addresses"], function ($a, $b) {
+ foreach ($list as $token): $session = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/sessions/" . $token), true); if (isset($session["profile"]) && isset($session["name"]) && ($session["profile"]["id"] ?? "") === ($_PROFILE["id"] ?? "")): uasort($session["addresses"], function ($a, $b) {
return $b - $a;
}); ?>
<a class="list-group-item list-group-item-action" onclick="logOut(&quot;<?= sha1($token) . md5($token) ?>&quot;);">