182 lines
5.6 KiB
PHP
182 lines
5.6 KiB
PHP
<?php
|
|
/**
|
|
* Authentication handler for Ziti Router Enrollment UI
|
|
*/
|
|
|
|
require_once 'config.php';
|
|
|
|
class AuthManager {
|
|
|
|
/**
|
|
* Authenticate user with username and password
|
|
*/
|
|
public static function authenticate($username, $password) {
|
|
$username = sanitizeInput($username);
|
|
|
|
if ($username === ADMIN_USERNAME && password_verify($password, ADMIN_PASSWORD_HASH)) {
|
|
$_SESSION['authenticated'] = true;
|
|
$_SESSION['username'] = $username;
|
|
$_SESSION['last_activity'] = time();
|
|
$_SESSION['login_time'] = time();
|
|
|
|
// Check if this is first login with default credentials
|
|
if (USER_FIRST_LOGIN) {
|
|
$_SESSION['requires_setup'] = true;
|
|
}
|
|
|
|
// Generate new CSRF token
|
|
generateCSRFToken();
|
|
|
|
logMessage('INFO', "User '$username' logged in successfully from " . $_SERVER['REMOTE_ADDR']);
|
|
return true;
|
|
}
|
|
|
|
logMessage('WARNING', "Failed login attempt for user '$username' from " . $_SERVER['REMOTE_ADDR']);
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Logout user
|
|
*/
|
|
public static function logout() {
|
|
if (isset($_SESSION['username'])) {
|
|
logMessage('INFO', "User '{$_SESSION['username']}' logged out");
|
|
}
|
|
|
|
session_destroy();
|
|
session_start();
|
|
}
|
|
|
|
/**
|
|
* Check if user is authenticated and session is valid
|
|
*/
|
|
public static function requireAuth() {
|
|
if (!isAuthenticated() || !isSessionValid()) {
|
|
header('Location: index.php?error=session_expired');
|
|
exit;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get current user info
|
|
*/
|
|
public static function getCurrentUser() {
|
|
if (!isAuthenticated()) {
|
|
return null;
|
|
}
|
|
|
|
return [
|
|
'username' => $_SESSION['username'] ?? '',
|
|
'login_time' => $_SESSION['login_time'] ?? 0,
|
|
'last_activity' => $_SESSION['last_activity'] ?? 0
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Check CSRF token for forms
|
|
*/
|
|
public static function requireCSRF() {
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
$token = $_POST[CSRF_TOKEN_NAME] ?? '';
|
|
if (!verifyCSRFToken($token)) {
|
|
http_response_code(403);
|
|
die('CSRF token validation failed');
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Change user credentials (username and/or password)
|
|
*/
|
|
public static function changeCredentials($currentPassword, $newUsername, $newPassword) {
|
|
// Verify current password
|
|
if (!password_verify($currentPassword, ADMIN_PASSWORD_HASH)) {
|
|
return ['success' => false, 'error' => 'Current password is incorrect'];
|
|
}
|
|
|
|
// Validate new username
|
|
$newUsername = sanitizeInput($newUsername);
|
|
if (strlen($newUsername) < 3 || strlen($newUsername) > 20) {
|
|
return ['success' => false, 'error' => 'Username must be between 3 and 20 characters'];
|
|
}
|
|
|
|
if (!preg_match('/^[a-zA-Z0-9_]+$/', $newUsername)) {
|
|
return ['success' => false, 'error' => 'Username can only contain letters, numbers, and underscores'];
|
|
}
|
|
|
|
// Validate new password
|
|
if (strlen($newPassword) < 6) {
|
|
return ['success' => false, 'error' => 'Password must be at least 6 characters long'];
|
|
}
|
|
|
|
try {
|
|
// Load current user config
|
|
$userConfig = loadUserConfig();
|
|
|
|
// Update credentials
|
|
$userConfig['username'] = $newUsername;
|
|
$userConfig['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
|
|
$userConfig['first_login'] = false;
|
|
$userConfig['last_updated'] = time();
|
|
|
|
// Save updated config
|
|
saveUserConfig($userConfig);
|
|
|
|
logMessage('INFO', "User credentials changed successfully. New username: '$newUsername'");
|
|
|
|
return ['success' => true, 'message' => 'Credentials updated successfully'];
|
|
|
|
} catch (Exception $e) {
|
|
logMessage('ERROR', "Failed to update user credentials: " . $e->getMessage());
|
|
return ['success' => false, 'error' => 'Failed to save new credentials'];
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Check if user requires setup (first login)
|
|
*/
|
|
public static function requiresSetup() {
|
|
return isset($_SESSION['requires_setup']) && $_SESSION['requires_setup'] === true;
|
|
}
|
|
|
|
/**
|
|
* Complete initial setup
|
|
*/
|
|
public static function completeSetup($currentPassword, $newUsername, $newPassword) {
|
|
$result = self::changeCredentials($currentPassword, $newUsername, $newPassword);
|
|
|
|
if ($result['success']) {
|
|
// Clear setup requirement
|
|
unset($_SESSION['requires_setup']);
|
|
logMessage('INFO', "Initial setup completed for user: '$newUsername'");
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Handle login form submission
|
|
*/
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'login') {
|
|
$username = $_POST['username'] ?? '';
|
|
$password = $_POST['password'] ?? '';
|
|
|
|
if (AuthManager::authenticate($username, $password)) {
|
|
header('Location: dashboard.php');
|
|
exit;
|
|
} else {
|
|
$loginError = 'Invalid username or password';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Handle logout
|
|
*/
|
|
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
|
|
AuthManager::logout();
|
|
header('Location: index.php?message=logged_out');
|
|
exit;
|
|
}
|
|
?>
|