Apps/NotePost
2
0
Fork 0
Code Issues 3 Pull Requests Releases Wiki Activity

Add reCAPTCHA support, fix bug that allowed logins with only a username and 2fa code

Browse Source
This commit is contained in:
Skylar Ittner 2017-05-02 19:17:59 -06:00
parent c6941c7bd3
commit dcd495f4e4
4 changed files with 80 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
index.php
View File

@ -3,11 +3,17 @@ require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/login.php"; require_once __DIR__ . "/lib/login.php";
// if we're logged in, we don't need to be here.
if ($_SESSION['loggedin']) {
header('Location: app.php');
}
/* Authenticate user */ /* Authenticate user */
$userpass_ok = false; $userpass_ok = false;
$multiauth = false; $multiauth = false;
if (checkLoginServer()) { if (checkLoginServer()) {
if ($VARS['progress'] == "1") { if ($VARS['progress'] == "1") {
if (!RECAPTCHA_ENABLED || (RECAPTCHA_ENABLED && verifyReCaptcha($VARS['g-recaptcha-response']))) {
if (authenticate_user($VARS['username'], $VARS['password'])) { if (authenticate_user($VARS['username'], $VARS['password'])) {
switch (get_account_status($VARS['username'])) { switch (get_account_status($VARS['username'])) {
case "LOCKED_OR_DISABLED": case "LOCKED_OR_DISABLED":
@ -27,6 +33,7 @@ if (checkLoginServer()) {
break; break;
} }
if ($userpass_ok) { if ($userpass_ok) {
$_SESSION['passok'] = true; // stop logins using only username and authcode
if (userHasTOTP($VARS['username'])) { if (userHasTOTP($VARS['username'])) {
$multiauth = true; $multiauth = true;
} else { } else {
@ -38,7 +45,14 @@ if (checkLoginServer()) {
} else { } else {
$alert = lang("login incorrect", false); $alert = lang("login incorrect", false);
} }
} else {
$alert = lang("captcha error", false);
}
} else if ($VARS['progress'] == "2") { } else if ($VARS['progress'] == "2") {
if ($_SESSION['passok'] !== true) {
// stop logins using only username and authcode
sendError("Password integrity check failed!");
}
if (verifyTOTP($VARS['username'], $VARS['authcode'])) { if (verifyTOTP($VARS['username'], $VARS['authcode'])) {
if (doLoginUser($VARS['username'])) { if (doLoginUser($VARS['username'])) {
header('Location: app.php'); header('Location: app.php');
@ -66,6 +80,9 @@ if (checkLoginServer()) {
<link href="static/css/bootstrap.min.css" rel="stylesheet"> <link href="static/css/bootstrap.min.css" rel="stylesheet">
<link href="static/css/font-awesome.min.css" rel="stylesheet"> <link href="static/css/font-awesome.min.css" rel="stylesheet">
<link href="static/css/app.css" rel="stylesheet"> <link href="static/css/app.css" rel="stylesheet">
<?php if (RECAPTCHA_ENABLED) { ?>
<script src='https://www.google.com/recaptcha/api.js'></script>
<?php } ?>
</head> </head>
<body> <body>
<div class="container"> <div class="container">
@ -97,6 +114,10 @@ if (checkLoginServer()) {
?> ?>
<input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autofocus /><br /> <input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" /><br /> <input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" /><br />
<?php if (RECAPTCHA_ENABLED) { ?>
<div class="g-recaptcha" data-sitekey="<?php echo RECAPTCHA_SITE_KEY; ?>"></div>
<br />
<?php } ?>
<input type="hidden" name="progress" value="1" /> <input type="hidden" name="progress" value="1" />
<?php <?php
} else if ($multiauth) { } else if ($multiauth) {

1
lang/en_us.php
View File

@ -23,5 +23,6 @@ define("STRINGS", [
"invalid parameters" => "Invalid request parameters.", "invalid parameters" => "Invalid request parameters.",
"login server error" => "The login server returned an error: {arg}", "login server error" => "The login server returned an error: {arg}",
"login server user data error" => "The login server refused to provide account information. Try again or contact technical support.", "login server user data error" => "The login server refused to provide account information. Try again or contact technical support.",
"captcha error" => "There was a problem with the CAPTCHA (robot test). Try again.",
"home" => "Home", "home" => "Home",
]); ]);

26
lib/login.php
View File

@ -192,6 +192,32 @@ function simLogin($username, $password) {
} }
} }
function verifyReCaptcha($code) {
try {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', "https://www.google.com/recaptcha/api/siteverify", [
'form_params' => [
'secret' => RECAPTCHA_SECRET_KEY,
'response' => $code
]
]);
if ($response->getStatusCode() != 200) {
return false;
}
$resp = json_decode($response->getBody(), TRUE);
if ($resp['success'] === true) {
return true;
}
return false;
} catch (Exception $e) {
return false;
}
}
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
// 2-factor authentication // // 2-factor authentication //
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////

6
settings.template.php
View File

@ -38,6 +38,12 @@ define("TIMEZONE", "America/Denver");
// Base URL for site links. // Base URL for site links.
define('URL', 'http://localhost:8000/'); define('URL', 'http://localhost:8000/');
// Use reCAPTCHA on login screen
// https://www.google.com/recaptcha/
define("RECAPTCHA_ENABLED", FALSE);
define('RECAPTCHA_SITE_KEY', '');
define('RECAPTCHA_SECRET_KEY', '');
// See lang folder for language options // See lang folder for language options
define('LANGUAGE', "en_us"); define('LANGUAGE', "en_us");