Business/AccountHub
2
0
Fork 2
Code Issues 3 Pull Requests Releases 3 Wiki Activity

Improve mobile integration, fix some upper/lower case bugs

Browse Source
This commit is contained in:
Skylar Ittner 2017-07-03 03:00:23 -06:00
parent bee707be8a
commit 14f401f355
10 changed files with 68 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
api.php
View File

@ -43,10 +43,10 @@ switch ($VARS['action']) {
case "auth":
$errmsg = "";
if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
insertAuthLog(12, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(12, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "OK", "msg" => lang("login successful", false)]));
} else {
insertAuthLog(13, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(13, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
if (!is_empty($errmsg)) {
exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
}
@ -70,7 +70,7 @@ switch ($VARS['action']) {
case "userinfo":
if (!is_empty($VARS['username'])) {
if (user_exists_local($VARS['username'])) {
$data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => $VARS['username']])[0];
$data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => strtolower($VARS['username'])])[0];
exit(json_encode(["status" => "OK", "data" => $data]));
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
@ -112,7 +112,7 @@ switch ($VARS['action']) {
if (verifyTOTP($VARS['username'], $VARS['code'])) {
exit(json_encode(["status" => "OK", "valid" => true]));
} else {
insertAuthLog(7, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(7, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("2fa incorrect", false), "valid" => false]));
}
break;
@ -123,30 +123,30 @@ switch ($VARS['action']) {
// simulate a login, checking account status and alerts
$errmsg = "";
if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
$uid = $database->select('accounts', 'uid', ['username' => $VARS['username']])[0];
$uid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])])[0];
switch (get_account_status($VARS['username'])) {
case "LOCKED_OR_DISABLED":
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("account locked", false)]));
case "TERMINATED":
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("account terminated", false)]));
case "CHANGE_PASSWORD":
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("password expired", false)]));
case "NORMAL":
insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "OK"]));
case "ALERT_ON_ACCESS":
sendLoginAlertEmail($VARS['username']);
insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "OK", "alert" => true]));
default:
insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
exit(json_encode(["status" => "ERROR", "msg" => lang("account state error", false)]));
}
} else {
insertAuthLog(5, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
insertAuthLog(5, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
if (!is_empty($errmsg)) {
exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
}
@ -168,13 +168,13 @@ switch ($VARS['action']) {
} else {
if (user_exists_local($VARS['manager'])) {
if (user_exists_local($VARS['employee'])) {
$managerid = $database->select('accounts', 'uid', ['username' => $VARS['manager']]);
$employeeid = $database->select('accounts', 'uid', ['username' => $VARS['employee']]);
$managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['manager'])]);
$employeeid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['employee'])]);
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['employee']]));
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['employee'])]));
}
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['manager']]));
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['manager'])]));
}
}
if ($database->has('managers', ['AND' => ['managerid' => $managerid, 'employeeid' => $employeeid]])) {
@ -191,8 +191,8 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
} else if ($VARS['username']) {
if ($database->has("accounts", ['username' => $VARS['username']])) {
$managerid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
$managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
@ -211,8 +211,8 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
} else if ($VARS['username']) {
if ($database->has("accounts", ['username' => $VARS['username']])) {
$empid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
$empid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
@ -243,7 +243,7 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
}
} else if ($VARS['username']) {
if ($database->has("accounts", ['username' => $VARS['username']])) {
if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
$user = $VARS['username'];
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
@ -262,7 +262,8 @@ switch ($VARS['action']) {
http_response_code(400);
die("\"400 Bad Request\"");
}
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['code'], 'accounts.username' => $VARS['username']]]);
$code = strtoupper($VARS['code']);
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $code, 'accounts.username' => strtolower($VARS['username'])]]);
exit(json_encode(["status" => "OK", "valid" => $user_key_valid]));
case "alertemail":
engageRateLimit();

2
apps/inventory_link.php
View File

@ -10,6 +10,6 @@ $APPS["inventory_link"]["i18n"] = TRUE;
$APPS["inventory_link"]["title"] = "inventory";
$APPS["inventory_link"]["icon"] = "cubes";
$APPS["inventory_link"]["type"] = "teal";
$content = "<p>" . lang("open inventory system", false) . '</p><a href="' . INVENTORY_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content = "<p class='mobile-app-hide'>" . lang("open inventory system", false) . '</p><a href="' . INVENTORY_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["inventory_link"]["content"] = $content;
?>

2
apps/qwikclock_inout.php
View File

@ -38,6 +38,6 @@ $content .= <<<END
<a href="home.php?&qwikclock=punchin" class="btn btn-block btn-success btn-lg"><i class="fa fa-play"></i> $lang_punchin</a>
<a href="home.php?qwikclock=punchout" class="btn btn-block btn-danger btn-lg"><i class="fa fa-stop"></i> $lang_punchout</a>
END;
$content .= '<br /><a href="' . QWIKCLOCK_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content .= '<br /><a href="' . QWIKCLOCK_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["qwikclock_inout"]["content"] = $content;
?>

6
apps/sync_mobile.php
View File

@ -31,8 +31,9 @@ if ($_GET['mobilecode'] == "generate") {
$code = strtoupper(substr(md5(mt_rand() . uniqid("", true)), 0, 20));
$database->insert('mobile_codes', ['uid' => $_SESSION['uid'], 'code' => $code]);
}
$url = str_replace("/", "\\", URL . "mobile/index.php");
$codeuri = "bizsync://" . $url . "/" . $_SESSION['username'] . "/" . $code;
$url = URL . "mobile/index.php";
$encodedurl = str_replace("/", "\\", $url);
$codeuri = "bizsync://" . $encodedurl . "/" . $_SESSION['username'] . "/" . $code;
$qrCode = new QrCode($codeuri);
$qrCode->setSize(200);
$qrCode->setErrorCorrection("H");
@ -42,6 +43,7 @@ if ($_GET['mobilecode'] == "generate") {
$APPS["sync_mobile"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan sync qrcode", false) . '</div>' . <<<END
<img src="$qrcode" class="img-responsive qrcode" />
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$chunk_code</div>
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$url</div>
<a class="btn btn-success btn-sm btn-block" href="home.php?page=security">$lang_done</a>
END;
} else {

2
apps/taskfloor_messages.php
View File

@ -49,6 +49,6 @@ END;
} catch (Exception $e) {
$content = "<div class=\"alert alert-danger\">" . lang("error loading widget", false) . " " . $e->getMessage() . "</div>";
}
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["taskfloor_messages"]["content"] = $content;
?>

2
apps/taskfloor_tasks.php
View File

@ -37,6 +37,6 @@ try {
} catch (Exception $e) {
$content = "<div class=\"alert alert-danger\">" . lang("error loading widget", false) . " " . $e->getMessage() . "</div>";
}
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$content .= '<a href="' . TASKFLOOR_HOME . '" class="btn btn-primary btn-block mobile-app-hide">' . lang("open app", false) . ' &nbsp;<i class="fa fa-external-link-square"></i></a>';
$APPS["taskfloor_tasks"]["content"] = $content;
?>

4
home.php
View File

@ -83,7 +83,7 @@ if (!is_empty($_GET['page'])) {
<ul class="dropdown-menu" role="menu">
<li><a href="home.php?page=security"><i class="fa fa-gears fa-fw"></i> <?php lang("options") ?></a></li>
<li class="divider"></li>
<li><a href="action.php?action=signout"><i class="fa fa-sign-out fa-fw"></i> <?php lang("sign out") ?></a></li>
<li class="mobile-app-hide"><a href="action.php?action=signout"><i class="fa fa-sign-out fa-fw"></i> <?php lang("sign out") ?></a></li>
</ul>
</li>
</ul>
@ -91,7 +91,7 @@ if (!is_empty($_GET['page'])) {
</div>
</nav>
<div class="app-dock-container">
<div class="app-dock-container mobile-app-hide">
<div class="app-dock">
<?php
foreach (EXTERNAL_APPS as $a) {

12
index.php
View File

@ -190,8 +190,8 @@ if ($VARS['progress'] == "1") {
if (!$multiauth && !$change_password) {
?>
<input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" /><br />
<input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<?php if (RECAPTCHA_ENABLED) { ?>
<div class="g-recaptcha" data-sitekey="<?php echo RECAPTCHA_SITE_KEY; ?>"></div>
<br />
@ -203,15 +203,15 @@ if ($VARS['progress'] == "1") {
<div class="alert alert-info">
<?php lang("2fa prompt"); ?>
</div>
<input type="text" class="form-control" name="authcode" placeholder="<?php lang("authcode"); ?>" required="required" autocomplete="off" autofocus /><br />
<input type="text" class="form-control" name="authcode" placeholder="<?php lang("authcode"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="hidden" name="progress" value="2" />
<input type="hidden" name="username" value="<?php echo $VARS['username']; ?>" />
<?php
} else if ($change_password) {
?>
<input type="password" class="form-control" name="oldpass" placeholder="Current password" required="required" autocomplete="new-password" autofocus /><br />
<input type="password" class="form-control" name="newpass" placeholder="New password" required="required" autocomplete="off" /><br />
<input type="password" class="form-control" name="conpass" placeholder="New password (again)" required="required" autocomplete="off" /><br />
<input type="password" class="form-control" name="oldpass" placeholder="Current password" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="password" class="form-control" name="newpass" placeholder="New password" required="required" autocomplete="new-password" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<input type="password" class="form-control" name="conpass" placeholder="New password (again)" required="required" autocomplete="new-password" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<input type="hidden" name="progress" value="chpasswd" />
<?php
}

8
lib/login.php
View File

@ -190,7 +190,7 @@ function authenticate_user($username, $password, &$errormsg, &$errorcode) {
}
function user_exists($username) {
return account_location($username) !== "NONE";
return account_location(strtolower($username)) !== "NONE";
}
/**
@ -285,12 +285,14 @@ function doLoginUser($username, $password) {
*/
function sendLoginAlertEmail($username, $appname = SITE_TITLE) {
if (is_empty(ADMIN_EMAIL) || filter_var(ADMIN_EMAIL, FILTER_VALIDATE_EMAIL) === FALSE) {
return "false";
return "invalid_to_email";
}
if (is_empty(FROM_EMAIL) || filter_var(FROM_EMAIL, FILTER_VALIDATE_EMAIL) === FALSE) {
return "false";
return "invalid_from_email";
}
$username = strtolower($username);
$mail = new PHPMailer;
if (DEBUG) {

44
mobile/index.php
View File

@ -26,12 +26,15 @@ if (is_empty($VARS['username']) || is_empty($VARS['key'])) {
die(json_encode(["status" => "ERROR", "msg" => "Missing username and/or access key."]));
}
$username = strtolower($VARS['username']);
$key = strtoupper($VARS['key']);
// Make sure the username and key are actually legit
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['key'], 'accounts.username' => $VARS['username']]]);
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $key, 'accounts.username' => $username]]);
if ($user_key_valid !== TRUE) {
engageRateLimit();
http_response_code(401);
insertAuthLog(21, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(21, null, "Username: " . $username . ", Key: " . $key);
die(json_encode(["status" => "ERROR", "msg" => "Invalid username and/or access key."]));
}
@ -44,53 +47,54 @@ switch ($VARS['action']) {
case "check_password":
// Check if the user-supplied password is valid.
engageRateLimit();
if (get_account_status($VARS['username']) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
if (get_account_status($username) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
}
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
$uid = $database->get("accounts", "uid", ["username" => $VARS['username']]);
insertAuthLog(19, $uid, "Key: " . $VARS['key']);
if (authenticate_user($username, $VARS['password'], $autherror)) {
$uid = $database->get("accounts", "uid", ["username" => $username]);
insertAuthLog(19, $uid, "Key: " . $key);
exit(json_encode(["status" => "OK", "uid" => $uid]));
} else {
if (!is_empty($autherror)) {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
} else {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
}
}
case "user_info":
engageRateLimit();
if (get_account_status($VARS['username']) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
if (get_account_status($username) != "NORMAL") {
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
}
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
$userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $VARS['username']]);
insertAuthLog(19, $userinfo['uid'], "Key: " . $VARS['key']);
if (authenticate_user($username, $VARS['password'], $autherror)) {
$userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $username]);
insertAuthLog(19, $userinfo['uid'], "Key: " . $key);
exit(json_encode(["status" => "OK", "info" => $userinfo]));
} else {
if (!is_empty($autherror)) {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
} else {
insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
}
}
case "start_session":
// Do a web login.
engageRateLimit();
if (user_exists($VARS['username'])) {
if (get_account_status($VARS['username']) == "NORMAL") {
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
doLoginUser($VARS['username'], $VARS['password']);
if (user_exists($username)) {
if (get_account_status($username) == "NORMAL") {
if (authenticate_user($username, $VARS['password'], $autherror)) {
doLoginUser($username, $VARS['password']);
exit(json_encode(["status" => "OK"]));
}
}
}
insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
case "listapps":
exit(json_encode(["status" => "OK", "apps" => EXTERNAL_APPS]));