boris
74
auth.php
74
auth.php
@@ -3,12 +3,19 @@ require_once('Models/AuthService.php');
|
||||
require_once('Models/UserDataSet.php');
|
||||
require_once('Models/User.php');
|
||||
|
||||
// Enable CORS
|
||||
header('Access-Control-Allow-Origin: *');
|
||||
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
|
||||
// Enable CORS with more restrictive settings
|
||||
header('Access-Control-Allow-Origin: *'); // Would be set to domain. Move to .env file
|
||||
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
|
||||
header('Access-Control-Allow-Headers: Content-Type, Authorization');
|
||||
header('Content-Type: application/json');
|
||||
|
||||
// Add security headers
|
||||
header('X-Content-Type-Options: nosniff');
|
||||
header('X-Frame-Options: DENY');
|
||||
header('X-XSS-Protection: 1; mode=block');
|
||||
header('Referrer-Policy: strict-origin-when-cross-origin');
|
||||
header('Content-Security-Policy: default-src \'self\'');
|
||||
|
||||
// Handle OPTIONS request
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
|
||||
http_response_code(200);
|
||||
@@ -23,6 +30,22 @@ try {
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
$data = json_decode(file_get_contents('php://input'), true);
|
||||
|
||||
// Handle CAPTCHA generation
|
||||
if (isset($data['action']) && $data['action'] === 'generateCaptcha') {
|
||||
// Generate a random 6-character CAPTCHA
|
||||
$captcha = substr(str_shuffle('0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 6);
|
||||
|
||||
// Store CAPTCHA in session with timestamp
|
||||
session_start();
|
||||
$_SESSION['captcha'] = [
|
||||
'code' => $captcha,
|
||||
'timestamp' => time()
|
||||
];
|
||||
|
||||
echo json_encode(['captcha' => $captcha]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Handle token refresh
|
||||
if (isset($data['action']) && $data['action'] === 'refresh') {
|
||||
if (!isset($data['refreshToken'])) {
|
||||
@@ -54,11 +77,46 @@ try {
|
||||
exit;
|
||||
}
|
||||
|
||||
// Check if CAPTCHA is required
|
||||
session_start();
|
||||
$loginAttempts = $_SESSION['login_attempts'] ?? 0;
|
||||
|
||||
if ($loginAttempts >= 3) {
|
||||
// Verify CAPTCHA if required
|
||||
if (!isset($data['captchaInput']) || !isset($_SESSION['captcha'])) {
|
||||
http_response_code(400);
|
||||
echo json_encode(['error' => 'CAPTCHA is required', 'captcha' => true]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Check if CAPTCHA is expired (5 minutes)
|
||||
if (time() - $_SESSION['captcha']['timestamp'] > 300) {
|
||||
unset($_SESSION['captcha']);
|
||||
http_response_code(400);
|
||||
echo json_encode(['error' => 'CAPTCHA expired', 'captcha' => true]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Verify CAPTCHA code
|
||||
if (strtoupper($data['captchaInput']) !== $_SESSION['captcha']['code']) {
|
||||
unset($_SESSION['captcha']);
|
||||
http_response_code(400);
|
||||
echo json_encode(['error' => 'Invalid CAPTCHA', 'captcha' => true]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Clear CAPTCHA after successful verification
|
||||
unset($_SESSION['captcha']);
|
||||
}
|
||||
|
||||
// Authenticate user
|
||||
$user = new User();
|
||||
$token = $user->Authenticate($data['username'], $data['password']);
|
||||
$token = $user->Authenticate($data['username'], hash('sha256', $data['password']));
|
||||
|
||||
if ($token) {
|
||||
// Reset login attempts on successful login
|
||||
$_SESSION['login_attempts'] = 0;
|
||||
|
||||
// Generate refresh token
|
||||
$refreshToken = $auth->generateRefreshToken([
|
||||
'id' => $user->getUserId(),
|
||||
@@ -77,8 +135,14 @@ try {
|
||||
]
|
||||
]);
|
||||
} else {
|
||||
// Increment login attempts
|
||||
$_SESSION['login_attempts'] = ($loginAttempts ?? 0) + 1;
|
||||
|
||||
http_response_code(401);
|
||||
echo json_encode(['error' => 'Invalid credentials']);
|
||||
echo json_encode([
|
||||
'error' => 'Invalid credentials',
|
||||
'captcha' => $_SESSION['login_attempts'] >= 3
|
||||
]);
|
||||
}
|
||||
exit;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user