boris/Ecobuddy
1
0
Fork 0
Code Issues 12 Pull Requests Packages Projects 1 Releases Wiki Activity
Files
main
Ecobuddy/auth.php
boris 78508a7cbd erm 
Signed-off-by: boris <boris@borishub.co.uk>
2025-04-20 16:49:23 +01:00

177 lines
6.0 KiB
PHP
Raw Permalink Blame History

<?php
require_once('Models/AuthService.php');
require_once('Models/UserDataSet.php');
require_once('Models/User.php');
// Enable CORS with more restrictive settings
header('Access-Control-Allow-Origin: *'); // Would be set to domain. Move to .env file
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
header('Content-Type: application/json');
// Add security headers
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Content-Security-Policy: default-src \'self\'');
// Handle OPTIONS request
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
http_response_code(200);
exit;
}
try {
$auth = new AuthService();
$userDataSet = new UserDataSet();
// Handle POST request for login
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$data = json_decode(file_get_contents('php://input'), true);
// Handle CAPTCHA generation
if (isset($data['action']) && $data['action'] === 'generateCaptcha') {
// Generate a random 6-character CAPTCHA
$captcha = substr(str_shuffle('0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 6);
// Store CAPTCHA in session with timestamp
session_start();
$_SESSION['captcha'] = [
'code' => $captcha,
'timestamp' => time()
];
echo json_encode(['captcha' => $captcha]);
exit;
}
// Handle token refresh
if (isset($data['action']) && $data['action'] === 'refresh') {
if (!isset($data['refreshToken'])) {
http_response_code(400);
echo json_encode(['error' => 'Refresh token is required']);
exit;
}
$refreshToken = $data['refreshToken'];
$newToken = $auth->refreshToken($refreshToken);
if (!$newToken) {
http_response_code(401);
echo json_encode(['error' => 'Invalid or expired refresh token']);
exit;
}
echo json_encode([
'success' => true,
'token' => $newToken
]);
exit;
}
// Handle login
if (!isset($data['username']) || !isset($data['password'])) {
http_response_code(400);
echo json_encode(['error' => 'Username and password are required']);
exit;
}
// Check if CAPTCHA is required
session_start();
$loginAttempts = $_SESSION['login_attempts'] ?? 0;
if ($loginAttempts >= 3) {
// Verify CAPTCHA if required
if (!isset($data['captchaInput']) || !isset($_SESSION['captcha'])) {
http_response_code(400);
echo json_encode(['error' => 'CAPTCHA is required', 'captcha' => true]);
exit;
}
// Check if CAPTCHA is expired (5 minutes)
if (time() - $_SESSION['captcha']['timestamp'] > 300) {
unset($_SESSION['captcha']);
http_response_code(400);
echo json_encode(['error' => 'CAPTCHA expired', 'captcha' => true]);
exit;
}
// Verify CAPTCHA code
if (strtoupper($data['captchaInput']) !== $_SESSION['captcha']['code']) {
unset($_SESSION['captcha']);
http_response_code(400);
echo json_encode(['error' => 'Invalid CAPTCHA', 'captcha' => true]);
exit;
}
// Clear CAPTCHA after successful verification
unset($_SESSION['captcha']);
}
// Authenticate user
$user = new User();
$token = $user->Authenticate($data['username'], hash('sha256', $data['password']));
if ($token) {
// Reset login attempts on successful login
$_SESSION['login_attempts'] = 0;
// Generate refresh token
$refreshToken = $auth->generateRefreshToken([
'id' => $user->getUserId(),
'username' => $user->getUsername(),
'accessLevel' => $user->getAccessLevel()
]);
echo json_encode([
'success' => true,
'token' => $token,
'refreshToken' => $refreshToken,
'user' => [
'id' => $user->getUserId(),
'username' => $user->getUsername(),
'accessLevel' => $user->getAccessLevel()
]
]);
} else {
// Increment login attempts
$_SESSION['login_attempts'] = ($loginAttempts ?? 0) + 1;
http_response_code(401);
echo json_encode([
'error' => 'Invalid credentials',
'captcha' => $_SESSION['login_attempts'] >= 3
]);
}
exit;
}
// Handle GET request for token validation
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$auth = User::checkAuth(false);
if ($auth) {
echo json_encode([
'valid' => true,
'user' => [
'id' => $auth['uid'],
'username' => $auth['username'],
'accessLevel' => $auth['accessLevel']
]
]);
} else {
http_response_code(401);
echo json_encode(['valid' => false, 'error' => 'Invalid or expired token']);
}
exit;
}
http_response_code(405);
echo json_encode(['error' => 'Method not allowed']);
} catch (Exception $e) {
error_log('Auth error: ' . $e->getMessage());
http_response_code(500);
echo json_encode(['error' => 'Server error', 'message' => $e->getMessage()]);
}
Reference in New Issue View Git Blame Copy Permalink