From c0ffd0a7ba7a9705c6e2b3c901fcc9b9a09b813c Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Fri, 5 Jun 2020 15:09:43 +0000
Subject: [PATCH] Enable `secure` for JWT-cookie

---
 include/lucidAuth.functions.php | 2 +-
 public/lucidAuth.manage.php | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/lucidAuth.functions.php b/include/lucidAuth.functions.php
index bf022e8..1924efb 100644
--- a/include/lucidAuth.functions.php
+++ b/include/lucidAuth.functions.php
@@ -106,7 +106,7 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
 // This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
 return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
 }))[0];
- if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
+ if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain, TRUE)) {
 return ['status' => 'Success'];
 } else {
 return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];
diff --git a/public/lucidAuth.manage.php b/public/lucidAuth.manage.php
index 7dfc55f..2fad95b 100644
--- a/public/lucidAuth.manage.php
+++ b/public/lucidAuth.manage.php
@@ -10,7 +10,16 @@ if ($validateTokenResult['status'] === "Success") {
 switch ($_REQUEST['do']) {
 case 'mutateusers':
+ if (isset($_REQUEST['new']) && isset($_REQUEST['removed'])) {
 // Do magic!
+ }
+ else {
+ header('Content-Type: application/json');
+ echo json_encode([
+ "Result" => "Failure",
+ "Reason" => "Incomplete request data"
+ ]);
+ }
 break;
 case 'retrievesessions':
 $storedTokens = [];
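Review bot: The new `setcookie()` call on the `+` line in lucidAuth.functions.php sets only the `secure` flag; the `httponly` argument that follows it is still unset, so the JWT cookie remains readable by script running in the page and the token is not protected from a content-injection bug in this origin. Passing `true` for the seventh parameter closes that gap: `setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain, true, true)`. If the runtime is PHP 7.3 or later, the options-array form of `setcookie()` additionally accepts `'samesite' => 'Lax'` (or `'Strict'`), which the positional form cannot express; the page does not show the PHP version, so that is worth confirming before switching. `TRUE` should also be lowercase `true` to match the surrounding lines, which use lowercase `false`. The body of storeToken starts before this hunk.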