djpbessems/lucidAuth
1
0
Fork 0
Code Issues Pull Requests Releases 2 Wiki Activity

Compare commits

base: djpbessems:a049bdbd24ad0661a94b90664fd3353b00029f18
Branches Tags
djpbessems:master djpbessems:development
djpbessems:0.6 djpbessems:0.5
..
compare: djpbessems:development
Branches Tags
djpbessems:development djpbessems:master
djpbessems:0.6 djpbessems:0.5

37 Commits
a049bdbd24 ... developmen

Author SHA1 Message Date
Danny Bessems
c0ffd0a7ba Enable secure for JWT-cookie 2020-06-05 15:09:43 +00:00
Danny Bessems
3b43538f90 Minor edits and documentation 2020-01-07 15:41:36 +00:00
Danny Bessems
2d73384e17 Session management for admins now includes delete capabilities 2020-01-07 13:15:03 +00:00
Danny Bessems
69bb1368cb Periodic merge upstream 2019-12-30 12:18:42 +00:00
Danny Bessems
aabc6cf196 Pulled changes from master 2019-12-30 11:58:51 +00:00
Danny Bessems
f7760ab568 Added UI elements for managing sessions 2019-12-30 11:44:35 +00:00
Danny Bessems
f14f3866e6 Added session details/fingerprint (w/ icons) 2019-12-24 12:58:01 +00:00
Danny Bessems
3111185c10 Added garbage collection for expired and defunct tokens in database. 2019-12-10 15:57:06 +00:00
Danny Bessems
5c2ae98afb Update 'README.md' 2019-12-09 09:27:59 +00:00
Danny Bessems
6f53abf521 First draft of session management for admins 2019-12-06 15:15:38 +00:00
Danny Bessems
018b74e140 Update 'README.md' 2019-12-06 14:08:19 +00:00
Danny Bessems
160784c912 Merge branch 'development' of https://code.spamasaurus.com/djpbessems/lucidAuth into development 2019-12-06 13:13:49 +00:00
Danny Bessems
ad20071a86 Added CrossDomain logging to console 2019-12-06 13:13:35 +00:00
Danny Bessems
0a6d0bf329 Resolved mergeconflicts 2019-12-06 12:58:24 +00:00
Danny Bessems
2f1beb47c7 Resolved mergeconflict 2019-12-06 12:56:31 +00:00
Danny Bessems
e520108237 Added CrossDomain logging to console 2019-12-06 12:55:10 +00:00
Danny Bessems
c94b736062 Added CrossDomain logging to console 2019-12-04 12:04:20 +00:00
Danny Bessems
e17aed8297 Added initial config for TOTP; for use with the Spomky-Labs/otphp class 2019-08-20 11:48:40 +00:00
Danny Bessems
2a56efd353 added placeholders for error handling in CrossDomainLogin 2019-06-20 08:02:42 +00:00
Danny Bessems
55413d20c5 Merge branch 'development' of djpbessems/lucidAuth into master 2019-06-20 07:50:15 +00:00
Danny Bessems
ba6b6f277a Added external library NProgress and ajax-timeouts 2019-06-19 13:27:00 +00:00
Danny Bessems
75e8640439 Merge branch 'development' of djpbessems/lucidAuth into master 2019-06-19 10:57:55 +00:00
Danny Bessems
dca8f74f25 Minor edits (housekeeping) 2019-06-19 10:55:01 +00:00
Danny Bessems
21f272e9f0 Renamed file to reflect actual purpose 2019-06-19 10:37:20 +00:00
Danny Bessems
5a2d3313e7 Added missing CORS headers and xhrFields 2019-06-19 10:34:31 +00:00
Danny Bessems
6081e42d14 Resolved merge conflicts 2019-06-19 10:14:04 +00:00
Danny Bessems
0675ad8512 Controller for cross-domain iframes added 2019-06-19 10:09:46 +00:00
Danny Bessems
ee35696cd4 Controller for cross-domain iframes added 2019-06-18 13:21:44 +00:00
Danny Bessems
e3405369ca Delete 'public/misc/script.theme.js' 2019-03-13 10:53:22 +00:00
Danny Bessems
f9664eab18 Periodic merge upstream 
Resolved merge conflicts
 2019-03-13 10:44:00 +00:00
Danny Bessems
a20f13ab7c Babysteps towards cross-domain-cookies-in-iframes 2019-03-13 09:59:12 +00:00
Danny Bessems
0a5384f6a8 Authentication failed due to case sensitive SQL-queries 2019-03-07 19:50:04 +00:00
Danny Bessems
3dbb6b9932 Implemented GUI aspect of usermanagement page 
TODO: add ajax-call that will update database
 2019-03-06 14:21:47 +01:00
Danny Bessems
958897dc0a Implemented GUI aspect of usermanagement page 
TODO: add ajax-call that will update database
 2019-03-06 14:18:07 +01:00
Danny Bessems
efc66fc3d8 Refactored template; make main content scrollable without overflow 
Switched to Flexbox CSS based layout
Removed theme-easteregg.
 2019-03-05 10:12:26 +01:00
Danny Bessems
b5df954322 Managementinterface retrieves data from database; 
Table on interface is editable; replaced library.
 2019-03-03 17:06:41 +01:00
Danny Bessems
ac546633d1 Periodic merge upstream (#1) 2019-02-28 14:31:10 +00:00
21 changed files with 738 additions and 161 deletions
Expand all files Collapse all files

121
README.md
View File

@ -1,32 +1,91 @@
# lucidAuth
[![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#)
Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
## Usage
- Create a new folder, navigate to it in a commandprompt and run the following command:
`git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git`
- Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`
- Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder
- Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)
- Edit your proxy's configuration to use the new website as forward proxy:
- #### ~~in Caddy/nginx~~ <small>(planned for a later stage)</small>
- #### in Traefik
Add the following lines (change to reflect your existing configuration):
```
[frontends.server1]
entrypoints = ["https"]
backend = "server1"
[frontends.server1.auth.forward]
address = "https://<fqdn>/lucidAuth.validateRequest.php"
[frontends.server1.routes]
[frontends.server1.routes.ext]
rule = "Host:<fqdn>"
```
- #### Important!
The domainname of the website made in step 3, needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing this authentication proxy.
## Questions or bugs
# lucidAuth [![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#)
> *Respect* the unexpected, mitigate your risks
Forward Authentication for use with loadbalancers/proxies/webservers (Apache, ~~Caddy~~, Lighttpd, NGINX, Traefik, etc)
## Usage
- Create a new folder, navigate to it in a commandprompt and run the following command:
`git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git`
- Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`
- Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder
- Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)
- Edit your webserver's/proxy's configuration to use the new website for forward authentication:
- #### ~~in Apache~~ <small>(Soon™)</small>
- #### ~~in Caddy~~ <small>(Never, due to lacking functionality)</small>
- #### ~~in Lighttpd~~ <small>(Soon™)</small>
- #### in NGINX
Add the following lines (adjust to reflect your existing configuration - more [details](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/)):
```
http {
#...
server {
#...
location /private/ {
auth_request /auth;
auth_request_set $auth_status $upstream_status;
}
location = /auth {
internal;
proxy_pass https://<fqdn>/lucidAuth.validateRequest.php;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
}
}
```
- #### in Traefik
Add the following lines (change to reflect your existing configuration):
##### 1.7.x (more [details](https://docs.traefik.io/v1.7/configuration/entrypoints/#forward-authentication))
```
[frontends.server1]
entrypoints = ["https"]
backend = "server1"
[frontends.server1.auth.forward]
address = "https://<fqdn>/lucidAuth.validateRequest.php"
[frontends.server1.routes]
[frontends.server1.routes.ext]
rule = "Host:<fqdn>"
```
##### 2.x (more [details](https://docs.traefik.io/middlewares/forwardauth/))
Either whitelist IP's which should be trusted to send `HTTP_X-Forwarded-*` headers, ór enable insecure-mode in your static configuration:
```
entryPoints:
https:
address: :443
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.0/24"
# insecure: true
```
Define a middleware that tells Traefik to forward requests for authentication in your dynamic file provider:
```
https:
middlewares:
ldap-authentication:
forwardAuth:
address: "https://<fqdn>/lucidAuth.validateRequest.php"
trustForwardHeader: true
```
And finally add the new middleware to your service (different methods; this depends on your configuration):
```
# as a label (when using Docker provider)
traefik.http.routers.router1.middlewares: "ldap-authentication@file"
# as yaml (when using file provider)
routers:
router1:
middlewares:
- "ldap-authentication"
```
- #### Important!
The domainname of the website made in step 3, needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing this authentication proxy.
## Questions or bugs
Feel free to open issues in this repository.

142
include/lucidAuth.functions.php
View File

@ -35,13 +35,36 @@ function authenticateLDAP (string $username, string $password) {
if (@ldap_bind($ds, $qualifiedUsername, utf8_encode($_POST['password']))) {
// Successful authentication; get additional userdetails from authenticationsource
$ldapSearchResults = ldap_search($ds, $settings->LDAP['BaseDN'], "sAMAccountName=$sanitizedUsername");
$commonName = ldap_get_entries($ds, $ldapSearchResults)[0]['cn'][0];
// Create JWT-payload
$commonName = ldap_get_entries($ds, $ldapSearchResults)[0]['cn'][0];
$browserDetails = get_browser(null, True);
$geoLocation = json_decode(file_get_contents("http://ip-api.com/json/{$_SERVER['HTTP_X_REAL_IP']}"));
if ($geoLocation->status === 'fail') {
switch ($geoLocation->message) {
case 'private range':
case 'reserved range':
$geoLocation = json_decode(file_get_contents("http://ip-api.com/json/" . trim(file_get_contents('https://api.ipify.org')) ));
break;
case 'invalid query':
default:
$geoLocation->city = null;
$geoLocation->countryCode = null;
break;
}
}
// Create JWT-payload
$jwtPayload = [
'iat' => time(), // Issued at: time when the token was generated
'iss' => $_SERVER['SERVER_NAME'], // Issuer
'sub' => $qualifiedUsername, // Subject (ie. username)
'name' => $commonName // Common name (as retrieved from AD)
'iat' => time(), // Issued at: time when the token was generated
'iss' => $_SERVER['SERVER_NAME'], // Issuer
'sub' => $qualifiedUsername, // Subject (ie. username)
'name' => $commonName, // Common name (as retrieved from AD)
'fp' => base64_encode(json_encode((object) [ // Fingerprint
'browser' => $browserDetails['browser'],
'platform' => $browserDetails['platform'],
'city' => $geoLocation->city,
'countrycode' => $geoLocation->countryCode
]))
];
$secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64']));
@ -66,24 +89,24 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
INSERT INTO SecureToken (UserId, Value)
SELECT User.Id, :securetoken
FROM User
WHERE User.Username = :qualifiedusername
WHERE LOWER(User.Username) = :qualifiedusername
');
$pdoQuery->execute([
':securetoken' => $secureToken,
':qualifiedusername' => $qualifiedUsername
':qualifiedusername' => strtolower($qualifiedUsername)
]);
}
catch (Exception $e) {
return ['status' => 'Fail', 'reason' => $e];
}
// Save authentication token in cookie clientside
$cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) {
// Check if $_SERVER['HTTP_HOST'] matches any of the configured domains (either explicitly or as a subdomain)
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
}))[0];
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain, TRUE)) {
return ['status' => 'Success'];
} else {
return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];
@ -114,18 +137,19 @@ function validateToken (string $secureToken) {
// Retrieve all authentication tokens from database matching username
$pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Value
SELECT User.Id, SecureToken.Value
FROM SecureToken
LEFT JOIN User
LEFT JOIN User
ON (User.Id=SecureToken.UserId)
WHERE User.Username = :username
WHERE LOWER(User.Username) = :username
');
$pdoQuery->execute([
':username' => (string)$jwtPayload->sub
]);
':username' => (string) strtolower($jwtPayload->sub)
]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try {
$storedTokens[] = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
$currentUserId = $row['Id'];
} catch (Exception $e) {
continue;
}
@ -135,9 +159,12 @@ function validateToken (string $secureToken) {
if (!empty($storedTokens) && sizeof(array_filter($storedTokens, function ($value) use ($jwtPayload) {
return $value->iat === $jwtPayload->iat;
})) === 1) {
return [
purgeTokens($currentUserId, $settings->Session['Duration']);
return [
'status' => 'Success',
'name' => $jwtPayload->name
'name' => $jwtPayload->name,
'uid' => $currentUserId
];
} else {
if ($settings->Debug['LogToFile']) {
@ -147,4 +174,85 @@ function validateToken (string $secureToken) {
}
}
function purgeTokens(int $userID, int $maximumTokenAge) {
global $settings, $pdoDB;
$defunctTokens = []; $expiredTokens = [];
$pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Id, SecureToken.Value
FROM SecureToken
WHERE SecureToken.UserId = :userid
');
$pdoQuery->execute([
':userid' => (int) $userID
]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try {
$token = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
if ($token->iat < (time() - $maximumTokenAge)) {
$expiredTokens[] = $row['Id'];
}
} catch (Exception $e) {
$defunctTokens[] = $row['Id'];
}
}
try {
// Sadly, PDO does not support named parameters in constructions like 'IN ( :array )'
// instead, the supported syntax is unnamed placeholders like 'IN (?, ?, ?, ...)'
$pdoQuery = $pdoDB->prepare('
DELETE FROM SecureToken
WHERE SecureToken.Id IN (' . implode( ',', array_fill(0, count(array_merge($defunctTokens, $expiredTokens)), '?')) . ')
');
$pdoQuery->execute(array_merge($defunctTokens, $expiredTokens));
if ($settings->Debug['LogToFile']) {
file_put_contents('../purgeToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Garbage collection succeeded (' . $userID . ' => #' . $pdoQuery->rowCount() . ')' . PHP_EOL, FILE_APPEND);
}
return [
'status' => 'Success',
'amount' => $pdoQuery->rowCount()
];
} catch (Exception $e) {
if ($settings->Debug['LogToFile']) {
file_put_contents('../purgeToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Garbage collection failed (' . $userID . ' => ' . $e . ')' . PHP_EOL, FILE_APPEND);
}
return ['status' => 'Fail', 'reason' => $e];
}
}
function deleteToken(array $tokenIDs, int $userID) {
try {
// Sadly, PDO does not support named parameters in constructions like 'IN ( :array )'
// instead, the supported syntax is unnamed placeholders like 'IN (?, ?, ?, ...)'
$pdoQuery = $pdoDB->prepare('
DELETE FROM SecureToken
WHERE SecureToken.Id IN (' . implode( ',', array_fill(0, count($tokenIDs), '?')) . ')
AND SecureToken.UserId = :userid
');
$pdoQuery->execute($tokenIDs,[
':userid' => (int) $userID
]);
if ($settings->Debug['LogToFile']) {
file_put_contents('../deleteToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Successfully deleted specific token(s) (' . $userID . ' => #' . $pdoQuery->rowCount() . ')' . PHP_EOL, FILE_APPEND);
}
return [
'status' => 'Success',
'amount' => $pdoQuery->rowCount()
];
} catch (Exception $e) {
if ($settings->Debug['LogToFile']) {
file_put_contents('../deleteToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Failed deleting specific token(s) (' . $userID . ' => ' . $e . ')' . PHP_EOL, FILE_APPEND);
}
return ['status' => 'Fail', 'reason' => $e];
}
}
?>

67
include/lucidAuth.template.php
View File

@ -13,9 +13,10 @@ $pageLayout['full'] = <<<'FULL'
<link href="misc/style.css" rel="stylesheet" />
<link href="misc/style.theme.css" rel="stylesheet" />
<link href="misc/style.button.css" rel="stylesheet" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.js"></script>
<script src="misc/script.theme.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script>
<script src="misc/script.translation.js"></script>
<script src="https://unpkg.com/nprogress@0.2.0/nprogress.js"></script>
<link href="https://unpkg.com/nprogress@0.2.0/nprogress.css" rel="stylesheet" />
</head>
<body>
<div id="horizon">
@ -33,7 +34,7 @@ $pageLayout['full'] = <<<'FULL'
</html>
FULL;
$pageLayout['full2'] = <<<'FULL2'
$pageLayout['full_alt'] = <<<'FULL_ALT'
<!DOCTYPE html>
<html lang="nl">
<head>
@ -47,7 +48,6 @@ $pageLayout['full2'] = <<<'FULL2'
<link href="misc/style.theme.css" rel="stylesheet" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script>
<script src="misc/script.translation.js"></script>
<script src="misc/script.index.js"></script>
</head>
<body>
<div class="wrapper">
@ -72,23 +72,7 @@ $pageLayout['full2'] = <<<'FULL2'
</div>
</body>
</html>
FULL2;
$pageLayout['bare'] = <<<'BARE'
<!DOCTYPE html>
<html lang="nl">
<head>
<meta charset="utf-8" />
<title>lucidAuth</title>
<meta name="application-name" content="lucidAuth" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.js"></script>
<script src="misc/script.iframe.js"></script>
</head>
<body>
%1$s
</body>
</html>
BARE;
FULL_ALT;
$contentLayout['login'] = <<<'LOGIN'
<script src="misc/script.index.js"></script>
@ -98,12 +82,12 @@ $contentLayout['login'] = <<<'LOGIN'
<span class="indent">&nbsp;</span>
</li>
<li>
<label class="pre" for="username" data-translation="label_username">Gebruikersnaam:</label>
<label class="pre" for="username" data-translation="label_username">Username:</label>
<input type="text" id="username" name="username" tabindex="100" />
<label for="username">@lucidAuth</label>
</li>
<li>
<label class="pre" for="password" data-translation="label_password">Wachtwoord:</label>
<label class="pre" for="password" data-translation="label_password">Password:</label>
<input type="password" id="password" name="password" tabindex="200" />
</li>
<li>
@ -111,7 +95,7 @@ $contentLayout['login'] = <<<'LOGIN'
<button id="btnlogin" class="bttn-simple bttn-xs bttn-primary" tabindex="300" data-translation="button_login">login</button>
</li>
<li class="misc">
<span class="indent" data-translation="span_credentialsavailable">Inloggegevens verkrijgbaar op aanvraag!</span>
<span class="indent" data-translation="span_credentialsavailable">Login credentials available upon request!</span>
</li>
</ul>
</section>
@ -121,16 +105,13 @@ LOGIN;
$contentLayout['manage']['header'] = <<<'MANAGE_HEADER'
<script src="misc/script.editable.table.js"></script>
<script src="misc/script.manage.js"></script>
<span id="user"><span data-translation="span_loggedinas">Ingelogd als</span>&nbsp;%1$s&nbsp;---&nbsp;[<a id="linklanguage-en" href="#" tabindex="700">EN</a>&nbsp;<a id="linklanguage-nl" class="current" href="#" tabindex="700">NL</a>]&nbsp;[<a href="#" tabindex="800" data-translation="link_logout">Log uit</a>]</span>
<span id="user"><span data-translation="span_loggedinas">Logged in as</span>&nbsp;%1$s&nbsp;---&nbsp;[<a id="linklanguage-en" class="current" href="#" tabindex="700">EN</a>&nbsp;<a id="linklanguage-nl" href="#" tabindex="700">NL</a>]&nbsp;[<a id="linklogout" href="#" tabindex="800" data-translation="link_logout">Logout</a>]</span>
<ul style="clear: both; margin-top: 20px;">
<li class="buttons">
<button id="btnnewuser" class="bttn-simple bttn-xs bttn-primary" data-translation="button_new">nieuw</button>
<button id="btnfoo" class="bttn-simple bttn-xs bttn-primary" data-translation="button_foo">foo</button>
<button id="btnbar" class="bttn-simple bttn-xs bttn-primary" data-translation="button_bar">bar</button>
</li>
<li class="buttons">
<button id="btnsync" class="bttn-simple bttn-xs bttn-primary" data-translation="button_save">opslaan</button>
<button id="btncancel" class="bttn-simple bttn-xs bttn-primary" data-translation="button_cancel">annuleren</button>
<button id="btnnewuser" class="bttn-simple bttn-xs bttn-primary" data-translation="button_new">new</button>
&nbsp;
<button id="btnsave" class="bttn-simple bttn-xs bttn-primary" data-translation="button_save">save</button>
<button id="btncancel" class="bttn-simple bttn-xs bttn-primary" data-translation="button_cancel">cancel</button>
</li>
</ul>
MANAGE_HEADER;
@ -140,15 +121,31 @@ $contentLayout['manage']['section'] = <<<'MANAGE_SECTION'
<table id="usertable">
<thead>
<tr>
<th class="immutable">Username</th>
<th class="immutable">Role</th>
<th class="immutable">Sessions</th>
<th class="immutable" data-translation="th_username">Username</th>
<th class="immutable" data-translation="th_role">Role</th>
<th class="immutable" data-translation="th_manage">Manage</th>
</tr>
</thead>
<tbody>
%1$s
</tbody>
</table>
<div id="sessions">
<span data-translation="label_sessions" style="float: left; margin-left: 5px;">Sessions</span>
<br>
<table id="sessiontable">
<thead>
<tr>
<th data-translation="th_timestamp">Timestamp</th>
<th data-translation="th_origin">&lt;origin&gt;</th>
<th data-translation="th_description">Description</th>
<th data-translation="th_manage">Manage</th>
</tr>
</thead>
<tbody>
</tbody>
</table>
</div>
</li>
</ul>
MANAGE_SECTION;

13
lucidAuth.config.php.example
View File

@ -18,6 +18,16 @@ return (object) array(
// Specify the NetBios name of the domain; to allow users to log on with just their usernames.
],
'2FA' => [
'Protocol' => 'TOTP', // Possible options are HOTP (sequential codes) and TOTP (timebased codes)
'TOTP' => [
'Secret' => 'NULL', // By default, a 512 bits secret is generated. If you need, you can provide your own secret here.
'Age' => '30', // The duration that each OTP code is valid for.
'Length' => '6', // Number of digits the OTP code will consist of.
'Algorithm' => 'SHA256' // The hashing algorithm used.
],
],
'Sqlite' => [
'Path' => '../data/lucidAuth.sqlite.db'
// Relative path to the location where the database should be stored
@ -37,6 +47,9 @@ return (object) array(
'CrossDomainLogin' => False,
// Set this to True if SingleSignOn (albeit rudementary) is desired
// (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains)
// Important!
// If you leave this set to False, the domainname where lucidAuth will be running on,
// needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing the authentication proxy.
'CookieDomains' => [
'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld'
]

1
public/images/README.md Normal file
View File

@ -0,0 +1 @@
Browser logo's obtained from [alrra/browser-logos](https://github.com/alrra/browser-logos).

BIN
public/images/chrome_256x256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
public/images/edge_256x256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
public/images/firefox_256x256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
public/images/opera_256x256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
public/images/safari_256x256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
public/images/tor_256x256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

14
public/lucidAuth.login.php
View File

@ -3,7 +3,7 @@
include_once('../include/lucidAuth.functions.php');
if ($_POST['do'] == 'login') {
if ($_POST['do'] === 'login') {
$result = authenticateLDAP($_POST['username'], $_POST['password']);
if ($result['status'] === 'Success') {
// Store authentication token; in database serverside & in cookie clientside
@ -14,10 +14,9 @@
"Result" => "Failure",
"Reason" => "Failed storing authentication token in database and/or cookie"
]);
# echo '{"Result":"Fail","Reason":"Failed storing authentication token in database and/or cookie"}' . PHP_EOL;
exit;
}
// Convert base64 encoded string back from JSON;
// forcing it into an associative array (instead of javascript's default StdClass object)
try {
@ -30,7 +29,6 @@
"Result" => "Failure",
"Reason" => "Original request-URI lost in transition"
]);
# echo '{"Result":"Fail","Reason":"Original request URI lost in transition"}' . PHP_EOL;
exit;
}
$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
@ -40,7 +38,9 @@
echo json_encode([
"Result" => "Success",
"Location" => $originalUri,
"CrossDomainLogin" => $settings->Session['CrossDomainLogin']
"CrossDomainLogin" => $settings->Session['CrossDomainLogin'],
"CookieDomains" => json_encode(array_diff($settings->Session['CookieDomains'], [$_SERVER['HTTP_HOST']])),
"SecureToken" => $result['token']
]);
} else {
switch ($result['reason']) {
@ -63,8 +63,8 @@
} else {
include_once('../include/lucidAuth.template.php');
echo sprintf($pageLayout['full'],
sprintf($contentLayout['login'],
echo sprintf($pageLayout['full'],
sprintf($contentLayout['login'],
$_GET['ref']
)
);

145
public/lucidAuth.manage.php
View File

@ -8,39 +8,124 @@
}
if ($validateTokenResult['status'] === "Success") {
include_once('../include/lucidAuth.template.php');
switch ($_REQUEST['do']) {
case 'mutateusers':
if (isset($_REQUEST['new']) && isset($_REQUEST['removed'])) {
// Do magic!
}
else {
header('Content-Type: application/json');
echo json_encode([
"Result" => "Failure",
"Reason" => "Incomplete request data"
]);
}
break;
case 'retrievesessions':
$storedTokens = [];
try {
$allUsers = $pdoDB->query('
SELECT User.Id, User.Username, Role.Rolename, COUNT(DISTINCT SecureToken.Value) AS Sessions
FROM User
LEFT JOIN Role
ON (User.RoleId=Role.Id)
LEFT JOIN SecureToken
ON (User.Id=SecureToken.UserId)
')->fetchAll(PDO::FETCH_ASSOC);
} catch (Exception $e) {
$pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Id, SecureToken.UserId, SecureToken.Value
FROM SecureToken
WHERE SecureToken.UserId = :userid
');
$pdoQuery->execute([
':userid' => (int) $_REQUEST['userid']
]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try {
$JWTPayload = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
$storedTokens[] = [
'tid' => $row['Id'],
'iat' => $JWTPayload->iat,
'iss' => $JWTPayload->iss,
'fp' => $JWTPayload->fp
];
} catch (Exception $e) {
// Invalid token
continue;
}
}
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Success",
"SessionCount" => sizeof($storedTokens),
"UserSessions" => json_encode($storedTokens)
]);
break;
case 'deletesession':
if (isset($_REQUEST['userid']) && isset($_REQUEST['tokenid'])) {
try {
$pdoQuery = $pdoDB->prepare('
DELETE FROM SecureToken
WHERE SecureToken.UserId = :userid AND SecureToken.Id = :tokenid
');
$pdoQuery->execute([
':userid' => (int) $_REQUEST['userid'],
':tokenid' => (int) $_REQUEST['tokenid']
]);
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Success",
"RowCount" => $pdoQuery->RowCount()
]);
}
catch (Exception $e) {
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Failure",
"Reason" => "Failed deleting tokens from database"
]);
exit;
}
} else {
header('Content-Type: application/json');
echo json_encode([
"Result" => "Failure",
"Reason" => "Incomplete request data"
]);
}
break;
default:
// No action requested, default action
include_once('../include/lucidAuth.template.php');
try {
$allUsers = $pdoDB->query('
SELECT User.Id, User.Username, Role.Rolename
FROM User
LEFT JOIN Role
ON (Role.Id = User.RoleId)
')->fetchAll(PDO::FETCH_ASSOC);
} catch (Exception $e) {
// Should really do some actual errorhandling here
throw new Exception($e);
throw new Exception($e);
}
foreach($allUsers as $row) {
$tableRows[] = sprintf('<tr%1$s><td data-userid="%2$s">%3$s</td><td>%4$s</td><td class="immutable">%5$s</td></tr>',
$validateTokenResult['uid'] === $row['Id'] ? ' class="currentuser"': null,
$row['Id'],
explode('\\', $row['Username'])[1],
$row['Rolename'],
'<button class="bttn-simple bttn-xs bttn-primary session" data-translation="button_sessions">Sessions</button>' . ($validateTokenResult['uid'] === $row['Id'] ? null : '&nbsp;<button class="bttn-simple bttn-xs bttn-primary delete" data-translation="button_delete">Delete</button>')
);
}
echo sprintf($pageLayout['full_alt'],
sprintf($contentLayout['manage']['header'],
$validateTokenResult['name']
),
sprintf($contentLayout['manage']['section'],
implode($tableRows)
)
);
break;
}
foreach($allUsers as $row) {
$tableRows[] = sprintf('<tr><td data-userid="%1$s">%2$s</td><td>%3$s</td><td class="immutable"><a href="?">%4$s</a></td></tr>',
$row['Id'],
explode('\\', $row['Username'])[1],
$row['Rolename'],
$row['Sessions']
);
}
echo sprintf($pageLayout['full2'],
sprintf($contentLayout['manage']['header'],
$validateTokenResult['name']
),
sprintf($contentLayout['manage']['section'],
implode($tableRows)
)
);
} else {
// No cookie containing valid authentication token found;
// explicitly deleting any remaining cookie, then redirecting to loginpage

59
public/lucidAuth.requestCookie.php Normal file
View File

@ -0,0 +1,59 @@
<?php
error_reporting(E_ALL ^ E_NOTICE);
include_once('../include/lucidAuth.functions.php');
// Start with checking $_REQUEST['ref']
if (!empty($_REQUEST['ref'])) {
try {
$queryString = json_decode(base64_decode($_REQUEST['ref']), JSON_OBJECT_AS_ARRAY);
}
catch (Exception $e) {
// Silently fail, unless explicitly specified otherwise
header("HTTP/1.1 400 Bad Request");
if ($settings->Debug['Verbose']) throw new Exception($e);
exit;
}
switch ($queryString['action']) {
case 'login':
if (validateToken($queryString['token'])['status'] === "Success") {
// This request appears valid; try storing a cookie
$httpHost = $_SERVER['HTTP_HOST'];
$httpOrigin = $_SERVER['HTTP_ORIGIN'];
// Check if $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_ORIGIN'] match any of the configured domains (either explicitly or as a subdomain)
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
$cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) {
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
}))[0];
$originDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpOrigin) {
return (strlen($value) > strlen($httpOrigin)) ? false : (0 === substr_compare($httpOrigin, $value, -strlen($value)));
}))[0];
if (($cookieDomain && (is_null($httpOrigin) || $originDomain)) && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
header("HTTP/1.1 202 Accepted");
exit;
}
else {
header("HTTP/1.1 400 Bad Request");
exit;
}
}
else {
header("HTTP/1.1 401 Unauthorized");
exit;
}
break;
default:
header("HTTP/1.1 400 Bad Request");
exit;
break;
}
}
else {
header("HTTP/1.1 400 Bad Request");
exit;
}
?>

24
public/lucidAuth.setXDomainCookie.php
View File

@ -1,24 +0,0 @@
<?php
error_reporting(E_ALL ^ E_NOTICE);
include_once('../include/lucidAuth.functions.php');
// Start with checking $_REQUEST['ref']
// What do we need?
// token again?
// approach 1:
// origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already)
// this might be slower because it means one additional roundtrip between client and server
// approach 2:
// let the client setup multiple iframes for all domains other than origin domains
// this requires passing an array of domains to the client in asynchronous reply; which feels insecure
include_once('../include/lucidAuth.template.php');
echo sprintf($pageLayout['bare'],
'// iFrames go here'
);
?>

4
public/lucidAuth.validateRequest.php
View File

@ -14,7 +14,7 @@
$proxyHeaders = array_filter($proxyHeaders, function ($key) {
return substr($key, 0, 10) === 'XForwarded';
}, ARRAY_FILTER_USE_KEY);
// For debugging purposes - enable it in ../lucidAuth.config.php
if ($settings->Debug['LogToFile']) {
file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND);
@ -22,7 +22,7 @@
if (sizeof($proxyHeaders) === 0) {
// Non-proxied request; this is senseless, go fetch!
header("HTTP/1.1 403 Forbidden");
header("HTTP/1.1 400 Bad Request");
exit;
}

38
public/misc/script.index.js
View File

@ -31,11 +31,41 @@ $(document).ready(function(){
'color': '#FFF'
});
if (data.CrossDomainLogin) {
// Create iframes for other domains
console.log('CrossDomainLogin initiated');
var cookieDomains = JSON.parse(data.CookieDomains);
var XHR = [];
cookieDomains.forEach(function(domain) {
XHR.push($.get({
url: "https://auth." + domain + "/lucidAuth.requestCookie.php",
crossDomain: true,
xhrFields: {
withCredentials: true,
},
timeout: 750,
// origin domain should be exempted from timeout
// (because origin domain can/will be different from current domain --due to traefik design).
data: {
ref: btoa(JSON.stringify({
action: 'login',
token: data.SecureToken
}))
}
}).done(function(_data, _textStatus, jqXHR) {
NProgress.inc(1 / XHR.length);
console.log('CrossDomain login succeeded for domain `' + domain + '` [' + JSON.stringify(jqXHR) + ']');
}).fail(function(jqXHR) {
console.log('CrossDomain login failed for domain `' + domain + '` [' + JSON.stringify(jqXHR) + ')]');
// Should check why this failed (timeout or bad request?), and if this is the origin domain, take action
}));
});
$.when.apply($, XHR).then(function(){
$.each(arguments, function(_index, _arg) {
// Finished cross-domain logins (either successfully or through timeout)
NProgress.done();
console.log('CrossDomain login completed; forwarding to `' + data.Location + '`');
window.location.replace(data.Location);
});
});
}
console.log("Navigating to :" + data.Location);
window.location.replace(data.Location);
}, 2250);
} else {
$('#btnlogin').css({

201
public/misc/script.manage.js
View File

@ -1,14 +1,209 @@
jQuery.fn.ConfirmDelete = function() {
return this.on('click', function() {
var sessionID = $(this).data('sessionid');
$(this).off('click').parent().empty()
.append($('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_yes'],
class: 'bttn-simple bttn-xs bttn-primary sessiondeleteconfirm',
style: 'margin-right: 3px;',
'data-translation': 'button_yes',
'data-sessionid': sessionID
}).on('click', function() {
// Move this out of 'ConfirmDelete()'
var pressedButton = $(this);
$(pressedButton).prop('disabled', true).css({
'background': '#999 url(data:image/gif;base64,R0lGODlhEAAQAPIAAJmZmf///7CwsOPj4////9fX18rKysPDwyH+GkNyZWF0ZWQgd2l0aCBhamF4bG9hZC5pbmZvACH5BAAKAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQACgABACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkEAAoAAgAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkEAAoAAwAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkEAAoABAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQACgAFACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQACgAGACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAAKAAcALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==) no-repeat center',
'color': 'transparent',
'transform': 'rotateX(180deg)',
'cursor': 'default'
}).next().prop('disabled', true).addClass('disabled');
$.post("lucidAuth.manage.php", {
do: "deletesession",
tokenid: sessionID,
userid: $(pressedButton).closest('tr').data('userid')
})
.done(function(data,_status) {
if (data.Result === 'Success') {
$(pressedButton).css({
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
'transform': 'rotateX(0deg)'
});
setTimeout(function() {
$(pressedButton).closest('tr').fadeOut(500, function() {
$(this).remove()});
}, 2250);
} else {
$(pressedButton).css({
'background': 'red url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAv0lEQVQ4jaWT0Q3CMAxELwh1BEag87AJ6hcLlE/KBLABrNEV2h26QaXHj4NMGgpS7sfJJXd24kQqRMiRQC3pIKk2apD0DCEMq25ABZyBmSVmW6vWxH1GmKLPmph7xJQReq5dnNmVPQE7oHOCzrhoMts9vQ1OSbYOCBb92OPkDe6ZkqMwJwa4SdJmtS1/YGsx7e9VUiPpYvPG4tHtGUsvcf+RkpI2mkHZQ3ImLd+fcpuKf32meM5R0iOEMOb2F+EF33vgCePVr8UAAAAASUVORK5CYII=) no-repeat center',
'transform': 'rotateX(0deg)'
});
setTimeout(function() {
$(pressedButton).closest('td').empty()
.append(
$('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'],
class: 'bttn-simple bttn-xs bttn-primary sessiondelete',
'data-translation': 'button_delete',
'data-sessionid': sessionID
}).ConfirmDelete())
}, 2250);
}
});
}))
.append($('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_no'],
class: 'bttn-simple bttn-xs bttn-primary sessiondeletecancel',
'data-translation': 'button_no',
'data-sessionid': sessionID
}).on('click', function() {
// Move this out of 'ConfirmDelete()'
var pressedButton = $(this);
$(pressedButton).closest('td').empty()
.append(
$('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'],
class: 'bttn-simple bttn-xs bttn-primary sessiondelete',
'data-translation': 'button_delete',
'data-sessionid': sessionID
}).ConfirmDelete())
}))
});
};
$(document).ready(function(){
// Initialize the editable-table functionality
$('#usertable').editableTableWidget();
// Prevent clicking *through* popup-screens
$('#sessions').click(function(event) {
event.stopPropagation();
});
// Add eventhandlers to buttons
$('#usertable button.session').click(function() {
event.stopPropagation();
$('#sessions tbody').empty();
$('#sessions').fadeToggle();
var userID = $(this).closest('tr').find('td:nth-child(1)').data('userid');
$.post("lucidAuth.manage.php", {
do: "retrievesessions",
userid: userID
})
.done(function(data,_status) {
if (data.Result === 'Success') {
var Sessions = JSON.parse(data.UserSessions);
for (var i = 0; i < data.SessionCount; i++) {
try {
var fingerPrint = JSON.parse(atob(Sessions[i]['fp']));
var sessionDetails = '<img class="browsericon" src="/images/' + fingerPrint['browser'] + '_256x256.png">';
sessionDetails += fingerPrint['browser'] + ' -- ' + fingerPrint['platform'];
sessionDetails += '<br>' + fingerPrint['city'] + ' (' + fingerPrint['countrycode'] + ')';
} catch(e) {
// Do nothing
}
$('#sessiontable tbody').append($('<tr>', {
'data-userid': userID
})
.append($('<td>', {
text: new Date(Sessions[i]['iat'] * 1000).toLocaleString('en-GB')
}))
.append($('<td>', {
text: Sessions[i]['iss']
}))
.append($('<td>', {
html: sessionDetails ? sessionDetails : ''
}))
.append($('<td>', {
html: $('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'],
class: 'bttn-simple bttn-xs bttn-primary sessiondelete',
'data-translation': 'button_delete',
'data-sessionid': Sessions[i]['tid']})
}))
);
}
$('#sessiontable .sessiondelete').ConfirmDelete();
} else {
}
});
});
$('#usertable button.delete').click(function() {
$(this).closest('tr').addClass('removed');
});
$('#btnnewuser').click(function() {
// Create a new user; generate pseudo-random username
var newUser = 'User' + String(Math.floor(Math.random() * Math.floor(9999))).padStart(4, '0');
$('#usertable tbody').append($('<tr class="new"><td>' + newUser + '</td><td>User</td><td class="immutable"><a href="?">0</a></td></tr>'));
// Add new user to the interface
// (new `<tr>` in `<table id="usertable">`)
$('#usertable tbody').append($('<tr>', {class: 'new'})
.append($('<td>', {
text: newUser
}))
.append($('<td>', {
text: 'User'
}))
.append($('<td>', {
class: 'immutable',
html: '<button class="bttn-simple bttn-xs bttn-primary disabled" data-translation="button_sessions" disabled="true">' +
locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_sessions'] + '</button>&nbsp;' +
'<button class="bttn-simple bttn-xs bttn-primary delete" data-translation="button_delete">' +
locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'] +
'</button>'
}))
);
// Call `editableTableWidget()` again to include the newly added `<tr>`
// To prevent recreating multiple new editors; reference the already existing `<input>`
$('#usertable').editableTableWidget({editor: $('#editor')});
// Add eventhandlers to buttons of newly added `<tr>`
$('#usertable .new button.session').unbind().click(function() {
console.log('New user, unlikely to have sessions already, lets do nothing for now');
});
$('#usertable .new button.delete').unbind().click(function() {
$(this).closest('tr').remove();
});
});
$('#btnsave').click(function() {
var newEntries = [];
$('#usertable .new').each(function() {
newEntries.push({
'userName': $(this).find('td:nth-child(1)').text(),
'roleName': $(this).find('td:nth-child(2)').text()
});
});
var removedEntries = [];
$('#usertable .removed').each(function() {
removedEntries.push({
'userId': $(this).find('td:nth-child(1)').data('userid'),
'userName': $(this).find('td:nth-child(1)').text(),
'roleName': $(this).find('td:nth-child(2)').text()
});
});
console.log({'new': newEntries, 'removed': removedEntries});
/*
$.post("lucidAuth.manage.php", {
do: "mutateusers",
new: newEntries,
removed: removedEntries
})
.done(function(data,_status) {
}
*/
});
$('#btncancel').click(function() {
window.location.reload();
});
$('#linklogout').click(function() {
console.log('Logging out!');
});
if (localStorage.getItem('theme') !== null) {
@ -30,4 +225,8 @@ $(document).ready(function(){
}
});
});
$(document).click(function () {
$('#sessions').fadeOut();
});

28
public/misc/script.translation.js
View File

@ -3,27 +3,41 @@ var locales = {
button_new: "new",
button_save: "save",
button_cancel: "cancel",
button_sessions: "sessions",
button_delete: "delete",
button_login: "login",
button_yes: "yes",
button_no: "no",
button_login: "login",
heading_error: "ERROR!",
label_password: "Password:",
label_password: "Password:",
label_sessions: "Sessions",
label_username: "Username:",
link_logout: "Logout",
span_credentialsavailable: "Login credentials available upon request!",
span_loggedinas: "Logged in as"
span_loggedinas: "Logged in as",
th_username: "Username",
th_role: "Role",
th_manage: "Manage"
},
nl: {
button_new: "nieuw",
button_save: "opslaan",
button_cancel: "annuleren",
button_sessions: "sessies",
button_delete: "verwijder",
button_yes: "ja",
button_no: "nee",
button_login: "log in",
heading_error: "FOUT!",
label_password: "Wachtwoord:",
label_password: "Wachtwoord:",
label_sessions: "Sessies",
label_username: "Gebruikersnaam:",
link_logout: "Log uit",
span_credentialsavailable: "Inloggegevens verkrijgbaar op aanvraag!",
span_loggedinas: "Ingelogd als"
span_loggedinas: "Ingelogd als",
th_username: "Gebruikersnaam",
th_role: "Rol",
th_manage: "Beheer"
} // ... etc.
};
@ -31,7 +45,7 @@ $(document).ready(function(){
$('[id^=linklanguage-]').click(function() {
var selectedlang = $(this).attr('id').split('-')[1];
// Replace text of each element with translated value
$('[data-translation]').each(function(index) {
$('[data-translation]').each(function() {
$(this).text(locales[selectedlang][$(this).data('translation')]);
});
// Enable/disable (toggle) anchors
@ -43,7 +57,7 @@ $(document).ready(function(){
});
if (localStorage.getItem('language') !== null) {
$('[data-translation]').each(function(index) {
$('[data-translation]').each(function() {
$(this).text(locales[localStorage.getItem('language')][$(this).data('translation')]);
});
$('span#user a.current').removeClass('current');

38
public/misc/style.css
View File

@ -129,6 +129,35 @@ body {
.main section .buttons button {
margin-left: inherit;
}
.main section #sessions {
display: none;
position: absolute;
top: calc(50% - 160px);
right: 20%;
height: 320px;
width: 60%;
border: 1px solid rgb(0, 51, 153);
box-shadow: black 0px 0px 20px;
box-sizing: border-box;
padding-top: 5px;
background: white;
font-size: inherit;
z-index: 99;
overflow-y: auto;
}
.main section #sessions .browsericon {
height: 30px;
float: left;
margin-right: 5px;
border: none;
filter: drop-shadow(0px 0px 1px #000);
}
.main section #sessions .sessiondeleteconfirm {
background: crimson linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.33) 51%) no-repeat center;
}
.main section #sessions .sessiondeletecancel {
background: green linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center;
}
.main section table {
width: 100%;
}
@ -137,6 +166,13 @@ body {
padding: 2px;
margin: 0;
}
.main section table .new {
font-weight: bold;
}
.main section table .removed td:nth-child(-n+2) {
text-decoration: line-through;
color: grey;
}
.main section table tbody tr:nth-child(odd) {
background-color: rgb(215, 215, 215);
}
@ -202,4 +238,4 @@ body {
}
.main span#user nav {
display: inline;
}
}

4
public/misc/style.panes.css
View File

@ -8,7 +8,7 @@ body{
flex-direction: column;
}
.header {
height: 125px;
height: 100px;
background: #FFFFFF;
color: #000000;
}
@ -36,7 +36,7 @@ body{
}
.main section {
overflow-y: scroll;
height: calc(100% - 125px);
height: calc(100% - 100px);
}
.sidebar-first{
width: 25%;