Compare commits
	
		
			29 Commits
		
	
	
		
			f9664eab18
			...
			developmen
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| c0ffd0a7ba | |||
| 3b43538f90 | |||
| 2d73384e17 | |||
| 69bb1368cb | |||
| aabc6cf196 | |||
| f7760ab568 | |||
| f14f3866e6 | |||
| 3111185c10 | |||
| 5c2ae98afb | |||
| 6f53abf521 | |||
| 018b74e140 | |||
| 160784c912 | |||
| ad20071a86 | |||
| 0a6d0bf329 | |||
| 2f1beb47c7 | |||
| e520108237 | |||
| c94b736062 | |||
| e17aed8297 | |||
| 2a56efd353 | |||
| 55413d20c5 | |||
| ba6b6f277a | |||
| 75e8640439 | |||
| dca8f74f25 | |||
| 21f272e9f0 | |||
| 5a2d3313e7 | |||
| 6081e42d14 | |||
| 0675ad8512 | |||
| ee35696cd4 | |||
| e3405369ca | 
							
								
								
									
										121
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										121
									
								
								README.md
									
									
									
									
									
								
							| @@ -1,32 +1,91 @@ | ||||
| # lucidAuth | ||||
| [](#) [ ](#)   | ||||
|  | ||||
| Forward Authentication for use with proxies (caddy, nginx, traefik, etc) | ||||
|  | ||||
| ## Usage | ||||
| - Create a new folder, navigate to it in a commandprompt and run the following command:   | ||||
|   `git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git`   | ||||
| - Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`   | ||||
| - Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder   | ||||
| - Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)   | ||||
| - Edit your proxy's configuration to use the new website as forward proxy:   | ||||
|   - #### ~~in Caddy/nginx~~    <small>(planned for a later stage)</small> | ||||
|  | ||||
|   - #### in Traefik   | ||||
|   Add the following lines (change to reflect your existing configuration):   | ||||
|   ``` | ||||
|   [frontends.server1] | ||||
|     entrypoints = ["https"] | ||||
|     backend = "server1" | ||||
|     [frontends.server1.auth.forward] | ||||
|       address = "https://<fqdn>/lucidAuth.validateRequest.php" | ||||
|     [frontends.server1.routes] | ||||
|       [frontends.server1.routes.ext] | ||||
|         rule = "Host:<fqdn>" | ||||
|   ``` | ||||
|  | ||||
| - #### Important!   | ||||
|   The domainname of the website made in step 3, needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing this authentication proxy. | ||||
|  | ||||
| ## Questions or bugs | ||||
| # lucidAuth [](#) [ ](#)   | ||||
| > *Respect* the unexpected, mitigate your risks   | ||||
|  | ||||
| Forward Authentication for use with loadbalancers/proxies/webservers (Apache, ~~Caddy~~, Lighttpd, NGINX, Traefik, etc) | ||||
|  | ||||
| ## Usage | ||||
| - Create a new folder, navigate to it in a commandprompt and run the following command:   | ||||
|   `git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git`   | ||||
| - Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`   | ||||
| - Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder   | ||||
| - Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)   | ||||
| - Edit your webserver's/proxy's configuration to use the new website for forward authentication:   | ||||
|   - #### ~~in Apache~~    <small>(Soon™)</small>   | ||||
|  | ||||
|   - #### ~~in Caddy~~    <small>(Never, due to lacking functionality)</small>   | ||||
|  | ||||
|   - #### ~~in Lighttpd~~    <small>(Soon™)</small>   | ||||
|  | ||||
|   - #### in NGINX | ||||
|   Add the following lines (adjust to reflect your existing configuration - more [details](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/)):   | ||||
|   ``` | ||||
|   http { | ||||
|           #... | ||||
|           server { | ||||
|           #... | ||||
|             location /private/ { | ||||
|               auth_request     /auth; | ||||
|               auth_request_set $auth_status $upstream_status; | ||||
|             } | ||||
|  | ||||
|             location = /auth { | ||||
|               internal; | ||||
|               proxy_pass              https://<fqdn>/lucidAuth.validateRequest.php; | ||||
|               proxy_pass_request_body off; | ||||
|               proxy_set_header        Content-Length ""; | ||||
|               proxy_set_header        X-Original-URI $request_uri; | ||||
|             } | ||||
|           } | ||||
|   } | ||||
|   ``` | ||||
|  | ||||
|   - #### in Traefik   | ||||
|   Add the following lines (change to reflect your existing configuration):   | ||||
| #####   1.7.x (more [details](https://docs.traefik.io/v1.7/configuration/entrypoints/#forward-authentication))   | ||||
|   ``` | ||||
|   [frontends.server1] | ||||
|           entrypoints = ["https"] | ||||
|           backend = "server1" | ||||
|           [frontends.server1.auth.forward] | ||||
|             address = "https://<fqdn>/lucidAuth.validateRequest.php" | ||||
|           [frontends.server1.routes] | ||||
|             [frontends.server1.routes.ext] | ||||
|               rule = "Host:<fqdn>" | ||||
|   ``` | ||||
| #####   2.x (more [details](https://docs.traefik.io/middlewares/forwardauth/))   | ||||
|   Either whitelist IP's which should be trusted to send `HTTP_X-Forwarded-*` headers, ór enable insecure-mode in your static configuration:   | ||||
|   ``` | ||||
|   entryPoints: | ||||
|           https: | ||||
|             address: :443 | ||||
|             forwardedHeaders: | ||||
|               trustedIPs: | ||||
|                 - "127.0.0.1/32" | ||||
|                 - "192.168.1.0/24" | ||||
|         #      insecure: true | ||||
|   ``` | ||||
|   Define a middleware that tells Traefik to forward requests for authentication in your dynamic file provider:   | ||||
|   ``` | ||||
|   https: | ||||
|           middlewares: | ||||
|             ldap-authentication: | ||||
|               forwardAuth: | ||||
|                 address: "https://<fqdn>/lucidAuth.validateRequest.php" | ||||
|                 trustForwardHeader: true | ||||
|   ``` | ||||
|   And finally add the new middleware to your service (different methods; this depends on your configuration):   | ||||
|   ``` | ||||
|   # as a label (when using Docker provider) | ||||
|   traefik.http.routers.router1.middlewares: "ldap-authentication@file" | ||||
|   # as yaml (when using file provider) | ||||
|   routers: | ||||
|           router1: | ||||
|             middlewares: | ||||
|               - "ldap-authentication" | ||||
|   ``` | ||||
|  | ||||
| - #### Important!   | ||||
|   The domainname of the website made in step 3, needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing this authentication proxy. | ||||
|  | ||||
| ## Questions or bugs | ||||
| Feel free to open issues in this repository. | ||||
| @@ -35,13 +35,36 @@ function authenticateLDAP (string $username, string $password) { | ||||
| 		if (@ldap_bind($ds, $qualifiedUsername, utf8_encode($_POST['password']))) { | ||||
| 			// Successful authentication; get additional userdetails from authenticationsource | ||||
| 			$ldapSearchResults = ldap_search($ds, $settings->LDAP['BaseDN'], "sAMAccountName=$sanitizedUsername"); | ||||
| 			$commonName = ldap_get_entries($ds, $ldapSearchResults)[0]['cn'][0]; | ||||
| 			// Create JWT-payload | ||||
|             $commonName = ldap_get_entries($ds, $ldapSearchResults)[0]['cn'][0]; | ||||
|  | ||||
|             $browserDetails = get_browser(null, True); | ||||
|             $geoLocation = json_decode(file_get_contents("http://ip-api.com/json/{$_SERVER['HTTP_X_REAL_IP']}")); | ||||
|             if ($geoLocation->status === 'fail') { | ||||
|                 switch ($geoLocation->message) { | ||||
|                     case 'private range': | ||||
|                     case 'reserved range': | ||||
|                         $geoLocation = json_decode(file_get_contents("http://ip-api.com/json/" . trim(file_get_contents('https://api.ipify.org')) )); | ||||
|                         break; | ||||
|                     case 'invalid query': | ||||
|                     default: | ||||
|                         $geoLocation->city = null; | ||||
|                         $geoLocation->countryCode = null; | ||||
|                         break; | ||||
|                 } | ||||
|             } | ||||
|  | ||||
|             // Create JWT-payload | ||||
| 			$jwtPayload = [ | ||||
| 				'iat'	=> time(),					// Issued at: time when the token was generated | ||||
| 				'iss'	=> $_SERVER['SERVER_NAME'],	// Issuer | ||||
| 				'sub'	=> $qualifiedUsername,		// Subject (ie. username) | ||||
| 				'name'	=> $commonName				// Common name (as retrieved from AD) | ||||
| 				'iat'	=> time(),                                  // Issued at: time when the token was generated | ||||
| 				'iss'	=> $_SERVER['SERVER_NAME'],                 // Issuer | ||||
| 				'sub'	=> $qualifiedUsername,                      // Subject (ie. username) | ||||
|                 'name'	=> $commonName,                             // Common name (as retrieved from AD) | ||||
|                 'fp'    => base64_encode(json_encode((object) [     // Fingerprint | ||||
|                     'browser'       => $browserDetails['browser'], | ||||
|                     'platform'      => $browserDetails['platform'], | ||||
|                     'city'          => $geoLocation->city, | ||||
|                     'countrycode'   => $geoLocation->countryCode | ||||
|                 ])) | ||||
| 			]; | ||||
|  | ||||
| 			$secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64'])); | ||||
| @@ -83,7 +106,7 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt | ||||
| 		//   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks | ||||
| 		return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value))); | ||||
| 	}))[0]; | ||||
| 	if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) { | ||||
| 	if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain, TRUE)) { | ||||
| 		return ['status' => 'Success']; | ||||
| 	} else { | ||||
| 		return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)']; | ||||
| @@ -121,8 +144,8 @@ function validateToken (string $secureToken) { | ||||
| 		WHERE LOWER(User.Username) = :username | ||||
| 	'); | ||||
| 	$pdoQuery->execute([ | ||||
| 			':username'	=>	(string) strtolower($jwtPayload->sub) | ||||
| 		]); | ||||
| 		':username'	=>	(string) strtolower($jwtPayload->sub) | ||||
| 	]); | ||||
| 	foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) { | ||||
| 		try { | ||||
| 			$storedTokens[] = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']); | ||||
| @@ -136,7 +159,9 @@ function validateToken (string $secureToken) { | ||||
| 	if (!empty($storedTokens) && sizeof(array_filter($storedTokens, function ($value) use ($jwtPayload) { | ||||
| 		return $value->iat === $jwtPayload->iat; | ||||
| 	})) === 1) { | ||||
| 		return [ | ||||
|         purgeTokens($currentUserId, $settings->Session['Duration']); | ||||
|  | ||||
|         return [ | ||||
| 			'status'	=> 'Success', | ||||
| 			'name'		=> $jwtPayload->name, | ||||
|             'uid'       => $currentUserId | ||||
| @@ -149,4 +174,85 @@ function validateToken (string $secureToken) { | ||||
| 	} | ||||
| } | ||||
|  | ||||
| function purgeTokens(int $userID, int $maximumTokenAge) { | ||||
| 	global $settings, $pdoDB; | ||||
|  | ||||
|     $defunctTokens = []; $expiredTokens = []; | ||||
|  | ||||
|     $pdoQuery = $pdoDB->prepare(' | ||||
| 		SELECT SecureToken.Id, SecureToken.Value | ||||
| 		FROM SecureToken | ||||
| 		WHERE SecureToken.UserId = :userid | ||||
| 	'); | ||||
| 	$pdoQuery->execute([ | ||||
| 		':userid'	=>	(int) $userID | ||||
| 	]); | ||||
| 	foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) { | ||||
| 		try { | ||||
|             $token = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']); | ||||
|             if ($token->iat < (time() - $maximumTokenAge)) { | ||||
|                 $expiredTokens[] = $row['Id']; | ||||
|             } | ||||
| 		} catch (Exception $e) { | ||||
| 			$defunctTokens[] = $row['Id']; | ||||
| 		} | ||||
|     } | ||||
|  | ||||
|     try { | ||||
|         // Sadly, PDO does not support named parameters in constructions like 'IN ( :array )' | ||||
|         //   instead, the supported syntax is unnamed placeholders like 'IN (?, ?, ?, ...)' | ||||
|         $pdoQuery = $pdoDB->prepare(' | ||||
|             DELETE FROM SecureToken | ||||
|             WHERE SecureToken.Id IN (' . implode( ',', array_fill(0, count(array_merge($defunctTokens, $expiredTokens)), '?')) . ') | ||||
|         '); | ||||
|         $pdoQuery->execute(array_merge($defunctTokens, $expiredTokens)); | ||||
|  | ||||
|         if ($settings->Debug['LogToFile']) { | ||||
|             file_put_contents('../purgeToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Garbage collection succeeded (' . $userID . ' => #' . $pdoQuery->rowCount() . ')' . PHP_EOL, FILE_APPEND); | ||||
|         } | ||||
|  | ||||
|         return [ | ||||
|             'status'    => 'Success', | ||||
|             'amount'    => $pdoQuery->rowCount() | ||||
|         ]; | ||||
|     } catch (Exception $e) { | ||||
|         if ($settings->Debug['LogToFile']) { | ||||
|             file_put_contents('../purgeToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Garbage collection failed (' . $userID . ' => ' . $e . ')' . PHP_EOL, FILE_APPEND); | ||||
|         } | ||||
|  | ||||
|         return ['status' => 'Fail', 'reason' => $e]; | ||||
|     } | ||||
| } | ||||
|  | ||||
| function deleteToken(array $tokenIDs, int $userID) { | ||||
|     try { | ||||
|         // Sadly, PDO does not support named parameters in constructions like 'IN ( :array )' | ||||
|         //   instead, the supported syntax is unnamed placeholders like 'IN (?, ?, ?, ...)' | ||||
|         $pdoQuery = $pdoDB->prepare(' | ||||
|             DELETE FROM SecureToken | ||||
|             WHERE SecureToken.Id IN (' . implode( ',', array_fill(0, count($tokenIDs), '?')) . ') | ||||
|                 AND SecureToken.UserId = :userid | ||||
|         '); | ||||
|         $pdoQuery->execute($tokenIDs,[ | ||||
|     		':userid'	=>	(int) $userID | ||||
|         ]); | ||||
|  | ||||
|         if ($settings->Debug['LogToFile']) { | ||||
|             file_put_contents('../deleteToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Successfully deleted specific token(s) (' . $userID . ' => #' . $pdoQuery->rowCount() . ')' . PHP_EOL, FILE_APPEND); | ||||
|         } | ||||
|  | ||||
|         return [ | ||||
|             'status'    => 'Success', | ||||
|             'amount'    => $pdoQuery->rowCount() | ||||
|         ]; | ||||
|     } catch (Exception $e) { | ||||
|         if ($settings->Debug['LogToFile']) { | ||||
|             file_put_contents('../deleteToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Failed deleting specific token(s) (' . $userID . ' => ' . $e . ')' . PHP_EOL, FILE_APPEND); | ||||
|         } | ||||
|  | ||||
|         return ['status' => 'Fail', 'reason' => $e]; | ||||
|     } | ||||
|  | ||||
| } | ||||
|  | ||||
| ?> | ||||
| @@ -15,6 +15,8 @@ $pageLayout['full'] = <<<'FULL' | ||||
|     <link href="misc/style.button.css" rel="stylesheet" /> | ||||
|     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script> | ||||
|     <script src="misc/script.translation.js"></script> | ||||
|     <script src="https://unpkg.com/nprogress@0.2.0/nprogress.js"></script> | ||||
|     <link href="https://unpkg.com/nprogress@0.2.0/nprogress.css" rel="stylesheet" /> | ||||
|   </head> | ||||
|   <body> | ||||
|     <div id="horizon"> | ||||
| @@ -72,22 +74,6 @@ $pageLayout['full_alt'] = <<<'FULL_ALT' | ||||
| </html> | ||||
| FULL_ALT; | ||||
|  | ||||
| $pageLayout['bare'] = <<<'BARE' | ||||
| <!DOCTYPE html> | ||||
| <html lang="nl"> | ||||
|   <head> | ||||
|     <meta charset="utf-8" /> | ||||
|     <title>lucidAuth</title> | ||||
| 	<meta name="application-name" content="lucidAuth" /> | ||||
|     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.js"></script> | ||||
|     <script src="misc/script.iframe.js"></script> | ||||
|   </head> | ||||
|   <body> | ||||
|   	%1$s | ||||
|   </body> | ||||
| </html> | ||||
| BARE; | ||||
|  | ||||
| $contentLayout['login'] = <<<'LOGIN' | ||||
| 		  <script src="misc/script.index.js"></script> | ||||
|           <section> | ||||
| @@ -144,6 +130,22 @@ $contentLayout['manage']['section'] = <<<'MANAGE_SECTION' | ||||
|                     %1$s | ||||
|                   </tbody> | ||||
|                 </table> | ||||
|                 <div id="sessions"> | ||||
|                   <span data-translation="label_sessions" style="float: left; margin-left: 5px;">Sessions</span> | ||||
|                   <br> | ||||
|                   <table id="sessiontable"> | ||||
|                     <thead> | ||||
|                       <tr> | ||||
|                         <th data-translation="th_timestamp">Timestamp</th> | ||||
|                         <th data-translation="th_origin"><origin></th> | ||||
|                         <th data-translation="th_description">Description</th> | ||||
|                         <th data-translation="th_manage">Manage</th> | ||||
|                       </tr> | ||||
|                     </thead> | ||||
|                     <tbody> | ||||
|                     </tbody> | ||||
|                   </table> | ||||
|                 </div> | ||||
|               </li> | ||||
|             </ul> | ||||
| MANAGE_SECTION; | ||||
|   | ||||
| @@ -18,6 +18,16 @@ return (object) array( | ||||
| 		// Specify the NetBios name of the domain; to allow users to log on with just their usernames. | ||||
| 	], | ||||
|  | ||||
|     '2FA'   => [ | ||||
|         'Protocol'  => 'TOTP',      // Possible options are HOTP (sequential codes) and TOTP (timebased codes) | ||||
|         'TOTP'  => [ | ||||
|             'Secret'    => 'NULL',  // By default, a 512 bits secret is generated. If you need, you can provide your own secret here. | ||||
|             'Age'       => '30',    // The duration that each OTP code is valid for. | ||||
|             'Length'    => '6',     // Number of digits the OTP code will consist of. | ||||
|             'Algorithm' => 'SHA256' // The hashing algorithm used. | ||||
|         ], | ||||
|     ], | ||||
|  | ||||
| 	'Sqlite'	=> [ | ||||
| 		'Path'	=> '../data/lucidAuth.sqlite.db' | ||||
| 		// Relative path to the location where the database should be stored | ||||
| @@ -37,6 +47,9 @@ return (object) array( | ||||
| 		'CrossDomainLogin'	=> False, | ||||
| 		// Set this to True if SingleSignOn (albeit rudementary) is desired | ||||
| 		//   (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains) | ||||
|         // Important! | ||||
|         // If you leave this set to False, the domainname where lucidAuth will be running on, | ||||
|         // needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing the authentication proxy. | ||||
| 		'CookieDomains'	=> [ | ||||
| 			'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld' | ||||
| 		] | ||||
|   | ||||
| @@ -1,27 +0,0 @@ | ||||
| <?php | ||||
|  | ||||
| // Basic example of PHP script to handle with jQuery-Tabledit plug-in. | ||||
| // Note that is just an example. Should take precautions such as filtering the input data. | ||||
|  | ||||
| header('Content-Type: application/json'); | ||||
|  | ||||
| $input = filter_input_array(INPUT_POST); | ||||
|  | ||||
| $mysqli = new mysqli('localhost', 'user', 'password', 'database'); | ||||
|  | ||||
| if (mysqli_connect_errno()) { | ||||
|   echo json_encode(array('mysqli' => 'Failed to connect to MySQL: ' . mysqli_connect_error())); | ||||
|   exit; | ||||
| } | ||||
|  | ||||
| if ($input['action'] === 'edit') { | ||||
|     $mysqli->query("UPDATE users SET username='" . $input['username'] . "', email='" . $input['email'] . "', avatar='" . $input['avatar'] . "' WHERE id='" . $input['id'] . "'"); | ||||
| } else if ($input['action'] === 'delete') { | ||||
|     $mysqli->query("UPDATE users SET deleted=1 WHERE id='" . $input['id'] . "'"); | ||||
| } else if ($input['action'] === 'restore') { | ||||
|     $mysqli->query("UPDATE users SET deleted=0 WHERE id='" . $input['id'] . "'"); | ||||
| } | ||||
|  | ||||
| mysqli_close($mysqli); | ||||
|  | ||||
| echo json_encode($input); | ||||
							
								
								
									
										1
									
								
								public/images/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								public/images/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | ||||
| Browser logo's obtained from [alrra/browser-logos](https://github.com/alrra/browser-logos). | ||||
							
								
								
									
										
											BIN
										
									
								
								public/images/chrome_256x256.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								public/images/chrome_256x256.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 26 KiB | 
							
								
								
									
										
											BIN
										
									
								
								public/images/edge_256x256.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								public/images/edge_256x256.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 26 KiB | 
							
								
								
									
										
											BIN
										
									
								
								public/images/firefox_256x256.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								public/images/firefox_256x256.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 37 KiB | 
							
								
								
									
										
											BIN
										
									
								
								public/images/opera_256x256.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								public/images/opera_256x256.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 12 KiB | 
							
								
								
									
										
											BIN
										
									
								
								public/images/safari_256x256.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								public/images/safari_256x256.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 64 KiB | 
							
								
								
									
										
											BIN
										
									
								
								public/images/tor_256x256.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								public/images/tor_256x256.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 24 KiB | 
| @@ -3,7 +3,7 @@ | ||||
|  | ||||
| 	include_once('../include/lucidAuth.functions.php'); | ||||
|  | ||||
| 	if ($_POST['do'] == 'login') { | ||||
| 	if ($_POST['do'] === 'login') { | ||||
| 		$result = authenticateLDAP($_POST['username'], $_POST['password']); | ||||
| 		if ($result['status'] === 'Success') { | ||||
| 			// Store authentication token; in database serverside & in cookie clientside | ||||
| @@ -14,10 +14,9 @@ | ||||
| 					"Result"			=>	"Failure", | ||||
| 					"Reason"			=>	"Failed storing authentication token in database and/or cookie" | ||||
| 				]); | ||||
| #				echo '{"Result":"Fail","Reason":"Failed storing authentication token in database and/or cookie"}' . PHP_EOL; | ||||
| 				exit; | ||||
| 			} | ||||
|              | ||||
|  | ||||
| 			// Convert base64 encoded string back from JSON; | ||||
| 			//   forcing it into an associative array (instead of javascript's default StdClass object) | ||||
| 			try { | ||||
| @@ -30,7 +29,6 @@ | ||||
| 					"Result"			=>	"Failure", | ||||
| 					"Reason"			=>	"Original request-URI lost in transition" | ||||
| 				]); | ||||
| #				echo '{"Result":"Fail","Reason":"Original request URI lost in transition"}' . PHP_EOL; | ||||
| 				exit; | ||||
| 			} | ||||
| 			$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php'; | ||||
| @@ -40,7 +38,9 @@ | ||||
| 			echo json_encode([ | ||||
| 				"Result"			=>	"Success", | ||||
| 				"Location"			=>	$originalUri, | ||||
| 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'] | ||||
| 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'], | ||||
|                 "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], [$_SERVER['HTTP_HOST']])), | ||||
|                 "SecureToken"       =>  $result['token'] | ||||
| 			]); | ||||
| 		} else { | ||||
| 			switch ($result['reason']) { | ||||
| @@ -63,8 +63,8 @@ | ||||
| 	} else { | ||||
| 		include_once('../include/lucidAuth.template.php'); | ||||
|  | ||||
| 		echo sprintf($pageLayout['full'],  | ||||
| 			sprintf($contentLayout['login'],  | ||||
| 		echo sprintf($pageLayout['full'], | ||||
| 			sprintf($contentLayout['login'], | ||||
| 				$_GET['ref'] | ||||
| 			) | ||||
| 		); | ||||
|   | ||||
| @@ -8,37 +8,124 @@ | ||||
| 	} | ||||
|  | ||||
| 	if ($validateTokenResult['status'] === "Success") { | ||||
| 		include_once('../include/lucidAuth.template.php'); | ||||
|         switch ($_REQUEST['do']) { | ||||
|             case 'mutateusers': | ||||
|                 if (isset($_REQUEST['new']) && isset($_REQUEST['removed'])) { | ||||
| // Do magic! | ||||
|                 } | ||||
|                 else { | ||||
|                     header('Content-Type: application/json'); | ||||
|                     echo json_encode([ | ||||
|                         "Result"	=>	"Failure", | ||||
|                         "Reason"	=>	"Incomplete request data" | ||||
|                     ]); | ||||
|                 } | ||||
|                 break; | ||||
|             case 'retrievesessions': | ||||
|                 $storedTokens = []; | ||||
|  | ||||
|         try { | ||||
|         	$allUsers = $pdoDB->query(' | ||||
|                 SELECT User.Id, User.Username, Role.Rolename | ||||
| 		        FROM User | ||||
| 	            LEFT JOIN Role | ||||
|                     ON (Role.Id = User.RoleId) | ||||
|     	    ')->fetchAll(PDO::FETCH_ASSOC); | ||||
|         } catch (Exception $e) { | ||||
|                 $pdoQuery = $pdoDB->prepare(' | ||||
|                     SELECT SecureToken.Id, SecureToken.UserId, SecureToken.Value | ||||
|                     FROM SecureToken | ||||
|                     WHERE SecureToken.UserId = :userid | ||||
|                 '); | ||||
|                 $pdoQuery->execute([ | ||||
|                     ':userid'	=>	(int) $_REQUEST['userid'] | ||||
|                 ]); | ||||
|                 foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) { | ||||
|                     try { | ||||
|                         $JWTPayload = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']); | ||||
|                         $storedTokens[] = [ | ||||
|                             'tid'   => $row['Id'], | ||||
|                             'iat'	=> $JWTPayload->iat, | ||||
|                             'iss'	=> $JWTPayload->iss, | ||||
|                             'fp'    => $JWTPayload->fp | ||||
|                         ]; | ||||
|                     } catch (Exception $e) { | ||||
|                         // Invalid token | ||||
|                         continue; | ||||
|                     } | ||||
|                 } | ||||
|  | ||||
|                 // Return JSON object | ||||
|                 header('Content-Type: application/json'); | ||||
|                 echo json_encode([ | ||||
|                     "Result"       => "Success", | ||||
|                     "SessionCount" => sizeof($storedTokens), | ||||
|                     "UserSessions" => json_encode($storedTokens) | ||||
|                 ]); | ||||
|                 break; | ||||
|             case 'deletesession': | ||||
|                 if (isset($_REQUEST['userid']) && isset($_REQUEST['tokenid'])) { | ||||
|                     try { | ||||
|                         $pdoQuery = $pdoDB->prepare(' | ||||
|                             DELETE FROM SecureToken | ||||
|                             WHERE SecureToken.UserId = :userid AND SecureToken.Id = :tokenid | ||||
|                         '); | ||||
|                         $pdoQuery->execute([ | ||||
|                             ':userid'	=>	(int) $_REQUEST['userid'], | ||||
|                             ':tokenid'  =>  (int) $_REQUEST['tokenid'] | ||||
|                         ]); | ||||
|                          | ||||
|                         // Return JSON object | ||||
|                         header('Content-Type: application/json'); | ||||
|                         echo json_encode([ | ||||
|                             "Result"			=>	"Success", | ||||
|                             "RowCount"			=>	$pdoQuery->RowCount() | ||||
|                         ]); | ||||
|                     } | ||||
|                     catch (Exception $e) { | ||||
|                         // Return JSON object | ||||
|                         header('Content-Type: application/json'); | ||||
|                         echo json_encode([ | ||||
|                             "Result"			=>	"Failure", | ||||
|                             "Reason"			=>	"Failed deleting tokens from database" | ||||
|                         ]); | ||||
|                         exit; | ||||
|                     } | ||||
|                 } else { | ||||
|                     header('Content-Type: application/json'); | ||||
|                     echo json_encode([ | ||||
|                         "Result"	=>	"Failure", | ||||
|                         "Reason"	=>	"Incomplete request data" | ||||
|                     ]); | ||||
|                 } | ||||
|                 break; | ||||
|             default: | ||||
|                 // No action requested, default action | ||||
|                 include_once('../include/lucidAuth.template.php'); | ||||
|  | ||||
|                 try { | ||||
|                     $allUsers = $pdoDB->query(' | ||||
|                         SELECT User.Id, User.Username, Role.Rolename | ||||
|                         FROM User | ||||
|                         LEFT JOIN Role | ||||
|                             ON (Role.Id = User.RoleId) | ||||
|                     ')->fetchAll(PDO::FETCH_ASSOC); | ||||
|                 } catch (Exception $e) { | ||||
| // Should really do some actual errorhandling here | ||||
|             throw new Exception($e); | ||||
|         } | ||||
|     	foreach($allUsers as $row) { | ||||
|             $tableRows[] = sprintf('<tr%1$s><td data-userid="%2$s">%3$s</td><td>%4$s</td><td class="immutable">%5$s</td></tr>', | ||||
|                 $validateTokenResult['uid'] === $row['Id'] ? ' class="currentuser"': null, | ||||
|                 $row['Id'], | ||||
|                 explode('\\', $row['Username'])[1], | ||||
|                 $row['Rolename'], | ||||
|                 '<button class="bttn-simple bttn-xs bttn-primary" data-translation="button_sessions">Sessions</button>' . ($validateTokenResult['uid'] === $row['Id'] ? null : ' <button class="bttn-simple bttn-xs bttn-primary delete" data-translation="button_delete">Delete</button>') | ||||
|             ); | ||||
|     	} | ||||
|                     throw new Exception($e); | ||||
|                 } | ||||
|                 foreach($allUsers as $row) { | ||||
|                     $tableRows[] = sprintf('<tr%1$s><td data-userid="%2$s">%3$s</td><td>%4$s</td><td class="immutable">%5$s</td></tr>', | ||||
|                         $validateTokenResult['uid'] === $row['Id'] ? ' class="currentuser"': null, | ||||
|                         $row['Id'], | ||||
|                         explode('\\', $row['Username'])[1], | ||||
|                         $row['Rolename'], | ||||
|                         '<button class="bttn-simple bttn-xs bttn-primary session" data-translation="button_sessions">Sessions</button>' . ($validateTokenResult['uid'] === $row['Id'] ? null : ' <button class="bttn-simple bttn-xs bttn-primary delete" data-translation="button_delete">Delete</button>') | ||||
|                     ); | ||||
|                 } | ||||
|  | ||||
|         echo sprintf($pageLayout['full_alt'], | ||||
|             sprintf($contentLayout['manage']['header'], | ||||
|                 $validateTokenResult['name'] | ||||
|             ), | ||||
|             sprintf($contentLayout['manage']['section'], | ||||
|                 implode($tableRows) | ||||
|             ) | ||||
|         ); | ||||
|                 echo sprintf($pageLayout['full_alt'], | ||||
|                     sprintf($contentLayout['manage']['header'], | ||||
|                         $validateTokenResult['name'] | ||||
|                     ), | ||||
|                     sprintf($contentLayout['manage']['section'], | ||||
|                         implode($tableRows) | ||||
|                     ) | ||||
|                 ); | ||||
|                 break; | ||||
|         } | ||||
| 	} else { | ||||
| 		// No cookie containing valid authentication token found; | ||||
| 		//   explicitly deleting any remaining cookie, then redirecting to loginpage | ||||
|   | ||||
							
								
								
									
										59
									
								
								public/lucidAuth.requestCookie.php
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										59
									
								
								public/lucidAuth.requestCookie.php
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,59 @@ | ||||
| <?php | ||||
| 	error_reporting(E_ALL ^ E_NOTICE); | ||||
|  | ||||
| 	include_once('../include/lucidAuth.functions.php'); | ||||
|  | ||||
|     // Start with checking $_REQUEST['ref'] | ||||
| 	if (!empty($_REQUEST['ref'])) { | ||||
| 		try { | ||||
| 			$queryString = json_decode(base64_decode($_REQUEST['ref']), JSON_OBJECT_AS_ARRAY); | ||||
| 		} | ||||
| 		catch (Exception $e) { | ||||
| 			// Silently fail, unless explicitly specified otherwise | ||||
|             header("HTTP/1.1 400 Bad Request"); | ||||
| 			if ($settings->Debug['Verbose']) throw new Exception($e); | ||||
|             exit; | ||||
| 		} | ||||
|  | ||||
|         switch ($queryString['action']) { | ||||
|             case 'login': | ||||
|                 if (validateToken($queryString['token'])['status'] === "Success") { | ||||
|                     // This request appears valid; try storing a cookie | ||||
|                     $httpHost = $_SERVER['HTTP_HOST']; | ||||
|                     $httpOrigin = $_SERVER['HTTP_ORIGIN']; | ||||
|                     // Check if $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_ORIGIN'] match any of the configured domains (either explicitly or as a subdomain) | ||||
|                     //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks | ||||
|                     $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) { | ||||
|                         return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value))); | ||||
|                     }))[0]; | ||||
|                     $originDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpOrigin) { | ||||
|                         return (strlen($value) > strlen($httpOrigin)) ? false : (0 === substr_compare($httpOrigin, $value, -strlen($value))); | ||||
|                     }))[0]; | ||||
|                     if (($cookieDomain && (is_null($httpOrigin) || $originDomain)) && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) { | ||||
|                         header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); | ||||
|                         header('Access-Control-Allow-Credentials: true'); | ||||
|                         header('Access-Control-Max-Age: 86400'); | ||||
|                         header("HTTP/1.1 202 Accepted"); | ||||
|                         exit; | ||||
|                     } | ||||
|                     else { | ||||
|                         header("HTTP/1.1 400 Bad Request"); | ||||
|                         exit; | ||||
|                     } | ||||
|                 } | ||||
|                 else { | ||||
|                     header("HTTP/1.1 401 Unauthorized"); | ||||
|                     exit; | ||||
|                 } | ||||
|                 break; | ||||
|             default: | ||||
|                 header("HTTP/1.1 400 Bad Request"); | ||||
|                 exit; | ||||
|                 break; | ||||
|         } | ||||
| 	} | ||||
|     else { | ||||
|         header("HTTP/1.1 400 Bad Request"); | ||||
|         exit; | ||||
|     } | ||||
| ?> | ||||
| @@ -1,41 +0,0 @@ | ||||
| <?php | ||||
| 	error_reporting(E_ALL ^ E_NOTICE); | ||||
|  | ||||
| 	include_once('../include/lucidAuth.functions.php'); | ||||
|  | ||||
|     // Start with checking $_REQUEST['ref'] | ||||
| 	// What do we need? | ||||
| 	//   token again? | ||||
|  | ||||
| 	// approach 1: | ||||
| 	//   origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already) | ||||
| 	//   this might be slower because it means one additional roundtrip between client and server | ||||
|  | ||||
| 	// approach 2: | ||||
| 	//   let the client setup multiple iframes for all domains other than origin domains | ||||
| 	//   this requires passing an array of domains to the client in asynchronous reply; which feels insecure | ||||
|  | ||||
| 	if (!empty($_REQUEST['ref'])) { | ||||
| 		try { | ||||
| 			$queryString = json_decode(base64_decode($_REQUEST['ref']), JSON_OBJECT_AS_ARRAY); | ||||
| 		} | ||||
| 		catch (Exception $e) { | ||||
| 			// Silently fail, unless explicitly specified otherwise | ||||
| 			if ($settings->Debug['Verbose']) throw new Exception($e); | ||||
|             exit; | ||||
| 		} | ||||
|  | ||||
|         switch ($queryString['action']) { | ||||
|             case 'login': | ||||
|                 break; | ||||
|             default: | ||||
|                 break; | ||||
|         } | ||||
| 	} | ||||
|  | ||||
| 	include_once('../include/lucidAuth.template.php'); | ||||
|  | ||||
| 	echo sprintf($pageLayout['bare'], | ||||
| 		'// iFrames go here' | ||||
| 	); | ||||
| ?> | ||||
| @@ -14,7 +14,7 @@ | ||||
| 	$proxyHeaders = array_filter($proxyHeaders, function ($key) { | ||||
| 		return substr($key, 0, 10) === 'XForwarded'; | ||||
| 	}, ARRAY_FILTER_USE_KEY); | ||||
| 	 | ||||
|  | ||||
| 	// For debugging purposes - enable it in ../lucidAuth.config.php | ||||
| 	if ($settings->Debug['LogToFile']) { | ||||
| 		file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND); | ||||
| @@ -22,7 +22,7 @@ | ||||
|  | ||||
| 	if (sizeof($proxyHeaders) === 0) { | ||||
| 		// Non-proxied request; this is senseless, go fetch! | ||||
| 		header("HTTP/1.1 403 Forbidden"); | ||||
| 		header("HTTP/1.1 400 Bad Request"); | ||||
| 		exit; | ||||
| 	} | ||||
|  | ||||
|   | ||||
| @@ -31,11 +31,41 @@ $(document).ready(function(){ | ||||
| 						'color':		'#FFF' | ||||
| 					}); | ||||
| 					if (data.CrossDomainLogin) { | ||||
| 						// Create iframes for other domains | ||||
| console.log('CrossDomainLogin initiated'); | ||||
|                         var cookieDomains = JSON.parse(data.CookieDomains); | ||||
|                         var XHR = []; | ||||
|                         cookieDomains.forEach(function(domain) { | ||||
|                             XHR.push($.get({ | ||||
|                                 url: "https://auth." + domain + "/lucidAuth.requestCookie.php", | ||||
|                                 crossDomain: true, | ||||
|                                 xhrFields: { | ||||
|                                     withCredentials: true, | ||||
|                                 }, | ||||
|                                 timeout: 750, | ||||
| // origin domain should be exempted from timeout | ||||
| //   (because origin domain can/will be different from current domain --due to traefik design). | ||||
|                                 data: { | ||||
|                                     ref: btoa(JSON.stringify({ | ||||
|                                         action: 'login', | ||||
|                                         token: data.SecureToken | ||||
|                                     })) | ||||
|                                 } | ||||
|                             }).done(function(_data, _textStatus, jqXHR) { | ||||
|                                 NProgress.inc(1 / XHR.length); | ||||
|                                 console.log('CrossDomain login succeeded for domain `' + domain + '` [' + JSON.stringify(jqXHR) + ']'); | ||||
|                             }).fail(function(jqXHR) { | ||||
|                                 console.log('CrossDomain login failed for domain `' + domain + '` [' + JSON.stringify(jqXHR) + ')]'); | ||||
|                                 // Should check why this failed (timeout or bad request?), and if this is the origin domain, take action | ||||
|                             })); | ||||
|                         }); | ||||
|                         $.when.apply($, XHR).then(function(){ | ||||
|                             $.each(arguments, function(_index, _arg) { | ||||
|                                 // Finished cross-domain logins (either successfully or through timeout) | ||||
|                                 NProgress.done(); | ||||
|                                 console.log('CrossDomain login completed; forwarding to `' + data.Location + '`'); | ||||
|                                 window.location.replace(data.Location); | ||||
|                             }); | ||||
|                         }); | ||||
| 					} | ||||
| console.log("Navigating to :" + data.Location); | ||||
| 					window.location.replace(data.Location); | ||||
| 				}, 2250); | ||||
| 			} else { | ||||
| 				$('#btnlogin').css({ | ||||
|   | ||||
| @@ -1,7 +1,136 @@ | ||||
| jQuery.fn.ConfirmDelete = function() { | ||||
|     return this.on('click', function() { | ||||
|         var sessionID = $(this).data('sessionid'); | ||||
|  | ||||
|         $(this).off('click').parent().empty() | ||||
|             .append($('<button>', { | ||||
|                 text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_yes'], | ||||
|                 class: 'bttn-simple bttn-xs bttn-primary sessiondeleteconfirm', | ||||
|                 style: 'margin-right: 3px;', | ||||
|                 'data-translation': 'button_yes', | ||||
|                 'data-sessionid': sessionID | ||||
|             }).on('click', function() { | ||||
| // Move this out of 'ConfirmDelete()' | ||||
|                 var pressedButton = $(this); | ||||
|                 $(pressedButton).prop('disabled', true).css({ | ||||
|                     'background':	'#999 url(data:image/gif;base64,R0lGODlhEAAQAPIAAJmZmf///7CwsOPj4////9fX18rKysPDwyH+GkNyZWF0ZWQgd2l0aCBhamF4bG9hZC5pbmZvACH5BAAKAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQACgABACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkEAAoAAgAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkEAAoAAwAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkEAAoABAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQACgAFACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQACgAGACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAAKAAcALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==) no-repeat center', | ||||
|                     'color':		'transparent', | ||||
|                     'transform':	'rotateX(180deg)', | ||||
|                     'cursor':       'default' | ||||
|                 }).next().prop('disabled', true).addClass('disabled'); | ||||
|  | ||||
|                 $.post("lucidAuth.manage.php", { | ||||
|                     do: "deletesession", | ||||
|                     tokenid: sessionID, | ||||
|                     userid: $(pressedButton).closest('tr').data('userid') | ||||
|                 }) | ||||
|                 .done(function(data,_status) { | ||||
|                     if (data.Result === 'Success') { | ||||
|                         $(pressedButton).css({ | ||||
|                             'background':	'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center', | ||||
|                             'transform':	'rotateX(0deg)' | ||||
|                         }); | ||||
|                         setTimeout(function() { | ||||
|                             $(pressedButton).closest('tr').fadeOut(500, function() { | ||||
|                                 $(this).remove()}); | ||||
|                         }, 2250); | ||||
|                     } else { | ||||
|                         $(pressedButton).css({ | ||||
|         					'background':	'red url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAv0lEQVQ4jaWT0Q3CMAxELwh1BEag87AJ6hcLlE/KBLABrNEV2h26QaXHj4NMGgpS7sfJJXd24kQqRMiRQC3pIKk2apD0DCEMq25ABZyBmSVmW6vWxH1GmKLPmph7xJQReq5dnNmVPQE7oHOCzrhoMts9vQ1OSbYOCBb92OPkDe6ZkqMwJwa4SdJmtS1/YGsx7e9VUiPpYvPG4tHtGUsvcf+RkpI2mkHZQ3ImLd+fcpuKf32meM5R0iOEMOb2F+EF33vgCePVr8UAAAAASUVORK5CYII=) no-repeat center', | ||||
|                             'transform':	'rotateX(0deg)' | ||||
|                         }); | ||||
|                         setTimeout(function() { | ||||
|                             $(pressedButton).closest('td').empty() | ||||
|                                 .append( | ||||
|                                     $('<button>', { | ||||
|                                         text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'], | ||||
|                                         class: 'bttn-simple bttn-xs bttn-primary sessiondelete', | ||||
|                                         'data-translation': 'button_delete', | ||||
|                                         'data-sessionid': sessionID | ||||
|                                     }).ConfirmDelete()) | ||||
|                         }, 2250); | ||||
|                     } | ||||
|                 }); | ||||
|             })) | ||||
|             .append($('<button>', { | ||||
|                 text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_no'], | ||||
|                 class: 'bttn-simple bttn-xs bttn-primary sessiondeletecancel', | ||||
|                 'data-translation': 'button_no', | ||||
|                 'data-sessionid': sessionID | ||||
|             }).on('click', function() { | ||||
| // Move this out of 'ConfirmDelete()' | ||||
|                 var pressedButton = $(this); | ||||
|                 $(pressedButton).closest('td').empty() | ||||
|                 .append( | ||||
|                     $('<button>', { | ||||
|                         text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'], | ||||
|                         class: 'bttn-simple bttn-xs bttn-primary sessiondelete', | ||||
|                         'data-translation': 'button_delete', | ||||
|                         'data-sessionid': sessionID | ||||
|                     }).ConfirmDelete()) | ||||
|             })) | ||||
|     }); | ||||
| }; | ||||
|  | ||||
| $(document).ready(function(){ | ||||
|     // Initialize the editable-table functionality | ||||
|     $('#usertable').editableTableWidget(); | ||||
|  | ||||
|     // Prevent clicking *through* popup-screens | ||||
|     $('#sessions').click(function(event) { | ||||
|         event.stopPropagation(); | ||||
|     }); | ||||
|      | ||||
|     // Add eventhandlers to buttons | ||||
|     $('#usertable button.session').click(function() { | ||||
|         event.stopPropagation(); | ||||
|         $('#sessions tbody').empty(); | ||||
|         $('#sessions').fadeToggle(); | ||||
|  | ||||
|         var userID = $(this).closest('tr').find('td:nth-child(1)').data('userid'); | ||||
|  | ||||
|         $.post("lucidAuth.manage.php", { | ||||
| 			do: "retrievesessions", | ||||
| 			userid: userID | ||||
| 		}) | ||||
| 		.done(function(data,_status) { | ||||
| 			if (data.Result === 'Success') { | ||||
|                 var Sessions = JSON.parse(data.UserSessions); | ||||
|                 for (var i = 0; i < data.SessionCount; i++) { | ||||
|                     try { | ||||
|                         var fingerPrint = JSON.parse(atob(Sessions[i]['fp'])); | ||||
|                         var sessionDetails = '<img class="browsericon" src="/images/' + fingerPrint['browser'] + '_256x256.png">'; | ||||
|                         sessionDetails += fingerPrint['browser'] + ' -- ' + fingerPrint['platform']; | ||||
|                         sessionDetails += '<br>' + fingerPrint['city'] + ' (' + fingerPrint['countrycode'] + ')'; | ||||
|                     } catch(e) { | ||||
|                         // Do nothing | ||||
|                     }  | ||||
|                     $('#sessiontable tbody').append($('<tr>', { | ||||
|                             'data-userid': userID | ||||
|                         }) | ||||
|                         .append($('<td>', { | ||||
|                             text: new Date(Sessions[i]['iat'] * 1000).toLocaleString('en-GB') | ||||
|                         })) | ||||
|                         .append($('<td>', { | ||||
|                             text: Sessions[i]['iss'] | ||||
|                         })) | ||||
|                         .append($('<td>', { | ||||
|                             html: sessionDetails ? sessionDetails : '' | ||||
|                         })) | ||||
|                         .append($('<td>', { | ||||
|                             html: $('<button>', { | ||||
|                                 text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'], | ||||
|                                 class: 'bttn-simple bttn-xs bttn-primary sessiondelete', | ||||
|                                 'data-translation': 'button_delete', | ||||
|                                 'data-sessionid': Sessions[i]['tid']}) | ||||
|                         })) | ||||
|                     ); | ||||
|                 } | ||||
|                 $('#sessiontable .sessiondelete').ConfirmDelete(); | ||||
| 			} else { | ||||
| 			} | ||||
| 		}); | ||||
|     }); | ||||
|     $('#usertable button.delete').click(function() { | ||||
|         $(this).closest('tr').addClass('removed'); | ||||
|     }); | ||||
| @@ -32,6 +161,9 @@ $(document).ready(function(){ | ||||
|         //   To prevent recreating multiple new editors; reference the already existing `<input>` | ||||
|         $('#usertable').editableTableWidget({editor: $('#editor')}); | ||||
|         // Add eventhandlers to buttons of newly added `<tr>` | ||||
|         $('#usertable .new button.session').unbind().click(function() { | ||||
|             console.log('New user, unlikely to have sessions already, lets do nothing for now'); | ||||
|         }); | ||||
|         $('#usertable .new button.delete').unbind().click(function() { | ||||
|             $(this).closest('tr').remove(); | ||||
|         }); | ||||
| @@ -55,14 +187,15 @@ $(document).ready(function(){ | ||||
|         }); | ||||
|  | ||||
| console.log({'new': newEntries, 'removed': removedEntries}); | ||||
|  | ||||
| /*        $.get("psworker.php", { | ||||
| 			do: "mutate", | ||||
| 			mutations: { | ||||
| 				new: newEntries, | ||||
| 				removed: removedEntries | ||||
| 			} | ||||
| 		})*/ | ||||
| /* | ||||
|         $.post("lucidAuth.manage.php", { | ||||
|             do: "mutateusers", | ||||
|             new: newEntries, | ||||
|             removed: removedEntries | ||||
|         }) | ||||
|         .done(function(data,_status) { | ||||
|         } | ||||
| */ | ||||
|     }); | ||||
|  | ||||
|     $('#btncancel').click(function() { | ||||
| @@ -92,4 +225,8 @@ console.log({'new': newEntries, 'removed': removedEntries}); | ||||
| 		} | ||||
| 	}); | ||||
|  | ||||
| }); | ||||
|  | ||||
| $(document).click(function () { | ||||
|     $('#sessions').fadeOut(); | ||||
| }); | ||||
| @@ -1,19 +0,0 @@ | ||||
| $(document).ready(function() { | ||||
| 	if (localStorage.getItem('theme') != '') { | ||||
| 		$('html').addClass(localStorage.getItem('theme')); | ||||
| 	} | ||||
|  | ||||
| 	$('.logo .sub').on('click', function(event) { | ||||
| 		if (event.ctrlKey) { | ||||
| 			var classes = ["tablecloth", "weave", "madras", "tartan", "seigaiha"]; | ||||
| 			var selectedTheme = classes[~~(Math.random()*classes.length)]; | ||||
| 			 | ||||
| 			$('html').removeClass().addClass(selectedTheme); | ||||
| 			localStorage.setItem('theme', selectedTheme); | ||||
| 		} | ||||
| 		if (event.altKey) { | ||||
| 			$('html').removeClass(); | ||||
| 			localStorage.removeItem('theme'); | ||||
| 		} | ||||
| 	}); | ||||
| }); | ||||
| @@ -5,9 +5,12 @@ var locales = { | ||||
| 		button_cancel:				"cancel", | ||||
|         button_sessions:            "sessions", | ||||
| 		button_delete:				"delete", | ||||
| 		button_login:				"login", | ||||
| 		button_yes:	    			"yes", | ||||
| 		button_no:			    	"no", | ||||
|         button_login:				"login", | ||||
| 		heading_error:				"ERROR!", | ||||
| 		label_password:				"Password:", | ||||
|         label_password:				"Password:", | ||||
|         label_sessions:				"Sessions", | ||||
| 		label_username:				"Username:", | ||||
| 		link_logout:				"Logout", | ||||
| 		span_credentialsavailable:	"Login credentials available upon request!", | ||||
| @@ -22,9 +25,12 @@ var locales = { | ||||
| 		button_cancel:				"annuleren", | ||||
|         button_sessions:            "sessies", | ||||
| 		button_delete:				"verwijder", | ||||
| 		button_yes:	    			"ja", | ||||
| 		button_no:			    	"nee", | ||||
| 		button_login:				"log in", | ||||
| 		heading_error:				"FOUT!", | ||||
| 		label_password:				"Wachtwoord:", | ||||
|         label_password:				"Wachtwoord:", | ||||
|         label_sessions:				"Sessies", | ||||
| 		label_username:				"Gebruikersnaam:", | ||||
| 		link_logout:				"Log uit", | ||||
| 		span_credentialsavailable:	"Inloggegevens verkrijgbaar op aanvraag!", | ||||
|   | ||||
| @@ -129,6 +129,35 @@ body { | ||||
|             .main section .buttons button { | ||||
|                 margin-left: inherit; | ||||
|             } | ||||
|         .main section #sessions { | ||||
| 			display: none; | ||||
| 			position: absolute; | ||||
| 			top: calc(50% - 160px); | ||||
| 			right: 20%; | ||||
| 			height: 320px; | ||||
| 			width: 60%; | ||||
| 			border: 1px solid rgb(0, 51, 153); | ||||
| 			box-shadow: black 0px 0px 20px; | ||||
| 			box-sizing: border-box; | ||||
| 	    	padding-top: 5px; | ||||
| 			background: white; | ||||
| 	    	font-size: inherit; | ||||
|             z-index: 99; | ||||
|             overflow-y: auto; | ||||
|         } | ||||
|             .main section #sessions .browsericon { | ||||
|                 height: 30px; | ||||
|                 float: left; | ||||
|                 margin-right: 5px; | ||||
|                 border: none; | ||||
|                 filter: drop-shadow(0px 0px 1px #000); | ||||
|             } | ||||
|             .main section #sessions .sessiondeleteconfirm { | ||||
|                 background: crimson linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.33) 51%) no-repeat center; | ||||
|             } | ||||
|             .main section #sessions .sessiondeletecancel { | ||||
|                 background: green linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center; | ||||
|             } | ||||
|         .main section table { | ||||
|             width: 100%; | ||||
|         } | ||||
|   | ||||
		Reference in New Issue
	
	Block a user