From 57dab27169b6a657b6df8bdef5609d7e31679ecd Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 17 Jun 2023 15:09:01 +0100
Subject: [PATCH 1/4] Login page enhancements
- Default to secure cookies (in case var is not defined in config.php)
- Enable content security policy
- Return HTTP 401 response code for invalid username/password combinations
---
 js/login_prevent_resubmit.js | 3 +++
 login.php | 17 ++++++++---------
 2 files changed, 11 insertions(+), 9 deletions(-)
 create mode 100644 js/login_prevent_resubmit.js
diff --git a/js/login_prevent_resubmit.js b/js/login_prevent_resubmit.js
new file mode 100644
index 00000000..de13d0e9
--- /dev/null
+++ b/js/login_prevent_resubmit.js
@@ -0,0 +1,3 @@
+if (window.history.replaceState) {
+ window.history.replaceState(null,null,window.location.href);
+}
diff --git a/login.php b/login.php
index 148a2dfe..b9281d86 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,7 @@ + + - + - +
From 95cd0ebdc8b7706819af42c8cc6cf9043e0a3812 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 17 Jun 2023 16:01:15 +0100
Subject: [PATCH 2/4] Adjust CSP
---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/login.php b/login.php
index b9281d86..46071699 100644
--- a/login.php
+++ b/login.php
@@ -1,7 +1,7 @@
Date: Sat, 17 Jun 2023 16:13:02 +0100
Subject: [PATCH 3/4] Adjust content security policy
---
 login.php | 1 -
 portal/document.php | 4 ++--
 portal/documents.php | 2 +-
 portal/index.php | 2 +-
 portal/invoices.php | 2 +-
 portal/login.php | 14 ++++----------
 portal/login_create.php | 0
 portal/login_reset.php | 12 +++++-------
 portal/profile.php | 2 +-
 portal/quotes.php | 2 +-
 portal/tickets.php | 2 +-
 11 files changed, 17 insertions(+), 26 deletions(-)
 delete mode 100644 portal/login_create.php
diff --git a/login.php b/login.php
index 46071699..91884b10 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,5 @@ purify($row['document_content']);
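Review bot: The new file carries no comment saying what it is for or what it does not cover, so the two-line body only makes sense to a reader who already knows why login.php would load it. Suggest a header comment along the lines of `// Replace the current history entry after the login POST so a refresh does not resubmit the form; no effect on the back button, and skipped silently where history.replaceState is missing.` That purpose is inferred from the file name and the commit message rather than from the code, so adjust the wording if the intent differs. Under a `default-src 'self'` policy like the ones this series adds, the script must be referenced by a same-origin `<script src>` rather than inlined, which is consistent with it living in its own file and is worth a sentence in the same comment.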
- +

diff --git a/portal/documents.php b/portal/documents.php
index 5d950689..e6cfa819 100644
--- a/portal/documents.php
+++ b/portal/documents.php
@@ -4,7 +4,7 @@
 * Docs for PTC / technical contacts
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/index.php b/portal/index.php
index 78528659..6e1ad752 100644
--- a/portal/index.php
+++ b/portal/index.php
@@ -4,7 +4,7 @@
 * Landing / Home page for the client portal
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/invoices.php b/portal/invoices.php
index 5b74f2a4..590de567 100644
--- a/portal/invoices.php
+++ b/portal/invoices.php
@@ -4,7 +4,7 @@
 * Invoices for PTC
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/login.php b/portal/login.php
index 0400159b..f4eae805 100644
--- a/portal/login.php
+++ b/portal/login.php
@@ -4,9 +4,7 @@
 * Landing / Home page for the client portal
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
-
-header("X-Frame-Options: DENY");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 $session_company_id = 1;
 require_once('../config.php');
@@ -162,19 +160,15 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) { + + - - - +
diff --git a/portal/login_create.php b/portal/login_create.php
deleted file mode 100644
index e69de29b..00000000
diff --git a/portal/login_reset.php b/portal/login_reset.php
index ba4ca8de..87b07b47 100644
--- a/portal/login_reset.php
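Review bot: The policy string `default-src 'self' fonts.googleapis.com fonts.gstatic.com` is now repeated verbatim in portal/documents.php, index.php, invoices.php, login.php, profile.php, quotes.php, tickets.php and (newly) login_reset.php, so the next adjustment touches eight files and any one of them can silently drift — login_reset.php only acquiring the header in this commit is an instance of that. The six pages that `require_once("inc_portal.php")` could have the `header(...)` call emitted once from that include, and login.php and login_reset.php could call one shared helper such as `function portal_csp_header(): void { header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com"); }` placed in a file both already include (login_reset.php requires ../functions.php; login.php's includes beyond ../config.php are outside its hunk). Dropping the `https:` source is a real tightening and deserves a comment next to the single definition, e.g. `// Google Fonts are the only third-party origin; do not re-add https:, it would allow any TLS origin.` Note that `default-src` does not cover `frame-ancestors`, `base-uri` or `form-action`, so those need to be listed explicitly wherever this policy is meant to stand in for X-Frame-Options.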
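Review bot: Removing `header("X-Frame-Options: DENY");` leaves the portal login page with no framing restriction, because the CSP that replaces it sets only `default-src`, and that directive does not govern framing — `frame-ancestors` is a separate directive. Either keep the X-Frame-Options line or extend the new header to `header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com; frame-ancestors 'none'");` (sending both is harmless and also covers older browsers). portal_header.php still emits `header("X-Frame-Options: DENY"); // Legacy` according to the patch-4 hunk context, but whether portal/login.php includes that file is not visible here, and the Legacy tag suggests it may be removed next. portal/login_reset.php, which gains the same CSP string in this commit, shows no framing directive in its hunk either, so the same check applies there.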
+++ b/portal/login_reset.php
@@ -4,6 +4,8 @@
 * Password reset page
 */
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
+
 $session_company_id = 1;
 require_once('../config.php');
 require_once('../functions.php');
@@ -274,19 +276,15 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") { + + - - - +
diff --git a/portal/profile.php b/portal/profile.php
index cac8630a..0a938abf 100644
--- a/portal/profile.php
+++ b/portal/profile.php
@@ -4,7 +4,7 @@
 * User profile
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once('inc_portal.php');
 ?>
diff --git a/portal/quotes.php b/portal/quotes.php
index f89d5f31..3562ad12 100644
--- a/portal/quotes.php
+++ b/portal/quotes.php
@@ -4,7 +4,7 @@
 * Quotes for PTC / billing contacts
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/tickets.php b/portal/tickets.php
index c207f83b..24b1b92d 100644
--- a/portal/tickets.php
+++ b/portal/tickets.php
@@ -4,7 +4,7 @@
 * Landing / Home page for the client portal
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
From 7f5e63e518f5cf95ac237c67abae341bdc721210 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 17 Jun 2023 16:16:10 +0100
Subject: [PATCH 4/4] Fix undefined error for company name
---
 portal/portal_header.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/portal/portal_header.php b/portal/portal_header.php
index e800f367..c87dab96 100644
--- a/portal/portal_header.php
+++ b/portal/portal_header.php
@@ -12,7 +12,7 @@ header("X-Frame-Options: DENY"); // Legacy
- <?php echo nullable_htmlentities($company_name); ?> | Client Portal
+ <?php echo nullable_htmlentities($session_company_name); ?> | Client Portal
@@ -32,7 +32,7 @@ header("X-Frame-Options: DENY"); // Legacy