Add logic for checking/getting extension key/php session id

get_credential.php

@@ -1,5 +1,4 @@
 <?php
-/*
 
 // Headers to allow extensions access (CORS)
 $chrome_id = "chrome-extension://afgpakhonllnmnomchjhidealcpmnegc";
@@ -16,24 +15,55 @@ if (isset($_SERVER['HTTP_ORIGIN'])) {
 include("config.php");
 include("functions.php");
 
-session_start();
+// Check user is logged in & has extension access
-
+// We're not using the PHP session as we don't want to potentially expose the session cookie with SameSite None
-// Check user is logged in
+if(!isset($_COOKIE['user_extension_key'])){
-// We do this manually, using check_login will break CORS due to the redirect.
-if(!(isset($_SESSION['logged']))){
     $data['found'] = "FALSE";
-    $data['message'] = "ITFlow - You are not logged into ITFlow.";
+    $data['message'] = "ITFlow - You are not logged into ITFlow, do not have, or did not send the correct extension key cookie.";
     echo(json_encode($data));
     exit();
 }
 
-// User is logged in!
+// User has a cookie set with that name, let's verify it.
+$user_extension_key = $_COOKIE['user_extension_key'];
 
-// Get user info:
+// Check the key isn't empty, less than 17 characters or the word "disabled".
-$session_user_id = $_SESSION['user_id'];
+if(empty($user_extension_key) OR strlen($user_extension_key) < 17 OR strtolower($user_extension_key) == "disabled"){
+    $data['found'] = "FALSE";
+    $data['message'] = "ITFlow - You are not logged into ITFlow, do not have, or did not send the correct extension key cookie.";
+    echo(json_encode($data));
+    exit();
+}
 
-$sql = mysqli_query($mysqli,"SELECT * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND users.user_id = $session_user_id");
+
-$row = mysqli_fetch_array($sql);
+// Cookie seems valid, see if we can associate it with a user ID
+$user_extension_key = mysqli_real_escape_string($mysqli, $_COOKIE['user_extension_key']);
+$auth_user = mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_extension_key = '$user_extension_key' LIMIT 1");
+$row = mysqli_fetch_array($auth_user);
+
+// Check SQL query state
+if(mysqli_num_rows($auth_user) < 1 OR !$auth_user){
+    $data['found'] = "FALSE";
+    $data['message'] = "ITFlow - You are not logged into ITFlow, do not have, or did not send the correct extension key cookie.";
+    echo(json_encode($data));
+    exit();
+}
+
+// Sanity check
+if(hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])){
+    $data['found'] = "FALSE";
+    $data['message'] = "ITFlow - Validation failed.";
+    echo(json_encode($data));
+    exit();
+}
+
+// Success - validated user cookie
+
+// Get the current session from the database so we can decrypt passwords
+session_id($row['user_php_session']);
+session_start();
+
+$session_user_id = $row['user_id'];
 $session_name = $row['user_name'];
 $session_email = $row['user_email'];
 $session_avatar = $row['user_avatar'];
@@ -54,7 +84,7 @@ if($session_user_role == 6){
     $session_user_role_display = "Accountant";
 }
 
-// Check user access level
+// Check user access level is correct
 if($session_user_role < 4){
     $data['found'] = "FALSE";
     $data['message'] = "ITFlow - You are not authorised to use this application.";
@@ -62,6 +92,8 @@ if($session_user_role < 4){
     exit();
 }
 
+// Lets go!
+
 if(isset($_GET['host'])){
 
     if(!empty($_GET['host'])){
@@ -75,6 +107,11 @@ if(isset($_GET['host'])){
             $data['username'] = htmlentities($row['login_username']);
             $data['password'] = decryptLoginEntry($row['login_password']);
             echo json_encode($data);
+
+            // Logging
+            $login_name = mysqli_real_escape_string($mysqli, $row['login_name']);
+            mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension requested', log_description = '$login_name' , log_created_at = NOW(), company_id = $session_company_id, log_user_id = $session_user_id");
+
         }
     }
 }