From 57dab27169b6a657b6df8bdef5609d7e31679ecd Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sat, 17 Jun 2023 15:09:01 +0100
Subject: [PATCH] Login page enhancements

- Default to secure cookies (in case var is not defined in config.php)
- Enable content security policy
- Return HTTP 401 response code for invalid username/password combinations
---
 js/login_prevent_resubmit.js |  3 +++
 login.php                    | 17 ++++++++---------
 2 files changed, 11 insertions(+), 9 deletions(-)
 create mode 100644 js/login_prevent_resubmit.js

diff --git a/js/login_prevent_resubmit.js b/js/login_prevent_resubmit.js
new file mode 100644
index 00000000..de13d0e9
--- /dev/null
+++ b/js/login_prevent_resubmit.js
@@ -0,0 +1,3 @@
+if (window.history.replaceState) {
+    window.history.replaceState(null,null,window.location.href);
+}
diff --git a/login.php b/login.php
index 148a2dfe..b9281d86 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,7 @@
 <?php
 
 header("X-Frame-Options: DENY");
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
 
 if (!file_exists('config.php')) {
     header("Location: setup.php");
@@ -66,7 +67,7 @@ if ($config_login_key_required) {
 ini_set("session.cookie_httponly", true);
 
 // Tell client to only send cookie(s) over HTTPS
-if ($config_https_only) {
+if ($config_https_only || !isset($config_https_only)) {
     ini_set("session.cookie_secure", true);
 }
 
@@ -227,6 +228,8 @@ if (isset($_POST['login'])) {
 
         // Password incorrect or user doesn't exist - show generic error
 
+        header("HTTP/1.1 401 Unauthorized");
+
         mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent'");
 
         $response = "
@@ -309,21 +312,17 @@ if (isset($_POST['login'])) {
 
 <!-- jQuery -->
 <script src="plugins/jquery/jquery.min.js"></script>
+
 <!-- Bootstrap 4 -->
 <script src="plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
+
 <!-- AdminLTE App -->
 <script src="dist/js/adminlte.min.js"></script>
 
-<script src="plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script>
+<!-- <script src="plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script> -->
 
 <!-- Prevents resubmit on refresh or back -->
-<script>
-
-    if (window.history.replaceState) {
-        window.history.replaceState(null,null,window.location.href);
-    }
-
-</script>
+<script src="js/login_prevent_resubmit.js"></script>
 
 </body>
 </html>