AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-07 22:34:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial WIP: Allow decrypting logins/credentials via the API

Browse Source
This commit is contained in:
wrongecho
2024-08-19 21:23:43 +01:00
parent 86e3f377ab
commit 63feff03d2
7 changed files with 129 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
admin_api_key_add_modal.php
View File

@@ -1,5 +1,6 @@
<?php <?php
$key = randomString(156); $key = randomString(156);
$decryptPW = randomString(160);
?> ?>
<div class="modal" id="addApiKeyModal" tabindex="-1"> <div class="modal" id="addApiKeyModal" tabindex="-1">
<div class="modal-dialog"> <div class="modal-dialog">
@@ -13,64 +14,103 @@ $key = randomString(156);
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<div class="modal-body bg-white"> <div class="modal-body bg-white">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>"> <ul class="nav nav-pills nav-justified mb-3">
<input type="hidden" name="key" value="<?php echo $key ?>"> <li class="nav-item">
<a class="nav-link active" data-toggle="pill" href="#pills-api-details">Details</a>
<div class="form-group"> </li>
<label>API Key <strong class="text-danger">*</strong></label> <li class="nav-item">
<div class="input-group"> <a class="nav-link" data-toggle="pill" href="#pills-api-keys">Keys</a>
<div class="input-group-prepend"> </li>
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span> </ul>
</div>
<input type="text" class="form-control" value="<?php echo $key ?>" required disabled>
<div class="input-group-append">
<button class="btn btn-default clipboardjs" type="button" data-clipboard-text="<?php echo $key; ?>"><i class="fa fa-fw fa-copy"></i></button>
</div>
</div>
</div>
<hr> <hr>
<div class="form-group"> <div class="tab-content">
<label>Name <strong class="text-danger">*</strong></label>
<div class="input-group"> <div class="tab-pane fade show active" id="pills-api-details">
<div class="input-group-prepend"> <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<span class="input-group-text"><i class="fa fa-fw fa-sticky-note"></i></span> <input type="hidden" name="key" value="<?php echo $key ?>">
<input type="hidden" name="password" value="<?php echo $decryptPW ?>">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-sticky-note"></i></span>
</div>
<input type="text" class="form-control" name="name" placeholder="Key Name" required autofocus>
</div>
</div>
<div class="form-group">
<label>Expiration Date <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
</div>
<input type="date" class="form-control" name="expire" min="<?php echo date('Y-m-d')?>" max="2999-12-31" required>
</div>
</div>
<div class="form-group">
<label>Client Access <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-user"></i></span>
</div>
<select class="form-control select2" name="client" required>
<option value="0"> ALL CLIENTS </option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); ?>
<option value="<?php echo $client_id; ?>"><?php echo "$client_name (Client ID: $client_id)"; ?></option>
<?php } ?>
</select>
</div>
</div> </div>
<input type="text" class="form-control" name="name" placeholder="Key Name" required autofocus>
</div> </div>
<div class="tab-pane fade" id="pills-api-keys">
<div class="form-group">
<label>API Key <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="text" class="form-control" value="<?php echo $key ?>" required disabled>
<div class="input-group-append">
<button class="btn btn-default clipboardjs" type="button" data-clipboard-text="<?php echo $key; ?>"><i class="fa fa-fw fa-copy"></i></button>
</div>
</div>
</div>
<div class="form-group">
<label>Login credential decryption password <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-unlock-alt"></i></span>
</div>
<input type="text" class="form-control" value="<?php echo $decryptPW ?>" required disabled>
<div class="input-group-append">
<button class="btn btn-default clipboardjs" type="button" data-clipboard-text="<?php echo $decryptPW; ?>"><i class="fa fa-fw fa-copy"></i></button>
</div>
</div>
</div>
<br>
<div class="form-group">
<label>I have made a copy of the key(s)<strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<input type="checkbox" name="ack" value="1" required>
</div>
</div>
</div>
</div>
</div> </div>
<div class="form-group">
<label>Expiration Date <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
</div>
<input type="date" class="form-control" name="expire" min="<?php echo date('Y-m-d')?>" max="2999-12-31" required>
</div>
</div> </div>
<div class="form-group">
<label>Client Access <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-user"></i></span>
</div>
<select class="form-control select2" name="client" required>
<option value="0"> ALL CLIENTS </option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); ?>
<option value="<?php echo $client_id; ?>"><?php echo "$client_name (Client ID: $client_id)"; ?></option>
<?php } ?>
</select>
</div>
</div>
</div>
<div class="modal-footer bg-white"> <div class="modal-footer bg-white">
<button type="submit" name="add_api_key" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Create</button> <button type="submit" name="add_api_key" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Create</button>
<button type="button" class="btn btn-light" data-dismiss="modal"><i class="fas fa-times mr-2"></i>Cancel</button> <button type="button" class="btn btn-light" data-dismiss="modal"><i class="fas fa-times mr-2"></i>Cancel</button>

1
api/v1/credentials/credential_model.php Normal file
View File

@@ -0,0 +1 @@
<?php

20
api/v1/credentials/read.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
require_once '../validate_api_key.php';
require_once '../require_get_method.php';
// Specific credential/login via ID (single)
if (isset($_GET['login_id'])) {
$id = intval($_GET['login_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id'");
} else {
// All credentials ("logins")
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id LIKE '$client_id' ORDER BY login_id LIMIT $limit OFFSET $offset");
}
// Output
require_once "../read_output.php";

13
database_updates.php
View File

@@ -2123,13 +2123,18 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) {
// DB Version // DB Version
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.4'"); mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.4'");
} }
// if (CURRENT_DATABASE_VERSION == '1.4.4') { if (CURRENT_DATABASE_VERSION == '1.4.4') {
// // Insert queries here required to update to DB version 1.4.5 mysqli_query($mysqli, "ALTER TABLE `api_keys` ADD `api_key_credential_decryption_password` VARCHAR(200) NOT NULL AFTER `api_key_secret`");
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.5'");
}
// if (CURRENT_DATABASE_VERSION == '1.4.5') {
// // Insert queries here required to update to DB version 1.4.6
// // Then, update the database to the next sequential version // // Then, update the database to the next sequential version
// mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.5'"); // mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.6'");
// } // }
} else { } else {

1
db.sql
View File

@@ -66,6 +66,7 @@ CREATE TABLE `api_keys` (
`api_key_id` int(11) NOT NULL AUTO_INCREMENT, `api_key_id` int(11) NOT NULL AUTO_INCREMENT,
`api_key_name` varchar(255) NOT NULL, `api_key_name` varchar(255) NOT NULL,
`api_key_secret` varchar(255) NOT NULL, `api_key_secret` varchar(255) NOT NULL,
`api_key_credential_decryption_password` varchar(255) NULL,
`api_key_created_at` datetime NOT NULL DEFAULT current_timestamp(), `api_key_created_at` datetime NOT NULL DEFAULT current_timestamp(),
`api_key_expire` date NOT NULL, `api_key_expire` date NOT NULL,
`api_key_client_id` int(11) NOT NULL DEFAULT 0, `api_key_client_id` int(11) NOT NULL DEFAULT 0,

4
functions.php
View File

@@ -271,7 +271,7 @@ function setupFirstUserSpecificKey($user_password, $site_encryption_master_key)
} }
/* /*
* For additional users / password changes * For additional users / password changes (and now the API)
* New Users: Requires the admin setting up their account have a Specific/Session key configured * New Users: Requires the admin setting up their account have a Specific/Session key configured
* Password Changes: Will use the current info in the session. * Password Changes: Will use the current info in the session.
*/ */
@@ -282,7 +282,7 @@ function encryptUserSpecificKey($user_password)
// Get the session info. // Get the session info.
$user_encryption_session_ciphertext = $_SESSION['user_encryption_session_ciphertext']; $user_encryption_session_ciphertext = $_SESSION['user_encryption_session_ciphertext'];
$user_encryption_session_iv = $_SESSION['user_encryption_session_iv']; $user_encryption_session_iv = $_SESSION['user_encryption_session_iv'];
$user_encryption_session_key = $_COOKIE['user_encryption_session_key']; $user_encryption_session_key = $_COOKIE['user_encryption_session_key'];
// Decrypt the session key to get the master key // Decrypt the session key to get the master key

6
post/api.php
View File

@@ -11,10 +11,14 @@ if (isset($_POST['add_api_key'])) {
// CSRF Check // CSRF Check
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
$secret = sanitizeInput($_POST['key']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$expire = sanitizeInput($_POST['expire']); $expire = sanitizeInput($_POST['expire']);
$client = intval($_POST['client']); $client = intval($_POST['client']);
$secret = sanitizeInput($_POST['key']); // API Key
// Credential decryption password
$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$apikey_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_client_id = $client"); mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_client_id = $client");