AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-10 15:54:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change remember me tokens to a many:many table to allow for multiple devices to be remembered.

Browse Source
This commit is contained in:
o-psi
2024-02-22 17:45:09 +00:00
parent 4fddeb88b7
commit c2cf0bb448
4 changed files with 38 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
database_updates.php
View File

@@ -1607,10 +1607,17 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) {
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.6'"); mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.6'");
} }
// if (CURRENT_DATABASE_VERSION == '1.0.6') { if (CURRENT_DATABASE_VERSION == '1.0.6') {
// // Insert queries here required to update to DB version 1.0.7 // Insert queries here required to update to DB version 1.0.7
mysqli_query($mysqli, "CREATE TABLE `remember_tokens` (`remember_token_id` int(11) NOT NULL AUTO_INCREMENT,`remember_token_token` varchar(255) NOT NULL,`remember_token_user_id` int(11) NOT NULL,`remember_token_created_at` datetime NOT NULL DEFAULT current_timestamp()");
// Then, update the database to the next sequential version
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'");
}
// if (CURRENT_DATABASE_VERSION == '1.0.7') {
// // Insert queries here required to update to DB version 1.0.8
// // Then, update the database to the next sequential version // // Then, update the database to the next sequential version
// mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'"); // mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.8'");
// } // }
} else { } else {

2
database_version.php
View File

@@ -5,5 +5,5 @@
* It is used in conjunction with database_updates.php * It is used in conjunction with database_updates.php
*/ */
DEFINE("LATEST_DATABASE_VERSION", "1.0.6"); DEFINE("LATEST_DATABASE_VERSION", "1.0.7");

16
db.sql
View File

@@ -1041,6 +1041,22 @@ CREATE TABLE `recurring_expenses` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci; ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;
/*!40101 SET character_set_client = @saved_cs_client */; /*!40101 SET character_set_client = @saved_cs_client */;
--
-- Table structure for table remember_tokens
--
DROP TABLE IF EXISTS `remember_tokens`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `remember_tokens` (
`remember_token_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`remember_token_user_id` int(10) unsigned NOT NULL,
`remember_token_token` varchar(100) NOT NULL,
`remember_token_created_at` timestamp NOT NULL DEFAULT current_timestamp(),
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
-- --
-- Table structure for table `revenues` -- Table structure for table `revenues`
-- --

15
login.php
View File

@@ -111,14 +111,21 @@ if (isset($_POST['login'])) {
$user_email = sanitizeInput($row['user_email']); $user_email = sanitizeInput($row['user_email']);
$token = sanitizeInput($row['user_token']); $token = sanitizeInput($row['user_token']);
$force_mfa = intval($row['user_config_force_mfa']); $force_mfa = intval($row['user_config_force_mfa']);
$remember_token = $row['user_config_remember_me_token'];
if($force_mfa == 1 && $token == NULL) { if($force_mfa == 1 && $token == NULL) {
$config_start_page = "user_security.php"; $config_start_page = "user_security.php";
} }
// Get remember tokens less than 2 days old
$remember_tokens = mysqli_query($mysqli, "SELECT remember_token_token FROM remember_tokens WHERE remember_token_user_id = $user_id AND remember_token_created_at > (NOW() - INTERVAL 2 DAY)");
$bypass_2fa = false; $bypass_2fa = false;
if (isset($_COOKIE['rememberme']) && $_COOKIE['rememberme'] == $remember_token) { if (isset($_COOKIE['rememberme'])) {
$bypass_2fa = true; while ($row = mysqli_fetch_assoc($remember_tokens)) {
if (hash_equals($row['remember_token_token'], $_COOKIE['rememberme'])) {
$bypass_2fa = true;
break;
}
}
} elseif (empty($token) || TokenAuth6238::verify($token, $current_code)) { } elseif (empty($token) || TokenAuth6238::verify($token, $current_code)) {
$bypass_2fa = true; $bypass_2fa = true;
} }
@@ -127,7 +134,7 @@ if (isset($_POST['login'])) {
if (isset($_POST['remember_me'])) { if (isset($_POST['remember_me'])) {
$newRememberToken = bin2hex(random_bytes(64)); $newRememberToken = bin2hex(random_bytes(64));
setcookie('rememberme', $newRememberToken, time() + 86400*2, "/", null, true, true); setcookie('rememberme', $newRememberToken, time() + 86400*2, "/", null, true, true);
$updateTokenQuery = "UPDATE user_settings SET user_config_remember_me_token = '$newRememberToken' WHERE user_id = $user_id"; $updateTokenQuery = "INSERT INTO remember_tokens (remember_token_user_id, remember_token_token) VALUES ($user_id, '$newRememberToken')";
mysqli_query($mysqli, $updateTokenQuery); mysqli_query($mysqli, $updateTokenQuery);
} }