AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,568 Commits 6 Branches 15 Tags 166 MiB
Commit Graph

92 Commits

Author SHA1 Message Date
Marcus Hill 57dab27169 Login page enhancements 
- Default to secure cookies (in case var is not defined in config.php)
- Enable content security policy
- Return HTTP 401 response code for invalid username/password combinations
 2023-06-17 15:09:01 +01:00
johnnyq 25f85486d4 Client Portal can now be enabled or disabled in settings > Modules > Enable Client Portal, it is enabled by default 2023-06-14 19:07:39 -04:00
Marcus Hill 1175cc4ade Enable login key code (see #680) 2023-06-03 21:04:43 +01:00
Marcus Hill 5d6d7e389e Add database structure for 'login key' protection concept 2023-05-13 21:49:09 +01:00
johnnyq 37fb696e63 Replace the remaining php files with nullable_htmlentites() 2023-05-11 18:27:48 -04:00
johnnyq 48fe49cf77 BREAKING CHANGES - MAKE FULL BACKUP BEFORE PROCEEDING - Requires Manual Intervention on files see Forum Post Make sure you run the Database update directly after update. This Removes Multi-Company Functionality. Fixes issues with Reponsive tables and bunch of other UI and small Fixes 2023-03-11 16:16:46 -05:00
johnnyq f7552cd25a Finished up santizeInput Conv and UI updates 2023-02-23 16:09:37 -05:00
johnnyq 8a91ae0e46 More updating with new sanitize function and more logging and alerting cont 2023-02-16 22:26:38 -05:00
Marcus Hill 5bb4296f14 Adjust core files to 4 spaces 2023-02-12 14:40:10 +00:00
Marcus Hill c219324bb8 General cleanup/formatting 2023-02-09 11:42:57 +00:00
Marcus Hill b36719eb99 General cleanup/tidying 2023-02-09 11:32:40 +00:00
Marcus Hill e8c9e63a7b Add X-Frame-Options to login pages & client portal 2023-02-05 18:43:50 +00:00
Marcus Hill d2124b92f1 Hide the username and password field (via CSS) when prompting for 2FA code 2023-01-30 18:55:30 +00:00
Johnny 4fd6d752c6
Merge pull request #580 from wrongecho/function-standardise 
Convert custom function names to camelCase
 2023-01-26 18:20:33 -05:00
Marcus Hill 531bd25f27 Convert custom function names to camelCase 2023-01-26 22:03:31 +00:00
Marcus Hill 10362f86ef Convert custom function names to camelCase 2023-01-26 21:58:27 +00:00
Marcus Hill 23e3a2e8fc - Create custom function (randomString()) for generating cryptographically (and URL) safe strings. 
- Replace usages of keygen and bin2hex(random_bytes()) with this function.
 2023-01-26 21:35:06 +00:00
Marcus Hill cffde0fbbd Tidy 2023-01-25 23:07:37 +00:00
Marcus Hill 0f3b6b5d23 Add alt-text to logo 2023-01-25 23:04:45 +00:00
Marcus Hill 67e1fb7021 Show the 'default' company logo (if configured) on the client login page instead of the ITFlow/company name text 2023-01-25 23:04:45 +00:00
Marcus Hill 95aa46cd52 Show the 'default' company logo (if configured) on the agent login page instead of the ITFlow text 2023-01-25 23:04:45 +00:00
Marcus Hill efecab179b General cleanups, add HTML lang element to match header.php 2023-01-25 23:04:41 +00:00
wrongecho b19c7a6f49
Merge branch 'master' into code-tidy 2023-01-23 19:21:43 +00:00
Marcus Hill d73b3cb960 Correct typos 2023-01-21 17:22:27 +00:00
Marcus Hill 2c3ebb3bbb Tidy codestyle - spaces between parenthesis and curly braces 2023-01-21 17:09:39 +00:00
Marcus Hill 6f900269d7 Add notifications for unusual logins. A login is considered "unusual" if both the user agent and IP address used haven't appeared in the user's sign-in logs before. 2023-01-21 15:16:11 +00:00
Marcus Hill 3973a0dd00 Adjust hardcoded ITFlow to config_app_name 2023-01-21 14:27:40 +00:00
Marcus Hill 2c1f760ce0 - Move brute force login protection before the page loads 
- Increased the threshold to 15 attempts, but over 10 mins instead
 2023-01-21 13:42:54 +00:00
Marcus Hill b9b0440186 - Add email notification to agents if their 2FA code is entered incorrectly (this may be a sign of account compromise) 
- Tidy login code flow so that the "logged" session variable only has to be set in one place, rather than in two (both for 2fa and non-2fa logins)
 2023-01-21 13:25:16 +00:00
Marcus Hill b2ccb53c44 Re-add fix from chandachewe10 to prevent offset array error when entering invalid credentials 2023-01-18 21:21:58 +00:00
johnnyq c0399a2c42 Added Disable and Activate Users, fixes #539 2023-01-13 18:24:50 -05:00
Johnny b91ead19ce
Revert "removed warning" 2023-01-08 14:00:16 -05:00
chandachewe10 e0b314e5a9 removed warning 2023-01-08 00:01:52 +00:00
Marcus Hill 24f825ca08 SQL Escape tech username in session. The username is added to most log entries meaning that a simple apostrophe in the name breaks all logging for the user 2023-01-02 19:22:21 +00:00
Marcus Hill 07986954f5 Redirect/show techs to technical dashboard on login/navbar 2023-01-01 13:41:29 +00:00
johnnyq 29a9d6ef8f Generate longer more secure Key for logins 2022-12-29 18:23:11 -05:00
johnnyq 6f6d737e64 Added meta no index to all headers so pages dont get indexed by Google this only affects people that dont have a robots.txt at HTRoot hence people that are running itflow in a subdir like example.com/itflow 2022-09-21 12:38:22 -04:00
Marcus Hill 7bb68a36d9 Add user role in PHP Session to remove dependency on check_login - will require you to logout & back in to take effect after the update 2022-05-07 17:44:04 +01:00
Marcus Hill 61777116a9 CSRF Token 
Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
 2022-05-01 18:43:53 +01:00
Marcus Hill edcdf9a0a8 Only set encryption/extension key if user is tech/admin 2022-04-24 12:35:14 +01:00
Marcus Hill 76b965ec20 Adjust brute force notification to be in notifications, not alerts 2022-04-24 10:52:05 +01:00
Marcus Hill fca1627c33 Remove delete user post.php code. Deleting users means we'll lose all tickets/replies which isn't great. 
Correct user archive behaviour so when users are archived they can no longer login. Need to add ability for quick disable/enable of user accounts, as using archive as permanent.
Refactor "You are not permitted to do that!" wording into a constant instead.
 2022-04-15 13:29:27 +01:00
Marcus Hill 4b149edfd9 Fix client portal link 2022-03-21 21:12:57 +00:00
Marcus Hill 34d6caa016 Client portal updates 2022-03-20 16:02:58 +00:00
johnnyq a7e8f8d2d8 Fixed current_code error on login page 2022-02-13 15:19:45 -05:00
johnnyq 278b243e7c Finished File Entity Renaming process 2022-02-05 13:24:57 -05:00
johnnyq bb972e8de3 Store full user agent, we can always parse it later 2022-02-04 17:04:28 -05:00
johnnyq 270120c7fc Set login back to 10 failed attempts 2022-01-22 17:08:26 -05:00
johnnyq efd0d28556 Used MySQL count function to count number of failed login attempts 2022-01-22 17:05:15 -05:00
Johnny c47eac328d
Merge pull request #320 from wrongecho/brute-force-login 
Add basic IP login brute force protection
 2022-01-22 16:45:36 -05:00