Commit Graph

56 Commits

Author SHA1 Message Date
johnnyq 6f6d737e64 Added meta no index to all headers so pages don't get indexed by Google. This only affects people that don't have a robots.txt at HTRoot, hence people that are running itflow in a subdir like example.com/itflow 2022-09-21 12:38:22 -04:00
Marcus Hill 7bb68a36d9 Add user role in PHP Session to remove dependency on check_login - will require you to logout & back in to take effect after the update 2022-05-07 17:44:04 +01:00
Marcus Hill 61777116a9 CSRF Token
Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
2022-05-01 18:43:53 +01:00
Marcus Hill edcdf9a0a8 Only set encryption/extension key if user is tech/admin 2022-04-24 12:35:14 +01:00
Marcus Hill 76b965ec20 Adjust brute force notification to be in notifications, not alerts 2022-04-24 10:52:05 +01:00
Marcus Hill fca1627c33 Remove delete user post.php code. Deleting users means we'll lose all tickets/replies which isn't great.
Correct user archive behaviour so when users are archived they can no longer log in. Need to add ability for quick disable/enable of user accounts, as archive is being used as permanent.
Refactor "You are not permitted to do that!" wording into a constant instead.
2022-04-15 13:29:27 +01:00
Marcus Hill 4b149edfd9 Fix client portal link 2022-03-21 21:12:57 +00:00
Marcus Hill 34d6caa016 Client portal updates 2022-03-20 16:02:58 +00:00
johnnyq a7e8f8d2d8 Fixed current_code error on login page 2022-02-13 15:19:45 -05:00
johnnyq 278b243e7c Finished File Entity Renaming process 2022-02-05 13:24:57 -05:00
johnnyq bb972e8de3 Store full user agent, we can always parse it later 2022-02-04 17:04:28 -05:00
johnnyq 270120c7fc Set login back to 10 failed attempts 2022-01-22 17:08:26 -05:00
johnnyq efd0d28556 Used MySQL count function to count number of failed login attempts 2022-01-22 17:05:15 -05:00
Johnny c47eac328d
Merge pull request #320 from wrongecho/brute-force-login
Add basic IP login brute force protection
2022-01-22 16:45:36 -05:00
Marcus Hill c819309fc4 Add basic IP login brute force protection 2022-01-22 19:54:39 +00:00
johnnyq a3c63b0649 Added Export Expenses Records with custom from and to Date, Fixed Advanced Search under expenses, some other minor code formatting fixups 2022-01-22 14:37:45 -05:00
Marcus Hill 2b3a7171b3 Session management 2022-01-15 21:26:22 +00:00
Marcus Hill 272bf52d62 Note re https 2022-01-15 21:17:31 +00:00
Marcus Hill cee1faf082 Add extension key cookie to login. Add support for storing the php session id in DB so we can access it (without passing the session ID over a cross-domain query). 2022-01-15 20:54:56 +00:00
Marcus Hill 951b03f712 Allow for encryption scheme upgrade 2022-01-11 14:03:34 +00:00
Marcus Hill 13d83f6e3b Add session key setup 2022-01-10 21:47:12 +00:00
Marcus Hill 25b58c21c8 Add Secure flag (HTTPS only) to cookies 2022-01-09 13:56:45 +00:00
Marcus Hill 6609e5065a Set php session cookie to be httponly 2022-01-07 19:10:29 +00:00
johnnyq cf3c0a6410 Fixed a vulnerability in the setup.php file and other code cleanups. Thanks to the person that wishes to remain anonymous for reporting and providing a patch. Also added a notice to readme to not use this web app during beta for production use 2022-01-01 17:02:31 -05:00
johnnyq e978cd142e More Audit Logging work, fixed a bunch of small bugs along the way 2021-12-31 15:33:41 -05:00
johnnyq 33400894d5 Updates and Fixings to Audit Logs, added client tag selection for mass email campaigns 2021-12-28 18:16:54 -05:00
johnnyq 25b5cb3d40 Moved Functions above check login so that check login can use some of the functions, Moved Fingerprinting to check login instead of in functions as it's a more appropriate place 2021-12-22 17:24:54 -05:00
johnnyq ba584a57e0 BREAKING CHANGES - Many DB Updates - NOT POSSIBLE TO EASILY UPGRADE TO THIS - Completely reworked User Company Access Permissions, started working on Client Role so Clients can access their data and a bunch of other small fixes 2021-12-22 13:08:24 -05:00
johnnyq 4604280efe This Update will break your login as we updated the password hash from MD5 to a salted hash using hash_password and password_verify techniques, fixed an unauthenticated persistent XSS Vulnerability which would affect if someone spoofed their IP with a javascript code and then a logged-in user read the logs. The flaw was discovered by @bambilol #214. Also fixed some other bugs. 2021-12-13 12:21:55 -05:00
johnnyq f02e94d585 Started adding IP and User agent to audit logs, log when a user logs out, Merged logout into post.php 2021-12-09 16:12:57 -05:00
johnnyq e36739297d Fixed broken TOTP 2FA 2021-12-04 17:59:40 -05:00
johnnyq e9336c1866 Fix Recent Logins Log front not updating due to VAR name 2021-08-31 13:24:33 -04:00
johnnyq f3053ffbd4 BREAKING CHANGES: Major Backend Code Changes. Updated Foreign keys to prepend their table names e.g. invoice_client_id, switched most queries over to JOIN instead of =, Combined contacts and location into client, removed client email, phone etc fields, tons of small bug fixes, and other small UI changes all across the board 2021-08-27 23:14:06 -04:00
johnnyq f1828a11a9 Added Bootstrap Password Reveal Library and clipboardJS library, added copy to clipboard to client logins 2021-08-08 15:04:39 -04:00
johnny@pittpc.com f8166bdc81 Fixed more php errors (empty vars), updated more ui search headers 2021-02-04 17:42:21 -05:00
johnny@pittpc.com abf7a3b381 updated UI of the login screen, app name. changed username to email, changed button from black to blue 2020-03-31 17:42:15 -04:00
johnny@pittpc.com f84e3c4b6b Refactored Login UI to reduce clutter, minimise and increase security also 2FA Box will appear when enabled 2020-01-04 23:44:04 -05:00
johnny@pittpc.com e5036253ed Migrated from sbadmin to AdminLTE CSS framework 2019-11-19 18:29:02 -05:00
johnny@pittpc.com bc61b59244 Fixed password issue causing SQL escape characters to add slashes. Remove mysqli_real_escape_string as it's not needed; md5 produces no sql escape characters by default so it does not need sanitizing 2019-09-24 14:52:53 -04:00
johnny@pittpc.com 62b088e79d GUI Touchups in Invoice, Quote, clients, vendors, client. Added 2 new fields to client, mobile and contact_name, added more picture extensions in file (jpeg and JPEG) and other fixes including a new DB dump 2019-09-14 20:40:22 -04:00
johnny@pittpc.com ca427ab763 Updated User Settings Page and added logging to most functions 2019-09-06 03:03:16 -04:00
johnny@pittpc.com d259d1b3dc Started Logs: Login attempts are now logged, created a logs list in the side nav 2019-09-06 00:16:19 -04:00
johnny@pittpc.com 2d5ac7c2e6 Security Mysql Escaped current_code POST var under login 2019-08-28 21:56:45 -04:00
johnny@pittpc.com 0e451056b4 Added get OS Browser Device and IP functions, added these functions to guest view invoice, also added invoice view alert and other minor fixes 2019-08-28 21:47:40 -04:00
root 2984f0ec6c Login and Top Nav Refinements 2019-08-16 00:28:54 -04:00
johnny@pittpc.com 5ca8d201b0 Remove some old files, updated guest urls to work with the new multi company features, and some other multi company updates 2019-08-15 18:29:28 -04:00
johnny@pittpc.com bc07fe0090 Started work on multi-company feature 2019-08-14 11:05:54 -04:00
johnny@pittpc.com 0c4021fd23 reworked transfers, added revenues to add income in other ways besides just invoices, reports now uses a compact table to see all data clearly and some other minor fixes. 2019-08-11 13:42:35 -04:00
johnny@pittpc.com bf250cd1fe Fixed Login Software relation, fixed asset logins etc 2019-08-03 19:41:58 -04:00
root b65739bfc3 Updated 2FA UI 2019-06-16 23:56:40 -04:00