Commit Graph

71 Commits

Author SHA1 Message Date
Marcus Hill efecab179b General cleanups, add HTML lang element to match header.php 2023-01-25 23:04:41 +00:00
wrongecho b19c7a6f49 Merge branch 'master' into code-tidy 2023-01-23 19:21:43 +00:00
Marcus Hill d73b3cb960 Correct typos 2023-01-21 17:22:27 +00:00
Marcus Hill 2c3ebb3bbb Tidy codestyle - spaces between parenthesis and curly braces 2023-01-21 17:09:39 +00:00
Marcus Hill 6f900269d7 Add notifications for unusual logins. A login is considered "unusual" if both the user agent and IP address used haven't appeared in the user's sign-in logs before. 2023-01-21 15:16:11 +00:00
Marcus Hill 3973a0dd00 Adjust hardcoded ITFlow to config_app_name 2023-01-21 14:27:40 +00:00
Marcus Hill 2c1f760ce0 - Move brute force login protection before the page loads
- Increased the threshold to 15 attempts, but over 10 mins instead
2023-01-21 13:42:54 +00:00
Marcus Hill b9b0440186 - Add email notification to agents if their 2FA code is entered incorrectly (this may be a sign of account compromise)
- Tidy login code flow so that the "logged" session variable only has to be set in one place, rather than in two (both for 2fa and non-2fa logins)
2023-01-21 13:25:16 +00:00
Marcus Hill b2ccb53c44 Re-add fix from chandachewe10 to prevent offset array error when entering invalid credentials 2023-01-18 21:21:58 +00:00
johnnyq c0399a2c42 Added Disable and Activate Users, fixes #539 2023-01-13 18:24:50 -05:00
Johnny b91ead19ce Revert "removed warning" 2023-01-08 14:00:16 -05:00
chandachewe10 e0b314e5a9 removed warning 2023-01-08 00:01:52 +00:00
Marcus Hill 24f825ca08 SQL Escape tech username in session. The username is added to most log entries meaning that a simple apostrophe in the name breaks all logging for the user 2023-01-02 19:22:21 +00:00
Marcus Hill 07986954f5 Redirect/show techs to technical dashboard on login/navbar 2023-01-01 13:41:29 +00:00
johnnyq 29a9d6ef8f Generate longer more secure Key for logins 2022-12-29 18:23:11 -05:00
johnnyq 6f6d737e64 Added meta no index to all headers so pages don't get indexed by Google; this only affects people that don't have a robots.txt at HTRoot, hence people that are running itflow in a subdir like example.com/itflow 2022-09-21 12:38:22 -04:00
Marcus Hill 7bb68a36d9 Add user role in PHP Session to remove dependency on check_login - will require you to logout & back in to take effect after the update 2022-05-07 17:44:04 +01:00
Marcus Hill 61777116a9 CSRF Token
Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.)

Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
2022-05-01 18:43:53 +01:00
Marcus Hill edcdf9a0a8 Only set encryption/extension key if user is tech/admin 2022-04-24 12:35:14 +01:00
Marcus Hill 76b965ec20 Adjust brute force notification to be in notifications, not alerts 2022-04-24 10:52:05 +01:00
Marcus Hill fca1627c33 Remove delete user post.php code. Deleting users means we'll lose all tickets/replies which isn't great.
Correct user archive behaviour so when users are archived they can no longer login. Need to add ability for quick disable/enable of user accounts, as using archive as permanent.
Refactor "You are not permitted to do that!" wording into a constant instead.
2022-04-15 13:29:27 +01:00
Marcus Hill 4b149edfd9 Fix client portal link 2022-03-21 21:12:57 +00:00
Marcus Hill 34d6caa016 Client portal updates 2022-03-20 16:02:58 +00:00
johnnyq a7e8f8d2d8 Fixed current_code error on login page 2022-02-13 15:19:45 -05:00
johnnyq 278b243e7c Finished File Entity Renaming process 2022-02-05 13:24:57 -05:00
johnnyq bb972e8de3 Store full user agent, we can always parse it later 2022-02-04 17:04:28 -05:00
johnnyq 270120c7fc Set login back to 10 failed attempts 2022-01-22 17:08:26 -05:00
johnnyq efd0d28556 Used MySQL count function to count number of failed login attempts 2022-01-22 17:05:15 -05:00
Johnny c47eac328d Merge pull request #320 from wrongecho/brute-force-login
Add basic IP login brute force protection
2022-01-22 16:45:36 -05:00
Marcus Hill c819309fc4 Add basic IP login brute force protection 2022-01-22 19:54:39 +00:00
johnnyq a3c63b0649 Added Export Expenses Records with custom from and to Date, Fixed Advanced Search under expenses, some other minor code formatting fixups 2022-01-22 14:37:45 -05:00
Marcus Hill 2b3a7171b3 Session management 2022-01-15 21:26:22 +00:00
Marcus Hill 272bf52d62 Note re https 2022-01-15 21:17:31 +00:00
Marcus Hill cee1faf082 Add extension key cookie to login. Add support for storing the php session id in DB so we can access it (without passing the session ID over a cross-domain query). 2022-01-15 20:54:56 +00:00
Marcus Hill 951b03f712 Allow for encryption scheme upgrade 2022-01-11 14:03:34 +00:00
Marcus Hill 13d83f6e3b Add session key setup 2022-01-10 21:47:12 +00:00
Marcus Hill 25b58c21c8 Add Secure flag (HTTPS only) to cookies 2022-01-09 13:56:45 +00:00
Marcus Hill 6609e5065a Set php session cookie to be httponly 2022-01-07 19:10:29 +00:00
johnnyq cf3c0a6410 Fixed a vulnerability in the setup.php file and other code cleanups. Thanks to the person that wishes to remain anonymous for reporting and providing a patch. Also added a notice to readme to not use this web app during beta for production use 2022-01-01 17:02:31 -05:00
johnnyq e978cd142e More Audit Logging work, fixed a bunch of small bugs along the way 2021-12-31 15:33:41 -05:00
johnnyq 33400894d5 Updates and Fixings to Audit Logs, added client tag selection for mass email campaigns 2021-12-28 18:16:54 -05:00
johnnyq 25b5cb3d40 Moved Functions above check login so that check login can use some of the functions, Moved Fingerprinting to check login instead of in functions as it's a more appropriate place 2021-12-22 17:24:54 -05:00
johnnyq ba584a57e0 BREAKING CHANGES - Many DB Updates - NOT POSSIBLE TO EASILY UPGRADE TO THIS - Completely reworked User Company Access Permissions, started working on Client Role so Clients can access their data and a bunch of other small fixes 2021-12-22 13:08:24 -05:00
johnnyq 4604280efe This Update will break your login as we updated the password hash from MD5 to a salted hash using hash_password and password_verify techniques, fixed an unauthenticated persistent XSS Vulnerability which would affect if someone spoofed their IP with a javascript code and then a logged in read the logs. The flaw was discovered by @bambilol #214 also fixed some other bugs. 2021-12-13 12:21:55 -05:00
johnnyq f02e94d585 Started adding IP and User agent to audit logs, log when a user logs out, Merged logout into post.php 2021-12-09 16:12:57 -05:00
johnnyq e36739297d Fixed broken TOTP 2FA 2021-12-04 17:59:40 -05:00
johnnyq e9336c1866 Fix Recent Logins Log front not updating due to VAR name 2021-08-31 13:24:33 -04:00
johnnyq f3053ffbd4 BREAKING CHANGES: Major Backend Code Changes Updated Foreign keys to prepend their table names ex invoice_client_id, switched most queries over to JOIN instead of =, Combined contacts and location into client, removed client email, phone etc fields, tons of small bug fixes, and other small UI changes all across the board 2021-08-27 23:14:06 -04:00
johnnyq f1828a11a9 Added Bootstrap Password Reveal Library and clipboardJS library, added copy to clipboard to client logins 2021-08-08 15:04:39 -04:00
johnny@pittpc.com f8166bdc81 Fixed more php errors empty vars updated more ui search headers 2021-02-04 17:42:21 -05:00