
Encrypt display username, with key in cookie

Miraty 2 years ago
parent
commit
4f84025baf
8 changed files with 60 additions and 11 deletions
  1. 26 0
      fn/auth.php
  2. 8 6
      fn/common.php
  3. 2 1
      pg-act/auth/login.php
  4. 2 1
      pg-act/auth/register.php
  5. 3 1
      pg-act/auth/username.php
  6. 1 1
      pg-view/ht/index.php
  7. 16 0
      router.php
  8. 2 1
      view.php

+ 26 - 0
fn/auth.php

@@ -62,6 +62,32 @@ function logout() {
 	redir();
 }
 
+function setupDisplayUsername($display_username) {
+	$iv = random_bytes(12);
+	$key = random_bytes(64);
+	$cyphertext = openssl_encrypt(
+		htmlspecialchars($display_username),
+		'chacha20-poly1305',
+		$key,
+		0,
+		$iv
+	);
+
+	$_SESSION['display-username-iv'] = $iv;
+	setcookie(
+		'display-username-decryption-key',
+		base64_encode($key),
+		[
+			'expires' => time() + 432000,
+			'path' => '/' . CONF['common']['prefix'],
+			'secure' => true,
+			'httponly' => true,
+			'samesite' => 'Strict'
+		]
+	);
+	$_SESSION['display-username-cyphertext'] = $cyphertext;
+}
+
 function rateLimit() {
 	if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
 		rateLimitAccount(PAGE_METADATA['tokens_account_cost']);
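Review bot: `openssl_encrypt()` in `setupDisplayUsername()` is called without the `$tag` argument, so the Poly1305 tag of `chacha20-poly1305` is never captured and the matching `openssl_decrypt()` in router.php has nothing to verify; depending on the PHP version the call may instead fail, and its return value is stored in the session unchecked. Without the tag, a wrong or altered key cookie cannot be told apart from a valid one, so the `=== false` test in router.php is not a reliable integrity check. I would capture the tag, keep it in the session next to the IV, pass it as the sixth argument when decrypting, and stop on a `false` result. The cipher takes a 32-byte key, so `random_bytes(64)` appears to generate bytes that are never used. The session key name used for the tag below is only a suggestion.

```php
function setupDisplayUsername($display_username) {
	$iv = random_bytes(12);
	$key = random_bytes(32);
	$cyphertext = openssl_encrypt(
		htmlspecialchars($display_username),
		'chacha20-poly1305',
		$key,
		0,
		$iv,
		$tag
	);
	if ($cyphertext === false)
		output(500, 'Unable to encrypt display username.');

	$_SESSION['display-username-iv'] = $iv;
	$_SESSION['display-username-tag'] = $tag;
	// … unchanged: setcookie() call and cyphertext session entry …
}
```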

+ 8 - 6
fn/common.php

@@ -78,14 +78,16 @@ function redirUrl($pageId) {
 	return CONF['common']['prefix'] . '/' . $pageId . '?redir=' . PAGE_URL;
 }
 
-function redir() {
-	if (isset($_GET['redir'])) {
-		if (preg_match('/^[0-9a-z\/-]{0,128}$/D', $_GET['redir']) !== 1)
-			output(403, 'Wrong character in <code>redir</code>.');
-		header('Location: ' . CONF['common']['prefix'] . '/' . $_GET['redir']);
-	} else {
+function redir($redir_to = NULL) {
+	$redir_to ??= $_GET['redir'] ?? NULL;
+
+	if ($redir_to === NULL) {
 		header('Location: ' . CONF['common']['prefix'] . '/');
+		exit();
 	}
+	if (preg_match('/^[0-9a-z\/-]{0,128}$/D', $redir_to) !== 1)
+		output(403, 'Wrong character in <code>redir</code>.');
+	header('Location: ' . CONF['common']['prefix'] . '/' . $redir_to);
 	exit();
 }
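Review bot: `redir()` hands `$redir_to` to `preg_match()` without checking that it is a string, and `$_GET['redir']` becomes an array when the query uses `redir[]=`, which on PHP 8 raises a TypeError instead of the intended 403. Guarding with `if (!is_string($redir_to) || preg_match('/^[0-9a-z\/-]{0,128}$/D', $redir_to) !== 1)` keeps the rejection path uniform. The pattern also accepts a leading `/`, so if `CONF['common']['prefix']` can be empty the header would start with `//`, which browsers resolve as another host; requiring the first character to be `[0-9a-z]` would close that. A short docblock stating that an explicit `$redir_to` takes precedence over the query parameter and is validated the same way would help callers such as `redir('auth/username')`.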
 

+ 2 - 1
pg-act/auth/login.php

@@ -21,8 +21,9 @@ stopSession();
 startSession();
 
 $_SESSION['id'] = $id;
-$_SESSION['display-username'] = htmlspecialchars($_POST['username']);
 $_SESSION['type'] = query('select', 'users', ['id' => $id], 'type')[0];
 
+setupDisplayUsername($_POST['username']);
+
 redir();
 

+ 2 - 1
pg-act/auth/register.php

@@ -44,7 +44,8 @@ stopSession();
 startSession();
 
 $_SESSION['id'] = $id;
-$_SESSION['display-username'] = htmlspecialchars($_POST['username']);
 $_SESSION['type'] = 'testing';
 
+setupDisplayUsername($_POST['username']);
+
 redir();

+ 3 - 1
pg-act/auth/username.php

@@ -10,6 +10,8 @@ if (usernameExists($username) !== false)
 DB->prepare('UPDATE users SET username = :username WHERE id = :id')
 ->execute([':username' => $username, ':id' => $_SESSION['id']]);
 
-$_SESSION['display-username'] = htmlspecialchars($_POST['new-username']);
+setupDisplayUsername($_POST['new-username']);
+
+redir('auth/username');
 
 output(200, 'Identifiant changé.');
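Review bot: `redir('auth/username')` always ends in `exit()`, so the `output(200, 'Identifiant changé.')` line kept below it is now unreachable and the user gets no confirmation that the rename succeeded. If the redirect is needed so that the next request carries the new key cookie, either remove the dead `output()` call or carry the confirmation across the redirect (for example a one-shot session flag read by the target page). A comment above the call, such as `// Redirect so the freshly set key cookie is sent back before the username is decrypted`, would record why the redirect exists.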

+ 1 - 1
pg-view/ht/index.php

@@ -46,7 +46,7 @@ else {
 
 	<p>
 		Vous avez accès à un espace <abbr title="SSH File Transfert Protocol">SFTP</abbr>, limité à <?php
-$quotaSize = ($_SESSION['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'];
+$quotaSize = ($_SESSION['type'] ?? '' === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'];
 echo (($quotaSize >> 30) >= 1) ? $quotaSize >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : $quotaSize >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>')
 ?>. Indiquez les données ci-dessous à votre client <abbr title="SSH File Transfert Protocol">SFTP</abbr> pour y accéder.
 	</p>
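Review bot: In the `$quotaSize` line, `===` binds tighter than `??`, so `$_SESSION['type'] ?? '' === 'approved'` is evaluated as `$_SESSION['type'] ?? ('' === 'approved')` and any non-null account type, including `'testing'`, selects `user_quota_approved`. Parenthesise the coalesce: `$quotaSize = (($_SESSION['type'] ?? '') === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'];`. The context line `if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)` in fn/auth.php has the same precedence shape and is worth checking separately. The surrounding `else {` block starts outside this hunk.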

+ 16 - 0
router.php

@@ -108,7 +108,23 @@ if ($_POST !== []) {
 		require 'pg-act/' . PAGE_ADDRESS . '.php';
 }
 
+if (isset($_SESSION['id'])) {
+	if (!isset($_COOKIE['display-username-decryption-key']))
+		output(403, 'The display username decryption key has not been sent.');
+	$decryption_result = openssl_decrypt(
+		$_SESSION['display-username-cyphertext'],
+		'chacha20-poly1305',
+		base64_decode($_COOKIE['display-username-decryption-key']),
+		0,
+		$_SESSION['display-username-iv']
+	);
+	if ($decryption_result === false)
+		output(403, 'Unable to decrypt display username.');
+	define('DISPLAY_USERNAME', $decryption_result);
+}
+
 function displayPage($data) {
+
 	require 'view.php';
 	exit();
 }
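Review bot: The new block reads `$_SESSION['display-username-cyphertext']`, `$_SESSION['display-username-iv']` and the cookie without checking that the session entries exist or that the cookie is a string, so a session created before this change or a `display-username-decryption-key[]` cookie triggers warnings or a TypeError rather than a clean 403. The decrypted value is then defined as `DISPLAY_USERNAME` and echoed by view.php without escaping, which relies entirely on the `htmlspecialchars()` applied before encryption. Escaping after decryption, `define('DISPLAY_USERNAME', htmlspecialchars($decryption_result));`, with the pre-encryption call dropped in the same change, keeps the output safe whatever the decryption returns. If `output()` terminates the request, a missing or expired key cookie also blocks every page for a logged-in user, including logout, and the `<em>?</em>` fallback in view.php is never reached.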

+ 2 - 1
view.php

@@ -16,7 +16,8 @@
 		<header>
 			<p>
 <?php if (isset($_SESSION['id'])) { ?>
-				<?= ($_SESSION['type'] === 'approved') ? '<span title="Compte approuvé">👤 </span>' : '<span title="Compte de test">⏳ </span>' ?><strong><?= $_SESSION['display-username'] ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
+				<?= ($_SESSION['type'] === 'approved') ? '<span title="Compte approuvé">👤 </span>' : '<span title="Compte de test">⏳ </span>' ?><strong><?= (defined('DISPLAY_USERNAME')
+				? DISPLAY_USERNAME : '<em>?</em>') ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
 <?php } else { ?>
 				<span aria-hidden="true">👻 </span><em>Anonyme</em> <a class="auth" href="<?= redirUrl('auth/login') ?>">Se connecter</a>
 <?php } ?>