Encrypt display username, with key in cookie
This commit is contained in:
Miraty
parent
a3da268ead
commit
4f84025baf
8 changed files with 60 additions and 11 deletions
26
fn/auth.php
26
fn/auth.php
|
|
@ -62,6 +62,32 @@ function logout() {
|
|||
redir();
|
||||
}
|
||||
|
||||
function setupDisplayUsername($display_username) {
|
||||
$iv = random_bytes(12);
|
||||
$key = random_bytes(64);
|
||||
$cyphertext = openssl_encrypt(
|
||||
htmlspecialchars($display_username),
|
||||
'chacha20-poly1305',
|
||||
$key,
|
||||
0,
|
||||
$iv
|
||||
);
|
||||
|
||||
$_SESSION['display-username-iv'] = $iv;
|
||||
setcookie(
|
||||
'display-username-decryption-key',
|
||||
base64_encode($key),
|
||||
[
|
||||
'expires' => time() + 432000,
|
||||
'path' => '/' . CONF['common']['prefix'],
|
||||
'secure' => true,
|
||||
'httponly' => true,
|
||||
'samesite' => 'Strict'
|
||||
]
|
||||
);
|
||||
$_SESSION['display-username-cyphertext'] = $cyphertext;
|
||||
}
|
||||
|
||||
function rateLimit() {
|
||||
if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
|
||||
rateLimitAccount(PAGE_METADATA['tokens_account_cost']);
|
||||
|
|
|
|||
|
|
@ -78,14 +78,16 @@ function redirUrl($pageId) {
|
|||
return CONF['common']['prefix'] . '/' . $pageId . '?redir=' . PAGE_URL;
|
||||
}
|
||||
|
||||
function redir() {
|
||||
if (isset($_GET['redir'])) {
|
||||
if (preg_match('/^[0-9a-z\/-]{0,128}$/D', $_GET['redir']) !== 1)
|
||||
output(403, 'Wrong character in <code>redir</code>.');
|
||||
header('Location: ' . CONF['common']['prefix'] . '/' . $_GET['redir']);
|
||||
} else {
|
||||
function redir($redir_to = NULL) {
|
||||
$redir_to ??= $_GET['redir'] ?? NULL;
|
||||
|
||||
if ($redir_to === NULL) {
|
||||
header('Location: ' . CONF['common']['prefix'] . '/');
|
||||
exit();
|
||||
}
|
||||
if (preg_match('/^[0-9a-z\/-]{0,128}$/D', $redir_to) !== 1)
|
||||
output(403, 'Wrong character in <code>redir</code>.');
|
||||
header('Location: ' . CONF['common']['prefix'] . '/' . $redir_to);
|
||||
exit();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -21,8 +21,9 @@ stopSession();
|
|||
startSession();
|
||||
|
||||
$_SESSION['id'] = $id;
|
||||
$_SESSION['display-username'] = htmlspecialchars($_POST['username']);
|
||||
$_SESSION['type'] = query('select', 'users', ['id' => $id], 'type')[0];
|
||||
|
||||
setupDisplayUsername($_POST['username']);
|
||||
|
||||
redir();
|
||||
|
||||
|
|
|
|||
|
|
@ -44,7 +44,8 @@ stopSession();
|
|||
startSession();
|
||||
|
||||
$_SESSION['id'] = $id;
|
||||
$_SESSION['display-username'] = htmlspecialchars($_POST['username']);
|
||||
$_SESSION['type'] = 'testing';
|
||||
|
||||
setupDisplayUsername($_POST['username']);
|
||||
|
||||
redir();
|
||||
|
|
|
|||
|
|
@ -10,6 +10,8 @@ if (usernameExists($username) !== false)
|
|||
DB->prepare('UPDATE users SET username = :username WHERE id = :id')
|
||||
->execute([':username' => $username, ':id' => $_SESSION['id']]);
|
||||
|
||||
$_SESSION['display-username'] = htmlspecialchars($_POST['new-username']);
|
||||
setupDisplayUsername($_POST['new-username']);
|
||||
|
||||
redir('auth/username');
|
||||
|
||||
output(200, 'Identifiant changé.');
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ else {
|
|||
|
||||
<p>
|
||||
Vous avez accès à un espace <abbr title="SSH File Transfert Protocol">SFTP</abbr>, limité à <?php
|
||||
$quotaSize = ($_SESSION['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'];
|
||||
$quotaSize = ($_SESSION['type'] ?? '' === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'];
|
||||
echo (($quotaSize >> 30) >= 1) ? $quotaSize >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : $quotaSize >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>')
|
||||
?>. Indiquez les données ci-dessous à votre client <abbr title="SSH File Transfert Protocol">SFTP</abbr> pour y accéder.
|
||||
</p>
|
||||
|
|
|
|||
16
router.php
16
router.php
|
|
@ -108,7 +108,23 @@ if ($_POST !== []) {
|
|||
require 'pg-act/' . PAGE_ADDRESS . '.php';
|
||||
}
|
||||
|
||||
if (isset($_SESSION['id'])) {
|
||||
if (!isset($_COOKIE['display-username-decryption-key']))
|
||||
output(403, 'The display username decryption key has not been sent.');
|
||||
$decryption_result = openssl_decrypt(
|
||||
$_SESSION['display-username-cyphertext'],
|
||||
'chacha20-poly1305',
|
||||
base64_decode($_COOKIE['display-username-decryption-key']),
|
||||
0,
|
||||
$_SESSION['display-username-iv']
|
||||
);
|
||||
if ($decryption_result === false)
|
||||
output(403, 'Unable to decrypt display username.');
|
||||
define('DISPLAY_USERNAME', $decryption_result);
|
||||
}
|
||||
|
||||
function displayPage($data) {
|
||||
|
||||
require 'view.php';
|
||||
exit();
|
||||
}
|
||||
|
|
|
|||
3
view.php
3
view.php
|
|
@ -16,7 +16,8 @@
|
|||
<header>
|
||||
<p>
|
||||
<?php if (isset($_SESSION['id'])) { ?>
|
||||
<?= ($_SESSION['type'] === 'approved') ? '<span title="Compte approuvé">👤 </span>' : '<span title="Compte de test">⏳ </span>' ?><strong><?= $_SESSION['display-username'] ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
|
||||
<?= ($_SESSION['type'] === 'approved') ? '<span title="Compte approuvé">👤 </span>' : '<span title="Compte de test">⏳ </span>' ?><strong><?= (defined('DISPLAY_USERNAME')
|
||||
? DISPLAY_USERNAME : '<em>?</em>') ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
|
||||
<?php } else { ?>
|
||||
<span aria-hidden="true">👻 </span><em>Anonyme</em> <a class="auth" href="<?= redirUrl('auth/login') ?>">Se connecter</a>
|
||||
<?php } ?>
|
||||
|
|
|
|||
Loading…
Reference in a new issue