Merge branch '0.1.8.4' of https://github.com/twetech/itflow into 0.1.8.4

itflow-org · Feb 22, 2024 · 1d4271d · 1d4271d
2 parents 3947c3a + d2c33c2
commit 1d4271d
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 14 deletions.
diff --git a/client_assets.php b/client_assets.php
@@ -311,18 +311,17 @@
                                                                     <span class="input-group-text"><i class="fa fa-user"></i></span>
                                                                 </div>
                                                                 <input type="text" class="form-control" value="<?php echo $login_username; ?>" readonly>
+                                                                <div class="input-group-append">
+                                                                    <button class="btn btn-default clipboardjs" type="button" data-clipboard-text="<?php echo $login_username; ?>"><i class="fa fa-fw fa-copy"></i></button>
+                                                                </div>
                                                             </div>
                                                         </div>
                                                         <div class="form-group">
                                                             <div class="input-group">
                                                                 <div class="input-group-prepend">
                                                                     <span class="input-group-text"><i class="fa fa-lock"></i></span>
                                                                 </div>
-                                                                <input type="password" name="fakePassword" style="display:none"> <!-- Prevents Password Managers from asking -->
-                                                                <input type="password" class="form-control" data-toggle="password" value="<?php echo $login_password; ?>" readonly autocomplete="off">
-                                                                <div class="input-group-append">
-                                                                    <span class="input-group-text"><i class="fa fa-fw fa-eye"></i></span>
-                                                                </div>
+                                                                <input type="text" class="form-control" value="<?php echo $login_password; ?>" readonly autocomplete="off">
                                                                 <div class="input-group-append">
                                                                     <button class="btn btn-default clipboardjs" type="button" data-clipboard-text="<?php echo $login_password; ?>"><i class="fa fa-fw fa-copy"></i></button>
                                                                 </div>

diff --git a/database_updates.php b/database_updates.php
@@ -1607,10 +1607,17 @@
         mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.6'");
     }
 
-    // if (CURRENT_DATABASE_VERSION == '1.0.6') {
-    //     // Insert queries here required to update to DB version 1.0.7
+    if (CURRENT_DATABASE_VERSION == '1.0.6') {
+        // Insert queries here required to update to DB version 1.0.7
+        mysqli_query($mysqli, "CREATE TABLE `remember_tokens` (`remember_token_id` int(11) NOT NULL AUTO_INCREMENT,`remember_token_token` varchar(255) NOT NULL,`remember_token_user_id` int(11) NOT NULL,`remember_token_created_at` datetime NOT NULL DEFAULT current_timestamp()");
+        // Then, update the database to the next sequential version
+        mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'");
+    }
+
+    // if (CURRENT_DATABASE_VERSION == '1.0.7') {
+    //     // Insert queries here required to update to DB version 1.0.8
     //     // Then, update the database to the next sequential version
-    //     mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'");
+    //     mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.8'");
     // }
 
 } else {

diff --git a/database_version.php b/database_version.php
@@ -5,5 +5,5 @@
  * It is used in conjunction with database_updates.php
  */
 
-DEFINE("LATEST_DATABASE_VERSION", "1.0.6");
+DEFINE("LATEST_DATABASE_VERSION", "1.0.7");
 
diff --git a/db.sql b/db.sql
@@ -1041,6 +1041,22 @@ CREATE TABLE `recurring_expenses` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table remember_tokens
+--
+
+DROP TABLE IF EXISTS `remember_tokens`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `remember_tokens` (
+  `remember_token_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `remember_token_user_id` int(10) unsigned NOT NULL,
+  `remember_token_token` varchar(100) NOT NULL,
+  `remember_token_created_at` timestamp NOT NULL DEFAULT current_timestamp(),
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+
+
 --
 -- Table structure for table `revenues`
 --

diff --git a/login.php b/login.php
@@ -111,23 +111,30 @@
         $user_email = sanitizeInput($row['user_email']);
         $token = sanitizeInput($row['user_token']);
         $force_mfa = intval($row['user_config_force_mfa']);
-        $remember_token = $row['user_config_remember_me_token'];
         if($force_mfa == 1 && $token == NULL) {
             $config_start_page = "user_security.php";
         }
 
+        // Get remember tokens less than 2 days old
+        $remember_tokens = mysqli_query($mysqli, "SELECT remember_token_token FROM remember_tokens WHERE remember_token_user_id = $user_id AND remember_token_created_at > (NOW() - INTERVAL 2 DAY)");
+
         $bypass_2fa = false;
-        if (isset($_COOKIE['rememberme']) && $_COOKIE['rememberme'] == $remember_token) {
-            $bypass_2fa = true;
+        if (isset($_COOKIE['rememberme'])) {
+            while ($row = mysqli_fetch_assoc($remember_tokens)) {
+                if (hash_equals($row['remember_token_token'], $_COOKIE['rememberme'])) {
+                    $bypass_2fa = true;
+                    break;
+                }
+            }
         } elseif (empty($token) || TokenAuth6238::verify($token, $current_code)) {
             $bypass_2fa = true;
         }
 
         if ($bypass_2fa) {
             if (isset($_POST['remember_me'])) {
                 $newRememberToken = bin2hex(random_bytes(64));
-                setcookie('rememberme', $newRememberToken, time() + 86400*14, "/", null, true, true);
-                $updateTokenQuery = "UPDATE user_settings SET user_config_remember_me_token = '$newRememberToken' WHERE user_id = $user_id";
+                setcookie('rememberme', $newRememberToken, time() + 86400*2, "/", null, true, true);
+                $updateTokenQuery = "INSERT INTO remember_tokens (remember_token_user_id, remember_token_token) VALUES ($user_id, '$newRememberToken')";
                 mysqli_query($mysqli, $updateTokenQuery);
             }