Merge pull request #928 from wrongecho/login-tidy

Login related tidying
itflow-org · Mar 31, 2024 · dac5fb1 · dac5fb1
2 parents 2c22c73 + d94b9ce
commit dac5fb1
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 26 deletions.
diff --git a/admin_users.php b/admin_users.php
@@ -161,7 +161,7 @@
                                         <i class="fas fa-fw fa-user-edit mr-2"></i>Edit
                                     </a>
                                     <?php if ($remember_token_count > 0) { ?>
-                                    <a class="dropdown-item" href="post.php?revoke_remember_me=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-ban mr-2"></i>Revoke <?php echo $remmeber_token_count; ?> Remember Tokens
+                                    <a class="dropdown-item" href="post.php?revoke_remember_me=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>"><i class="fas fa-fw fa-ban mr-2"></i>Revoke <?php echo $remember_token_count; ?> Remember Tokens
                                     </a>
                                     <?php } ?>
                                     <?php if ($user_status == 0) { ?>

diff --git a/login.php b/login.php
@@ -116,32 +116,50 @@
         $user_extension_key = $row['user_extension_key'];
         if($force_mfa == 1 && $token == NULL) {
             $config_start_page = "user_security.php";
+            $_SESSION['alert_message'] = "Please set up MFA.";
         }
 
-        // Get remember tokens less than 2 days old
-        $remember_tokens = mysqli_query($mysqli, "SELECT remember_token_token FROM remember_tokens WHERE remember_token_user_id = $user_id AND remember_token_created_at > (NOW() - INTERVAL 2 DAY)");
+        $mfa_is_complete = false; // Default to requiring MFA
+        $extended_log = ''; // Default value
 
-        $bypass_2fa = false;
+        if (empty($token)) {
+            // MFA is not configured
+            $mfa_is_complete = true;
+        }
+
+        // Validate MFA via a remember-me cookie
         if (isset($_COOKIE['rememberme'])) {
+            // Get remember tokens less than 2 days old
+            $remember_tokens = mysqli_query($mysqli, "SELECT remember_token_token FROM remember_tokens WHERE remember_token_user_id = $user_id AND remember_token_created_at > (NOW() - INTERVAL 2 DAY)");
             while ($row = mysqli_fetch_assoc($remember_tokens)) {
                 if (hash_equals($row['remember_token_token'], $_COOKIE['rememberme'])) {
-                    $bypass_2fa = true;
+                    $mfa_is_complete = true;
+                    $extended_log = 'with 2FA remember-me cookie';
                     break;
                 }
             }
-        } elseif (empty($token) || TokenAuth6238::verify($token, $current_code)) {
-            $bypass_2fa = true;
         }
 
-        if ($bypass_2fa) {
+        // Validate MFA code
+        if (TokenAuth6238::verify($token, $current_code)) {
+            $mfa_is_complete = true;
+            $extended_log = 'with 2FA';
+        }
+
+        if ($mfa_is_complete) {
+            // MFA Completed successfully
+
+            // FULL LOGIN SUCCESS
+
+            // Create a remember me token, if requested
             if (isset($_POST['remember_me'])) {
+                // TODO: Record the UA and IP a token is generated from so that can be shown later on
                 $newRememberToken = bin2hex(random_bytes(64));
                 setcookie('rememberme', $newRememberToken, time() + 86400*2, "/", null, true, true);
-                $updateTokenQuery = "INSERT INTO remember_tokens (remember_token_user_id, remember_token_token) VALUES ($user_id, '$newRememberToken')";
-                mysqli_query($mysqli, $updateTokenQuery);
-            }
+                mysqli_query($mysqli, "INSERT INTO remember_tokens SET remember_token_user_id = $user_id, remember_token_token = '$newRememberToken'");
 
-            // FULL LOGIN SUCCESS - 2FA not configured or was successful
+                $extended_log .= ", generated a new remember-me token";
+            }
 
             // Check this login isn't suspicious
             $sql_ip_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ip_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_ip = '$ip' AND log_user_id = $user_id"));
@@ -169,12 +187,6 @@
             }
 
 
-            // Determine whether 2FA was used (for logs)
-            $extended_log = ''; // Default value
-            if ($current_code !== 0) {
-                $extended_log = 'with 2FA';
-            }
-
             // Logging successful login
             mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in $extended_log', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id");
 
@@ -191,15 +203,15 @@
                 generateUserSessionKey($site_encryption_master_key);
 
                 // Setup extension - currently unused
-                if (is_null($user_extension_key)) {
+                //if (is_null($user_extension_key)) {
                     // Extension cookie
                     // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS.
-                    setcookie("user_extension_key", "$user_extension_key", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
+                    //setcookie("user_extension_key", "$user_extension_key", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
 
                     // Set PHP session in DB, so we can access the session encryption data (above)
-                    $user_php_session = session_id();
-                    mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = $user_id");
-                }
+                    //$user_php_session = session_id();
+                    //mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = $user_id");
+                //}
 
             }
 

diff --git a/post/profile.php b/post/profile.php
@@ -250,6 +250,24 @@
 
 }
 
+if (isset($_POST['revoke_your_2fa_remember_tokens'])) {
+
+    // CSRF
+    validateCSRFToken($_POST['csrf_token']);
+
+    // Delete tokens
+    mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
+
+    //Logging
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name revoked all their remember-me tokens', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $session_user_id");
+
+    $_SESSION['alert_type'] = "error";
+    $_SESSION['alert_message'] = "Remember me tokens revoked";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
 if (isset($_GET['logout'])) {
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Logout', log_action = 'Success', log_description = '$session_name logged out', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
     mysqli_query($mysqli, "UPDATE users SET user_php_session = '' WHERE user_id = $session_user_id");

diff --git a/post/user.php b/post/user.php
@@ -229,14 +229,13 @@
     $user_id = intval($_GET['revoke_remember_me']);
 
     // Get User Name
-    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
-    $row = mysqli_fetch_array($sql);
+    $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id"));
     $user_name = sanitizeInput($row['user_name']);
 
     mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $user_id");
 
     //Logging
-    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name revoked all remember me tokens', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name revoked all remember me tokens for user $user_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
 
     $_SESSION['alert_type'] = "error";
     $_SESSION['alert_message'] = "User <strong>$user_name</strong> remember me tokens revoked";

diff --git a/user_security.php b/user_security.php
@@ -1,6 +1,10 @@
 <?php
 require_once "inc_all_user.php";
 
+// User remember me tokens
+$sql_remember_tokens = mysqli_query($mysqli, "SELECT * FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
+$remember_token_count = mysqli_num_rows($sql_remember_tokens);
+
 ?>
 
 <div class="card card-dark">
@@ -85,6 +89,34 @@
             </form>
         <?php } ?>
     </div>
+</div>
+
+<?php if ($remember_token_count > 0) { ?>
+    <div class="card card-dark">
+        <div class="card-header py-3">
+            <h3 class="card-title"><i class="fas fa-fw fa-clock mr-2"></i>2FA Remember-Me Tokens</h3>
+        </div>
+        <div class="card-body">
+
+            <ul>
+                <?php while ($row = mysqli_fetch_array($sql_remember_tokens)) {
+                    $token_id = intval($row['remember_token_id']);
+                    $token_created = nullable_htmlentities($row['remember_token_created_at']);
+
+                    echo "<li>ID: $token_id | Created: $token_created</li>";
+                } ?>
+            </ul>
+
+            <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
+
+                <button type="submit" name="revoke_your_2fa_remember_tokens" class="btn btn-danger btn-block mt-3"><i class="fas fa-exclamation-triangle mr-2"></i>Revoke Remember-Me Tokens</button>
+
+            </form>
+
+        </div>
+    </div>
+<?php } ?>
 
 <?php
 require_once "footer.php";