Merge pull request #2 from zigazajc007/dev

Added login system with captcha and option to remove entries.
zigazajc007 · Apr 17, 2023 · 1bf6c1b · 1bf6c1b
2 parents ada55d4 + 27f4f34
commit 1bf6c1b
Show file tree

Hide file tree

Showing 10 changed files with 289 additions and 57 deletions.
diff --git a/website/Settings.php b/website/Settings.php
@@ -13,12 +13,15 @@ class Settings{
 	public static $mysql_password = "";
 
 	// Login data for Admin Bans panel (Please don't use default password)
-	public static $login_username = "admin";
-	public static $login_password = "d45HKmyHkQkNPGNoZxz7Dwz7i";
-	// Do you want to use hCaptcha for login?
-	public static $login_hcaptcha = false;
-	public static $login_hcaptcha_sitekey = "Site Key Here";
-	public static $login_hcaptcha_privatekey = "Private Key Here";
+	public static $admin_accounts = [
+		"admin" => "d45HKmyHkQkNPGNoZxz7Dwz7i",
+		"admin2" => "vn5QkeDq3AkVzP8vpCP84bW8m",
+	];
+
+	// Do you want to use Turnstile (Captcha) for admin logins (Mitigate brute force attacks)?
+	public static $turnstile = false;
+	public static $turnstile_sitekey = "1x00000000000000000000AA";
+	public static $turnstile_privatekey = "1x0000000000000000000000000000000AA";
 
 	//Choose default theme
 	public static $default_theme = "dark";

diff --git a/website/Utils.php b/website/Utils.php
@@ -36,6 +36,13 @@ public static function chatColor($text){
 		return $text;
 	}
 
+	public static function getUserIpAddress() : string {
+		if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) return $_SERVER['HTTP_CF_CONNECTING_IP'];
+		if(!empty($_SERVER['HTTP_CLIENT_IP'])) return $_SERVER['HTTP_CLIENT_IP'];
+		if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) return $_SERVER['HTTP_X_FORWARDED_FOR'];
+		return $_SERVER['REMOTE_ADDR'];
+	}
+
 	public static function createConnection(){
 		$conn = null;
 		try{
@@ -90,6 +97,19 @@ public static function getRowCount($table = 'adminbans_banned_players'){
 		}
 	}
 
+	public static function deleteEntry($table = 'adminbans_banned_players', $id){
+		try{
+			$conn = Utils::createConnection();
+
+			$stmt = $conn->prepare("DELETE FROM " . $table . " WHERE id = :id");
+			$stmt->bindParam(':id', $id, PDO::PARAM_INT);
+
+			return $stmt->execute();
+		}catch(PDOException $e) {
+			return false;
+		}
+	}
+
 	public static function executeQuery($query, $parms = []){
 
 		$queryHash = hash('sha256', $query);

diff --git a/website/check_login.php b/website/check_login.php
@@ -1,47 +1,51 @@
 <?php
-require "settings.php";
+include_once "Settings.php";
+include_once "Utils.php";
 
 session_start();
 
-if (isset($_POST['username']) && isset($_POST["password"])) {
-
-	$_SESSION["msg"] = "";
-
-if($login_hcaptcha){
-	$responseKey = $_POST['h-captcha-response'];
-
-	$url = 'https://hcaptcha.com/siteverify?secret='.$login_hcaptcha.'&response='.$responseKey;
-	$response = file_get_contents($url);
-	$response = json_decode($response);
-
-	if($response->success){
-
-
+if(!isset($_POST['username']) || !isset($_POST["password"])){
+	$_SESSION["msg"] = "Missing login creditions!";
+	header("Location: login.php");
+	return;
+}
 
-	}else{
-		$_SESSION["msg"] = "Please complete the captcha!";
-		$_SESSION["color"] = "alert-danger";
-		header("Location: panel.php");
-	}
-}else{
-	if($_POST['username'] == $login_username){
-		if($_POST["password"] == $login_password){
-			$_SESSION["username"] = $_POST['username'];
-			header("Location: panel.php");
-		}else{
-			$_SESSION["msg"] = "Password is incorrect!";
-			$_SESSION["color"] = "alert-danger";
-			header("Location: panel.php");
-		}
-	}else{
-		$_SESSION["msg"] = "Username is incorrect!";
-		$_SESSION["color"] = "alert-danger";
-		header("Location: panel.php");
+if(Settings::$turnstile){
+	$data = array(
+		'secret' => Settings::$turnstile_privatekey,
+		'response' => $_POST['cf-turnstile-response'],
+		'remoteip' => Utils::getUserIpAddress()
+	);
+
+	$verify = curl_init();
+	curl_setopt($verify, CURLOPT_URL, "https://challenges.cloudflare.com/turnstile/v0/siteverify");
+	curl_setopt($verify, CURLOPT_POST, true);
+	curl_setopt($verify, CURLOPT_POSTFIELDS, http_build_query($data));
+	curl_setopt($verify, CURLOPT_RETURNTRANSFER, true);
+	$response = curl_exec($verify);
+
+	$responseData = json_decode($response);
+	if(!$responseData->success){
+		$_SESSION["msg"] = "Captcha is invalid!";
+		header("Location: login.php");
+		return;
 	}
 }
-}else{
-	$_SESSION["msg"] = "Missing login creditions!";
-	$_SESSION["color"] = "alert-danger";
-	header("Location: panel.php");
+
+if(!array_key_exists($_POST['username'], Settings::$admin_accounts)){
+	$_SESSION["msg"] = "Username is incorrect!";
+	header("Location: login.php");
+	return;
 }
+
+if(Settings::$admin_accounts[$_POST['username']] !== $_POST["password"]){
+	$_SESSION["msg"] = "Password is incorrect!";
+	header("Location: login.php");
+	return;
+}
+
+unset($_SESSION["msg"]);
+$_SESSION["username"] = $_POST['username'];
+$_SESSION["token"] = bin2hex(random_bytes(64));
+header("Location: index.php");
 ?>
diff --git a/website/css/tailwind.min.css b/website/css/tailwind.min.css
diff --git a/website/delete_entry.php b/website/delete_entry.php
@@ -0,0 +1,36 @@
+<?php
+include_once "Settings.php";
+include_once "Utils.php";
+
+session_start();
+
+if(!isset($_SESSION["username"])){
+	header("Location: index.php");
+	return;
+}
+
+if(!isset($_GET['type']) || !isset($_GET['id']) || !isset($_GET['token'])){
+	header("Location: index.php");
+	return;
+}
+
+if(strlen($_GET['token']) !== 128 || $_GET['token'] !== $_SESSION["token"]){
+	header("Location: index.php");
+	return;
+}
+
+$validTypes = ['bans', 'mutes', 'warns', 'kicks'];
+if(!in_array($_GET['type'], $validTypes)){
+	header("Location: index.php");
+	return;
+}
+
+$table = 'adminbans_banned_players';
+if($_GET['type'] === 'mutes') $table = 'adminbans_muted_players';
+if($_GET['type'] === 'warns') $table = 'adminbans_warned_players';
+if($_GET['type'] === 'kicks') $table = 'adminbans_kicked_players';
+
+if(Utils::deleteEntry($table, $_GET['id'])){
+	unlink('cache.json');
+}
+header("Location: " .$_GET['redirect']);
diff --git a/website/index.php b/website/index.php
@@ -2,6 +2,8 @@
 include_once "Settings.php";
 include_once "Utils.php";
 
+session_start();
+
 $ban_count = Utils::getRowCount('adminbans_banned_players');
 $mute_count = Utils::getRowCount('adminbans_muted_players');
 $warn_count = Utils::getRowCount('adminbans_warned_players');
@@ -60,15 +62,21 @@
               </span>
             </div>
           </div>
-					<?php }else{ ?>
-					<!--
-					<div class="hidden flex-1 flex items-center justify-center px-2 lg:ml-6 lg:flex lg:justify-end">
-						<div id="login-nav" class="flex-shrink-0">
-							<a href="panel.php" class="primaryButton px-3 py-2 rounded-md text-sm font-medium">Log in</a>
-						</div>
-					</div>
-					-->
-					<?php } ?>
+					<?php }else{
+						if(isset($_SESSION["username"])){ ?>
+							<div class="hidden flex-1 flex items-center justify-center px-2 lg:ml-6 lg:flex lg:justify-end">
+								<div class="flex-shrink-0">
+									<a href="logout.php" class="tertiaryColor px-3 py-2 rounded-md text-sm font-medium">Log out</a>
+								</div>
+							</div>
+						<?php }else{ ?>
+							<div class="hidden flex-1 flex items-center justify-center px-2 lg:ml-6 lg:flex lg:justify-end">
+								<div class="flex-shrink-0">
+									<a href="login.php" class="primaryButton px-3 py-2 rounded-md text-sm font-medium">Log in</a>
+								</div>
+							</div>
+						<?php }
+					} ?>
 					<div class="flex items-center lg:hidden">
 						<button id="menu-toggle-btn" type="button" class="main-menu-toggle-btn inline-flex items-center justify-center p-2 rounded-md focus:outline-none" aria-controls="mobile-menu" aria-expanded="false">
 							<span class="sr-only">Open main menu</span>
@@ -177,6 +185,7 @@
 								echo Utils::generateHeader('bans', 'date', 'Date', $order);
 								echo Utils::generateHeader('bans', 'expires', 'Expires', $order);
 								if(Settings::$show_servers) echo Utils::generateHeader('bans', 'server', 'Server', $order);
+								if(isset($_SESSION["username"])) echo '<th scope="col" class="secondaryColor px-4 py-3 text-left text-xs font-medium uppercase tracking-wider">Delete</th>';
 							?>
 						</tr>
 					</thead>
@@ -192,6 +201,9 @@
 								<?php if(Settings::$show_servers){ ?>
 									<td class="tertiaryColor py-4 px-4 whitespace-nowrap"><a href="/?page=bans&server=<?= $result[$i]['server'] ?>"><?php if($result[$i]['server'] != ""){ echo $result[$i]['server']; }else{ echo "-"; } ?></a></td>
 								<?php } ?>
+								<?php
+								if(isset($_SESSION["username"])) echo "<td class='px-4 py-4 whitespace-nowrap'><a href='delete_entry.php?type=bans&id=" . $result[$i]['id'] . "&token=" . $_SESSION["token"] . "&redirect=" . urlencode($_SERVER['REQUEST_URI']) . "' class='dangerButton cursor-pointer px-3 py-2 rounded-md text-sm font-medium'>Delete</a></td>";
+								?>
 							</tr>
 							<?php
 						}?>
@@ -276,6 +288,7 @@
 								echo Utils::generateHeader('mutes', 'date', 'Date', $order);
 								echo Utils::generateHeader('mutes', 'expires', 'Expires', $order);
 								if(Settings::$show_servers) echo Utils::generateHeader('mutes', 'server', 'Server', $order);
+								if(isset($_SESSION["username"])) echo '<th scope="col" class="secondaryColor px-4 py-3 text-left text-xs font-medium uppercase tracking-wider">Delete</th>';
 							?>
 						</tr>
 					</thead>
@@ -291,6 +304,9 @@
 								<?php if(Settings::$show_servers){ ?>
 									<td class="tertiaryColor py-4 px-4 whitespace-nowrap"><a href="/?page=mutes&server=<?= $result[$i]['server'] ?>"><?php if($result[$i]['server'] != ""){ echo $result[$i]['server']; }else{ echo "-"; } ?></a></td>
 								<?php } ?>
+								<?php
+								if(isset($_SESSION["username"])) echo "<td class='px-4 py-4 whitespace-nowrap'><a href='delete_entry.php?type=mutes&id=" . $result[$i]['id'] . "&token=" . $_SESSION["token"] . "&redirect=" . urlencode($_SERVER['REQUEST_URI']) . "' class='dangerButton cursor-pointer px-3 py-2 rounded-md text-sm font-medium'>Delete</a></td>";
+								?>
 							</tr>
 							<?php
 						}?>
@@ -368,6 +384,7 @@
 								echo Utils::generateHeader('warns', 'reason', 'Reason', $order, 0);
 								echo Utils::generateHeader('warns', 'date', 'Date', $order);
 								if(Settings::$show_servers) echo Utils::generateHeader('warns', 'server', 'Server', $order);
+								if(isset($_SESSION["username"])) echo '<th scope="col" class="secondaryColor px-4 py-3 text-left text-xs font-medium uppercase tracking-wider">Delete</th>';
 							?>
 						</tr>
 					</thead>
@@ -382,6 +399,9 @@
 								<?php if(Settings::$show_servers){ ?>
 									<td class="tertiaryColor py-4 px-4 whitespace-nowrap"><a href="/?page=warns&server=<?= $result[$i]['server'] ?>"><?php if($result[$i]['server'] != ""){ echo $result[$i]['server']; }else{ echo "-"; } ?></a></td>
 								<?php } ?>
+								<?php
+								if(isset($_SESSION["username"])) echo "<td class='px-4 py-4 whitespace-nowrap'><a href='delete_entry.php?type=warns&id=" . $result[$i]['id'] . "&token=" . $_SESSION["token"] . "&redirect=" . urlencode($_SERVER['REQUEST_URI']) . "' class='dangerButton cursor-pointer px-3 py-2 rounded-md text-sm font-medium'>Delete</a></td>";
+								?>
 							</tr>
 							<?php
 						}?>
@@ -459,6 +479,7 @@
 								echo Utils::generateHeader('kicks', 'reason', 'Reason', $order, 0);
 								echo Utils::generateHeader('kicks', 'date', 'Date', $order);
 								if(Settings::$show_servers) echo Utils::generateHeader('kicks', 'server', 'Server', $order);
+								if(isset($_SESSION["username"])) echo '<th scope="col" class="secondaryColor px-4 py-3 text-left text-xs font-medium uppercase tracking-wider">Delete</th>';
 							?>
 						</tr>
 					</thead>
@@ -473,6 +494,9 @@
 								<?php if(Settings::$show_servers){ ?>
 									<td class="tertiaryColor py-4 px-4 whitespace-nowrap"><a href="/?page=kicks&server=<?= $result[$i]['server'] ?>"><?php if($result[$i]['server'] != ""){ echo $result[$i]['server']; }else{ echo "-"; } ?></a></td>
 								<?php } ?>
+								<?php
+								if(isset($_SESSION["username"])) echo "<td class='px-4 py-4 whitespace-nowrap'><a href='delete_entry.php?type=kicks&id=" . $result[$i]['id'] . "&token=" . $_SESSION["token"] . "&redirect=" . urlencode($_SERVER['REQUEST_URI']) . "' class='dangerButton cursor-pointer px-3 py-2 rounded-md text-sm font-medium'>Delete</a></td>";
+								?>
 							</tr>
 							<?php
 						}?>
@@ -489,6 +513,34 @@
 	  </div>
 		</div>
 
+		<div id="dialog" class="hidden h-screen w-full fixed left-0 top-0 flex justify-center items-center z-10 inset-0 overflow-y-auto" aria-labelledby="dialog-title" role="dialog" aria-modal="true">
+			<div class="fixed inset-0 bg-gray-500 bg-opacity-75 transition-opacity" aria-hidden="true"></div>
+			<span class="hidden sm:inline-block sm:align-middle sm:h-screen" aria-hidden="true">&#8203;</span>
+			<div class="secondaryBackgroundColor inline-block align-bottom rounded-lg px-4 pt-5 pb-4 text-left overflow-hidden shadow-xl transform transition-all m-8 sm:align-middle sm:max-w-lg sm:w-full sm:p-6">
+				<div class="sm:flex sm:items-start">
+					<div id="dialog-icon" class="mx-auto flex-shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+						<svg class="h-6 w-6 text-red-600" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+						</svg>
+					</div>
+					<div class="mt-3 text-center sm:mt-0 sm:ml-4 sm:text-left">
+						<h3 class="tertiaryColor text-lg leading-6 font-medium" id="dialog-title"></h3>
+						<div class="mt-2">
+							<p class="secondaryColor text-sm" id="dialog-text"></p>
+						</div>
+					</div>
+				</div>
+				<div class="mt-5 sm:mt-4 sm:ml-10 sm:pl-4 sm:flex">
+					<button id="dialog-button" type="button" class="dangerButton inline-flex justify-center w-full rounded-md border border-transparent shadow-sm px-4 py-2 text-base font-medium focus:outline-none sm:w-auto sm:text-sm">
+						Okay
+					</button>
+					<button id="dialog-button-cancel" type="button" class="cancelButton mt-2 w-full inline-flex justify-center rounded-md border px-4 py-2 text-base font-medium shadow-sm focus:outline-none sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm">
+						Cancel
+					</button>
+				</div>
+			</div>
+		</div>
+
 		<script type="module" src="js/index.js"></script>
   </body>
 </html>
diff --git a/website/js/index.js b/website/js/index.js
@@ -6,6 +6,10 @@ document.getElementById("menu-toggle-btn").addEventListener('click', () => {
 	Utils.toggleMenu();
 });
 
+document.getElementById('dialog-button-cancel').addEventListener('click', () => {
+	Utils.hide('dialog');
+});
+
 try{
 	if(parms.get('player') !== null){
 		document.getElementById("search").value = parms.get('player');

diff --git a/website/js/login.js b/website/js/login.js
@@ -0,0 +1,3 @@
+document.getElementById('dialog-button').addEventListener('click', () => {
+	document.getElementById('dialog').style.display = 'none';
+});