Merge pull request #1393 from RaspAP/maint/authenticate

Refactors existing auth mechanism
RaspAP · Sep 16, 2023 · 4f2a433 · 4f2a433
2 parents 7831afa + 33c5961
commit 4f2a433
Show file tree

Hide file tree

Showing 32 changed files with 552 additions and 856 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ yarn-error.log
 *.swp
 includes/config.php
 rootCA.pem
+vendor
diff --git a/ajax/bandwidth/get_bandwidth.php b/ajax/bandwidth/get_bandwidth.php
@@ -3,12 +3,6 @@
 require '../../includes/csrf.php';
 
 require_once '../../includes/config.php';
-require_once RASPI_CONFIG.'/raspap.php';
-
-header('X-Frame-Options: DENY');
-header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
-require_once '../../includes/authenticate.php';
-
 
 $interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS);
 if (empty($interface)) {

diff --git a/app/css/all.css b/app/css/all.css
@@ -228,3 +228,8 @@ button > i.fas {
   pointer-events: none;
 }
 
+.close {
+  font-weight: 400;
+  font-size: 1.3rem;
+}
+
diff --git a/app/js/custom.js b/app/js/custom.js
@@ -18,7 +18,8 @@ function createNetmaskAddr(bitCount) {
 }
 
 function loadSummary(strInterface) {
-    $.post('ajax/networking/get_ip_summary.php',{interface:strInterface},function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/networking/get_ip_summary.php',{'interface': strInterface, 'csrf_token': csrfToken},function(data){
         jsonData = JSON.parse(data);
         if(jsonData['return'] == 0) {
             $('#'+strInterface+'-summary').html(jsonData['output'].join('<br />'));
@@ -122,21 +123,24 @@ $(document).on("click", "#gen_wpa_passphrase", function(e) {
 });
 
 $(document).on("click", "#js-clearhostapd-log", function(e) {
-    $.post('ajax/logging/clearlog.php?',{'logfile':'/tmp/hostapd.log'},function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/logging/clearlog.php?',{'logfile':'/tmp/hostapd.log', 'csrf_token': csrfToken},function(data){
         jsonData = JSON.parse(data);
         $("#hostapd-log").val("");
     });
 });
 
 $(document).on("click", "#js-cleardnsmasq-log", function(e) {
-    $.post('ajax/logging/clearlog.php?',{'logfile':'/var/log/dnsmasq.log'},function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/logging/clearlog.php?',{'logfile':'/var/log/dnsmasq.log', 'csrf_token': csrfToken},function(data){
         jsonData = JSON.parse(data);
         $("#dnsmasq-log").val("");
     });
 });
 
 $(document).on("click", "#js-clearopenvpn-log", function(e) {
-    $.post('ajax/logging/clearlog.php?',{'logfile':'/tmp/openvpn.log'},function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/logging/clearlog.php?',{'logfile':'/tmp/openvpn.log', 'csrf_token': csrfToken},function(data){
         jsonData = JSON.parse(data);
         $("#openvpn-log").val("");
     });
@@ -286,7 +290,8 @@ $('#configureClientModal').on('shown.bs.modal', function (e) {
 
 $('#ovpn-confirm-delete').on('click', '.btn-delete', function (e) {
     var cfg_id = $(this).data('recordId');
-    $.post('ajax/openvpn/del_ovpncfg.php',{'cfg_id':cfg_id},function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/openvpn/del_ovpncfg.php',{'cfg_id':cfg_id, 'csrf_token': csrfToken},function(data){
         jsonData = JSON.parse(data);
         $("#ovpn-confirm-delete").modal('hide');
         var row = $(document.getElementById("openvpn-client-row-" + cfg_id));
@@ -303,7 +308,8 @@ $('#ovpn-confirm-delete').on('show.bs.modal', function (e) {
 
 $('#ovpn-confirm-activate').on('click', '.btn-activate', function (e) {
     var cfg_id = $(this).data('record-id');
-    $.post('ajax/openvpn/activate_ovpncfg.php',{'cfg_id':cfg_id},function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/openvpn/activate_ovpncfg.php',{'cfg_id':cfg_id, 'csrf_token': csrfToken},function(data){
         jsonData = JSON.parse(data);
         $("#ovpn-confirm-activate").modal('hide');
         setTimeout(function(){
@@ -419,11 +425,12 @@ function loadChannelSelect(selected) {
 function setHardwareModeTooltip() {
     var iface = $('#cbxinterface').val();
     var hwmodeText = '';
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
     // Explanatory text if 802.11ac is disabled
     if ($('#cbxhwmode').find('option[value="ac"]').prop('disabled') == true ) {
         var hwmodeText = $('#hwmode').attr('data-tooltip');
     }
-    $.post('ajax/networking/get_frequencies.php?',{'interface': iface},function(data){
+    $.post('ajax/networking/get_frequencies.php?',{'interface': iface, 'csrf_token': csrfToken},function(data){
         var responseText = JSON.parse(data);
         $('#tiphwmode').attr('data-original-title', responseText + '\n' + hwmodeText );
     });
@@ -435,10 +442,11 @@ function setHardwareModeTooltip() {
  */
 function updateBlocklist() {
     var blocklist_id = $('#cbxblocklist').val();
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
     if (blocklist_id == '') { return; }
     $('#cbxblocklist-status').find('i').removeClass('fas fa-check').addClass('fas fa-cog fa-spin');
     $('#cbxblocklist-status').removeClass('check-hidden').addClass('check-progress');
-    $.post('ajax/adblock/update_blocklist.php',{ 'blocklist_id':blocklist_id },function(data){
+    $.post('ajax/adblock/update_blocklist.php',{ 'blocklist_id':blocklist_id, 'csrf_token': csrfToken},function(data){
         var jsonData = JSON.parse(data);
         if (jsonData['return'] == '0') {
             $('#cbxblocklist-status').find('i').removeClass('fas fa-cog fa-spin').addClass('fas fa-check');
@@ -457,7 +465,8 @@ $('.wg-keygen').click(function(){
     var entity_pub = $(this).parent('div').prev('input[type="text"]');
     var entity_priv = $(this).parent('div').next('input[type="hidden"]');
     var updated = entity_pub.attr('name')+"-pubkey-status";
-    $.post('ajax/networking/get_wgkey.php',{'entity':entity_pub.attr('name') },function(data){
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    $.post('ajax/networking/get_wgkey.php',{'entity':entity_pub.attr('name'), 'csrf_token': csrfToken},function(data){
         var jsonData = JSON.parse(data);
         entity_pub.val(jsonData.pubkey);
         $('#' + updated).removeClass('check-hidden').addClass('check-updated').delay(500).animate({ opacity: 1 }, 700);

diff --git a/includes/adblock.php b/includes/adblock.php
@@ -1,6 +1,5 @@
 <?php
 
-require_once 'includes/status_messages.php';
 require_once 'config.php';
 
 /**
@@ -9,7 +8,7 @@
  */
 function DisplayAdBlockConfig()
 {
-    $status = new StatusMessages();
+    $status = new \RaspAP\Messages\StatusMessage;
     $enabled = false;
     $custom_enabled = false;
 

diff --git a/includes/admin.php b/includes/admin.php
@@ -1,10 +1,12 @@
 <?php
 
-require_once 'includes/status_messages.php';
-
-function DisplayAuthConfig($username, $password)
+function DisplayAuthConfig($username)
 {
-    $status = new StatusMessages();
+    $status = new \RaspAP\Messages\StatusMessage;
+    $auth = new \RaspAP\Auth\HTTPAuth;
+    $config = $auth->getAuthConfig();
+    $password = $config['admin_pass'];
+
     if (isset($_POST['UpdateAdminPassword'])) {
         if (password_verify($_POST['oldpass'], $password)) {
             $new_username=trim($_POST['username']);
@@ -33,5 +35,10 @@ function DisplayAuthConfig($username, $password)
         }
     }
 
-    echo renderTemplate("admin", compact("status", "username"));
+    echo renderTemplate(
+        "admin", compact(
+            "status",
+            "username"
+        )
+    );
 }
diff --git a/includes/authenticate.php b/includes/authenticate.php
@@ -1,22 +1,16 @@
 <?php
-$user = $_SERVER['PHP_AUTH_USER'] ?? "";
-$pass = $_SERVER['PHP_AUTH_PW'] ?? "";
-
-require_once RASPI_CONFIG.'/raspap.php';
-$config = getConfig();
 
 if (RASPI_AUTH_ENABLED) {
-    $validated = ($user == $config['admin_user']) && password_verify($pass, $config['admin_pass']);
-    if (!$validated) {
-        header('WWW-Authenticate: Basic realm="RaspAP"');
-        if (function_exists('http_response_code')) {
-            // http_response_code will respond with proper HTTP version back.
-            http_response_code(401);
+    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
+    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
+
+    $auth = new \RaspAP\Auth\HTTPAuth;
+
+    if (!$auth->isLogged()) {
+        if ($auth->login($user, $pass)) {
+            $config = $auth->getAuthConfig();
         } else {
-            header('HTTP/1.0 401 Unauthorized');
+            $auth->authenticate();
         }
-        exit('Not authorized'.PHP_EOL);
     }
-} else {
-    $validated = true;
 }
diff --git a/includes/autoload.php b/includes/autoload.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * PSR-4 compliant class autoloader
+ *
+ * @see https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-4-autoloader.md
+ * @link https://www.php.net/manual/en/function.spl-autoload-register.php
+ * @param string $class fully-qualified class name
+ * @return void
+ */
+spl_autoload_register(function ($class) {
+
+    // project-specific namespace prefix
+    $prefix = '';
+
+    // base directory for the namespace prefix
+    $base_dir = 'src/';
+
+    // normalize the base directory with a trailing separator
+    $base_dir = rtrim($base_dir, DIRECTORY_SEPARATOR) . '/';
+
+    // does the class use the namespace prefix?
+    $len = strlen($prefix);
+    if (strncmp($prefix, $class, $len) !== 0) {
+        // no, move to the next registered autoloader
+        return;
+    }
+
+    // get the relative class name
+    $relative_class = substr($class, $len);
+
+    // replace the namespace prefix with the base directory, replace namespace
+    // separators with directory separators in the relative class name, append
+    // with .php
+    $file = $base_dir . str_replace('\\', '/', $relative_class) . '.php';
+
+    // if the file exists, require it
+    if (file_exists($file)) {
+        require $file;
+    }
+});
+
diff --git a/includes/configure_client.php b/includes/configure_client.php
@@ -1,6 +1,5 @@
 <?php
 
-require_once 'includes/status_messages.php';
 require_once 'includes/wifi_functions.php';
 
 /**
@@ -9,7 +8,7 @@
  */
 function DisplayWPAConfig()
 {
-    $status = new StatusMessages();
+    $status = new \RaspAP\Messages\StatusMessage;
     $networks = [];
 
     getWifiInterface();

diff --git a/includes/dashboard.php b/includes/dashboard.php
@@ -10,7 +10,7 @@
 function DisplayDashboard(&$extraFooterScripts)
 {
     getWifiInterface();
-    $status = new StatusMessages();
+    $status = new \RaspAP\Messages\StatusMessage;
     // Need this check interface name for proper shell execution.
     if (!preg_match('/^([a-zA-Z0-9]+)$/', $_SESSION['wifi_client_interface'])) {
         $status->addMessage(_('Interface name invalid.'), 'danger');

diff --git a/includes/dhcp.php b/includes/dhcp.php
@@ -1,14 +1,13 @@
 <?php
 
-require_once 'includes/status_messages.php';
 require_once 'config.php';
 
 /**
  * Manage DHCP configuration
  */
 function DisplayDHCPConfig()
 {
-    $status = new StatusMessages();
+    $status = new \RaspAP\Messages\StatusMessage;
     if (!RASPI_MONITOR_ENABLED) {
         if (isset($_POST['savedhcpdsettings'])) {
             saveDHCPConfig($status);