mirror of
https://github.com/myronblair/novacpx
synced 2026-06-30 17:50:41 -05:00
feat: items #9-13 — password change, webmail SSO, DKIM live, file manager security, cache busting
#9 auth.php: add self-service change-password action (current+new+confirm) accounts.php: fix admin change-password — accept account_id, fetch username for chpasswd (was using int ID), add Auth::require('admin') guard user.js: add Change Password page + navItem + submitChangePassword() #10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash webmail.php: rewrite login-url to use webmail_sso_tokens table novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit) Migration 005: add enc_password column + webmail_sso_tokens table #11 opendkim: installed, configured (/etc/opendkim.conf, signing.table, key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/, Postfix milter wired, service enabled+running, key generation verified #12 files.php: fix safe_path() for non-existent paths (write/mkdir), add safe_path_new() helper using parent-dir realpath check, fix delete guard (block deleting account root dirs), fix rename destination, clamp chmod to 0777 #13 nova.js: api() handles network errors, 429 rate-limit with retry-after, non-JSON responses (PHP fatal pages) — graceful error instead of throw admin/user/reseller index.php: filemtime-based cache-busting on all assets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,11 +4,15 @@ $body = json_decode(file_get_contents('php://input'), true) ?? [];
|
||||
|
||||
match ($action) {
|
||||
'login' => (function() use ($body) {
|
||||
$username = trim($body['username'] ?? '');
|
||||
$password = $body['password'] ?? '';
|
||||
$username = trim($body['username'] ?? '');
|
||||
$password = $body['password'] ?? '';
|
||||
$totpCode = isset($body['totp_code']) ? trim($body['totp_code']) : null;
|
||||
if (!$username || !$password) Response::error('Username and password required');
|
||||
$auth = Auth::getInstance();
|
||||
$token = $auth->attempt($username, $password);
|
||||
$token = $auth->attempt($username, $password, $totpCode);
|
||||
if ($token === Auth::TOTP_REQUIRED) {
|
||||
Response::json(['success' => false, 'totp_required' => true, 'message' => 'Enter your 2FA code'], 200);
|
||||
}
|
||||
if (!$token) {
|
||||
// Log failure for Fail2Ban to detect
|
||||
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
|
||||
@@ -53,5 +57,23 @@ match ($action) {
|
||||
]);
|
||||
})(),
|
||||
|
||||
'change-password' => (function() use ($body) {
|
||||
$auth = Auth::getInstance();
|
||||
if (!$auth->check()) Response::error('Unauthorized', 401);
|
||||
$user = $auth->user();
|
||||
$current = $body['current_password'] ?? '';
|
||||
$new = $body['new_password'] ?? '';
|
||||
$confirm = $body['confirm_password'] ?? '';
|
||||
if (!$current || !$new) Response::error('current_password and new_password required');
|
||||
if (strlen($new) < 8) Response::error('Password must be at least 8 characters');
|
||||
if ($new !== $confirm) Response::error('Passwords do not match');
|
||||
$db = DB::getInstance();
|
||||
$full = $db->fetchOne("SELECT password FROM users WHERE id = ?", [$user['uid']]);
|
||||
if (!$full || !password_verify($current, $full['password'])) Response::error('Current password is incorrect', 400);
|
||||
$db->execute("UPDATE users SET password = ? WHERE id = ?", [password_hash($new, PASSWORD_BCRYPT), $user['uid']]);
|
||||
audit('auth.change-password', 'user:' . $user['uid']);
|
||||
Response::success(null, 'Password changed');
|
||||
})(),
|
||||
|
||||
default => Response::error('Unknown auth action', 404),
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user