mirror of
https://github.com/myronblair/novacpx
synced 2026-06-30 17:50:41 -05:00
feat: items #9-13 — password change, webmail SSO, DKIM live, file manager security, cache busting
#9 auth.php: add self-service change-password action (current+new+confirm) accounts.php: fix admin change-password — accept account_id, fetch username for chpasswd (was using int ID), add Auth::require('admin') guard user.js: add Change Password page + navItem + submitChangePassword() #10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash webmail.php: rewrite login-url to use webmail_sso_tokens table novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit) Migration 005: add enc_password column + webmail_sso_tokens table #11 opendkim: installed, configured (/etc/opendkim.conf, signing.table, key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/, Postfix milter wired, service enabled+running, key generation verified #12 files.php: fix safe_path() for non-existent paths (write/mkdir), add safe_path_new() helper using parent-dir realpath check, fix delete guard (block deleting account root dirs), fix rename destination, clamp chmod to 0777 #13 nova.js: api() handles network errors, 429 rate-limit with retry-after, non-JSON responses (PHP fatal pages) — graceful error instead of throw admin/user/reseller index.php: filemtime-based cache-busting on all assets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,57 @@
|
||||
<?php
|
||||
/**
|
||||
* Sessions endpoint — admin session management
|
||||
* GET sessions/list — all active sessions with user info
|
||||
* DELETE sessions/revoke — {session_id} revoke one session
|
||||
* DELETE sessions/revoke-user — {user_id} revoke all sessions for a user
|
||||
* DELETE sessions/revoke-all — revoke all sessions except current
|
||||
*/
|
||||
|
||||
Auth::getInstance()->require('admin');
|
||||
$body = json_decode(file_get_contents('php://input'), true) ?? [];
|
||||
$db = DB::getInstance();
|
||||
$me = Auth::getInstance()->user();
|
||||
$method = $_SERVER['REQUEST_METHOD'];
|
||||
|
||||
match (true) {
|
||||
|
||||
$action === 'list' && $method === 'GET' => (function() use ($db) {
|
||||
$rows = $db->fetchAll(
|
||||
"SELECT s.id, s.user_id, s.ip_address, s.user_agent, s.created_at, s.expires_at,
|
||||
u.username, u.email, u.role
|
||||
FROM sessions s
|
||||
JOIN users u ON u.id = s.user_id
|
||||
WHERE s.expires_at > NOW()
|
||||
ORDER BY s.created_at DESC
|
||||
LIMIT 200"
|
||||
) ?: [];
|
||||
Response::json(['success' => true, 'data' => $rows]);
|
||||
})(),
|
||||
|
||||
$action === 'revoke' && $method === 'DELETE' => (function() use ($db, $body) {
|
||||
$sid = trim($body['session_id'] ?? '');
|
||||
if (!$sid) Response::error('session_id required', 400);
|
||||
$db->execute("DELETE FROM sessions WHERE id = ?", [$sid]);
|
||||
Response::json(['success' => true]);
|
||||
})(),
|
||||
|
||||
$action === 'revoke-user' && $method === 'DELETE' => (function() use ($db, $body) {
|
||||
$uid = (int)($body['user_id'] ?? 0);
|
||||
if (!$uid) Response::error('user_id required', 400);
|
||||
$count = $db->execute("DELETE FROM sessions WHERE user_id = ?", [$uid]);
|
||||
Response::json(['success' => true, 'data' => ['revoked' => $count]]);
|
||||
})(),
|
||||
|
||||
$action === 'revoke-all' && $method === 'DELETE' => (function() use ($db, $me, $body) {
|
||||
// Keep current session if provided
|
||||
$keepId = $body['keep_session'] ?? null;
|
||||
if ($keepId) {
|
||||
$db->execute("DELETE FROM sessions WHERE id != ?", [hash('sha256', $keepId)]);
|
||||
} else {
|
||||
$db->execute("DELETE FROM sessions");
|
||||
}
|
||||
Response::json(['success' => true]);
|
||||
})(),
|
||||
|
||||
default => Response::error('Not found', 404),
|
||||
};
|
||||
Reference in New Issue
Block a user