mirror of
https://github.com/myronblair/novacpx
synced 2026-06-30 17:50:41 -05:00
feat: items #9-13 — password change, webmail SSO, DKIM live, file manager security, cache busting
#9 auth.php: add self-service change-password action (current+new+confirm) accounts.php: fix admin change-password — accept account_id, fetch username for chpasswd (was using int ID), add Auth::require('admin') guard user.js: add Change Password page + navItem + submitChangePassword() #10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash webmail.php: rewrite login-url to use webmail_sso_tokens table novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit) Migration 005: add enc_password column + webmail_sso_tokens table #11 opendkim: installed, configured (/etc/opendkim.conf, signing.table, key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/, Postfix milter wired, service enabled+running, key generation verified #12 files.php: fix safe_path() for non-existent paths (write/mkdir), add safe_path_new() helper using parent-dir realpath check, fix delete guard (block deleting account root dirs), fix rename destination, clamp chmod to 0777 #13 nova.js: api() handles network errors, 429 rate-limit with retry-after, non-JSON responses (PHP fatal pages) — graceful error instead of throw admin/user/reseller index.php: filemtime-based cache-busting on all assets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -6,11 +6,12 @@
|
||||
class EmailManager {
|
||||
|
||||
public static function createAccount(int $accountId, string $email, string $password, int $quotaMb = 500): int {
|
||||
$db = DB::getInstance();
|
||||
$db = DB::getInstance();
|
||||
$hashed = self::hashPassword($password);
|
||||
$enc = self::encryptPassword($password);
|
||||
$id = (int)$db->insert(
|
||||
"INSERT INTO email_accounts (account_id, email, password, quota_mb) VALUES (?,?,?,?)",
|
||||
[$accountId, $email, $hashed, $quotaMb]
|
||||
"INSERT INTO email_accounts (account_id, email, password, enc_password, quota_mb) VALUES (?,?,?,?,?)",
|
||||
[$accountId, $email, $hashed, $enc, $quotaMb]
|
||||
);
|
||||
self::syncPostfix();
|
||||
novacpx_log('info', "Email account created: $email");
|
||||
@@ -27,7 +28,10 @@ class EmailManager {
|
||||
|
||||
public static function changePassword(int $id, string $newPassword): void {
|
||||
$db = DB::getInstance();
|
||||
$db->execute("UPDATE email_accounts SET password = ? WHERE id = ?", [self::hashPassword($newPassword), $id]);
|
||||
$db->execute(
|
||||
"UPDATE email_accounts SET password = ?, enc_password = ? WHERE id = ?",
|
||||
[self::hashPassword($newPassword), self::encryptPassword($newPassword), $id]
|
||||
);
|
||||
}
|
||||
|
||||
public static function suspend(int $id): void {
|
||||
@@ -56,9 +60,21 @@ class EmailManager {
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt stored IMAP password for SSO use only.
|
||||
*/
|
||||
public static function decryptPassword(string $enc): ?string {
|
||||
$key = substr(hash('sha256', SECRET_KEY, true), 0, 32);
|
||||
$data = base64_decode($enc);
|
||||
if (strlen($data) <= 16) return null;
|
||||
$iv = substr($data, 0, 16);
|
||||
$encrypted = substr($data, 16);
|
||||
$plain = openssl_decrypt($encrypted, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
|
||||
return $plain !== false ? $plain : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sync Postfix virtual_mailbox_maps + virtual_alias_maps files from DB
|
||||
* Postfix reads these files (postmap creates .db hash)
|
||||
*/
|
||||
private static function syncPostfix(): void {
|
||||
$db = DB::getInstance();
|
||||
@@ -93,7 +109,13 @@ class EmailManager {
|
||||
}
|
||||
|
||||
private static function hashPassword(string $password): string {
|
||||
// Dovecot SHA512-CRYPT compatible
|
||||
return '{SHA512-CRYPT}' . crypt($password, '$6$' . bin2hex(random_bytes(8)) . '$');
|
||||
}
|
||||
|
||||
private static function encryptPassword(string $password): string {
|
||||
$key = substr(hash('sha256', SECRET_KEY, true), 0, 32);
|
||||
$iv = random_bytes(16);
|
||||
$enc = openssl_encrypt($password, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
|
||||
return base64_encode($iv . $enc);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user