myron/novacpx
1
0
Fork 0
mirror of https://github.com/myronblair/novacpx synced 2026-06-30 17:50:41 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
6fdccc6dbdde76fda7c674b8bb735f6fa63f5be2
novacpx/panel/api/endpoints/auth.php
T
myron 6fdccc6dbd feat: items #9-13 — password change, webmail SSO, DKIM live, file manager security, cache busting 
#9  auth.php: add self-service change-password action (current+new+confirm)
    accounts.php: fix admin change-password — accept account_id, fetch username
    for chpasswd (was using int ID), add Auth::require('admin') guard
    user.js: add Change Password page + navItem + submitChangePassword()

#10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash
    webmail.php: rewrite login-url to use webmail_sso_tokens table
    novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit)
    Migration 005: add enc_password column + webmail_sso_tokens table

#11 opendkim: installed, configured (/etc/opendkim.conf, signing.table,
    key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/,
    Postfix milter wired, service enabled+running, key generation verified

#12 files.php: fix safe_path() for non-existent paths (write/mkdir),
    add safe_path_new() helper using parent-dir realpath check,
    fix delete guard (block deleting account root dirs),
    fix rename destination, clamp chmod to 0777

#13 nova.js: api() handles network errors, 429 rate-limit with retry-after,
    non-JSON responses (PHP fatal pages) — graceful error instead of throw
    admin/user/reseller index.php: filemtime-based cache-busting on all assets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 01:19:33 +00:00

80 lines
3.6 KiB
PHP
Raw Blame History

<?php
$method = $_SERVER['REQUEST_METHOD'];
$body = json_decode(file_get_contents('php://input'), true) ?? [];
match ($action) {
'login' => (function() use ($body) {
$username = trim($body['username'] ?? '');
$password = $body['password'] ?? '';
$totpCode = isset($body['totp_code']) ? trim($body['totp_code']) : null;
if (!$username || !$password) Response::error('Username and password required');
$auth = Auth::getInstance();
$token = $auth->attempt($username, $password, $totpCode);
if ($token === Auth::TOTP_REQUIRED) {
Response::json(['success' => false, 'totp_required' => true, 'message' => 'Enter your 2FA code'], 200);
}
if (!$token) {
// Log failure for Fail2Ban to detect
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$port = (int)($_SERVER['SERVER_PORT'] ?? 0);
$portal = $port === PORT_ADMIN ? 'admin' : ($port === PORT_RESELLER ? 'reseller' : ($port === PORT_WEBMAIL ? 'webmail' : 'user'));
$logLine = date('Y-m-d H:i:s') . " FAILED LOGIN from {$ip} [{$portal}] user:{$username}\n";
@file_put_contents('/var/log/novacpx/access.log', $logLine, FILE_APPEND | LOCK_EX);
novacpx_log('warn', "Failed login for '$username' from $ip");
Response::error('Invalid credentials', 401);
}
$user = $auth->user();
audit('login', 'auth');
Response::success([
'token' => $token,
'portal_url' => Auth::portalUrl($user['role']),
'user' => [
'id' => $user['id'],
'username' => $user['username'],
'email' => $user['email'],
'role' => $user['role'],
'theme' => $user['theme'],
],
], 'Login successful');
})(),
'logout' => (function() {
Auth::getInstance()->logout();
audit('logout', 'auth');
Response::success(null, 'Logged out');
})(),
'me' => (function() {
$auth = Auth::getInstance();
if (!$auth->check()) Response::error('Unauthorized', 401);
$u = $auth->user();
Response::success([
'id' => $u['uid'] ?? $u['id'],
'username' => $u['username'],
'email' => $u['email'],
'role' => $u['role'],
'theme' => $u['theme'],
]);
})(),
'change-password' => (function() use ($body) {
$auth = Auth::getInstance();
if (!$auth->check()) Response::error('Unauthorized', 401);
$user = $auth->user();
$current = $body['current_password'] ?? '';
$new = $body['new_password'] ?? '';
$confirm = $body['confirm_password'] ?? '';
if (!$current || !$new) Response::error('current_password and new_password required');
if (strlen($new) < 8) Response::error('Password must be at least 8 characters');
if ($new !== $confirm) Response::error('Passwords do not match');
$db = DB::getInstance();
$full = $db->fetchOne("SELECT password FROM users WHERE id = ?", [$user['uid']]);
if (!$full || !password_verify($current, $full['password'])) Response::error('Current password is incorrect', 400);
$db->execute("UPDATE users SET password = ? WHERE id = ?", [password_hash($new, PASSWORD_BCRYPT), $user['uid']]);
audit('auth.change-password', 'user:' . $user['uid']);
Response::success(null, 'Password changed');
})(),
default => Response::error('Unknown auth action', 404),
};
Reference in New Issue View Git Blame Copy Permalink