myron/novacpx
1
0
Fork 0
mirror of https://github.com/myronblair/novacpx synced 2026-06-30 17:50:41 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
6fdccc6dbdde76fda7c674b8bb735f6fa63f5be2
novacpx/panel/api/endpoints/webmail.php
T
myron 6fdccc6dbd feat: items #9-13 — password change, webmail SSO, DKIM live, file manager security, cache busting 
#9  auth.php: add self-service change-password action (current+new+confirm)
    accounts.php: fix admin change-password — accept account_id, fetch username
    for chpasswd (was using int ID), add Auth::require('admin') guard
    user.js: add Change Password page + navItem + submitChangePassword()

#10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash
    webmail.php: rewrite login-url to use webmail_sso_tokens table
    novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit)
    Migration 005: add enc_password column + webmail_sso_tokens table

#11 opendkim: installed, configured (/etc/opendkim.conf, signing.table,
    key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/,
    Postfix milter wired, service enabled+running, key generation verified

#12 files.php: fix safe_path() for non-existent paths (write/mkdir),
    add safe_path_new() helper using parent-dir realpath check,
    fix delete guard (block deleting account root dirs),
    fix rename destination, clamp chmod to 0777

#13 nova.js: api() handles network errors, 429 rate-limit with retry-after,
    non-JSON responses (PHP fatal pages) — graceful error instead of throw
    admin/user/reseller index.php: filemtime-based cache-busting on all assets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 01:19:33 +00:00

67 lines
2.8 KiB
PHP
Raw Blame History

<?php
/**
* Webmail endpoint — Roundcube integration + SSO
*/
require_once NOVACPX_LIB . '/EmailManager.php';
$db = DB::getInstance();
$body = json_decode(file_get_contents('php://input'), true) ?? [];
$user = Auth::getInstance()->user();
match ($action) {
'url' => (function() use ($db, $body, $user) {
$accountId = $user['role'] === 'user'
? (int)($db->fetchOne("SELECT id FROM accounts WHERE user_id = ?", [$user['uid']])['id'] ?? 0)
: (int)($body['account_id'] ?? 0);
$acct = $db->fetchOne("SELECT * FROM accounts WHERE id = ?", [$accountId]);
if (!$acct) Response::error("Account not found");
$host = $_SERVER['HTTP_HOST'] ?? 'localhost';
$hostname = preg_replace('/:\d+$/', '', $host);
$rcUrl = "https://{$hostname}:" . PORT_WEBMAIL . "/";
$installed = file_exists('/usr/share/roundcube/index.php');
Response::success([
'url' => $rcUrl,
'installed' => $installed,
]);
})(),
'install' => (function() {
Auth::getInstance()->require('admin');
$logFile = '/var/log/novacpx/webmail-install.log';
$cmd = 'apt-get install -y roundcube roundcube-mysql php8.3-intl > ' . escapeshellarg($logFile) . ' 2>&1';
shell_exec("nohup bash -c " . escapeshellarg($cmd) . " &");
Response::success(['log' => $logFile], 'Webmail install started');
})(),
'login-url' => (function() use ($db, $body, $user) {
$emailAccount = $db->fetchOne(
"SELECT ea.*, a.user_id FROM email_accounts ea JOIN accounts a ON a.id = ea.account_id WHERE ea.id = ?",
[(int)($body['email_id'] ?? 0)]
);
if (!$emailAccount) Response::error("Email account not found");
// Users can only SSO into their own email accounts
if ($user['role'] === 'user' && (int)$emailAccount['user_id'] !== (int)$user['uid']) {
Response::error('Forbidden', 403);
}
if (empty($emailAccount['enc_password'])) Response::error("SSO not available for this account — password must be reset");
// Create short-lived SSO token
$token = bin2hex(random_bytes(24));
$db->execute(
"DELETE FROM webmail_sso_tokens WHERE expires_at < NOW()"
);
$db->execute(
"INSERT INTO webmail_sso_tokens (token, email, enc_pass, expires_at) VALUES (?,?,?,DATE_ADD(NOW(), INTERVAL 60 SECOND))",
[hash('sha256', $token), $emailAccount['email'], $emailAccount['enc_password']]
);
$host = $_SERVER['HTTP_HOST'] ?? 'localhost';
$hostname = preg_replace('/:\d+$/', '', $host);
Response::success([
'url' => "https://{$hostname}:" . PORT_WEBMAIL . "/novacpx-sso.php?t=" . urlencode($token),
]);
})(),
default => Response::error("Unknown webmail action: $action", 404),
};
Reference in New Issue View Git Blame Copy Permalink