Version 1.4.9: Password recovery and security middleware

2025-08-06 14:16:46 +02:00 · 2021-09-28 12:56:29 +02:00
parent eb16fe52a4
commit f279afe888
27 changed files with 1027 additions and 269 deletions
--- a/system/Models/Helpers.php
+++ b/system/Models/Helpers.php
@@ -2,27 +2,51 @@

 namespace Typemill\Models;

+use Typemill\Models\Write;
+
 class Helpers{

-	public static function printTimer($timer)
+	public static function getUserIP()
 	{
-		$lastTime = NULL;
-		$table = '<html><body><table>';
-		$table .= '<tr><th>Breakpoint</th><th>Time</th><th>Duration</th></tr>';
-		foreach($timer as $breakpoint => $time)
+		$client  = @$_SERVER['HTTP_CLIENT_IP'];
+		$forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
+		$remote  = $_SERVER['REMOTE_ADDR'];
+
+		if(filter_var($client, FILTER_VALIDATE_IP))
 		{
-			$duration = $time - $lastTime;
-			
-			$table .= '<tr>';
-			$table .= '<td>' . $breakpoint . '</td>';
-			$table .= '<td>' . $time . '</td>';
-			$table .= '<td>' . $duration . '</td>';
-			$table .= '</tr>';
-			
-			$lastTime = $time;
+			$ip = $client;
 		}
-		$table .= '</table></body></html>';
-		echo $table;
+		elseif(filter_var($forward, FILTER_VALIDATE_IP))
+		{
+			$ip = $forward;
+		}
+		else
+		{
+			$ip = $remote;
+		}
+
+		return $ip;
+	}
+
+	public static function addLogEntry($action)
+	{
+		$line 		= self::getUserIP();
+		$line 		.= ';' . date("Y-m-d H:i:s");
+		$line 		.= ';' . $action;
+
+		$write 		= new Write();
+		$logfile 	= $write->getFile('cache', 'securitylog.txt');
+
+		if($logfile)
+		{
+			$logfile .= $line . PHP_EOL;
+		}
+		else
+		{
+			$logfile = $line . PHP_EOL;
+		}
+		
+		$write->writeFile('cache', 'securitylog.txt', $logfile);
 	}

 	public static function array_sort($array, $on, $order=SORT_ASC)
@@ -59,4 +83,25 @@ class Helpers{

 		return $new_array;
 	}
+
+	public static function printTimer($timer)
+	{
+		$lastTime = NULL;
+		$table = '<html><body><table>';
+		$table .= '<tr><th>Breakpoint</th><th>Time</th><th>Duration</th></tr>';
+		foreach($timer as $breakpoint => $time)
+		{
+			$duration = $time - $lastTime;
+			
+			$table .= '<tr>';
+			$table .= '<td>' . $breakpoint . '</td>';
+			$table .= '<td>' . $time . '</td>';
+			$table .= '<td>' . $duration . '</td>';
+			$table .= '</tr>';
+			
+			$lastTime = $time;
+		}
+		$table .= '</table></body></html>';
+		echo $table;
+	}	
 }
--- a/system/Models/User.php
+++ b/system/Models/User.php
@@ -21,12 +21,11 @@ class User extends WriteYaml
 			$usernames[] = str_replace('.yaml', '', $userfile);
 		}

-
 		usort($usernames, 'strnatcasecmp');

 		return $usernames;
 	}
-	
+
 	public function getUser($username)
 	{
 		$user = $this->getYaml('settings/users', $username . '.yaml');
@@ -39,7 +38,7 @@ class User extends WriteYaml
 		unset($user['password']);
 		return $user;
 	}
-	
+
 	public function createUser($params)
 	{
 		$params['password'] = $this->generatePassword($params['password']);
@@ -52,6 +51,34 @@ class User extends WriteYaml
 		}
 		return false;
 	}
+
+	public function unsetFromUser($username, $keys)
+	{
+		if(empty($keys))
+		{
+			return false;
+		}
+
+		$userdata = $this->getUser($username);
+
+		if(!$userdata)
+		{
+			return false;
+		}
+		
+		foreach($keys as $key)
+		{
+			if(isset($userdata[$key]))
+			{
+				unset($userdata[$key]);
+			}
+		}
+	
+		$this->updateYaml('settings/users', $userdata['username'] . '.yaml', $userdata);
+		
+		return true;
+	}
+
 	
 	public function updateUser($params)
 	{
@@ -75,7 +102,6 @@ class User extends WriteYaml

 		# cleanup data here
 		
-		
 		$this->updateYaml('settings/users', $userdata['username'] . '.yaml', $update);

 		$this->deleteUserIndex();
@@ -110,12 +136,11 @@ class User extends WriteYaml
 	
 	public function login($username)
 	{
-		$user = $this->getUser($username);
+		$user = $this->getSecureUser($username);

 		if($user)
 		{
 			$user['lastlogin'] = time();
-			unset($user['password']);

 			$_SESSION['user'] 	= $user['username'];
 			$_SESSION['role'] 	= $user['userrole'];
@@ -132,6 +157,11 @@ class User extends WriteYaml
 			
 			# update user last login
 			$this->updateUser($user);
+
+			if(isset($user['recovertoken']) OR isset($user['recoverdate']))
+			{
+				$this->unsetFromUser($user['username'], ['recovertoken', 'recoverdate']);
+			}
 		}
 	}
 	
--- a/system/Models/Validation.php
+++ b/system/Models/Validation.php
@@ -261,6 +261,23 @@ class Validation
 		return $this->validationResult($v);
 	}

+	/**
+	* validation for password recovery
+	* 
+	* @param array $params with form data.
+	* @return obj $v the validation object passed to a result method.
+	*/
+	
+	public function recoverPassword(array $params)
+	{
+		$v = new Validator($params);
+		$v->rule('required', ['password', 'passwordrepeat']);
+		$v->rule('lengthBetween', 'password', 5, 20);
+		$v->rule('equals', 'passwordrepeat', 'password');
+		
+		return $this->validationResult($v);
+	}
+
 	/**
 	* validation for system settings
 	* 
@@ -285,6 +302,11 @@ class Validation
 		$v->rule('in', 'copyright', $copyright);
 		$v->rule('noHTML', 'restrictionnotice');
 		$v->rule('lengthBetween', 'restrictionnotice', 2, 1000 );
+		$v->rule('email', 'recoverfrom');
+		$v->rule('noHTML', 'recoversubject');
+		$v->rule('lengthBetween', 'recoversubject', 2, 80 );
+		$v->rule('noHTML', 'recovermessage');
+		$v->rule('lengthBetween', 'recovermessage', 2, 1000 );
 		$v->rule('iplist', 'trustedproxies');

 		return $this->validationResult($v, $name);