ulogger-server/auth.php

<?php
/* μlogger
 *
 * Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)
 *
 * This is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

if (defined('headless')) {
  if (ob_get_level()) {
    ob_end_clean();
  }
  error_reporting(0);
}
define('ROOT_DIR', __DIR__);
require_once(ROOT_DIR . "/helpers/config.php");
require_once(ROOT_DIR . "/lang.php");
require_once(ROOT_DIR . "/helpers/user.php");

session_name('ulogger');
session_start();
$sid = session_id();

// check for forced login to authorize admin in case of public access
$force_login = isset($_REQUEST['force_login']) ? $_REQUEST['force_login'] : false;
if ($force_login) {
  uConfig::$require_authentication = true;
}

$user = new uUser();
$user->getFromSession();
if (!$user->isValid && (uConfig::$require_authentication || defined('client'))) {
  /* authentication */
  $login = isset($_REQUEST['user']) ? $_REQUEST['user'] : NULL;
  $pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;
  $ssl = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") ? "http" : "https";
  $auth_error = isset($_REQUEST['auth_error']) ? $_REQUEST['auth_error'] : false;

  if (!$login) {
    // not authenticated and username not submited
    // load form
    if (defined('headless')) {
      header('WWW-Authenticate: OAuth realm="users@ulogger"');
      header('HTTP/1.1 401 Unauthorized', true, 401);
    } else {
      print
    '<!DOCTYPE html>
    <html>
      <head>
        <title>' . $lang["title"] . '</title>
        <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
        <meta name="viewport" content="initial-scale=1.0, user-scalable=no">
        <link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">
        <link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">
        <link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">
        <link rel="manifest" href="manifest.json">
        <link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">
        <link rel="shortcut icon" href="icons/favicon.ico">
        <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&amp;subset=cyrillic" rel="stylesheet">
        <meta name="msapplication-config" content="browserconfig.xml">
        <meta name="theme-color" content="#ffffff">
        <link rel="stylesheet" type="text/css" href="css/main.css">
        <script type="text/javascript">
        function focus() {
          document.forms[0].elements[0].focus();
        }
        </script>
      </head>
      <body onload="focus()">
        <div id="login">
          <div id="title">' . $lang["title"] . '</div>
          <div id="subtitle">' . $lang["private"] . '</div>
          <form action="index.php" method="post">
          ' . $lang["username"] . ':<br>
          <input type="text" name="user"><br>
          ' . $lang["password"] . ':<br>
          <input type="password" name="pass"><br>
          <br>
          <input type="submit" value="' . $lang["login"] . '">
          ' . (($force_login) ? '<input type="hidden" name="force_login" value="1">
          <div id="cancel"><a href="index.php">' . $lang["cancel"] . '</a></div>' : '') . '
          </form>
          <div id="error">' . (($auth_error) ? $lang["authfail"] : "") . '</div>
        </div>
      </body>
    </html>';
    }
    exit();
  } else {
    // username submited
    $user = new uUser($login);

    //correct pass
    if ($user->isValid && $user->validPassword($pass)) {
      // login successful
      //delete old session
      $_SESSION = NULL;
      session_destroy();
      // start new session
      session_name('ulogger');
      session_start();
      $user->storeInSession();
      $url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");
      header("Location: $ssl://$url");
    } else {
      // unsuccessful
      $error = "?auth_error=1";
      if ($force_login) { $error .= "&force_login=1"; }
      // destroy session
      $_SESSION = NULL;
      if (isset($_COOKIE[session_name('ulogger')])) {
        setcookie(session_name('ulogger'), '', time() - 42000, '/');
      }
      session_destroy();
      if (defined('headless')) {
        header('WWW-Authenticate: OAuth realm="users@ulogger"');
        header('HTTP/1.1 401 Unauthorized', true, 401);
      } else {
        $url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");
        header("Location: $ssl://$url$error");
      }
    }
    exit();
  }
  /* end of authentication */
}
?>
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`<?php`
ulogger beta version 2017-01-30 21:36:44 +01:00			`/* μlogger`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`*`
ulogger beta version 2017-01-30 21:36:44 +01:00			`* Copyright(C) 2017 Bartek Fabiszewski (www.fabiszewski.net)`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`*`
			`* This is free software; you can redistribute it and/or modify it under`
Fix copyright notice 2017-04-07 00:05:28 +02:00			`* the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 3 of the License, or`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful, but`
			`* WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* General Public License for more details.`
			`*`
Fix copyright notice 2017-04-07 00:05:28 +02:00			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, see <http://www.gnu.org/licenses/>.`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`*/`
Update phpdoc, minor formatting 2017-04-09 23:35:55 +02:00
Import: improve error handling 2017-05-09 15:25:16 +02:00			`if (defined('headless')) {`
Prevent warnings when buffering is disabled 2017-06-24 11:58:40 +02:00			`if (ob_get_level()) {`
			`ob_end_clean();`
			`}`
Import: improve error handling 2017-05-09 15:25:16 +02:00			`error_reporting(0);`
			`}`
			`define('ROOT_DIR', __DIR__);`
Reorganize files into subfolders 2017-04-11 17:00:40 +02:00			`require_once(ROOT_DIR . "/helpers/config.php");`
			`require_once(ROOT_DIR . "/lang.php");`
			`require_once(ROOT_DIR . "/helpers/user.php");`
Fix: some resources were insecure when using ssl 2016-10-29 14:05:13 +02:00
Allow for authentication in case of public access 2017-03-16 14:11:01 +01:00			`session_name('ulogger');`
			`session_start();`
			`$sid = session_id();`

			`// check for forced login to authorize admin in case of public access`
Better handle ajax errors 2017-05-19 10:59:27 +02:00			`$force_login = isset($_REQUEST['force_login']) ? $_REQUEST['force_login'] : false;`
Allow for authentication in case of public access 2017-03-16 14:11:01 +01:00			`if ($force_login) {`
Use static initializer in uConfig class 2017-04-18 09:25:21 +02:00			`uConfig::$require_authentication = true;`
Allow for authentication in case of public access 2017-03-16 14:11:01 +01:00			`}`

Refactor user handling to use helper classes 2017-04-06 18:07:15 +02:00			`$user = new uUser();`
			`$user->getFromSession();`
Fix regression: ajax calls require authentication with public access 2017-05-09 21:54:43 +02:00			`if (!$user->isValid && (uConfig::$require_authentication \|\| defined('client'))) {`
Allow for authentication in case of public access 2017-03-16 14:11:01 +01:00			`/* authentication */`
Better handle ajax errors 2017-05-19 10:59:27 +02:00			`$login = isset($_REQUEST['user']) ? $_REQUEST['user'] : NULL;`
			`$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : NULL;`
			`$ssl = (!isset($_SERVER['HTTPS']) \|\| $_SERVER['HTTPS'] == "" \|\| $_SERVER['HTTPS'] == "off") ? "http" : "https";`
			`$auth_error = isset($_REQUEST['auth_error']) ? $_REQUEST['auth_error'] : false;`
Fix: some resources were insecure when using ssl 2016-10-29 14:05:13 +02:00
Code cleanup 2017-04-10 22:46:56 +02:00			`if (!$login) {`
Refactor user handling to use helper classes 2017-04-06 18:07:15 +02:00			`// not authenticated and username not submited`
Update phpdoc, minor formatting 2017-04-09 23:35:55 +02:00			`// load form`
ulogger beta version 2017-01-30 21:36:44 +01:00			`if (defined('headless')) {`
Include WWW-Authenticate header with 401 response 2017-04-24 14:47:25 +02:00			`header('WWW-Authenticate: OAuth realm="users@ulogger"');`
ulogger beta version 2017-01-30 21:36:44 +01:00			`header('HTTP/1.1 401 Unauthorized', true, 401);`
			`} else {`
			`print`
			`'<!DOCTYPE html>`
			`<html>`
			`<head>`
Code cleanup 2017-04-10 22:46:56 +02:00			`<title>' . $lang["title"] . '</title>`
			`<meta http-equiv="Content-type" content="text/html;charset=UTF-8">`
			`<meta name="viewport" content="initial-scale=1.0, user-scalable=no">`
Add icon links to login page 2017-04-13 08:58:40 +02:00			`<link rel="apple-touch-icon" sizes="180x180" href="icons/apple-touch-icon.png">`
			`<link rel="icon" type="image/png" href="icons/favicon-32x32.png" sizes="32x32">`
			`<link rel="icon" type="image/png" href="icons/favicon-16x16.png" sizes="16x16">`
			`<link rel="manifest" href="manifest.json">`
			`<link rel="mask-icon" href="icons/safari-pinned-tab.svg" color="#5bbad5">`
			`<link rel="shortcut icon" href="icons/favicon.ico">`
Small interface tweaks 2017-04-15 13:41:21 +02:00			`<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i&subset=cyrillic" rel="stylesheet">`
Add icon links to login page 2017-04-13 08:58:40 +02:00			`<meta name="msapplication-config" content="browserconfig.xml">`
			`<meta name="theme-color" content="#ffffff">`
Reorganize files into subfolders 2017-04-11 17:00:40 +02:00			`<link rel="stylesheet" type="text/css" href="css/main.css">`
ulogger beta version 2017-01-30 21:36:44 +01:00			`<script type="text/javascript">`
			`function focus() {`
			`document.forms[0].elements[0].focus();`
			`}`
			`</script>`
			`</head>`
			`<body onload="focus()">`
			`<div id="login">`
Code cleanup 2017-04-10 22:46:56 +02:00			`<div id="title">' . $lang["title"] . '</div>`
			`<div id="subtitle">' . $lang["private"] . '</div>`
ulogger beta version 2017-01-30 21:36:44 +01:00			`<form action="index.php" method="post">`
Code cleanup 2017-04-10 22:46:56 +02:00			`' . $lang["username"] . ':<br>`
			`<input type="text" name="user"><br>`
			`' . $lang["password"] . ':<br>`
			`<input type="password" name="pass"><br>`
			`<br>`
			`<input type="submit" value="' . $lang["login"] . '">`
Better handle ajax errors 2017-05-19 10:59:27 +02:00			`' . (($force_login) ? '<input type="hidden" name="force_login" value="1">`
			`<div id="cancel"><a href="index.php">' . $lang["cancel"] . '</a></div>' : '') . '`
ulogger beta version 2017-01-30 21:36:44 +01:00			`</form>`
Better handle ajax errors 2017-05-19 10:59:27 +02:00			`<div id="error">' . (($auth_error) ? $lang["authfail"] : "") . '</div>`
ulogger beta version 2017-01-30 21:36:44 +01:00			`</div>`
			`</body>`
			`</html>';`
			`}`
			`exit();`
Refactor user handling to use helper classes 2017-04-06 18:07:15 +02:00			`} else {`
			`// username submited`
			`$user = new uUser($login);`
add admin user 2014-04-01 17:28:27 +11:00
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`//correct pass`
Refactor user handling to use helper classes 2017-04-06 18:07:15 +02:00			`if ($user->isValid && $user->validPassword($pass)) {`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`// login successful`
			`//delete old session`
			`$_SESSION = NULL;`
Fix: some resources were insecure when using ssl 2016-10-29 14:05:13 +02:00			`session_destroy();`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`// start new session`
ulogger beta version 2017-01-30 21:36:44 +01:00			`session_name('ulogger');`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`session_start();`
Refactor user handling to use helper classes 2017-04-06 18:07:15 +02:00			`$user->storeInSession();`
Code cleanup 2017-04-10 22:46:56 +02:00			`$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");`
Features: simple admin menu, public tracks 2017-02-17 16:41:39 +01:00			`header("Location: $ssl://$url");`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`} else {`
			`// unsuccessful`
			`$error = "?auth_error=1";`
Better handle ajax errors 2017-05-19 10:59:27 +02:00			`if ($force_login) { $error .= "&force_login=1"; }`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`// destroy session`
			`$_SESSION = NULL;`
ulogger beta version 2017-01-30 21:36:44 +01:00			`if (isset($_COOKIE[session_name('ulogger')])) {`
Code cleanup 2017-04-10 22:46:56 +02:00			`setcookie(session_name('ulogger'), '', time() - 42000, '/');`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`}`
Fix: some resources were insecure when using ssl 2016-10-29 14:05:13 +02:00			`session_destroy();`
ulogger beta version 2017-01-30 21:36:44 +01:00			`if (defined('headless')) {`
Include WWW-Authenticate header with 401 response 2017-04-24 14:47:25 +02:00			`header('WWW-Authenticate: OAuth realm="users@ulogger"');`
ulogger beta version 2017-01-30 21:36:44 +01:00			`header('HTTP/1.1 401 Unauthorized', true, 401);`
			`} else {`
Code cleanup 2017-04-10 22:46:56 +02:00			`$url = str_replace("//", "/", $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']) . "/index.php");`
ulogger beta version 2017-01-30 21:36:44 +01:00			`header("Location: $ssl://$url$error");`
			`}`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`}`
Refactor user handling to use helper classes 2017-04-06 18:07:15 +02:00			`exit();`
add admin user 2014-04-01 17:28:27 +11:00			`}`
phpTrackme 1.0 2013-06-19 13:27:14 +02:00			`/* end of authentication */`
			`}`
			`?>`