added session revocation and settings menu for security measures
This commit is contained in:
@ -1,5 +1,8 @@
|
||||
<?php
|
||||
|
||||
require_once __DIR__ . '/../lib/settings.php';
|
||||
require_once __DIR__ . '/../lib/login_rate_limit.php';
|
||||
|
||||
switch ($route) {
|
||||
|
||||
case 'auth/login':
|
||||
@ -15,6 +18,12 @@ case 'auth/login':
|
||||
json_error('MISSING_FIELDS', 'Username and password are required', 400);
|
||||
}
|
||||
|
||||
$securitySettings = qdb_settings_get();
|
||||
[$allowed, $retryAfter] = qdb_login_rate_limit_check($username, $securitySettings);
|
||||
if (!$allowed) {
|
||||
qdb_login_rate_limit_deny($retryAfter);
|
||||
}
|
||||
|
||||
try {
|
||||
[$pdo, $tmpDb, $lockFp] = qdb_open_read_or_fail();
|
||||
$stmt = $pdo->prepare(
|
||||
@ -26,9 +35,15 @@ case 'auth/login':
|
||||
|
||||
if (!$user || !password_verify($password, $user['passwordHash'])) {
|
||||
qdb_discard($tmpDb, $lockFp);
|
||||
$retryAfter = qdb_login_rate_limit_record_failure($username, $securitySettings);
|
||||
if ($retryAfter > 0) {
|
||||
qdb_login_rate_limit_deny($retryAfter);
|
||||
}
|
||||
json_error('INVALID_CREDENTIALS', 'Invalid username or password', 401);
|
||||
}
|
||||
|
||||
qdb_login_rate_limit_clear($username);
|
||||
|
||||
$assignedClients = [];
|
||||
if (($user['role'] ?? '') === 'coach' && ($user['entityID'] ?? '') !== '') {
|
||||
$cStmt = $pdo->prepare(
|
||||
@ -47,7 +62,7 @@ case 'auth/login':
|
||||
|
||||
if ((int)$user['mustChangePassword'] === 1) {
|
||||
$tempToken = bin2hex(random_bytes(32));
|
||||
token_add($tempToken, 10 * 60, [
|
||||
token_add($tempToken, qdb_session_ttl_seconds($securitySettings, true), [
|
||||
'role' => $user['role'],
|
||||
'entityID' => $user['entityID'],
|
||||
'userID' => $user['userID'],
|
||||
@ -62,7 +77,7 @@ case 'auth/login':
|
||||
}
|
||||
|
||||
$token = bin2hex(random_bytes(32));
|
||||
token_add($token, 30 * 24 * 60 * 60, [
|
||||
token_add($token, qdb_session_ttl_seconds($securitySettings, false), [
|
||||
'role' => $user['role'],
|
||||
'entityID' => $user['entityID'],
|
||||
'userID' => $user['userID'],
|
||||
@ -149,9 +164,11 @@ case 'auth/change-password':
|
||||
|
||||
qdb_save($tmpDb, $lockFp);
|
||||
|
||||
$securitySettings = qdb_settings_get();
|
||||
|
||||
// Issue a fresh session for this browser only
|
||||
$newToken = bin2hex(random_bytes(32));
|
||||
token_add($newToken, 30 * 24 * 60 * 60, [
|
||||
token_add($newToken, qdb_session_ttl_seconds($securitySettings, false), [
|
||||
'role' => $user['role'],
|
||||
'entityID' => $user['entityID'],
|
||||
'userID' => $user['userID'],
|
||||
|
||||
Reference in New Issue
Block a user