<?php

// Plugin bootstrap: the SQL helpers and the plugin's own settings.
require_once 'SQL/sql.php';
require_once 'SQL/settings.php';

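class sql_auth
{
	public $name = "SQLAuth";
	public $author = "Valware";
	public $version = "1.0";
	public $description = "Provides a User Auth and Management Panel with an SQL backend";

	/**
	 * Registers the plugin: makes sure the tables exist, attaches every hook
	 * this plugin serves, and seeds the configured default account when it
	 * does not exist yet.
	 */
	function __construct()
	{
		self::create_tables();
		Hook::func(HOOKTYPE_NAVBAR, 'sql_auth::add_navbar');
		Hook::func(HOOKTYPE_PRE_HEADER, 'sql_auth::session_start');
		Hook::func(HOOKTYPE_OVERVIEW_CARD, 'sql_auth::add_overview_card');
		Hook::func(HOOKTYPE_FOOTER, 'sql_auth::add_footer_info');
		Hook::func(HOOKTYPE_USER_LOOKUP, 'sql_auth::get_user');
		Hook::func(HOOKTYPE_USERMETA_ADD, 'sql_auth::add_usermeta');
		Hook::func(HOOKTYPE_USERMETA_DEL, 'sql_auth::del_usermeta');
		Hook::func(HOOKTYPE_USERMETA_GET, 'sql_auth::get_usermeta');

		// we've got a default account in the settings file
		if (defined('SQL_DEFAULT_USER') && isset(SQL_DEFAULT_USER['username'], SQL_DEFAULT_USER['password']))
		{
			$lkup = new PanelUser(SQL_DEFAULT_USER['username']);

			if (!$lkup->id) // doesn't exist, add it with full privileges
			{
				// The password is whatever the settings file holds; it is the
				// operator's job to change it after the first login.
				create_new_user(["user_name" => SQL_DEFAULT_USER['username'], "user_pass" => SQL_DEFAULT_USER['password']]);
			}
		}
	}

	/**
	 * Navbar hook: adds this plugin's entries to the page list.
	 *
	 * @param array|null $pages page title => relative URL, by reference; set
	 *                          to NULL (no navigation at all) when nobody is
	 *                          logged in
	 * @return void
	 */
	public static function add_navbar(&$pages)
	{
		if (!unreal_get_current_user())
		{
			$pages = NULL;
			return;
		}
		$pages["Panel Access"] = "plugins/sql_auth/";
		if (isset($_SESSION['id']))
		{
			$pages["Logout"] = "login/?logout=true";
		}
	}

	/**
	 * Footer hook: prints the panel version, but only to an authenticated user.
	 *
	 * @param mixed $empty unused hook argument
	 * @return void
	 */
	public static function add_footer_info($empty)
	{
		if (!unreal_get_current_user())
			return;

		echo "<code>Admin Panel v" . WEBPANEL_VERSION . "</code>";
	}

	/**
	 * Pre-header hook: starts the PHP session and enforces authentication.
	 *
	 * An unauthenticated request is redirected to the login page, or to the
	 * plugin's error page when security_check() flags the client. A session
	 * whose user no longer exists is destroyed and sent back to the login
	 * page. On every redirect this calls die() after header(), so it does not
	 * return to the caller.
	 *
	 * @param mixed $n unused hook argument
	 * @return void
	 */
	public static function session_start($n)
	{
		// HTTPS is unset (or "off") on plain-HTTP requests; the original
		// compared it unguarded and tripped an undefined-index notice.
		$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

		if (!isset($_SESSION))
		{
			// Same one-hour lifetime as before. The cookie is additionally
			// marked HttpOnly, and Secure when the request itself came over
			// TLS; path and domain keep whatever php.ini configures.
			session_set_cookie_params(
				3600,
				ini_get('session.cookie_path'),
				ini_get('session.cookie_domain'),
				$https,
				true
			);
			session_start();
		}

		// NOTE(review): this logs the whole session array, i.e. the user id
		// and anything other plugins store in it; consider trimming it.
		do_log($_SESSION);

		if (!isset($_SESSION['id']))
		{
			// Where to send the user back to after a successful login.
			// HTTP_HOST is client-supplied, so the login page must validate
			// the "redirect" value before following it.
			$scheme = $https ? "https://" : "http://";
			$current_url = $scheme . ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['REQUEST_URI'] ?? '');

			// A flagged client goes to the error page instead of the login
			// page, unless the error page itself is being served (which would
			// otherwise redirect to itself forever).
			$script = basename($_SERVER['SCRIPT_FILENAME'] ?? '');
			if (security_check() && $script !== "error.php")
			{
				header("Location: " . BASE_URL . "plugins/sql_auth/error.php");
				die();
			}
			header("Location: " . BASE_URL . "login/?redirect=" . urlencode($current_url));
			die();
		}

		$user = unreal_get_current_user();
		if (!$user || !$user->id) // user no longer exists
		{
			session_destroy();
			header("Location: " . BASE_URL . "login");
			die();
		}
		// you'll be automatically logged out after one hour of inactivity
	}

	/**
	 * Create the tables we'll be using in the SQLdb
	 *
	 * Every statement is CREATE TABLE IF NOT EXISTS, so this is safe to run on
	 * each construction; an existing table is never altered. Ends by
	 * constructing AuthSettings, as before.
	 *
	 * @return void
	 */
	public static function create_tables()
	{
		$conn = sqlnew();
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "users (
			user_id int AUTO_INCREMENT NOT NULL,
			user_name VARCHAR(255) NOT NULL,
			user_pass VARCHAR(255) NOT NULL,

			user_fname VARCHAR(255),
			user_lname VARCHAR(255),
			user_bio VARCHAR(255),
			created VARCHAR(255),
			PRIMARY KEY (user_id)
		)");
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "user_meta (
			meta_id int AUTO_INCREMENT NOT NULL,
			user_id int NOT NULL,
			meta_key VARCHAR(255) NOT NULL,
			meta_value VARCHAR(255),
			PRIMARY KEY (meta_id)
		)");
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "auth_settings (
			id int AUTO_INCREMENT NOT NULL,
			setting_key VARCHAR(255) NOT NULL,
			setting_value VARCHAR(255),
			PRIMARY KEY (id)
		)");
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "fail2ban (
			id int AUTO_INCREMENT NOT NULL,
			ip VARCHAR(255) NOT NULL,
			count VARCHAR(255),
			PRIMARY KEY (id)
		)");
		new AuthSettings();
	}

	/**
	 * Overview-card hook: renders a card with the number of panel users and a
	 * link to the user management page.
	 *
	 * @param object $stats hook argument, by reference; not used here
	 * @return void
	 */
	public static function add_overview_card(object &$stats) : void
	{
		// Cast so the value written into the page is always a plain integer
		// (fetchColumn() returns a string, or false if the query failed).
		$num_of_panel_admins = (int) sqlnew()->query("SELECT COUNT(*) FROM " . SQL_PREFIX . "users")->fetchColumn();
		?>

		<div class="container mt-5">

			<div class="row">
				<div class="col-sm-3">
					<div class="card text-center">
						<div class="card-header bg-success text-white">
							<div class="row">
								<div class="col">
									<i class="fa fa-lock-open fa-3x"></i>
								</div>
								<div class="col">
									<h3 class="display-4"><?php echo $num_of_panel_admins; ?></h3>
								</div>
							</div>
						</div>
						<div class="card-body">
							<div class="row">
								<div class="col">
									<h6>Panel Users</h6>
								</div>
								<div class="col"> <a class="btn btn-primary" href="<?php echo BASE_URL; ?>plugins/sql_auth/">View</a></div>
							</div>
						</div>
					</div>
				</div>
			</div>
		</div>
		<?php
	}

	/**
	 * User-lookup hook: fills $u['object'] with the panel user matching
	 * $u['id'] (preferred) or, failing that, $u['name'] (case-insensitive).
	 *
	 * When nothing matches, $u['object'] is an empty stdClass without ->id.
	 * The populated object carries the stored password hash in ->passhash;
	 * it is there for verification and must not be rendered into a page.
	 *
	 * @param array $u ['id' => int|null, 'name' => string|null], by reference
	 * @return void
	 */
	public static function get_user(&$u)
	{
		$id = $u['id'] ?? NULL;
		$name = $u['name'] ?? NULL;
		$conn = sqlnew();
		$prep = NULL;

		if ($id)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE user_id = :id LIMIT 1");
			$prep->execute(["id" => $id]);
		}
		elseif ($name)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE LOWER(user_name) = :name LIMIT 1");
			$prep->execute(["name" => strtolower($name)]);
		}

		$obj = (object) [];
		// LIMIT 1 above: a single fetch() is all there can be.
		$row = $prep ? $prep->fetch() : false;
		if ($row)
		{
			$obj->id = $row['user_id'];
			$obj->username = $row['user_name'];
			$obj->passhash = $row['user_pass'];
			$obj->first_name = $row['user_fname'] ?? NULL;
			$obj->last_name = $row['user_lname'] ?? NULL;
			$obj->created = $row['created'];
			$obj->bio = $row['user_bio'];
			$obj->user_meta = (new PanelUser_Meta($obj->id))->list;
		}
		$u['object'] = $obj;
	}

	/**
	 * Usermeta-get hook: loads every meta row of user $u['id'] into
	 * $u['meta'] as meta_key => meta_value. Does nothing without an id
	 * (the original would have called fetchAll() on an unset statement).
	 *
	 * @param array $u ['id' => int, 'meta' => array], by reference
	 * @return void
	 */
	public static function get_usermeta(&$u)
	{
		$list = &$u['meta'];
		if (!isset($u['id']))
			return;

		$prep = sqlnew()->prepare("SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id");
		$prep->execute(["id" => $u['id']]);
		foreach ($prep->fetchAll() as $row)
		{
			$list[$row['meta_key']] = $row['meta_value'];
		}
	}

	/**
	 * Usermeta-add hook: inserts a meta row for a user, or updates it when a
	 * row with that key already exists.
	 *
	 * @param array $meta ['id' => int, 'key' => string, 'value' => string], by reference
	 * @return bool true when PDO reports an affected row; note that some
	 *              drivers report 0 rows for an UPDATE to the identical value,
	 *              in which case this returns false as the original did
	 */
	public static function add_usermeta(&$meta)
	{
		$conn = sqlnew();
		// Bind exactly the three placeholders the statements use; handing the
		// whole array to execute() would fail on any extra key it carries.
		$params = [
			"id" => $meta['id'] ?? NULL,
			"key" => $meta['key'] ?? NULL,
			"value" => $meta['value'] ?? NULL,
		];

		/* check if it exists first, update it if it does */
		$stmt = $conn->prepare("SELECT meta_id FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key LIMIT 1");
		$stmt->execute(["id" => $params['id'], "key" => $params['key']]);
		$exists = $stmt->fetchColumn() !== false;

		$query = $exists
			? "UPDATE " . SQL_PREFIX . "user_meta SET meta_value = :value WHERE user_id = :id AND meta_key = :key"
			: "INSERT INTO " . SQL_PREFIX . "user_meta (user_id, meta_key, meta_value) VALUES (:id, :key, :value)";
		$stmt = $conn->prepare($query);
		$stmt->execute($params);
		return $stmt->rowCount() > 0;
	}

	/**
	 * Usermeta-delete hook: removes one meta row of a user.
	 *
	 * @param array $u ['meta' => ['id' => int, 'key' => string]], by reference
	 * @return bool true when a row was deleted, false otherwise (including
	 *              when id or key is missing)
	 */
	public static function del_usermeta(&$u)
	{
		if (!isset($u['meta']['id'], $u['meta']['key']))
			return false;

		$stmt = sqlnew()->prepare("DELETE FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key");
		$stmt->execute(["id" => $u['meta']['id'], "key" => $u['meta']['key']]);
		return $stmt->rowCount() > 0;
	}
}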
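/**
 * Decides whether the client at REMOTE_ADDR should be kept away from the
 * login page.
 *
 * True when the address is listed on one of the configured DNSBLs. The
 * fail2ban branch is consulted too, but fail2ban_check() is still an empty
 * stub in this file, so it never trips today.
 *
 * @return bool
 */
function security_check()
{
	$ip = $_SERVER['REMOTE_ADDR'] ?? '';
	if (dnsbl_check($ip))
		return true;

	// Always false until fail2ban_check() is implemented (it returns null).
	return (bool) fail2ban_check($ip);
}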
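/**
 * Looks an IPv4 address up in the configured DNS blocklists (the DNSBL
 * constant, one zone per entry).
 *
 * @param string $ip dotted-quad client address
 * @return string|null the last blocklist zone that listed the address, or
 *                     NULL when it is unlisted, empty, not IPv4, or in the
 *                     exempt 192.168.x.x / 127.0.x.x ranges
 */
function dnsbl_check($ip)
{
	// no address given, nothing to look up
	if (!$ip) { return NULL; }

	// Only an IPv4 address can be reversed octet by octet for a DNSBL query;
	// anything else used to produce a meaningless lookup name.
	if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) { return NULL; }

	// exempt local connections because sometimes they get a false positive.
	// This compares the first two octets; the original read elements 1 and 2
	// of the split, which appear to be the second and third octets, so the
	// exemption looks like it never matched.
	$octets = explode(".", $ip);
	$prefix = $octets[0] . "." . $octets[1] . ".";
	if ($prefix == "192.168." || $prefix == "127.0.") { return NULL; }

	// DNSBLs are queried as <reversed address>.<zone>.
	$reverse_ip = implode(".", array_reverse($octets));

	$listed = NULL;
	foreach ((array) DNSBL as $host) {
		if (checkdnsrr($reverse_ip . "." . $host . ".", "A")) {
			// remember the hit; a later zone overrides an earlier one
			$listed = $host;
		}
	}

	// NULL when safe, otherwise the zone it was listed on
	return $listed;
}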
/**
 * Placeholder for the fail2ban lookup. Nothing is implemented yet, so every
 * address is reported as not banned.
 *
 * @param string $ip client address (currently ignored)
 * @return null
 */
function fail2ban_check($ip)
{
	return NULL;
}