Overview: use the live feed only, don't initially set anything.
This avoids duplicate code and also makes the page load faster
on high latency connections.
Channel list: Run StripControlCharacters() on the topic
The alternative would be irc2html() from
https://github.com/unrealircd/unrealircd-webpanel/pull/24
but not so sure about that... it makes colors and other markup
done by random users show quite prominently on an admin panel.
Make API pages return empty data / die when server is not available.
This fixes annoying JS popup in "Users" and "Server bans" when the
IRC server is down.
Add simple way to deal with IRC server configuration required.
This handles the "no_irc_server_required" property on $pages.
Also renames "url" property to "script" in $pages in previous commit,
since it points to the script page (e.g. server-bans/index.php).
It will automatically strip /index.php if possible.
Use responsive datatables in Users view: automatic column priority etc.
* Actually on mobile this seems to have a glitch: it shows one column too
many, which corrects itself as soon as you scroll.
* On a big screen the "Oper" and "Secure" columns are still not shown
even though they could be. Then again, those columns are not really
important so may be scratched altogether.
* If all this turns out not to work too well, then we can always
revert the changes to users/index.php, I guess.
Disable autocomplete in setup pages for user/password of SQL and RPC as these
have nothing to do with the web login so it is only confusing.
Still allow autocomplete for the "Create account" thing though, e.g. for devs
doing repeated setups.
unrealircd::rpc_password is now encrypted with secret::key (XChaCha20-Poly1305-IETF)
Again, the purpose is so if any bad person gets a copy of your DB then the
stored RPC password is still useless since they also need your config/config.php.
Old unencrypted unrealircd::rpc_password entries are automatically
encrypted (upgraded).
Similar to previous commit 6b08fcb99e66665e7e4f345702915d7192fcd27b
this means you cannot blindly 'rm config/config.php' and then expect
your existing DB to still work with a random new (and different) key.
The config file now contains 'secrets' with 'pepper' that is used for
hashing passwords in the database. This means a hacker now needs to
have config.php to attack the (hashed) passwords in the database.
This may not be very meaningful if the DB backend is file_auth, but
can be useful for example if the backend is sql_auth and your database
backup (mysqldump) gets leaked.
We automatically create the secrets (like pepper) and automatically
upgrade password hashes to use pepper while each user logs in.
This does need write access to config/config.php while upgrading, though.
The hashed passwords in the database will have the prefix "peppered:"
if they have been upgraded to use pepper.
A side-effect of this is that you cannot blindly 'rm config/config.php'
and start the installation over again while keeping your old database.
This is because the hashed passwords in the existing database were created
with an old pepper value and the new setup would create a random new
pepper value, making the hashes worthless (and wrong).
This mostly matters for devs though, but it is something for testers
to be aware of as well.
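
The upgrade-on-login flow described in the commit message above, as an added PHP 8 example that is not unrealircd-webpanel code. The function names and the HMAC-SHA256-then-`password_hash()` construction are assumptions; the page only states that a pepper from config/config.php is used and that upgraded hashes carry the "peppered:" prefix.

```php
<?php
// Added illustration, not the project's implementation. Assumed construction:
// HMAC-SHA256(password, pepper) is fed into password_hash().
const PEPPER_PREFIX = 'peppered:';

function pepper_password(string $password, string $pepper): string
{
    // Base64 keeps the HMAC output free of NUL bytes, which would truncate bcrypt input.
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

function hash_peppered(string $password, string $pepper): string
{
    return PEPPER_PREFIX . password_hash(pepper_password($password, $pepper), PASSWORD_DEFAULT);
}

// Returns [login_ok, replacement_hash]; replacement_hash is non-null only when
// a legacy (unpeppered) entry verified and should be rewritten in the database.
function verify_and_upgrade(string $password, string $stored, string $pepper): array
{
    if (str_starts_with($stored, PEPPER_PREFIX)) {
        $hash = substr($stored, strlen(PEPPER_PREFIX));
        return [password_verify(pepper_password($password, $pepper), $hash), null];
    }
    // Legacy entry: verify without pepper, then upgrade while the plaintext is in hand.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    return [true, hash_peppered($password, $pepper)];
}

// Constructed sample data: a random pepper and one legacy database entry.
$pepper = random_bytes(32);
$legacy = password_hash('correct horse', PASSWORD_DEFAULT);

// First login after the change: succeeds and yields a "peppered:" hash to store.
[$ok, $upgraded] = verify_and_upgrade('correct horse', $legacy, $pepper);
var_dump($ok, str_starts_with($upgraded, PEPPER_PREFIX));

// Later logins verify against the peppered hash.
[$okAgain] = verify_and_upgrade('correct horse', $upgraded, $pepper);
var_dump($okAgain);

// Regenerated config (new random pepper) with the old database: the same
// password no longer verifies, which is the 'rm config/config.php' side-effect.
[$okNewPepper] = verify_and_upgrade('correct horse', $upgraded, random_bytes(32));
var_dump($okNewPepper);
```
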
Move all the rest of session management outside sqlauth/fileauth as well.
This may also mean we now require either module loaded, have not checked,
but that is the plan anyway ;)
If there is a special page that should be accessed without being logged
in, add it to page_requires_no_login(). Similar to page_requires_no_config().
Add per-user session timeout setting (under Settings 'Accounts' -> select acc).
There's a small catch-22 with sessions in the sense that we must set the cookie
timeout before we start the session, and thus before we know which user it is,
and thus before we know the preferred maximum session time.
So we set the cookie with a timeout of 86400 (1 day), since we don't really use
the cookie anyway, we use the /api/timeout.php script and the
$_SESSION['last-activity'] and $_SESSION['session_timeout'] variables.
This also moves all the session_start() stuff to a single function that is
only called in two places (in upper layer, not like by sql or file auth).
Settings - Accounts - acc: horizontally align the settings fields.
For table user_meta: ADD CONSTRAINT meta_key_user_id UNIQUE(meta_key,user_id)
So we can use INSERT INTO ... ON DUPLICATE KEY UPDATE ....
at a later stage.
Move RPC config to DB instead of in config.php.
This is so that later we can easily manage multiple servers etc. and also
simply because it technically is not required to be in config.php ;).
Setup major reshuffle: split up in pre-auth: backend & user creation, and
the rest in post-auth (after user is logged in).
This is because:
1) It is safer, the process without a user configured is kept short
2) Easier for the user, so they can have the first step go well,
even if they are stuck at the post-auth step (RPC).
This is even more important if we would later expand the setup step
with more questions/options/etc.
This ALSO mutilates Valware's magnificent on both JS and the dialogs ;P
Minimize config/config.php and put settings in DB. This is work in progress.
config/config.php is no longer meant to be edited by hand and will
only contain the bare minimum of config that needs to be in a file.
All the rest will be in the DB (either SQL or db file).
Various todo items and actual db-based settings read/write untested.
Fix issue in installation page that leads to failed SQL table creation at the end.
We now don't use placeholder but set a value for 127.0.0.1 and port 8600.
TODO: detect if empty in the form and give an error ;)
Make the overview a little tidier as discussed on IRC.
This pulls the cards over to the left, which I feel looks neater aligned with the sidebar.
Also made the cards on each row match the max size to look more aligned.