Improve session init and timeout handling #915

wants to merge 24 commits into
base: develop
3 changes: 1 addition & 2 deletions bbbeasy-backend/app/config/access.ini
Expand Up @@ -49,10 +49,9 @@ allow GET @settings_collect = *
allow PUT @recording_publish = *
allow POST @settings_save_logo = *


allow GET @getuser = *



allow GET @file = *

; notification routes
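Review bot: The alias in the new rule `allow GET @getuser = *` does not match the alias the route is registered under in routes.ini (`@users_getuser`), so the rule likely never applies to `/api/getuser` and the outcome falls to the access plugin's default policy for unmatched routes. The two names should be identical, e.g. `allow GET @users_getuser = *`. It is also worth confirming that `*` is intended here: the handler returns account details and the session expiry, so it should still only be reachable by a logged-in subject, which this rule leaves entirely to the handler's own `beforeroute`.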
2 changes: 1 addition & 1 deletion bbbeasy-backend/app/config/routes.ini
Expand Up @@ -59,10 +59,10 @@ GET @roles_permissions_collect : /api/roles-permissions = Actions\RolesPermissio

; users routes
GET @users_index : /api/users = Actions\Users\Index->show
GET @users_getuser : /api/getuser = Actions\Users\Edit->getuser
POST @users_add : /api/users = Actions\Users\Add->save
PUT @users_edit : /api/users/@id = Actions\Users\Edit->save
DELETE @user_delete : /api/users/@id = Actions\Users\Delete->execute

; presets routes
GET @presets_index : /api/presets/@user_id = Actions\Presets\Index->show
POST @presets_add : /api/presets = Actions\Presets\Add->save
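Review bot: The new route `GET @users_getuser : /api/getuser = Actions\Users\Edit->getuser` departs from the `/api/users...` resource paths used by its neighbours and attaches a read-only "current user" lookup to the Edit action, so the lookup inherits Edit's `beforeroute` and whatever privilege semantics that action carries. A path under the users resource served by its own small action would keep the REST layout consistent and make the endpoint's access rule independent of the edit action's. The alias must also match the one used in access.ini, which currently reads `@getuser`.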
10 changes: 5 additions & 5 deletions bbbeasy-backend/app/src/Actions/Account/Login.php
Expand Up @@ -94,22 +94,22 @@ private function login($email, $password, $errorMessage): void
--$user->password_attempts;
$user->save();
$this->logger->error($errorMessage, ['email' => $email]);
$this->renderJson(['message' => 'Invalid credentials provided, try again'], ResponseCode::HTTP_BAD_REQUEST);
$this->renderJson(['message' => 'Invalid credentials provided, try again'], ResponseCode::HTTP_OK);
} elseif ($user->valid() && 0 === $user->password_attempts || 1 === $user->password_attempts) {
$user->password_attempts = 0;
$user->status = UserStatus::INACTIVE;
$user->save();
$this->logger->error($errorMessage, ['email' => $email]);
$this->renderJson(['message' => 'Your account has been locked because you have reached the maximum number of invalid sign-in attempts. You can contact the administrator or click here to receive an email containing instructions on how to unlock your account'], ResponseCode::HTTP_BAD_REQUEST);
$this->renderJson(['message' => 'Your account has been locked because you have reached the maximum number of invalid sign-in attempts. You can contact the administrator or click here to receive an email containing instructions on how to unlock your account'], ResponseCode::HTTP_OK);
} elseif ($user->valid() && (UserStatus::PENDING === $user->status || UserStatus::INACTIVE === $user->status)) {
$this->logger->error($errorMessage, ['email' => $email]);
$this->renderJson(['message' => 'Your account is not active. Please contact your administrator'], ResponseCode::HTTP_BAD_REQUEST);
$this->renderJson(['message' => 'Your account is not active. Please contact your administrator'], ResponseCode::HTTP_OK);
} elseif ($user->valid() && UserStatus::DELETED === $user->status) {
$this->logger->error($errorMessage, ['email' => $email]);
$this->renderJson(['message' => 'Your account has been disabled for violating our terms'], ResponseCode::HTTP_BAD_REQUEST);
$this->renderJson(['message' => 'Your account has been disabled for violating our terms'], ResponseCode::HTTP_OK);
} elseif (!$user->valid()) {
$this->logger->error($errorMessage, ['email' => $email]);
$this->renderJson(['message' => 'Invalid credentials provided, try again'], ResponseCode::HTTP_BAD_REQUEST);
$this->renderJson(['message' => 'Invalid credentials provided, try again'], ResponseCode::HTTP_OK);
}
}
}
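Review bot: Every failed-login branch in this hunk now answers with `ResponseCode::HTTP_OK` in place of `HTTP_BAD_REQUEST` (assuming the second line of each pair is the new side; the page has lost the +/- markers), so a wrong password, a locked account and a disabled account all come back as 200 with only the message text telling them apart. Clients, reverse proxies and any rate limiting or alerting keyed on status codes can then no longer distinguish a failed sign-in from a successful one, and the frontend has to parse prose to find out. If the motivation was to stop the UI treating the reply as a transport error, a 401 status with the same structured body is the conventional answer (use the matching constant in `ResponseCode` if one is defined there; otherwise keep 400). `login()` begins before this hunk, so the branch that handles a successful sign-in is not visible here.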
14 changes: 13 additions & 1 deletion bbbeasy-backend/app/src/Actions/Base.php
Expand Up @@ -111,6 +111,15 @@ public function __construct()

public function beforeroute(): void
{


if($this->session->isLoggedIn()&&!$this->session->getSession(session_id())){

$this->session->revokeUser();

$this->f3->error(401);
die();
}
$this->access->authorize($this->getRole(), function($route, $subject): void {
$this->onAccessAuthorizeDeny($route, $subject);
});
Expand All @@ -125,12 +134,15 @@ public function beforeroute(): void
$uri = preg_replace('/\/' . $this->f3->get('PARAMS.page') . '$/', '/1', $uri);
$this->f3->reroute($uri);
}

}

public function onAccessAuthorizeDeny($route, $subject): void
{
$this->logger->warning('Access denied to route ' . $route . ' for subject ' . ($subject ?: 'unknown'));
$this->f3->error(404);
$this->session->revokeUser();
$this->f3->error(401);
die();
}

/**
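Review bot: `onAccessAuthorizeDeny` now revokes the session and answers 401 for every authorization miss, including a logged-in subject whose role simply lacks the route — that case is a 403 (authenticated but forbidden), and terminating the session for it logs out a legitimate user the moment a stale frontend calls a route the role may not use. Splitting on the session state keeps the new behaviour for anonymous callers only: `if (!$this->session->isLoggedIn()) { $this->session->revokeUser(); $this->f3->error(401); } else { $this->f3->error(403); }`. The `die()` after `$this->f3->error(401)` here and at the top of `beforeroute` is presumably there because it was unclear whether `error()` halts; if the framework's halt setting already does, the `die()` is dead code, and if it does not, the action-level `beforeroute` overrides added elsewhere in this PR lack it and would fall through into the handler. `beforeroute` continues past this hunk, and the new check at its top uses `session_id()` which only has meaning for the SQL-backed session store.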
22 changes: 21 additions & 1 deletion bbbeasy-backend/app/src/Actions/Roles/Add.php
Expand Up @@ -35,7 +35,27 @@
class Add extends BaseAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['roles'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
/**
* @param mixed $f3
* @param mixed $params
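Review bot: The new `beforeroute` override replaces `Actions\Base::beforeroute` without calling `parent::beforeroute()`, so this route no longer passes through `$this->access->authorize(...)` or the session-validity check that this same PR adds to the base class; the same override is repeated in Roles/Delete.php, Roles/Edit.php, Roles/Index.php, Users/Add.php, Users/Delete.php, Users/Index.php and (with the permission test commented out) Users/Edit.php. The check is also coarse: `isset($permissions['roles'])` passes any role holding at least one `roles` permission regardless of whether it is add, edit or delete, so the copies would be better as one shared helper that takes the required permission name and starts with `parent::beforeroute();`. `$this->f3->error(401)` is not followed by `return` or `die()` here, unlike Base.php, so whether the handler still executes after a denial depends on the framework halting — confirm. Only Roles/Index.php and Users/Edit.php show a `use Models\User;` import being added; confirm `User` resolves in the other files. Style: `$Infos` and `$user_id` break the file's camelCase, and `if (` / `else{` spacing differs from the surrounding code.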
22 changes: 21 additions & 1 deletion bbbeasy-backend/app/src/Actions/Roles/Delete.php
Expand Up @@ -31,6 +31,26 @@
class Delete extends DeleteAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['roles'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
protected $deleteMethodName = 'delete';
}
22 changes: 21 additions & 1 deletion bbbeasy-backend/app/src/Actions/Roles/Edit.php
Expand Up @@ -36,7 +36,27 @@
class Edit extends BaseAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['roles'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
/**
* @param mixed $f3
* @param mixed $params
24 changes: 22 additions & 2 deletions bbbeasy-backend/app/src/Actions/Roles/Index.php
Expand Up @@ -25,14 +25,34 @@
use Actions\Base as BaseAction;
use Actions\RequirePrivilegeTrait;
use Models\Role;

use Models\User;
/**
* Class Index.
*/
class Index extends BaseAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['roles'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
/**
* @param mixed $f3
* @param mixed $params
22 changes: 21 additions & 1 deletion bbbeasy-backend/app/src/Actions/Users/Add.php
Expand Up @@ -36,7 +36,27 @@
class Add extends BaseAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['users'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
/**
* @param \Base $f3
* @param array $params
22 changes: 21 additions & 1 deletion bbbeasy-backend/app/src/Actions/Users/Delete.php
Expand Up @@ -31,6 +31,26 @@
class Delete extends DeleteAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['users'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
protected $deleteMethodName = 'delete';
}
48 changes: 46 additions & 2 deletions bbbeasy-backend/app/src/Actions/Users/Edit.php
Expand Up @@ -29,14 +29,34 @@
use Models\User;
use Respect\Validation\Validator;
use Validation\DataChecker;

use Models\UserSession;
/**
* Class Edit.
*/
class Edit extends BaseAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

/*if(!is_array($permissions)||!isset($permissions['users'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}*/

}
}
/**
* @param \Base $f3
* @param array $params
Expand Down Expand Up @@ -125,4 +145,28 @@ public function loadData($id): User

return $user;
}
public function getuser($f3, $params)
{

$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$userInfos = [
'id' => $Infos->id,
'username' => $Infos->username,
'email' => $Infos->email,
'role' => $Infos->role->name,
'avatar' => $Infos->avatar,
'permissions' => $Infos->role->getRolePermissions(),
];
$userSession = new UserSession();
$sessionInfos = [
'PHPSESSID' => session_id(),
'expires' => $userSession->getSessionExpirationTime(session_id()),
];

$this->renderJson(['user' => $userInfos, 'session' => $sessionInfos]);
}
}
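Review bot: `getuser` writes the current session identifier into the JSON body (`'PHPSESSID' => session_id()`), which makes a value otherwise carried only in the cookie readable by any script running in the page; if the session cookie is HttpOnly this undoes that protection, and the client does not need the id to manage its own session because the browser already sends it. Returning only the expiry keeps the timeout feature: `$sessionInfos = ['expires' => $userSession->getSessionExpirationTime(session_id())];`. In `beforeroute` the permission test is left commented out (`/*if(!is_array($permissions)...*/`), so the `else` branch now performs a user lookup whose result is discarded — either delete the dead block together with the lookup or restore the check. `getuser` also lacks the `: void` return type the surrounding methods declare and would benefit from a docblock noting that it reads `user.id` from the session and what the `session` element of the response contains.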
23 changes: 22 additions & 1 deletion bbbeasy-backend/app/src/Actions/Users/Index.php
Expand Up @@ -33,7 +33,27 @@
class Index extends BaseAction
{
use RequirePrivilegeTrait;

public function beforeroute(): void
{
if ( null === $this->session->get('user')) {
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}
else{
$user = new User();
$user_id = $this->session->get('user.id');

$Infos=$user->getById($user_id);

$permissions = $Infos->role->getRolePermissions();

if(!is_array($permissions)||!isset($permissions['users'])){
$this->logger->warning('Access denied to route ');
$this->f3->error(401);
}

}
}
/**
* @param \Base $f3
* @param array $params
Expand All @@ -49,4 +69,5 @@ public function show($f3, $params): void
$this->logger->debug('collecting users', ['users' => json_encode($users)]);
$this->renderJson(['users' => $users, 'states' => $states]);
}

}
12 changes: 12 additions & 0 deletions bbbeasy-backend/app/src/Core/Session.php
Expand Up @@ -54,6 +54,7 @@ class Session extends \Prefab
*/
public function __construct(SQL $db = null, $table = 'sessions', $force = false, $onsuspect = null, $key = null)
{
$this->db = $db ?: \Registry::get('db');
$this->f3 = \Base::instance();
$this->initLogger();
if ('CACHE' === $table) {
Expand Down Expand Up @@ -99,7 +100,18 @@ public function set($key, $value): void
$this->f3->set('SESSION.' . $key, $value);
$this->f3->sync('SESSION');
}
public function getSession($sessionId)

This is still problematic in production mode since session data is stored in redis in production environment.

{

$result = $this->db->exec('SELECT expires FROM users_sessions where session_id = :session', [':session' => $sessionId]);


if (count($result)<1) {
return false;
}

return true;
}
/**
* @param mixed $key
*
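Review bot: `getSession` selects `expires` but only tests whether a row exists, so a session whose expiry has passed but whose row has not yet been purged is still reported as valid, and `Base::beforeroute`, which relies on this return value, will not time it out. Compare the stored expiry with the current time, e.g. `return count($result) > 0 && strtotime((string) $result[0]['expires']) > time();` (adjust if `expires` is stored as an epoch integer rather than a datetime string). A `bool` return type and a name that says what the method answers (`hasActiveSession`, say) would make the contract clearer than `getSession`, which reads as though it returns session data. The table name `users_sessions` is hard-coded here while the constructor takes a `$table` argument — confirm that the two are meant to differ.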