WKVS_gitea/WKVS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Überarbeitete Version der 1. Version. Es bestehen noch grosse Feher in einzelnen Skripten.

Browse Source
This commit is contained in:
Fabio Herzig
2026-04-18 23:45:17 +02:00
parent a51fd9dbeb
commit 3731183654
85 changed files with 2965 additions and 3371 deletions
Download Patch File Download Diff File Expand all files Collapse all files

551
www/intern/otlogin.php
View File

@@ -6,190 +6,317 @@ error_reporting(E_ALL);
use Dotenv\Dotenv;
if (session_status() !== PHP_SESSION_ACTIVE) session_start();
if (!isset($baseDir)) {
$baseDir = $_SERVER['DOCUMENT_ROOT'];
}
require_once $baseDir . '/../scripts/session_functions.php';
ini_wkvs_session(true);
$oturl = $_GET['otl'] ?? '';
if (!$oturl) {
http_response_code(403);
http_response_code(404);
exit;
}
if (!isset($baseDir)) {
$baseDir = $_SERVER['DOCUMENT_ROOT'];
}
require $baseDir . '/../scripts/db/db-functions.php';
require $baseDir . '/../scripts/db/db-tables.php';
$error = '';
function logIn() {
class otl {
global $baseDir;
private function connectToDB() {
$iduser = intval($_POST['user_id']);
global $mysqli, $baseDir;
if (isset($mysqli)) { return $mysqli; }
// security: user must have passed one-time-login first
if (empty($_SESSION['set_new_password_id_user']) || empty($_SESSION['set_new_password_granted']) || $_SESSION['set_new_password_id_user'] !== $iduser || $_SESSION['set_new_password_granted'] !== true) {
http_response_code(403);
exit;
$_SESSION['access_granted_db_otl'] = true;
$type = 'otl';
// DB
$dbconnection = require $baseDir .'/../scripts/db/db-verbindung-script.php';
if ($dbconnection['success'] !== true){
return "DB Error";
}
$_SESSION['access_granted_db_otl'] = false;
return $mysqli;
}
$type = 'otl';
// DB
$dbconnection = require $baseDir .'/../scripts/db/db-verbindung-script.php';
if ($dbconnection['success'] !== true){
return "DB Error";
}
require $baseDir . '/../scripts/db/db-tables.php';
require $baseDir . '/../composer/vendor/autoload.php';
$envFile = realpath($baseDir . '/../config/.env.pw-encryption-key');
if ($envFile === false) {
http_response_code(500);
echo json_encode([
'success' => false,
'message' => "Environment file not found"
]);
exit;
}
try {
$envDir = dirname($envFile);
private function pwProcessing() {
$dotenv = Dotenv::createImmutable($envDir, '.env.pw-encryption-key');
$dotenv->load();
} catch (Throwable $e) {
http_response_code(500);
echo json_encode([
'success' => false,
'message' => "Dotenv error"
]);
global $baseDir;
require $baseDir . '/../composer/vendor/autoload.php';
$envFile = realpath($baseDir . '/../config/.env.pw-encryption-key');
if ($envFile === false) {
http_response_code(500);
echo json_encode([
'success' => false,
'message' => "Environment file not found"
]);
exit;
}
try {
$envDir = dirname($envFile);
$dotenv = Dotenv::createImmutable($envDir, '.env.pw-encryption-key');
$dotenv->load();
} catch (Throwable $e) {
http_response_code(500);
echo json_encode([
'success' => false,
'message' => "Dotenv error"
]);
}
$password = trim($_POST['password1']);
$passwordRep = trim($_POST['password2']);
if ($password === '' || $passwordRep === '') {
return 'Beide Felder müssen ausgefüllt sein';
}
if ($password !== $passwordRep) {
return 'Beide Passwörter müssen identisch sein';
}
$hash = password_hash($password, PASSWORD_ARGON2ID);
$iv_length = openssl_cipher_iv_length('aes-256-cbc');
$iv = random_bytes($iv_length);
$encrypted = openssl_encrypt(
'SET_BY_OTL',
'aes-256-cbc',
$_ENV['PW_ENCRYPTION_KEY'],
0,
$iv
);
$cipher_store = base64_encode($iv . $encrypted);
return ['success' => true, 'hash' => $hash, 'encpw' => $cipher_store];
}
public function logIn(int $id) {
$password = trim($_POST['password1']);
$password2 = trim($_POST['password2']);
if ($password === '' || $password2 === '') {
return 'Beide Felder müssen ausgefüllt sein';
global $baseDir;
$mysqli = $this->connectToDB();
require $baseDir . '/../scripts/db/db-tables.php';
// delete the one-time token
if (!isset($_SESSION['otl_dbid'])) {
return 'Interner Fehler';
}
$dbid = intval($_SESSION['otl_dbid']);
$stmt = $mysqli->prepare("DELETE FROM $tableOTL WHERE id = ?");
$stmt->bind_param("i", $dbid);
if (!$stmt->execute()) {
return "DB Error";
}
$stmt->close();
$sql = "SELECT freigabe FROM $tableInternUsers WHERE id = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
$freigabe = $row['freigabe'];
$stmt->close();
$mysqli->close();
unset($_SESSION['set_new_password_id_user'], $_SESSION['set_new_password_granted'], $_SESSION['otl_dbid']);
$freigabenArray = json_decode($freigabe, true) ?? [];
$freigabenTypeArray = $freigabenArray['types'] ?? [];
if (count($freigabenTypeArray) > 0) {
$_SESSION = array();
session_destroy();
session_start();
}
foreach ($freigabenTypeArray as $freigabeType){
$_SESSION['access_granted_'.$freigabeType] = true;
$_SESSION['user_id_'.$freigabeType] = $id;
}
var_dump($_SESSION);
if (in_array('wk_leitung', $freigabenTypeArray)) {
header("Location: /intern/wk-leitung/logindata");
exit;
} elseif (in_array('trainer', $freigabenTypeArray)) {
header("Location: /intern/trainer");
exit;
} elseif (in_array('kampfrichter', $freigabenTypeArray)) {
header("Location: /intern/kampfrichter");
exit;
} else {
return 'Dieser Benutzer hat keine Berechtigungen.';
}
}
if ($password !== $password2) {
return 'Beide Passwörter müssen identisch sein';
}
public function resetPW() {
$hash = password_hash($password, PASSWORD_ARGON2ID);
global $baseDir;
$iv_length = openssl_cipher_iv_length('aes-256-cbc');
$iv = random_bytes($iv_length);
$iduser = intval($_POST['user_id']);
$encrypted = openssl_encrypt(
'SET_BY_OTL',
'aes-256-cbc',
$_ENV['PW_ENCRYPTION_KEY'],
0,
$iv
);
$cipher_store = base64_encode($iv . $encrypted);
// security: user must have passed one-time-login first
if (empty($_SESSION['set_new_password_id_user']) || empty($_SESSION['set_new_password_granted']) || $_SESSION['set_new_password_id_user'] !== $iduser || $_SESSION['set_new_password_granted'] !== true) {
http_response_code(403);
exit;
}
// update password
$updateResult = db_update($mysqli, $tableInternUsers, ['password_hash' => $hash, 'password_cipher' => $cipher_store, 'edited_by' => 'otlogin'], ['id' => $iduser]);
if ($updateResult === false) {
return 'Passwork konnte nicht neu gesetzt werden';
require $baseDir . '/../scripts/db/db-tables.php';
$mysqli = $this->connectToDB();
$pwArray = $this->pwProcessing();
if (!isset($pwArray['success']) || !$pwArray['success']) {
return 'Passwort konnte nicht verarbeitet werden';
}
// update password
$updateResult = db_update($mysqli, $tableInternUsers, ['password_hash' => $pwArray['hash'] ?? '', 'password_cipher' => $pwArray['encpw'] ?? '', 'edited_by' => 'otlogin'], ['id' => $iduser]);
if ($updateResult === false) {
return 'Passwork konnte nicht neu gesetzt werden';
}
// delete the one-time token
if (!isset($_SESSION['otl_dbid'])) {
return 'Interner Fehler';
}
$dbid = intval($_SESSION['otl_dbid']);
$stmt = $mysqli->prepare("DELETE FROM $tableOTL WHERE id = ?");
$stmt->bind_param("i", $dbid);
if (!$stmt->execute()) {
return "DB Error";
}
$stmt->close();
$this->logIn($iduser);
}
// delete the one-time token
if (!isset($_SESSION['otl_dbid'])) {
return 'Interner Fehler';
}
public function createUser() {
$dbid = intval($_SESSION['otl_dbid']);
global $baseDir;
$stmt = $mysqli->prepare("DELETE FROM $tableOTL WHERE id = ?");
$stmt->bind_param("i", $dbid);
$iduser = intval($_POST['user_id']);
if (!$stmt->execute()) {
return "DB Error";
}
if (empty($_SESSION['set_new_user_id_user']) || empty($_SESSION['set_new_user_granted']) || $_SESSION['set_new_user_id_user'] !== $iduser || $_SESSION['set_new_user_granted'] !== true) {
http_response_code(403);
exit;
}
$stmt->close();
require $baseDir . '/../scripts/db/db-tables.php';
$sql = "SELECT freigabe FROM $tableInternUsers WHERE id = ?";
$mysqli = $this->connectToDB();
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("i", $iduser);
$stmt->execute();
$arrayDB = [];
$result = $stmt->get_result();
$row = $result->fetch_assoc();
if (isset($_POST['password1'], $_POST['password2'])) {
$pwArray = $this->pwProcessing();
$freigabe = $row['freigabe'];
$stmt->close();
if (!isset($pwArray['success']) || !$pwArray['success']) {
return 'Passwort konnte nicht verarbeitet werden';
}
$mysqli->close();
$arrayDB[] = ["name" => 'password_hash', "value" => $pwArray['hash']];
$arrayDB[] = ["name" => 'password_cipher', "value" => $pwArray['encpw']];
}
unset($_SESSION['set_new_password_id_user'], $_SESSION['set_new_password_granted'], $_SESSION['otl_dbid']);
if (isset($_POST['username'])) {
$arrayDB[] = ["name" => 'username', "value" => htmlspecialchars(trim($_POST['username']))];
}
$freigabenArray = json_decode($freigabe, true) ?? [];
$freigabenTypeArray = $freigabenArray['types'] ?? [];
if (isset($_POST['name_person'])) {
$arrayDB[] = ["name" => 'name_person', "value" => htmlspecialchars(trim($_POST['name_person']))];
}
if (count($freigabenTypeArray) > 0) {
$_SESSION = array();
session_destroy();
session_start();
}
// --- NEW LOGIC TO UTILIZE $arrayDB ---
foreach ($freigabenTypeArray as $freigabeType){
$_SESSION['access_granted_'.$freigabeType] = true;
$_SESSION['passcode'.$freigabeType.'_id'] = $iduser;
}
$updateData = [
'edited_by' => 'otlogin',
'login_active' => 1
];
if (in_array('wk_leitung', $freigabenTypeArray)) {
header("Location: /intern/wk-leitung/logindata");
exit;
} elseif (in_array('trainer', $freigabenTypeArray)) {
header("Location: /intern/trainer");
exit;
} elseif (in_array('kampfrichter', $freigabenTypeArray)) {
header("Location: /intern/kampfrichter");
exit;
} else {
return 'Dieser Benutzer hat keine Berechtigungen.';
// Convert the $arrayDB list into a flat associative array
if (!empty($arrayDB)) {
foreach ($arrayDB as $entry) {
$updateData[$entry['name']] = $entry['value'];
}
}
// Execute update using the dynamically built array
$updateResult = db_update(
$mysqli,
$tableInternUsers,
$updateData,
['id' => $iduser]
);
if ($updateResult === false) {
return 'Nutzer konnte nicht aktualisiert werden';
}
$this->logIn($iduser);
}
}
$pwClass = New otl();
/* ============================================================
PASSWORD SET ON POST
============================================================ */
if (isset($_POST['password1'], $_POST['password2'], $_POST['setpasswordbtn'], $_POST['user_id'])) { $error = logIn() ?? ''; }
/* ============================================================
ONE-TIME-LOGIN VALIDATION (GET)
============================================================ */
$token = "QQa2UMbEYW8oOL7wz9DjtqECVCikSZsDuSdmzxiadEXFsKyujEUyQOW1AYMD2OqU8VXxClIRweRuWLzvBrZpPYL41e89Rs96tM7Lq1KpjA5E2mg2UfgvztheGRV";
require $baseDir .'/../scripts/db/db-verbindung-script-guest.php';
// fetch one-time login record
$result = db_select(
$guest,
$tableOTL,
'id, user_id',
'id, user_id, `type`',
'url = ? AND timestamp >= NOW() - INTERVAL 24 HOUR',
[$oturl]
);
if (!$result || count($result) !== 1) {
echo 'forbidden';
http_response_code(403);
exit;
}
@@ -197,26 +324,56 @@ if (!$result || count($result) !== 1) {
$dbid = intval($result[0]['id']);
$iduser = intval($result[0]['user_id']);
if (isset($_POST['password1'], $_POST['password2'], $_POST['setpasswordbtn'], $_POST['user_id']) && $result[0]['type'] === 'pwreset') { $error = $pwClass->resetPW() ?? ''; }
elseif (isset($_POST['setpasswordbtn'], $_POST['user_id']) && $result[0]['type'] === 'create_profile') { $error = $pwClass->createUser() ?? ''; }
// store dbid for later deletion
$_SESSION['otl_dbid'] = $dbid;
$tableusers = 'wp_secure_lock';
// fetch user
$userinfo = db_select($guest, $tableInternUsers, 'username', 'id = ?', [$iduser]);
$guest->close();
if (!$userinfo || count($userinfo) !== 1) {
echo 'Ungültige Benutzerinformationen';
exit;
if ($result[0]['type'] === 'login') {
$pwClass->logIn($iduser);
}
$username = $userinfo[0]['username'];
if ($result[0]['type'] === 'pwreset') {
$userinfo = db_select($guest, $tableInternUsers, 'username', 'id = ?', [$iduser]);
$username = $userinfo[0]['username'];
if (!$userinfo || count($userinfo) !== 1) {
echo 'Ungültige Benutzerinformationen';
exit;
}
// set session token that grants password reset
$_SESSION['set_new_password_id_user'] = $iduser;
$_SESSION['set_new_password_granted'] = true;
$hasUsername = true;
$hasName = true;
// set session token that grants password reset
$_SESSION['set_new_password_id_user'] = $iduser;
$_SESSION['set_new_password_granted'] = true;
} elseif ($result[0]['type'] === 'create_profile') {
$userinfo = db_select($guest, $tableInternUsers, 'username, `password_hash`, `name_person`', 'id = ?', [$iduser]);
if (!$userinfo || count($userinfo) !== 1) {
echo 'Ungültige Benutzerinformationen';
exit;
}
$hasPW = $userinfo[0]['password_hash'] !== null;
$hasUsername = $userinfo[0]['username'] !== '';
$username = $userinfo[0]['username'];
$hasName = $userinfo[0]['name_person'] !== '';
unset($userinfo);
// set session token that grants password reset
$_SESSION['set_new_user_id_user'] = $iduser;
$_SESSION['set_new_user_granted'] = true;
}
// fetch user
$guest->close();
?>
@@ -230,6 +387,7 @@ $_SESSION['set_new_password_granted'] = true;
<script src="/intern/js/jquery/jquery-3.7.1.min.js"></script>
<link href="/files/fonts/fonts.css" rel="stylesheet">
<link href="/intern/css/otl.css" rel="stylesheet">
<script src="/intern/js/custom-msg-display.js"></script>
</head>
@@ -244,6 +402,18 @@ $_SESSION['set_new_password_granted'] = true;
<p style="font-weight:400; line-height: 1.5; margin-bottom: 50px;">
</p>
<form method="post">
<?php if (!$hasUsername) : ?>
<label for="username">Benutzername</label><br>
<div class="divShowPw">
<input type="text" name="username" id="username" placeholder="Benutzername" required>
</div><br>
<?php endif; ?>
<?php if (!$hasName) : ?>
<label for="name_person">Name</label><br>
<div class="divShowPw">
<input type="text" name="name_person" id="name_person" placeholder="Max Muster" required>
</div><br>
<?php endif; ?>
<label for="password1">Neues Passwort eingeben</label><br>
<div class="divShowPw">
<input type="password" name="password1" id="password1" placeholder="Passwort" required>
@@ -277,129 +447,6 @@ $_SESSION['set_new_password_granted'] = true;
<a class="seclog_home_link" href="/"><img src="/intern/img/logo-normal.png" width="64" height="64"></a>
<style>
body{
overflow: hidden;
}
.page-secure-login{
display: flex;
}
.bg-picture-secure-login{
width: calc(100vw - 450px);
height: 100vh;
position: absolute;
left: 0px;
top: 0px;
}
.bg-picture-secure-login img{
width: 100%;
height: 100vh;
object-fit: cover;
}
.bg-secure-login{
display: flex;
width: 100vw;
max-width: 450px;
height: 100vh;
background-color: #fff;
position: absolute;
right: 0px;
top: 0px;
align-items: center;
padding: 30px;
}
.bg-secure-login-form > h1{
color: #000 !important;
font-size: 32px;
}
.bg-secure-login-form input[type=password], .bg-secure-login-form input[type=text]{
padding: 5px;
width: 100%;
max-width: 300px;
border-top: none !important;
border-left: none !important;
border-right: none !important;
font-size: 16px;
border-bottom: 1px solid #000 !important;
border-radius: 0px !important;
}
.divShowPw:not(#lastDivShowPw) {
margin-bottom: 20px;
}
.bg-secure-login-form input[type=password]:focus, .bg-secure-login-form input[type=text]:focus{
outline: none;
border-bottom: 1px solid #000 !important;
}
.bg-secure-login-form input[type=password]::placeholder, .bg-secure-login-form input[type=text]::placeholder {
color: #ccc !important;
}
.bg-secure-login-form input[type=submit]{
background-color: #fff !important;
padding: 10px 20px !important;
margin-top: 25px !important;
border: 1px solid #000 !important;
color: #000 !important;
transition: all 0.3s ease-out !important;
border-radius: 0px !important;
}
body {
color: #000 !important;
}
* {
box-sizing: border-box;
}
.bg-secure-login-form input[type=submit]:hover{
background-color: #000 !important;
color: #fff !important;
}
.bg-secure-login-form > p{
margin-bottom: 30px;
}
.seclog_home_link{
position: fixed;
z-index: 1000;
top: 30px;
right: 30px;
}
.divShowPw {
margin-top: 10px;
position: relative;
display: inline-block;
width: 100%;
max-width: 300px;
}
.togglePassword {
position: absolute;
right: 10px;
top: 50%;
transform: translateY(-50%);
background: none;
border: none;
cursor: pointer;
transition: all 0.5s ease;
}
.togglePassword:hover {
transform: translateY(-50%) scale(1.15);
}
input:-webkit-autofill,
input:-webkit-autofill:hover,
input:-webkit-autofill:focus,
input:-webkit-autofill:active {
-webkit-box-shadow: 0 0 0 1000px #ffffff inset !important;
box-shadow: 0 0 0 1000px #ffffff inset !important;
-webkit-text-fill-color: #000000 !important;
transition: background-color 5000s ease-in-out 0s;
}
</style>
<script>
const toggleButtons = document.querySelectorAll('.togglePassword');