diff --git a/api/v1/authorization.php b/api/v1/authorization.php
index 7bfd7b2..bb5fb69 100644
--- a/api/v1/authorization.php
+++ b/api/v1/authorization.php
@@ -9,9 +9,13 @@ $user_credentials = json_decode(decode_payload($input),true);
 $pdo = dbConnect($dbname);
 $username = $user_credentials['username'] ?? '';
 //Define Query
-$stmt = $pdo->prepare('SELECT id, username, password, salesID, partnerhierarchy, view, service, settings, lastlogin, userkey, language FROM users WHERE username = ?');
+$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
 //Excute Query
 $stmt->execute([$username]);
+
+//SETUP SQL FOR LOGIN_COUNT
+$sql_login = 'UPDATE users SET login_count = ? WHERE id = ?';
+
 // Check if username exists. Verify user exists then verify
 if ($stmt->rowCount() == 1) {
 $user_data = $stmt->fetch();
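Review bot: The `SELECT *` that replaces the explicit column list now loads every column of `users` into `$user_data` on each login, including `resetkey` and any column added to the table later, where the previous query fetched only what this handler uses. Naming the two new columns keeps the query self-documenting and the fetched row minimal: `$stmt = $pdo->prepare('SELECT id, username, email, password, salesID, partnerhierarchy, view, service, settings, lastlogin, userkey, language, login_count FROM users WHERE username = ?');`. The `$sql_login` string defined here is later used both to increment the counter and to reset it to zero, so a one-line comment stating that dual use, e.g. `// parameterised: new count, user id (used for both increment and reset)`, would help the next reader.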
@@ -19,47 +23,71 @@ if ($stmt->rowCount() == 1) { $profile = getProfile($user_data['settings'],$permission); $password = $user_credentials['password']; - if (array_key_exists('resetkey', $user_credentials)){ - - if ($user_credentials['resetkey'] == ''){ - //Reset procedure - //STEP 1.A- Create resetkey - $headers = array('alg'=>'HS256','typ'=>'JWT'); - $payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800)); - $resetkey = generate_jwt($headers, $payload); - //STEP 1.B Store in DB - $sql = 'UPDATE users SET resetkey = ? WHERE id = ?'; - $stmt = $pdo->prepare($sql); - $stmt->execute([$resetkey,$user_data['id']]); - //STEP 2- Send to user - include_once './assets/mail/email_template_reset.php'; - send_mail($user_data['username'],$subject,$message,'',''); - } + if ($user_data['login_count'] < 5){ + if (array_key_exists('resetkey', $user_credentials)){ + + if ($user_credentials['resetkey'] == ''){ + //Reset procedure + //STEP 1.A- Create resetkey + $headers = array('alg'=>'HS256','typ'=>'JWT'); + $payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800)); + $resetkey = generate_jwt($headers, $payload); + //STEP 1.B Store in DB + $sql = 'UPDATE users SET resetkey = ? 
WHERE id = ?'; + $stmt = $pdo->prepare($sql); + $stmt->execute([$resetkey,$user_data['id']]); + //STEP 2- Send to user + include_once './assets/mail/email_template_reset.php'; + send_mail($user_data['email'],$subject,$message,'',''); + //STEP 3- Update Login count + $login_attempt = $user_data['login_count'] + 1; + $stmt_login = $pdo->prepare($sql_login); + $stmt_login->execute([$login_attempt, $user_data['id']]); + } - } else { //STANDARD LOGIN - if (password_verify($password, $user_data['password'])) { - $token = createCommunicationToken($user_data['service']); + } else { //STANDARD LOGIN + if (password_verify($password, $user_data['password'])) { + $token = createCommunicationToken($user_data['service']); - $user = array( - 'id' => $user_data['id'], - 'username' => $user_data['username'], - 'salesID' => $user_data['salesID'], - 'partnerhierarchy' => $user_data['partnerhierarchy'], - 'permission' => $permission, - 'profile' => $profile, - 'service' => $user_data['service'], - 'userkey' => $user_data['userkey'], - 'language' => $user_data['language'], - 'token' => $token - ); - //Encrypt results - $messages = generate_payload($user); - //Send results - print_r($messages); - } else { - http_response_code(403); //Not authorized + $user = array( + 'id' => $user_data['id'], + 'username' => $user_data['username'], + 'salesID' => $user_data['salesID'], + 'partnerhierarchy' => $user_data['partnerhierarchy'], + 'permission' => $permission, + 'profile' => $profile, + 'service' => $user_data['service'], + 'userkey' => $user_data['userkey'], + 'language' => $user_data['language'], + 'token' => $token + ); + + //Reset login count after succesfull attempt + $login_attempt = 0; + $stmt_login = $pdo->prepare($sql_login); + $stmt_login->execute([$login_attempt, $user_data['id']]); + + //Encrypt results + $messages = generate_payload($user); + //Send results + print_r($messages); + } else { + //Update Login count with failed attempt + $login_attempt = $user_data['login_count'] + 
1; + $stmt_login = $pdo->prepare($sql_login); + $stmt_login->execute([$login_attempt, $user_data['id']]); + //Send Response + http_response_code(403); //Not authorized + } } - } + } else { + //User is blocked & send error + $messages = generate_payload('1'); + //------------------------------------------ + //Send results + //------------------------------------------ + echo $messages; + } } elseif (array_key_exists('resetkey', $user_credentials)) { if ($user_credentials['resetkey'] != ''){ //UPDATE PASSWORD BASED ON RESETKEY @@ -67,6 +95,8 @@ if ($stmt->rowCount() == 1) { $passwordvalid = password_hash($password, PASSWORD_DEFAULT); $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE resetkey = ? '); $stmt->execute([$passwordvalid, $user_credentials['resetkey']]); + + // } else { http_response_code(403);//Not authorized } diff --git a/api/v1/get/users.php b/api/v1/get/users.php index c779285..06c5071 100644 --- a/api/v1/get/users.php +++ b/api/v1/get/users.php @@ -68,7 +68,7 @@ if(isset($criterias['totals']) && $criterias['totals'] ==''){ } else { //SQL for Paging - $sql = 'SELECT id,username,salesID, partnerhierarchy, view, created, service, settings, lastlogin, userkey, language FROM users '.$whereclause.' ORDER BY lastlogin DESC LIMIT :page,:num_products'; + $sql = 'SELECT id,username, email, salesID, partnerhierarchy, view, created, service, settings, lastlogin, userkey, language,login_count FROM users '.$whereclause.' ORDER BY lastlogin DESC LIMIT :page,:num_products'; } $stmt = $pdo->prepare($sql); diff --git a/assets/readdevice.js b/assets/readdevice.js index af8cc1c..1d33d10 100644 --- a/assets/readdevice.js +++ b/assets/readdevice.js @@ -369,6 +369,8 @@ async function closePort(){ } maintenanceRun = 0; // reset maintenanceRun + // Refresh the page + location.reload(); } async function updateHistory(){ diff --git a/login.php b/login.php index e24f0d0..0a55f31 100644 --- a/login.php +++ b/login.php 
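Review bot: The lockout added around the login branch updates the counter with a read-modify-write in PHP (`$login_attempt = $user_data['login_count'] + 1;` followed by `UPDATE users SET login_count = ?`), so concurrent requests for the same user can overwrite each other's increment and the threshold of 5 is not reliably enforced; an atomic `UPDATE users SET login_count = login_count + 1 WHERE id = ?` executed with `[$user_data['id']]` at both failure sites closes that gap. As far as this diff shows the counter never expires and the `resetkey == ''` request branch increments it as well, so five requests with a known username lock that account until an administrator intervenes, and once `login_count` reaches 5 the reset request — the only self-service recovery — is no longer reachable; recording the time of the last failure and ignoring counts older than a window, and counting only failed `password_verify` results, would limit that. The blocked branch also answers with HTTP 200 and `generate_payload('1')` while a wrong password gets 403, which tells an unauthenticated caller that the account exists and is locked; keeping the 403 and carrying the reason inside the payload avoids that signal. The enclosing `if ($stmt->rowCount() == 1)` block starts and ends outside this hunk.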
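Review bot: The paging query in get/users.php now returns `email` and `login_count` for every listed user; `email` is personal data and `login_count` reveals which accounts are at or near the lockout threshold, so whether this listing endpoint is restricted to administrators is worth confirming (the authorization check, if any, is outside this hunk). If non-admin callers can reach it, leave `login_count` out of this select or strip it before the response is built.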
@@ -50,6 +50,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 if ($responses === 'NOK'){
 $retry++;
 $password_err = 'Not authorized, please retry';
+ } elseif ($responses == 1){
+ $password_err = 'Too many login attempts. User blocked, please contact your administrator';
 } else {
 // Start a new session
 session_start();
diff --git a/profile.php b/profile.php
index 236ed65..0e73033 100644
--- a/profile.php
+++ b/profile.php
@@ -16,6 +16,7 @@ $create_allowed = isAllowed($page ,$_SESSION['profile'],$_SESSION['permission'],
 $user = [
 'id' => '',
 'username' => '',
+ 'email' => '',
 'partnerhierarchy' => '',
 'view' => 3,
 'service' => 0,
@@ -103,6 +104,8 @@ $view .= '
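Review bot: The new `elseif ($responses == 1)` uses a loose comparison directly under the strict `$responses === 'NOK'` check, so the branch matches whatever `generate_payload('1')` decodes to on this side (int 1, string '1' or true) rather than one defined sentinel; a named constant shared with authorization.php and compared with `===` would make the contract explicit, e.g. `} elseif ($responses === LOGIN_BLOCKED) {` where `LOGIN_BLOCKED` is a suggested name to be defined, not an existing one. The blocked branch also does not bump `$retry` the way the NOK branch does, which is worth a one-line comment such as `// blocked server-side: no client-side retry accounting` so the asymmetry reads as intended. The enclosing POST handler starts and ends outside this hunk.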