CIM67 - Block Users after 5 failed login attempts

This commit is contained in:
“VeLiTi”
2024-04-16 11:03:00 +02:00
parent aebeb88b68
commit 32965b319f
9 changed files with 91 additions and 42 deletions


@@ -9,9 +9,13 @@ $user_credentials = json_decode(decode_payload($input),true);
$pdo = dbConnect($dbname);
$username = $user_credentials['username'] ?? '';
//Define Query
$stmt = $pdo->prepare('SELECT id, username, password, salesID, partnerhierarchy, view, service, settings, lastlogin, userkey, language FROM users WHERE username = ?');
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
//Excute Query
$stmt->execute([$username]);
//SETUP SQL FOR LOGIN_COUNT
$sql_login = 'UPDATE users SET login_count = ? WHERE id = ?';
// Check if username exists. Verify user exists then verify
if ($stmt->rowCount() == 1) {
$user_data = $stmt->fetch();
@@ -19,47 +23,71 @@ if ($stmt->rowCount() == 1) {
$profile = getProfile($user_data['settings'],$permission);
$password = $user_credentials['password'];
if (array_key_exists('resetkey', $user_credentials)){
if ($user_credentials['resetkey'] == ''){
//Reset procedure
//STEP 1.A- Create resetkey
$headers = array('alg'=>'HS256','typ'=>'JWT');
$payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
$resetkey = generate_jwt($headers, $payload);
//STEP 1.B Store in DB
$sql = 'UPDATE users SET resetkey = ? WHERE id = ?';
$stmt = $pdo->prepare($sql);
$stmt->execute([$resetkey,$user_data['id']]);
//STEP 2- Send to user
include_once './assets/mail/email_template_reset.php';
send_mail($user_data['username'],$subject,$message,'','');
}
if ($user_data['login_count'] < 5){
if (array_key_exists('resetkey', $user_credentials)){
if ($user_credentials['resetkey'] == ''){
//Reset procedure
//STEP 1.A- Create resetkey
$headers = array('alg'=>'HS256','typ'=>'JWT');
$payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
$resetkey = generate_jwt($headers, $payload);
//STEP 1.B Store in DB
$sql = 'UPDATE users SET resetkey = ? WHERE id = ?';
$stmt = $pdo->prepare($sql);
$stmt->execute([$resetkey,$user_data['id']]);
//STEP 2- Send to user
include_once './assets/mail/email_template_reset.php';
send_mail($user_data['email'],$subject,$message,'','');
//STEP 3- Update Login count
$login_attempt = $user_data['login_count'] + 1;
$stmt_login = $pdo->prepare($sql_login);
$stmt_login->execute([$login_attempt, $user_data['id']]);
}
} else { //STANDARD LOGIN
if (password_verify($password, $user_data['password'])) {
$token = createCommunicationToken($user_data['service']);
} else { //STANDARD LOGIN
if (password_verify($password, $user_data['password'])) {
$token = createCommunicationToken($user_data['service']);
$user = array(
'id' => $user_data['id'],
'username' => $user_data['username'],
'salesID' => $user_data['salesID'],
'partnerhierarchy' => $user_data['partnerhierarchy'],
'permission' => $permission,
'profile' => $profile,
'service' => $user_data['service'],
'userkey' => $user_data['userkey'],
'language' => $user_data['language'],
'token' => $token
);
//Encrypt results
$messages = generate_payload($user);
//Send results
print_r($messages);
} else {
http_response_code(403); //Not authorized
$user = array(
'id' => $user_data['id'],
'username' => $user_data['username'],
'salesID' => $user_data['salesID'],
'partnerhierarchy' => $user_data['partnerhierarchy'],
'permission' => $permission,
'profile' => $profile,
'service' => $user_data['service'],
'userkey' => $user_data['userkey'],
'language' => $user_data['language'],
'token' => $token
);
//Reset login count after succesfull attempt
$login_attempt = 0;
$stmt_login = $pdo->prepare($sql_login);
$stmt_login->execute([$login_attempt, $user_data['id']]);
//Encrypt results
$messages = generate_payload($user);
//Send results
print_r($messages);
} else {
//Update Login count with failed attempt
$login_attempt = $user_data['login_count'] + 1;
$stmt_login = $pdo->prepare($sql_login);
$stmt_login->execute([$login_attempt, $user_data['id']]);
//Send Response
http_response_code(403); //Not authorized
}
}
}
} else {
//User is blocked & send error
$messages = generate_payload('1');
//------------------------------------------
//Send results
//------------------------------------------
echo $messages;
}
} elseif (array_key_exists('resetkey', $user_credentials)) {
if ($user_credentials['resetkey'] != ''){
//UPDATE PASSWORD BASED ON RESETKEY
@@ -67,6 +95,8 @@ if ($stmt->rowCount() == 1) {
$passwordvalid = password_hash($password, PASSWORD_DEFAULT);
$stmt = $pdo->prepare('UPDATE users SET password = ? WHERE resetkey = ? ');
$stmt->execute([$passwordvalid, $user_credentials['resetkey']]);
//
} else {
http_response_code(403);//Not authorized
}
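Review bot: The failed-attempt counter is computed in PHP from the row read at the top of the section (`$login_attempt = $user_data['login_count'] + 1;` at the reset step and again in the failed-password branch) and written back through `UPDATE users SET login_count = ? WHERE id = ?`, so concurrent requests for the same user all read the same value, each passes the `< 5` check, and the stored count advances by one regardless of how many failures occurred; increment in the database instead, e.g. `$sql_login_fail = 'UPDATE users SET login_count = login_count + 1 WHERE id = ?';` executed with `[$user_data['id']]` at both sites, keeping the existing parameterised statement only for the reset-to-zero on success. The blocked branch echoes `generate_payload('1')` with no `http_response_code()`, so a locked account answers 200 while a wrong password answers 403; set 403 (or 423) there too so clients and logs treat it as a denial. Nothing in the hunk records when the lock was set, so the block is permanent until the counter is cleared somewhere else, and because the reset-request path sits inside the `< 5` gate and also increments the counter, a locked user cannot request a reset and five bad attempts against a known username lock it indefinitely; consider storing a lock timestamp (new column, name to be chosen) and checking an expiry window alongside the count, and document the unlock procedure. The enclosing `if ($stmt->rowCount() == 1)` block opens in the first hunk and its `elseif` branch continues past the end of this one.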


@@ -68,7 +68,7 @@ if(isset($criterias['totals']) && $criterias['totals'] ==''){
}
else {
//SQL for Paging
$sql = 'SELECT id,username,salesID, partnerhierarchy, view, created, service, settings, lastlogin, userkey, language FROM users '.$whereclause.' ORDER BY lastlogin DESC LIMIT :page,:num_products';
$sql = 'SELECT id,username, email, salesID, partnerhierarchy, view, created, service, settings, lastlogin, userkey, language,login_count FROM users '.$whereclause.' ORDER BY lastlogin DESC LIMIT :page,:num_products';
}
$stmt = $pdo->prepare($sql);
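Review bot: The rebuilt SELECT still splices `$whereclause` into the SQL string before `prepare()`, and the hunk does not show how `$whereclause` is assembled; if any part of it carries `$criterias` values rather than only bound placeholders this remains a string-built query, so confirm that while touching the projection. Adding `email` and `login_count` also means every consumer of this listing now receives each user's address and lock state; confirm the endpoint is limited to administrators. The `totals` branch above the hunk is outside the view, so whether it exposes the same columns cannot be checked here.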