#3689 Updating code
Alex-developer committed Jan 18, 2025
1 parent c7016ed commit 674053b
Showing 50 changed files with 60,518 additions and 15,433 deletions.
169 changes: 90 additions & 79 deletions html/includes/admin.php
@@ -1,86 +1,97 @@
<?php

function DisplayAuthConfig($username, $password) {
global $page;
$myStatus = new StatusMessages();

if (isset($_POST['UpdateAdminPassword'])) {
// Update the password
if (CSRFValidate()) {
$new_username=trim($_POST['username']);
$old = $_POST['oldpass'];
$new1 = $_POST['newpass'];
$new2 = $_POST['newpassagain'];
if ($new_username == "") {
$myStatus->addMessage('You must enter the username.', 'danger');
}
if ($old == "" || $new1 == "" || $new2 == "") {
$myStatus->addMessage('You must enter the old (current) password, and the new password twice.', 'danger');
} else if (password_verify($old, $password)) {
if ($new1 != $new2) {
$myStatus->addMessage('New passwords do not match.', 'danger');
} else if ($new_username == '') {
$myStatus->addMessage('Username must not be empty.', 'danger');
} else {
$contents = $new_username.PHP_EOL;
$contents .= password_hash($new1, PASSWORD_BCRYPT).PHP_EOL;
$ret = updateFile(RASPI_ADMIN_DETAILS, $contents, "admin password file", true);
if ($ret === "") {
$username = $new_username;
$myStatus->addMessage("$new_username password updated.", 'success');
} else {
$myStatus->addMessage($ret, 'danger');
}
}
} else {
$myStatus->addMessage('Old password does not match.', 'danger');
}
} else {
error_log('CSRF violation');
}
}
?>

<div class="row">
<div class="col-lg-12">
<div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-lock fa-fw"></i> Change Admin Username and/or Password</div>
<div class="panel-body">
<?php if ($myStatus->isMessage()) echo "<p>" . $myStatus->showMessages() . "</p>"; ?>
<style>
.as-admin-error {
font-size: 2rem;
}
</style>

<form role="form" action="?page=<?php echo $page ?>" method="POST">
<?php CSRFToken() ?>
<div class="row">
<div class="form-group col-md-4">
<label for="username">Username</label>
<input type="text" class="form-control" name="username" value="<?php echo $username; ?>"/>
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="password">Old password</label>
<input type="password" class="form-control" name="oldpass"/>
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="password">New password</label>
<input type="password" class="form-control" name="newpass"/>
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="password">Repeat new password</label>
<input type="password" class="form-control" name="newpassagain"/>
<div class="container">
<div class="col-md-6 col-md-offset-2 panel-style">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<strong>
<i class="fa fa-lock fa-fw"></i> Update WebUI User/Password
</strong>
</h3>
</div>
<div class="panel-body">
<div class="row">
<div class="col-md-12">
<div class="alert alert-success" role="alert">If you intend to allow access to this Pi from the internet please select the checkbox below. This will enusre that a more secure password is used for the WebUI.</div>
</div>
</div>
<form role="form" action="includes/adminutils.php?request=Validate" method="POST" id="as-admin-user-password">
<?php CSRFToken() ?>
<div class="form-group">
<div class="checkbox">
<div class="row">
<div class="col-md-7">Enable WebUI login</div>
<div class="col-md-5">
<div class='switch-field boxShadow as-enable-webui-login-wrapper'>
<input id='switch_no_as-enable-webui-login' class='form-control' type='radio' name='as-enable-webui-login' value='false' <?php echo ($useLogin==false)?'checked':'' ?> >
<label style='margin-bottom: 0px;' for='switch_no_as-enable-webui-login'>No</label>
<input id='switch_yes_as-enable-webui-login' class='form-control' type='radio' name='as-enable-webui-login' value='true' <?php echo ($useLogin==true)?'checked':'' ?> >
<label style='margin-bottom: 0px;' for='switch_yes_as-enable-webui-login'>Yes</label>
</div>
</div>
</div>
</div>
</div>
<div id="as-admin-user-password-fields-container">
<div id="as-admin-user-password-fields">
<div class="form-group">
<div class="checkbox">
<div class="row">
<div class="col-md-7">Will this Pi will have remote access from the internet?</div>
<div class="col-md-5">
<div class='switch-field boxShadow as-use-online-wrapper'>
<input id='switch_no_as-use-online' class='form-control' type='radio' name='as-use-online' value='false' checked>
<label style='margin-bottom: 0px;' for='switch_no_as-use-online'>No</label>
<input id='switch_yes_as-use-online' class='form-control' type='radio' name='as-use-online' value='true'>
<label style='margin-bottom: 0px;' for='switch_yes_as-use-online'>Yes</label>
</div>
</div>
</div>
</div>
</div>
<div class="form-group">
<label for="username">Username</label>
<input type="text" name="username" id="username" class="form-control" required="required" value="<?php echo $adminUser; ?>">
</div>
<div class="form-group">
<label for="oldpass">Old Password</label>
<input type="password" name="oldpass" id="oldpass" class="form-control" required="required">
</div>
<div class="form-group">
<label for="newpass">New Password</label>
<input type="password" name="newpass" id="newpass" class="form-control" required="required">
<div class="alert alert-info mt-3" role="alert" id="as-admin-password-format">Loading Password Format</div>
</div>
<div class="form-group">
<label for="newpassagain">Confirm Password</label>
<input type="password" name="newpassagain" id="newpassagain" class="form-control" required="required">
</div>
<div class="form-group">
<button type="submit" class="btn btn-primary btn-block"><i class="fa-regular fa-paper-plane"></i> Update Username/Password</button>
</div>
</div>
<div id="as-admin-user-password-fields-overlay"></div>
</div>
<input type="submit" class="btn btn-primary" name="UpdateAdminPassword" value="Save settings" />
</form>
</div><!-- /.panel-body -->
</div><!-- /.panel panel-primary -->
</div><!-- /.col-lg-12 -->
</div><!-- /.row -->
</form>
</div>
</div>
</div>

<?php
}
?>
<script>
$(document).ready(function() {
let adminManager = new ALLSKYADMIN()
});
</script>

<script src="/js/allsky-admin/allsky-admin.js?c=<?php echo ALLSKY_VERSION; ?>"></script>
<script src="/js/jquery-loading-overlay/dist/loadingoverlay.min.js?c=<?php echo ALLSKY_VERSION; ?>"></script>
<script src="/js/bootbox/bootbox.all.js?c=<?php echo ALLSKY_VERSION; ?>"></script>
<script src="/js/bootbox/bootbox.locales.min.js?c=<?php echo ALLSKY_VERSION; ?>"></script>
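--- a/html/includes/adminutils.php
+++ b/html/includes/adminutils.php
@@ -0,0 +1,205 @@
+<?php
+
+include_once('functions.php');
+initialize_variables();
+
+include_once('authenticate.php');
+
+class ADMINUTIL
+{
+private $request;
+private $method;
+private $jsonResponse = false;
+private $adminUser;
+private $adminPassword;
+
+function __construct() {
+session_start();
+
+$privateVars = get_decoded_json_file(ALLSKY_ENV, true, '');
+$this->adminUser = $privateVars['WEBUI_USERNAME'];
+$this->adminPassword = $privateVars['WEBUI_PASSWORD'];
+}
+
+public function run()
+{
+$this->checkXHRRequest();
+$this->sanitizeRequest();
+$this->runRequest();
+}
+
+private function checkXHRRequest()
+{
+if (empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') {
+$this->send404();
+}
+}
+
+private function sanitizeRequest()
+{
+$this->request = $_GET['request'];
+$this->method = strtolower($_SERVER['REQUEST_METHOD']);
+
+$accepts = $_SERVER['HTTP_ACCEPT'];
+if (stripos($accepts, 'application/json') !== false) {
+$this->jsonResponse = true;
+}
+}
+
+private function send400($message="Unknown Error")
+{
+header('HTTP/1.0 400 Unauthorized');
+die($message);
+}
+
+private function send401()
+{
+header('HTTP/1.0 401 Unauthorized');
+die();
+}
+
+private function send404()
+{
+header('HTTP/1.0 404 Not Found');
+die();
+}
+
+private function send500()
+{
+header('HTTP/1.0 500 Internal Server Error');
+die();
+}
+
+private function sendResponse($response = 'ok')
+{
+echo ($response);
+die();
+}
+
+private function runRequest()
+{
+$action = $this->method . $this->request;
+if (is_callable(array('ADMINUTIL', $action))) {
+call_user_func(array($this, $action));
+} else {
+$this->send404();
+}
+}
+
+private function validatePassword($secure, $password) {
+$result = [
+'error' => true,
+'message' => 'Error running password validation'
+];
+$useSecure = '--nosecure';
+if ($secure == 'on') {
+$useSecure = '';
+}
+$command = ALLSKY_UTILITIES . '/validatePassword.sh ' . $useSecure . ' --password ' . $password;
+
+return $this->runShellCommand($command);
+}
+
+private function runShellCommand($command) {
+$descriptors = [
+1 => ['pipe', 'w'],
+2 => ['pipe', 'w'],
+];
+$process = proc_open($command, $descriptors, $pipes);
+
+if (is_resource($process)) {
+$stdout = stream_get_contents($pipes[1]);
+$stderr = stream_get_contents($pipes[2]);
+fclose($pipes[1]);
+fclose($pipes[2]);
+
+$returnCode = proc_close($process);
+if ($returnCode > 0) {
+$result = [
+'error' => true,
+'message' => ($stdout !== '') ? $stdout : $stderr
+];
+} else {
+$result = [
+'error' => false,
+'message' => $stdout
+];
+}
+}
+
+return $result;
+}
+
+public function postPasswordFormat() {
+$useonline=filter_input(INPUT_POST, 'useonline', FILTER_VALIDATE_BOOLEAN);
+$useSecure = ($useonline) ? '' : '--nosecure';
+$command = ALLSKY_UTILITIES . '/validatePassword.sh --getformat ' . $useSecure;
+$result = $this->runShellCommand($command);
+
+if ($result['error']) {
+$this->send400('Unable to get password format');
+} else {
+$this->sendResponse($result['message']);
+}
+}
+
+public function postValidate()
+{
+if (CSRFValidate()) {
+$new_username=trim(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING));
+$old=trim(filter_input(INPUT_POST, 'oldpass', FILTER_SANITIZE_STRING));
+$new1=trim(filter_input(INPUT_POST, 'newpass', FILTER_SANITIZE_STRING));
+$new2=trim(filter_input(INPUT_POST, 'newpassagain', FILTER_SANITIZE_STRING));
+$useWebUILogin=filter_input(INPUT_POST, 'as-enable-webui-login', FILTER_VALIDATE_BOOLEAN);
+$useonline=filter_input(INPUT_POST, 'as-use-online', FILTER_VALIDATE_BOOLEAN);
+
+if ($new_username == '') {
+$this->send400('You must enter the username.');
+}
+if ($old == "" || $new1 == "" || $new2 == "") {
+$this->send400('You must enter the old (current) password, and the new password twice.');
+} else if (password_verify($old, $this->adminPassword)) {
+if ($new1 != $new2) {
+$this->send400('New passwords do not match.');
+} else if ($new_username == '') {
+$this->send400('Username must not be empty.');
+} else {
+
+$result = $this->validatePassword($useonline, $new1);
+if ($result['error']) {
+$this->send400($result['message']);
+} else {
+$privateVars = get_decoded_json_file(ALLSKY_ENV, true, "");
+$privateVars['WEBUI_USERNAME'] = $new_username;
+$privateVars['WEBUI_PASSWORD'] = password_hash($new1, PASSWORD_BCRYPT);
+
+$ret = file_put_contents(ALLSKY_ENV, json_encode($privateVars, JSON_PRETTY_PRINT));
+if ($ret !== false) {
+$content = readSettingsFile();
+if ($useWebUILogin) {
+if ($content['uselogin'] !== $useWebUILogin) {
+$content['uselogin'] = $useWebUILogin;
+$settings_file = getSettingsFile();
+$mode = JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_PRESERVE_ZERO_FRACTION;
+$content = json_encode($content, $mode);
+$msg = updateFile($settings_file, $content, "settings", false);
+}
+}
+$username = $new_username;
+$this->sendResponse("$new_username password updated. Click ok to refresh the page and enable the user/password.");
+} else {
+$this->send400('Failed to update password saving to file failed.');
+}
+}
+}
+} else {
+$this->send400('The old password is incorrect.');
+}
+} else {
+$this->send401();
+}
+}
+}
+
+$supportUtil = new ADMINUTIL();
+$supportUtil->run();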
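Review bot: In `validatePassword` the submitted new password is concatenated unescaped into the command string (`' --password ' . $password`) that `runShellCommand` hands to `proc_open`, so shell metacharacters in the password are interpreted by the shell rather than passed to `validatePassword.sh`; change it to `' --password ' . escapeshellarg($password)` (or pass `proc_open` an argument array, which skips the shell entirely). The `FILTER_SANITIZE_STRING` filter used for all four fields in `postValidate` is deprecated since PHP 8.1 and strips angle brackets and encodes quotes, so together with `trim()` it silently alters a password before it reaches `password_verify` and `password_hash`; read those fields with `FILTER_DEFAULT` and do not trim them. `runShellCommand` returns `$result` uninitialised when `proc_open` does not yield a resource — set it to the error array before the `if (is_resource(...))` block, as `validatePassword` already does for its own local. Minor: `send400` sends the reason phrase `Unauthorized` with status 400, where `Bad Request` is the matching phrase, and the `$msg` returned by `updateFile` for the settings write is never checked.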
