Commit Graph

5 Commits

Author SHA1 Message Date
twotalesanimation
86f69474cc Phase 2: Add comprehensive audit logging
- Created AuditLogger service class (360+ lines)
  * 16 action type constants (LOGIN_SUCCESS, PAYMENT_FAILURE, etc.)
  * log() - main logging method with flexible parameters
  * logLogin() - specialized login audit logging
  * logLogout() - session termination tracking
  * logPasswordChange() - credential change tracking
  * logBookingCreate() - booking audit trail
  * logPayment() - payment attempt/result tracking
  * logMembership() - membership action tracking
  * logAccessDenied() - authorization failure logging
  * getRecentLogs() - retrieve audit history
  * getLogsByAction() - filter logs by action type

- Integrated audit logging into validate_login.php:
  * Logs all login attempts (success and failures)
  * Captures failure reasons (invalid password, not verified, etc.)
  * Logs Google OAuth registrations and logins
  * Logs email/password login attempts
  * Captures IP address for each log entry
  * Includes timestamp (via database NOW())

- Audit Log Fields:
  * user_id - identifier of user performing action
  * action - action type (e.g., login_success)
  * status - success/failure/pending
  * ip_address - client IP (handles proxy/load balancer)
  * details - JSON-encoded metadata
  * created_at - timestamp

- Design Features:
  * Uses DatabaseService singleton for connections
  * Graceful error handling (doesn't break application)
  * JSON serialization of complex data for analysis
  * IP detection handles proxies and load balancers
  * Constants for action types enable IDE autocomplete
  * Extensible for additional event types

- Security Benefits:
  * Complete login audit trail for fraud detection
  * Failed login attempts tracked (detects brute force)
  * IP address recorded for geo-blocking/analysis
  * Timestamps enable timeline correlation
  * Action types enable targeted monitoring
2025-12-02 21:13:16 +02:00
twotalesanimation
a4526979c4 Phase 2: Add rate limiting and session regeneration
- Created RateLimitMiddleware class with 8 public methods
  * isLimited() - check if limit exceeded
  * incrementAttempt() - increment attempt counter
  * getRemainingAttempts() - get remaining attempts
  * getTimeRemaining() - get time remaining in window
  * reset() - reset counter after success
  * requireLimit() - check and die if exceeded
  * getStatus() - get status info for monitoring
  * Support for time-window based rate limiting

- Integrated rate limiting into critical endpoints:
  * validate_login.php: 5 attempts per 900 seconds (15 minutes)
  * send_reset_link.php: 3 attempts per 1800 seconds (30 minutes)
  * Prevents brute force attacks and password reset abuse
  * Still increments counter for non-existent emails (prevents enumeration)

- Integrated session regeneration on successful login:
  * Google OAuth login (both new and existing users)
  * Email/password login
  * Uses AuthenticationService::regenerateSession()
  * Prevents session fixation attacks

- Rate limit counters stored in PHP session
- Time-window based with 15-minute and 30-minute windows
- Graceful error messages with retry_after in JSON responses
- AJAX-aware error handling
2025-12-02 21:10:48 +02:00
twotalesanimation
a311e81a12 Phase 2: Add CSRF token protection to all forms and processors
- Created CsrfMiddleware class with 8 helper methods
- Added CSRF tokens to 9 POST forms across trip/course/camping/membership
- Added CSRF validation to all 10 POST processors
- CsrfMiddleware.requireToken() validates and dies on invalid tokens
- 100% POST endpoint coverage with CSRF protection
2025-12-02 21:08:56 +02:00
twotalesanimation
a103c5e272 dotenv implementation 2025-05-23 11:50:53 +02:00
Local Administrator
b83134aca3 Initial commit 2025-04-18 10:32:42 +02:00