1ef4d06627
Major security improvements: - Added CSRF token generation, validation, and cleanup functions - Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads) - Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout) - Implemented session fixation protection with session_regenerate_id() and 30-min timeout - Fixed SQL injection in getResultFromTable() with whitelisted columns/tables - Added audit logging for security events - Applied CSRF validation to all 7 process_*.php files - Applied input validation to critical endpoints (login, registration, bookings, application) - Created database migration for login_attempts, audit_log tables and locked_until column Modified files: - functions.php: +500 lines of security functions - validate_login.php: Added CSRF, rate limiting, session hardening - register_user.php: Added CSRF, input validation, registration rate limiting - process_*.php (7 files): Added CSRF token validation - Created migration: 001_phase1_security_schema.sql Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
222 lines
9.1 KiB
PHP
222 lines
9.1 KiB
PHP
<?php
|
|
require_once("env.php");
|
|
require_once("session.php");
|
|
require_once("connection.php");
|
|
require_once("functions.php");
|
|
require_once 'google-client/vendor/autoload.php'; // Add this line for Google Client
|
|
|
|
// Check if connection is established
|
|
if (!$conn) {
|
|
json_encode(['status' => 'error', 'message' => 'Database connection failed.']);
|
|
exit();
|
|
}
|
|
|
|
// Google Client Setup
|
|
$client = new Google_Client();
|
|
$client->setClientId($_ENV['GOOGLE_CLIENT_ID']);
|
|
$client->setClientSecret($_ENV['GOOGLE_CLIENT_SECRET']);
|
|
$client->setRedirectUri($_ENV['HOST'] . '/validate_login.php');
|
|
$client->addScope("email");
|
|
$client->addScope("profile");
|
|
// 👇 Add this to force the account picker
|
|
$client->setPrompt('select_account');
|
|
|
|
// Check if Google login code is set
|
|
if (isset($_GET['code'])) {
|
|
$token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
|
|
if (!isset($token["error"])) {
|
|
$client->setAccessToken($token['access_token']);
|
|
$google_oauth = new Google_Service_Oauth2($client);
|
|
$google_account_info = $google_oauth->userinfo->get();
|
|
|
|
// Get user info from Google
|
|
$email = $google_account_info->email;
|
|
$name = $google_account_info->name;
|
|
$first_name = $google_account_info->given_name;
|
|
$last_name = $google_account_info->family_name;
|
|
$picture = $google_account_info->picture;
|
|
|
|
// Check if the user exists in the database
|
|
$query = "SELECT * FROM users WHERE email = ?";
|
|
$stmt = $conn->prepare($query);
|
|
$stmt->bind_param("s", $email);
|
|
$stmt->execute();
|
|
$result = $stmt->get_result();
|
|
|
|
if ($result->num_rows == 0) {
|
|
// User does not exist, so register them
|
|
$password = null; // No password for Google login
|
|
$query = "INSERT INTO users (email, first_name, last_name, profile_pic, password, is_verified) VALUES (?, ?, ?, ?, ?, ?)";
|
|
$stmt = $conn->prepare($query);
|
|
$is_verified = 1; // Assuming Google users are considered verified
|
|
$stmt->bind_param("sssssi", $email, $first_name, $last_name, $picture, $password, $is_verified);
|
|
if ($stmt->execute()) {
|
|
// User successfully registered, set session and redirect
|
|
sendEmail('chrispintoza@gmail.com', '4WDCSA: New User Login', $name.' has just created an account using Google Login.');
|
|
$_SESSION['user_id'] = $conn->insert_id;
|
|
$_SESSION['first_name'] = $first_name;
|
|
$_SESSION['profile_pic'] = $picture;
|
|
processLegacyMembership($_SESSION['user_id']);
|
|
// echo json_encode(['status' => 'success', 'message' => 'Google login successful']);
|
|
header("Location: index.php");
|
|
exit();
|
|
} else {
|
|
// echo json_encode(['status' => 'error', 'message' => 'Failed to register user.']);
|
|
header("Location: index.php");
|
|
exit();
|
|
}
|
|
} else {
|
|
// User exists, set session and redirect
|
|
$row = $result->fetch_assoc();
|
|
$_SESSION['user_id'] = $row['user_id'];
|
|
$_SESSION['first_name'] = $row['first_name'];
|
|
$_SESSION['profile_pic'] = $row['profile_pic'];
|
|
sendEmail('chrispintoza@gmail.com', '4WDCSA: New User Login', $name.' has just logged in using Google Login.');
|
|
// echo json_encode(['status' => 'success', 'message' => 'Google login successful']);
|
|
header("Location: index.php");
|
|
exit();
|
|
}
|
|
|
|
$stmt->close();
|
|
} else {
|
|
echo "Login failed.";
|
|
exit();
|
|
}
|
|
}
|
|
|
|
// Check if email and password login is requested
|
|
if (isset($_POST['email']) && isset($_POST['password'])) {
|
|
// CSRF Token Validation
|
|
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
|
|
auditLog(null, 'CSRF_VALIDATION_FAILED', 'users', null, ['endpoint' => 'validate_login.php']);
|
|
echo json_encode(['status' => 'error', 'message' => 'Security token validation failed. Please try again.']);
|
|
exit();
|
|
}
|
|
|
|
// Retrieve and validate email input
|
|
$email = validateEmail($_POST['email']);
|
|
if ($email === false) {
|
|
auditLog(null, 'INVALID_EMAIL_FORMAT', 'users', null, ['email' => $_POST['email']]);
|
|
echo json_encode(['status' => 'error', 'message' => 'Invalid email format.']);
|
|
exit();
|
|
}
|
|
|
|
// Retrieve and sanitize password
|
|
$password = isset($_POST['password']) ? trim($_POST['password']) : '';
|
|
|
|
// Basic validation
|
|
if (empty($email) || empty($password)) {
|
|
echo json_encode(['status' => 'error', 'message' => 'Please enter both email and password.']);
|
|
exit();
|
|
}
|
|
|
|
// Check for account lockout
|
|
$lockoutStatus = checkAccountLockout($email);
|
|
if ($lockoutStatus['is_locked']) {
|
|
auditLog(null, 'LOGIN_ATTEMPT_LOCKED_ACCOUNT', 'users', null, [
|
|
'email' => $email,
|
|
'locked_until' => $lockoutStatus['locked_until']
|
|
]);
|
|
echo json_encode([
|
|
'status' => 'error',
|
|
'message' => 'Account is temporarily locked due to multiple failed login attempts. Please try again in ' . $lockoutStatus['minutes_remaining'] . ' minutes.'
|
|
]);
|
|
exit();
|
|
}
|
|
|
|
// Check recent failed attempts
|
|
$recentFailedAttempts = countRecentFailedAttempts($email);
|
|
if ($recentFailedAttempts >= 5) {
|
|
// Lock account for 15 minutes
|
|
lockAccount($email, 15);
|
|
auditLog(null, 'ACCOUNT_LOCKED_THRESHOLD', 'users', null, [
|
|
'email' => $email,
|
|
'failed_attempts' => $recentFailedAttempts
|
|
]);
|
|
echo json_encode([
|
|
'status' => 'error',
|
|
'message' => 'Account locked due to multiple failed login attempts. Please try again in 15 minutes.'
|
|
]);
|
|
exit();
|
|
}
|
|
|
|
// Prepare SQL statement to fetch user details
|
|
$query = "SELECT * FROM users WHERE email = ?";
|
|
$stmt = $conn->prepare($query);
|
|
|
|
if (!$stmt) {
|
|
echo json_encode(['status' => 'error', 'message' => 'Database query preparation failed.']);
|
|
exit();
|
|
}
|
|
|
|
$stmt->bind_param("s", $email);
|
|
$stmt->execute();
|
|
$result = $stmt->get_result();
|
|
|
|
// Check if user exists and verify password
|
|
if ($result->num_rows == 1) {
|
|
$row = $result->fetch_assoc();
|
|
|
|
// Check if the user is verified
|
|
if ($row['is_verified'] == 0) {
|
|
recordLoginAttempt($email, false);
|
|
auditLog(null, 'LOGIN_ATTEMPT_UNVERIFIED_ACCOUNT', 'users', $row['user_id']);
|
|
echo json_encode(['status' => 'error', 'message' => 'Your account is not verified. Please check your email for the verification link.']);
|
|
exit();
|
|
}
|
|
|
|
if (password_verify($password, $row['password'])) {
|
|
// Record successful attempt
|
|
recordLoginAttempt($email, true);
|
|
|
|
// Regenerate session ID to prevent session fixation attacks
|
|
session_regenerate_id(true);
|
|
|
|
// Password is correct, set up session
|
|
$_SESSION['user_id'] = $row['user_id'];
|
|
$_SESSION['first_name'] = $row['first_name'];
|
|
$_SESSION['profile_pic'] = $row['profile_pic'];
|
|
|
|
// Set session timeout (30 minutes)
|
|
$_SESSION['login_time'] = time();
|
|
$_SESSION['session_timeout'] = 1800; // 30 minutes in seconds
|
|
|
|
auditLog($row['user_id'], 'LOGIN_SUCCESS', 'users', $row['user_id']);
|
|
echo json_encode(['status' => 'success', 'message' => 'Successful Login']);
|
|
} else {
|
|
// Password is incorrect - record failed attempt
|
|
recordLoginAttempt($email, false);
|
|
auditLog(null, 'LOGIN_FAILED_INVALID_PASSWORD', 'users', null, ['email' => $email]);
|
|
|
|
// Check if this was the threshold failure
|
|
$newFailureCount = countRecentFailedAttempts($email);
|
|
if ($newFailureCount >= 5) {
|
|
lockAccount($email, 15);
|
|
echo json_encode([
|
|
'status' => 'error',
|
|
'message' => 'Too many failed login attempts. Account locked for 15 minutes.'
|
|
]);
|
|
} else {
|
|
$attemptsRemaining = 5 - $newFailureCount;
|
|
echo json_encode([
|
|
'status' => 'error',
|
|
'message' => 'Invalid password. ' . $attemptsRemaining . ' attempts remaining before account lockout.'
|
|
]);
|
|
}
|
|
}
|
|
} else {
|
|
// User does not exist - still record attempt
|
|
recordLoginAttempt($email, false);
|
|
auditLog(null, 'LOGIN_FAILED_USER_NOT_FOUND', 'users', null, ['email' => $email]);
|
|
echo json_encode(['status' => 'error', 'message' => 'User with that email does not exist.']);
|
|
}
|
|
|
|
// Close the statement and connection
|
|
$stmt->close();
|
|
}
|
|
|
|
// Close connection
|
|
$conn->close();
|
|
exit();
|
|
?>
|