webinterface.git

@@ -111,6 +111,10 @@ function __ensure_connected()

             if ($debugmode) {

                 die("MySQL-Fehler: " . $e->getMessage());

             } else {

+                // log errors

+                $f = fopen("../dberror.log", "a");

+                fwrite($f, date('Y-m-d H:i:s') . ' ' . $_SERVER['PHP_SELF'] . ' DB exception: ' . $e->getMessage() . "\n");

+                fclose($f);

                 die("Fehler bei der Datenbankverbindung!");

             }

         }

@@ -135,6 +139,10 @@ function db_query($stmt, $params = null, $allowempty = false)

         if ($debugmode) {

             system_failure("MySQL-Fehler: " . $e->getMessage() . "\nQuery:\n" . $stmt . "\nParameters:\n" . print_r($params, true));

         } else {

+            // log errors

+            $f = fopen("../dberror.log", "a");

+            fwrite($f, date('Y-m-d H:i:s') . ' ' . $_SERVER['PHP_SELF'] . ' DB exception: ' . $e->getMessage() . "\n");

+            fclose($f);

             system_failure("Datenbankfehler");

         }

     }

@@ -3,6 +3,7 @@

     "description": "Webinterface running at config.schokokeks.org",

     "license": "0BSD",

     "require": {

+        "lbuchs/webauthn": "^2.1.0",

         "bjeavons/zxcvbn-php": "^1.2",

         "giggsey/libphonenumber-for-php": "^8.8",

         "globalcitizen/php-iban": "^2.7.1",

@@ -4,7 +4,7 @@

         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",

         "This file is @generated automatically"

     ],

-    "content-hash": "2ddcdd91f6d49f93b298d93060d37034",

+    "content-hash": "b0c98221403e75acf2b0b6fe680d633b",

     "packages": [

         {

             "name": "bjeavons/zxcvbn-php",

@@ -63,16 +63,16 @@

         },

         {

             "name": "giggsey/libphonenumber-for-php",

-            "version": "8.12.43",

+            "version": "8.13.26",

             "source": {

                 "type": "git",

                 "url": "https://github.com/giggsey/libphonenumber-for-php.git",

-                "reference": "27bc97a4941f42d320fb6da3de0dcaaf7db69f5d"

+                "reference": "1d730fe40d5f32641c12ca143a086757c95cfccf"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/giggsey/libphonenumber-for-php/zipball/27bc97a4941f42d320fb6da3de0dcaaf7db69f5d",

-                "reference": "27bc97a4941f42d320fb6da3de0dcaaf7db69f5d",

+                "url": "https://api.github.com/repos/giggsey/libphonenumber-for-php/zipball/1d730fe40d5f32641c12ca143a086757c95cfccf",

+                "reference": "1d730fe40d5f32641c12ca143a086757c95cfccf",

                 "shasum": ""

             },

             "require": {

@@ -128,24 +128,23 @@

                 "validation"

             ],

             "support": {

-                "irc": "irc://irc.appliedirc.com/lobby",

                 "issues": "https://github.com/giggsey/libphonenumber-for-php/issues",

                 "source": "https://github.com/giggsey/libphonenumber-for-php"

             },

-            "time": "2022-02-09T07:46:55+00:00"

+            "time": "2023-11-23T07:57:25+00:00"

         },

         {

             "name": "giggsey/locale",

-            "version": "2.1",

+            "version": "2.5",

             "source": {

                 "type": "git",

                 "url": "https://github.com/giggsey/Locale.git",

-                "reference": "8d324583b5899e6280a875c43bf1fc9658bc6962"

+                "reference": "e6d4540109a01dd2bc7334cdc842d6a6a67cf239"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/giggsey/Locale/zipball/8d324583b5899e6280a875c43bf1fc9658bc6962",

-                "reference": "8d324583b5899e6280a875c43bf1fc9658bc6962",

+                "url": "https://api.github.com/repos/giggsey/Locale/zipball/e6d4540109a01dd2bc7334cdc842d6a6a67cf239",

+                "reference": "e6d4540109a01dd2bc7334cdc842d6a6a67cf239",

                 "shasum": ""

             },

             "require": {

@@ -159,10 +158,10 @@

                 "phing/phing": "^2.7",

                 "php-coveralls/php-coveralls": "^2.0",

                 "phpunit/phpunit": "^8.5|^9.5",

-                "symfony/console": "^5.0",

-                "symfony/filesystem": "^5.0",

-                "symfony/finder": "^5.0",

-                "symfony/process": "^5.0"

+                "symfony/console": "^5.0|^6.0",

+                "symfony/filesystem": "^5.0|^6.0",

+                "symfony/finder": "^5.0|^6.0",

+                "symfony/process": "^5.0|^6.0"

             },

             "type": "library",

             "autoload": {

@@ -184,9 +183,9 @@

             "description": "Locale functions required by libphonenumber-for-php",

             "support": {

                 "issues": "https://github.com/giggsey/Locale/issues",

-                "source": "https://github.com/giggsey/Locale/tree/2.1"

+                "source": "https://github.com/giggsey/Locale/tree/2.5"

             },

-            "time": "2021-11-04T19:12:22+00:00"

+            "time": "2023-11-01T17:19:48+00:00"

         },

         {

             "name": "globalcitizen/php-iban",

@@ -220,34 +219,82 @@

             },

             "time": "2020-05-03T19:46:35+00:00"

         },

+        {

+            "name": "lbuchs/webauthn",

+            "version": "v2.1.0",

+            "source": {

+                "type": "git",

+                "url": "https://github.com/lbuchs/WebAuthn.git",

+                "reference": "1cc44fbd61d41aec55d0f21f386a1fdd7df1459a"

+            },

+            "dist": {

+                "type": "zip",

+                "url": "https://api.github.com/repos/lbuchs/WebAuthn/zipball/1cc44fbd61d41aec55d0f21f386a1fdd7df1459a",

+                "reference": "1cc44fbd61d41aec55d0f21f386a1fdd7df1459a",

+                "shasum": ""

+            },

+            "require": {

+                "php": ">=8.0.0"

+            },

+            "type": "library",

+            "autoload": {

+                "psr-4": {

+                    "lbuchs\\WebAuthn\\": "src"

+                }

+            },

+            "notification-url": "https://packagist.org/downloads/",

+            "license": [

+                "MIT"

+            ],

+            "authors": [

+                {

+                    "name": "Lukas Buchs",

+                    "role": "Developer"

+                }

+            ],

+            "description": "A simple PHP WebAuthn (FIDO2) server library",

+            "homepage": "https://github.com/lbuchs/webauthn",

+            "keywords": [

+                "Authentication",

+                "webauthn"

+            ],

+            "support": {

+                "issues": "https://github.com/lbuchs/WebAuthn/issues",

+                "source": "https://github.com/lbuchs/WebAuthn/tree/v2.1.0"

+            },

+            "time": "2023-10-23T10:19:40+00:00"

+        },

         {

             "name": "mpdf/mpdf",

-            "version": "v8.0.17",

+            "version": "v8.2.2",

             "source": {

                 "type": "git",

                 "url": "https://github.com/mpdf/mpdf.git",

-                "reference": "5f64118317c8145c0abc606b310aa0a66808398a"

+                "reference": "596a87b876d7793be7be060a8ac13424de120dd5"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/mpdf/mpdf/zipball/5f64118317c8145c0abc606b310aa0a66808398a",

-                "reference": "5f64118317c8145c0abc606b310aa0a66808398a",

+                "url": "https://api.github.com/repos/mpdf/mpdf/zipball/596a87b876d7793be7be060a8ac13424de120dd5",

+                "reference": "596a87b876d7793be7be060a8ac13424de120dd5",

                 "shasum": ""

             },

             "require": {

                 "ext-gd": "*",

                 "ext-mbstring": "*",

+                "mpdf/psr-http-message-shim": "^1.0 || ^2.0",

+                "mpdf/psr-log-aware-trait": "^2.0 || ^3.0",

                 "myclabs/deep-copy": "^1.7",

                 "paragonie/random_compat": "^1.4|^2.0|^9.99.99",

-                "php": "^5.6 || ^7.0 || ~8.0.0 || ~8.1.0",

-                "psr/log": "^1.0 || ^2.0",

+                "php": "^5.6 || ^7.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0",

+                "psr/http-message": "^1.0 || ^2.0",

+                "psr/log": "^1.0 || ^2.0 || ^3.0",

                 "setasign/fpdi": "^2.1"

             },

             "require-dev": {

                 "mockery/mockery": "^1.3.0",

                 "mpdf/qrcode": "^1.1.0",

                 "squizlabs/php_codesniffer": "^3.5.0",

-                "tracy/tracy": "^2.4",

+                "tracy/tracy": "~2.5",

                 "yoast/phpunit-polyfills": "^1.0"

             },

             "suggest": {

@@ -257,6 +304,9 @@

             },

             "type": "library",

             "autoload": {

+                "files": [

+                    "src/functions.php"

+                ],

                 "psr-4": {

                     "Mpdf\\": "src/"

                 }

@@ -293,32 +343,125 @@

                     "type": "custom"

                 }

             ],

-            "time": "2022-01-20T10:51:40+00:00"

+            "time": "2023-11-07T13:52:14+00:00"

+        },

+        {

+            "name": "mpdf/psr-http-message-shim",

+            "version": "v2.0.1",

+            "source": {

+                "type": "git",

+                "url": "https://github.com/mpdf/psr-http-message-shim.git",

+                "reference": "f25a0153d645e234f9db42e5433b16d9b113920f"

+            },

+            "dist": {

+                "type": "zip",

+                "url": "https://api.github.com/repos/mpdf/psr-http-message-shim/zipball/f25a0153d645e234f9db42e5433b16d9b113920f",

+                "reference": "f25a0153d645e234f9db42e5433b16d9b113920f",

+                "shasum": ""

+            },

+            "require": {

+                "psr/http-message": "^2.0"

+            },

+            "type": "library",

+            "autoload": {

+                "psr-4": {

+                    "Mpdf\\PsrHttpMessageShim\\": "src/"

+                }

+            },

+            "notification-url": "https://packagist.org/downloads/",

+            "license": [

+                "MIT"

+            ],

+            "authors": [

+                {

+                    "name": "Mark Dorison",

+                    "email": "mark@chromatichq.com"

+                },

+                {

+                    "name": "Kristofer Widholm",

+                    "email": "kristofer@chromatichq.com"

+                },

+                {

+                    "name": "Nigel Cunningham",

+                    "email": "nigel.cunningham@technocrat.com.au"

+                }

+            ],

+            "description": "Shim to allow support of different psr/message versions.",

+            "support": {

+                "issues": "https://github.com/mpdf/psr-http-message-shim/issues",

+                "source": "https://github.com/mpdf/psr-http-message-shim/tree/v2.0.1"

+            },

+            "time": "2023-10-02T14:34:03+00:00"

+        },

+        {

+            "name": "mpdf/psr-log-aware-trait",

+            "version": "v3.0.0",

+            "source": {

+                "type": "git",

+                "url": "https://github.com/mpdf/psr-log-aware-trait.git",

+                "reference": "a633da6065e946cc491e1c962850344bb0bf3e78"

+            },

+            "dist": {

+                "type": "zip",

+                "url": "https://api.github.com/repos/mpdf/psr-log-aware-trait/zipball/a633da6065e946cc491e1c962850344bb0bf3e78",

+                "reference": "a633da6065e946cc491e1c962850344bb0bf3e78",

+                "shasum": ""

+            },

+            "require": {

+                "psr/log": "^3.0"

+            },

+            "type": "library",

+            "autoload": {

+                "psr-4": {

+                    "Mpdf\\PsrLogAwareTrait\\": "src/"

+                }

+            },

+            "notification-url": "https://packagist.org/downloads/",

+            "license": [

+                "MIT"

+            ],

+            "authors": [

+                {

+                    "name": "Mark Dorison",

+                    "email": "mark@chromatichq.com"

+                },

+                {

+                    "name": "Kristofer Widholm",

+                    "email": "kristofer@chromatichq.com"

+                }

+            ],

+            "description": "Trait to allow support of different psr/log versions.",

+            "support": {

+                "issues": "https://github.com/mpdf/psr-log-aware-trait/issues",

+                "source": "https://github.com/mpdf/psr-log-aware-trait/tree/v3.0.0"

+            },

+            "time": "2023-05-03T06:19:36+00:00"

         },

         {

             "name": "myclabs/deep-copy",

-            "version": "1.10.2",

+            "version": "1.11.1",

             "source": {

                 "type": "git",

                 "url": "https://github.com/myclabs/DeepCopy.git",

-                "reference": "776f831124e9c62e1a2c601ecc52e776d8bb7220"

+                "reference": "7284c22080590fb39f2ffa3e9057f10a4ddd0e0c"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/776f831124e9c62e1a2c601ecc52e776d8bb7220",

-                "reference": "776f831124e9c62e1a2c601ecc52e776d8bb7220",

+                "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/7284c22080590fb39f2ffa3e9057f10a4ddd0e0c",

+                "reference": "7284c22080590fb39f2ffa3e9057f10a4ddd0e0c",

                 "shasum": ""

             },

             "require": {

                 "php": "^7.1 || ^8.0"

             },

-            "replace": {

-                "myclabs/deep-copy": "self.version"

+            "conflict": {

+                "doctrine/collections": "<1.6.8",

+                "doctrine/common": "<2.13.3 || >=3,<3.2.2"

             },

             "require-dev": {

-                "doctrine/collections": "^1.0",

-                "doctrine/common": "^2.6",

-                "phpunit/phpunit": "^7.1"

+                "doctrine/collections": "^1.6.8",

+                "doctrine/common": "^2.13.3 || ^3.2.2",

+                "phpunit/phpunit": "^7.5.20 || ^8.5.23 || ^9.5.13"

             },

             "type": "library",

             "autoload": {

@@ -343,7 +486,7 @@

             ],

             "support": {

                 "issues": "https://github.com/myclabs/DeepCopy/issues",

-                "source": "https://github.com/myclabs/DeepCopy/tree/1.10.2"

+                "source": "https://github.com/myclabs/DeepCopy/tree/1.11.1"

             },

             "funding": [

                 {

@@ -351,7 +494,7 @@

                     "type": "tidelift"

                 }

             ],

-            "time": "2020-11-13T09:40:50+00:00"

+            "time": "2023-03-08T13:26:56+00:00"

         },

         {

             "name": "paragonie/random_compat",

@@ -451,18 +594,71 @@

             },

             "time": "2019-03-20T00:55:58+00:00"

         },

+        {

+            "name": "psr/http-message",

+            "version": "2.0",

+            "source": {

+                "type": "git",

+                "url": "https://github.com/php-fig/http-message.git",

+                "reference": "402d35bcb92c70c026d1a6a9883f06b2ead23d71"

+            },

+            "dist": {

+                "type": "zip",

+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/402d35bcb92c70c026d1a6a9883f06b2ead23d71",

+                "reference": "402d35bcb92c70c026d1a6a9883f06b2ead23d71",

+                "shasum": ""

+            },

+            "require": {

+                "php": "^7.2 || ^8.0"

+            },

+            "type": "library",

+            "extra": {

+                "branch-alias": {

+                    "dev-master": "2.0.x-dev"

+                }

+            },

+            "autoload": {

+                "psr-4": {

+                    "Psr\\Http\\Message\\": "src/"

+                }

+            },

+            "notification-url": "https://packagist.org/downloads/",

+            "license": [

+                "MIT"

+            ],

+            "authors": [

+                {

+                    "name": "PHP-FIG",

+                    "homepage": "https://www.php-fig.org/"

+                }

+            ],

+            "description": "Common interface for HTTP messages",

+            "homepage": "https://github.com/php-fig/http-message",

+            "keywords": [

+                "http",

+                "http-message",

+                "psr",

+                "psr-7",

+                "request",

+                "response"

+            ],

+            "support": {

+                "source": "https://github.com/php-fig/http-message/tree/2.0"

+            },

+            "time": "2023-04-04T09:54:51+00:00"

+        },

         {

             "name": "psr/log",

-            "version": "2.0.0",

+            "version": "3.0.0",

             "source": {

                 "type": "git",

                 "url": "https://github.com/php-fig/log.git",

-                "reference": "ef29f6d262798707a9edd554e2b82517ef3a9376"

+                "reference": "fe5ea303b0887d5caefd3d431c3e61ad47037001"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/php-fig/log/zipball/ef29f6d262798707a9edd554e2b82517ef3a9376",

-                "reference": "ef29f6d262798707a9edd554e2b82517ef3a9376",

+                "url": "https://api.github.com/repos/php-fig/log/zipball/fe5ea303b0887d5caefd3d431c3e61ad47037001",

+                "reference": "fe5ea303b0887d5caefd3d431c3e61ad47037001",

                 "shasum": ""

             },

             "require": {

@@ -471,7 +667,7 @@

             "type": "library",

             "extra": {

                 "branch-alias": {

-                    "dev-master": "2.0.x-dev"

+                    "dev-master": "3.x-dev"

                 }

             },

             "autoload": {

@@ -497,22 +693,22 @@

                 "psr-3"

             ],

             "support": {

-                "source": "https://github.com/php-fig/log/tree/2.0.0"

+                "source": "https://github.com/php-fig/log/tree/3.0.0"

             },

-            "time": "2021-07-14T16:41:46+00:00"

+            "time": "2021-07-14T16:46:02+00:00"

         },

         {

             "name": "setasign/fpdi",

-            "version": "v2.3.6",

+            "version": "v2.5.0",

             "source": {

                 "type": "git",

                 "url": "https://github.com/Setasign/FPDI.git",

-                "reference": "6231e315f73e4f62d72b73f3d6d78ff0eed93c31"

+                "reference": "ecf0459643ec963febfb9a5d529dcd93656006a4"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/Setasign/FPDI/zipball/6231e315f73e4f62d72b73f3d6d78ff0eed93c31",

-                "reference": "6231e315f73e4f62d72b73f3d6d78ff0eed93c31",

+                "url": "https://api.github.com/repos/Setasign/FPDI/zipball/ecf0459643ec963febfb9a5d529dcd93656006a4",

+                "reference": "ecf0459643ec963febfb9a5d529dcd93656006a4",

                 "shasum": ""

             },

             "require": {

@@ -525,7 +721,7 @@

             "require-dev": {

                 "phpunit/phpunit": "~5.7",

                 "setasign/fpdf": "~1.8",

-                "setasign/tfpdf": "1.31",

+                "setasign/tfpdf": "~1.31",

                 "squizlabs/php_codesniffer": "^3.5",

                 "tecnickcom/tcpdf": "~6.2"

             },

@@ -563,7 +759,7 @@

             ],

             "support": {

                 "issues": "https://github.com/Setasign/FPDI/issues",

-                "source": "https://github.com/Setasign/FPDI/tree/v2.3.6"

+                "source": "https://github.com/Setasign/FPDI/tree/v2.5.0"

             },

             "funding": [

                 {

@@ -571,20 +767,20 @@

                     "type": "tidelift"

                 }

             ],

-            "time": "2021-02-11T11:37:01+00:00"

+            "time": "2023-09-28T10:46:27+00:00"

         },

         {

             "name": "symfony/polyfill-mbstring",

-            "version": "v1.24.0",

+            "version": "v1.28.0",

             "source": {

                 "type": "git",

                 "url": "https://github.com/symfony/polyfill-mbstring.git",

-                "reference": "0abb51d2f102e00a4eefcf46ba7fec406d245825"

+                "reference": "42292d99c55abe617799667f454222c54c60e229"

             },

             "dist": {

                 "type": "zip",

-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/0abb51d2f102e00a4eefcf46ba7fec406d245825",

-                "reference": "0abb51d2f102e00a4eefcf46ba7fec406d245825",

+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/42292d99c55abe617799667f454222c54c60e229",

+                "reference": "42292d99c55abe617799667f454222c54c60e229",

                 "shasum": ""

             },

             "require": {

@@ -599,7 +795,7 @@

             "type": "library",

             "extra": {

                 "branch-alias": {

-                    "dev-main": "1.23-dev"

+                    "dev-main": "1.28-dev"

                 },

                 "thanks": {

                     "name": "symfony/polyfill",

@@ -638,7 +834,7 @@

                 "shim"

             ],

             "support": {

-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.24.0"

+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.28.0"

             },

             "funding": [

                 {

@@ -654,7 +850,7 @@

                     "type": "tidelift"

                 }

             ],

-            "time": "2021-11-30T18:21:41+00:00"

+            "time": "2023-07-28T09:04:16+00:00"

         }

     ],

     "packages-dev": [],

@@ -667,5 +863,5 @@

     "prefer-lowest": false,

     "platform": [],

     "platform-dev": [],

-    "plugin-api-version": "2.0.0"

+    "plugin-api-version": "2.1.0"

 }

@@ -25,7 +25,7 @@ $config['db_user'] = 'username';

 $config['db_pass'] = 'password';

-$config['modules'] = ["index", "domains", "imap", "mysql", "jabber", "vhosts", "register", "systemuser", "su"];

+$config['modules'] = ["index", "domains", "imap", "mysql", "jabber", "vhosts", "register", "systemuser", "su", "loginsecurity"];

 $config['enable_debug'] = true;

 $config['logging'] = LOG_ERR;

@@ -150,6 +150,11 @@ function login_screen($why = null)

     if ($why) {

         warning($why);

     }

+    if (have_module('loginsecurity')) {

+        require_once('inc/javascript.php');

+        javascript('passkey_ajax.js', 'loginsecurity');

+        javascript('passkey_loginpage.js', 'loginsecurity');

+    }

     show_page('login');

     die();

 }

@@ -0,0 +1,35 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+This code is published under a 0BSD license.

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('inc/base.php');

+require_role(ROLE_SYSTEMUSER);

+

+require_once('totp.php');

+

+$id = (int) $_REQUEST['totp'];

+

+$sure = user_is_sure();

+if ($sure === null) {

+    $section = 'loginsecurity_overview';

+    title("Zwei-Faktor-Anmeldung");

+    are_you_sure("totp={$id}", "Möchten Sie die Zwei-Faktor-Anmeldung wirklich entfernen?");

+} elseif ($sure === true) {

+    delete_systemuser_totp($id);

+    if (!$debugmode) {

+        header("Location: overview");

+    }

+} elseif ($sure === false) {

+    if (!$debugmode) {

+        header("Location: overview");

+    }

+}

@@ -0,0 +1,48 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+This code is published under a 0BSD license.

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('inc/base.php');

+require_role(ROLE_SYSTEMUSER);

+

+require_once('passkey.php');

+

+$id = (int) $_REQUEST['id'];

+

+$pk = null;

+$passkeys = list_passkeys();

+foreach ($passkeys as $item) {

+    if ($item['id'] == $id) {

+        $pk = $item;

+    }

+}

+

+if (!$pk) {

+    system_failure("Invalid passkey");

+}

+

+

+$sure = user_is_sure();

+if ($sure === null) {

+    $section = 'loginsecurity_overview';

+    title("Passkey löschen");

+    are_you_sure("id={$id}", "Möchten Sie den Passkey #{$pk['id']} ({$pk['handle']}) wirklich entfernen?");

+} elseif ($sure === true) {

+    delete_systemuser_passkey($id);

+    if (!$debugmode) {

+        header("Location: overview");

+    }

+} elseif ($sure === false) {

+    if (!$debugmode) {

+        header("Location: overview");

+    }

+}

@@ -0,0 +1,55 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+This code is published under a 0BSD license.

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+function save_passkey($data, $handle=null)

+{

+    require_role(ROLE_SYSTEMUSER);

+    $args = [

+        ":credentialId" => $data->credentialId,

+        ":credentialPublicKey" => $data->credentialPublicKey,

+        ":rpId" => $data->rpId,

+        ":handle" => $handle,

+        ":uid" => $_SESSION['userinfo']['uid']

+        ];

+    db_query("INSERT INTO system.systemuser_passkey (uid, handle, rpId, credentialId, credentialPublicKey) VALUES ".

+            "(:uid, :handle, :rpId, :credentialId, :credentialPublicKey)", $args);

+}

+

+function get_passkey($id) 

+{

+    $ret = db_query("SELECT uid, handle, credentialPublicKey FROM system.systemuser_passkey WHERE credentialId=:id", [":id" => $id]);

+    if ($data = $ret->fetch()) {

+        return $data;

+    }

+    return null;

+}

+

+

+function list_passkeys()

+{

+    $result = db_query("SELECT id, handle, setuptime, rpId FROM system.systemuser_passkey WHERE uid=:uid", [":uid" => $_SESSION['userinfo']['uid']]);

+    $ret = [];

+    while ($item = $result->fetch()) {

+        $ret[] = $item;

+    }

+    return $ret;

+}

+

+function delete_systemuser_passkey($id) {

+    $args = [

+        ":id" => $id,

+        ":uid" => $_SESSION['userinfo']['uid']

+        ];

+    db_query("DELETE FROM system.systemuser_passkey WHERE uid=:uid AND id=:id", $args);

+}

+

@@ -0,0 +1,189 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+This code is published under a 0BSD license.

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('vendor/autoload.php');

+

+function list_systemuser_totp($uid = null)

+{

+    if (!$uid) {

+        $uid = (int)$_SESSION['userinfo']['uid'];

+    }

+    $result = db_query("SELECT id, description, setuptime FROM system.systemuser_totp WHERE uid=?", [$uid]);

+    $ret = [];

+    while ($line = $result->fetch()) {

+        $ret[] = $line;

+    }

+    return $ret;

+}

+

+function check_systemuser_password($password)

+{

+    $result = db_query("SELECT passwort AS password FROM system.passwoerter WHERE uid=:uid", [":uid" => $_SESSION['userinfo']['uid']]);

+    if (@$result->rowCount() > 0) {

+        $entry = $result->fetch(PDO::FETCH_OBJ);

+        $db_password = $entry->password;

+        $hash = crypt($password, $db_password);

+        if ($hash == $db_password) {

+            return true;

+        }

+    }

+    return false;

+}

+

+

+function generate_systemuser_secret()

+{

+    $ga = new PHPGangsta_GoogleAuthenticator();

+

+    $secret = $ga->createSecret();

+    DEBUG('GA-Secret: ' . $secret);

+    return $secret;

+}

+

+function check_systemuser_locked($uid)

+{

+    if (!$uid) {

+        $uid = $_SESSION['userinfo']['uid'];

+    }

+    $result = db_query("SELECT 1 FROM system.systemuser_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND uid=?", [$uid]);

+    return ($result->rowCount() > 0);

+}

+

+function check_systemuser_totp($uid, $code)

+{

+    $ga = new PHPGangsta_GoogleAuthenticator();

+    $secret = null;

+    $checkResult = false;

+    if (isset($_SESSION['totp_secret'])) {

+        // Während des Setup

+        $secret = $_SESSION['totp_secret'];

+        $checkResult = $ga->verifyCode($secret, $code, 2);    // 2 = 2*30sec clock tolerance

+    } else {

+        // Normalbetrieb

+        if (!$uid) {

+            $uid = $_SESSION['userinfo']['uid'];

+        }

+        $result = db_query("SELECT id,secret,failures FROM system.systemuser_totp WHERE uid=? AND (unlock_timestamp IS NULL OR unlock_timestamp<NOW())", [$uid]);

+        while ($tmp = $result->fetch()) {

+            $totp_id = $tmp['id'];

+            $secret = $tmp['secret'];

+        

+            if (check_systemuser_blacklist($uid, $totp_id, $code)) {

+                DEBUG('Replay-Attack');

+                return false;

+            }

+

+            $checkResult = $ga->verifyCode($secret, $code, 2);    // 2 = 2*30sec clock tolerance

+            if ($checkResult) {

+                db_query("UPDATE system.systemuser_totp SET lastused=CURRENT_TIMESTAMP() WHERE id=?", [$totp_id]);

+                blacklist_systemuser_token($uid, $totp_id, $code);

+                DEBUG('OK');

+            } else {

+                DEBUG('TOTP-Code war falsch, checke gegen Restoretoken');

+                if ($code == totp_restoretoken($totp_id)) {

+                    // Das Restoretoken wird als gültiges OTP anerkannt (eigentlich nicht okay aber einfacher)

+                    return true;

+                }

+                if ($tmp['failures'] > 0 && $tmp['failures'] % 5 == 0) {

+                    db_query("UPDATE system.systemuser_totp SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE id=?", [$totp_id]);

+                } else {

+                    db_query("UPDATE system.systemuser_totp SET failures = failures+1 WHERE id=?", [$totp_id]);

+                }

+                DEBUG('FAILED');

+            }

+            if ($checkResult) {

+                // Wenn einer stimmt, dann reicht uns das

+                return true;

+            }

+        }

+    }

+    return $checkResult;

+}

+

+function save_totp_config($description)

+{

+    if (!isset($_SESSION['totp_secret'])) {

+        system_failure("Session kaputt");

+    }

+    $args = [":uid" => $_SESSION['userinfo']['uid'], ":secret" => $_SESSION['totp_secret'], ":restoretoken" => random_string(30), ":description" => $description];

+    db_query("INSERT INTO system.systemuser_totp (description, uid, secret, restoretoken) VALUES (:description, :uid, :secret, :restoretoken)", $args);

+    unset($_SESSION['totp_secret']);

+    return db_insert_id();

+}

+

+function totp_restoretoken($totp_id)

+{

+    $result = db_query("SELECT restoretoken FROM system.systemuser_totp WHERE id=:id", 

+        [":id" => $totp_id]);

+    $data = $result->fetch();

+    DEBUG("Restoretoken für #{$totp_id} ist {$data['restoretoken']}");

+    return $data['restoretoken'];

+}

+

+function generate_systemuser_qrcode_image($secret)

+{

+    $username = $_SESSION['userinfo']['username'];

+    $url = 'otpauth://totp/'.$username.'@schokokeks.org?secret=' . $secret;

+

+    $descriptorspec = [

+    0 => ["pipe", "r"],  // STDIN ist eine Pipe, von der das Child liest

+    1 => ["pipe", "w"],  // STDOUT ist eine Pipe, in die das Child schreibt

+    2 => ["pipe", "w"],

+  ];

+

+    $process = proc_open('qrencode -t PNG -s 5 -o -', $descriptorspec, $pipes);

+

+    if (is_resource($process)) {

+        // $pipes sieht nun so aus:

+        // 0 => Schreibhandle, das auf das Child STDIN verbunden ist

+        // 1 => Lesehandle, das auf das Child STDOUT verbunden ist

+

+        fwrite($pipes[0], $url);

+        fclose($pipes[0]);

+

+        $pngdata = stream_get_contents($pipes[1]);

+        fclose($pipes[1]);

+

+        // Es ist wichtig, dass Sie alle Pipes schließen bevor Sie

+        // proc_close aufrufen, um Deadlocks zu vermeiden

+        $return_value = proc_close($process);

+

+        return $pngdata;

+    } else {

+        warning('Es ist ein interner Fehler im Webinterface aufgetreten, aufgrund dessen kein QR-Code erstellt werden kann. Sollte dieser Fehler mehrfach auftreten, kontaktieren Sie bitte die Administratoren.');

+    }

+}

+

+

+function delete_systemuser_totp($id)

+{

+    $args = [":id" => $id,

+                ":uid" => $_SESSION['userinfo']['uid'], ];

+

+    db_query("DELETE FROM system.systemuser_totp WHERE id=:id AND uid=:uid", $args);

+}

+

+

+function blacklist_systemuser_token($uid, $totpid, $token)

+{

+    $args = [":totpid" => $totpid, ":uid" => $uid, ":token" => $token];

+    db_query("INSERT INTO system.systemuser_totp_used (timestamp, uid, totpid, token) VALUES (NOW(), :uid, :totpid, :token)", $args);

+}

+

+function check_systemuser_blacklist($uid, $totpid, $token)

+{

+    $args = [":totpid" => $totpid, ":uid" => $uid, ":token" => $token];

+    db_query("DELETE FROM system.systemuser_totp_used WHERE timestamp < NOW() - INTERVAL 10 MINUTE");

+    $result = db_query("SELECT id FROM system.systemuser_totp_used WHERE uid=:uid AND totpid=:totpid AND token=:token", $args);

+    return ($result->rowCount() > 0);

+}

@@ -0,0 +1,18 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+This code is published under a 0BSD license.

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+$role = $_SESSION['role'];

+

+if ($role & ROLE_SYSTEMUSER) {

+    $menu["loginsecurity_overview"] = ["label" => "Sicherheit", "file" => "overview", "weight" => -20, "submenu" => "systemuser_account" ];

+}

@@ -0,0 +1,4 @@

+name = totp

+description = 2-Faktor-Authentifizierung für Login

+permission = Verwalten der 2-Faktor-Authentifizierung

+

@@ -0,0 +1,47 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+This code is published under a 0BSD license.

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('passkey.php');

+require_once('inc/icons.php');

+require_role(ROLE_SYSTEMUSER);

+require_once('inc/javascript.php');

+javascript("passkey_ajax.js");

+

+title("Sichere Anmeldung");

+

+output('<p>Sie können die Anmeldung bei ' . config('company_name') . ' passwortlos einrichten.</p>');

+

+output('<h3>Anmeldung mit Passkeys / FIDO2</h3>');

+

+output('<p>Mit der Passkeys-Technologie (technisch identisch zu FIDO2 / WebAuthn) können Sie die Anmeldung mit einem Hardware-Security-Modul oder mit Ihrem Mobilgerät als Schlüssel verwenden (Die Möglichkeiten variieren je nach Betriebssystem bzw. Browser). Wir nutzen in diesem Webinterface den Begriff <em>Passkeys</em>, damit ist jedoch stets auch die Verwendung unterschiedlicher FIDO2-Geräte gemeint.</p>

+<p>Bei der Anmeldung mit einem Passkey müssen Sie weder Benutzername noch Passwort eingeben sondern werden (nach Bestätigung Ihres Sicherheitsgeräts) direkt im Webinterface eingeloggt.</p>

+<p><strong>Bitte beachten Sie:</strong> Wenn Sie hier einen Schlüssel hinterlegen, funktioniert diese Anmeldemethode nur hier im Webinterface. Für die Anmeldung per SSH müssen Sie für eine vergleichbare Sicherheit und Komfort einen SSH-Schlüssel in Ihrem Benutzeraccount hinterlegen. Je nach Ihrem Client-System kann auch der SSH-Key dann über das Sicherheitsmodul oder via Passkeys verwaltet werden.</p>');

+

+output('<p>Zur Absicherung Ihres Zugangs empfehlen wir folgendes Vorgehen: Richten Sie den SSH-Zugang über einen SSH-Key und den Zugang zu diesem Webinterface über einen Passkey ein. Setzen Sie dann ein komplexes, neues Passwort zur Wiederherstellung im Fehlerfall und heben Sie dieses Passwort an einem sicheren Ort auf (z.B. ausgedruckt im Tresor). Schalten Sie dann den SSH-Login über Passwort ab. So steht Ihnen das Passwort als Sicherheit zur Wiederherstellung Ihres Zugangs in diesem Webinterface zu Verfügug, es wird aber im Alltag nicht gebraucht.</p>');

+

+$passkeys = list_passkeys();

+if (count($passkeys) > 0) {

+    output('<h4>Aktuell eingerichtete Passkeys:</h4>');

+    foreach ($passkeys as $pk) {

+        $hostname = '';

+        $rpId = $_SERVER['HTTP_HOST'];

+        if ($pk['rpId'] != $rpId) {

+            $hostname = 'Nur gültig für die URL <strong>' . $pk['rpId'] . '</strong>!<br>';

+        }

+        output("<p class=\"passkey\">Gerätebezeichnung: <strong>{$pk['handle']}</strong><br>hinzugefügt am {$pk['setuptime']}<br>" . $hostname . internal_link("delete_passkey", icon_delete() . "Diesen Passkey löschen", "id={$pk['id']}") . "</p>");

+    }

+}

+

+output('<p><label for="passkey_handle">Bezeichnung für neuen Passkey:</label> <input id="passkey_handle" type="text" length="20"> <button onclick="passkey_register()">Passkey registrieren</button></p>

+<p><button onclick="passkey_validate(false)">Passkey prüfen</button></p>');

+

@@ -0,0 +1,97 @@

+var helper = {

+  // (A1) ARRAY BUFFER TO BASE 64

+  atb : b => {

+    let u = new Uint8Array(b), s = "";

+    for (let i=0; i<u.byteLength; i++) { s += String.fromCharCode(u[i]); }

+    return btoa(s);

+  },

+

+  // (A2) BASE 64 TO ARRAY BUFFER

+  bta : o => {

+    let pre = "=?BINARY?B?", suf = "?=";

+    for (let k in o) { if (typeof o[k] == "string") {

+      let s = o[k];

+      if (s.substring(0, pre.length)==pre && s.substring(s.length - suf.length)==suf) {

+        let b = window.atob(s.substring(pre.length, s.length - suf.length)),

+        u = new Uint8Array(b.length);

+        for (let i=0; i<b.length; i++) { u[i] = b.charCodeAt(i); }

+        o[k] = u.buffer;

+      }

+    } else { helper.bta(o[k]); }}

+  },

+

+  // (A3) AJAX FETCH

+  ajax : (url, data, after) => {

+    let form = new FormData();

+    for (let [k,v] of Object.entries(data)) { form.append(k,v); }

+    fetch(url, { method: "POST", body: form })

+    .then(res => res.text())

+    .then(res => after(res))

+    .catch(err => { alert("ERROR!"); console.error(err); });

+  }

+};

+

+function passkey_register() {

+  helper.ajax("../loginsecurity/passkey_ajax", {

+    req : "getCreateArgs",

+    handle : document.getElementById('passkey_handle') ? document.getElementById('passkey_handle').value : null

+  }, async (res) => {

+    try {

+      res = JSON.parse(res);

+      helper.bta(res);

+      passkey_register_send(await navigator.credentials.create(res));

+    } catch (e) { alert("Error"); console.error(e); }

+  });

+}

+

+function passkey_register_send(cred) {

+  helper.ajax("../loginsecurity/passkey_ajax", {

+    req : "processCreate",

+    transport : cred.response.getTransports ? cred.response.getTransports() : null,

+    client : cred.response.clientDataJSON ? helper.atb(cred.response.clientDataJSON) : null,

+    attest : cred.response.attestationObject ? helper.atb(cred.response.attestationObject) : null

+  }, handle_register_result)

+}

+

+function handle_register_result(res) {

+    if (res == "OK") {

+        // Alles okay