mitrobill/system/autoload/Admin.php

<?php

/**
 *  PHP Mikrotik Billing (https://github.com/hotspotbilling/phpnuxbill/)
 *  by https://t.me/ibnux
 **/


class Admin
{

    public static function getID()
    {
        global $db_pass, $config, $isApi;

        $enable_session_timeout = $config['enable_session_timeout'] == 1;
        $session_timeout_duration = $config['session_timeout_duration'] ? intval($config['session_timeout_duration'] * 60) : intval(60 * 60); // Convert minutes to seconds
        if ($isApi) {
            $enable_session_timeout = false;
        }
        if ($enable_session_timeout && !empty($_SESSION['aid']) && !empty($_SESSION['aid_expiration'])) {
            if ($_SESSION['aid_expiration'] > time()) {
                $isValid = self::validateToken($_SESSION['aid'], $_COOKIE['aid']);
                if (!$isValid) {
                    self::removeCookie();
                    _alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin");
                    return 0;
                }
                // extend timeout duration
                $_SESSION['aid_expiration'] = time() + $session_timeout_duration;

                return $_SESSION['aid'];
            } else {
                // Session expired, log out the user
                self::removeCookie();
                _alert(Lang::T('Session has expired. Please log in again.'), 'danger', "admin");
                return 0;
            }
        } else if (!empty($_SESSION['aid'])) {
            $isValid = self::validateToken($_SESSION['aid'], $_COOKIE['aid']);
            if (!$isValid) {
                self::removeCookie();
                _alert(Lang::T('Token has expired. Please log in again.') . '.'.$_SESSION['aid'], 'danger', "admin");
                return 0;
            }
            return $_SESSION['aid'];
        }
        // Check if the cookie is set and valid
        elseif (isset($_COOKIE['aid'])) {
            $tmp = explode('.', $_COOKIE['aid']);
            if (sha1("$tmp[0].$tmp[1].$db_pass") == $tmp[2]) {
                // Validate the token in the cookie
                $isValid = self::validateToken($tmp[0], $_COOKIE['aid']);
                if ($isApi) {
                    // For now API need to always return true, next need to add revoke token API
                    $isValid = true;
                }
                if (!empty($_COOKIE['aid']) && !$isValid) {
                    self::removeCookie();
                    _alert(Lang::T('Token has expired. Please log in again.') . '..', 'danger', "admin");
                    return 0;
                } else {
                    if (time() - $tmp[1] < 86400 * 7) {
                        $_SESSION['aid'] = $tmp[0];
                        if ($enable_session_timeout) {
                            $_SESSION['aid_expiration'] = time() + $session_timeout_duration;
                        }
                        return $tmp[0];
                    }
                }
            }
        }

        return 0;
    }

    public static function setCookie($aid)
    {
        global $db_pass, $config;
        $enable_session_timeout = $config['enable_session_timeout'];
        $session_timeout_duration = intval($config['session_timeout_duration']) * 60; // Convert minutes to seconds

        if (isset($aid)) {
            $time = time();
            $token = $aid . '.' . $time . '.' . sha1("$aid.$time.$db_pass");

            // Detect the current protocol
            $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            // Set cookie with security flags
            setcookie('aid', $token, [
                'expires' => time() + 86400 * 7, // 7 days
                'path' => '/',
                'domain' => '',
                'secure' => $isSecure,
                'httponly' => true,
                'samesite' => 'Lax', // or Strict
            ]);

            $_SESSION['aid'] = $aid;

            if ($enable_session_timeout) {
                $_SESSION['aid_expiration'] = $time + $session_timeout_duration;
            }

            self::upsertToken($aid, $token);

            return $token;
        }

        return '';
    }

    public static function removeCookie()
    {
        global $_app_stage;
        if (isset($_COOKIE['aid'])) {
            $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            setcookie('aid', '', [
                'expires' => time() - 3600,
                'path' => '/',
                'domain' => '',
                'secure' => $isSecure,
                'httponly' => true,
                'samesite' => 'Lax',
            ]);
            session_destroy();
            session_unset();
            session_start();
            unset($_COOKIE['aid'], $_SESSION['aid']);
        }
    }

    public static function _info($id = 0)
    {
        if (empty($id) && $id == 0) {
            $id = Admin::getID();
        }
        if ($id) {
            return ORM::for_table('tbl_users')->find_one($id);
        } else {
            return null;
        }
    }

    public static function upsertToken($aid, $token)
    {
        $query = ORM::for_table('tbl_users')->findOne($aid);
        $query->login_token = sha1($token);
        $query->save();
    }

    public static function validateToken($aid, $cookieToken)
    {
        global $config;
        $query =  ORM::for_table('tbl_users')->select('login_token')->findOne($aid);
        if ($config['single_session'] != 'yes') {
            return true; // For multi-session, any token is valid
        }
        if (empty($query)) {
            return true;
        }
        return $query->login_token === sha1($cookieToken);
    }
}
PHPMixBill v5.0 - First Upload 2017-03-11 02:51:06 +07:00			`<?php`
Path Configuration 2024-02-26 14:38:04 +07:00
PHPMixBill v5.0 - First Upload 2017-03-11 02:51:06 +07:00			`/**`
Change credits 2023-10-12 15:55:42 +07:00			`* PHP Mikrotik Billing (https://github.com/hotspotbilling/phpnuxbill/)`
			`* by https://t.me/ibnux`
			`**/`

PHPMixBill v5.0 - First Upload 2017-03-11 02:51:06 +07:00
Path Configuration 2024-02-26 14:38:04 +07:00			`class Admin`
			`{`
Session using cookie 2024-02-12 09:45:44 +07:00
Path Configuration 2024-02-26 14:38:04 +07:00			`public static function getID()`
			`{`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`global $db_pass, $config, $isApi;`
if admin session time error, it logout admin out whether admin are online or not, once time reach it logout you out 2024-09-12 11:39:45 +01:00
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`$enable_session_timeout = $config['enable_session_timeout'] == 1;`
			`$session_timeout_duration = $config['session_timeout_duration'] ? intval($config['session_timeout_duration'] * 60) : intval(60 * 60); // Convert minutes to seconds`
Api always Valid 2024-10-11 11:42:38 +07:00			`if ($isApi) {`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`$enable_session_timeout = false;`
			`}`
fix logic Session Admin especially isApi 2024-10-11 11:09:27 +07:00			`if ($enable_session_timeout && !empty($_SESSION['aid']) && !empty($_SESSION['aid_expiration'])) {`
if admin session time error, it logout admin out whether admin are online or not, once time reach it logout you out 2024-09-12 11:39:45 +01:00			`if ($_SESSION['aid_expiration'] > time()) {`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`$isValid = self::validateToken($_SESSION['aid'], $_COOKIE['aid']);`
			`if (!$isValid) {`
			`self::removeCookie();`
			`_alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin");`
			`return 0;`
			`}`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`// extend timeout duration`
			`$_SESSION['aid_expiration'] = time() + $session_timeout_duration;`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00
if admin session time error, it logout admin out whether admin are online or not, once time reach it logout you out 2024-09-12 11:39:45 +01:00			`return $_SESSION['aid'];`
fix logic Session Admin especially isApi 2024-10-11 11:09:27 +07:00			`} else {`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`// Session expired, log out the user`
if admin session time error, it logout admin out whether admin are online or not, once time reach it logout you out 2024-09-12 11:39:45 +01:00			`self::removeCookie();`
			`_alert(Lang::T('Session has expired. Please log in again.'), 'danger', "admin");`
			`return 0;`
Payment Gateway Audit page 2024-08-01 17:55:58 +07:00			`}`
fix logic Session Admin especially isApi 2024-10-11 11:09:27 +07:00			`} else if (!empty($_SESSION['aid'])) {`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`$isValid = self::validateToken($_SESSION['aid'], $_COOKIE['aid']);`
			`if (!$isValid) {`
			`self::removeCookie();`
cannot deactivate postpaid 2024-10-25 14:05:57 +07:00			`_alert(Lang::T('Token has expired. Please log in again.') . '.'.$_SESSION['aid'], 'danger', "admin");`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`return 0;`
			`}`
			`return $_SESSION['aid'];`
Payment Gateway Audit page 2024-08-01 17:55:58 +07:00			`}`
if admin session time error, it logout admin out whether admin are online or not, once time reach it logout you out 2024-09-12 11:39:45 +01:00			`// Check if the cookie is set and valid`
Add session expiration settings You can now set session expiration in settings -> General Settings -> Miscellaneous if admin is Idles for more than minutes set, he will required to login again, just for account security concerns. you can enable or disable 2024-07-27 00:56:48 +01:00			`elseif (isset($_COOKIE['aid'])) {`
Path Configuration 2024-02-26 14:38:04 +07:00			`$tmp = explode('.', $_COOKIE['aid']);`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`if (sha1("$tmp[0].$tmp[1].$db_pass") == $tmp[2]) {`
			`// Validate the token in the cookie`
			`$isValid = self::validateToken($tmp[0], $_COOKIE['aid']);`
Api always Valid 2024-10-11 11:42:38 +07:00			`if ($isApi) {`
			`// For now API need to always return true, next need to add revoke token API`
			`$isValid = true;`
			`}`
fix login loop 2024-10-10 16:24:36 +01:00			`if (!empty($_COOKIE['aid']) && !$isValid) {`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`self::removeCookie();`
cannot deactivate postpaid 2024-10-25 14:05:57 +07:00			`_alert(Lang::T('Token has expired. Please log in again.') . '..', 'danger', "admin");`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`return 0;`
fix login loop 2024-10-10 16:24:36 +01:00			`} else {`
			`if (time() - $tmp[1] < 86400 * 7) {`
			`$_SESSION['aid'] = $tmp[0];`
			`if ($enable_session_timeout) {`
			`$_SESSION['aid_expiration'] = time() + $session_timeout_duration;`
			`}`
			`return $tmp[0];`
Add session expiration settings You can now set session expiration in settings -> General Settings -> Miscellaneous if admin is Idles for more than minutes set, he will required to login again, just for account security concerns. you can enable or disable 2024-07-27 00:56:48 +01:00			`}`
Session using cookie 2024-02-12 09:45:44 +07:00			`}`
			`}`
			`}`
Add session expiration settings You can now set session expiration in settings -> General Settings -> Miscellaneous if admin is Idles for more than minutes set, he will required to login again, just for account security concerns. you can enable or disable 2024-07-27 00:56:48 +01:00
Session using cookie 2024-02-12 09:45:44 +07:00			`return 0;`
			`}`
Setting sAllow Registration = Yes/Voucher/No Registration 2024-10-17 09:35:26 +07:00
Path Configuration 2024-02-26 14:38:04 +07:00			`public static function setCookie($aid)`
			`{`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`global $db_pass, $config;`
Add session expiration settings You can now set session expiration in settings -> General Settings -> Miscellaneous if admin is Idles for more than minutes set, he will required to login again, just for account security concerns. you can enable or disable 2024-07-27 00:56:48 +01:00			`$enable_session_timeout = $config['enable_session_timeout'];`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00			`$session_timeout_duration = intval($config['session_timeout_duration']) * 60; // Convert minutes to seconds`

Path Configuration 2024-02-26 14:38:04 +07:00			`if (isset($aid)) {`
Session using cookie 2024-02-12 09:45:44 +07:00			`$time = time();`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00			`$token = $aid . '.' . $time . '.' . sha1("$aid.$time.$db_pass");`

			`// Detect the current protocol`
			`$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`
			`// Set cookie with security flags`
			`setcookie('aid', $token, [`
			`'expires' => time() + 86400 * 7, // 7 days`
			`'path' => '/',`
fix login loop 2024-10-10 16:24:36 +01:00			`'domain' => '',`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00			`'secure' => $isSecure,`
			`'httponly' => true,`
			`'samesite' => 'Lax', // or Strict`
			`]);`

Add session expiration settings You can now set session expiration in settings -> General Settings -> Miscellaneous if admin is Idles for more than minutes set, he will required to login again, just for account security concerns. you can enable or disable 2024-07-27 00:56:48 +01:00			`$_SESSION['aid'] = $aid;`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00
Add session expiration settings You can now set session expiration in settings -> General Settings -> Miscellaneous if admin is Idles for more than minutes set, he will required to login again, just for account security concerns. you can enable or disable 2024-07-27 00:56:48 +01:00			`if ($enable_session_timeout) {`
			`$_SESSION['aid_expiration'] = $time + $session_timeout_duration;`
			`}`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`self::upsertToken($aid, $token);`

fix rest api, need to change every variable to readable 2024-04-01 13:01:21 +07:00			`return $token;`
Session using cookie 2024-02-12 09:45:44 +07:00			`}`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00
fix rest api, need to change every variable to readable 2024-04-01 13:01:21 +07:00			`return '';`
Session using cookie 2024-02-12 09:45:44 +07:00			`}`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00
Path Configuration 2024-02-26 14:38:04 +07:00			`public static function removeCookie()`
			`{`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`global $_app_stage;`
Path Configuration 2024-02-26 14:38:04 +07:00			`if (isset($_COOKIE['aid'])) {`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00			`$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`
			`setcookie('aid', '', [`
			`'expires' => time() - 3600,`
			`'path' => '/',`
fix login loop 2024-10-10 16:24:36 +01:00			`'domain' => '',`
Critical Updates, Fight Against Insecurity 2024-10-09 15:47:41 +01:00			`'secure' => $isSecure,`
			`'httponly' => true,`
			`'samesite' => 'Lax',`
			`]);`
session_destroy(); 2024-10-11 10:37:35 +07:00			`session_destroy();`
cannot deactivate postpaid 2024-10-25 14:05:57 +07:00			`session_unset();`
			`session_start();`
			`unset($_COOKIE['aid'], $_SESSION['aid']);`
Session using cookie 2024-02-12 09:45:44 +07:00			`}`
			`}`

Path Configuration 2024-02-26 14:38:04 +07:00			`public static function _info($id = 0)`
			`{`
			`if (empty($id) && $id == 0) {`
Fix invoice 2024-02-23 14:40:47 +07:00			`$id = Admin::getID();`
			`}`
Path Configuration 2024-02-26 14:38:04 +07:00			`if ($id) {`
Menu With Auth 2024-02-26 11:25:15 +07:00			`return ORM::for_table('tbl_users')->find_one($id);`
Path Configuration 2024-02-26 14:38:04 +07:00			`} else {`
fix variable Admin.php 2024-02-27 07:12:02 +07:00			`return null;`
Menu With Auth 2024-02-26 11:25:15 +07:00			`}`
PHPMixBill v5.0 - First Upload 2017-03-11 02:51:06 +07:00			`}`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00
			`public static function upsertToken($aid, $token)`
			`{`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`$query = ORM::for_table('tbl_users')->findOne($aid);`
			`$query->login_token = sha1($token);`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`$query->save();`
			`}`

			`public static function validateToken($aid, $cookieToken)`
			`{`
Single session Admin can be set in the misc settings 2024-10-18 10:55:07 +07:00			`global $config;`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`$query = ORM::for_table('tbl_users')->select('login_token')->findOne($aid);`
cannot deactivate postpaid 2024-10-25 14:05:57 +07:00			`if ($config['single_session'] != 'yes') {`
Single session Admin can be set in the misc settings 2024-10-18 10:55:07 +07:00			`return true; // For multi-session, any token is valid`
			`}`
cannot deactivate postpaid 2024-10-25 14:05:57 +07:00			`if (empty($query)) {`
Single session Admin can be set in the misc settings 2024-10-18 10:55:07 +07:00			`return true;`
			`}`
fix position Admin::_info(); 2024-10-11 11:07:47 +07:00			`return $query->login_token === sha1($cookieToken);`
Fight Against Insecurity : Prevent Admin multiple Login Sessions, its a security threat to phpnuxbill. plase note: if you are running nuxbill on localhost please set app_stage to something else e.g. $_app_stage = 'Demo'; its very important 2024-10-10 14:33:27 +01:00			`}`
Path Configuration 2024-02-26 14:38:04 +07:00			`}`