kevinowino869/mitrobill
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Testing CSRF from admin login, if works well then we will make it official

Browse Source
This commit is contained in:
Focuslinkstech 2024-10-09 17:13:25 +01:00 committed by Ibnu Maksum
parent bd30261e84
commit 99e8b20bb3
No known key found for this signature in database
GPG Key ID: 7FC82848810579E5
2 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
system/controllers/admin.php
View File

@ -5,12 +5,12 @@
* by https://t.me/ibnux
**/
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
header("Pragma: no-cache");
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
header("Pragma: no-cache");
if(Admin::getID()){
r2(U.'dashboard', "s", Lang::T("You are already logged in"));
if (Admin::getID()) {
r2(U . 'dashboard', "s", Lang::T("You are already logged in"));
}
if (isset($routes['1'])) {
@ -23,6 +23,11 @@ switch ($do) {
case 'post':
$username = _post('username');
$password = _post('password');
//csrf token
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
_alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin");
}
run_hook('admin_login'); #HOOK
if ($username != '' and $password != '') {
$d = ORM::for_table('tbl_users')->where('username', $username)->find_one();
@ -36,26 +41,28 @@ switch ($do) {
_log($username . ' ' . Lang::T('Login Successful'), $d['user_type'], $d['id']);
if ($isApi) {
if ($token) {
showResult(true, Lang::T('Login Successful'), ['token' => "a.".$token]);
showResult(true, Lang::T('Login Successful'), ['token' => "a." . $token]);
} else {
showResult(false, Lang::T('Invalid Username or Password'));
}
}
_alert(Lang::T('Login Successful'),'success', "dashboard");
_alert(Lang::T('Login Successful'), 'success', "dashboard");
} else {
_log($username . ' ' . Lang::T('Failed Login'), $d['user_type']);
_alert(Lang::T('Invalid Username or Password').".",'danger', "admin");
_alert(Lang::T('Invalid Username or Password') . ".", 'danger', "admin");
}
} else {
_alert(Lang::T('Invalid Username or Password')."..",'danger', "admin");
_alert(Lang::T('Invalid Username or Password') . "..", 'danger', "admin");
}
} else {
_alert(Lang::T('Invalid Username or Password')."...",'danger', "admin");
_alert(Lang::T('Invalid Username or Password') . "...", 'danger', "admin");
}
break;
default:
run_hook('view_login'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('admin-login.tpl');
break;
}

1
ui/ui/admin-login.tpl
View File

@ -24,6 +24,7 @@
{$notify}
{/if}
<form action="{$_url}admin/post" method="post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group has-feedback">
<input type="text" required class="form-control" name="username" placeholder="{Lang::T('Username')}">
<span class="glyphicon glyphicon-user form-control-feedback"></span>