From 6e5450d10469298a8187a41013e96c5b16b5ae83 Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Thu, 10 Oct 2024 15:48:32 +0100
Subject: [PATCH 1/3] CSRF added to customer acounts update

---
 system/controllers/accounts.php    | 32 ++++++++++++++++++++++++++++++
 ui/ui/customer/change-password.tpl |  1 +
 ui/ui/customer/email-update.tpl    |  2 ++
 ui/ui/customer/phone-update.tpl    |  2 ++
 ui/ui/customer/profile.tpl         |  1 +
 5 files changed, 38 insertions(+)

diff --git a/system/controllers/accounts.php b/system/controllers/accounts.php
index 596c6e71..29e76e1b 100644
--- a/system/controllers/accounts.php
+++ b/system/controllers/accounts.php
@@ -18,11 +18,17 @@ switch ($action) {
 
     case 'change-password':
         run_hook('customer_view_change_password'); #HOOK
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
         $ui->display('customer/change-password.tpl');
         break;
 
     case 'change-password-post':
         $password = _post('password');
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            r2(U . 'accounts/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+        }
         run_hook('customer_change_password'); #HOOK
         if ($password != '') {
             $d_pass = $user['password'];
@@ -67,9 +73,15 @@ switch ($action) {
 
     case 'profile':
         run_hook('customer_view_edit_profile'); #HOOK
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
         $ui->display('customer/profile.tpl');
         break;
     case 'edit-profile-post':
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            r2(U . 'accounts/profile', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+        }
         $fullname = _post('fullname');
         $address = _post('address');
         $email = _post('email');
@@ -100,11 +112,17 @@ switch ($action) {
 
 
     case 'phone-update':
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
         $ui->assign('new_phone', $_SESSION['new_phone']);
         $ui->display('customer/phone-update.tpl');
         break;
 
     case 'phone-update-otp':
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+        }
         $phone = Lang::phoneFormat(_post('phone'));
         $username = $user['username'];
         $otpPath = $CACHE_PATH . '/sms/';
@@ -152,6 +170,10 @@ switch ($action) {
         break;
 
     case 'phone-update-post':
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+        }
         $phone = Lang::phoneFormat(_post('phone'));
         $otp_code = _post('otp');
         $username = $user['username'];
@@ -210,10 +232,16 @@ switch ($action) {
         break;
 
     case 'email-update':
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
         $ui->assign('new_email', $_SESSION['new_email']);
         $ui->display('customer/email-update.tpl');
         break;
     case 'email-update-otp':
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+        }
         $email = trim(_post('email'));
         $username = $user['username'];
         $otpPath = $CACHE_PATH . '/email/';
@@ -255,6 +283,10 @@ switch ($action) {
         break;
 
     case 'email-update-post':
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+        }
         $email = trim(_post('email'));
         $otp_code = _post('otp');
         $username = $user['username'];
diff --git a/ui/ui/customer/change-password.tpl b/ui/ui/customer/change-password.tpl
index ae15b564..9b07ca78 100644
--- a/ui/ui/customer/change-password.tpl
+++ b/ui/ui/customer/change-password.tpl
@@ -7,6 +7,7 @@
             <div class="panel-heading">{Lang::T('Change Password')}</div>
             <div class="panel-body">
                 <form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post">
+                    <input type="hidden" name="csrf_token" value="{$csrf_token}">
                     <div class="form-group">
                         <label class="col-md-2 control-label">{Lang::T('Current Password')}</label>
                         <div class="col-md-6">
diff --git a/ui/ui/customer/email-update.tpl b/ui/ui/customer/email-update.tpl
index 0b700a88..a6365b59 100644
--- a/ui/ui/customer/email-update.tpl
+++ b/ui/ui/customer/email-update.tpl
@@ -19,6 +19,7 @@
                 </div>
             </div>
             <form method="post" role="form" action="{$_url}accounts/email-update-otp">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                 <div class="form-group">
                     <label class="col-md-2 control-label">{Lang::T('New Email')}</label>
                     <div class="col-md-6">
@@ -34,6 +35,7 @@
                 </div>
             </form>
             <form method="post" role="form" action="{$_url}accounts/email-update-post">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                 <!-- Form 2 -->
                 <div class="form-group">
                     <label class="col-md-2 control-label">{Lang::T('OTP')}</label>
diff --git a/ui/ui/customer/phone-update.tpl b/ui/ui/customer/phone-update.tpl
index 3097b6cf..8380e143 100644
--- a/ui/ui/customer/phone-update.tpl
+++ b/ui/ui/customer/phone-update.tpl
@@ -19,6 +19,7 @@
                 </div>
             </div>
             <form method="post" role="form" action="{$_url}accounts/phone-update-otp">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                 <div class="form-group">
                     <label class="col-md-2 control-label">{Lang::T('New Number')}</label>
                     <div class="col-md-6">
@@ -34,6 +35,7 @@
                 </div>
             </form>
             <form method="post" role="form" action="{$_url}accounts/phone-update-post">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                 <!-- Form 2 -->
                 <div class="form-group">
                     <label class="col-md-2 control-label">{Lang::T('OTP')}</label>
diff --git a/ui/ui/customer/profile.tpl b/ui/ui/customer/profile.tpl
index 41fc030f..711e0152 100644
--- a/ui/ui/customer/profile.tpl
+++ b/ui/ui/customer/profile.tpl
@@ -7,6 +7,7 @@
             <div class="panel-heading">{Lang::T('Data Change')}</div>
             <div class="panel-body">
                 <form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post">
+                    <input type="hidden" name="csrf_token" value="{$csrf_token}">
                     <input type="hidden" name="id" value="{$_user['id']}">
                     <div class="form-group">
                         <label class="col-md-2 control-label">{Lang::T('Username')}</label>

From 60e1eacc593b212b02edcf788b4c7c4e2e76fe27 Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Thu, 10 Oct 2024 16:24:36 +0100
Subject: [PATCH 2/3] fix login loop

---
 system/autoload/Admin.php | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/system/autoload/Admin.php b/system/autoload/Admin.php
index d6b51718..6ac427c7 100644
--- a/system/autoload/Admin.php
+++ b/system/autoload/Admin.php
@@ -47,18 +47,19 @@ class Admin
             if (sha1("$tmp[0].$tmp[1].$db_pass") == $tmp[2]) {
                 // Validate the token in the cookie
                 $isValid = self::validateToken($tmp[0], $_COOKIE['aid']);
-                if (!$isValid) {
+                if (!empty($_COOKIE['aid']) && !$isValid) {
                     self::removeCookie();
                     _alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin");
                     return 0;
-                }
+                } else {
 
-                if (time() - $tmp[1] < 86400 * 7) {
-                    $_SESSION['aid'] = $tmp[0];
-                    if ($enable_session_timeout) {
-                        $_SESSION['aid_expiration'] = time() + $session_timeout_duration;
+                    if (time() - $tmp[1] < 86400 * 7) {
+                        $_SESSION['aid'] = $tmp[0];
+                        if ($enable_session_timeout) {
+                            $_SESSION['aid_expiration'] = time() + $session_timeout_duration;
+                        }
+                        return $tmp[0];
                     }
-                    return $tmp[0];
                 }
             }
         }
@@ -83,7 +84,7 @@ class Admin
             setcookie('aid', $token, [
                 'expires' => time() + 86400 * 7, // 7 days
                 'path' => '/',
-                'domain' => $app_stage,
+                'domain' => '',
                 'secure' => $isSecure,
                 'httponly' => true,
                 'samesite' => 'Lax', // or Strict
@@ -113,7 +114,7 @@ class Admin
             setcookie('aid', '', [
                 'expires' => time() - 3600,
                 'path' => '/',
-                'domain' => $app_stage,
+                'domain' => '',
                 'secure' => $isSecure,
                 'httponly' => true,
                 'samesite' => 'Lax',

From f77d7051c12b8e2847948be827e357119c11f600 Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Thu, 10 Oct 2024 17:02:04 +0100
Subject: [PATCH 3/3] remove unused variable

---
 system/autoload/Admin.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/system/autoload/Admin.php b/system/autoload/Admin.php
index 6ac427c7..8275d3b3 100644
--- a/system/autoload/Admin.php
+++ b/system/autoload/Admin.php
@@ -52,7 +52,6 @@ class Admin
                     _alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin");
                     return 0;
                 } else {
-
                     if (time() - $tmp[1] < 86400 * 7) {
                         $_SESSION['aid'] = $tmp[0];
                         if ($enable_session_timeout) {
@@ -78,8 +77,6 @@ class Admin
 
             // Detect the current protocol
             $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
-            $serverHost = $_SERVER['HTTP_HOST'];
-            $app_stage = ($serverHost === 'localhost') ? '' : APP_URL;
             // Set cookie with security flags
             setcookie('aid', $token, [
                 'expires' => time() + 86400 * 7, // 7 days
@@ -109,8 +106,6 @@ class Admin
         global $_app_stage;
         if (isset($_COOKIE['aid'])) {
             $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
-            $serverHost = $_SERVER['HTTP_HOST'];
-            $app_stage = ($serverHost === 'localhost') ? '' : APP_URL;
             setcookie('aid', '', [
                 'expires' => time() - 3600,
                 'path' => '/',