Add the fix for login with wrong credentials directly in admin/admin.php

digitalutsc · Jan 16, 2025 · f16d929 · f16d929
1 parent e6c2847
commit f16d929
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 60 deletions.
diff --git a/admin/admin.php b/admin/admin.php
@@ -19,7 +19,11 @@
     use Noid\Lib\Custom\NoidArk;
 
     // check if user logging yet
-    auth();
+    if (!auth()) { 
+        echo 'Access denied ! Your login credential is matched. <a href="logout.php">Please enter your login credentials to
+                    login.</a>';
+        exit();
+    }
 
     // start buffer for all input for the forms
     ob_start();

diff --git a/admin/auth.php b/admin/auth.php
@@ -18,62 +18,12 @@
 init_system();
 
 $realm = "Restricted area";
-
-if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
-
-    header('HTTP/1.1 401 Unauthorized');
-    header('WWW-Authenticate: Digest realm="' . $realm .
-        '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
-    echo 'Access denied, you must have account to proceed. This site is restricted for University of Toronto Staff only. <a href="logout.php">Please enter your login credentials to login.</a>';
-    //die('Text to send if user hits Cancel button');
-    die();
-}
-
-$data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
-$conn = new mysqli(MysqlArkConf::$mysql_host, MysqlArkConf::$mysql_user, MysqlArkConf::$mysql_passwd, MysqlArkConf::$mysql_dbname);
-if (!$conn) {
-    echo "Error: Unable to connect to MySQL." . PHP_EOL;
-    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
-    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
-}
-$sql = "Select `username`, `pasword` from user where username = '" . $data['username'] . "'";
-$result = $conn->query($sql)->fetch_all();
-$users = array();
-
-foreach ($result as $row) {
-    $users[$row[0]] = secureDecryption($row[1], "VUQY%IdGWlBT!83YCM6TtY5X-uIYv)i1AEyk67VpusyCDXZW0", 2734025702752005);
-}
-$conn->close();
-
-if (!isset($data) || !isset($users[$data['username']])) {
-    die('Wrong Credentials! <a href="logout.php">Please enter your login credentials to
-            login.</a>');
+if (auth()) { 
+    header('Location: admin.php');
 }
-
-
-// analyze the PHP_AUTH_DIGEST variable
-if (count($users) == 0 /*|| !isset($users[$data['username']])*/) {
-    header('HTTP/1.1 401 Unauthorized');
-    header('WWW-Authenticate: Digest realm="' . $realm .
-        '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
-
-    echo 'Access denied, your account is not found. <a href="logout.php">Please enter your login credentials to login.</a>';
+else {
+    echo 'Access denied ! Your login credential is matched. <a href="logout.php">Please enter your login credentials to
+                login.</a>';
     exit();
-} else {
-    $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
-    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
-    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
-    if ($data['response'] != $valid_response) {
-
-        echo 'Access denied ! Your login credential is matched. <a href="logout.php">Please enter your login credentials to
-            login.</a>';
-        exit();
-    }
-    else {
-        header('Location: admin.php');
-    }
-
 }
-
-
 ob_flush();
diff --git a/admin/functions.php b/admin/functions.php
@@ -12,7 +12,7 @@
 
 use Noid\Lib\Custom\Database;
 use Noid\Lib\Custom\GlobalsArk;
-use Noid\Lib\Custom\MysqlArkConf;
+use Noid\Config\MysqlArkConf;
 use Noid\Lib\Custom\NoidArk;
 
 function init_system() {
@@ -154,16 +154,64 @@ function dbpath(string $dbname = "")
  * authentication function
  */
 function auth(){
-    $realm = "Restricted area";
-
     if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
 
         header('HTTP/1.1 401 Unauthorized');
         header('WWW-Authenticate: Digest realm="' . $realm .
             '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
-        echo 'Access denied, you must have account to proceed. This site is restricted for University of Toronto Staff only. <a href="//'.$_SERVER['HTTP_HOST'].'">Please enter your login credentials to login.</a>';
+        echo 'Access denied, you must have account to proceed. This site is restricted for University of Toronto Staff only. <a href="logout.php">Please enter your login credentials to login.</a>';
+        //die('Text to send if user hits Cancel button');
         die();
     }
+
+    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
+    $conn = new mysqli(MysqlArkConf::$mysql_host, MysqlArkConf::$mysql_user, MysqlArkConf::$mysql_passwd, MysqlArkConf::$mysql_dbname);
+    if (!$conn) {
+        echo "Error: Unable to connect to MySQL." . PHP_EOL;
+        echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
+        echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
+    }
+    $sql = "Select `username`, `pasword` from user where username = '" . $data['username'] . "'";
+    $result = $conn->query($sql)->fetch_all();
+    $users = array();
+
+    foreach ($result as $row) {
+        $users[$row[0]] = secureDecryption($row[1], "VUQY%IdGWlBT!83YCM6TtY5X-uIYv)i1AEyk67VpusyCDXZW0", 2734025702752005);
+    }
+    $conn->close();
+
+    if (!isset($data) || !isset($users[$data['username']])) {
+        die('Wrong Credentials! <a href="logout.php">Please enter your login credentials to
+                login.</a>');
+    }
+
+
+    // analyze the PHP_AUTH_DIGEST variable
+    if (count($users) == 0 /*|| !isset($users[$data['username']])*/) {
+        header('HTTP/1.1 401 Unauthorized');
+        header('WWW-Authenticate: Digest realm="' . $realm .
+            '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
+
+        /*echo 'Access denied, your account is not found. <a href="logout.php">Please enter your login credentials to login.</a>';
+        exit();*/
+        return false;
+    } else {
+        $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
+        $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
+        $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
+        if ($data['response'] != $valid_response) {
+
+            /*echo 'Access denied ! Your login credential is matched. <a href="logout.php">Please enter your login credentials to
+                login.</a>';
+            exit();*/
+            return false;
+        }
+        else {
+            //header('Location: admin.php');
+            return true;
+        }
+
+    }
 }