From 865b0d7e78570207c757b1fa4608e0f9c61b20d7 Mon Sep 17 00:00:00 2001 From: "eapl.mx" Date: Thu, 26 Dec 2024 11:56:44 -0600 Subject: [PATCH] feat(session): check for a valid session using function in session.php --- README.md | 12 +++--- VERSION | 2 +- libs/persistent_session.php | 15 ++++---- libs/session.php | 9 +++-- partials/timeline.php | 9 ++--- views/__load_twt_files.php | 19 ++++------ views/add_feed.php | 73 ++++++++++++++++--------------------- views/home.php | 20 +++++----- views/new_twt.php | 10 ++--- views/refresh.php | 6 +-- views/upload_img.php | 14 ++----- 11 files changed, 85 insertions(+), 104 deletions(-) diff --git a/README.md b/README.md index 3a2a48b..49eebbc 100644 --- a/README.md +++ b/README.md @@ -39,13 +39,13 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## 🛠 Installation and setup 0. You need to have a webhosting with **PHP 8** and perferable running Apache or similar for timeline to work. - + > There are free options, but I would suggest that you pay for your hosting and also get a nice domain, so you have more ownership over your data and online idetenty. 1. Download the code from https://github.com/sorenpeter/timeline as a zip 2. Upload the content of the zip to you webhosting using a FTP client - + - The default would be to put eveything from within the timeline-main folder in the root so you will have: ``` 
@@ -66,7 +66,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ### Webfinger endpoint setup -6. For allowing others to look you on using webfinger, you need to move the `.well-known` folder from within the `_webfinger_endpoint` to the root of your domain, so it is accesable from www.example.net/.well-know/webfinger +6. For allowing others to look you on using webfinger, you need to move the `.well-known` folder from within the `_webfinger_endpoint` to the root of your domain, so it is accesable from www.example.net/.well-know/webfinger 7. You also need to edit the `index.php` file wihtin the `.well-know/webfinger` folder and set the correct path for you timeline installation in `$timeline_dir` variable. @@ -84,6 +84,8 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## 🐞 Bugs to fix - [x] (2024-11-30) Fix issues with parsing markdown vs. twtxt syntax (replaceed slimdown with Parsedown, supporting lists, block quotes, code/blocks, links, images) +- [x] (2024-12-26) Extend session duration for 30 days +- [ ] (2024-12-26) Read the config.ini in a centralized place and add validations useful when installing or upgrading `timeline`. ## 🚀 Features to code @@ -97,7 +99,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # 🙏 Credits / shoutouts -## Ideas and inspiration +## Ideas and inspiration - [twtxt](https://twtxt.readthedocs.io) - The original decentralised, minimalist microblogging service for hackers @@ -109,7 +111,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - [twtxt-php](https://github.com/eapl-gemugami/twtxt-php) - A minimalistic and personal PHP site for your twtxt microblogging. -- [Slimdown](https://github.com/jbroadway/slimdown) - A simple regex-based Markdown parser in PHP. +- [Slimdown](https://github.com/jbroadway/slimdown) - A simple regex-based Markdown parser in PHP. - Tag cloud feature is based on php code by [Domingos Faria](https://social.dfaria.eu/search) 
diff --git a/VERSION b/VERSION index a5ee8d9..9d56291 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2024.12.23 +2024.12.26 diff --git a/libs/persistent_session.php b/libs/persistent_session.php index 7224923..cf444ec 100644 --- a/libs/persistent_session.php +++ b/libs/persistent_session.php @@ -32,7 +32,7 @@ session_start([ function hasValidSession(): bool { # If short lived session is valid - if (isset($_SESSION['session_expiration'])) { + if (isset($_SESSION['session_expiration']) && $_SESSION['session_expiration'] > time()) { return true; } @@ -62,23 +62,21 @@ function getCookieData() { $config = parse_ini_file('private/config.ini'); - # The cookie data contains the actual data w/ the hash concatonated to the end, + # The cookie data contains the actual data w/ the hash concatenated to the end, # since the hash is a fixed length, we can extract the last hash_length chars # to get the hash. $hash = substr($raw, strlen($raw) - HASH_LENGTH, HASH_LENGTH); $data = substr($raw, 0, - (HASH_LENGTH)); - # Calculate what the hash should be, based on the data. If the data has not been + # Calculate the expected hash from the data. If the data has not been # tampered with, $hash and $hash_calculated will be the same $hash_calculated = hash_hmac(HASH_ALGORITHM, $data, $config['secret_key']); - # If we calculate a different hash, we can't trust the data. if ($hash_calculated !== $hash) { - #echo "Different HASH"; + #echo "Different HASH. Tempered data?"; return False; } - # Is it expired ? if (intval($data) < time()) { #echo "Cookie expired"; return False; @@ -91,7 +89,7 @@ function makePersistentCookie() { $config = parse_ini_file('private/config.ini'); $cookieExpiry = EXPIRATION_DAYS * 24 * 60 * 60 + time(); # X days - #$cookieExpiry = 10 + time(); # Debug value - 5 minutes + #$cookieExpiry = 10 + time(); # Debug value - 10 seconds # Calculate a hash for the data and append it to the end of the data string $cookieValue = strval($cookieExpiry); 
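Review bot: The new expiry comparison in `hasValidSession()` leaves a stale `session_expiration` key in `$_SESSION` once it has passed, so every later call re-evaluates the dead value and falls through to whatever the rest of the function does (its body continues outside the hunk). Clearing it on expiry keeps the session state consistent with what the function reports; one line before the existing check does it: `if (isset($_SESSION['session_expiration']) && $_SESSION['session_expiration'] <= time()) { unset($_SESSION['session_expiration']); }`.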
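Review bot: The MAC verification in `getCookieData()`, `if ($hash_calculated !== $hash)`, compares the cookie's HMAC with an operator that stops at the first differing byte; the constant-time form PHP provides for exactly this is `if (!hash_equals($hash_calculated, $hash))`, and since the hunk already reworks the surrounding comments this is the place to change it. Two smaller things in the same hunk: the rewritten debug line says `Tempered` where `Tampered` is meant, and both `return False;` lines use a capitalised keyword while the neighbouring hunks write `return true;` / `return false;` in lowercase.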
@@ -123,6 +121,9 @@ function isSavedCookieValid() { return false; } + # @eapl As it's implemented, the user has to login again in 30 days + # since the first login, which I think is a good compromise. + # Refresh session $_SESSION['session_expiration'] = intval($cookieExpiry); diff --git a/libs/session.php b/libs/session.php index c21f512..a920687 100644 --- a/libs/session.php +++ b/libs/session.php @@ -5,9 +5,12 @@ require_once 'libs/persistent_session.php'; $config = parse_ini_file('private/config.ini'); $passwordInConfig = $config['password']; -# TODO: Replace using $_SESSION['password'] in other files -# to check for a valid session, as in 'new_twt.php' -# Use hasValidSession() instead +function checkValidSessionOrRedirectToLogin() { + if (!hasValidSession()) { + header('Location: ./login'); + exit(); + } +} if (isset($_POST['submit_pass']) && $_POST['pass']) { $passwordInForm = $_POST['pass']; diff --git a/partials/timeline.php b/partials/timeline.php index ca4a666..0f63089 100644 --- a/partials/timeline.php +++ b/partials/timeline.php @@ -39,7 +39,7 @@ if (isset($_SESSION['password'])) { echo ' | Reply'; - } + } ?> @@ -49,9 +49,8 @@ Comment via email'; -} - -?> \ No newline at end of file +} \ No newline at end of file diff --git a/views/__load_twt_files.php b/views/__load_twt_files.php index 96ce792..89d4286 100644 --- a/views/__load_twt_files.php +++ b/views/__load_twt_files.php @@ -8,16 +8,13 @@ require_once('libs/twtxt.php'); require_once('libs/hash.php'); */ -require_once("partials/base.php"); +require_once "partials/base.php"; +require_once "libs/session.php"; + +checkValidSessionOrRedirectToLogin(); $config = parse_ini_file('private/config.ini'); -if (!isset($_SESSION['password'])) { - header('Location: ./login'); - exit(); -} - - $max_execution_time = intval($config['max_execution_time']); if ($max_execution_time < 1) { $max_execution_time = 1; 
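Review bot: The comment added to `isSavedCookieValid()` reads as a personal aside (`@eapl As it's implemented ... which I think is a good compromise`) rather than as documentation of the behaviour a maintainer has to rely on. If the reading is right that the expiry is taken from the cookie and never pushed forward here, a neutral statement of the contract carries the same information: `# The expiry is fixed when the cookie is issued and is not extended on refresh, so a re-login is required once EXPIRATION_DAYS have elapsed since the first login.`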
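Review bot: `checkValidSessionOrRedirectToLogin()` is declared without a return type; it either returns normally or exits, so `function checkValidSessionOrRedirectToLogin(): void` states that and is the file's first chance to use native types. The helper also lands in a file that, at require time, parses `private/config.ini` and handles the login POST (`$_POST['submit_pass']` is visible just below it), so each view that now requires `libs/session.php` for the check executes that code as well; `libs/persistent_session.php`, which defines `hasValidSession()`, looks like the side-effect-free home for it, though only the top of session.php is visible here. The migration is also incomplete: the `partials/timeline.php` hunk header further down still shows `if (isset($_SESSION['password'])) {` above its whitespace-only change, so that partial decides on a different condition than the views converted in this commit.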
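Review bot: In `views/__load_twt_files.php` the session check runs only after `require_once "partials/base.php"`; if base.php (not shown) emits any output, the `header('Location: ./login')` inside the helper fails with a "headers already sent" warning and an unauthenticated visitor gets a blank or partial page instead of the login form, since `exit()` still stops the view. Calling `checkValidSessionOrRedirectToLogin();` before the base.php require, or confirming base.php writes nothing, removes the dependency on include order. A minor style point: the two new `require_once` lines use double quotes while `parse_ini_file('private/config.ini')` in the same hunk uses single quotes.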
@@ -69,15 +66,15 @@ foreach ($fileLines as $currentLine) { $i = 1; $total = count($twtFollowingList); -foreach ($twtFollowingList as $following) { +foreach ($twtFollowingList as $following) { $float = $i/$total; $percent = intval($float * 100)."%"; - + // Javascript for updating the progress bar and information echo ''; updateCachedFile($following[1]); diff --git a/views/add_feed.php b/views/add_feed.php index 41f0e03..61f46c9 100644 --- a/views/add_feed.php +++ b/views/add_feed.php @@ -1,6 +1,9 @@ - + include 'partials/header.php'; + ?> -

Webfinger lookup

+

Webfinger lookup

-
- - -
-
-
- - - -

Add a new feed to follow

- -
-
- - - - + + +
- -
-
+
+ - + - +

Add a new feed to follow

+ +
+
+ + + + +
+ +
+
+ + + + \ No newline at end of file diff --git a/views/home.php b/views/home.php index a326e6d..a8d0ae0 100644 --- a/views/home.php +++ b/views/home.php @@ -18,25 +18,23 @@ if (!empty($_GET['profile'])) { // Show twts for some user (Profile view) // Load twts, taking $paginateTwts into consideration require_once 'partials/base.php'; +require_once 'libs/session.php'; -$title = "Timeline for ".$title; +$title = "Timeline for $title"; - -// Redirect guests to Profile view, if url not set til home twtxt.txt - -if (!isset($_SESSION['password']) && (isset($_GET['url']))) { - if ($_GET['url'] != $config['public_txt_url']) { - header('Location: ./profile'); - exit(); - } +// Redirect guests to Profile view, if URL isn't set to home twtxt.txt +if (!hasValidSession() && isset($_GET['url'])) { + if ($_GET['url'] != $config['public_txt_url']) { + header('Location: ./profile'); + exit(); + } } include_once 'partials/header.php'; -if (isset($_SESSION['password'])) { +if (hasValidSession()) { include 'views/new_twt.php'; // TODO: Split up new_twt into a view and a partial } else { - echo '

Timeline

'; echo '

Recent posts from feeds followed by diff --git a/views/new_twt.php b/views/new_twt.php index f90980b..5fcf6b8 100644 --- a/views/new_twt.php +++ b/views/new_twt.php @@ -1,4 +1,8 @@ ";
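Review bot: The guest redirect in `views/home.php` keeps a loose comparison on the re-indented new line, `if ($_GET['url'] != $config['public_txt_url'])`; `!==` is the idiom for comparing a query parameter with a configured string and avoids PHP's type juggling on numeric-looking values. `$config` is not assigned anywhere in this hunk and presumably comes from the top-level `$config = parse_ini_file(...)` that the new `require_once 'libs/session.php'` pulls in, which is worth a short comment, e.g. `// $config and hasValidSession() come from libs/session.php`. The tail of this hunk is not legible in this view, so the `else` branch after `include 'views/new_twt.php'` was not reviewed.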