feat(session): check for a valid session using function in session.php

2025-12-16 03:17:01 +00:00 · 2024-12-26 11:56:44 -06:00 · 2024-12-26 11:56:44 -06:00 · 865b0d7e78
commit 865b0d7e78
parent 57737e8cd4
11 changed files with 85 additions and 104 deletions
--- a/README.md
+++ b/README.md
@ -84,6 +84,8 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ## 🐞 Bugs to fix
 - [x] (2024-11-30) Fix issues with parsing markdown vs. twtxt syntax (replaceed slimdown with Parsedown, supporting lists, block quotes, code/blocks, links, images)
 - [x] (2024-12-26) Extend session duration for 30 days
 - [ ] (2024-12-26) Read the config.ini in a centralized place and add validations useful when installing or upgrading `timeline`.
 ## 🚀 Features to code
--- a/2
+++ b/2
@ -1 +1 @@
-2024.12.23
+2024.12.26
--- a/libs/persistent_session.php
+++ b/libs/persistent_session.php
@ -32,7 +32,7 @@ session_start([
 function hasValidSession(): bool {
 	# If short lived session is valid
-	if (isset($_SESSION['session_expiration'])) {
+	if (isset($_SESSION['session_expiration']) && $_SESSION['session_expiration'] > time()) {
 		return true;
 	}
@ -62,23 +62,21 @@ function getCookieData() {
 	$config = parse_ini_file('private/config.ini');
-	# The cookie data contains the actual data w/ the hash concatonated to the end,
+	# The cookie data contains the actual data w/ the hash concatenated to the end,
 	# since the hash is a fixed length, we can extract the last hash_length chars
 	# to get the hash.
 	$hash = substr($raw, strlen($raw) - HASH_LENGTH, HASH_LENGTH);
 	$data = substr($raw, 0, - (HASH_LENGTH));
-	# Calculate what the hash should be, based on the data. If the data has not been
+	# Calculate the expected hash from the data. If the data has not been
 	# tampered with, $hash and $hash_calculated will be the same
 	$hash_calculated = hash_hmac(HASH_ALGORITHM, $data, $config['secret_key']);
 	# If we calculate a different hash, we can't trust the data.
 	if ($hash_calculated !== $hash) {
-		#echo "Different HASH";
+		#echo "Different HASH. Tempered data?";
 		return False;
 	}
 	# Is it expired ?
 	if (intval($data) < time()) {
 		#echo "Cookie expired";
 		return False;
@ -91,7 +89,7 @@ function makePersistentCookie() {
 	$config = parse_ini_file('private/config.ini');
 	$cookieExpiry = EXPIRATION_DAYS * 24 * 60 * 60 + time(); # X days
-	#$cookieExpiry = 10 + time(); # Debug value - 5 minutes
+	#$cookieExpiry = 10 + time(); # Debug value - 10 seconds
 	# Calculate a hash for the data and append it to the end of the data string
 	$cookieValue = strval($cookieExpiry);
@ -123,6 +121,9 @@ function isSavedCookieValid() {
 		return false;
 	}
 	# @eapl As it's implemented, the user has to login again in 30 days
 	# since the first login, which I think is a good compromise.
 	# Refresh session
 	$_SESSION['session_expiration'] = intval($cookieExpiry);
--- a/libs/session.php
+++ b/libs/session.php
@ -5,9 +5,12 @@ require_once 'libs/persistent_session.php';
 $config = parse_ini_file('private/config.ini');
 $passwordInConfig = $config['password'];
-# TODO: Replace using $_SESSION['password'] in other files
+function checkValidSessionOrRedirectToLogin() {
-# to check for a valid session, as in 'new_twt.php'
+    if (!hasValidSession()) {
-# Use hasValidSession() instead
+        header('Location: ./login');
        exit();
    }
 }
 if (isset($_POST['submit_pass']) && $_POST['pass']) {
    $passwordInForm = $_POST['pass'];
--- a/partials/timeline.php
+++ b/partials/timeline.php
@ -49,9 +49,8 @@
 	</article>
 <?php }
 require_once 'libs/session.php';
-if (!isset($_SESSION['password'])) {
+if (!hasValidSession()) {
 	echo '<center><a href="mailto:' . $config['email'] . '?subject=RE: ' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '" class="button">Comment via email</a></center>';
 }
 ?>
--- a/views/__load_twt_files.php
+++ b/views/__load_twt_files.php
@ -8,16 +8,13 @@ require_once('libs/twtxt.php');
 require_once('libs/hash.php');
 */
-require_once("partials/base.php");
+require_once "partials/base.php";
 require_once "libs/session.php";
 checkValidSessionOrRedirectToLogin();
 $config = parse_ini_file('private/config.ini');
 if (!isset($_SESSION['password'])) {
 	header('Location: ./login');
 	exit();
 }
 $max_execution_time = intval($config['max_execution_time']);
 if ($max_execution_time < 1) {
 	$max_execution_time = 1;
--- a/views/add_feed.php
+++ b/views/add_feed.php
@ -1,6 +1,9 @@
 <?php
-require_once('partials/base.php');
+require_once 'partials/base.php';
-require_once('partials/webfinger_lookup.php');
+require_once 'partials/webfinger_lookup.php';
 require_once 'libs/session.php';
 checkValidSessionOrRedirectToLogin();
 // TODO: Give a warning if the file is not found
 $config = parse_ini_file('private/config.ini');
@ -13,18 +16,6 @@ if ($config['debug_mode']) {
 $txt_file_path = $config['txt_file_path'];
 if (!isset($_SESSION['password'])) {
 	header('Location: ./login');
 	exit();
 }
 /*
 if (!has_valid_session()) {
 	header('Location: login.php');
 	exit();
 }
 */
 if (isset($_POST['url'])) {
 	$url = trim(filter_input(INPUT_POST, 'url'));
 	$nick = trim(filter_input(INPUT_POST, 'nick'));
--- a/views/home.php
+++ b/views/home.php
@ -18,13 +18,12 @@ if (!empty($_GET['profile'])) { // Show twts for some user (Profile view)
 // Load twts, taking $paginateTwts into consideration
 require_once 'partials/base.php';
 require_once 'libs/session.php';
-$title = "Timeline for ".$title;
+$title = "Timeline for $title";
-
+// Redirect guests to Profile view, if URL isn't set to home twtxt.txt
-// Redirect guests to Profile view, if url not set til home twtxt.txt
+if (!hasValidSession() && isset($_GET['url'])) {
 if (!isset($_SESSION['password']) && (isset($_GET['url']))) {
    if ($_GET['url'] != $config['public_txt_url']) {
        header('Location: ./profile');
        exit();
@ -33,10 +32,9 @@ if (!isset($_SESSION['password']) && (isset($_GET['url']))) {
 include_once 'partials/header.php';
-if (isset($_SESSION['password'])) {
+if (hasValidSession()) {
    include 'views/new_twt.php'; // TODO: Split up new_twt into a view and a partial
 } else {
    echo '<center><h2>Timeline</h2>';
    echo '<p>Recent posts from feeds followed by <a href="./profile">
--- a/views/new_twt.php
+++ b/views/new_twt.php
@ -1,4 +1,8 @@
 <?php
 require_once 'libs/session.php';
 checkValidSessionOrRedirectToLogin();
 // TODO: Give a warning if the file is not found
 $config = parse_ini_file('private/config.ini');
@ -12,12 +16,6 @@ $txt_file_path = $config['txt_file_path'];
 $public_txt_url = $config['public_txt_url'];
 $timezone = $config['timezone'];
 require_once 'libs/session.php';
 if (!isset($_SESSION['password'])) {
 	header('Location: ./login');
 	exit();
 }
 if (isset($_POST['submit'])) {
 	$new_post = filter_input(INPUT_POST, 'new_post');
--- a/views/refresh.php
+++ b/views/refresh.php
@ -1,10 +1,8 @@
 <?php
 require_once "partials/base.php";
 require_once 'libs/session.php';
-if (!isset($_SESSION['password'])) {
+checkValidSessionOrRedirectToLogin();
    header('Location: ./login');
    exit();
 }
 ob_start();
--- a/views/upload_img.php
+++ b/views/upload_img.php
@ -1,20 +1,14 @@
 <?php
 require_once "partials/base.php";
 require_once 'libs/session.php';
-require_once("partials/base.php");
+checkValidSessionOrRedirectToLogin();
-if (!isset($_SESSION['password'])) {
+$title = "Upload - $title";
  header('Location: ./login');
  die();
 }
 $title = "Upload - ".$title;
 include_once 'partials/header.php';
 if (!empty($_POST)) {
  // Based on code from: https://www.w3schools.com/php/php_file_upload.asp
  //echo getcwd() ."<br>";