From c73b3b208555730432f3ef673032c38cd70cc051 Mon Sep 17 00:00:00 2001 From: Starbeamrainbowlabs Date: Fri, 30 Mar 2018 13:05:18 +0100 Subject: [PATCH 1/4] Add x-login-required: yes header to login redirects --- Changelog.md | 1 + build/index.php | 1 + core.php | 1 + module_index.json | 60 +++++++++++++++++++++++------------------------ 4 files changed, 33 insertions(+), 30 deletions(-) diff --git a/Changelog.md b/Changelog.md index cbf0c55..030d410 100644 --- a/Changelog.md +++ b/Changelog.md @@ -23,6 +23,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t ### Changed - Disallow uploads if editing is disabled. Previously files could still be uploaded even if editing was disabled - unless `upload_enabled` was set to `false`. + - Added `x-login-required: yes` header to responses that redirect to the login page for easy detection by machines ## v0.15.1 diff --git a/build/index.php b/build/index.php index b0ba5aa..f39bbc4 100644 --- a/build/index.php +++ b/build/index.php @@ -1962,6 +1962,7 @@ if($settings->require_login_view === true && // If this site requires a login in { // Redirect the user to the login page http_response_code(307); + header("x-login-required: yes"); $url = "?action=login&returnto=" . rawurlencode($_SERVER["REQUEST_URI"]) . "&required=true"; header("location: $url"); exit(page_renderer::render("Login required - $settings->sitename", "

$settings->sitename requires that you login before you are able to access it.
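Review bot: The new `x-login-required: yes` header exists only on the 307 response itself, so a client that follows redirects automatically ends up reading the login page's headers and never sees it; since the changelog advertises the header for machine detection, that limit should be documented next to the `header()` call. A comment such as `// Only present on the 307 itself: clients must disable automatic redirect following to see it` would do. Whether the login page sends an equivalent marker is not visible in this diff. The identical line is added in core.php, and the enclosing `if` starts before the hunk.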

diff --git a/core.php b/core.php index ab7d5c4..e346805 100644 --- a/core.php +++ b/core.php @@ -1585,6 +1585,7 @@ if($settings->require_login_view === true && // If this site requires a login in { // Redirect the user to the login page http_response_code(307); + header("x-login-required: yes"); $url = "?action=login&returnto=" . rawurlencode($_SERVER["REQUEST_URI"]) . "&required=true"; header("location: $url"); exit(page_renderer::render("Login required - $settings->sitename", "

$settings->sitename requires that you login before you are able to access it.

diff --git a/module_index.json b/module_index.json index 9b46d1d..e30a8cc 100755 --- a/module_index.json +++ b/module_index.json @@ -5,7 +5,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a utility action (that anyone can use) called hash that hashes a given string. Useful when changing a user's password.", "id": "action-hash", - "lastupdate": 1465757909, + "lastupdate": 1511518191, "optional": false }, { @@ -14,7 +14,7 @@ "author": "Starbeamrainbowlabs", "description": "Exposes Pepperminty Wiki's new page protection mechanism and makes the protect button in the 'More...' menu on the top bar work.", "id": "action-protect", - "lastupdate": 1465751051, + "lastupdate": 1511518191, "optional": false }, { @@ -23,7 +23,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds an action called 'random' that redirects you to a random page.", "id": "action-random", - "lastupdate": 1518648324, + "lastupdate": 1518719583, "optional": false }, { @@ -32,7 +32,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a 'raw' action that shows you the raw source of a page.", "id": "action-raw", - "lastupdate": 1507993763, + "lastupdate": 1511518191, "optional": false }, { @@ -41,7 +41,7 @@ "author": "Starbeamrainbowlabs", "description": "Provides a basic JSON status action that provices a few useful bits of information for API consumption.", "id": "api-status", - "lastupdate": 1522167607, + "lastupdate": 1522411212, "optional": false }, { @@ -50,7 +50,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a sidebar to the left hand side of every page. Add '$settings->sidebar_show = true;' to your configuration, or append '&sidebar=yes' to the url to enable. Adding to the url sets a cookie to remember your setting.", "id": "extra-sidebar", - "lastupdate": 1505768813, + "lastupdate": 1511518191, "optional": false }, { 
@@ -59,7 +59,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds threaded comments to the bottom of every page.", "id": "feature-comments", - "lastupdate": 1511450038, + "lastupdate": 1511518191, "optional": false }, { @@ -68,7 +68,7 @@ "author": "Starbeamrainbowlabs", "description": "The module everyone has been waiting for! Adds a web based gui that lets mods change the wiki settings.", "id": "feature-guiconfig", - "lastupdate": 1499800843, + "lastupdate": 1511518191, "optional": false }, { @@ -77,7 +77,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds the ability to keep unlimited page history, limited only by your disk space. Note that this doesn't store file history (yet). Currently depends on feature-recent-changes for rendering of the history page.", "id": "feature-history", - "lastupdate": 1518645062, + "lastupdate": 1518719583, "optional": false }, { @@ -86,7 +86,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds recent changes. Access through the 'recent-changes' action.", "id": "feature-recent-changes", - "lastupdate": 1521408644, + "lastupdate": 1522411212, "optional": false }, { @@ -95,7 +95,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds support for redirect pages. Uses the same syntax that Mediawiki does.", "id": "feature-redirect", - "lastupdate": 1498646092, + "lastupdate": 1511518191, "optional": false }, { @@ -104,7 +104,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds proper search functionality to Pepperminty Wiki using an inverted index to provide a full text search engine. If pages don't show up, then you might have hit a stop word. If not, try requesting the `invindex-rebuild` action to rebuild the inverted index from scratch.", "id": "feature-search", - "lastupdate": 1521391886, + "lastupdate": 1522411212, "optional": false }, { 
@@ -113,7 +113,7 @@ "author": "Starbeamrainbowlabs", "description": "An extensible statistics calculation system. Comes with a range of built-in statistics, but can be extended by other modules too.", "id": "feature-stats", - "lastupdate": 1505768903, + "lastupdate": 1511518191, "optional": false }, { @@ -122,7 +122,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File\/' prefix.", "id": "feature-upload", - "lastupdate": 1518645569, + "lastupdate": 1518719583, "optional": false }, { @@ -131,7 +131,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a user preferences page, letting pople do things like change their email address and password.", "id": "feature-user-preferences", - "lastupdate": 1497799247, + "lastupdate": 1511518191, "optional": false }, { @@ -140,7 +140,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds the credits page. You *must* have this module :D", "id": "page-credits", - "lastupdate": 1513196998, + "lastupdate": 1514040637, "optional": false }, { @@ -149,7 +149,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a debug action for administrator use only that collects a load of useful information to make reporting bugs easier.", "id": "page-debug-info", - "lastupdate": 1483389558, + "lastupdate": 1511518191, "optional": false }, { @@ -158,7 +158,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds an action to allow administrators to delete pages.", "id": "page-delete", - "lastupdate": 1501009581, + "lastupdate": 1511518191, "optional": false }, { @@ -167,7 +167,7 @@ "author": "Starbeamrainbowlabs", "description": "Allows you to edit pages by adding the edit and save actions. You should probably include this one.", "id": "page-edit", - "lastupdate": 1521390769, + "lastupdate": 1522411212, "optional": false }, { 
@@ -176,7 +176,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a page that you can use to export your wiki as a .zip file. Uses $settings->export_only_allow_admins, which controls whether only admins are allowed to export the wiki.", "id": "page-export", - "lastupdate": 1472230366, + "lastupdate": 1511518191, "optional": false }, { @@ -185,7 +185,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a rather useful help page. Access through the 'help' action. This module also exposes help content added to Pepperminty Wiki's inbuilt invisible help section system.", "id": "page-help", - "lastupdate": 1492433537, + "lastupdate": 1511518191, "optional": false }, { @@ -194,7 +194,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a page that lists all the pages in the index along with their metadata.", "id": "page-list", - "lastupdate": 1518645476, + "lastupdate": 1518719583, "optional": false }, { @@ -203,7 +203,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.", "id": "page-login", - "lastupdate": 1505512966, + "lastupdate": 1511518191, "optional": false }, { @@ -212,7 +212,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.", "id": "page-logout", - "lastupdate": 1466011660, + "lastupdate": 1511518191, "optional": false }, { @@ -221,7 +221,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds an action to allow administrators to move pages.", "id": "page-move", - "lastupdate": 1521408303, + "lastupdate": 1522411212, "optional": false }, { 
@@ -230,7 +230,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds an update page that downloads the latest stable version of Pepperminty Wiki. This module is currently outdated as it doesn't save your module preferences.", "id": "page-update", - "lastupdate": 1476906745, + "lastupdate": 1511518191, "optional": false }, { @@ -239,7 +239,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a 'user-list' action that generates a list of users. Supports json output with 'format=json' in the queyr string.", "id": "page-user-list", - "lastupdate": 1487454626, + "lastupdate": 1511518191, "optional": false }, { @@ -248,7 +248,7 @@ "author": "Starbeamrainbowlabs", "description": "Allows you to view pages. You really should include this one.", "id": "page-view", - "lastupdate": 1518647294, + "lastupdate": 1518719583, "optional": false }, { @@ -257,7 +257,7 @@ "author": "Johnny Broadway & Starbeamrainbowlabs", "description": "The *old* default parser for Pepperminty Wiki. Based on Johnny Broadway's Slimdown (with more than a few modifications). This parser's features are documented in the help page. Superceded by a customised extension of parsedown extra.", "id": "parser-default-old", - "lastupdate": 1458824880, + "lastupdate": 1511518191, "optional": true }, { @@ -266,7 +266,7 @@ "author": "Emanuil Rusev & Starbeamrainbowlabs", "description": "An upgraded (now default!) parser based on Emanuil Rusev's Parsedown Extra PHP library (https:\/\/github.com\/erusev\/parsedown-extra), which is licensed MIT. Please be careful, as this module adds some weight to your installation, and also *requires* write access to the disk on first load.", "id": "parser-parsedown", - "lastupdate": 1517750660, + "lastupdate": 1518719583, "optional": false } ] \ No newline at end of file From b1de0c3663214d6fdfe56cd2ca76b535e9e50c92 Mon Sep 17 00:00:00 2001 
From: Starbeamrainbowlabs Date: Fri, 30 Mar 2018 13:17:06 +0100 Subject: [PATCH 2/4] Add x-login-success header to login responses --- Changelog.md | 1 + build/index.php | 12 ++++++++---- module_index.json | 2 +- modules/page-login.php | 12 ++++++++---- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/Changelog.md b/Changelog.md index 030d410..6bfca29 100644 --- a/Changelog.md +++ b/Changelog.md @@ -24,6 +24,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t ### Changed - Disallow uploads if editing is disabled. Previously files could still be uploaded even if editing was disabled - unless `upload_enabled` was set to `false`. - Added `x-login-required: yes` header to responses that redirect to the login page for easy detection by machines + - Added `x-login-success: (yes|no)` header to login responses for easier machine parsing ## v0.15.1 diff --git a/build/index.php b/build/index.php index f39bbc4..b555644 100644 --- a/build/index.php +++ b/build/index.php @@ -7244,21 +7244,23 @@ register_module([ add_action("checklogin", function() { global $settings, $env; - //actually do the login + // Actually do the login if(isset($_POST["user"]) and isset($_POST["pass"])) { - //the user wants to log in + // The user wants to log in $user = $_POST["user"]; $pass = $_POST["pass"]; if($settings->users->$user->password == hash_password($pass)) { + // Success! :D $env->is_logged_in = true; - $expiretime = time() + 60*60*24*30; //30 days from now + $expiretime = time() + 60*60*24*30; // 30 days from now $_SESSION["$settings->sessionprefix-user"] = $user; $_SESSION["$settings->sessionprefix-pass"] = hash_password($pass); $_SESSION["$settings->sessionprefix-expiretime"] = $expiretime; - //redirect to wherever the user was going + // Redirect to wherever the user was going http_response_code(302); + header("x-login-success: yes"); if(isset($_GET["returnto"])) header("location: " . $_GET["returnto"]); else 
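Review bot: The success branch still sends `header("location: " . $_GET["returnto"]);` with the query-string value unchecked, so a successful login can redirect the browser to any site named in the login link, and the new `x-login-success: yes` header then marks that response as a success for API clients as well. `returnto` is generated in the first patch of this series from `$_SERVER["REQUEST_URI"]`, so accepting only same-site targets should not break the built-in flow, though callers outside this diff may pass another form. The identical code is in modules/page-login.php, which looks like the source this build file is assembled from, so the change belongs there too. The `else` branch continues past the end of the hunk.

```php
// … unchanged: session setup, http_response_code(302) …
header("x-login-success: yes");
// Follow returnto only when it stays on this site: "?query", or a path with exactly one leading "/".
// Control characters are refused because browsers strip tabs and newlines out of URLs.
$returnto = isset($_GET["returnto"]) && is_string($_GET["returnto"]) ? $_GET["returnto"] : "";
if(preg_match('#^(?:\?|/(?![/\\\\]))[^\x00-\x1f]*\z#', $returnto) === 1)
	header("location: $returnto");
else
// … unchanged: default redirect, continues outside the hunk …
```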
@@ -7267,7 +7269,9 @@ register_module([ } else { + // Login failed :-( http_response_code(302); + header("x-login-success: no"); $nextUrl = "index.php?action=login&failed=yes"; if(!empty($_GET["returnto"])) $nextUrl .= "&returnto=" . rawurlencode($_GET["returnto"]); diff --git a/module_index.json b/module_index.json index e30a8cc..7a1e55b 100755 --- a/module_index.json +++ b/module_index.json @@ -203,7 +203,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.", "id": "page-login", - "lastupdate": 1511518191, + "lastupdate": 1522412068, "optional": false }, { diff --git a/modules/page-login.php b/modules/page-login.php index fc19aac..0d53158 100644 --- a/modules/page-login.php +++ b/modules/page-login.php @@ -86,21 +86,23 @@ register_module([ add_action("checklogin", function() { global $settings, $env; - //actually do the login + // Actually do the login if(isset($_POST["user"]) and isset($_POST["pass"])) { - //the user wants to log in + // The user wants to log in $user = $_POST["user"]; $pass = $_POST["pass"]; if($settings->users->$user->password == hash_password($pass)) { + // Success! :D $env->is_logged_in = true; - $expiretime = time() + 60*60*24*30; //30 days from now + $expiretime = time() + 60*60*24*30; // 30 days from now $_SESSION["$settings->sessionprefix-user"] = $user; $_SESSION["$settings->sessionprefix-pass"] = hash_password($pass); $_SESSION["$settings->sessionprefix-expiretime"] = $expiretime; - //redirect to wherever the user was going + // Redirect to wherever the user was going http_response_code(302); + header("x-login-success: yes"); if(isset($_GET["returnto"])) header("location: " . $_GET["returnto"]); else 
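Review bot: The credential check kept as context in the first modules/page-login.php hunk, `$settings->users->$user->password == hash_password($pass)`, compares hashes with loose `==`, which is not constant-time and is subject to PHP's numeric-string juggling (two different hashes that both read as `0e…` numbers compare equal). It also dereferences `$settings->users->$user` for whatever name was posted, including names that do not exist. `if(isset($settings->users->$user) && hash_equals($settings->users->$user->password, hash_password($pass)))` covers both, assuming the stored value is a string. The same comparison is in the build/index.php copy of this handler. The hunk does not show the session id being regenerated after login; if that is not done elsewhere, `session_regenerate_id(true);` belongs in the success branch.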
@@ -109,7 +111,9 @@ register_module([ } else { + // Login failed :-( http_response_code(302); + header("x-login-success: no"); $nextUrl = "index.php?action=login&failed=yes"; if(!empty($_GET["returnto"])) $nextUrl .= "&returnto=" . rawurlencode($_GET["returnto"]); From 25a60507687189263fdd24acb2065463c1ec7d33 Mon Sep 17 00:00:00 2001 From: Starbeamrainbowlabs Date: Fri, 30 Mar 2018 16:40:29 +0100 Subject: [PATCH 3/4] Fix checklogin api docs --- modules/page-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/page-login.php b/modules/page-login.php index 0d53158..de29723 100644 --- a/modules/page-login.php +++ b/modules/page-login.php @@ -64,7 +64,7 @@ register_module([ * @apiPermission Anonymous * * @apiParam {string} user The user name to login with. - * @apiParam {string} password The password to login with. + * @apiParam {string} pass The password to login with. * @apiParam {string} returnto The URL to redirect to upon a successful login. * * @apiError InvalidCredentialsError The supplied credentials were invalid. Note that this error is actually a redirect to ?action=login&failed=yes (with the returnto parameter appended if you supplied one) From 0f2986703e46dacac29fe6bb98b5c80a225aef16 Mon Sep 17 00:00:00 2001 From: Starbeamrainbowlabs Date: Fri, 30 Mar 2018 16:44:07 +0100 Subject: [PATCH 4/4] Update changelog --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 6bfca29..caebc17 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -20,6 +20,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t - Normalise utf8 text to avoid duplicate ids and missing search results. - Improved handling of mime types in some places in the API. - Added `minified` option to `status` action to reduce data usage slightly + - [Rest API] Fix `checklogin` action documentation ### Changed - Disallow uploads if editing is disabled. Previously files could still be uploaded even if editing was disabled - unless `upload_enabled` was set to `false`.