- Token will be deleted after using it

mailcow · Sep 10, 2024 · 96e6ca3 · 96e6ca3
1 parent 3030b77
commit 96e6ca3
Showing 1 changed file with 37 additions and 33 deletions.
diff --git a/data/web/sogossologin/sogo-auth.php b/data/web/sogossologin/sogo-auth.php
@@ -7,23 +7,23 @@
 
 function checkTokenExists($pdo, $username, $token): bool
 {
-    try {
+  try {
 
-        $stmt = $pdo->prepare("SELECT * FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
-        $stmt->bindParam(':username', $username);
-        $stmt->bindParam(':token', $token);
+    $stmt = $pdo->prepare("SELECT * FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
+    $stmt->bindParam(':username', $username);
+    $stmt->bindParam(':token', $token);
 
-        $stmt->execute();
+    $stmt->execute();
 
-        $res = $stmt->fetchAll();
-        if(count($res) == 1){
-            return true;
-        }else{
-            return false;
-        }
-    } catch (PDOException $e) {
-        return false;
+    $res = $stmt->fetchAll();
+    if(count($res) == 1){
+      return true;
+    }else{
+      return false;
     }
+  } catch (PDOException $e) {
+    return false;
+  }
 }
 
 
@@ -32,29 +32,33 @@ function checkTokenExists($pdo, $username, $token): bool
 
 
 if(isset($_GET['email']) && $_GET['token']){
-    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
-    if(checkTokenExists($pdo, $_GET['email'], $_GET['token'])){
-        try {
-            $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
-            $_SESSION[$session_var_user_allowed][] = $_GET['email'];
-            $_SESSION[$session_var_pass] = $sogo_sso_pass;
-            $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
-            $stmt->execute(array(
-                ':username' => $_GET['email'],
-                ':remote_addr' => (isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'])
-            ));
-        }catch (PDOException $e){
-            echo $e->getMessage();
-        }
-
-
-        header("Location: /SOGo/so/{$_GET['email']}");
-    }else{
-        http_response_code(401);
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+  if(checkTokenExists($pdo, $_GET['email'], $_GET['token'])){
+    try {
+      $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+      $_SESSION[$session_var_user_allowed][] = $_GET['email'];
+      $_SESSION[$session_var_pass] = $sogo_sso_pass;
+      $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
+      $stmt->execute(array(
+        ':username' => $_GET['email'],
+        ':remote_addr' => (isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'])
+      ));
+
+      $stmt2 = $pdo->prepare("DELETE FROM `sogo_sso_tokens` WHERE token = :token");
+      $stmt2->bindParam(':token', $_GET['token']);
+      $stmt2->execute();
+    }catch (PDOException $e){
+      echo $e->getMessage();
     }
+
+
+    header("Location: /SOGo/so/{$_GET['email']}");
+  }else{
+    http_response_code(401);
+  }
 }
 
 // if username is empty, SOGo will use the normal login methods / login form
 header("X-User: ");
 header("X-Auth: ");
-header("X-Auth-Type: ");
+header("X-Auth-Type: ");