From 3030b77a892489d8eb822f3ab7aa02e631665f32 Mon Sep 17 00:00:00 2001
From: Yekta
Date: Tue, 10 Sep 2024 17:32:12 +0200
Subject: [PATCH 1/2] - Added sogo-auth.php / sogo-tokengenerate.php

---
data/web/sogossologin/sogo-auth.php | 60 ++++++++++++++++
data/web/sogossologin/sogo-tokengenerate.php | 76 ++++++++++++++++++++
2 files changed, 136 insertions(+)
create mode 100644 data/web/sogossologin/sogo-auth.php
create mode 100644 data/web/sogossologin/sogo-tokengenerate.php

diff --git a/data/web/sogossologin/sogo-auth.php b/data/web/sogossologin/sogo-auth.php
new file mode 100644
index 0000000000..b3507b454b
--- /dev/null
+++ b/data/web/sogossologin/sogo-auth.php
@@ -0,0 +1,60 @@
+prepare("SELECT * FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
+ $stmt->bindParam(':username', $username);
+ $stmt->bindParam(':token', $token);
+
+ $stmt->execute();
+
+ $res = $stmt->fetchAll();
+ if(count($res) == 1){
+ return true;
+ }else{
+ return false;
+ }
+ } catch (PDOException $e) {
+ return false;
+ }
+}
+
+
+
+
+
+
+if(isset($_GET['email']) && $_GET['token']){
+ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+ if(checkTokenExists($pdo, $_GET['email'], $_GET['token'])){
+ try {
+ $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+ $_SESSION[$session_var_user_allowed][] = $_GET['email'];
+ $_SESSION[$session_var_pass] = $sogo_sso_pass;
+ $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
+ $stmt->execute(array(
+ ':username' => $_GET['email'],
+ ':remote_addr' => (isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'])
+ ));
+ }catch (PDOException $e){
+ echo $e->getMessage();
+ }
+
+
+ header("Location: /SOGo/so/{$_GET['email']}");
+ }else{
+ http_response_code(401);
+ }
+}
+
+// if username is empty, SOGo will use the normal login methods / login form
+header("X-User: ");
+header("X-Auth: ");
+header("X-Auth-Type: ");
\ No newline at end of file
diff --git a/data/web/sogossologin/sogo-tokengenerate.php b/data/web/sogossologin/sogo-tokengenerate.php
new file mode 100644
index 0000000000..6e9cf71612
--- /dev/null
+++ b/data/web/sogossologin/sogo-tokengenerate.php
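Review bot: The `catch (PDOException $e){ echo $e->getMessage(); }` in the login block writes the raw driver error into the HTTP response and then still falls through to the `Location` redirect, while `$_SESSION[$session_var_user_allowed]` and `$_SESSION[$session_var_pass]` were already set a few lines earlier, so a half-completed login is reported as success; log it with `error_log($e->getMessage());` and answer `http_response_code(500); exit;` instead. The `real_rip` written to `sasl_log` takes `$_SERVER['HTTP_X_REAL_IP']` whenever that header is present, so the audited source address is whatever the caller sends unless an upstream proxy always overwrites it — worth a comment such as `// real_rip trusts X-Real-IP; only meaningful behind the proxy that sets it`, hedged because the proxy configuration is not on this page. `file_get_contents("/etc/sogo-sso/sogo-sso.pass")` is unchecked, so on a read failure `$_SESSION[$session_var_pass]` becomes `false` rather than the request being refused. The file's opening lines (PHP tag, start of `checkTokenExists`) are missing from this rendering, so anything before `prepare(` cannot be reviewed here.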
@@ -0,0 +1,76 @@
+prepare("CREATE TABLE IF NOT EXISTS `sogo_sso_tokens` (
+ `id` INT AUTO_INCREMENT PRIMARY KEY,
+ `username` TEXT NOT NULL,
+ `token` TEXT NOT NULL
+ )");
+ $stmt->execute();
+ } catch (PDOException $e) {
+ if ($debug) echo $e->getMessage();
+ }
+}
+
+function showTables($pdo)
+{
+ try {
+ $stmt2 = $pdo->query("SHOW TABLES");
+ $res = $stmt2->fetchAll(PDO::FETCH_ASSOC);
+ var_dump($res);
+ } catch (PDOException $e) {
+ echo $e->getMessage();
+ }
+}
+
+function writeTokenToDB($username, $token, $pdo): bool
+{
+ try {
+ $stmt = $pdo->prepare("INSERT INTO `sogo_sso_tokens` (`username`, `token`) VALUES (:username, :token)");
+ $stmt->bindParam(':username', $username);
+ $stmt->bindParam(':token', $token);
+ $success = $stmt->execute();
+ return $success;
+ } catch (PDOException $e) {
+ echo $e->getMessage();
+ return false;
+ }
+}
+
+function generateToken($username): string
+{
+ return md5(base64_encode($username) . random_bytes(16) . md5(time()));
+}
+
+function getApiKey($pdo)
+{
+ try {
+ $stmt = $pdo->prepare("SELECT `api_key` FROM `api` LIMIT 1");
+ $stmt->execute();
+ return $stmt->fetchColumn();
+
+ } catch (PDOException $e) {
+ return null;
+ }
+}
+
+
+if (isset($_POST['username']) && isset($_POST['apikey'])) {
+
+ if ($_POST['apikey'] == getApiKey($pdo)) {
+ $username = $_POST['username'];
+ $token = generateToken($username);
+ createIfTableDoesntExist($pdo);
+ writeTokenToDB($username, $token, $pdo);
+ echo json_encode(array(
+ "success" => true,
+ "username"=> $username,
+ "token" => $token
+ ));
+ }
+}
\ No newline at end of file
From 96e6ca3f0ac5ff6f7b65c522411f37d9908b4379 Mon Sep 17 00:00:00 2001
From: Yekta
Date: Tue, 10 Sep 2024 17:37:49 +0200
Subject: [PATCH 2/2] - Token will be deleted after using it

---
data/web/sogossologin/sogo-auth.php | 70 +++++++++++++++--------------
1 file changed, 37 insertions(+), 33 deletions(-)
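Review bot: `$_POST['apikey'] == getApiKey($pdo)` is a loose, non-constant-time comparison, and `getApiKey` returns `false` (no row in `api`) or `null` (PDO error), both of which `==` treats as equal to an empty string — so on an instance with no configured key, or during a database error, an empty `apikey` satisfies the check and a token is minted for any `username`. Fetch the key first and require a non-empty string before comparing with `hash_equals`, e.g. `$key = getApiKey($pdo);` / `if (is_string($key) && $key !== '' && hash_equals($key, (string) $_POST['apikey'])) {`. If the `api` table carries an active flag or allowed-source restriction, the bare `SELECT \`api_key\` FROM \`api\` LIMIT 1` ignores it — verify against the schema, which is not on this page. The failure path answers with an empty 200; send `http_response_code(403)` there, and set `Content-Type: application/json` on the success path. `username` is stored without checking that it names an existing mailbox, the row has no creation time so an unused token never expires, and `showTables()`'s `var_dump` looks like leftover debugging.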
diff --git a/data/web/sogossologin/sogo-auth.php b/data/web/sogossologin/sogo-auth.php
index b3507b454b..0e42b0dd7e 100644
--- a/data/web/sogossologin/sogo-auth.php
+++ b/data/web/sogossologin/sogo-auth.php
@@ -7,23 +7,23 @@ function checkTokenExists($pdo, $username, $token): bool
 {
- try {
+ try {
- $stmt = $pdo->prepare("SELECT * FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
- $stmt->bindParam(':username', $username);
- $stmt->bindParam(':token', $token);
+ $stmt = $pdo->prepare("SELECT * FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
+ $stmt->bindParam(':username', $username);
+ $stmt->bindParam(':token', $token);
- $stmt->execute();
+ $stmt->execute();
- $res = $stmt->fetchAll();
- if(count($res) == 1){
- return true;
- }else{
- return false;
- }
- } catch (PDOException $e) {
- return false;
+ $res = $stmt->fetchAll();
+ if(count($res) == 1){
+ return true;
+ }else{
+ return false;
 }
+ } catch (PDOException $e) {
+ return false;
+ }
 }
@@ -32,29 +32,33 @@ function checkTokenExists($pdo, $username, $token): bool
 if(isset($_GET['email']) && $_GET['token']){
- require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
- if(checkTokenExists($pdo, $_GET['email'], $_GET['token'])){
- try {
- $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
- $_SESSION[$session_var_user_allowed][] = $_GET['email'];
- $_SESSION[$session_var_pass] = $sogo_sso_pass;
- $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
- $stmt->execute(array(
- ':username' => $_GET['email'],
- ':remote_addr' => (isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'])
- ));
- }catch (PDOException $e){
- echo $e->getMessage();
- }
-
-
- header("Location: /SOGo/so/{$_GET['email']}");
- }else{
- http_response_code(401);
+ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+ if(checkTokenExists($pdo, $_GET['email'], $_GET['token'])){
+ try {
+ $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+ $_SESSION[$session_var_user_allowed][] = $_GET['email'];
+ $_SESSION[$session_var_pass] = $sogo_sso_pass;
+ $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
+ $stmt->execute(array(
+ ':username' => $_GET['email'],
+ ':remote_addr' => (isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'])
+ ));
+
+ $stmt2 = $pdo->prepare("DELETE FROM `sogo_sso_tokens` WHERE token = :token");
+ $stmt2->bindParam(':token', $_GET['token']);
+ $stmt2->execute();
+ }catch (PDOException $e){
+ echo $e->getMessage();
 }
+
+
+ header("Location: /SOGo/so/{$_GET['email']}");
+ }else{
+ http_response_code(401);
+ }
 }

 // if username is empty, SOGo will use the normal login methods / login form
 header("X-User: ");
 header("X-Auth: ");
-header("X-Auth-Type: ");
\ No newline at end of file
+header("X-Auth-Type: ");
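Review bot: The new `DELETE FROM \`sogo_sso_tokens\`` runs only after the session has already been granted and only if the `sasl_log` REPLACE did not throw, so a database error on the log insert leaves the token in the table while the caller is still redirected as logged in, and there is a window between `checkTokenExists`'s SELECT and this DELETE in which a second request carrying the same token also passes the check. Consuming the token and validating it should be one statement: delete by username and token first, and grant the session only when `rowCount()` reports exactly one row, which makes single-use hold even under concurrent requests and regardless of what happens to the audit insert afterwards. `$stmt2->bindParam(':token', $_GET['token'])` also binds a superglobal element by reference; `bindValue` or the `execute([...])` array form is the clearer choice. `checkTokenExists` (which starts before this hunk) becomes unused with this change and can be removed or reduced to the consume helper.
```php
    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
    // Validate and consume in one statement: a row is deleted only if both
    // username and token match, and rowCount() tells this request whether it
    // was the one that consumed the token.
    $consume = $pdo->prepare("DELETE FROM `sogo_sso_tokens` WHERE `username` = :username AND `token` = :token");
    $consume->execute([':username' => $_GET['email'], ':token' => $_GET['token']]);
    if ($consume->rowCount() === 1) {
        // … unchanged: session setup and sasl_log REPLACE, minus the separate DELETE …
        header("Location: /SOGo/so/{$_GET['email']}");
    } else {
        http_response_code(401);
    }
```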