From bfbbf72959faa385b97d250484be1d25e4fd22aa Mon Sep 17 00:00:00 2001
From: Jerome Jutteau <jerome@jutteau.fr>
Date: Wed, 24 Aug 2022 22:09:15 +0200
Subject: [PATCH 1/1] [TASK] rework user auth

This is a cleaner way to upload files and also prepare for #311.

Signed-off-by: Jerome Jutteau <jerome@jutteau.fr>
---
 admin.php            |  2 +-
 index.php            | 50 +++++++++++++++-----------------------------
 lib/functions.js.php | 18 ++++++----------
 lib/functions.php    | 13 +++++++++++-
 script.php           | 19 ++++++++++-------
 5 files changed, 47 insertions(+), 55 deletions(-)
diff --git a/admin.php b/admin.php
index d05ce35..d196f3f 100644
--- a/admin.php
+++ b/admin.php
@@ -57,7 +57,7 @@ if (php_sapi_name() == "cli") {
 
     /* Logout if requested. */
     if (jirafeau_admin_session_logged() && isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
-        jirafeau_admin_session_end();
+        jirafeau_session_end();
     }
 
     if (!jirafeau_admin_session_logged()) {
diff --git a/index.php b/index.php
index 33bb83e..f7aeb04 100644
--- a/index.php
+++ b/index.php
@@ -32,39 +32,36 @@ if (has_error()) {
     require(JIRAFEAU_ROOT . 'lib/template/footer.php');
     exit;
 }
-
 require(JIRAFEAU_ROOT . 'lib/template/header.php');
 
+// Logout action
+if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
+    jirafeau_session_end();
+}
+
 /* Check if user is allowed to upload. */
-// First check: Challenge by IP NO PASSWORD
-if (true === jirafeau_challenge_upload_ip_without_password($cfg, get_ip_address($cfg))) {
-    $_SESSION['upload_auth'] = true;
-    $_POST['upload_password'] = '';
-    $_SESSION['user_upload_password'] = $_POST['upload_password'];
+// First check: Is user already logged
+if (jirafeau_user_session_logged()) {}
+// Second check: Challenge by IP NO PASSWORD
+elseif (true === jirafeau_challenge_upload_ip_without_password($cfg, get_ip_address($cfg))) {
+    jirafeau_user_session_start();
 }
-// Second check: Challenge by IP
+// Third check: Challenge by IP
 elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
     // Is an upload password required?
     if (jirafeau_has_upload_password($cfg)) {
-        // Logout action
-        if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
-            session_unset();
-        }
-
         // Challenge by password
-        // â¦save successful logins in session
         if (isset($_POST['upload_password'])) {
             if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) {
-                $_SESSION['upload_auth'] = true;
-                $_SESSION['user_upload_password'] = $_POST['upload_password'];
+                jirafeau_user_session_start();
             } else {
-                $_SESSION['admin_auth'] = false;
+                jirafeau_session_end();
                 jirafeau_fatal_error(t('BAD_PSW'), $cfg);
             }
         }
 
         // Show login form if user session is not authorized yet
-        if (true === empty($_SESSION['upload_auth'])) {
+        if (!jirafeau_user_session_logged()) {
             ?>
             <form method="post" class="form login">
             <fieldset>
@@ -81,8 +78,7 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
                 </tr>
                 <tr class = "nav">
                     <td class = "nav next">
-                    <input type = "submit" name = "key" value =
-                    "<?php echo t('LOGIN'); ?>" />
+                    <input type = "submit" name = "key" value = "<?php echo t('LOGIN'); ?>" />
                     </td>
                 </tr>
                 </table>
@@ -255,17 +251,6 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
 
         <p id="max_file_size" class="config"></p>
     <p>
-    <?php
-    if (jirafeau_has_upload_password($cfg) && $_SESSION['upload_auth']) {
-        ?>
-    <input type="hidden" id="upload_password" name="upload_password" value="<?php echo $_SESSION['user_upload_password'] ?>"/>
-    <?php
-    } else {
-        ?>
-    <input type="hidden" id="upload_password" name="upload_password" value=""/>
-    <?php
-    }
-    ?>
     <input type="submit" id="send" value="<?php echo t('SEND'); ?>"
     onclick="
         document.getElementById('upload').style.display = 'none';
@@ -277,9 +262,8 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
     </div> </fieldset>
 
     <?php
-    if (jirafeau_has_upload_password($cfg)
-        && false === jirafeau_challenge_upload_ip_without_password($cfg, get_ip_address($cfg))) {
-        ?>
+    if (jirafeau_user_session_logged()) {
+    ?>
     <form method="post" class="form logout">
         <input type = "hidden" name = "action" value = "logout"/>
         <input type = "submit" value = "<?php echo t('LOGOUT'); ?>" />
diff --git a/lib/functions.js.php b/lib/functions.js.php
index e7bc339..50aa2f0 100644
--- a/lib/functions.js.php
+++ b/lib/functions.js.php
@@ -24,6 +24,7 @@ define('JIRAFEAU_ROOT', dirname(__FILE__) . '/../');
 require(JIRAFEAU_ROOT . 'lib/settings.php');
 require(JIRAFEAU_ROOT . 'lib/functions.php');
 require(JIRAFEAU_ROOT . 'lib/lang.php');
+
 ?>
 // @license magnet:?xt=urn:btih:0b31508aeb0634b347b8270c7bee4d411b5d4109&dn=agpl-3.0.txt AGPL-v3-or-Later
 var web_root = "<?php echo $cfg['web_root']; ?>";
@@ -344,7 +345,7 @@ function add_time_string_to_date(d, time)
     return false;
 }
 
-function classic_upload (file, time, password, one_time, upload_password)
+function classic_upload (file, time, password, one_time)
 {
     // Delay time estimation init as we can't have file size
     upload_time_estimation_init(0);
@@ -397,9 +398,6 @@ function classic_upload (file, time, password, one_time, upload_password)
         form.append ("key", password);
     if (one_time)
         form.append ("one_time_download", '1');
-    if (upload_password.length > 0)
-        form.append ("upload_password", upload_password);
-
     req.send (form);
 }
 
@@ -416,7 +414,7 @@ var async_global_time;
 var async_global_transfering = 0;
 var async_global_last_code;
 
-function async_upload_start (max_size, file, time, password, one_time, upload_password)
+function async_upload_start (max_size, file, time, password, one_time)
 {
     async_global_transfered = 0;
     async_global_file = file;
@@ -455,8 +453,6 @@ function async_upload_start (max_size, file, time, password, one_time, upload_pa
         form.append ("key", password);
     if (one_time)
         form.append ("one_time_download", '1');
-    if (upload_password.length > 0)
-        form.append ("upload_password", upload_password);
 
     // Start time estimation
     upload_time_estimation_init(async_global_file.size);
@@ -607,8 +603,7 @@ function upload (max_chunk_size)
             document.getElementById('file_select').files[0],
             document.getElementById('select_time').value,
             document.getElementById('input_key').value,
-            one_time,
-            document.getElementById('upload_password').value
+            one_time
             );
     }
     else
@@ -617,8 +612,7 @@ function upload (max_chunk_size)
             document.getElementById('file_select').files[0],
             document.getElementById('select_time').value,
             document.getElementById('input_key').value,
-            one_time,
-            document.getElementById('upload_password').value
+            one_time
             );
     }
 }
@@ -807,7 +801,7 @@ function set_light_mode() {
 }
 
 function color_scheme_preferences() {
-    
+
     let dark_mode_steel_sheet = "<?php echo 'media/' . $cfg['dark_style'] . '/style.css.php'; ?>"
     if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
         set_dark_mode();
diff --git a/lib/functions.php b/lib/functions.php
index 1e084fb..9672fe1 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1476,7 +1476,7 @@ function jirafeau_admin_session_start()
     $_SESSION['admin_csrf'] = md5(uniqid(mt_rand(), true));
 }
 
-function jirafeau_admin_session_end()
+function jirafeau_session_end()
 {
     $_SESSION = array();
     session_destroy();
@@ -1496,6 +1496,17 @@ function jirafeau_admin_csrf_field()
     return "<input type='hidden' name='admin_csrf' value='". $_SESSION['admin_csrf'] . "'/>";
 }
 
+function jirafeau_user_session_start()
+{
+    $_SESSION['user_auth'] = true;
+}
+
+function jirafeau_user_session_logged()
+{
+    return isset($_SESSION['user_auth']) &&
+        $_SESSION['user_auth'] === true;
+}
+
 function jirafeau_dir_size($dir)
 {
     $size = 0;
diff --git a/script.php b/script.php
index 0d4aeab..99ebfeb 100644
--- a/script.php
+++ b/script.php
@@ -62,20 +62,22 @@ if (has_error()) {
     exit;
 }
 
+session_start();
+
 /* Upload file */
 if (isset($_FILES['file']) && is_writable(VAR_FILES)
     && is_writable(VAR_LINKS)) {
-    if (isset($_POST['upload_password'])) {
-        if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+    if (!jirafeau_user_session_logged()) {
+        if (isset($_POST['upload_password']) &&
+            !jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
             echo 'Error 3: Invalid password';
             exit;
-        }
-    } else {
-        if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+        } elseif (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
             echo 'Error 2: No password nor allowed IP';
             exit;
         }
     }
+
     $key = '';
     if (isset($_POST['key'])) {
         $key = $_POST['key'];
@@ -135,7 +137,7 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES)
     } else {
         $ip = "";
     }
-    
+
     $res = jirafeau_upload(
         $_FILES['file'],
         isset($_POST['one_time_download']),
@@ -405,7 +407,8 @@ fi
 }
 /* Initialize an asynchronous upload. */
 elseif (isset($_GET['init_async'])) {
-    if (isset($_POST['upload_password'])) {
+    if (jirafeau_user_session_logged()) {}
+    elseif (isset($_POST['upload_password'])) {
         if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
             echo 'Error 20: Invalid password';
             exit;
@@ -479,7 +482,7 @@ elseif (isset($_GET['init_async'])) {
     } else {
         $ip = "";
     }
-    
+
     echo jirafeau_async_init(
         $_POST['filename'],
         $type,
-- 
2.34.1

