Release

web/lib/app.php

@@ -0,0 +1,109 @@
+<?php
+declare(strict_types=1);
+
+$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
+session_set_cookie_params([
+  'lifetime' => 0,
+  'path'     => '/',
+  'domain'   => '',
+  'secure'   => $secure,
+  'httponly' => true,
+  'samesite' => 'Strict',
+]);
+ini_set('session.use_strict_mode', '1');
+ini_set('session.cookie_httponly', '1');
+session_name('torpanel');
+session_start();
+
+const APP_CONF_DIR  = '/etc/torpanel';
+const APP_CONF_FILE = APP_CONF_DIR . '/app.json';
+const STATE_DIR     = '/var/lib/torpanel';
+const LOGIN_THROTTLE_FILE = STATE_DIR . '/login_throttle.json';
+const SESSION_IDLE_TTL = 60 * 60 * 12;
+
+if (!empty($_SESSION['last']) && (time() - (int)$_SESSION['last']) > SESSION_IDLE_TTL) {
+    $_SESSION = [];
+    if (ini_get('session.use_cookies')) {
+        $p = session_get_cookie_params();
+        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'] ?? false, $p['httponly'] ?? true);
+    }
+    session_destroy();
+    session_start();
+}
+$_SESSION['last'] = time();
+
+function app_is_installed(): bool {
+    return is_file(APP_CONF_FILE);
+}
+function app_config(): array {
+    if (!app_is_installed()) return [];
+    $raw = @file_get_contents(APP_CONF_FILE);
+    return $raw ? (json_decode($raw, true) ?: []) : [];
+}
+function app_save_config(array $cfg): void {
+    if (!is_dir(APP_CONF_DIR)) mkdir(APP_CONF_DIR, 0770, true);
+    $tmp = APP_CONF_FILE . '.tmp';
+    file_put_contents($tmp, json_encode($cfg, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+    rename($tmp, APP_CONF_FILE);
+    @chmod(APP_CONF_FILE, 0640);
+}
+
+function auth_login(string $u, string $p): bool {
+    $cfg = app_config();
+    if (!isset($cfg['admin_user'], $cfg['admin_pass'])) return false;
+    if (!hash_equals($cfg['admin_user'], $u)) return false;
+    if (!password_verify($p, $cfg['admin_pass'])) return false;
+    session_regenerate_id(true);
+    $_SESSION['uid']  = $u;
+    $_SESSION['ua']   = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 160);
+    $_SESSION['last'] = time();
+    return true;
+}
+function auth_logout(): void {
+    $_SESSION = [];
+    if (ini_get('session.use_cookies')) {
+        $p = session_get_cookie_params();
+        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'] ?? false, $p['httponly'] ?? true);
+    }
+    session_destroy();
+}
+function auth_require(): void {
+    if (!app_is_installed()) { header('Location: /setup.php'); exit; }
+    if (empty($_SESSION['uid'])) { header('Location: /login.php'); exit; }
+}
+
+
+function throttle_state(): array {
+    if (!is_dir(STATE_DIR)) @mkdir(STATE_DIR, 0775, true);
+    $raw = @file_get_contents(LOGIN_THROTTLE_FILE);
+    return $raw ? (json_decode($raw, true) ?: []) : [];
+}
+function throttle_save(array $st): void {
+    $tmp = LOGIN_THROTTLE_FILE . '.tmp';
+    file_put_contents($tmp, json_encode($st));
+    @chmod($tmp, 0660);
+    rename($tmp, LOGIN_THROTTLE_FILE);
+}
+function throttle_check(string $ip): int {
+    $st = throttle_state();
+    $now = time();
+    $key = $ip ?: 'unknown';
+    $rec = $st[$key] ?? ['fails'=>0, 'until'=>0];
+    if ($rec['until'] > $now) return $rec['until'] - $now;
+    return 0;
+}
+function throttle_record(string $ip, bool $ok): void {
+    $st = throttle_state();
+    $now = time();
+    $key = $ip ?: 'unknown';
+    $rec = $st[$key] ?? ['fails'=>0, 'until'=>0];
+    if ($ok) {
+        $rec = ['fails'=>0, 'until'=>0];
+    } else {
+        $rec['fails'] = min(10, ($rec['fails'] ?? 0) + 1);
+        $wait = min(300, 2 ** $rec['fails']);
+        $rec['until'] = $now + $wait;
+    }
+    $st[$key] = $rec;
+    throttle_save($st);
+}