Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Gg/devel #2

Open
wants to merge 39 commits into
base: master
Choose a base branch
from
Open

Gg/devel #2

wants to merge 39 commits into from

Conversation

gggeek
Copy link
Contributor

@gggeek gggeek commented Nov 13, 2024

Sorry for the size... this grew a fair bit while waiting for the first PR to be merged.

New features:

  • browsing the reports is only allowed to logged-in users
  • logged-in users can change their own password via a web page
  • non-logged-in users can reset their own password via getting a link by email (this can be disabled via config)
  • rate-limiting is implemented for both crash report submittal and for other forms
  • proper support for reverse-proxies in front of the webserver
  • the sql generated is compatible with mariadb and posgtresql (not fully tested yet)
  • indexes are added to DB tables to speed up queries in case of huge data set
  • an audit log is introduced, covering most (all?) non-trivial events

gggeek added 30 commits October 14, 2024 23:32
@gggeek
WIP add firewall and login form; improve form input fields html; refa…
d829e24 
…ctoring and improviding phpdocs
@gggeek
Fix: factory method for singleton should not allow different args on …
012fe06 
…every call
@gggeek
Keep trace of more events in the audit log; update user profile with …
d4962ee 
…last login timestamp
@gggeek
avoid php warning if trying to start a session after headers have bee…
513f857 
…n sent; improve comments
@gggeek
add self-service password reset
1b3d749
@gggeek
whitespace fixes
0309d8a
@gggeek
add support for anti-CSRF tokens; enable it in the password-change fo…
4ef543c 
…rm; related refactoring
@gggeek
refactor the form fields class; tie anticsrf tokens to the form showi…
88a061e 
…ng them
@gggeek
complete form field refactoring: avoid double error message in login …
8b4324b 
…form; improve code validating of redirect fields; fix php error if post to pwd change form misses the csrf token; add to html inputs minLength contraint if specified by the field
@gggeek
one comment
e7781ca
@gggeek
remove debugging data
8a18622
@gggeek
comments
2bcc140
@gggeek
add session limiting, based on redis usage; refactor exceptions hiera…
752f4fe 
…rchy;do validate minlength constraint limit
@gggeek
do not show rate limiter error messages if there are platform issues;…
6b5dcb9 
… hide rate limiting details in error messages;make key hash of rate limiter more robust in case of unwary devs
@gggeek
update readme
6c792ae
@gggeek
a nitpick
6104e70
@gggeek
reset rate-limit of login form on succesful login; refactor names and…
346cab0 
… namespaces of various classes
@gggeek
fix updating users passwords via cli
bcdaa8f
@gggeek
add user::isAuthenticated method
6cbb543
@gggeek
remove existing anticsrf tokens from the session if switching users
bfbfaa0
@gggeek
fix bug when checking for multiple roles; do not always autostart ses…
7125af4 
…sion when creating the firewall
@gggeek
nitpicks: remove one unused use statement; change order of comparison…
b609975 
… clauses
@gggeek
implement forgot-password functionality for non-logged-in users; a li…
b189b8e 
…ttle related refactoring
@gggeek
add rate-limiting to forgotpassword forms
e6f1428
@gggeek
fix fatal error in case token not in request
bf25a20
@gggeek
fix logic of setting errors to forms
8ebd302
@gggeek
update readme with expanded installation instructions
32fdd05
@gggeek
add support for db indexes and foreign keys
9306d4c
@gggeek
add support for pgsql and wip suupport for mariadb
cd4dc8b
@gggeek
update readme and remove dead code after cursory testing on mariadb
988a802
@gggeek
Copy link
Contributor Author

gggeek commented Nov 15, 2024
edited
Loading

Status update:

in my fork, branch gg/devel, I have now implemented:

  • the logic for the 'upload' functionality proposed in the merge of PR Gg/devel #1, with users being able to see/delete their data for 1 hour
  • allowing to disable the 'forgotpassword' feature, in case sendmail is not configured for php
  • a different page title for each page
  • allow using/generating urls which omit the trailing .php (nice in case of future rewrites ;-)
  • a fix for running on MariaDB

...then I pushed it to GitHub without realizing that it was the branch which was used for the PR :-O

Which means that this PR now has 9 more commits, and a few more files too.
If you find this unbearably big to review, please let me know, and I will try to split the work in smaller chunks.

With this, the basic functionality should be complete. I do have a list of ideas for improvements and new features, which I will submit in the existing VeraCrypt discussion. My top-of-the-list vote goes for adding functional tests...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gggeek