
New Login screen

As discussed: issues with the old system in Safari (OSX), and also high load due to the capability to stress / "ddos" the server with fast-changing keys

Seperated each step
- Username
- Password
- Autenticate / Check if user needs 2FA
-- Sessions set
or
-- Send to TWOFA Page
-- Autenticate with old data + check 2FA
Jaap Marcus 5 лет назад
Родитель
Сommit
068220a36e
4 измененных файлов с 246 добавлено и 92 удалено
  1. 127 38
      web/login/index.php
  2. 7 54
      web/templates/login.html
  3. 56 0
      web/templates/login_1.html
  4. 56 0
      web/templates/login_2.html

+ 127 - 38
web/login/index.php

@@ -6,8 +6,7 @@ define('NO_AUTH_REQUIRED',true);
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
-
-$TAB = 'LOGIN';
+$TAB = 'login';
 
 // Logout
 if (isset($_GET['logout'])) {
@@ -33,27 +32,24 @@ if (isset($_SESSION['user'])) {
     exit;
 }
 
-// Basic auth
-if (isset($_POST['user']) && isset($_POST['password'])) {
+if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa'])){
     if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
-        $v_user = escapeshellarg($_POST['user']);
-        $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
-        if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
-            if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
-                $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']);
-            }
-        }
-        if (isset($_POST['twofa'])) {
-            $v_twofa = escapeshellarg($_POST['twofa']);
+    $v_user = escapeshellarg($_POST['user']);
+    $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
+    if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
+        if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
+            $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']);
         }
+    }
 
-        // Get user's salt
-        $output = '';
-        exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
-        $pam = json_decode(implode('', $output), true);
-        if ( $return_var > 0 ) {
-            sleep(5);
-            $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
+    // Get user's salt
+    $output = '';
+    exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
+    $pam = json_decode(implode('', $output), true);
+    if ( $return_var > 0 ) {
+        sleep(5);
+        unset($_POST['password'], $_POST['user']);
+        $error = "<a class=\"error\">".__('Invalid username or password')."</a>";
         } else {
             $user = $_POST['user'];
             $password = $_POST['password'];
@@ -87,6 +83,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
             // Check API answer
             if ( $return_var > 0 ) {
                 sleep(5);
+                unset($_POST['password']);
                 $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
             } else {
 
@@ -99,29 +96,115 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
 
                 // Check if 2FA is active
                 if ($data[$_POST['user']]['TWOFA'] != '') {
-                    if (isset($v_twofa)){
-                        $v_twofa = str_replace(' ', '', $v_twofa);
-                        exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
+                    $v_twofa = $_POST['twofa'];
+                    exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
                         unset($output);
                         if ( $return_var > 0 ) {
                             sleep(1);
                             $ERROR = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>";
                         }
+                }
+                // Define session user
+                $_SESSION['user'] = key($data);
+                $v_user = $_SESSION['user'];
+
+                // Define language
+                $output = '';
+                exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);
+                $languages = json_decode(implode('', $output), true);
+                if (in_array($data[$v_user]['LANGUAGE'], $languages)){
+                    $_SESSION['language'] = $data[$v_user]['LANGUAGE'];
+                } else {
+                    $_SESSION['language'] = 'en';
+                }
+
+                // Regenerate session id to prevent session fixation
+                session_regenerate_id();
+
+                // Redirect request to control panel interface
+                if (!empty($_SESSION['request_uri'])) {
+                    header("Location: ".$_SESSION['request_uri']);
+                    unset($_SESSION['request_uri']);
+                    exit;
+                } else {
+                    if ($v_user == 'admin') {
+                        header("Location: /list/user/");
                     } else {
-                        sleep(1);
-                        $ERROR = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>";
+                        header("Location: /list/web/");
                     }
+                    exit;
                 }
+            }
+        }
+    }    
+} else if (!empty($_POST['user']) && !empty($_POST['password'])) {
+    if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
+    $v_user = escapeshellarg($_POST['user']);
+    $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
+    if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
+        if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
+            $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']);
+        }
+    }
 
-                // Check if 2FA was successfully
-                if ( ! isset($v_twofa) || $ERROR == '' ) {
+    // Get user's salt
+    $output = '';
+    exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
+    $pam = json_decode(implode('', $output), true);
+    if ( $return_var > 0 ) {
+        sleep(5);
+        unset($_POST['password'], $_POST['user']);
+        $error = "<a class=\"error\">".__('Invalid username or password')."</a>";
+        } else {
+            $user = $_POST['user'];
+            $password = $_POST['password'];
+            $salt = $pam[$user]['SALT'];
+            $method = $pam[$user]['METHOD'];
+
+            if ($method == 'md5' ) {
+                $hash = crypt($password, '$1$'.$salt.'$');
+            }
+            if ($method == 'sha-512' ) {
+                $hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
+                $hash = str_replace('$rounds=5000','',$hash);
+            }
+            if ($method == 'des' ) {
+                $hash = crypt($password, $salt);
+            }
+
+            // Send hash via tmp file
+            $v_hash = exec('mktemp -p /tmp');
+            $fp = fopen($v_hash, "w");
+            fwrite($fp, $hash."\n");
+            fclose($fp);
+
+            // Check user hash
+            exec(HESTIA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip,  $output, $return_var);
+            unset($output);
+
+            // Remove tmp file
+            unlink($v_hash);
+
+            // Check API answer
+            if ( $return_var > 0 ) {
+                sleep(5);
+                unset($_POST['password']);
+                $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
+            } else {
+
+                // Make root admin user
+                if ($_POST['user'] == 'root') $v_user = 'admin';
+
+                // Get user speciefic parameters
+                exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
+                $data = json_decode(implode('', $output), true);
+
+                // Check if 2FA is active
+                if ($data[$_POST['user']]['TWOFA'] == '') {
                     // Define session user
                     $_SESSION['user'] = key($data);
                     $v_user = $_SESSION['user'];
-
-                    // Get user favorites
-                    get_favourites();
-
+    
                     // Define language
                     $output = '';
                     exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);
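Review bot: A failed 2FA check no longer blocks the login — when `v-check-user-2fa` returns non-zero and `$ERROR` is set, execution falls out of the `if ($data[$_POST['user']]['TWOFA'] != '')` block straight into `// Define session user`, so `$_SESSION['user']` is set and the redirect happens anyway; the removed `if ( ! isset($v_twofa) || $ERROR == '' )` guard had prevented exactly this. Guard the session/redirect block on the 2FA result, e.g. move it into an `else` of the `if ( $return_var > 0 )` check or wrap it in `if (empty($ERROR)) { … }`. In the same hunk `$v_twofa = $_POST['twofa'];` drops the `escapeshellarg()` (and the space stripping) the removed lines applied before the value is concatenated into the `exec()` command; restore `$v_twofa = escapeshellarg(str_replace(' ', '', $_POST['twofa']));`. Both salt-lookup failure branches assign `$error` while the templates test `isset($ERROR)`, so that "Invalid username or password" message is never displayed. The enclosing `if`/`else if` blocks start and end outside this hunk.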
@@ -131,10 +214,10 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
                     } else {
                         $_SESSION['language'] = 'en';
                     }
-
+    
                     // Regenerate session id to prevent session fixation
                     session_regenerate_id();
-
+    
                     // Redirect request to control panel interface
                     if (!empty($_SESSION['request_uri'])) {
                         header("Location: ".$_SESSION['request_uri']);
@@ -151,12 +234,11 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
                 }
             }
         }
-    } else {
-        sleep(1);
-        $ERROR = "<a class=\"error\">".__('Invalid or missing token')."</a>";
-    }
+    }    
 }
 
+
+
 // Check system configuration
 load_hestia_config();
 
@@ -183,4 +265,11 @@ $_SESSION['token'] = md5(uniqid(mt_rand(), true));
 
 require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
 require_once('../templates/header.html');
-require_once('../templates/login.html');
+if (empty($_POST['user'])) {
+    require_once('../templates/login.html');
+}else if (empty($_POST['password'])) {
+    require_once('../templates/login_1.html');
+}else if (empty($_POST['twofa'])) {
+    require_once('../templates/login_2.html');    
+}
+?>

+ 7 - 54
web/templates/login.html

@@ -17,52 +17,22 @@
                                             </td>
                                         </tr>
                                         <tr>
-                                            <td style="padding: 12px 0 0 2px;">
-                                                <?php print __('Username');?>
+                                            <td style="padding: 12px 0 5px 2px;">
+                                                <?php print __('Please login with your username');?>
                                             </td>
                                         </tr>
                                         <tr>
                                             <td>
-                                                <input tabindex="1" type="text" size="20px" style="width:240px;" name="user" class="vst-input">
+                                                <input tabindex="1" type="text" size="20px" style="width:240px;" name="user" class="vst-input" placeholder="<?php print __('Username');?>">
                                             </td>
                                         </tr>
                                         <tr>
-                                            <td style="padding: 12px 0 0 2px;">
-                                                <?php print __('Password');?>
-                                                <div style="padding:0 6px 0px 14px; float:right;">
-                                                    <a tabindex="5" class="vst-advanced" href="/reset/">
-                                                        <?php print __('forgot password');?>
-                                                    </a>
-                                                </div>
+                                            <td height="10px">
                                             </td>
                                         </tr>
                                         <tr>
-                                            <td>
-                                                <input tabindex="2" type="password" size="20px"  style="width:240px;" name="password" class="vst-input">
-                                            </td>
-                                        </tr>
-                                        <tr class="twofa" style="display:none;">
-                                            <td style="padding-top: 12px; padding-left:2px;">
-                                                <?php print __('2FA Token');?>
-                                                <div style="padding:0 6px 0px 14px; float:right;">
-                                                    <a tabindex="5" class="vst-advanced" href="/reset2fa/">
-                                                        <?php print __('Forgot token');?>
-                                                    </a>
-                                                </div>
-                                            </td>
-                                        </tr>
-                                        <tr class="twofa" style="display:none;">
-                                            <td>
-                                                <input tabindex="3" type="text" size="20px" style="width:240px;" name="twofa" class="vst-input">
-                                            </td>
-                                        </tr>
-                                        <tr>
-                                            <td height="28px">
-                                            </td>
-                                        </tr>
-                                        <tr>
-                                            <td style="padding: 0 0 12px 0;">
-                                                    <button tabindex="3" type="submit" class="button"><?php print __('Log in');?>&nbsp;&nbsp;&nbsp;<i class="fas fa-sign-in-alt"></i></button>
+                                            <td style="padding: 0 0 5px 0;">
+                                                <button tabindex="3" type="submit" class="button"><?php print __('Next');?>&nbsp;&nbsp;&nbsp;<i class="fas fa-sign-in-alt"></i></button>
                                             </td>
                                         </tr>
                                     </table>
@@ -80,23 +50,6 @@
                 </tr>
             </table>
         </center>
-        <script type="text/javascript">
-            $(document).ready(function () {
-                $('#form_login').on('input', 'input[name="user"]', function() {
-                    var username = this.value;
-                    $.ajax({
-                        type: 'GET',
-                        url: '/inc/2fa/active.php?user=' + username,
-                        complete: function(xhr) {
-                            if(xhr.status == '200'){
-                                $('.twofa').show();
-                            }else if(xhr.status == '404'){
-                                $('.twofa').hide();
-                            }
-                        }
-                    });
-                });
-            });
-        </script>
+
     </body>
 </html>

+ 56 - 0
web/templates/login_1.html

@@ -0,0 +1,56 @@
+        <center>
+            <table class="login animated zoomIn">
+                <tr>
+                    <td>
+                        <table>
+                            <tr>
+                                <td style="padding: 22px 30px 0 42px; height: 280px; width: 170px;">
+                                    <a href="/"><img border=0 src="/images/logo.png" alt="<?=__('Hestia Control Panel');?>" style="margin: 20px; margin-top: 64px;" /></a>
+                                </td>
+                                <td style="padding: 40px 60px 0 0;">
+                                    <form method="post" action="/login/" id="form_login">
+                                    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
+                                    <input type="hidden" name="user" value="<?php echo $_POST['user']; ?>">
+                                    
+                                    <table class="login-box">
+                                        <tr>
+                                            <td style="padding: 12px 0 0 2px;" class="login-welcome">
+                                                <?php print __('Welcome to Hestia Control Panel');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td style="padding: 12px 0 5px 2px;">
+                                                <?php print __('Please enter your Password');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td>
+                                                <input tabindex="2" type="password" size="20px"  style="width:240px;" name="password" class="vst-input" placeholder="<?php print __('Password');?>">
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td height="10px">
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td style="padding: 0 0 5px 0;">
+                                                <button tabindex="3" type="submit" class="button"><?php print __('Login');?>&nbsp;&nbsp;&nbsp;<i class="fas fa-sign-in-alt"></i></button>
+                                            </td>
+                                        </tr>
+                                    </table>
+                                </form>
+                            </td>
+                        </tr>
+                        <tr>
+                            <td colspan=2>
+                                <div class="login-bottom">
+                                    <div style="height:20px"><?php if (isset($ERROR)) echo $ERROR ?></div>
+                                </div>
+                            </td>
+                        </tr>
+                    </table>
+                </tr>
+            </table>
+        </center>
+    </body>
+</html>
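Review bot: The hidden field `<input type="hidden" name="user" value="<?php echo $_POST['user']; ?>">` writes the posted username into an attribute without escaping, so a value containing `"` or `<` breaks out of the attribute into the markup (reflected XSS on the login page). Escape it for the attribute context: `value="<?php echo htmlspecialchars($_POST['user'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"`. The same applies to the `user` and `password` hidden fields added in login_2.html.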

+ 56 - 0
web/templates/login_2.html

@@ -0,0 +1,56 @@
+        <center>
+            <table class="login animated zoomIn">
+                <tr>
+                    <td>
+                        <table>
+                            <tr>
+                                <td style="padding: 22px 30px 0 42px; height: 280px; width: 170px;">
+                                    <a href="/"><img border=0 src="/images/logo.png" alt="<?=__('Hestia Control Panel');?>" style="margin: 20px; margin-top: 64px;" /></a>
+                                </td>
+                                <td style="padding: 40px 60px 0 0;">
+                                    <form method="post" action="/login/" id="form_login">
+                                    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
+                                    <input type="hidden" name="user" value="<?php echo $_POST['user']; ?>">
+                                    <input type="hidden" name="password" value="<?php echo $_POST['password']; ?>">
+                                    <table class="login-box">
+                                        <tr>
+                                            <td style="padding: 12px 0 0 2px;" class="login-welcome">
+                                                <?php print __('Welcome to Hestia Control Panel');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td style="padding: 12px 0 5px 2px;">
+                                                <?php print __('Please enter your 2FA token');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td>
+                                                <input tabindex="2" type="" size="20px"  style="width:240px;" name="twofa" class="vst-input" placeholder="<?php print __('2FA Token');?>">
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td height="10px">
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td style="padding: 0 0 5px 0;">
+                                                <button tabindex="3" type="submit" class="button"><?php print __('Login');?>&nbsp;&nbsp;&nbsp;<i class="fas fa-sign-in-alt"></i></button>
+                                            </td>
+                                        </tr>
+                                    </table>
+                                </form>
+                            </td>
+                        </tr>
+                        <tr>
+                            <td colspan=2>
+                                <div class="login-bottom">
+                                    <div style="height:20px"><?php if (isset($ERROR)) echo $ERROR ?></div>
+                                </div>
+                            </td>
+                        </tr>
+                    </table>
+                </tr>
+            </table>
+        </center>
+    </body>
+</html>
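Review bot: The 2FA input declares `type=""`, which is not a valid type value; use `type="text"` (plus `autocomplete="one-time-code"`, and `inputmode="numeric"` if the token is always digits) so browsers treat the field predictably. The hidden `password` field echoes the cleartext password back into the HTML response so it can be re-posted on the 2FA step, which places the secret in the page source and in any form-data the browser retains, and ties the 2FA step to a full re-run of the password check. A server-side marker in the session recording that the password step succeeded (set after `v-check-user-hash` passes, cleared once 2FA completes or the session is regenerated) would avoid round-tripping the secret through the client.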