
Changed text / Improved password check

Jaap Marcus 5 years ago
parent
commit
f3150f3367
4 changed files with 44 additions and 122 deletions
  1. 26 114
      web/login/index.php
  2. 3 3
      web/templates/login.html
  3. 7 2
      web/templates/login_1.html
  4. 8 3
      web/templates/login_2.html

+ 26 - 114
web/login/index.php

@@ -2,7 +2,6 @@
 
 define('NO_AUTH_REQUIRED',true);
 
-
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
@@ -13,6 +12,8 @@ if (isset($_GET['logout'])) {
     session_destroy();
 }
 
+
+
 // Login as someone else
 if (isset($_SESSION['user'])) {
     if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
@@ -32,7 +33,7 @@ if (isset($_SESSION['user'])) {
     exit;
 }
 
-if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa'])){
+function authenticate_user(){
     if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
     $v_user = escapeshellarg($_POST['user']);
     $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
@@ -40,16 +41,17 @@ if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa
         if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
             $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']);
         }
-    }
-
-    // Get user's salt
+    } 
+     // Get user's salt
     $output = '';
     exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
     $pam = json_decode(implode('', $output), true);
     if ( $return_var > 0 ) {
-        sleep(5);
-        unset($_POST['password'], $_POST['user']);
+        sleep(2);
+        unset($_POST['password']);
+        unset($_POST['user']);
         $error = "<a class=\"error\">".__('Invalid username or password')."</a>";
+        return $error;
         } else {
             $user = $_POST['user'];
             $password = $_POST['password'];
@@ -82,9 +84,10 @@ if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa
 
             // Check API answer
             if ( $return_var > 0 ) {
-                sleep(5);
+                sleep(2);
                 unset($_POST['password']);
-                $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
+                $error = "<a class=\"error\">".__('Invalid username or password')."</a>";
+                return $error;
             } else {
 
                 // Make root admin user
@@ -96,13 +99,18 @@ if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa
 
                 // Check if 2FA is active
                 if ($data[$_POST['user']]['TWOFA'] != '') {
-                    $v_twofa = $_POST['twofa'];
-                    exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
+                   if (empty($_POST['twofa'])){
+                       return false;
+                   }else{
+                        $v_twofa = $_POST['twofa'];
+                        exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
                         unset($output);
                         if ( $return_var > 0 ) {
-                            sleep(1);
-                            $ERROR = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>";
+                            sleep(2);
+                            $error = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>";
+                            return $error;
                         }
+                   }
                 }
                 // Define session user
                 $_SESSION['user'] = key($data);
@@ -136,109 +144,14 @@ if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa
                 }
             }
         }
-    }    
-} else if (!empty($_POST['user']) && !empty($_POST['password'])) {
-    if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
-    $v_user = escapeshellarg($_POST['user']);
-    $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
-    if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
-        if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
-            $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']);
-        }
     }
-
-    // Get user's salt
-    $output = '';
-    exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
-    $pam = json_decode(implode('', $output), true);
-    if ( $return_var > 0 ) {
-        sleep(5);
-        unset($_POST['password'], $_POST['user']);
-        $error = "<a class=\"error\">".__('Invalid username or password')."</a>";
-        } else {
-            $user = $_POST['user'];
-            $password = $_POST['password'];
-            $salt = $pam[$user]['SALT'];
-            $method = $pam[$user]['METHOD'];
-
-            if ($method == 'md5' ) {
-                $hash = crypt($password, '$1$'.$salt.'$');
-            }
-            if ($method == 'sha-512' ) {
-                $hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
-                $hash = str_replace('$rounds=5000','',$hash);
-            }
-            if ($method == 'des' ) {
-                $hash = crypt($password, $salt);
-            }
-
-            // Send hash via tmp file
-            $v_hash = exec('mktemp -p /tmp');
-            $fp = fopen($v_hash, "w");
-            fwrite($fp, $hash."\n");
-            fclose($fp);
-
-            // Check user hash
-            exec(HESTIA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip,  $output, $return_var);
-            unset($output);
-
-            // Remove tmp file
-            unlink($v_hash);
-
-            // Check API answer
-            if ( $return_var > 0 ) {
-                sleep(5);
-                unset($_POST['password']);
-                $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
-            } else {
-
-                // Make root admin user
-                if ($_POST['user'] == 'root') $v_user = 'admin';
-
-                // Get user speciefic parameters
-                exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
-                $data = json_decode(implode('', $output), true);
-
-                // Check if 2FA is active
-                if ($data[$_POST['user']]['TWOFA'] == '') {
-                    // Define session user
-                    $_SESSION['user'] = key($data);
-                    $v_user = $_SESSION['user'];
-    
-                    // Define language
-                    $output = '';
-                    exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);
-                    $languages = json_decode(implode('', $output), true);
-                    if (in_array($data[$v_user]['LANGUAGE'], $languages)){
-                        $_SESSION['language'] = $data[$v_user]['LANGUAGE'];
-                    } else {
-                        $_SESSION['language'] = 'en';
-                    }
-    
-                    // Regenerate session id to prevent session fixation
-                    session_regenerate_id();
-    
-                    // Redirect request to control panel interface
-                    if (!empty($_SESSION['request_uri'])) {
-                        header("Location: ".$_SESSION['request_uri']);
-                        unset($_SESSION['request_uri']);
-                        exit;
-                    } else {
-                        if ($v_user == 'admin') {
-                            header("Location: /list/user/");
-                        } else {
-                            header("Location: /list/web/");
-                        }
-                        exit;
-                    }
-                }
-            }
-        }
-    }    
 }
 
-
-
+if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa'])){
+    $error = authenticate_user(); 
+} else if (!empty($_POST['user']) && !empty($_POST['password'])) {
+    $error = authenticate_user();    
+}
 // Check system configuration
 load_hestia_config();
 
@@ -262,7 +175,6 @@ if (empty($_SESSION['language'])) {
 
 // Generate CSRF token
 $_SESSION['token'] = md5(uniqid(mt_rand(), true));
-
 require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
 require_once('../templates/header.html');
 if (empty($_POST['user'])) {
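Review bot: The 2FA token is still handed to the shell unescaped in the new `else` branch: `$v_twofa = $_POST['twofa'];` feeds `exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);` while `$v_user` and `$v_ip` are wrapped in `escapeshellarg()`, so the POST field should get the same treatment: `$v_twofa = escapeshellarg($_POST['twofa']);`. The function also returns `false` when the token field is empty, an HTML string on every other failure, and nothing at all when the `$_POST['token'] == $_SESSION['token']` check fails, so `authenticate_user()` needs a docblock stating `@return string|false|null` and what each value means to the caller. The two call sites at the bottom run the identical statement, so the `else if` can collapse into one `if (!empty($_POST['user']) && !empty($_POST['password'])) { $error = authenticate_user(); }`. The body of `authenticate_user()` spans several hunks and is only partly visible here.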

+ 3 - 3
web/templates/login.html

@@ -18,7 +18,7 @@
                                         </tr>
                                         <tr>
                                             <td style="padding: 12px 0 5px 2px;">
-                                                <?php print __('Please login with your username');?>
+                                                <?php print __('Username');?>
                                             </td>
                                         </tr>
                                         <tr>
@@ -42,7 +42,7 @@
                         <tr>
                             <td colspan=2>
                                 <div class="login-bottom">
-                                    <div style="height:20px"><?php if (isset($ERROR)) echo $ERROR ?></div>
+                                    <div style="height:20px"><?php if (isset($error)) echo $error ?></div>
                                 </div>
                             </td>
                         </tr>
@@ -52,4 +52,4 @@
         </center>
 
     </body>
-</html>
+</html>

+ 7 - 2
web/templates/login_1.html

@@ -19,8 +19,13 @@
                                             </td>
                                         </tr>
                                         <tr>
-                                            <td style="padding: 12px 0 5px 2px;">
-                                                <?php print __('Please enter your Password');?>
+                                           <td style="padding: 12px 0 0 2px;">
+                                                <?php print __('Password');?>
+                                                <div style="padding:0 6px 0px 14px; float:right;">
+                                                    <a tabindex="5" class="vst-advanced" href="/reset/">
+                                                        <?php print __('forgot password');?>
+                                                    </a>
+                                                </div>
                                             </td>
                                         </tr>
                                         <tr>
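Review bot: The new forgot-password link carries inline layout styling (`padding:0 6px 0px 14px; float:right;`) that the login_2.html hunk duplicates verbatim for the forgot-token link; moving it to a shared class in the stylesheet would keep the two templates in step. The hard-coded `tabindex="5"` on both anchors imposes a positive tab order that must be kept consistent with the surrounding inputs by hand, so either a short comment naming the element it is meant to follow, or leaving the anchor in natural tab order, would help the next editor. These cells sit inside a table that opens and closes outside the hunk.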

+ 8 - 3
web/templates/login_2.html

@@ -18,9 +18,14 @@
                                                 <?php print __('Welcome to Hestia Control Panel');?>
                                             </td>
                                         </tr>
-                                        <tr>
-                                            <td style="padding: 12px 0 5px 2px;">
-                                                <?php print __('Please enter your 2FA token');?>
+                                        <tr class="twofa">
+                                            <td style="padding-top: 12px; padding-left:2px;">
+                                                <?php print __('2FA Token');?>
+                                                <div style="padding:0 6px 0px 14px; float:right;">
+                                                    <a tabindex="5" class="vst-advanced" href="/reset2fa/">
+                                                        <?php print __('Forgot token');?>
+                                                    </a>
+                                                </div>
                                             </td>
                                         </tr>
                                         <tr>