Replace all authentication code with a function that does the auth for us

Makes things a little tidier and easier to change in the future, a custom message can be passed to authenticateUser() and this is output if the authentication fails.

Added protection around Include and Exclude species pages as these still accessible & data can still be written to include and exclude species.txt even with a password.
This commit is contained in:
jaredb7
2023-05-13 01:07:19 +10:00
parent 66863f2e6b
commit a80d39d7b6
7 changed files with 66 additions and 202 deletions
+4 -18
View File
@@ -29,28 +29,14 @@ echo "<a href=\"https://github.com/mcguirepr89/BirdNET-Pi.git\" target=\"_blank\
<div class="stream"> <div class="stream">
<?php <?php
if(isset($_GET['stream'])){ if(isset($_GET['stream'])){
$caddypwd = $config['CADDY_PWD']; $user_is_authenticated = authenticateUser('You cannot listen to the live audio stream');
if (!isset($_SERVER['PHP_AUTH_USER'])) { if ($user_is_authenticated) {
header('WWW-Authenticate: Basic realm="My Realm"'); echo "
header('HTTP/1.0 401 Unauthorized');
echo 'You cannot listen to the live audio stream';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd == $caddypwd && $submitteduser == 'birdnet'){
echo "
<audio controls autoplay><source src=\"/stream\"></audio> <audio controls autoplay><source src=\"/stream\"></audio>
</div> </div>
<h1><a href=\"/\"><img class=\"topimage\" src=\"images/bnp.png\"></a></h1> <h1><a href=\"/\"><img class=\"topimage\" src=\"images/bnp.png\"></a></h1>
</div><div class=\"centered\"><h3>$site_name</h3></div>"; </div><div class=\"centered\"><h3>$site_name</h3></div>";
} else { }
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You cannot listen to the live audio stream';
exit;
}
}
} else { } else {
echo " echo "
<form action=\"\" method=\"GET\"> <form action=\"\" method=\"GET\">
+21 -56
View File
@@ -118,20 +118,11 @@ if(isset($_GET['view'])){
if($_GET['view'] == "Streamlit"){echo "<iframe src=\"/stats\"></iframe>";} if($_GET['view'] == "Streamlit"){echo "<iframe src=\"/stats\"></iframe>";}
if($_GET['view'] == "Daily Charts"){include('history.php');} if($_GET['view'] == "Daily Charts"){include('history.php');}
if($_GET['view'] == "Tools"){ if($_GET['view'] == "Tools"){
parseConfig();
//Authenticate before proceeding //Authenticate before proceeding
$caddypwd = $config['CADDY_PWD']; $user_is_authenticated = authenticateUser();
if (!isset($_SERVER['PHP_AUTH_USER'])) { if ($user_is_authenticated) {
header('WWW-Authenticate: Basic realm="My Realm"'); $url = $_SERVER['SERVER_NAME'] . "/scripts/adminer.php";
header('HTTP/1.0 401 Unauthorized'); echo "<div class=\"centered\">
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd == $caddypwd && $submitteduser == 'birdnet'){
$url = $_SERVER['SERVER_NAME']."/scripts/adminer.php";
echo "<div class=\"centered\">
<form action=\"\" method=\"GET\" id=\"views\"> <form action=\"\" method=\"GET\" id=\"views\">
<button type=\"submit\" name=\"view\" value=\"Settings\" form=\"views\">Settings</button> <button type=\"submit\" name=\"view\" value=\"Settings\" form=\"views\">Settings</button>
<button type=\"submit\" name=\"view\" value=\"System Info\" form=\"views\">System Info</button> <button type=\"submit\" name=\"view\" value=\"System Info\" form=\"views\">System Info</button>
@@ -144,19 +135,14 @@ if(isset($_GET['view'])){
<button type=\"submit\" name=\"view\" value=\"Excluded\" form=\"views\">Excluded Species List</button> <button type=\"submit\" name=\"view\" value=\"Excluded\" form=\"views\">Excluded Species List</button>
</form> </form>
</div>"; </div>";
} else { }
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>';
exit;
}
}
} }
if($_GET['view'] == "Recordings"){include('play.php');} if($_GET['view'] == "Recordings"){include('play.php');}
if($_GET['view'] == "Settings"){include('scripts/config.php');} if($_GET['view'] == "Settings"){include('scripts/config.php');}
if($_GET['view'] == "Advanced"){include('scripts/advanced.php');} if($_GET['view'] == "Advanced"){include('scripts/advanced.php');}
if($_GET['view'] == "Included"){ if($_GET['view'] == "Included"){
if(isset($_GET['species']) && isset($_GET['add'])){ $user_is_authenticated = authenticateUser('You cannot modify the system');
if(isset($_GET['species']) && isset($_GET['add']) && $user_is_authenticated){
$file = getFilePath('include_species_list.txt'); $file = getFilePath('include_species_list.txt');
$str = file_get_contents("$file"); $str = file_get_contents("$file");
$str = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $str); $str = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $str);
@@ -183,7 +169,8 @@ if(isset($_GET['view'])){
include('./scripts/include_list.php'); include('./scripts/include_list.php');
} }
if($_GET['view'] == "Excluded"){ if($_GET['view'] == "Excluded"){
if(isset($_GET['species']) && isset($_GET['add'])){ $user_is_authenticated = authenticateUser('You cannot modify the system');
if(isset($_GET['species']) && isset($_GET['add']) && $user_is_authenticated){
$file = getFilePath('exclude_species_list.txt'); $file = getFilePath('exclude_species_list.txt');
$str = file_get_contents("$file"); $str = file_get_contents("$file");
$str = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $str); $str = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $str);
@@ -211,40 +198,17 @@ if(isset($_GET['view'])){
echo "<iframe src='scripts/filemanager/filemanager.php'></iframe>"; echo "<iframe src='scripts/filemanager/filemanager.php'></iframe>";
} }
if($_GET['view'] == "Webterm"){ if($_GET['view'] == "Webterm"){
parseConfig(); //Authenticate before proceeding
//Authenticate before proceeding $user_is_authenticated = authenticateUser("You cannot access the web terminal");
$caddypwd = $config['CADDY_PWD']; if ($user_is_authenticated) {
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot access the web terminal</td></tr></table>';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd == $caddypwd && $submitteduser == 'birdnet'){
#ACCESS THE WEB TERMINAL #ACCESS THE WEB TERMINAL
echo "<iframe src='/terminal'></iframe>"; echo "<iframe src='/terminal'></iframe>";
} else { }
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot access the web terminal</td></tr></table>';
exit;
}
}
} }
} elseif(isset($_GET['submit'])) { } elseif(isset($_GET['submit'])) {
parseConfig();
//Authenticate before proceeding //Authenticate before proceeding
$caddypwd = $config['CADDY_PWD']; $user_is_authenticated = authenticateUser('You cannot modify the system');
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You cannot access the web terminal';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
$allowedCommands = array('service stop livestream.service && service stop icecast2.service', $allowedCommands = array('service stop livestream.service && service stop icecast2.service',
'service restart livestream.service && service restart icecast2.service', 'service restart livestream.service && service restart icecast2.service',
'service disable livestream.service && service disable icecast2 && service stop icecast2.service', 'service disable livestream.service && service disable icecast2 && service stop icecast2.service',
@@ -292,7 +256,7 @@ if(isset($_GET['view'])){
'sudo shutdown now', 'sudo shutdown now',
'sudo clear_all_data.sh'); 'sudo clear_all_data.sh');
$command = $_GET['submit']; $command = $_GET['submit'];
if($submittedpwd == $caddypwd && $submitteduser == 'birdnet' && in_array($command,$allowedCommands)){ if($user_is_authenticated && in_array($command,$allowedCommands)){
if(isset($command)){ if(isset($command)){
$initcommand = $command; $initcommand = $command;
$results = ""; $results = "";
@@ -383,15 +347,16 @@ if(isset($_GET['view'])){
} }
echo "<table style='min-width:70%;'><tr class='relative'><th>Output of command:`".$initcommand."`<button class='copyimage' style='right:40px' onclick='copyOutput(this);'>Copy</button></th></tr><tr><td style='padding-left: 0px;padding-right: 0px;padding-bottom: 0px;padding-top: 0px;'><pre class='bash' style='text-align:left;margin:0px'>$results</pre></td></tr></table>"; echo "<table style='min-width:70%;'><tr class='relative'><th>Output of command:`".$initcommand."`<button class='copyimage' style='right:40px' onclick='copyOutput(this);'>Copy</button></th></tr><tr><td style='padding-left: 0px;padding-right: 0px;padding-bottom: 0px;padding-top: 0px;'><pre class='bash' style='text-align:left;margin:0px'>$results</pre></td></tr></table>";
} else { } else {
header('WWW-Authenticate: Basic realm="My Realm"'); header('WWW-Authenticate: Basic realm="BirdNET-Pi"');
header('HTTP/1.0 401 Unauthorized'); header('HTTP/1.0 401 Unauthorized');
echo 'You cannot access the web terminal'; echo 'You cannot modify the system';
exit; exit;
} }
} }
}
ob_end_flush(); ob_end_flush();
} else {include('overview.php');} } else {
include('overview.php');
}
?> ?>
<script> <script>
function myFunction() { function myFunction() {
+2 -16
View File
@@ -5,22 +5,8 @@ if(file_exists('./scripts/common.php')){
include_once "./common.php"; include_once "./common.php";
} }
$caddypwd = $config['CADDY_PWD']; //Authenticate before going any further
if (!isset($_SERVER['PHP_AUTH_USER'])) { authenticateUser('You cannot edit the settings for this installation');
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd !== $caddypwd || $submitteduser !== 'birdnet'){
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>';
exit;
}
}
if(isset($_GET['submit'])) { if(isset($_GET['submit'])) {
if(isset($_GET["ice_pwd"])) { if(isset($_GET["ice_pwd"])) {
+11 -8
View File
@@ -1714,12 +1714,13 @@ function userIsAuthenticated()
} }
/** /**
* When called authenticates the user using the built in PHP_AUTH * When called, authenticates the user using the built-in PHP_AUTH. This is the orignial authentication code just wrapped in a function
* This will automatically * This will automatically terminate the script if authentication fails
* *
* @return void * @param $rejection_message string Message to return to the user if authentication fails
* @return bool
*/ */
function authenticateUser() function authenticateUser($rejection_message = "You cannot edit the settings for this installation")
{ {
global $config, $USER_AUTHENTICATED; global $config, $USER_AUTHENTICATED;
parseConfig(); parseConfig();
@@ -1727,9 +1728,9 @@ function authenticateUser()
$caddypwd = $config['CADDY_PWD']; $caddypwd = $config['CADDY_PWD'];
if (!isset($_SERVER['PHP_AUTH_USER'])) { if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"'); header('WWW-Authenticate: Basic realm="BirdNET-Pi"');
header('HTTP/1.0 401 Unauthorized'); header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>'; echo '<table><tr><td>' . $rejection_message . '</td></tr></table>';
exit; exit;
} else { } else {
//Read the supplied details //Read the supplied details
@@ -1737,14 +1738,16 @@ function authenticateUser()
$submitteduser = $_SERVER['PHP_AUTH_USER']; $submitteduser = $_SERVER['PHP_AUTH_USER'];
// //
if ($submittedpwd !== $caddypwd || $submitteduser !== 'birdnet') { if ($submittedpwd !== $caddypwd || $submitteduser !== 'birdnet') {
header('WWW-Authenticate: Basic realm="My Realm"'); header('WWW-Authenticate: Basic realm="BirdNET-Pi"');
header('HTTP/1.0 401 Unauthorized'); header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>'; echo '<table><tr><td>' . $rejection_message . '</td></tr></table>';
exit; exit;
} else { } else {
$USER_AUTHENTICATED = true; $USER_AUTHENTICATED = true;
} }
} }
return $USER_AUTHENTICATED;
} }
/** /**
+1 -16
View File
@@ -9,22 +9,7 @@ if (file_exists('./scripts/common.php')) {
parseConfig(); parseConfig();
//Authenticate first before allowing further execution //Authenticate first before allowing further execution
$caddypwd = $config['CADDY_PWD']; authenticateUser();
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd !== $caddypwd || $submitteduser !== 'birdnet'){
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot edit the settings for this installation</td></tr></table>';
exit;
}
}
//Authenticated //Authenticated
//Read in the apprise config //Read in the apprise config
+6 -21
View File
@@ -31,28 +31,13 @@ if(isset($_GET['custom_image'])){
} }
if(isset($_GET['blacklistimage'])) { if(isset($_GET['blacklistimage'])) {
if(isset($_SERVER['PHP_AUTH_USER'])) { $user_is_authenticated = authenticateUser('You cannot modify the system');
$submittedpwd = $_SERVER['PHP_AUTH_PW']; if($user_is_authenticated){
$submitteduser = $_SERVER['PHP_AUTH_USER']; $imageid = $_GET['blacklistimage'];
if($submittedpwd == $config['CADDY_PWD'] && $submitteduser == 'birdnet'){ $result = blacklistFlickrImage($imageid);
unset($_SESSION['images']);
$imageid = $_GET['blacklistimage']; die($result['message']);
$result = blacklistFlickrImage($imageid);
unset($_SESSION['images']);
die($result['message']);
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated.';
exit;
} }
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated.';
exit;
}
} }
if(isset($_GET['fetch_chart_string']) && $_GET['fetch_chart_string'] == "true") { if(isset($_GET['fetch_chart_string']) && $_GET['fetch_chart_string'] == "true") {
+21 -67
View File
@@ -6,86 +6,40 @@ if(file_exists('./scripts/common.php')){
} }
if(isset($_GET['deletefile'])) { if(isset($_GET['deletefile'])) {
if(isset($_SERVER['PHP_AUTH_USER'])) { $user_is_authenticated = authenticateUser('You must be authenticated to change the protection of files.');
$submittedpwd = $_SERVER['PHP_AUTH_PW']; if ($user_is_authenticated) {
$submitteduser = $_SERVER['PHP_AUTH_USER']; $filename_to_delete = $_GET['deletefile'];
if($submittedpwd == $config['CADDY_PWD'] && $submitteduser == 'birdnet'){ $message = deleteDetection($filename_to_delete)['message'];
echo $message;
$filename_to_delete = $_GET['deletefile']; die();
$message = deleteDetection($filename_to_delete)['message']; }
echo $message;
die();
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
} }
if(isset($_GET['excludefile'])) { if(isset($_GET['excludefile'])) {
if(isset($_SERVER['PHP_AUTH_USER'])) { $user_is_authenticated = authenticateUser('You must be authenticated to change the protection of files.');
$submittedpwd = $_SERVER['PHP_AUTH_PW']; if ($user_is_authenticated) {
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd == $config['CADDY_PWD'] && $submitteduser == 'birdnet'){
if(isset($_GET['exclude_add'])) { if (isset($_GET['exclude_add'])) {
$response_data = protectDetectionFromDeletion('protect', $_GET['excludefile']); $response_data = protectDetectionFromDeletion('protect', $_GET['excludefile']);
echo $response_data['message']; echo $response_data['message'];
die(); die();
} else { } else {
$response_data = protectDetectionFromDeletion('unprotect', $_GET['excludefile']); $response_data = protectDetectionFromDeletion('unprotect', $_GET['excludefile']);
echo $response_data['message']; echo $response_data['message'];
die(); die();
} }
} else { }
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
} }
$shifted_path = getDirectory('shifted_dir'); $shifted_path = getDirectory('shifted_dir');
if(isset($_GET['shiftfile'])) { if(isset($_GET['shiftfile'])) {
//Parse the ini files
parseConfig();
//Authenticate before going any further //Authenticate before going any further
$caddypwd = $config['CADDY_PWD']; authenticateUser('You cannot shift files for this installation');
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot shift files for this installation</td></tr></table>';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd !== $caddypwd || $submitteduser !== 'birdnet'){
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot shift files for this installation<</td></tr></table>';
exit;
}
}
//Authenticated //Authenticated if we get this far
$filename = $_GET['shiftfile']; $filename = $_GET['shiftfile'];
$doShift = null; $doShift = null;
if (isset($_GET['doshift'])) { if (isset($_GET['doshift'])) {