From b2a74c2a17eb3b0a16ca9704bffc2ea1ced14649 Mon Sep 17 00:00:00 2001 From: Troy Grunt Date: Sun, 1 Feb 2026 22:40:30 +0100 Subject: [PATCH] =?UTF-8?q?F=C3=BCge=20Funktionen=20zur=20Verwaltung=20von?= =?UTF-8?q?=20fehlgeschlagenen=20Anmeldeversuchen=20hinzu=20und=20integrie?= =?UTF-8?q?re=20IP-Sperre?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- www/_func.php | 70 ++++++++++++++ www/_sql.php | 2 + www/admin.php | 236 +++++++++++++++++++++++++++++++++++++++++++++++ www/card.php | 1 + www/download.php | 1 + 5 files changed, 310 insertions(+) create mode 100644 www/_func.php create mode 100644 www/admin.php diff --git a/www/_func.php b/www/_func.php new file mode 100644 index 0000000..eeee87a --- /dev/null +++ b/www/_func.php @@ -0,0 +1,70 @@ +single( + "SELECT id, attempts + FROM admin_login_attempts + WHERE ip_address = ?", + "s", + [$ip] + ); + + if (!$entry) { + // Erster Fehlversuch + $sql->set( + "INSERT INTO admin_login_attempts (ip_address, attempts, last_attempt) + VALUES (?, 1, NOW())", + "s", + [$ip] + ); + return; + } + + $attempts = (int)$entry['attempts'] + 1; + + if ($attempts >= 3) { + $sql->set( + "UPDATE admin_login_attempts + SET attempts = ?, + locked_until = DATE_ADD(NOW(), INTERVAL 1 HOUR), + last_attempt = NOW() + WHERE id = ?", + "ii", + [$attempts, $entry['id']] + ); + } else { + $sql->set( + "UPDATE admin_login_attempts + SET attempts = ?, + last_attempt = NOW() + WHERE id = ?", + "ii", + [$attempts, $entry['id']] + ); + } +} +function isIpLocked(string $ip, $sql): bool { + global $sql; + $entry = $sql->single( + "SELECT locked_until + FROM admin_login_attempts + WHERE ip_address = ? + AND locked_until IS NOT NULL + AND locked_until > NOW()", + "s", + [$ip] + ); + + return (bool)$entry; +} +function clearLoginAttempts(string $ip, $sql): void { + global $sql; + $sql->set( + "DELETE FROM admin_login_attempts WHERE ip_address = ?", + "s", + [$ip] + ); +} + + +?> \ No newline at end of file 
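Review bot: `isIpLocked` and `clearLoginAttempts` declare `global $sql;` right after accepting `$sql` as a parameter, which rebinds the local to the global and silently discards the instance the caller passed in (registerFailedLogin's signature is lost in extraction at the top of the hunk, but its body uses `$sql` the same way); drop the `global $sql;` lines and keep the injected parameter, typed as `SQL $sql`, so the dependency is explicit. The counter in registerFailedLogin is a read-modify-write — `SELECT id, attempts` followed by `UPDATE ... SET attempts = ?` — so concurrent failures from one address can undercount and delay the lock; `SET attempts = attempts + 1` in the UPDATE keeps it atomic. `attempts` is never reset once `locked_until` has passed, so a single further failure re-locks the address for another hour; if that is intended, say so in a comment on the `>= 3` branch, otherwise reset the count when the lock has expired. The file also ends with `?>` and no trailing newline; omit the closing tag in a PHP-only file.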
diff --git a/www/_sql.php b/www/_sql.php index 474060f..16c5c8b 100644 --- a/www/_sql.php +++ b/www/_sql.php @@ -171,4 +171,6 @@ class SQL { // echo 'DESTROY'; } } + +$sql = new SQL(); ?> \ No newline at end of file diff --git a/www/admin.php b/www/admin.php new file mode 100644 index 0000000..57386ea --- /dev/null +++ b/www/admin.php @@ -0,0 +1,236 @@ + true, + 'cookie_httponly' => true +]); + +$ip = $_SERVER['REMOTE_ADDR']; + +/** + * 🔒 IP-Sperre prüfen + */ +if (isIpLocked($ip, $sql)) { + http_response_code(403); + exit('Zu viele Fehlversuche. IP für 1 Stunde gesperrt.'); +} + +/** + * 🔐 LOGIN (wenn nicht eingeloggt) + */ +if (!($_SESSION['is_admin'] ?? false)) { + + if ($_SERVER['REQUEST_METHOD'] === 'POST') { + $user = $_POST['username'] ?? ''; + $pass = $_POST['password'] ?? ''; + + $admin = $sql->single( + "SELECT * FROM admin_users WHERE username = ?", + "s", + [$user] + ); + + if (!$admin || !password_verify($pass, $admin['password_hash'])) { + registerFailedLogin($ip, $sql); + $error = 'Ungültige Zugangsdaten'; + } else { + clearLoginAttempts($ip, $sql); + $_SESSION['is_admin'] = true; + $_SESSION['admin_id'] = $admin['id']; + header('Location: admin.php'); + exit; + } + } + + // 🔑 Login-Formular + ?> + + + + + Admin Login + + + +
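Review bot: `$sql = new SQL();` at file scope turns `_sql.php` from a pure class declaration into a file with an include-time side effect (presumably a connection is opened in the constructor, which is outside the hunk), which PSR-1 discourages and which is what forces the `global $sql` pattern elsewhere in this patch. Consider instantiating it in the bootstrap that includes `_sql.php` and passing the instance explicitly, as admin.php already does. The hunk also keeps the closing `?>` with no trailing newline; in a PHP-only file the closing tag is best omitted so stray whitespace cannot be emitted before headers are sent. The `SQL` class itself begins outside the hunk.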
+

Admin Login

+ + + + +
+ +
+ + + single( + "SELECT * FROM access_tokens WHERE uuid = ?", + "s", + [$uuid] + ); + + /** + * 🆕 UUID existiert noch nicht → an feste Identität hängen + */ + if (!$token) { + $sql->set( + "INSERT INTO access_tokens (identity_id, uuid) + VALUES (1, ?)", + "s", + [$uuid] + ); + + $token = $sql->single( + "SELECT * FROM access_tokens WHERE uuid = ?", + "s", + [$uuid] + ); + } + + /** + * 🔄 Speichern + */ + if ($_SERVER['REQUEST_METHOD'] === 'POST') { + $issuedTo = $_POST['issued_to'] ?? ''; + $fields = $_POST['fields'] ?? []; + + // Notiz speichern + $sql->set( + "UPDATE access_tokens SET notes = ? WHERE id = ?", + "si", + [$issuedTo, $token['id']] + ); + + // Rechte neu setzen + $sql->set( + "DELETE FROM token_permissions WHERE token_id = ?", + "i", + [$token['id']] + ); + + foreach ($fields as $key) { + $sql->set( + "INSERT INTO token_permissions (token_id, field_key) + VALUES (?, ?)", + "is", + [$token['id'], $key] + ); + } + + $saved = true; + } + + // Alle Felder der Identität + $allFields = $sql->get( + "SELECT DISTINCT field_key FROM identity_fields WHERE identity_id = ?", + "i", + [$token['identity_id']] + ); + + // Aktive Rechte + $allowed = $sql->get( + "SELECT field_key FROM token_permissions WHERE token_id = ?", + "i", + [$token['id']] + ); + + $allowedKeys = array_column($allowed, 'field_key'); + ?> + + + + + UUID bearbeiten + + +

UUID verwalten

+

+ + Gespeichert ✔

'; ?> + +
+

Sichtbare Informationen

+ + +
+ + +

Ausgegeben an

+ + +

+ +
+ +

← Zurück

+ + + get("SELECT * FROM identities ORDER BY id DESC"); +$tokens = $sql->get("SELECT * FROM access_tokens ORDER BY created_at DESC"); + +?> + + + + + Admin Dashboard + + +

Admin Dashboard

+ +

Identitäten

+ + +

UUIDs

+ + +

Logout

+ + diff --git a/www/card.php b/www/card.php index 1b651bc..8bbd78f 100644 --- a/www/card.php +++ b/www/card.php @@ -1,5 +1,6 @@
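Review bot: The successful-login branch sets `$_SESSION['is_admin'] = true;` without rotating the session id, so an id planted before login keeps its privileges afterwards (session fixation); add `session_regenerate_id(true);` as the first statement of that `else` branch, right after `clearLoginAttempts($ip, $sql);`. The state-changing POST handlers (login and the token save that rewrites `token_permissions`) carry no CSRF token, and the cookie options array ending at `]);` sets only the secure/httponly flags, so at minimum add `'cookie_samesite' => 'Lax'` to it. In the save handler `$fields` comes from `$_POST['fields'] ?? []` and is inserted as-is; check `is_array($fields)` and intersect it with the `field_key` values in `$allFields` before the INSERT loop so only keys the identity actually has can be granted. `$ip = $_SERVER['REMOTE_ADDR'];` is the lock key, which behind a reverse proxy is the proxy's address and would lock out every user at once — worth a comment at that line. Parts of this hunk (the opening `<?php` block, the logout handling and the HTML) appear garbled in extraction, so these points are limited to the visible statements.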