Handle basic HTTP auth using PHP instead of using webserver configuration = better...

diff --git a/wwwroot/config/config_default.inc b/wwwroot/config/config_default.inc
index d74c993c988cbe79dcc42b0b5e969f05dd629fe7..aa21caffe97aa8a56262f7903618f2538e2814cf 100644 (file)
--- a/wwwroot/config/config_default.inc
+++ b/wwwroot/config/config_default.inc
@@ -15,6 +15,14 @@ define('CONFIG_DIR',         SYSTEM_ROOT . 'config/');
 define('AJAX_DIR',             SYSTEM_ROOT . 'wwwroot/ajax/');
 define('INCLUDE_DIR',          SYSTEM_ROOT . 'wwwroot/inc/');
 
+/*
+//Uncomment this to enable Basic HTTP Auth:
+$realm = 'kyberia'; //This is used by browser to identify protected area and saving passwords (one_site+one_realm==one_user+one_password)
+$users = array( //You can specify multiple users in this array
+  'kyberia' => 'passw'
+);
+*/
+
 define('SMARTY_DIR',           SYSTEM_ROOT . 'wwwroot/smarty/libs/');
 define('SMARTY_PLUGIN_DIR',    SYSTEM_ROOT . 'wwwroot/inc/smarty/node_methodz/');
 define('TEMPLATE_DIR',         SYSTEM_DATA . 'templates/');

diff --git a/wwwroot/inc/http_auth.php b/wwwroot/inc/http_auth.php
new file mode 100644 (file)
index 0000000..18b6c78
--- /dev/null
+++ b/wwwroot/inc/http_auth.php
@@ -0,0 +1,78 @@
+<?php
+//Harvie's PHP HTTP-Auth script (2oo7-2o1o)
+//CopyLefted4U ;)
+///SETTINGS//////////////////////////////////////////////////////////////////////////////////////////////////////
+//Login
+/*$realm = 'music'; //This is used by browser to identify protected area and saving passwords (one_site+one_realm==one_user+one_password)
+$users = array( //You can specify multiple users in this array
+       'music' => 'passw'
+);*/
+//Misc
+$require_login = true; //Require login? (if false, no login needed) - WARNING!!!
+$location = '401'; //Location after logout - 401 = default logout page (can be overridden by ?logout=[LOCATION])
+//CopyLeft
+$ver = '2o1o-3.9';
+$link = '<a href="https://blog.harvie.cz/">blog.harvie.cz</a>';
+$banner = "Harvie's PHP HTTP-Auth script (v$ver)";
+$hbanner = "<hr /><i>$banner\n-\n$link</i>\n";
+$cbanner = "<!-- $banner -->\n";
+//Config file
+@include('./_config.php');
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+//MANUAL/////////////////////////////////////////////////////////////////////////////////////////////////////////
+/* HOWTO
+ * To each file, you want to lock add this line (at begin of first line - Header-safe):
+ * <?php require_once('http_auth.php'); ?> //Password Protection 8')
+ * Protected file have to be php script (if it's html, simply rename it to .php)
+ * Server needs to have PHP as module (not CGI).
+ * You need HTTP Basic auth enabled on server and php.
+ */
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+////CODE/////////////////////////////////////////////////////////////////////////////////////////////////////////
+  function send_auth_headers($realm='') {
+    Header('WWW-Authenticate: Basic realm="'.$realm.'"');
+    Header('HTTP/1.0 401 Unauthorized');
+  }
+  
+  function check_auth($PHP_AUTH_USER, $PHP_AUTH_PW) { //Check if login is succesfull (U can modify this to use DB, or anything else)
+    return (isset($GLOBALS['users'][$PHP_AUTH_USER]) && ($GLOBALS['users'][$PHP_AUTH_USER] == $PHP_AUTH_PW));
+  }
+    
+  function unauth() { //Do this when login fails
+    $cbanner = $GLOBALS['cbanner'];
+    $hbanner = $GLOBALS['hbanner'];
+    die("$cbanner<title>401 - Forbidden</title>\n<h1>401 - Forbidden</h1>\n<a href=\"?\">Login...</a>\n$hbanner"); //Show warning and die
+    die(); //Don't forget!!!
+  }
+
+//Backward compatibility
+if(isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_PW'] != '') $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
+if(isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] != '') $PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW'];
+
+//Logout
+if(isset($_GET['logout'])) { //script.php?logout
+  if(isset($PHP_AUTH_USER) || isset($PHP_AUTH_PW)) {
+    Header('WWW-Authenticate: Basic realm="'.$realm.'"');
+    Header('HTTP/1.0 401 Unauthorized');
+  } else {
+    if($_GET['logout'] != '') $location = $_GET['logout'];
+    if(trim($location) != '401') Header('Location: '.$location);
+    die("$cbanner<title>401 - Log out successfull</title>\n<h1>401 - Log out successfull</h1>\n<a href=\"?\">Continue...</a>\n$hbanner");
+  }
+}
+
+if($require_login) {
+  if(!isset($PHP_AUTH_USER)) { //Storno or first visit of page
+    send_auth_headers($realm);
+    unauth();
+  } else { //Login sent
+    
+    if (check_auth($PHP_AUTH_USER, $PHP_AUTH_PW)) { //Login succesfull - probably do nothing
+    } else { //Bad login
+      send_auth_headers($realm);
+      unauth();
+    }
+    
+  }
+}
+//Rest of file will be displayed only if login is correct

diff --git a/wwwroot/nodes.php b/wwwroot/nodes.php
index 2070296ebbfeee179b92d973b0772de60de20247..9da99532f7f09664c8936eb57cb1ed60c970d8cc 100644 (file)
--- a/wwwroot/nodes.php
+++ b/wwwroot/nodes.php
@@ -1,4 +1,6 @@
 <?php
+require_once('config/config.inc'); //requiring main config file with path/database etc. constants
+if(isset($realm) && isset($users)) require_once(INCLUDE_DIR.'http_auth.php'); //Ask for auth if enabled...
 //echo($_SERVER['PATH_INFO']."\n<pre>"); var_dump(preg_split('/\//', $_SERVER['PATH_INFO'])); die(); //PATH_INFO Debug (usefull when messing with mod_rewrite)
 // output buffering forcing (mx)
 if (!empty($_POST['FORCE_OB']) && $_POST['FORCE_OB'] == 'true') ob_start();
@@ -74,8 +76,6 @@ if(
 if(isset($_GET['node_kid'])) $_GET['node_id'] = base_convert($_GET['node_kid'], 36, 10);
 if(isset($_GET['template_kid'])) $_GET['template_id'] = base_convert($_GET['template_kid'], 36, 10);
 
-//requiring main config file with path/database etc. constants
-require('config/config.inc');
 require(INCLUDE_DIR.'senate.inc');
 
 if (isset($_SERVER['HTTP_REFERER'])) {