From 59d16d1daa1748a056efc2317510fd3d541b7144 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY <perl@shiar.org>
Date: Mon, 10 Jul 2017 06:49:41 +0200
Subject: [PATCH] login: emulate apache authentication to check admin login

Send 401 response until user validates as admin (replacing ip whitelisting).
Assume all users except for generic 'lid' are allowed.
---
 auth.inc.php | 46 ++++++++++++++++++++++++++++++++++++----------
 foot.inc.php |  4 +++-
 login.php    | 18 ++++++++++++++++++
 3 files changed, 57 insertions(+), 11 deletions(-)
 create mode 100644 login.php

diff --git a/auth.inc.php b/auth.inc.php
index 1a72379..6a5d1d2 100755
--- a/auth.inc.php
+++ b/auth.inc.php
@@ -1,12 +1,38 @@
 <?php
-$ALLOWED = [
-	'127.0.0.1',
-	'192.168.178.0/24',
-	'94.208.83.16', # arie.ziggo
-	'83.161.198.138', # shiar.demon
-	'145.131.141.219', # shiar@1m
-];
-
-$editable = in_array($_SERVER['REMOTE_ADDR'], $ALLOWED) ?
-	$_SERVER['REMOTE_ADDR'] : FALSE;
+global $User, $editable;
+$User = FALSE;
+
+function Auth() {
+	if (isset($_SERVER['PHP_AUTH_USER'])) {
+		$authinfo = [ $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ];
+	}
+	elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+		// cgi compatibility
+		$authinfo = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
+	}
+	else {
+		return;
+	}
+
+	$pwdata = file_get_contents(__DIR__.'/.htpasswd');
+	$pwlist = [];
+	foreach (explode("\n", $pwdata) as $line) {
+		if (!$line) continue;
+		list ($username, $pass) = explode(':', $line);
+		$pwlist[$username] = $pass;
+	}
+
+	list ($authname, $authpass) = $authinfo;
+	$usertest = $pwlist[ strtolower($authname) ];
+	if (!$usertest) return;
+
+	$salt = substr($usertest, 0, 2);
+	if (crypt($authpass, $salt) != $usertest) return;
+
+	$GLOBALS['User'] = $authname;
+}
+
+Auth();
+
+$editable = !empty($User) && $User != 'lid';
 
diff --git a/foot.inc.php b/foot.inc.php
index 586d6a8..229cae8 100755
--- a/foot.inc.php
+++ b/foot.inc.php
@@ -3,6 +3,8 @@
 <?php
 define('N', "\n");
 
+include 'auth.inc.php';
+
 $curfile = ltrim($_SERVER['SCRIPT_NAME'], '/');
 if (is_executable(__DIR__ . '/' . $curfile)) {
 	// dynamic code is +x
@@ -26,7 +28,7 @@ EOT;
 	}
 
 	echo '<p class="footer">'.N;
-	echo "Beheer toegestaan voor $editable:".N;
+	echo "Beheer toegestaan voor $User:".N;
 	printf('<a href="?%s">%s</a>'.N,
 		$edit ? '' : 'edit',
 		$edit ? 'lezen' : ($notfound ? 'aanmaken' : 'aanpassen')
diff --git a/login.php b/login.php
new file mode 100644
index 0000000..35dc55e
--- /dev/null
+++ b/login.php
@@ -0,0 +1,18 @@
+<?php
+require 'auth.inc.php';
+
+if ($editable) {
+	http_response_code(307);
+	header('Location: /');
+	exit;
+}
+
+header('WWW-Authenticate: Basic realm=""');
+http_response_code(401);
+
+// fallback page shown on authentication failure
+include 'head.inc.php';
+?>
+<h2>Inloggen mislukt</h2>
+<p>Geen geldige login voor sitebeheer.</p>
+
-- 
2.30.0