PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix 403 on HTMX fragment requests: AdminAuth Basic Auth sets session key

Browse Source
This commit is contained in:
Pontoporeia
2026-05-04 18:33:27 +02:00
parent 37111eaac4
commit 125c501f40
2 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
TODO.md
View File

@@ -52,6 +52,10 @@
- [x] `admin/account.php` — admin password `confirm()` kept with `TODO` comment - [x] `admin/account.php` — admin password `confirm()` kept with `TODO` comment
- [x] `admin.css` — added `.admin-dialog--sm`, `.admin-dialog__alert`, `.admin-dialog__footer` styles - [x] `admin.css` — added `.admin-dialog--sm`, `.admin-dialog__alert`, `.admin-dialog__footer` styles
## Fix 403 on HTMX tab requests in parametres.php
- [x] `AdminAuth::requireLogin()` — now sets `$_SESSION[SESSION_KEY]` when accepting nginx Basic Auth credentials (was returning early without marking the session)
- [x] `AdminAuth::isAuthenticated()` — now falls back to `PHP_AUTH_PW` verification (same logic as `requireLogin`) so HTMX requests to `system-fragment.php` authenticate even before a session exists
## Duplicate warning display fixes ## Duplicate warning display fixes
- [x] `toast-fragment.php` — 204 guard now also checks `warning`; warning was silently discarded before - [x] `toast-fragment.php` — 204 guard now also checks `warning`; warning was silently discarded before
- [x] `partage/index.php` — warning stored as plain text (no pre-escaping); `htmlspecialchars()` applied once at render; was double-encoded before - [x] `partage/index.php` — warning stored as plain text (no pre-escaping); `htmlspecialchars()` applied once at render; was double-encoded before

12
app/src/AdminAuth.php
View File

@@ -78,6 +78,7 @@ class AdminAuth
} }
// Try to auto-authenticate from the nginx Basic Auth credentials. // Try to auto-authenticate from the nginx Basic Auth credentials.
if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) { if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
$_SESSION[self::SESSION_KEY] = true;
return; return;
} }
header('Location: ' . self::LOGIN_URL); header('Location: ' . self::LOGIN_URL);
@@ -141,7 +142,16 @@ class AdminAuth
if ($storedHash === null) { if ($storedHash === null) {
return true; // No password configured → dev mode. return true; // No password configured → dev mode.
} }
return !empty($_SESSION[self::SESSION_KEY]); if (!empty($_SESSION[self::SESSION_KEY])) {
return true;
}
// Also accept nginx Basic Auth credentials directly (e.g. HTMX fragment
// requests that arrive before a PHP session has been established).
if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
$_SESSION[self::SESSION_KEY] = true;
return true;
}
return false;
} }
/** /**