From 4e77adce33f89f5cfd23218a1a293d16cdf5d673 Mon Sep 17 00:00:00 2001
From: Joseph Haig <josephhaig@gmail.com>
Date: Sun, 29 May 2016 16:38:43 +0100
Subject: [PATCH] Add simple authentication

---
 README.md                 |  8 ++++
 includes/admin.php        | 78 +++++++++++++++++++++++++++++++++++++++
 includes/authenticate.php | 17 +++++++++
 index.php                 | 14 ++++++-
 raspap.php                | 14 +++++++
 5 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100755 includes/admin.php
 create mode 100644 includes/authenticate.php
 create mode 100644 raspap.php

diff --git a/README.md b/README.md
index c098597d..8e53aca2 100644
--- a/README.md
+++ b/README.md
@@ -59,11 +59,19 @@ Set the files ownership to `www-data` user.
 ```sh
 sudo chown -R www-data:www-data /var/www
 ```
+Move the RaspAP configuration file to the correct location
+```sh
+sudo mkdir /etc/raspad
+sudo mv /var/www/raspad.php /etc/raspad/
+sudo chown -R www-data:www-data /etc/raspad
+```
 Reboot and it should be up and running!
 ```sh
 sudo reboot
 ```
 
+The default username is 'admin' and the default password is 'secret'.
+
 ## Optional services
 OpenVPN and TOR are two additional services that run perfectly well on the RPi, and are a nice way to extend the usefulness of your WiFi router. I've started on interfaces to administer these services. Not everyone will need them, so for the moment they are disabled by default. You can enable them by changing these options in `index.php`:
 
diff --git a/includes/admin.php b/includes/admin.php
new file mode 100755
index 00000000..12d12fee
--- /dev/null
+++ b/includes/admin.php
@@ -0,0 +1,78 @@
+<?php
+
+function Status($message, $level='success', $dismissable=true) {
+	$status = '<div class="alert alert-'.$level;
+	if ($dismissable) $status .= ' alert-dismissable';
+	$status .= '">'.$message;
+	if ($dismissable) $status .= '<button type="button" class="close" data-dismiss="alert" aria-hidden="true">x</button>';
+	$status .= '</div>';
+
+	return $status;
+}
+
+function DisplayRaspAPConfig($username, $password){
+  $status = '';
+  if (isset($_POST['UpdateAdminPassword'])) {
+		if (password_verify($_POST['oldpass'], $password)) {
+			$new_username=trim($_POST['username']);
+			if ($_POST['newpass'] != $_POST['newpassagain']) {
+				$status = Status('New passwords do not match', 'danger');
+			} else if ($new_username == '') {
+				$status = Status('Username must not be empty', 'danger');
+			} else {
+				if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
+					fwrite($auth_file, $new_username.PHP_EOL);
+					fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
+					fclose($auth_file);
+					$username = $new_username;
+					$status = Status('Admin password updated');
+				} else {
+					$status = Status('Failed to update admin password', 'danger');
+				}
+			}
+		} else {
+			$status = Status('Old password does not match', 'danger');
+		}
+  }
+?>
+	<div class="row">
+		<div class="col-lg-12">
+			<div class="panel panel-primary">
+				<div class="panel-heading"><i class="fa fa-dashboard fa-fw"></i>RaspAP Configuration</div>
+				<div class="panel-body">
+					<p><?php echo $status; ?></p>
+					<form role="form" action="/?page=admin_conf" method="POST">
+						<div class="row">
+							<div class="form-group col-md-4">
+								<label for="username">Username</label>
+								<input type="text" class="form-control" name="username" value="<?php echo $username; ?>"/>
+							</div>
+						</div>
+						<div class="row">
+							<div class="form-group col-md-4">
+								<label for="password">Old password</label>
+								<input type="password" class="form-control" name="oldpass"/>
+							</div>
+						</div>
+						<div class="row">
+							<div class="form-group col-md-4">
+								<label for="password">New password</label>
+								<input type="password" class="form-control" name="newpass"/>
+							</div>
+						</div>
+						<div class="row">
+							<div class="form-group col-md-4">
+								<label for="password">Repeat new password</label>
+								<input type="password" class="form-control" name="newpassagain"/>
+							</div>
+						</div>
+						<input type="submit" class="btn btn-outline btn-primary" name="UpdateAdminPassword" value="Save settings" />
+					</form>
+				</div><!-- /.panel-body -->
+			</div><!-- /.panel-default -->
+		</div><!-- /.col-lg-12 -->
+	</div><!-- /.row -->
+<?php 
+}
+
+?>
diff --git a/includes/authenticate.php b/includes/authenticate.php
new file mode 100644
index 00000000..a69a5ced
--- /dev/null
+++ b/includes/authenticate.php
@@ -0,0 +1,17 @@
+<?php
+$valid_passwords = array ("admin" => "admin");
+$valid_users = array_keys($valid_passwords);
+
+$user = $_SERVER['PHP_AUTH_USER'];
+$pass = $_SERVER['PHP_AUTH_PW'];
+
+//$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
+$validated = ($user == $config['admin_user']) && password_verify($pass, $config['admin_pass']);
+
+if (!$validated) {
+  header('WWW-Authenticate: Basic realm="RaspAP"');
+  header('HTTP/1.0 401 Unauthorized');
+  die ("Not authorized");
+}
+
+?>
diff --git a/index.php b/index.php
index 7743ee06..ce05797a 100755
--- a/index.php
+++ b/index.php
@@ -20,6 +20,9 @@
  * @see        http://sirlagz.net/2013/02/08/raspap-webgui/
  */
 
+define('RASPI_CONFIG', '/etc/raspap');
+define('RASPI_ADMIN_DETAILS', RASPI_CONFIG.'/raspap.auth');
+
 // Constants for configuration file paths.
 // These are typical for default RPi installs. Modify if needed.
 define('RASPI_DNSMASQ_CONFIG', '/etc/dnsmasq.conf');
@@ -36,6 +39,9 @@ define('RASPI_TORPROXY_CONFIG', '/etc/tor/torrc');
 define('RASPI_OPENVPN_ENABLED', false );
 define('RASPI_TORPROXY_ENABLED', false );
 
+include_once( RASPI_CONFIG.'/raspap.php' );
+include_once( 'includes/authenticate.php' );
+include_once( 'includes/admin.php' );
 include_once( 'includes/functions.php' );
 
 $output = $return = 0;
@@ -94,7 +100,7 @@ $page = $_GET['page'];
 	                <span class="icon-bar"></span>
 	                <span class="icon-bar"></span>
 	            </button>
-	            <a class="navbar-brand" href="index.html">RaspAP Wifi Portal v1.0</a>
+	            <a class="navbar-brand" href="index.php">RaspAP Wifi Portal v1.0</a>
 			</div>
 			<!-- /.navbar-header -->
 
@@ -124,6 +130,9 @@ $page = $_GET['page'];
 	                        <a href="index.php?page=torproxy_conf"><i class="fa fa-eye-slash fa-fw"></i> Configure TOR proxy</a>
 	                    </li>
 	                	<?php endif; ?>
+	                    <li>
+	                        <a href="index.php?page=admin_conf"><i class="fa fa-dashboard fa-fw"></i> Configure RaspAP</a>
+	                    </li>
 	                </ul>
 	            </div><!-- /.navbar-collapse -->
 	        </div><!-- /.navbar-default -->
@@ -161,6 +170,9 @@ $page = $_GET['page'];
 				case "torproxy_conf":
 					DisplayTorProxyConfig();
 					break;
+				case "admin_conf":
+					DisplayRaspAPConfig($config['admin_user'], $config['admin_pass']);
+					break;
 				case "save_hostapd_conf":
 					SaveHostAPDConfig();
 					break;
diff --git a/raspap.php b/raspap.php
new file mode 100644
index 00000000..9f5430b0
--- /dev/null
+++ b/raspap.php
@@ -0,0 +1,14 @@
+<?php
+
+$config = array(
+  'admin_user' => 'admin',
+  'admin_pass' => '$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i'
+);
+
+if ( $auth_details = fopen(RASPI_CONFIG.'/raspap.auth', 'r') ) {
+  $config['admin_user'] = trim(fgets($auth_details));
+  $config['admin_pass'] = trim(fgets($auth_details));
+  fclose($auth_details);
+}
+
+?>