LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
218 Commits 2 Branches 0 Tags
021c01b3d458b51e2e3cf7d69ad2e46e16f07412
Commit Graph

5 Commits

Author SHA1 Message Date
Jared Vititoe
bcc163bc77 Audit fixes: security, dead code removal, API consolidation, JS dedup 
Security:
- Fix IDOR in delete/update comment (add ticket visibility check)
- XSS defense-in-depth in DashboardView active filters
- Replace innerHTML with DOM construction in toast.js
- Remove redundant real_escape_string in check_duplicates
- Add rate limiting to get_template, download_attachment, audit_log,
  saved_filters, user_preferences endpoints

Bug fixes:
- Session timeout now reads from config instead of hardcoded 18000
- TicketController uses $GLOBALS['config'] instead of duplicate .env parsing
- Add DISCORD_WEBHOOK_URL to centralized config
- Cleanup script uses hashmap for O(1) ticket ID lookups

Dead code removal (~100 lines):
- Remove dead getTicketComments() from TicketModel (wrong bind_param type)
- Remove dead getCategories()/getTypes() from DashboardController
- Remove ~80 lines dead Discord webhook code from update_ticket API

Consolidation:
- Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit)
- Convert 6 API endpoints to use bootstrap
- Extract escapeHtml/getTicketIdFromUrl into shared utils.js
- Batch save for user preferences (1 request instead of 7)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-11 14:50:06 -05:00
Jared Vititoe
5b2a2c271e Add security logging, domain validation, and output helpers 
- Add authentication failure logging to AuthMiddleware (session expiry,
  access denied, unauthenticated access attempts)
- Add UrlHelper for secure URL generation with host validation against
  configurable ALLOWED_HOSTS whitelist
- Add OutputHelper with consistent XSS-safe escaping functions (h, attr,
  json, url, css, truncate, date, cssClass)
- Add validation to AuditLogModel query parameters (pagination limits,
  date format validation, action/entity type validation, IP sanitization)
- Add APP_DOMAIN and ALLOWED_HOSTS configuration options

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-30 18:51:16 -05:00
Jared Vititoe
6d03f9c89b fix: Session auth, sidebar toggle, and dependencies table 
- Change session.cookie_samesite from Strict to Lax for Authelia compatibility
- Redesign sidebar toggle with separate collapse/expand buttons
- Add script to create missing ticket_dependencies table
- Add .env.example template
- Add check for missing .env with helpful error message

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-23 21:16:29 -05:00
Jared Vititoe
e801eee6ee feat: Add session security and fixation prevention 
Session security improvements in AuthMiddleware:

1. Secure Cookie Configuration:
   - HttpOnly flag prevents JavaScript access to session cookies
   - Secure flag requires HTTPS (protects from MITM)
   - SameSite=Strict prevents CSRF via cookie inclusion
   - Strict mode rejects uninitialized session IDs

2. Session Fixation Prevention:
   - session_regenerate_id(true) called after successful authentication
   - Old session ID destroyed, new one generated
   - Prevents attacker from using pre-set session ID

3. CSRF Token Regeneration:
   - New CSRF token generated on login
   - Ensures fresh token for each session

These changes protect against session hijacking, fixation, and
cross-site attacks while maintaining existing 5-hour timeout.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-09 16:23:09 -05:00
Jared Vititoe
7b25ec1dd1 SSO Update :) 2026-01-01 15:40:32 -05:00