UA and IP checks can now be disabled via extendedValidation option

2025-01-22 15:24:15 +03:00 · 2021-04-21 11:41:56 +00:00 · 2021-04-21 11:41:56 +00:00 · 586aa99cd6
commit 586aa99cd6
parent 60bbd5b8b5
2 changed files with 10 additions and 1 deletions
--- a/chandler-example.yml
+++ b/chandler-example.yml
@ -20,4 +20,5 @@ chandler:
    security:
        secret: ""
        csrfProtection: "permissive"
        extendedValidation: false
        sessionDuration: 14
--- a/chandler/Security/Authenticator.php
+++ b/chandler/Security/Authenticator.php
@ -27,6 +27,7 @@ class Authenticator
                      ->table("ChandlerTokens")
                      ->where($data)
                      ->fetch();
        if(!$token) {
            $this->db->table("ChandlerTokens")->insert($data);
            $token = $this->db->table("ChandlerTokens")->where($data)->fetch();
@ -68,9 +69,16 @@ class Authenticator
                          "token" => $token,
                      ])
                      ->fetch();
        if(!$token) return null;
-        if($token->ip === CONNECTING_IP && $token->ua === $_SERVER["HTTP_USER_AGENT"]) {
+        $checksPassed = false;
        if(CHANDLER_ROOT_CONF["security"]["extendedValidation"])
            $checksPassed = $token->ip === CONNECTING_IP && $token->ua === $_SERVER["HTTP_USER_AGENT"];
        else
            $checksPassed = true;
        if($checksPassed) {
            $su   = $this->session->get("_su");
            $user = $this->db->table("ChandlerUsers")->get($su ?? $token->user);
            if(!$user) return null;