prepare("SELECT `allow_from` FROM `api` WHERE `api_key` = :api_key AND `active` = '1';"); $stmt->execute(array( ':api_key' => preg_replace('/[^a-zA-Z0-9-]/', '', $_SERVER['HTTP_X_API_KEY']) )); $api_return = $stmt->fetch(PDO::FETCH_ASSOC); if (!empty($api_return['allow_from'])) { $remote = get_remote_ip(false); $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $api_return['allow_from'])); if (in_array($remote, $allow_from)) { $_SESSION['mailcow_cc_username'] = 'API'; $_SESSION['mailcow_cc_role'] = 'admin'; $_SESSION['mailcow_cc_api'] = true; } else { $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']); error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']); echo json_encode(array( 'type' => 'error', 'msg' => 'api access denied for ip ' . $_SERVER['REMOTE_ADDR'] )); unset($_POST); die(); } } else { $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']); error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']); echo json_encode(array( 'type' => 'error', 'msg' => 'authentication failed' )); unset($_POST); die(); } } // Update session cookie // setcookie(session_name() ,session_id(), time() + $SESSION_LIFETIME); // Handle logouts if (isset($_POST["logout"])) { if (isset($_SESSION["dual-login"])) { $_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"]; $_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"]; unset($_SESSION["dual-login"]); header("Location: /mailbox"); exit(); } else { session_regenerate_id(true); session_unset(); session_destroy(); session_write_close(); header("Location: /"); } } // Check session function session_check() { if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) { return true; } if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) { $_SESSION['return'][] = array( 'type' => 'warning', 'msg' => 'session_ua' ); return false; } if (!empty($_POST)) { if ($_SESSION['CSRF']['TOKEN'] != $_POST['csrf_token']) { $_SESSION['return'][] = array( 'type' => 'warning', 'msg' => 'session_token' ); return false; } unset($_POST['csrf_token']); $_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32)); $_SESSION['CSRF']['TIME'] = time(); } return true; } if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) { $_POST = array(); $_FILES = array(); }