Malin/domnitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CSRF, CAPTCHA, and input validation improvements

Browse Source 
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
This commit is contained in:
Hosteroid
2025-10-10 00:04:12 +03:00
parent 98f37c2482
commit a29becc944
41 changed files with 1689 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/Views/domains/bulk-add.php
View File

@@ -18,6 +18,7 @@ ob_start();
<div class="p-6">
<form method="POST" action="/domains/bulk-add" class="space-y-5">
<?= csrf_field() ?>
<!-- Domains Textarea -->
<div>
<label for="domains" class="block text-sm font-medium text-gray-700 mb-1.5">

1
app/Views/domains/create.php
View File

@@ -18,6 +18,7 @@ ob_start();
<div class="p-6">
<form method="POST" action="/domains/store" class="space-y-5">
<?= csrf_field() ?>
<!-- Domain Name -->
<div>
<label for="domain_name" class="block text-sm font-medium text-gray-700 mb-1.5">

3
app/Views/domains/edit.php
View File

@@ -18,6 +18,7 @@ ob_start();
<div class="p-6">
<form method="POST" action="/domains/<?= $domain['id'] ?>/update" class="space-y-5">
<?= csrf_field() ?>
<!-- Domain Name (Read-only) -->
<div>
@@ -98,6 +99,7 @@ ob_start();
<span class="text-sm font-medium text-gray-700">View Details</span>
</a>
<form method="POST" action="/domains/<?= $domain['id'] ?>/refresh" class="m-0">
<?= csrf_field() ?>
<button type="submit"
class="w-full flex items-center justify-center p-3 bg-white border border-gray-200 rounded-lg hover:border-green-300 hover:bg-green-50 transition-colors group">
<i class="fas fa-sync-alt text-green-600 mr-2 text-sm"></i>
@@ -105,6 +107,7 @@ ob_start();
</button>
</form>
<form method="POST" action="/domains/<?= $domain['id'] ?>/delete" onsubmit="return confirm('Delete this domain permanently?')" class="m-0">
<?= csrf_field() ?>
<button type="submit"
class="w-full flex items-center justify-center p-3 bg-white border border-gray-200 rounded-lg hover:border-red-300 hover:bg-red-50 transition-colors group">
<i class="fas fa-trash text-red-600 mr-2 text-sm"></i>

4
app/Views/domains/index.php
View File

@@ -47,6 +47,7 @@ $currentFilters = $filters ?? ['search' => '', 'status' => '', 'group' => '', 's
</button>
<div id="assign-group-dropdown" class="hidden absolute left-0 mt-2 w-64 bg-white rounded-lg shadow-lg border border-gray-200 z-10">
<form method="POST" action="/domains/bulk-assign-group" id="bulk-assign-form">
<?= csrf_field() ?>
<input type="hidden" name="domain_ids" id="bulk-assign-ids">
<div class="p-3">
<select name="group_id" class="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm">
@@ -83,6 +84,7 @@ $currentFilters = $filters ?? ['search' => '', 'status' => '', 'group' => '', 's
<div class="flex gap-2">
<?php if (!empty($domains)): ?>
<form method="POST" action="/domains/bulk-refresh" id="refresh-all-form">
<?= csrf_field() ?>
<?php foreach ($domains as $domain): ?>
<input type="hidden" name="domain_ids[]" value="<?= $domain['id'] ?>">
<?php endforeach; ?>
@@ -299,6 +301,7 @@ $currentFilters = $filters ?? ['search' => '', 'status' => '', 'group' => '', 's
<i class="fas fa-eye"></i>
</a>
<form method="POST" action="/domains/<?= $domain['id'] ?>/refresh" class="inline">
<?= csrf_field() ?>
<button type="submit" class="text-green-600 hover:text-green-800" title="Refresh WHOIS">
<i class="fas fa-sync-alt"></i>
</button>
@@ -307,6 +310,7 @@ $currentFilters = $filters ?? ['search' => '', 'status' => '', 'group' => '', 's
<i class="fas fa-edit"></i>
</a>
<form method="POST" action="/domains/<?= $domain['id'] ?>/delete" class="inline" onsubmit="return confirm('Delete this domain?')">
<?= csrf_field() ?>
<button type="submit" class="text-red-600 hover:text-red-800" title="Delete">
<i class="fas fa-trash"></i>
</button>

3
app/Views/domains/view.php
View File

@@ -39,6 +39,7 @@ ob_start();
</div>
<div class="flex gap-2 items-center">
<form method="POST" action="/domains/<?= $domain['id'] ?>/refresh" class="inline">
<?= csrf_field() ?>
<button type="submit" class="inline-flex items-center justify-center px-3 py-2 bg-green-600 text-white text-xs rounded-lg hover:bg-green-700 transition-colors font-medium min-w-[80px] h-[32px]">
<i class="fas fa-sync-alt mr-1.5"></i>
Refresh
@@ -49,6 +50,7 @@ ob_start();
Edit
</a>
<form method="POST" action="/domains/<?= $domain['id'] ?>/delete" onsubmit="return confirm('Delete this domain?')" class="inline">
<?= csrf_field() ?>
<button type="submit" class="inline-flex items-center justify-center px-3 py-2 bg-red-600 text-white text-xs rounded-lg hover:bg-red-700 transition-colors font-medium min-w-[80px] h-[32px]">
<i class="fas fa-trash mr-1.5"></i>
Delete
@@ -293,6 +295,7 @@ ob_start();
</div>
<div class="p-4">
<form method="POST" action="/domains/<?= $domain['id'] ?>/update-notes" id="notes-form">
<?= csrf_field() ?>
<textarea
name="notes"
id="notes-textarea"