domnitor/routes/web.php
Hosteroid e3006738a9 Improve security, validation, and isolation checks
Add multiple security and validation improvements across the app:

- Prevent session fixation: regenerate session ID on login and after successful 2FA; tighten session cookie params (Secure, HttpOnly, SameSite=Lax).
- Harden installer: add CSRF checks for install/update flows and use PDO::quote when injecting admin credentials into SQL migration to avoid injection; add csrf_field() to installer templates.
- Template hardening: add safe_url and safe_mailto Twig filters, escape tag names for JS, and add rel="noopener noreferrer" to external links to mitigate XSS/opener risks.
- Domain controller: validate referrer to avoid open redirects, enforce user isolation mode when finding/deleting/updating domains and when assigning notification groups (ensures users only affect their own resources).
- Notification groups: verify channel belongs to group before deleting or toggling to prevent unauthorized access.
- ErrorLog: whitelist allowed sort columns to avoid arbitrary column injection in ORDER BY.
- Routes: move the debug whois route to protected/admin area.

These changes collectively reduce attack surface (XSS, open redirect, session fixation, SQL injection) and enforce proper resource isolation and input validation.
2026-03-11 00:03:54 +02:00


<?php
use Core\Application;
use Core\Auth;
use App\Controllers\DashboardController;
use App\Controllers\DomainController;
use App\Controllers\NotificationGroupController;
use App\Controllers\AuthController;
use App\Controllers\DebugController;
use App\Controllers\SearchController;
use App\Controllers\TldRegistryController;
use App\Controllers\SettingsController;
use App\Controllers\ProfileController;
use App\Controllers\UserController;
use App\Controllers\InstallerController;
use App\Controllers\NotificationController;
use App\Controllers\ErrorLogController;
use App\Controllers\TwoFactorController;
use App\Controllers\TagController;
use App\Controllers\UpdateController;
// Router instance taken from the Application static property. This file runs at
// include scope, so $router and the order of the calls below are part of its behaviour.
$router = Application::$router;
// Installer routes (public - registered before the Auth::require() call further down)
// NOTE(review): nothing at the route level stops these from being reached after
// installation. Confirm InstallerController refuses /install/run, /install/check-database
// and /install/update once the application is installed and no update is pending.
$router->get('/install', [InstallerController::class, 'index']);
$router->get('/install/check-database', [InstallerController::class, 'checkDatabase']);
$router->post('/install/run', [InstallerController::class, 'install']);
$router->get('/install/complete', [InstallerController::class, 'complete']);
$router->get('/install/update', [InstallerController::class, 'showUpdate']);
$router->post('/install/update', [InstallerController::class, 'runUpdate']);
// Authentication routes (public)
$router->get('/login', [AuthController::class, 'showLogin']);
$router->post('/login', [AuthController::class, 'login']);
// NOTE(review): logout is a GET. A SameSite=Lax session cookie is still sent on top-level
// cross-site GET navigations, so a third-party link can end the user's session.
// A POST with a CSRF token avoids that, but it changes the URL contract for templates.
$router->get('/logout', [AuthController::class, 'logout']);
$router->get('/register', [AuthController::class, 'showRegister']);
$router->post('/register', [AuthController::class, 'register']);
$router->get('/verify-email', [AuthController::class, 'showVerifyEmail']);
// NOTE(review): presumably sends an e-mail on a plain GET; confirm it is rate limited.
$router->get('/resend-verification', [AuthController::class, 'resendVerification']);
$router->get('/forgot-password', [AuthController::class, 'showForgotPassword']);
$router->post('/forgot-password', [AuthController::class, 'forgotPassword']);
$router->get('/reset-password', [AuthController::class, 'showResetPassword']);
$router->post('/reset-password', [AuthController::class, 'resetPassword']);
// Two-Factor Authentication routes (public during verification)
// These are registered before Auth::require(), so they are reachable without a full session.
// NOTE(review): confirm TwoFactorController limits verification attempts and e-mail code
// sends per pending login; the route table applies no throttle.
$router->get('/2fa/verify', [TwoFactorController::class, 'showVerify']);
$router->post('/2fa/verify', [TwoFactorController::class, 'verify']);
$router->post('/2fa/send-email-code', [TwoFactorController::class, 'sendEmailCode']);
// Protected routes - require authentication
// Auth::require() is called once at file scope, i.e. when this file is included, and is not
// attached to individual routes. Its position marks the public/protected boundary.
// NOTE(review): how it exempts the public paths registered above is not visible here.
// Confirm against Core\Auth before moving any route across this line.
Auth::require();
// Debug route (admin-only)
// NOTE(review): this line only places the route after Auth::require(), and no role check
// is attached here. The admin restriction must be enforced inside DebugController::whois.
// Verify that, and consider not registering the route in production.
$router->get('/debug/whois', [DebugController::class, 'whois']);
// Dashboard ('/' and '/dashboard' both map to the same action)
$router->get('/', [DashboardController::class, 'index']);
$router->get('/dashboard', [DashboardController::class, 'index']);
// Search
$router->get('/search', [SearchController::class, 'index']);
$router->get('/api/search/suggest', [SearchController::class, 'suggest']);
// Domains
// Literal paths (/domains/export, /domains/create, /domains/bulk-*) are registered before
// the /domains/{id} patterns. Keep that order unless the router is known to prefer literals.
// NOTE(review): routes carry no ownership check, so per-user isolation has to be applied in
// DomainController for every action taking {id}, including the child ids {recordId} and
// {certificateId} (the child must belong to that domain). Confirm that the bulk and transfer
// actions filter the submitted id list by owner as well.
$router->get('/domains', [DomainController::class, 'index']);
$router->get('/domains/export', [DomainController::class, 'export']);
$router->post('/domains/import', [DomainController::class, 'import']);
$router->get('/domains/create', [DomainController::class, 'create']);
// bulkAdd serves both the form (GET) and its submission (POST).
$router->get('/domains/bulk-add', [DomainController::class, 'bulkAdd']);
$router->post('/domains/bulk-add', [DomainController::class, 'bulkAdd']);
$router->post('/domains/bulk-refresh', [DomainController::class, 'bulkRefresh']);
$router->post('/domains/bulk-delete', [DomainController::class, 'bulkDelete']);
$router->post('/domains/bulk-assign-group', [DomainController::class, 'bulkAssignGroup']);
$router->post('/domains/bulk-toggle-status', [DomainController::class, 'bulkToggleStatus']);
$router->post('/domains/bulk-add-tags', [DomainController::class, 'bulkAddTags']);
$router->post('/domains/bulk-remove-tags', [DomainController::class, 'bulkRemoveTags']);
$router->post('/domains/bulk-remove-specific-tag', [DomainController::class, 'bulkRemoveSpecificTag']);
$router->post('/domains/bulk-assign-existing-tag', [DomainController::class, 'bulkAssignExistingTag']);
$router->post('/domains/get-tags-for-domains', [DomainController::class, 'getTagsForDomains']);
$router->post('/domains/transfer', [DomainController::class, 'transfer']);
$router->post('/domains/bulk-transfer', [DomainController::class, 'bulkTransfer']);
$router->post('/domains/store', [DomainController::class, 'store']);
// Per-domain routes
$router->get('/domains/{id}', [DomainController::class, 'show']);
$router->get('/domains/{id}/edit', [DomainController::class, 'edit']);
$router->post('/domains/{id}/update', [DomainController::class, 'update']);
$router->post('/domains/{id}/update-notes', [DomainController::class, 'updateNotes']);
$router->post('/domains/{id}/refresh-whois', [DomainController::class, 'refreshWhois']);
$router->post('/domains/{id}/refresh-dns', [DomainController::class, 'refreshDns']);
$router->post('/domains/{id}/discover-dns', [DomainController::class, 'discoverDns']);
// DNS records of one domain
$router->post('/domains/{id}/dns-records', [DomainController::class, 'addDnsRecord']);
$router->post('/domains/{id}/dns-records/bulk-delete', [DomainController::class, 'bulkDeleteDnsRecords']);
$router->post('/domains/{id}/dns-records/{recordId}/delete', [DomainController::class, 'deleteDnsRecord']);
$router->post('/domains/{id}/dns-import', [DomainController::class, 'importDnsZone']);
// SSL certificates of one domain; literal sub-paths come before {certificateId}
$router->post('/domains/{id}/ssl/add', [DomainController::class, 'addSslHost']);
$router->post('/domains/{id}/ssl/refresh-all', [DomainController::class, 'refreshAllSsl']);
$router->post('/domains/{id}/ssl/bulk-refresh', [DomainController::class, 'bulkRefreshSsl']);
$router->post('/domains/{id}/ssl/bulk-delete', [DomainController::class, 'bulkDeleteSsl']);
$router->post('/domains/{id}/ssl/{certificateId}/refresh', [DomainController::class, 'refreshSsl']);
$router->post('/domains/{id}/ssl/{certificateId}/delete', [DomainController::class, 'deleteSsl']);
$router->post('/domains/{id}/refresh-all', [DomainController::class, 'refreshAll']);
$router->post('/domains/{id}/delete', [DomainController::class, 'delete']);
// Notification Groups
// NOTE(review): no ownership check is attached at the route level. Confirm that
// NotificationGroupController scopes {id} and the bulk/transfer id lists to the current user.
$router->get('/groups', [NotificationGroupController::class, 'index']);
$router->get('/groups/export', [NotificationGroupController::class, 'export']);
$router->post('/groups/import', [NotificationGroupController::class, 'import']);
$router->get('/groups/create', [NotificationGroupController::class, 'create']);
$router->post('/groups/store', [NotificationGroupController::class, 'store']);
$router->get('/groups/{id}/edit', [NotificationGroupController::class, 'edit']);
$router->post('/groups/{id}/update', [NotificationGroupController::class, 'update']);
$router->post('/groups/{id}/delete', [NotificationGroupController::class, 'delete']);
$router->post('/groups/bulk-delete', [NotificationGroupController::class, 'bulkDelete']);
$router->post('/groups/transfer', [NotificationGroupController::class, 'transfer']);
$router->post('/groups/bulk-transfer', [NotificationGroupController::class, 'bulkTransfer']);
// Notification Channels
// The channel routes take two ids: {group_id} for the group and {id} for the channel.
// The handler must check that the channel belongs to that group before acting on it.
$router->post('/groups/{group_id}/channels', [NotificationGroupController::class, 'addChannel']);
$router->post('/groups/{group_id}/channels/{id}/delete', [NotificationGroupController::class, 'deleteChannel']);
$router->post('/groups/{group_id}/channels/{id}/toggle', [NotificationGroupController::class, 'toggleChannel']);
// NOTE(review): presumably sends a test message using channel settings from the request.
// If those include a webhook URL, confirm the destination is validated (scheme and host)
// so the server cannot be pointed at internal addresses.
$router->post('/channels/test', [NotificationGroupController::class, 'testChannel']);
// TLD Registry
// NOTE(review): these routes sit behind Auth::require() only, and no role restriction is
// visible here. Confirm which roles may import, edit or delete registry data.
$router->get('/tld-registry', [TldRegistryController::class, 'index']);
$router->get('/tld-registry/export', [TldRegistryController::class, 'export']);
$router->post('/tld-registry/import', [TldRegistryController::class, 'import']);
$router->post('/tld-registry/create', [TldRegistryController::class, 'createTld']);
// NOTE(review): GET /tld-registry/check-updates and GET /tld-registry/import-logs are
// single-segment paths registered after this {id} pattern. If the router matches in
// registration order and {id} is not restricted to digits, `show` would capture them.
// Verify the router's precedence rules.
$router->get('/tld-registry/{id}', [TldRegistryController::class, 'show']);
$router->post('/tld-registry/import-tld-list', [TldRegistryController::class, 'importTldList']);
$router->post('/tld-registry/import-rdap', [TldRegistryController::class, 'importRdap']);
$router->post('/tld-registry/import-whois', [TldRegistryController::class, 'importWhois']);
$router->post('/tld-registry/start-progressive-import', [TldRegistryController::class, 'startProgressiveImport']);
$router->get('/tld-registry/import-progress/{log_id}', [TldRegistryController::class, 'importProgress']);
$router->get('/tld-registry/api/import-progress', [TldRegistryController::class, 'apiGetImportProgress']);
$router->post('/tld-registry/bulk-delete', [TldRegistryController::class, 'bulkDelete']);
// NOTE(review): check-updates, toggle-active and refresh are GET routes whose names suggest
// they change state. CSRF tokens are normally not checked on GET, and SameSite=Lax cookies
// are sent on top-level cross-site GET navigations. Confirm whether these should be POST.
$router->get('/tld-registry/check-updates', [TldRegistryController::class, 'checkUpdates']);
$router->get('/tld-registry/{id}/toggle-active', [TldRegistryController::class, 'toggleActive']);
$router->get('/tld-registry/{id}/refresh', [TldRegistryController::class, 'refresh']);
// NOTE(review): these two presumably store server hostnames/URLs that later lookups will
// contact. Confirm the values are validated before they are saved.
$router->post('/tld-registry/{id}/update-whois-server', [TldRegistryController::class, 'updateWhoisServer']);
$router->post('/tld-registry/{id}/update-rdap-servers', [TldRegistryController::class, 'updateRdapServers']);
$router->get('/tld-registry/import-logs', [TldRegistryController::class, 'importLogs']);
$router->get('/api/tld-info', [TldRegistryController::class, 'apiGetTldInfo']);
// Settings
// NOTE(review): these are application-wide settings (mail, captcha, 2FA policy, isolation
// mode), yet the only visible gate is Auth::require(). The admin check has to live in
// SettingsController. Verify that every action enforces it, including test-email, test-cron
// and clear-logs.
$router->get('/settings', [SettingsController::class, 'index']);
$router->post('/settings/update', [SettingsController::class, 'update']);
$router->post('/settings/update-app', [SettingsController::class, 'updateApp']);
$router->post('/settings/update-email', [SettingsController::class, 'updateEmail']);
$router->post('/settings/update-captcha', [SettingsController::class, 'updateCaptcha']);
$router->post('/settings/update-two-factor', [SettingsController::class, 'updateTwoFactor']);
$router->post('/settings/test-email', [SettingsController::class, 'testEmail']);
$router->post('/settings/test-cron', [SettingsController::class, 'testCron']);
$router->post('/settings/clear-logs', [SettingsController::class, 'clearLogs']);
// Switching isolation mode changes which resources users can reach, so it is worth auditing.
$router->post('/settings/toggle-isolation', [SettingsController::class, 'toggleIsolationMode']);
// Updates (Admin Only)
// NOTE(review): "Admin Only" is not enforced by anything on these lines. apply and rollback
// presumably replace application code, so confirm UpdateController checks the admin role
// and the CSRF token on every action.
$router->post('/api/updates/check', [UpdateController::class, 'check']);
$router->post('/settings/updates/apply', [UpdateController::class, 'apply']);
$router->post('/settings/updates/rollback', [UpdateController::class, 'rollback']);
$router->post('/settings/updates/preferences', [UpdateController::class, 'savePreferences']);
$router->post('/settings/updates/channel', [UpdateController::class, 'updateChannel']);
$router->post('/settings/updates/badge', [UpdateController::class, 'updateBadgePreference']);
// Profile (acts on the logged-in user's own account)
$router->get('/profile', [ProfileController::class, 'index']);
$router->post('/profile/update', [ProfileController::class, 'update']);
// NOTE(review): confirm change-password and delete ask for the current password.
$router->post('/profile/change-password', [ProfileController::class, 'changePassword']);
$router->post('/profile/delete', [ProfileController::class, 'delete']);
// NOTE(review): presumably sends an e-mail on a plain GET; confirm it is rate limited.
$router->get('/profile/resend-verification', [ProfileController::class, 'resendVerification']);
$router->post('/profile/logout-other-sessions', [ProfileController::class, 'logoutOtherSessions']);
// NOTE(review): {sessionId} comes from the URL. The handler must confirm the session
// belongs to the current user before ending it.
$router->post('/profile/logout-session/{sessionId}', [ProfileController::class, 'logoutSession']);
// NOTE(review): file upload. Confirm type and size are validated server-side and that the
// stored file cannot be executed by the web server.
$router->post('/profile/upload-avatar', [ProfileController::class, 'uploadAvatar']);
$router->post('/profile/delete-avatar', [ProfileController::class, 'deleteAvatar']);
// Two-Factor Authentication management (protected)
$router->get('/2fa/setup', [TwoFactorController::class, 'setup']);
$router->post('/2fa/verify-setup', [TwoFactorController::class, 'verifySetup']);
// NOTE(review): cancel-setup is a GET that presumably discards pending setup state.
$router->get('/2fa/cancel-setup', [TwoFactorController::class, 'cancelSetup']);
// NOTE(review): presumably renders recovery codes. Confirm the response is not cacheable.
$router->get('/2fa/backup-codes', [TwoFactorController::class, 'backupCodes']);
// NOTE(review): disabling 2FA or regenerating codes weakens or resets the second factor.
// Confirm both require the current password or a valid 2FA code.
$router->post('/2fa/disable', [TwoFactorController::class, 'disable']);
$router->post('/2fa/regenerate-backup-codes', [TwoFactorController::class, 'regenerateBackupCodes']);
// Notifications
// NOTE(review): {id} must be scoped to the current user inside NotificationController,
// because no ownership check is attached here.
$router->get('/notifications', [NotificationController::class, 'index']);
// NOTE(review): mark-read and mark-all-read change state on GET. The impact is low, but they
// bypass any POST-only CSRF check and can be triggered by a cross-site navigation.
$router->get('/notifications/{id}/mark-read', [NotificationController::class, 'markAsRead']);
$router->get('/notifications/mark-all-read', [NotificationController::class, 'markAllAsRead']);
$router->post('/notifications/{id}/delete', [NotificationController::class, 'delete']);
$router->post('/notifications/clear-all', [NotificationController::class, 'clearAll']);
// JSON endpoints (path prefix /api)
$router->get('/api/notifications/unread-count', [NotificationController::class, 'getUnreadCount']);
$router->get('/api/notifications/recent', [NotificationController::class, 'getRecent']);
// User Management (Admin Only)
// NOTE(review): "Admin Only" is a comment, not a guard. These lines sit behind
// Auth::require() only, so the role check has to be in every UserController action.
// Verify that, including the bulk actions.
// The literal /users/create is registered before /users/{id}.
$router->get('/users', [UserController::class, 'index']);
$router->get('/users/create', [UserController::class, 'create']);
$router->post('/users/store', [UserController::class, 'store']);
$router->get('/users/{id}', [UserController::class, 'show']);
$router->get('/users/{id}/edit', [UserController::class, 'edit']);
$router->post('/users/{id}/update', [UserController::class, 'update']);
$router->post('/users/{id}/delete', [UserController::class, 'delete']);
$router->post('/users/{id}/toggle-status', [UserController::class, 'toggleStatus']);
$router->post('/users/bulk-toggle-status', [UserController::class, 'bulkToggleStatus']);
$router->post('/users/bulk-delete', [UserController::class, 'bulkDelete']);
// Error Logs (Admin Only)
// NOTE(review): same caveat as above, since the admin restriction is not visible at the
// route level. Error details can expose paths, queries and stack traces, so confirm
// ErrorLogController rejects non-admin users on every action.
$router->get('/errors', [ErrorLogController::class, 'index']);
$router->get('/errors/{id}', [ErrorLogController::class, 'show']);
$router->post('/errors/{id}/resolve', [ErrorLogController::class, 'markResolved']);
$router->post('/errors/{id}/unresolve', [ErrorLogController::class, 'markUnresolved']);
$router->post('/errors/{id}/delete', [ErrorLogController::class, 'delete']);
$router->post('/errors/bulk-delete', [ErrorLogController::class, 'bulkDelete']);
$router->post('/errors/clear-resolved', [ErrorLogController::class, 'clearResolved']);
// Tag Management
// update and delete take the tag id from the request body rather than the path.
// NOTE(review): confirm TagController scopes every tag id to the current user, whether it
// arrives in the body, in a bulk list or as {id}. Nothing here enforces ownership.
$router->get('/tags', [TagController::class, 'index']);
$router->get('/tags/export', [TagController::class, 'export']);
$router->post('/tags/import', [TagController::class, 'import']);
$router->post('/tags/create', [TagController::class, 'create']);
$router->post('/tags/update', [TagController::class, 'update']);
$router->post('/tags/delete', [TagController::class, 'delete']);
$router->post('/tags/transfer', [TagController::class, 'transfer']);
$router->post('/tags/bulk-delete', [TagController::class, 'bulkDelete']);
$router->post('/tags/bulk-transfer', [TagController::class, 'bulkTransfer']);
// The GET {id} pattern is registered after the literal GET paths /tags and /tags/export.
$router->get('/tags/{id}', [TagController::class, 'show']);
$router->post('/tags/bulk-add-to-domains', [TagController::class, 'bulkAddToDomains']);
$router->post('/tags/bulk-remove-from-domains', [TagController::class, 'bulkRemoveFromDomains']);