From 3ce64d271b2b470bd6c9f7294946347dcdfed9b9 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Thu, 31 Jul 2025 13:53:14 +0200
Subject: Implement sudo mode / reauthentication (#7753)

* Implement sudo mode / reauthentication
* i18n: fr
* generate flags
* Improvements
* Remove HMAC check
* Don't require reauth to access logs when signed in as admin
* Notify user of bad login via notification instead

---------

Co-authored-by: Alexandre Alapetite
---
 app/Models/Auth.php | 51 ++++++++++++++++++++++++++++++++++++++
 app/Models/SystemConfiguration.php | 2 ++
 2 files changed, 53 insertions(+)
(limited to 'app/Models')

diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index 5c861f1db..19cd26aa5 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -165,6 +165,7 @@ class FreshRSS_Auth {
 self::$login_ok = false;
 Minz_Session::_params([
 'loginOk' => false,
+ 'lastReauth' => false,
 'csrf' => false,
 'REMOTE_USER' => false,
 ]);
@@ -230,4 +231,54 @@ class FreshRSS_Auth {
 }
 return $token != '' && $token === $csrf;
 }
+
+ public static function needsReauth(): bool {
+ $auth_type = FreshRSS_Context::systemConf()->auth_type;
+ $reauth_required = FreshRSS_Context::systemConf()->reauth_required;
+ $reauth_time = FreshRSS_Context::systemConf()->reauth_time;
+
+ if (!$reauth_required) {
+ return false;
+ }
+
+ $last_reauth = Minz_Session::paramInt('lastReauth');
+
+ if ($auth_type !== 'none' && time() - $last_reauth > $reauth_time) {
+ if ($auth_type === 'http_auth') {
+ // TODO: not implemented - just let the user through
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Return if user needs reauth and got redirected to login page.
+ *
+ * @param array{c?: string, a?: string, params?: array}|null $redirect
+ */
+ public static function requestReauth(?array $redirect = null): bool {
+ if (self::needsReauth()) {
+ if (Minz_Request::paramBoolean('ajax')) {
+ // Send 403 and exit instead of redirect with Minz_Error::error()
+ header('HTTP/1.1 403 Forbidden');
+ exit();
+ }
+
+ $redirect = Minz_Url::serialize($redirect ?? Minz_Request::currentRequest());
+
+ Minz_Request::forward([
+ 'c' => 'auth',
+ 'a' => 'reauth',
+ 'params' => [
+ 'r' => $redirect,
+ ],
+ ], true);
+
+ return true;
+ }
+
+ return false;
+ }
 }
diff --git a/app/Models/SystemConfiguration.php b/app/Models/SystemConfiguration.php
index 403950728..7c7862b8a 100644
--- a/app/Models/SystemConfiguration.php
+++ b/app/Models/SystemConfiguration.php
@@ -9,6 +9,8 @@ declare(strict_types=1);
 * @property bool $api_enabled
 * @property string $archiving
 * @property 'form'|'http_auth'|'none' $auth_type
+ * @property-read bool $reauth_required
+ * @property-read int $reauth_time
 * @property-read string $auto_update_url
 * @property-read array $curl_options
 * @property string $default_user
-- 
cgit v1.2.3
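Review bot: The AJAX branch of `requestReauth` hard-codes the protocol version in `header('HTTP/1.1 403 Forbidden');`, which emits a mismatched status line under HTTP/2 or behind some front-ends; `http_response_code(403);` sets the status portably and should replace it. The `r` parameter is built here from `Minz_Url::serialize(...)`, but the `auth/reauth` action that reads it back is outside this diff, so that consumer should treat `r` as untrusted input and only forward to the internal `c`/`a`/`params` route shape produced here, never to an arbitrary URL. `needsReauth()` has no docblock; a short one such as `/** True when reauth is enabled, auth_type is not 'none', and the session's last (re)authentication is older than reauth_time seconds; 'http_auth' is not yet handled and never requires it. */` would state the contract, and the three `FreshRSS_Context::systemConf()` calls could collapse into one local. Whether `Minz_Session::paramInt('lastReauth')` yields 0 for the `false` stored on logout is not visible here; if it returns anything else, the `time() - $last_reauth > $reauth_time` comparison should be re-checked. The enclosing class FreshRSS_Auth starts outside the hunk.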
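Review bot: The new `@property-read int $reauth_time` line gives no unit, and since `needsReauth()` in Auth.php compares it against `time() - $last_reauth` it is a number of seconds; a trailing description such as `@property-read int $reauth_time Seconds since the last (re)authentication after which sudo mode expires` would make that explicit for anyone editing the config. The enclosing docblock starts outside the hunk.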