| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169 |
- <?php
- // Appliquer les headers de sécurité pour la page de login
- securityHeaders::applyForLogin();
- ?>
- <!DOCTYPE html>
- <html lang="fr">
- <head>
- <meta charset="UTF-8">
- <title>CSE Invent : Identification</title>
- <?php pwa::printManifeste(); ?>
- <meta name="mobile-web-app-capable" content="yes">
- <meta name="apple-mobile-web-app-capable" content="yes">
- <meta name="application-name" content="CSE Invent : CMS">
- <meta name="apple-mobile-web-app-title" content="CSE Invent : CMS">
- <meta name="msapplication-starturl" content="/">
- <meta name="msapplication-TileColor" content="#da532c">
- <meta name="theme-color" content="#ffffff">
- <link rel="icon" type="image/x-icon" href="<?php cache::printFileWithTime("favicon.ico") ?>">
- <!-- Token CSRF pour les requêtes AJAX -->
- <?php echo csrf::metaTag('login-ajax'); ?>
- <script src="<?php cache::printFileWithTime("libs/js/jquery.min.js") ?>"></script>
- <script src="<?php cache::printFileWithTime("libs/bootstrap/js/bootstrap.min.js") ?>"></script>
- <link rel="stylesheet" href="<?php cache::printFileWithTime("libs/bootstrap/assets/dist/css/bootstrap.min.css") ?>">
- <link rel="stylesheet" href="<?php cache::printFileWithTime("css/login.css") ?>">
- </head>
- <body>
- <div class="wrapper fadeInDown">
- <div id="formContent">
- <div class="fadeIn first">
- <img src="img/logo.png" id="icon" alt="CSE Invent" />
- </div>
- <form method="post" action="/submit.php" id="form-authent">
- <?php echo csrf::inputField('login-form'); ?>
- <input type="hidden" name="from" value="login">
- <!-- Honeypot anti-bot (champ invisible) -->
- <div style="position:absolute;left:-9999px;" aria-hidden="true">
- <input type="text" name="website" tabindex="-1" autocomplete="off">
- </div>
- <input type="text" class="fadeIn second" name="email" id="email" placeholder="email" required autocomplete="username">
- <input type="password" class="fadeIn third" name="password" placeholder="mot de passe" required autocomplete="current-password">
- <input type="text" class="third" style="display:none;" name="authenticator" id="authenticator" maxlength="6" placeholder="Code Google Authenticator">
- <input type="button" class="fadeIn fourth" id="submit-authent" value="Se connecter">
- <!-- Message de rate limiting -->
- <div id="rate-limit-warning" class="alert alert-warning" style="display:none;margin:10px;"></div>
- </form>
- <div id="formFooter" <?php if (!alert::ifError()) {
- echo ' style="display:none"';
- } ?>>
- <div class="alert alert-danger" role="alert"><?php if (alert::ifError()) {
- echo alert::printAlert(alert::getError());
- } ?></div>
- </div>
- <script nonce="<?php echo securityHeaders::getNonce(); ?>">
- $(document).ready(function() {
- // Variable pour savoir si on attend le code Authenticator
- var authenticatorRequired = false;
- // Configuration CSRF pour les requêtes AJAX
- $(document).ajaxSend(function(event, jqxhr, settings) {
- if (settings.type === 'POST') {
- const csrfToken = $('meta[name="csrf-token"]').attr('content');
- if (csrfToken) {
- jqxhr.setRequestHeader('X-CSRF-Token', csrfToken);
- }
- }
- });
- $("#submit-authent").on("click", function(e) {
- var $btn = $(this);
- var $warning = $("#rate-limit-warning");
- // Si Authenticator est requis et le code est rempli, soumettre le formulaire
- if (authenticatorRequired) {
- if ($("#authenticator").val().length === 6) {
- $("#form-authent").submit();
- } else {
- $warning.html('<strong>⚠️ Veuillez entrer le code à 6 chiffres.</strong>').show();
- }
- return;
- }
- // Désactiver le bouton pendant la requête
- $btn.prop('disabled', true).val('Vérification...');
- $warning.hide();
- var formData = {
- email: $("#email").val(),
- from: "authenticator",
- csrf_token: $("input[name='csrf_token']").val()
- };
- $.ajax({
- type: "POST",
- url: "submit.php",
- data: formData,
- dataType: "json",
- xhrFields: {
- withCredentials: true
- },
- }).done(function(data) {
- console.log("Réponse authenticator:", data);
- if (data && data.blocked) {
- $warning.html('<strong>⚠️ ' + data.message + '</strong>').show();
- $btn.prop('disabled', true).val('Bloqué');
- if (data.remaining_time) {
- setTimeout(function() {
- $btn.prop('disabled', false).val('Se connecter');
- $warning.hide();
- }, data.remaining_time * 1000);
- }
- } else if (data && (data.authenticator == 1 || data.required === true)) {
- // Google Authenticator requis
- authenticatorRequired = true;
- $("#authenticator").show().focus();
- $("#authenticator").prop("required", true);
- $btn.prop('disabled', false).val('Valider');
- } else {
- // Pas de 2FA, soumettre directement
- $("#form-authent").submit();
- }
- }).fail(function(jqXHR, textStatus, errorThrown) {
- console.error("Erreur AJAX:", textStatus, errorThrown);
- $btn.prop('disabled', false).val('Se connecter');
- if (jqXHR.status === 429) {
- var response = jqXHR.responseJSON || {};
- $warning.html('<strong>⚠️ ' + (response.message || 'Trop de tentatives. Veuillez patienter.') + '</strong>').show();
- } else if (jqXHR.status === 403) {
- $warning.html('<strong>⚠️ Session expirée. Rechargez la page.</strong>').show();
- }
- });
- });
- // Permettre la soumission avec Entrée dans le champ Authenticator
- $("#authenticator").on("keypress", function(e) {
- if (e.which === 13 && $(this).val().length === 6) {
- e.preventDefault();
- $("#form-authent").submit();
- }
- });
- });
- </script>
- </div>
- </div>
- <?php pwa::printServiceWorker(); ?>
- </body>
- </html>
- <?php
- alert::destroyAlert();
- ?>
|
