netalertx
diff --git a/‎front/index.php‎
Lines changed: 70 additions & 10 deletions b/‎front/index.php‎
Lines changed: 70 additions & 10 deletions
diff --git a/‎server/api_server/api_server_start.py‎
Lines changed: 144 additions & 1 deletion b/‎server/api_server/api_server_start.py‎
Lines changed: 144 additions & 1 deletion
diff --git a/‎server/api_server/openapi/schemas.py‎
Lines changed: 83 additions & 0 deletions b/‎server/api_server/openapi/schemas.py‎
Lines changed: 83 additions & 0 deletions
@@ -84,6 +84,52 @@ function is_https_request(): bool {
     return false;
 }
 
+function call_api(string $endpoint, array $data = []): ?array {
+    /*
+    Call NetAlertX API endpoint (for login page endpoints that don't require auth).
+    
+    Returns: JSON response as array, or null on failure
+    */
+    try {
+        // Determine API host (assume localhost on same port as frontend)
+        $api_host = $_SERVER['HTTP_HOST'] ?? 'localhost';
+        $api_scheme = is_https_request() ? 'https' : 'http';
+        $api_url = $api_scheme . '://' . $api_host;
+        
+        $url = $api_url . $endpoint;
+        
+        $ch = curl_init($url);
+        if (!$ch) return null;
+        
+        curl_setopt_array($ch, [
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_TIMEOUT => 5,
+            CURLOPT_FOLLOWLOCATION => false,
+            CURLOPT_HTTPHEADER => [
+                'Content-Type: application/json',
+                'Accept: application/json'
+            ]
+        ]);
+        
+        if (!empty($data)) {
+            curl_setopt($ch, CURLOPT_POST, true);
+            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
+        }
+        
+        $response = curl_exec($ch);
+        $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+        
+        if ($httpcode !== 200 || !$response) {
+            return null;
+        }
+        
+        return json_decode($response, true);
+    } catch (Exception $e) {
+        return null;
+    }
+}
+
 
 function logout_user(): void {
     $_SESSION = [];
@@ -127,18 +173,26 @@ function logout_user(): void {
 
         login_user();
 
+        // Handle "Remember Me" if checked
         if (!empty($_POST['PWRemember'])) {
+            // Generate random token (64-byte hex = 128 chars, use 64 chars)
             $token = bin2hex(random_bytes(32));
 
-            $_SESSION['remember_token'] = hash('sha256',$token);
-
-            setcookie(COOKIE_NAME,$token,[
-                'expires'=>time()+604800,
-                'path'=>'/',
-                'secure'=>is_https_request(),
-                'httponly'=>true,
-                'samesite'=>'Strict'
+            // Call API to save token hash to Parameters table
+            $save_response = call_api('/auth/remember-me/save', [
+                'token' => $token
             ]);
+
+            // If API call successful, set persistent cookie
+            if ($save_response && isset($save_response['success']) && $save_response['success']) {
+                setcookie(COOKIE_NAME, $token, [
+                    'expires' => time() + 604800,
+                    'path' => '/',
+                    'secure' => is_https_request(),
+                    'httponly' => true,
+                    'samesite' => 'Strict'
+                ]);
+            }
         }
 
         safe_redirect(append_hash($redirectTo));
@@ -149,9 +203,15 @@ function logout_user(): void {
    Remember Me Validation
 ===================================================== */
 
-if (!is_authenticated() && !empty($_COOKIE[COOKIE_NAME]) && !empty($_SESSION['remember_token'])) {
+if (!is_authenticated() && !empty($_COOKIE[COOKIE_NAME])) {
+
+    // Call API to validate token against stored hash
+    $validate_response = call_api('/auth/validate-remember', [
+        'token' => $_COOKIE[COOKIE_NAME]
+    ]);
 
-    if (hash_equals($_SESSION['remember_token'], hash('sha256',$_COOKIE[COOKIE_NAME]))) {
+    // If API returns valid token, authenticate and redirect
+    if ($validate_response && isset($validate_response['valid']) && $validate_response['valid'] === true) {
         login_user();
         safe_redirect(append_hash($redirectTo));
     }
 
@@ -6,6 +6,7 @@
 
 from flask import Flask, redirect, request, jsonify, url_for, Response
 from models.device_instance import DeviceInstance  # noqa: E402
+from models.parameters_instance import ParametersInstance  # noqa: E402
 from flask_cors import CORS
 from werkzeug.exceptions import HTTPException
 
@@ -94,7 +95,9 @@
     DbQueryRequest, DbQueryResponse,
     DbQueryUpdateRequest, DbQueryDeleteRequest,
     AddToQueueRequest, GetSettingResponse,
-    RecentEventsRequest, SetDeviceAliasRequest
+    RecentEventsRequest, SetDeviceAliasRequest,
+    ValidateRememberRequest, ValidateRememberResponse,
+    SaveRememberRequest, SaveRememberResponse
 )
 
 from .sse_endpoint import (  # noqa: E402 [flake8 lint suppression]
@@ -1933,6 +1936,146 @@ def check_auth(payload=None):
         return jsonify({"success": True, "message": "Authentication check successful"}), 200
 
 
+# --------------------------
+# Remember Me Validation endpoint
+# --------------------------
+@app.route("/auth/validate-remember", methods=["POST"])
+@validate_request(
+    operation_id="validate_remember",
+    summary="Validate Remember Me Token",
+    description="Validate a persistent Remember Me token against stored hash. Called from login page (no auth required).",
+    request_model=ValidateRememberRequest,
+    response_model=ValidateRememberResponse,
+    tags=["auth"],
+    auth_callable=None  # No auth required - used on login page
+)
+def validate_remember(payload=None):
+    """
+    Validate a Remember Me token from persistent cookie.
+
+    Security: Uses timing-safe hash comparison to prevent timing attacks.
+    Token format: hex-encoded 32 random bytes (64 chars) from bin2hex(random_bytes(32))
+    """
+    try:
+        # Extract token from request
+        data = request.get_json() or {}
+        token = data.get("token")
+
+        if not token:
+            mylog("verbose", ["[auth/validate-remember] Missing token in request"])
+            return jsonify({
+                "success": True,
+                "valid": False,
+                "message": "Token validation failed: missing token"
+            }), 200
+
+        # Validate token against stored hash
+        params_instance = ParametersInstance()
+        result = params_instance.validate_token(token)
+
+        if result['valid']:
+            mylog("verbose", ["[auth/validate-remember] Token validation successful"])
+            return jsonify({
+                "success": True,
+                "valid": True,
+                "message": "Token validation successful"
+            }), 200
+        else:
+            mylog("verbose", ["[auth/validate-remember] Token validation failed"])
+            return jsonify({
+                "success": True,
+                "valid": False,
+                "message": "Token validation failed"
+            }), 200
+
+    except Exception as e:
+        mylog("verbose", [f"[auth/validate-remember] Unexpected error: {e}"])
+        return jsonify({
+            "success": False,
+            "valid": False,
+            "error": "Internal server error",
+            "message": "An unexpected error occurred during token validation"
+        }), 500
+
+
+# --------------------------
+# Remember Me Save endpoint
+# --------------------------
+@app.route("/auth/remember-me/save", methods=["POST"])
+@validate_request(
+    operation_id="save_remember",
+    summary="Save Remember Me Token",
+    description="Save a Remember Me token to the database. Called after successful login to enable persistent authentication.",
+    request_model=SaveRememberRequest,
+    response_model=SaveRememberResponse,
+    tags=["auth"],
+    auth_callable=None  # No auth required - used on login page
+)
+def save_remember(payload=None):
+    """
+    Save a Remember Me token.
+
+    Flow:
+    1. User logs in with "Remember Me" checkbox
+    2. Password validated successfully
+    3. Token generated: bin2hex(random_bytes(32))
+    4. This endpoint called: saves hash(token) to Parameters table
+    5. Token (unhashed) set in persistent cookie
+    6. Session created and user redirected
+
+    Security: Only the HASH is stored in the database, not the token itself.
+    If database is compromised, attacker cannot use stolen hashes without the original token.
+    """
+    try:
+        import uuid
+        import hashlib
+
+        # Extract token from request
+        data = request.get_json() or {}
+        token = data.get("token")
+
+        if not token or len(token) < 64:
+            mylog("verbose", ["[auth/remember-me/save] Invalid or missing token"])
+            return jsonify({
+                "success": False,
+                "error": "Invalid token",
+                "message": "Token must be 64+ hex characters"
+            }), 400
+
+        # Hash the token
+        token_hash = hashlib.sha256(token.encode('utf-8')).hexdigest()
+
+        # Generate UUID-based parameter ID
+        token_id = f"remember_me_token_{uuid.uuid4()}"
+
+        # Store hash in Parameters table
+        params_instance = ParametersInstance()
+        success = params_instance.set_parameter(token_id, token_hash)
+
+        if success:
+            mylog("verbose", [f"[auth/remember-me/save] Token saved successfully: {token_id}"])
+            return jsonify({
+                "success": True,
+                "message": "Remember Me token saved successfully",
+                "token_id": token_id
+            }), 200
+        else:
+            mylog("verbose", ["[auth/remember-me/save] Failed to save token to database"])
+            return jsonify({
+                "success": False,
+                "error": "Database error",
+                "message": "Failed to save Remember Me token"
+            }), 500
+
+    except Exception as e:
+        mylog("verbose", [f"[auth/remember-me/save] Unexpected error: {e}"])
+        return jsonify({
+            "success": False,
+            "error": "Internal server error",
+            "message": "An unexpected error occurred while saving Remember Me token"
+        }), 500
+
+
 # --------------------------
 # Health endpoint
 # --------------------------
 
@@ -1031,6 +1031,89 @@ class GetSettingResponse(BaseResponse):
     value: Any = Field(None, description="The setting value")
 
 
+# =============================================================================
+# AUTH SCHEMAS (Remember Me)
+# =============================================================================
+
+
+class ValidateRememberRequest(BaseModel):
+    """Request to validate a Remember Me token."""
+    model_config = ConfigDict(
+        json_schema_extra={
+            "examples": [{
+                "token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2"
+            }]
+        }
+    )
+
+    token: str = Field(
+        ...,
+        min_length=64,
+        max_length=128,
+        description="The unhashed Remember Me token from persistent cookie (hex-encoded binary)"
+    )
+
+
+class ValidateRememberResponse(BaseResponse):
+    """Response from Remember Me token validation."""
+    model_config = ConfigDict(
+        extra="allow",
+        json_schema_extra={
+            "examples": [{
+                "success": True,
+                "valid": True,
+                "message": "Token validation successful"
+            }, {
+                "success": True,
+                "valid": False,
+                "message": "Token validation failed"
+            }]
+        }
+    )
+
+    valid: bool = Field(
+        ...,
+        description="Whether the token is valid and matches stored hash"
+    )
+
+
+class SaveRememberRequest(BaseModel):
+    """Request to save a Remember Me token."""
+    model_config = ConfigDict(
+        json_schema_extra={
+            "examples": [{
+                "token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2"
+            }]
+        }
+    )
+
+    token: str = Field(
+        ...,
+        min_length=64,
+        max_length=128,
+        description="The unhashed Remember Me token to save (hex-encoded binary from bin2hex(random_bytes(32)))"
+    )
+
+
+class SaveRememberResponse(BaseResponse):
+    """Response from Remember Me token save operation."""
+    model_config = ConfigDict(
+        extra="allow",
+        json_schema_extra={
+            "examples": [{
+                "success": True,
+                "message": "Token saved successfully",
+                "token_id": "remember_me_token_550e8400-e29b-41d4-a716-446655440000"
+            }]
+        }
+    )
+
+    token_id: Optional[str] = Field(
+        None,
+        description="The parameter ID where token hash was stored (UUID-based)"
+    )
+
+
 # =============================================================================
 # GRAPHQL SCHEMAS
 # =============================================================================