From 0c73f6ef2d4407b0d9824ae3f8fad69fb5d62982 Mon Sep 17 00:00:00 2001
From: "Jory A. Pratt" <geekypenguin@gmail.com>
Date: Sun, 15 Feb 2026 21:53:56 -0600
Subject: [PATCH 1/8] security: add authentication to all backend API endpoints

- Add auth_check.inc for Supermon (sm61loggedin) and Allmon3 (loggedin)
- Require auth in: announcement, delete_file, delete_announcement,
  run_announcement, globalplay, piper_generate, toggle_cron,
  update_announcement, list_mp3, list_ul, list_cron, list_announcements
- Return 403 when not authenticated
---
 announcement.php        |  2 ++
 auth_check.inc          | 17 +++++++++++++++++
 delete_announcement.php |  3 +++
 delete_file.php         |  2 ++
 globalplay.php          |  2 ++
 list_announcements.php  | 14 ++------------
 list_cron.php           |  2 ++
 list_mp3.php            |  5 +----
 list_ul.php             |  4 ++--
 piper_generate.php      |  1 +
 run_announcement.php    |  2 ++
 toggle_cron.php         |  2 ++
 update_announcement.php |  2 ++
 13 files changed, 40 insertions(+), 18 deletions(-)
 create mode 100644 auth_check.inc

diff --git a/announcement.php b/announcement.php
index 38f8e8d..ea8877e 100644
--- a/announcement.php
+++ b/announcement.php
@@ -7,6 +7,8 @@
  * and installs a cron job (classic or nth-week style)
  */
 
+require_once __DIR__ . '/auth_check.inc';
+
 $TMP_DIR      = '/mp3';
 $CONVERT_SCRIPT = '/etc/asterisk/local/audio_convert.sh';
 $PLAY_SCRIPT  = '/etc/asterisk/local/playaudio.sh';
diff --git a/auth_check.inc b/auth_check.inc
new file mode 100644
index 0000000..6398bf3
--- /dev/null
+++ b/auth_check.inc
@@ -0,0 +1,17 @@
+<?php
+/**
+ * auth_check.inc - Require authentication for Announcement Manager API endpoints
+ * Supports both Supermon (sm61loggedin) and Allmon3 (loggedin) session variables.
+ * Include this at the top of any custom PHP file that modifies data.
+ */
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+$authenticated = (isset($_SESSION['sm61loggedin']) && $_SESSION['sm61loggedin'] === true)
+    || (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true);
+if (!$authenticated) {
+    http_response_code(403);
+    header('Content-Type: text/plain');
+    echo 'Authentication required.';
+    exit;
+}
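Review bot: The session check authenticates the caller but does nothing against cross-site request forgery, so a browser that already holds a Supermon or Allmon3 session still passes this gate when a third-party page submits a form to delete_file.php, toggle_cron.php, run_announcement.php or the other POST endpoints this patch protects. Since every write endpoint now routes through this file, it is the natural place to also verify a per-session token (e.g. `hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'] ?? '')`, key name constructed here) or at least to confirm the session cookie is issued with a `SameSite` attribute; which fits depends on how the Supermon/Allmon3 login pages set up their sessions, which is not visible in this patch. Also confirm that both applications start their session under PHP's default `session_name()` and cookie path; if either uses a custom name, this include must apply the same setting before `session_start()` or it opens a different, empty session and denies every caller. Minor: `$authenticated` remains a global in every including script, so `unset($authenticated);` after the check (or wrapping the logic in a function) avoids a clash with a local of the same name.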
diff --git a/delete_announcement.php b/delete_announcement.php
index 2afe822..4b8acdc 100644
--- a/delete_announcement.php
+++ b/delete_announcement.php
@@ -1,4 +1,7 @@
 <?php
+
+require_once __DIR__ . '/auth_check.inc';
+
 if (!isset($_POST['raw_line'])) {
     echo "Error: Missing cron line";
     exit;
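Review bot: Unlike delete_file.php, globalplay.php, toggle_cron.php, run_announcement.php and update_announcement.php in this patch, the visible top of delete_announcement.php has no `if ($_SERVER['REQUEST_METHOD'] !== 'POST')` guard before reading `$_POST['raw_line']`, unless one exists further down outside the hunk. Adding the same 405 guard immediately after the new `require_once` keeps the protected endpoints consistent and makes the write-only intent explicit. The rest of delete_announcement.php is outside the hunk.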
diff --git a/delete_file.php b/delete_file.php
index ab1899a..e6c8edd 100644
--- a/delete_file.php
+++ b/delete_file.php
@@ -1,6 +1,8 @@
 <?php
 // delete_file.php - Delete MP3 or UL file
 
+require_once __DIR__ . '/auth_check.inc';
+
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     http_response_code(405);
     echo "Method not allowed.";
diff --git a/globalplay.php b/globalplay.php
index 00522f3..9eb7614 100644
--- a/globalplay.php
+++ b/globalplay.php
@@ -1,6 +1,8 @@
 <?php
 // allmon-globalplay.php - Global playback using playglobal.sh (rpt playback)
 
+require_once __DIR__ . '/auth_check.inc';
+
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     http_response_code(405);
     echo "Method not allowed.";
diff --git a/list_announcements.php b/list_announcements.php
index 2a2f6c2..4cfd188 100644
--- a/list_announcements.php
+++ b/list_announcements.php
@@ -1,23 +1,13 @@
 <?php
 
 /**
-
  * list_announcements.php
-
- *
-
  * Lists AllStar announcement cron jobs created via Supermon
-
- * Identified by comments beginning with:
-
- *   # Announcement:
-
- *
-
+ * Identified by comments beginning with: # Announcement:
  * CREATED BY N5AD
-
  */
 
+require_once __DIR__ . '/auth_check.inc';
 
 header('Content-Type: application/json');
 
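Review bot: When the new check fails, auth_check.inc answers with `Content-Type: text/plain` and the body `Authentication required.`, but this endpoint (and list_cron.php in this patch; presumably list_mp3.php and list_ul.php as well) declares `Content-Type: application/json` and is likely consumed by front-end code that parses the response as JSON. A caller that parses the 403 body will surface a syntax error instead of a clear "not logged in" state. Either have the front end branch on the 403 status before parsing, or let the include emit a JSON body for these endpoints, e.g. `echo json_encode(['error' => 'Authentication required.']);` with a matching content type. The rest of list_announcements.php is outside the hunk.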
diff --git a/list_cron.php b/list_cron.php
index cd2096e..789ed45 100644
--- a/list_cron.php
+++ b/list_cron.php
@@ -5,6 +5,8 @@
  * CREATED BY N5AD
  */
 
+require_once __DIR__ . '/auth_check.inc';
+
 header('Content-Type: application/json');
 
 // Read root crontab
diff --git a/list_mp3.php b/list_mp3.php
index 21271eb..d3ca8f9 100644
--- a/list_mp3.php
+++ b/list_mp3.php
@@ -1,15 +1,12 @@
 <?php
 
 /**
-
  * list_mp3.php
-
  * Lists both .mp3 and .wav files in /mp3/ for the Announcements Manager
-
  * CREATED BY N5AD
-
  */
 
+require_once __DIR__ . '/auth_check.inc';
 
 $files = [];
 
diff --git a/list_ul.php b/list_ul.php
index c9d4e26..36c8f76 100644
--- a/list_ul.php
+++ b/list_ul.php
@@ -1,8 +1,8 @@
 <?php
 
-// list_ul.php
+// list_ul.php - CREATED BY N5AD
 
-// CREATED BY N5AD
+require_once __DIR__ . '/auth_check.inc';
 
 $SOUNDS_DIR = '/usr/local/share/asterisk/sounds/announcements';
 
diff --git a/piper_generate.php b/piper_generate.php
index a6e484b..fcdd5ae 100644
--- a/piper_generate.php
+++ b/piper_generate.php
@@ -4,6 +4,7 @@
 
 // Now supports voice selection from dropdown
 
+require_once __DIR__ . '/auth_check.inc';
 
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
 
diff --git a/run_announcement.php b/run_announcement.php
index 28c6c5b..6efb552 100644
--- a/run_announcement.php
+++ b/run_announcement.php
@@ -8,6 +8,8 @@
  * Original by N5AD - updated to support MP3/WAV directly
  */
 
+require_once __DIR__ . '/auth_check.inc';
+
 // Only accept POST requests
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     http_response_code(405);
diff --git a/toggle_cron.php b/toggle_cron.php
index 27bb24c..c329b3e 100644
--- a/toggle_cron.php
+++ b/toggle_cron.php
@@ -1,6 +1,8 @@
 <?php
 // toggle_cron.php - Enable/Disable a cron job by commenting/uncommenting the line
 
+require_once __DIR__ . '/auth_check.inc';
+
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     http_response_code(405);
     echo "Method not allowed.";
diff --git a/update_announcement.php b/update_announcement.php
index 678341a..a462fe6 100644
--- a/update_announcement.php
+++ b/update_announcement.php
@@ -6,6 +6,8 @@
  * created by N5AD February 2026
  */
 
+require_once __DIR__ . '/auth_check.inc';
+
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     http_response_code(405);
     echo "Method not allowed.";
-- 
2.47.3

