feat(admin-log): the Logs are tamper-resistant now

Author: thorsten

phpmyfaq/admin/assets/src/index.ts

@@ -25,6 +25,7 @@ import {
   handleSessionsFilter,
   handleStatistics,
   handleTruncateSearchTerms,
+  handleVerifyAdminLog,
 } from './statistics';
 import {
   handleConfiguration,
@@ -142,6 +143,7 @@ document.addEventListener('DOMContentLoaded', async (): Promise<void> => {
   // Statistics
   handleDeleteAdminLog();
   handleExportAdminLog();
+  await handleVerifyAdminLog();
   handleStatistics();
   handleCreateReport();
   handleTruncateSearchTerms();

phpmyfaq/admin/assets/src/statistics/admin-log.ts

@@ -68,6 +68,69 @@ export const handleExportAdminLog = (): void => {
   }
 };
 
+export const handleVerifyAdminLog = async (): Promise<void> => {
+  const verifyButton = document.getElementById('pmf-button-verify-admin-log') as HTMLButtonElement;
+  const resultContainer = document.getElementById('pmf-admin-log-verification-result') as HTMLDivElement;
+
+  if (!verifyButton || !resultContainer) {
+    return;
+  }
+
+  verifyButton.addEventListener('click', async (event: Event) => {
+    event.preventDefault();
+
+    verifyButton.disabled = true;
+    verifyButton.innerHTML = '<i class="fa fa-spinner fa-spin"></i> Checking...';
+
+    resultContainer.classList.add('d-none');
+
+    try {
+      const csrfToken = verifyButton.dataset.pmfCsrf;
+
+      if (!csrfToken) {
+        throw new Error('CSRF Token not found');
+      }
+
+      const response = await fetch(`./api/statistics/admin-log/verify?csrf=${csrfToken}`, {
+        method: 'GET',
+        headers: { Accept: 'application/json' },
+      });
+
+      const data = await response.json();
+
+      resultContainer.classList.remove('d-none');
+
+      if (data.success && data.verification.valid) {
+        resultContainer.className = 'alert alert-success';
+        resultContainer.innerHTML = `
+          <i class="bi bi-check-circle-fill"></i>
+          <strong>Integrity verified</strong>
+          <p class="mb-0">${data.verification.verified} of ${data.verification.total} entries successfully checked.</p>
+        `;
+      } else if (data.success && !data.verification.valid) {
+        const errors = data.verification.errors.map((err: string) => `<li>${err}</li>`).join('');
+        resultContainer.className = 'alert alert-danger';
+        resultContainer.innerHTML = `
+          <i class="bi bi-exclamation-triangle-fill"></i>
+          <strong>⚠️ Manipulation erkannt!</strong>
+          <p>${data.verification.verified} verifiziert, ${data.verification.failed} fehlgeschlagen</p>
+          <ul>${errors}</ul>
+        `;
+      } else {
+        resultContainer.className = 'alert alert-warning';
+        resultContainer.textContent = data.error || 'Fehler bei der Verifikation';
+      }
+    } catch (error) {
+      resultContainer.classList.remove('d-none');
+      resultContainer.className = 'alert alert-danger';
+      resultContainer.textContent = `Fehler: ${error instanceof Error ? error.message : 'Netzwerkfehler'}`;
+    } finally {
+      verifyButton.disabled = false;
+      verifyButton.innerHTML = '<i class="bi bi-shield-check"></i> Integrität prüfen';
+    }
+  });
+};
+
 export const handleDeleteAdminLog = (): void => {
   const buttonDeleteAdminLog = document.getElementById('pmf-delete-admin-log') as HTMLButtonElement | null;
 

phpmyfaq/assets/src/configuration/update.ts

@@ -87,7 +87,7 @@ export const handleUpdateInformation = async (): Promise<void> => {
 };
 
 export const handleConfigBackup = async (): Promise<void> => {
-  if (window.location.href.endsWith('/update/?step=2') || window.location.href.endsWith('/update/?step=2')) {
+  if (window.location.href.endsWith('/update?step=2') || window.location.href.endsWith('/update/?step=2')) {
     const installedVersion = document.getElementById('phpmyfaq-update-installed-version') as HTMLInputElement | null;
 
     if (!installedVersion) return;
@@ -115,7 +115,7 @@ export const handleConfigBackup = async (): Promise<void> => {
 };
 
 export const handleDatabaseUpdate = async (): Promise<void> => {
-  if (window.location.href.endsWith('/update/?step=3') || window.location.href.endsWith('/update/?step=3')) {
+  if (window.location.href.endsWith('/update?step=3') || window.location.href.endsWith('/update/?step=3')) {
     const installedVersion = document.getElementById('phpmyfaq-update-installed-version') as HTMLInputElement | null;
 
     if (!installedVersion) return;

phpmyfaq/assets/templates/admin/statistics/admin-log.twig

@@ -11,13 +11,19 @@
         <button class="btn btn-outline-success" id="pmf-export-admin-log" data-pmf-csrf="{{ csrfExportAdminLogToken }}">
           <i aria-hidden="true" class="bi bi-download"></i> {{ buttonExportAdminLog }}
         </button>
+        <button class="btn btn-success" id="pmf-button-verify-admin-log" data-pmf-csrf="{{ csrfVerifyAdminLogToken }}">
+          <i class="bi bi-shield-check"></i> {{ 'msgAdminLogVerifyIntegrity' | translate }}
+        </button>
         <button class="btn btn-outline-danger" id="pmf-delete-admin-log" data-pmf-csrf="{{ csrfDeleteAdminLogToken }}">
           <i aria-hidden="true" class="bi bi-trash"></i> {{ buttonDeleteAdminLog }}
         </button>
       </div>
     </div>
   </div>
 
+  {# Verification Result Alert (initially hidden) #}
+  <div id="pmf-admin-log-verification-result" class="alert d-none" role="alert"></div>
+
   <table class="table table-striped align-middle border shadow">
     <thead>
     <tr>

phpmyfaq/content/core/config/phpmyfaq-config-backup.2026-01-07.2b0a845b.zip

@@ -523,16 +523,21 @@
         'methods' => 'POST',
     ],
     // Statistics API
-    'admin.api.statistics.adminlog.export' => [
+    'admin.api.statistics.admin-log.export' => [
         'path' => '/statistics/admin-log/export',
         'controller' => [AdminLogController::class, 'export'],
         'methods' => 'POST',
     ],
-    'admin.api.statistics.adminlog.delete' => [
+    'admin.api.statistics.admin-log.delete' => [
         'path' => '/statistics/admin-log',
-        'controller' => [StatisticsController::class, 'deleteAdminLog'],
+        'controller' => [AdminLogController::class, 'delete'],
         'methods' => 'DELETE',
     ],
+    'admin.api.statistics.admin-log.verify' => [
+        'path' => '/statistics/admin-log/verify',
+        'controller' => [AdminLogController::class, 'verify'],
+        'methods' => 'POST',
+    ],
     'admin.api.statistics.ratings.clear' => [
         'path' => '/statistics/ratings/clear',
         'controller' => [StatisticsController::class, 'clearRatings'],

phpmyfaq/src/admin-api-routes.php

@@ -72,7 +72,11 @@ public function log(User $user, string $logText = ''): bool
         }
 
         $request = Request::createFromGlobals();
-        return $this->adminLogRepository->add($user, $logText, $request);
+
+        // Get the hash of the last log entry for chaining
+        $previousHash = $this->adminLogRepository->getLastHash();
+
+        return $this->adminLogRepository->add($user, $logText, $request, $previousHash);
     }
 
     /**
@@ -83,4 +87,70 @@ public function delete(): bool
         $timestamp = (int) Request::createFromGlobals()->server->get(key: 'REQUEST_TIME') - (30 * 86400);
         return $this->adminLogRepository->deleteOlderThan($timestamp);
     }
+
+    /**
+     * Verifies the integrity of the entire admin log chain.
+     * @return array{valid: bool, errors: array<int, string>, total: int, verified: int}
+     */
+    public function verifyChainIntegrity(): array
+    {
+        $logs = $this->getAll();
+        $errors = [];
+        $verified = 0;
+        $total = count($logs);
+
+        if ($total === 0) {
+            return [
+                'valid' => true,
+                'errors' => [],
+                'total' => 0,
+                'verified' => 0,
+            ];
+        }
+
+        $previousHash = null;
+
+        foreach ($logs as $log) {
+            // Verify the hash matches the stored hash
+            if (!$log->verifyIntegrity()) {
+                $errors[] = sprintf('Log ID %d: Hash verification failed - data has been tampered', $log->getId());
+                continue;
+            }
+
+            // Verify the chain (previous hash matches)
+            if ($previousHash !== null && $log->getPreviousHash() !== $previousHash) {
+                $errors[] = sprintf(
+                    'Log ID %d: Chain broken - previous hash mismatch (expected: %s, got: %s)',
+                    $log->getId(),
+                    substr($previousHash, 0, 8) . '...',
+                    substr($log->getPreviousHash() ?? 'NULL', 0, 8) . '...',
+                );
+                continue;
+            }
+
+            // The first entry should have null previous hash
+            if ($previousHash === null && $log->getPreviousHash() !== null) {
+                $errors[] = sprintf('Log ID %d: First entry should have null previous hash', $log->getId());
+                continue;
+            }
+
+            $verified++;
+            $previousHash = $log->getHash();
+        }
+
+        return [
+            'valid' => empty($errors),
+            'errors' => $errors,
+            'total' => $total,
+            'verified' => $verified,
+        ];
+    }
+
+    /**
+     * Calculates hash for a single log entry (for migration or manual verification).
+     */
+    public function calculateHash(AdminLogEntity $log): string
+    {
+        return $log->calculateHash();
+    }
 }

phpmyfaq/src/phpMyFAQ/Administration/AdminLog.php

@@ -47,7 +47,7 @@ public function getAll(): array
         $data = [];
 
         $query = sprintf(
-            'SELECT id, time, usr AS user, text, ip FROM %sfaqadminlog ORDER BY id DESC',
+            'SELECT id, time, usr AS user, text, ip, hash, previous_hash FROM %sfaqadminlog ORDER BY id DESC',
             Database::getTablePrefix(),
         );
 
@@ -60,32 +60,52 @@ public function getAll(): array
                 ->setTime((int) $row->time)
                 ->setUserId((int) $row->user)
                 ->setText($row->text)
-                ->setIp($row->ip);
+                ->setIp($row->ip)
+                ->setHash($row->hash ?? null)
+                ->setPreviousHash($row->previous_hash ?? null);
             $data[$row->id] = $adminLog;
         }
 
         return $data;
     }
 
-    public function add(User $user, string $logText, Request $request): bool
+    /**
+     * Adds a new logging entry with hash chain integrity.
+     *
+     * @param User    $user         User object
+     * @param string  $logText      Logged string
+     * @param Request $request      Request object
+     * @param string|null $previousHash Hash of the previous entry
+     */
+    public function add(User $user, string $logText, Request $request, ?string $previousHash = null): bool
     {
-        $table = Database::getTablePrefix() . 'faqadminlog';
-        $id = $this->configuration->getDb()->nextId($table, 'id');
-        $time = (int) $request->server->get('REQUEST_TIME');
+        $time = (int) $request->server->get('REQUEST_TIME', time());
         $userId = $user->getUserId();
-        $text = $this->configuration->getDb()->escape(nl2br($logText));
-        $ip = $this->configuration->getDb()->escape((string) $request->getClientIp());
+        $ip = $request->getClientIp() ?? '';
 
-        $query = strtr("INSERT INTO table: (id, time, usr, text, ip) VALUES (id:, time:, userId:, 'text:', 'ip:')", [
-            'table:' => $table,
-            'id:' => (string) $id,
-            'time:' => (string) $time,
-            'userId:' => (string) $userId,
-            'text:' => $text,
-            'ip:' => $ip,
-        ]);
+        // Create a temporary entity to calculate hash
+        $entity = new AdminLogEntity();
+        $entity->setTime($time);
+        $entity->setUserId($userId);
+        $entity->setIp($ip);
+        $entity->setText($logText);
+        $entity->setPreviousHash($previousHash);
 
-        return (bool) $this->configuration->getDb()->query($query);
+        // Calculate hash for this entry
+        $hash = $entity->calculateHash();
+
+        $insert = sprintf(
+            "INSERT INTO %sfaqadminlog (time, usr, ip, text, hash, previous_hash) VALUES (%d, %d, '%s', '%s', '%s', %s)",
+            Database::getTablePrefix(),
+            $time,
+            $userId,
+            $this->configuration->getDb()->escape($ip),
+            $this->configuration->getDb()->escape($logText),
+            $hash,
+            $previousHash !== null ? "'" . $this->configuration->getDb()->escape($previousHash) . "'" : 'NULL',
+        );
+
+        return (bool) $this->configuration->getDb()->query($insert);
     }
 
     public function deleteOlderThan(int $timestamp): bool
@@ -98,4 +118,22 @@ public function deleteOlderThan(int $timestamp): bool
 
         return (bool) $this->configuration->getDb()->query($query);
     }
+
+    /**
+     * Returns the hash of the most recent log entry for chain linking.
+     *
+     * @return string|null Hash of the last entry or null if no entries exist
+     */
+    public function getLastHash(): ?string
+    {
+        $query = sprintf('SELECT hash FROM %sfaqadminlog ORDER BY id DESC LIMIT 1', Database::getTablePrefix());
+
+        $result = $this->configuration->getDb()->query($query);
+
+        if ($result && ($row = $this->configuration->getDb()->fetchObject($result))) {
+            return $row->hash;
+        }
+
+        return null;
+    }
 }

phpmyfaq/src/phpMyFAQ/Administration/AdminLogRepository.php

@@ -70,6 +70,7 @@ public function index(Request $request): Response
             'buttonExportAdminLog' => Translation::get(key: 'msgAdminLogExportCsv'),
             'buttonDeleteAdminLog' => Translation::get(key: 'ad_adminlog_del_older_30d'),
             'csrfExportAdminLogToken' => Token::getInstance($this->session)->getTokenString('export-adminlog'),
+            'csrfVerifyAdminLogToken' => Token::getInstance($this->session)->getTokenString('admin-log-verify'),
             'csrfDeleteAdminLogToken' => Token::getInstance($this->session)->getTokenString('delete-adminlog'),
             'currentLocale' => $this->configuration->getLanguage()->getLanguage(),
             'pagination' => $pagination->render(),