fixed gateway url

mbadmin.jps

@@ -342,7 +342,7 @@ menu:
     caption: Create phpMyAdmin Gateway
     action: create_pma_gateway
     settings: pmaGatewayConfig
-    successText: "${response.out}"
+    successText: "Gateway URL: ${response.out}"
 
 settings:
   checkDomainConfig:
@@ -1014,7 +1014,7 @@ actions:
           - bash /home/litespeed/mbmanager/pma-gateway/create_pma_gateway.sh --validity="${settings.validity}" --slug="${settings.slug}" | tail -n1
     - return:
         type: info
-        message: "${response.out}"
+        message: "Gateway URL: ${response.out}"
 
 responses:
   enableSuccess:

scripts/pma-gateway/create_pma_gateway.sh

@@ -37,50 +37,70 @@ SECRET_FILE="/var/lib/jelastic/keys/mbadmin_secret"
 sudo mkdir -p "$(dirname $SECRET_FILE)"
 if [[ ! -f "$SECRET_FILE" ]]; then
   sudo sh -c "openssl rand -hex 32 > $SECRET_FILE"
-  sudo chmod 600 "$SECRET_FILE"
 fi
-SECRET=$(sudo cat "$SECRET_FILE")
+sudo chown litespeed:litespeed "$SECRET_FILE"
+sudo chmod 644 "$SECRET_FILE"
+SECRET=$(sudo cat "$SECRET_FILE" | xargs)
 
 now=$(date +%s)
 expires=$((now + VALIDITY*60))
 # token = base64("$SLUG:$expires") . '.' . HMAC_SHA256(secret, data)
 data="$SLUG:$expires"
-base=$(printf "%s" "$data" | base64 -w0)
+base=$(printf "%s" "$data" | base64 | tr -d '\n')
-mac=$(printf "%s" "$data" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)
+mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');")
 token="$base.$mac"
 
-sudo tee "$GATEWAY_FILE" >/dev/null <<PHP
+sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP'
 <?php
-// auto-generated gateway, valid until $expires
+// Secure phpMyAdmin gateway – auto-generated, do NOT edit manually.
+
 ini_set('session.cookie_httponly', 1);
+$param = 'token';
 
-function fail() { header('HTTP/1.1 403 Forbidden'); echo 'Access denied'; exit; }
+function deny() {
+    http_response_code(403);
+    echo 'Access denied';
+    exit;
+}
 
-if (!isset(
+if (!isset($_GET[$param])) {
+    deny();
+}
 
-_PHPMYADMIN_PMA_GATEWAY_TOKEN')){fail();}
+$token = $_GET[$param];
-$token = 
+if (strpos($token, '.') === false) {
-_PHPMYADMIN_PMA_GATEWAY_TOKEN;
+    deny();
-if (!strpos($token,'.')){fail();}
+}
-list(
 
-base, $sig) = explode('.', $token, 2);
+list($base, $sig) = explode('.', $token, 2);
 $data = base64_decode($base, true);
-if ($data === false){fail();}
+if ($data === false) {
-list(
+    deny();
+}
 
-slug, $exp) = explode(':', $data, 2);
+if (strpos($data, ':') === false) {
-if (time()>intval($exp)){fail();}
+    deny();
-$secret = trim(file_get_contents('$SECRET_FILE'));
+}
-if (hash_equals($sig, hash_hmac('sha256', $data, $secret)) === false){fail();}
+
-// set auth cookie then redirect
+list($slug, $exp) = explode(':', $data, 2);
+if (time() > intval($exp)) {
+    deny();
+}
+
+$secret = trim(file_get_contents('/var/lib/jelastic/keys/mbadmin_secret'));
+if (!hash_equals($sig, hash_hmac('sha256', $data, $secret))) {
+    deny();
+}
+
+// Issue short-lived cookie (same expiry as token) and redirect to phpMyAdmin root
 setcookie('pma_token', $sig, intval($exp), '/', '', true, true);
 header('Location: /');
 exit;
 ?>
 PHP
 
-sudo chmod 640 "$GATEWAY_FILE"
+sudo chown litespeed:litespeed "$GATEWAY_FILE"
+sudo chmod 644 "$GATEWAY_FILE"
 
 URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token"
 echo "$URL"