From ad4c658b3d1937e9d413a92da6758dfbda262fd5 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Tue, 26 May 2026 14:39:42 -0500
Subject: [PATCH 1/3] feat: trusted IPs bypass admin session timeout

Add configurable repeatable rows of trusted IP addresses that bypass
the admin session timeout. Supports exact IPs, CIDR ranges, and
wildcard patterns with per-entry labels and enabled toggles.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                                  |  5 +
 .../Extension/MokoWaaS.php                    | 93 +++++++++++++++++++
 .../forms/trusted_ip_entry.xml                | 28 ++++++
 .../language/en-GB/plg_system_mokowaas.ini    |  7 ++
 .../language/en-US/plg_system_mokowaas.ini    |  7 ++
 src/packages/plg_system_mokowaas/mokowaas.xml | 11 +++
 6 files changed, 151 insertions(+)
 create mode 100644 src/packages/plg_system_mokowaas/forms/trusted_ip_entry.xml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f5160823..d949b54e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - License/subscription check
 - System email template branding (DB approach)
 
+### Added
+- Trusted IPs: configurable repeatable rows of IP addresses, CIDR ranges, and wildcards that bypass admin session timeout
+- Supports exact IPs (192.168.1.100), CIDR (10.0.0.0/24), and wildcards (192.168.1.*)
+- Each entry has a label and enabled toggle for easy management
+
 ## [02.06.00] - 2026-05-25
 
 ### Added
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index 7cd510cd..f99ce7bd 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -3343,6 +3343,14 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}
 
+		// Don't timeout trusted IPs — extend their session instead
+		if ($this->ipIsTrusted())
+		{
+			ini_set('session.gc_maxlifetime', 315360000);
+
+			return;
+		}
+
 		$session  = Factory::getSession();
 		$lastHit  = $session->get('mokowaas.last_activity', 0);
 		$now      = time();
@@ -3360,6 +3368,91 @@ class MokoWaaS extends CMSPlugin
 		$session->set('mokowaas.last_activity', $now);
 	}
 
+	/**
+	 * Check whether the current request IP matches any trusted IP entry.
+	 *
+	 * Supports exact IPs, CIDR notation (e.g. 10.0.0.0/8), and
+	 * wildcard patterns (e.g. 192.168.1.*).
+	 *
+	 * @return  bool  True if the current IP is in the trusted list.
+	 *
+	 * @since   02.11.00
+	 */
+	protected function ipIsTrusted(): bool
+	{
+		$entries = $this->params->get('trusted_ips', '');
+
+		if (empty($entries))
+		{
+			return false;
+		}
+
+		// Subform stores as JSON string or array
+		if (\is_string($entries))
+		{
+			$entries = json_decode($entries, true);
+		}
+
+		if (!\is_array($entries))
+		{
+			return false;
+		}
+
+		$ip     = $this->app->input->server->getString('REMOTE_ADDR', '');
+		$ipLong = ip2long($ip);
+
+		if ($ipLong === false)
+		{
+			return false;
+		}
+
+		foreach ($entries as $entry)
+		{
+			if (empty($entry['enabled']) || empty($entry['ip']))
+			{
+				continue;
+			}
+
+			$range = trim($entry['ip']);
+
+			// Wildcard: 192.168.1.*
+			if (str_contains($range, '*'))
+			{
+				$pattern = '/^' . str_replace(['.', '*'], ['\\.', '\\d+'], $range) . '$/';
+
+				if (preg_match($pattern, $ip))
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			// CIDR: 10.0.0.0/8
+			if (str_contains($range, '/'))
+			{
+				[$subnet, $bits] = explode('/', $range, 2);
+				$subnetLong      = ip2long($subnet);
+				$mask            = -1 << (32 - (int) $bits);
+
+				if ($subnetLong !== false && ($ipLong & $mask) === ($subnetLong & $mask))
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			// Exact match
+			if ($ip === $range)
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 
 	/**
 	 * Override Joomla upload restrictions at runtime.
diff --git a/src/packages/plg_system_mokowaas/forms/trusted_ip_entry.xml b/src/packages/plg_system_mokowaas/forms/trusted_ip_entry.xml
new file mode 100644
index 00000000..4e06f396
--- /dev/null
+++ b/src/packages/plg_system_mokowaas/forms/trusted_ip_entry.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form>
+	<field
+		name="ip"
+		type="text"
+		label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_DESC"
+		required="true"
+		hint="e.g. 192.168.1.100 or 10.0.0.0/24"
+		/>
+	<field
+		name="label"
+		type="text"
+		label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_DESC"
+		hint="e.g. Office network"
+		/>
+	<field
+		name="enabled"
+		type="radio"
+		label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ENABLED_LABEL"
+		default="1"
+		class="btn-group btn-group-yesno"
+		>
+		<option value="1">JYES</option>
+		<option value="0">JNO</option>
+	</field>
+</form>
diff --git a/src/packages/plg_system_mokowaas/language/en-GB/plg_system_mokowaas.ini b/src/packages/plg_system_mokowaas/language/en-GB/plg_system_mokowaas.ini
index aa455c4d..538d0cf8 100644
--- a/src/packages/plg_system_mokowaas/language/en-GB/plg_system_mokowaas.ini
+++ b/src/packages/plg_system_mokowaas/language/en-GB/plg_system_mokowaas.ini
@@ -120,6 +120,13 @@ PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_LABEL="Force HTTPS"
 PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_DESC="Redirect all HTTP requests to HTTPS. Supports reverse proxy setups."
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_LABEL="Admin Session Timeout"
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_DESC="Minutes of idle time before admin sessions expire. 0 uses the Joomla default."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_LABEL="Trusted IPs (No Session Timeout)"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_DESC="Sessions from these IP addresses or ranges will never time out. Supports exact IPs, CIDR notation (e.g. 10.0.0.0/24), and wildcards (e.g. 192.168.1.*)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_LABEL="IP / CIDR"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_DESC="An IP address, CIDR range, or wildcard pattern."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_LABEL="Label"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_DESC="A descriptive label for this entry (e.g. Office, VPN)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ENABLED_LABEL="Enabled"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_LABEL="Minimum Password Length"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_DESC="Minimum number of characters required for user passwords."
 PLG_SYSTEM_MOKOWAAS_PASSWORD_UPPER_LABEL="Require Uppercase"
diff --git a/src/packages/plg_system_mokowaas/language/en-US/plg_system_mokowaas.ini b/src/packages/plg_system_mokowaas/language/en-US/plg_system_mokowaas.ini
index 71d15742..4adb06cf 100644
--- a/src/packages/plg_system_mokowaas/language/en-US/plg_system_mokowaas.ini
+++ b/src/packages/plg_system_mokowaas/language/en-US/plg_system_mokowaas.ini
@@ -120,6 +120,13 @@ PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_LABEL="Force HTTPS"
 PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_DESC="Redirect all HTTP requests to HTTPS. Supports reverse proxy setups."
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_LABEL="Admin Session Timeout"
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_DESC="Minutes of idle time before admin sessions expire. 0 uses the Joomla default."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_LABEL="Trusted IPs (No Session Timeout)"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_DESC="Sessions from these IP addresses or ranges will never time out. Supports exact IPs, CIDR notation (e.g. 10.0.0.0/24), and wildcards (e.g. 192.168.1.*)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_LABEL="IP / CIDR"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_DESC="An IP address, CIDR range, or wildcard pattern."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_LABEL="Label"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_DESC="A descriptive label for this entry (e.g. Office, VPN)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ENABLED_LABEL="Enabled"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_LABEL="Minimum Password Length"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_DESC="Minimum number of characters required for user passwords."
 PLG_SYSTEM_MOKOWAAS_PASSWORD_UPPER_LABEL="Require Uppercase"
diff --git a/src/packages/plg_system_mokowaas/mokowaas.xml b/src/packages/plg_system_mokowaas/mokowaas.xml
index f887dca7..1eb71238 100644
--- a/src/packages/plg_system_mokowaas/mokowaas.xml
+++ b/src/packages/plg_system_mokowaas/mokowaas.xml
@@ -322,6 +322,17 @@
 					label="PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_LABEL"
 					description="PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_DESC"
 					default="60" hint="Minutes (0 = Joomla default)" />
+				<field
+					name="trusted_ips"
+					type="subform"
+					label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_DESC"
+					formsource="plugins/system/mokowaas/forms/trusted_ip_entry.xml"
+					multiple="true"
+					layout="joomla.form.field.subform.repeatable-table"
+					groupByFieldset="false"
+					buttons="add,remove,move"
+					/>
 				<field name="password_min_length" type="number" default="12"
 					label="PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_LABEL"
 					description="PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_DESC" />
-- 
2.52.0


From d92df704c4c93d93fd3dfe8fc3e391bf01b8771d Mon Sep 17 00:00:00 2001
From: "gitea-actions[bot]" <gitea-actions[bot]@mokoconsulting.tech>
Date: Tue, 26 May 2026 19:40:52 +0000
Subject: [PATCH 2/3] chore(version): auto-bump patch 02.10.05 [skip ci]

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8d0d7470..2decfd43 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
  DEFGROUP: Joomla.Plugin
  INGROUP: MokoWaaS
  REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.10.04
+ VERSION: 02.10.05
  PATH: /README.md
  BRIEF: MokoWaaS platform plugin for Joomla
 -->
-- 
2.52.0


From c97c29f9ed8ef379c37d32373f370152c62bdcc7 Mon Sep 17 00:00:00 2001
From: "gitea-actions[bot]" <gitea-actions[bot]@mokoconsulting.tech>
Date: Tue, 26 May 2026 19:40:54 +0000
Subject: [PATCH 3/3] chore: update updates.xml (development: 02.10.05-dev)
 [skip ci]

---
 updates.xml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/updates.xml b/updates.xml
index 34b00b09..91aa707c 100644
--- a/updates.xml
+++ b/updates.xml
@@ -108,13 +108,14 @@
     <description>MokoWaaS development build.</description>
     <element>pkg_mokowaas</element>
     <type>package</type>
-    <version>02.10.04</version>
+    <client>site</client>
+    <version>02.10.05</version>
     <creationDate>2026-05-26</creationDate>
     <infourl title='MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/development</infourl>
     <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.10.04-dev.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.10.05-dev.zip</downloadurl>
     </downloads>
-    <sha256>19d135c23a9ade1948547ed955c1b9a0dce857e1d6b2e0a62e20fecc268b5523</sha256>
+    <sha256>0aaebe7a5c688b1c17a4a3a3d768b83b24cc3880caa7f9e691ef2ab8e734f352</sha256>
     <tags><tag>development</tag></tags>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
-- 
2.52.0