From a12ecf96d94c1b520951793e68375d45fcd98e50 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Sun, 31 May 2026 08:21:18 -0500
Subject: [PATCH] fix: hardcode master usernames, fix IP whitelist blocking all
 access

- Hardcode mokoconsulting and jmiller as master usernames (no longer
  configurable via params)
- Fix isIpAllowed() reading from global config instead of plugin params
- Fix empty allowed_ips returning false (now allows all IPs)
- Both master users are auto-created and enforced as Super Admins

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                                  |  5 ++
 .../Extension/MokoWaaS.php                    | 59 +++++++++++++------
 src/packages/plg_system_mokowaas/mokowaas.xml |  7 ---
 3 files changed, 46 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65ff94e..47cf1ee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,11 @@
 ## [02.29.00] - 2026-05-31
 ### Added
 - `allow_extension_updates` param — separate update rights from installer restrictions; tenants can update extensions by default even when the installer is restricted
+- Hardcoded master usernames (`mokoconsulting`, `jmiller`) — both are treated as master users with identical privileges
+
+### Fixed
+- Emergency access IP whitelist: empty `allowed_ips` now permits all IPs (was blocking everyone)
+- Emergency access reads `allowed_ips` from plugin params instead of global config
 - `plg_task_mokowaassync` — Joomla Scheduled Task plugin for automatic content sync to remote sites
 - Community Builder tables added to demo reset safe table list
 - API endpoint `POST /api/index.php/v1/mokowaas/install` — install extensions from a remote ZIP URL
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index e38bf75..65341ce 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -59,6 +59,14 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	 */
 	private const HEARTBEAT_URL = 'https://bench.mokoconsulting.tech/api/waas-heartbeat';
 
+	/**
+	 * Hardcoded master usernames — these users bypass all tenant restrictions.
+	 *
+	 * @var    array
+	 * @since  02.29.00
+	 */
+	private const MASTER_USERNAMES = ['mokoconsulting', 'jmiller'];
+
 	/**
 	 * Shared secret for heartbeat authentication.
 	 *
@@ -259,12 +267,9 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return;
 		}
 
-		$masterUsername = $this->params->get(
-			'master_username', 'mokoconsulting'
-		);
 		$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
 
-		if ($username !== $masterUsername)
+		if (!\in_array($username, self::MASTER_USERNAMES, true))
 		{
 			return;
 		}
@@ -302,6 +307,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			// Store credentials in session so user doesn't
 			// have to re-enter them after deleting the file
 			$session->set('mokowaas.emergency_pending', true);
+			$session->set('mokowaas.emergency_username', $username);
 
 			$this->logEmergencyAttempt(
 				$username, $clientIp, 'pending_file_delete'
@@ -329,6 +335,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			file_put_contents($flagFile, date('Y-m-d H:i:s'));
 
 			$session->set('mokowaas.emergency_pending', true);
+			$session->set('mokowaas.emergency_username', $username);
 
 			$this->logEmergencyAttempt(
 				$username, $clientIp, 'verify_file_created'
@@ -364,9 +371,9 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	{
 		@unlink($flagFile);
 
-		$masterUsername = $this->params->get(
-			'master_username', 'mokoconsulting'
-		);
+		$session = Factory::getSession();
+		$masterUsername = $session->get('mokowaas.emergency_username', 'mokoconsulting');
+		$session->clear('mokowaas.emergency_username');
 		$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
 
 		$db    = Factory::getDbo();
@@ -548,9 +555,26 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return;
 		}
 
-		$username = $this->params->get('master_username', 'mokoconsulting');
-		$email    = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');
+		$email = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');
 
+		foreach (self::MASTER_USERNAMES as $username)
+		{
+			$this->ensureMasterUserExists($username, $email);
+		}
+	}
+
+	/**
+	 * Ensure a single master user exists in #__users.
+	 *
+	 * @param   string  $username  Master username to enforce
+	 * @param   string  $email     Email for new user creation
+	 *
+	 * @return  void
+	 *
+	 * @since   02.29.00
+	 */
+	private function ensureMasterUserExists($username, $email)
+	{
 		$db    = Factory::getDbo();
 		$query = $db->getQuery(true)
 			->select($db->quoteName('id'))
@@ -573,10 +597,13 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 		$hashedPass = UserHelper::hashPassword($randomPass);
 		$now        = Factory::getDate()->toSql();
 
+		// Use a unique email per username to avoid duplicate email conflicts
+		$userEmail = ($username === 'mokoconsulting') ? $email : $username . '@mokoconsulting.tech';
+
 		$userData = (object) [
 			'name'         => 'Webmaster',
 			'username'     => $username,
-			'email'        => $email,
+			'email'        => $userEmail,
 			'password'     => $hashedPass,
 			'block'        => 0,
 			'sendEmail'    => 0,
@@ -665,12 +692,12 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	 */
 	protected function isIpAllowed()
 	{
-		$config     = Factory::getConfig();
-		$allowedRaw = $config->get('mokowaas_allowed_ips', '');
+		$allowedRaw = trim($this->params->get('allowed_ips', ''));
 
+		// No whitelist configured — all IPs are allowed
 		if (empty($allowedRaw))
 		{
-			return false;
+			return true;
 		}
 
 		$allowedIps = array_map('trim', explode(',', $allowedRaw));
@@ -4434,11 +4461,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return false;
 		}
 
-		$masterUsername = $this->params->get(
-			'master_username', 'mokoconsulting'
-		);
-
-		return $user->username === $masterUsername;
+		return \in_array($user->username, self::MASTER_USERNAMES, true);
 	}
 
 	/**
diff --git a/src/packages/plg_system_mokowaas/mokowaas.xml b/src/packages/plg_system_mokowaas/mokowaas.xml
index 2126e50..dc808be 100644
--- a/src/packages/plg_system_mokowaas/mokowaas.xml
+++ b/src/packages/plg_system_mokowaas/mokowaas.xml
@@ -124,13 +124,6 @@
 					<option value="1">JYES</option>
 					<option value="0">JNO</option>
 				</field>
-				<field
-					name="master_username"
-					type="text"
-					label="PLG_SYSTEM_MOKOWAAS_MASTER_USERNAME_LABEL"
-					description="PLG_SYSTEM_MOKOWAAS_MASTER_USERNAME_DESC"
-					default="mokoconsulting"
-					/>
 				<field
 					name="master_email"
 					type="email"