// Pre-flight checks for a registered web app's sign-in page: identifies the app by
// id + secret, then validates the referring page against the app's registered returnUrl.
// NOTE(review): the app secret travels in the query string, so it lands in browser
// history, proxy / web-server access logs and the Referer of any outbound request from
// this page. A POST body or a request header would keep it out of those places.
$id = $_GET["appid"];
$key = $_GET["appsecret"];
$ref = $_SERVER["HTTP_REFERER"];
// NOTE(review): every check keyed on $ref only runs when a Referer is present. The
// header is client-controlled and optional (a client can omit it outright, and browsers
// drop it under strict referrer policies), so an empty or forged Referer passes this
// stage untouched. Treat these checks as a hint, not as an authorization boundary.
if ($ref) {
    $uri = parse_url($ref);
    // HTTPS CHECK: the referring page must have been served over https.
    // NOTE(review): parse_url() returns false on badly formed input and may omit
    // "scheme"; $uri["scheme"] is then null, which strcmp() warns about on PHP 8.x.
    if (strcmp($uri["scheme"], "https") != 0) {
        $err = ErrorCode::BadRequest;
        header("HTTP/1.0 " . $err . " " . ConvertErrCodeToMsg($err), true);
        echo 'HTTPS ONLY<br/>';
        echo "<a href=\"javascript:history.go(-1)\">Go Back</a>";
        exit;
    }
}
// APP CHECK: look the application up by numeric id and shared secret.
$app = web_check(intval($id), $key);
// NOTE(review): $app is indexed without confirming the lookup succeeded. What
// web_check() returns for an unknown id or wrong secret is not visible here — if it is
// false/null, the strcmp() below runs against null instead of rejecting the request.
if (strcmp($app["apptype"], "Web") != 0) {
    echo 'NOT WEBAPP<br/>';
    echo "<a href=\"javascript:history.go(-1)\">Go Back</a>";
    exit;
}
// Host of the app's registered return URL; the referrer must come from the same host.
$appuri = parse_url($app["returnUrl"]);
// REF CHECK: referring host vs registered returnUrl host.
// NOTE(review): strcmp() is case-sensitive while hostnames are not, and neither scheme
// nor port is compared (http://host:8080 passes for https://host). As above, a request
// with no Referer skips this block entirely.
if ($ref) {
    $uri = parse_url($ref);
    if (strcmp($uri["host"], $appuri["host"]) != 0) {
        $err = ErrorCode::BadRequest;
        header("HTTP/1.0 " . $err . " " . ConvertErrCodeToMsg($err), true);
        echo 'REFERER ERROR<br/>';
        echo "<a href=\"javascript:history.go(-1)\">Go Back</a>";
        exit;
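// Sign-in handler for a registered web app: unwraps the CSRF token, verifies the user's
// credentials and hands the resulting uid to the app's registered returnUrl through an
// auto-submitted POST form rendered below.
include_once $_SERVER["DOCUMENT_ROOT"] . "/api/common/webcheck.php";
include_once $_SERVER["DOCUMENT_ROOT"] . "/api/common/usercheck.php";
include_once $_SERVER["DOCUMENT_ROOT"] . "/include/common/antibot.php";
include_once $_SERVER["DOCUMENT_ROOT"] . "/include/common/mui.php";

// Read each field with an empty default so a missing key does not raise an
// undefined-index notice; a missing field simply fails the checks further down.
$username = isset($_POST["username"]) ? $_POST["username"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";
$csrf_and_antibot = isset($_POST["csrf_and_antibot"]) ? $_POST["csrf_and_antibot"] : "";
$app = isset($_POST["app"]) ? $_POST["app"] : "";
$token = isset($_POST["key"]) ? $_POST["key"] : "";

// NOTE(review): $csrf_and_antibot is read but never verified in this file, although
// antibot.php is included for it. Confirm where (if anywhere) that check happens.

// csrf_untoken() turns the per-request token back into the value web_check() takes as
// the app secret; a falsy result means the token was missing, expired or forged.
$key = csrf_untoken($token);
if (!$key) {
    $err = ErrorCode::BadRequest;
    header("HTTP/1.0 " . $err . " " . ConvertErrCodeToMsg($err) . " ", true);
    // The token is attacker-controlled input reflected into the response body; escape it
    // so a crafted value cannot inject markup into the error page.
    echo htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8") . " Not Valid (Error).\r\n";
    exit;
}

$appinfo = web_check($app, $key);
$user = user_check($username, $password);

// Refuse to emit the hand-off form unless both lookups yielded what it needs. Without
// this guard, an unknown app or a wrong password still rendered a form that posted an
// empty uid to an empty action (i.e. back to this page) and auto-submitted it.
if (!isset($appinfo["returnUrl"]) || !isset($user["uid"])) {
    $err = ErrorCode::BadRequest;
    header("HTTP/1.0 " . $err . " " . ConvertErrCodeToMsg($err) . " ", true);
    echo "Login failed.\r\n";
    exit;
}

// NOTE(review): the uid reaches returnUrl as a plain, unsigned form field sent by the
// user's browser. Anyone can POST an arbitrary uid to returnUrl directly, so the
// receiving app must not treat this field as proof of authentication unless it is
// signed or confirmed over a back channel (neither is visible here).
//
// Both values are emitted inside HTML attributes: escape them for that context. The
// trailing space the original left inside each quoted attribute is dropped, since it
// became part of the action URL and of the submitted uid value.
$returnUrlAttr = htmlspecialchars((string) $appinfo["returnUrl"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
$uidAttr = htmlspecialchars((string) $user["uid"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
?>
<form id="f" name="f" method="post" action="<?php echo $returnUrlAttr; ?>">
<input type="hidden" name="uid" id="uid" value="<?php echo $uidAttr; ?>" />
<script type="text/javascript" src="/api/webapi/jsbootstrapper.php/jquery-2.1.4"></script>
<script type="text/javascript">$("#f").submit();</script>
</form>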