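/**
 * Administrator-only gate.
 *
 * Resolves the session's login token to its owning user and lets the request
 * through only when that user's permission_level is 'Administrator'. A missing
 * session token, an unknown or no-longer-active token, a missing user, or any
 * other permission level all fail closed: the client is redirected to '/' and
 * the request is terminated.
 *
 * @param mixed    $request  Request object, handed to $next untouched.
 * @param mixed    $response Response object, handed to $next untouched.
 * @param callable $next     The next middleware or route callable.
 * @return mixed The response produced by $next.
 */
public function __invoke($request, $response, $next)
{
    // Treat an absent or empty session token as unauthenticated instead of
    // querying Token::where('token', null) and dereferencing a null result.
    $sessionToken = $_SESSION['login_token'] ?? null;
    if ($sessionToken === null || $sessionToken === '') {
        header('Location: /');
        exit;
    }

    // Only a token still flagged active ('Yes' is the value written at login)
    // may authenticate, so a token that has been de-activated cannot grant access.
    $token = Token::where('token', $sessionToken)->where('active', 'Yes')->first();
    $user = $token === null ? null : User::where('id', $token->user_id)->first();

    // Fail closed: no token, no user, or insufficient permission all deny.
    if ($user === null || $user->permission_level !== 'Administrator') {
        header('Location: /');
        exit;
    }

    // Pass in the Routes Response body.
    return $next($request, $response);
}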
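<?php

use GalacticBank\Classes\AuthMiddleware;
use GalacticBank\Models\BalanceRequest;
use GalacticBank\Models\Character;
use GalacticBank\Models\Token;
use GalacticBank\Models\User;

/*
 * GET /character
 *
 * Renders character.php with the characters owned by the user behind the
 * session's login token. AuthMiddleware runs before the closure, but the
 * token and user lookups are still guarded so that a missing or stale token
 * fails closed (redirect to '/') instead of dereferencing null.
 */
$app->get('/character', function ($request, $response, $args) {
    // No session token: nothing to look up, do not query Token with null.
    $sessionToken = $_SESSION['login_token'] ?? null;
    $token = $sessionToken === null ? null : Token::where('token', $sessionToken)->first();
    $user = $token === null ? null : User::where('id', $token->user_id)->first();
    if ($user === null) {
        header('Location: /');
        exit;
    }

    // Scope the query to the authenticated user's own id; the id never comes
    // from request input, so a user cannot list another user's characters here.
    $characters = Character::where('user_id', $user->id)->get();

    return $this->view->render($response, 'character.php', ['characters' => $characters]);
})->add(new AuthMiddleware());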
/*
 * TODO: Add protection against brute force via audit log.
 */
// NOTE(review): the failed-login Audit record below is written only when the
// username exists; attempts against unknown usernames leave no audit entry, so
// brute-force detection built on the audit log would not see them.

/*
 * GET Route
 */
// Render the empty login form; no state is read or written here.
$app->get('/login', function ($request, $response, $args) {
    return $this->view->render($response, 'login.php', []);
});

/*
 * POST Route
 */
// Authenticate a username/password pair, mint a login token, store it in the
// session and audit the outcome. The closure body continues past the end of
// the visible source.
$app->post('/login', function ($request, $response, $args) {
    // `?:` tests truthiness, so a submitted value of '0' becomes '' here, and
    // nothing constrains the value to a string (a `username[]` form field
    // arrives as an array) — presumably the model layer rejects non-strings;
    // verify before relying on it.
    $username = $_POST['username'] ?: '';
    $password = $_POST['password'] ?: '';
    $user = User::where('username', $username)->first();

    // Ensure the user exists in our records.
    // Same error text as the bad-password branch, so the message alone does
    // not reveal whether the username exists. No audit entry is written on
    // this path (see the TODO above).
    if (is_null($user)) {
        return $this->view->render($response, 'login.php', ['error' => 'Invalid Username or password.']);
    }

    // Ensure the passwords match to validate the user.
    // password_verify() compares against the stored hash in a timing-safe way;
    // the failed attempt is audited before the form is re-rendered.
    if (!password_verify($password, $user->password)) {
        // $_SERVER['REMOTE_ADDR'] is the immediate peer; behind a reverse proxy
        // or load balancer that is the proxy's address, not the client's.
        Audit::create(['category' => 'Failed login attempt', 'log_note' => 'Invalid credentials attempted for account: ' . $username, 'user_id' => $user->id, 'ip_address' => $_SERVER['REMOTE_ADDR']]);
        return $this->view->render($response, 'login.php', ['error' => 'Invalid Username or password.']);
    }

    // TODO: Check for any currently active token, de-activate token if exists.
    // Until that TODO is done, every successful login adds another row with
    // active => 'Yes', so earlier tokens issued for the account remain valid.
    // Log the user in.
    $token = Token::generateToken();
    Token::create(['token' => $token, 'type' => 'Login Token', 'active' => 'Yes', 'user_id' => $user->id]);
    // NOTE(review): no session_regenerate_id() is visible before the token is
    // stored in the session; regenerating the session id on login is the usual
    // session-fixation mitigation — confirm it is not done elsewhere.
    $_SESSION['login_token'] = $token;
    Audit::create(['category' => 'Successful Login', 'log_note' => 'User successfully logged in for account: ' . $username, 'user_id' => $user->id, 'ip_address' => $_SERVER['REMOTE_ADDR']]);