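/**
 * Start a fresh server-side session for a just-authenticated user.
 *
 * Whatever session the client presented is torn down and a locally generated
 * id is installed before the session is (re)started, so an id the client chose
 * before login never becomes an authenticated session (session fixation).
 * Note that the PHP-native way to achieve the same is
 * session_regenerate_id(true); this function keeps the project's own
 * generateSessionId() instead.
 *
 * @param mixed  $userid   stored under $_SESSION['userid']
 * @param string $username stored under $_SESSION['username']
 */
function initSession($userid, $username)
{
    // session_destroy() emits a warning and returns false when no session is
    // active (the original called it unconditionally); only destroy what exists.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    // A custom id must be set before session_start(). NOTE(review):
    // generateSessionId() is not shown here -- it must be cryptographically
    // random and satisfy PHP's session-id character/length rules; confirm.
    session_id(generateSessionId());
    session_start();
    $_SESSION['loggedin'] = true;
    $_SESSION['userid'] = $userid;
    $_SESSION['username'] = $username;
}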
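/**
 * Begin a passwordless ("magic link") login.
 *
 * Inserts a SESSION row keyed by a freshly generated id, e-mails a login link
 * carrying that id to the configured login address, and echoes a JSON object
 * naming the address the link was sent to.
 *
 * Security notes (review): the session id in the link *is* the credential. It
 * travels as a query-string parameter, so it will appear in mail clients,
 * browser history, web-server access logs and Referer headers. CREATED is
 * recorded here but nothing in this function enforces an expiry or single
 * use -- confirm that login.php does.
 */
function newLogin()
{
    withStatement("INSERT INTO SESSION (SESSION_ID,CREATED) VALUES (?,NOW())", function ($statement) {
        $sessionId = generateSessionId();
        $statement->bind_param("s", $sessionId);
        executeStatement($statement);
        $baseUrl = getBaseUrl();
        // Resolve the recipient once and reuse it for both the mail and the
        // reply (the original resolved it twice).
        $loginEmail = emailPrefixToAddress(LOGIN_EMAIL_PREFIX);
        sendEmail($loginEmail, "Innlogging", "\n\nLogg inn via denne linken:\n{$baseUrl}/php/login.php?sessionId={$sessionId}");
        // json_encode() escapes quotes, backslashes and control characters;
        // the hand-built '{"email":"..."}' string produced invalid JSON for an
        // address containing any of them.
        echo json_encode(array('email' => $loginEmail));
    });
}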
ファイル: auth16x.php プロジェクト: qexyorg/webMCR-1
} else {
    logExit("Bad request method. POST/json required", "Bad request method. POST/json required");
}
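// ---------------------------------------------------------------------------
// Credential check for the launcher login. $json is the decoded POST body
// (parsed above this point). Every exit path goes through logExit()/exit().
//
// Logging policy applied here: log *which* fields were bad and the user name,
// never the submitted password and never the issued access token -- log files
// are rarely protected like a credential store (the original wrote both).
// ---------------------------------------------------------------------------
if (empty($json->username) or empty($json->password) or empty($json->clientToken)) {
    logExit("[auth16x.php] login process [Empty input] [ " . (empty($json->username) ? 'LOGIN ' : '') . (empty($json->password) ? 'PASSWORD ' : '') . (empty($json->clientToken) ? 'clientToken ' : '') . "]");
}
loadTool('user.class.php');
DBinit('auth');
$login = $json->username;
$password = $json->password;
$clientToken = $json->clientToken;
// Character whitelists. NOTE(review): this restricts passwords to
// [A-Za-z0-9_-], which also rejects perfectly good passphrases -- confirm it
// is intentional and not a leftover from a pre-hashing storage scheme.
if (!preg_match("/^[a-zA-Z0-9_-]+\$/", $password) or !preg_match("/^[a-f0-9-]+\$/", $clientToken)) {
    logExit("[auth16x.php] login process [Bad symbols] User [{$login}] clientToken [{$clientToken}]");
}
// An '@' in the identifier selects lookup by the e-mail column.
$BD_Field = strpos($login, '@') === false ? $bd_users['login'] : $bd_users['email'];
$auth_user = new User($login, $BD_Field);
// NOTE(review): "Unknown user" and "Wrong password" are distinct exits; if
// logExit() echoes its message to the client this allows user enumeration.
if (!$auth_user->id()) {
    logExit("[auth16.php] login process [Unknown user] User [{$login}]");
}
if ($auth_user->lvl() <= 1) {
    exit("Bad login");
}
if (!$auth_user->authenticate($password)) {
    logExit("[auth16.php] login process [Wrong password] User [{$login}]");
}
// Issue a fresh access token and bind it, together with the client's token,
// to the user row (parameterised query; column/table names come from config).
$sessid = generateSessionId();
getDB()->ask("UPDATE `{$bd_names['users']}` SET " . "`{$bd_users['session']}`=:session , " . "`{$bd_users['clientToken']}`=:token " . "WHERE `{$BD_Field}`=:login", array('session' => $sessid, 'login' => $login, 'token' => $clientToken));
// The access token is a bearer credential: keep it out of the log.
vtxtlog("[auth16.php] login process [Success] User [{$login}] clientToken[{$clientToken}]");
$profile = array('id' => $auth_user->id(), 'name' => $auth_user->name());
$responce = array('clientToken' => $clientToken, 'accessToken' => $sessid, 'availableProfiles' => array(0 => $profile), 'selectedProfile' => $profile);
exit(json_encode($responce));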
ファイル: api.php プロジェクト: LegalEye/API
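/**
 * Dispatch function for POST /events
 *
 * Determines what the user is requesting -- for example, to add an
 * attachment or to create a new session -- and dispatches or handles.
 *
 * Path handling (from the global $path segments):
 *   /events                 -> create an event (handled inline below)
 *   /events/{session}       -> api_EVENTS_POST_ID($session)
 *   /events/{session}/{x}   -> api_EVENTS_POST_ID_X($session)
 * The callable name is built only from that fixed prefix plus the upper-cased
 * second segment and is checked with function_exists(), so request data cannot
 * reach an arbitrary function.
 *
 * If a new event is requested, takes user input and turns it into an event,
 * including web call to Dialback provider, Event insertion, and API key
 * creation.
 *
 * @todo Why does event creation need to be JSON? Seemed like a good idea at
 *        the time. Move to just HTTP POST fields.
 *
 * @todo Assumes web call for Dialback number succeeded. Add failure handling.
 *
 * @throws BadRequestException
 */
function api_EVENTS_POST_dispatch()
{
    global $database;
    global $path;
    global $apiKey;
    switch (count($path)) {
        /** @noinspection PhpMissingBreakStatementInspection */
        case 3:
            // A trailing slash produces an empty third segment, which is
            // tolerated; anything else there is an unknown path.
            if ($path[2] != "") {
                $response = ['status' => ['code' => 400, 'message' => 'Bad Request'], 'error' => ['message' => 'Invalid Request Path']];
                throw new BadRequestException($response);
            }
            // fall through
        /** @noinspection PhpMissingBreakStatementInspection */
        case 2:
            $object2 = $path[1];
            // fall through
        case 1:
            $session = $path[0];
            break;
        case 0:
            break;
        default:
            $response = ['status' => ['code' => 400, 'message' => 'Bad Request'], 'error' => ['message' => 'Invalid Request Path']];
            throw new BadRequestException($response);
            break;
    }
    $funcCall = str_replace("_dispatch", "", __FUNCTION__);
    if (isset($session) && strlen($session) > 0) {
        $funcCall = $funcCall . '_ID';
        $parameter = $session;
        if (isset($object2) && strlen($object2) > 0) {
            $funcCall = $funcCall . '_' . strtoupper($object2);
        }
    }
    if ($funcCall != str_replace("_dispatch", "", __FUNCTION__)) {
        if (function_exists($funcCall)) {
            // Explicitly cast $action as a string to reassure the debugger.
            $funcCall = (string) $funcCall;
            if (isset($parameter)) {
                $funcCall($parameter);
            } else {
                $funcCall();
            }
        } else {
            $response = ['status' => ['code' => 400, 'message' => 'Bad Request'], 'error' => ['message' => 'Unsupported API Request.']];
            throw new BadRequestException($response);
        }
    } else {
        try {
            // A missing 'request' field must not raise a notice; an empty
            // string decodes to null and is rejected just like bad JSON.
            $rawRequest = isset($_POST['request']) ? $_POST['request'] : '';
            if (!($jsonRequest = json_decode($rawRequest, true))) {
                throw new InvalidJsonException([$jsonRequest]);
            }
            $requiredFields = ['segment' => ['filter' => FILTER_VALIDATE_INT], 'phoneNumber' => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['options' => ['regexp' => "/^\\+? ?[0-9 ]+\$/"]]], 'emailAddress' => ['filter' => FILTER_VALIDATE_EMAIL], 'state' => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['options' => ['regexp' => "/^[A-Za-z ]{4,50}\$/"]]], 'latitude' => ['filter' => FILTER_VALIDATE_FLOAT], 'longitude' => ['filter' => FILTER_VALIDATE_FLOAT]];
            foreach ($requiredFields as $key => $parameters) {
                if (!isset($jsonRequest[$key])) {
                    throw new BadRequestException(["Required parameter `{$key}` is missing."]);
                }
                $value = $jsonRequest[$key];
                $filter = $parameters['filter'];
                $options = isset($parameters['options']) ? $parameters['options'] : [];
                // filter_var() returns the filtered value on success and false
                // on failure. Testing the result for truthiness (as the original
                // did) rejected legitimate zero values -- latitude/longitude 0.0
                // or segment 0 -- so compare against false explicitly.
                if (filter_var($value, $filter, $options) === false) {
                    throw new BadRequestException(["Parameter `{$key}`: Invalid value."]);
                }
            }
            $sqlQuery = <<<EOF
            
                SELECT
                    productphoneserver
                FROM
                    tbl__products
                INNER JOIN
                    tbl__segments
                ON
                    tbl__products.productkey=tbl__segments.productkey
                WHERE
                    tbl__segments.segmentkey=?
                
EOF;
            $dialbackQuery = $database->select($sqlQuery, [['i' => $jsonRequest['segment']]]);
            // An unknown segment yields no row (presumably select() returns a
            // list of rows). The original then called file_get_contents('') and
            // surfaced as the same exception plus PHP notices; fail explicitly.
            if (empty($dialbackQuery[0]['productphoneserver'])) {
                throw new NoDialbackNumberProvidedException([]);
            }
            // NOTE(review): 'logitude' looks like a typo for 'longitude', but it
            // is the field name the Dialback provider receives -- confirm with
            // the provider before renaming it.
            $data = ['emailaddress' => $jsonRequest['emailAddress'], 'phonenumber' => $jsonRequest['phoneNumber'], 'latitude' => $jsonRequest['latitude'], 'logitude' => $jsonRequest['longitude'], 'state' => $jsonRequest['state']];
            // use key 'http' even if you send the request to https://...
            // The original header value contained a literal newline plus
            // indentation ("Content-type: \n    application/...") and so was
            // malformed; send a single well-formed header line.
            $contextOptions = ['http' => ['header' => "Content-type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data)]];
            // The target URL comes from the products table, not from the request.
            $dialbackNumber = file_get_contents($dialbackQuery[0]['productphoneserver'], false, stream_context_create($contextOptions));
            if ($dialbackNumber === FALSE) {
                /* Handle error */
                throw new NoDialbackNumberProvidedException([]);
            }
            $sqlQuery = <<<EOF
            
                INSERT INTO
                    tbl__events
                    (
                        session,
                        segmentkey,
                        phonenumber,
                        emailaddress,
                        latitude,
                        longitude,
                        state,
                        dialbacknumber
                    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
        
EOF;
            // A freshly generated session id may collide with an existing row;
            // retry once with a new id before giving up.
            $sessionId = null;
            $eventQuery = null;
            $eventAdded = false;
            $attempts = 1;
            $i = 0;
            $lastError = null;
            do {
                try {
                    $sessionId = generateSessionId();
                    $eventQuery = $database->insert($sqlQuery, [['s' => $sessionId], ['i' => $jsonRequest['segment']], ['s' => $jsonRequest['phoneNumber']], ['s' => $jsonRequest['emailAddress']], ['d' => $jsonRequest['latitude']], ['d' => $jsonRequest['longitude']], ['s' => $jsonRequest['state']], ['s' => $dialbackNumber]]);
                    $eventAdded = true;
                } catch (DatabaseInsertQueryFailedException $e) {
                    $lastError = print_r($e, true);
                }
                $i++;
            } while (!$eventAdded and $i <= $attempts);
            if (!$eventAdded) {
                throw new EventNotAddedException([$lastError]);
            }
            // Scoped, one-hour API key bound to the new event row.
            $sqlQuery = <<<EOF
            
                INSERT INTO
                    tbl__apikeys
                (
                    expiration,
                    scope,
                    ALLOW_RENEW,
                    ALLOW_UPLOAD,
                    ALLOW_LIST,
                    apikey,
                    scopekey
                )
                VALUES
                (
                    DATE_ADD(NOW(), INTERVAL 1 HOUR),
                    'EVENT',
                    1,
                    1,
                    1,
                    ?, ?
                )
                
EOF;
            $apiKey = null;
            $scopeKey = (int) $eventQuery->insert_id;
            $apiKeyAdded = false;
            $attempts = 1;
            $i = 0;
            $apiKeyQuery = null;
            do {
                try {
                    $apiKey = generateApiKey($sessionId);
                    $apiKeyQuery = $database->insert($sqlQuery, [['s' => $apiKey], ['i' => $scopeKey]]);
                    $apiKeyAdded = true;
                } catch (DatabaseInsertQueryFailedException $e) {
                    $lastError = print_r($e, true);
                }
                $i++;
            } while (!$apiKeyAdded and $i <= $attempts);
            if (!$apiKeyAdded) {
                throw new ApiKeyNotAddedException([$lastError]);
            }
            $eventQuery->close();
            $apiKeyQuery->close();
            $response = ['data' => ['session' => $sessionId, 'dial' => $dialbackNumber, 'apiKey' => $apiKey], 'status' => ['code' => 201]];
            sendResponse($response);
        } catch (Exception $e) {
            // NOTE(review): the exception object is handed straight to
            // sendResponse(); make sure it does not serialise $lastError
            // (a print_r() of a database exception) to the client.
            sendResponse($e);
        }
    }
}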
ファイル: mainfile.php プロジェクト: Kistriver/craftengine0
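/**
 * Launcher login endpoint: checks user/password/version from the query string
 * against the configured user table and, on success, stores a fresh session
 * id on the user's row.
 *
 * Output is a bare status token consumed by the launcher:
 *   "0"            success (session id stored)
 *   "abuse"        wrong password
 *   "fail"         user not found / no stored hash for the configured scheme
 *   "abanned"      the user's check column is non-zero
 *   "oldLauncher"  version does not match launcher()
 * Nothing is printed when a required parameter is missing.
 *
 * Configuration ($db_*, $crypt, ...) comes from connect.php, which is included
 * into this function's scope.
 *
 * Security notes (review):
 *  - Credentials arrive as GET parameters, so they land in access logs, proxy
 *    logs and browser history; POST over TLS would be preferable.
 *  - The mysql_* extension is deprecated (PHP 5.5) and removed (7.0); a move
 *    to mysqli/PDO with bound parameters is required before any PHP upgrade.
 *  - $crypt names the hash routine and is invoked as a variable function; it
 *    must come only from connect.php, never from request data.
 *  - strcmp() is not constant-time; hash_equals() (PHP 5.6+) is preferable
 *    for comparing password hashes.
 */
function loginServer()
{
    include "connect.php";
    // All three parameters are required. The original read $_GET['version']
    // before the isset() check and raised a notice when it was absent.
    if (!isset($_GET['user'], $_GET['password'], $_GET['version'])) {
        return;
    }
    $ver = $_GET['version'];
    if (launcher() != $ver) {
        die("oldLauncher");
    }
    $postPass = $_GET['password'];
    $loginName = $_GET['user'];
    $login = mysql_real_escape_string($loginName);
    $result1 = mysql_query("SELECT {$db_columnUser}, {$db_columncheck} FROM {$db_table} WHERE {$db_columnUser} ='{$login}'") or die("������ � ���� ���������� �������." . mysql_error());
    $row1 = mysql_fetch_assoc($result1);
    // No row means nothing to ban; only a non-zero check value is a ban.
    $checkrow = $row1 ? $row1[$db_columncheck] : 0;
    if ($checkrow != 0) {
        die("abanned");
    }
    // Which columns hold the hash (and salt) depends on the configured scheme.
    // Initialise so the checks below never touch undefined variables when
    // $crypt matches no branch or the row is missing.
    $realPass = null;
    $salt = null;
    $checkPass = null;
    if ($crypt == 'hash_md5' || $crypt == 'hash_authme' || $crypt == 'hash_xauth' || $crypt == 'hash_cauth' || $crypt == 'hash_joomla' || $crypt == 'hash_wordpress' || $crypt == 'hash_dle' || $crypt == 'hash_drupal') {
        $query = "SELECT {$db_columnUser}, {$db_columnPass} FROM {$db_table} WHERE {$db_columnUser}='{$login}'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_assoc($result);
        $realPass = $row ? $row[$db_columnPass] : null;
    }
    if ($crypt == 'hash_ipb' || $crypt == 'hash_vbulletin') {
        $query = "SELECT {$db_columnUser},{$db_columnPass},{$db_columnSalt} FROM {$db_table} WHERE {$db_columnUser}='{$login}'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_assoc($result);
        $realPass = $row ? $row[$db_columnPass] : null;
        $salt = $row ? $row[$db_columnSalt] : null;
    }
    if ($crypt == 'hash_xenforo') {
        // XenForo stores a serialised blob; the hash and salt are cut out of it
        // at fixed offsets (offsets taken from the original code, unverified).
        $query = "SELECT {$db_table}.{$db_columnId},{$db_table}.{$db_columnUser},{$db_tableOther}.{$db_columnId},{$db_tableOther}.{$db_columnPass} FROM {$db_table}, {$db_tableOther} WHERE {$db_table}.{$db_columnId} = {$db_tableOther}.{$db_columnId} AND {$db_table}.{$db_columnUser}='{$login}'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_assoc($result);
        if ($row) {
            $realPass = substr($row[$db_columnPass], 22, 64);
            $salt = substr($row[$db_columnPass], 105, 64);
        }
    }
    if (!$realPass) {
        die("fail");
    }
    // Hash the submitted password with the scheme's routine; argument order
    // differs per family of schemes.
    if ($crypt == 'hash_md5' || $crypt == 'hash_dle') {
        $checkPass = $crypt($postPass);
    }
    if ($crypt == 'hash_authme' || $crypt == 'hash_xauth' || $crypt == 'hash_cauth' || $crypt == 'hash_joomla' || $crypt == 'hash_wordpress' || $crypt == 'hash_drupal') {
        $checkPass = $crypt($realPass, $postPass);
    }
    if ($crypt == 'hash_ipb' || $crypt == 'hash_vbulletin' || $crypt == 'hash_xenforo') {
        $checkPass = $crypt($postPass, $salt);
    }
    if (strcmp($realPass, $checkPass) == 0) {
        // $sessid is generated locally, not taken from the request.
        $sessid = generateSessionId();
        mysql_query("UPDATE {$db_table} SET {$db_columnSesId}='{$sessid}' WHERE {$db_columnUser} = '{$login}'") or die("������ � ���� ���������� �������.");
        die("0");
    }
    die("abuse");
}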