Manager/index.php

<?php
date_default_timezone_set("Europe/Berlin");
error_reporting(E_ALL);
include_once("config.php");
$RUNTIME['BASEDIR'] = __DIR__;
set_include_path('.:'.$RUNTIME['BASEDIR']);

session_set_cookie_params([
	'lifetime' => 86400,
	'path' => '/',
	'domain' => $RUNTIME['DOMAIN'],
	'httponly' => true,
	'secure' => true,
	'samesite' => 'Lax'
]);

session_start();
if(!isset($_SESSION['csrf']) || strlen($_SESSION['csrf']) != 64) {
	$_SESSION['csrf'] = bin2hex(random_bytes(32));
}

include_once("app/utils.php");
include_once("app/HTML.php");

function isValidEndpoint(string $pageName, string $dirPrefix) {
	return preg_match('/^[a-zA-Z0-9\.]{1,100}$/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");
}

function needsLogin(?string $pageName) {
	return $pageName != 'register' && $pageName != 'forgot' && $pageName != 'reset-password' && $pageName != 'login';
}

//TODO: add API keys and/or rate limiting
if(isset($_GET['api'])) {
	if(isValidEndpoint($_GET['api'], 'api')) {
		include "./api/".$_GET['api'].".php";
	} else {
		die("ERROR; ENDPOINT NOT EXIST");
	}

	die();
}

if ($handle = opendir('./plugins/')) {
	while (false !== ($entry = readdir($handle))) {
		if ($entry != "." && $entry != "..") {
			include_once "./plugins/".$entry;
		}
	}

	closedir($handle);
}

if(isset($_GET['logout']) && $_GET['logout'] == '1') {
	$_SESSION = array();
	header('Location: index.php');
}

if(isset($_SESSION['LOGIN']) && $_SESSION['LOGIN'] == 'true') {
	if(!isset($_GET['page'])) {
		include './pages/dashboard.php';
	} else if(isValidEndpoint($_GET['page'], 'pages')) {
		include "./pages/".$_GET['page'].".php";
	} else {
		include "./pages/error.php";
	}
	
	die();
}
else {
	$page = isset($_GET['page']) ? $_GET['page'] : 'login';

	if(needsLogin($page)) {
		$_SESSION['loginMessage'] = 'Du musst dich einloggen, um das MCP nutzen zu können';
		$_SESSION['loginMessageColor'] = 'red';
		header('Location: index.php?page=login');
	}
	else {
		include "./pages/".$page.".php";
	}
}

?>
add files 2020-06-03 15:31:18 +00:00			`<?php`
			`date_default_timezone_set("Europe/Berlin");`
			`error_reporting(E_ALL);`
Fix RUNTIME array being reset after loading config 2023-08-23 16:16:34 +00:00			`include_once("config.php");`
Fix include/template paths 2023-08-23 16:16:35 +00:00			`$RUNTIME['BASEDIR'] = __DIR__;`
			`set_include_path('.:'.$RUNTIME['BASEDIR']);`
Set secure attributes for session cookie 2023-08-23 16:16:34 +00:00
			`session_set_cookie_params([`
			`'lifetime' => 86400,`
			`'path' => '/',`
			`'domain' => $RUNTIME['DOMAIN'],`
			`'httponly' => true,`
			`'secure' => true,`
			`'samesite' => 'Lax'`
			`]);`
Generate CSRF token on session start 2023-08-23 16:16:34 +00:00
add files 2020-06-03 15:31:18 +00:00			`session_start();`
Fix RUNTIME array being reset after loading config 2023-08-23 16:16:34 +00:00			`if(!isset($_SESSION['csrf']) \|\| strlen($_SESSION['csrf']) != 64) {`
Generate CSRF token on session start 2023-08-23 16:16:34 +00:00			`$_SESSION['csrf'] = bin2hex(random_bytes(32));`
			`}`
add files 2020-06-03 15:31:18 +00:00
Reflect directory structure changes 2023-08-23 16:16:35 +00:00			`include_once("app/utils.php");`
			`include_once("app/HTML.php");`
add files 2020-06-03 15:31:18 +00:00
Improve routing 2023-08-23 16:16:34 +00:00			`function isValidEndpoint(string $pageName, string $dirPrefix) {`
Change validation regexes to be more strict 2023-08-23 16:16:36 +00:00			`return preg_match('/^[a-zA-Z0-9\.]{1,100}$/', $pageName) && file_exists("./".$dirPrefix."/".$pageName.".php");`
Improve routing 2023-08-23 16:16:34 +00:00			`}`

Improve routing 2023-08-23 16:16:36 +00:00			`function needsLogin(?string $pageName) {`
			`return $pageName != 'register' && $pageName != 'forgot' && $pageName != 'reset-password' && $pageName != 'login';`
			`}`

Improve API endpoint name validation 2023-08-23 16:16:34 +00:00			`//TODO: add API keys and/or rate limiting`
Improve routing 2023-08-23 16:16:36 +00:00			`if(isset($_GET['api'])) {`
			`if(isValidEndpoint($_GET['api'], 'api')) {`
			`include "./api/".$_GET['api'].".php";`
Improve API endpoint name validation 2023-08-23 16:16:34 +00:00			`} else {`
add files 2020-06-03 15:31:18 +00:00			`die("ERROR; ENDPOINT NOT EXIST");`
			`}`

			`die();`
			`}`

Improve routing 2023-08-23 16:16:34 +00:00			`if ($handle = opendir('./plugins/')) {`
			`while (false !== ($entry = readdir($handle))) {`
			`if ($entry != "." && $entry != "..") {`
add admin menu 2020-08-04 09:44:59 +00:00			`include_once "./plugins/".$entry;`
			`}`
			`}`

			`closedir($handle);`
			`}`

Improve routing 2023-08-23 16:16:36 +00:00			`if(isset($_GET['logout']) && $_GET['logout'] == '1') {`
Improve routing 2023-08-23 16:16:34 +00:00			`$_SESSION = array();`
Redirect after logout 2023-08-23 16:16:34 +00:00			`header('Location: index.php');`
Improve routing 2023-08-23 16:16:34 +00:00			`}`
add files 2020-06-03 15:31:18 +00:00
Improve routing 2023-08-23 16:16:34 +00:00			`if(isset($_SESSION['LOGIN']) && $_SESSION['LOGIN'] == 'true') {`
Improve routing 2023-08-23 16:16:36 +00:00			`if(!isset($_GET['page'])) {`
Improve routing 2023-08-23 16:16:34 +00:00			`include './pages/dashboard.php';`
Improve routing 2023-08-23 16:16:36 +00:00			`} else if(isValidEndpoint($_GET['page'], 'pages')) {`
			`include "./pages/".$_GET['page'].".php";`
Improve routing 2023-08-23 16:16:34 +00:00			`} else {`
			`include "./pages/error.php";`
add files 2020-06-03 15:31:18 +00:00			`}`
Improve routing 2023-08-23 16:16:34 +00:00
			`die();`
			`}`
Improve routing 2023-08-23 16:16:36 +00:00			`else {`
			`$page = isset($_GET['page']) ? $_GET['page'] : 'login';`
add files 2020-06-03 15:31:18 +00:00
Improve routing 2023-08-23 16:16:36 +00:00			`if(needsLogin($page)) {`
			`$_SESSION['loginMessage'] = 'Du musst dich einloggen, um das MCP nutzen zu können';`
			`$_SESSION['loginMessageColor'] = 'red';`
			`header('Location: index.php?page=login');`
			`}`
			`else {`
			`include "./pages/".$page.".php";`
			`}`
add files 2020-06-03 15:31:18 +00:00			`}`

			`?>`