<?php
	$HTML = new HTML();
	$HTML->setHTMLTitle("Login");
	$HTML->importHTML("login.html");

	if($_SERVER['REQUEST_METHOD'] == 'POST')
	{
		include_once 'app/FormValidator.php';
		$validator = new FormValidator(array(
			'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/'),
			'password' => array('required' => true, 'regex' => '/^.{1,1000}$/')
		));
		
		if(!$validator->isValid($_POST)) {
			$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein.");
		}
		else {
			$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");
			$statementUser->execute(explode(" ", trim($_POST['username']))); 

			while($rowUser = $statementUser->fetch()) 
			{
				$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");
				$statementAuth->execute(array($rowUser['PrincipalID'])); 
				
				$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];

				while($rowAuth = $statementAuth->fetch()) 
				{
					if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
					{
						session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
						$_SESSION['USERNAME'] = trim($_POST['username']);
						$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
						$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
						$_SESSION['EMAIL'] = trim($rowUser['Email']);
						$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
						$_SESSION['SALT'] = $rowAuth['passwordSalt'];
						$_SESSION['UUID'] = $rowUser['PrincipalID'];
						$_SESSION['LEVEL'] = $rowUser['UserLevel'];
						$_SESSION['DISPLAYNAME'] = strtoupper(trim($_POST['username']));
						$_SESSION['LOGIN'] = 'true';

						header("Location: index.php?page=".urlencode($_REQUEST['page']));
						die();
					}
				}
			}

			$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch."); 
			$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username'])); 	
		}
	}

	if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
		$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));

	$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", ""); 
	$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", ""); 
	$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard"); 

	$HTML->build();
	echo $HTML->ausgabe();
?>