path: root/login.php
blob: f9c0fbcdd4999197c2e19389e44e84e74af50111 (plain)
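<?php
// Login endpoint: on POST, checks the submitted credentials, issues an API token
// for JSON clients, stores the user in the session and redirects via create_alert();
// on any other method it falls through to render the login form below.
//
// Relies on the included libs for create_alert(), display_alert(), html_navbar(),
// the DB_* connection constants, IS_JSON_REQUEST and an already-started session.
include_once $_SERVER['DOCUMENT_ROOT'] . '/lib/partials.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/lib/utils.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/lib/config.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/lib/alert.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? null;
    $password = $_POST['password'] ?? null;

    // Reject missing fields and non-string values (a `username[]=…` body arrives as
    // an array), which would otherwise reach execute() and password_verify() as arrays.
    if (!is_string($username) || !is_string($password)) {
        exit(create_alert('/login.php', 400, 'Username and password must be sent!', null));
    }

    // Fail loudly on query errors instead of continuing with a false return value.
    $db = new PDO(DB_URL, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    $stmt = $db->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    // Identical message for unknown user and wrong password so the response body
    // does not reveal which usernames exist. NOTE(review): the early return still
    // skips the password_verify() cost for unknown users, so response timing differs.
    if ($user === null) {
        exit(create_alert('/login.php', 401, 'Incorrect username or password.', null));
    }

    if (!password_verify($password, $user['password'])) {
        exit(create_alert('/login.php', 401, 'Incorrect username or password.', null));
    }

    // The stored hash is only needed for verification; drop it so it reaches neither
    // the session nor the response payload built below.
    // NOTE(review): confirm no consumer reads $_SESSION['user']['password'].
    unset($user['password']);

    // Purge this user's expired API tokens on every successful login.
    $now = date('Y-m-d H:i:s', time());
    $db->prepare('DELETE FROM tokens WHERE expires_at <= ? AND user_id = ?')
        ->execute([$now, $user['id']]);

    $data = $user;

    if (IS_JSON_REQUEST) {
        $tokenTtl = 86400; // seconds; tokens live one day
        $expires_at = date('Y-m-d H:i:s', time() + $tokenTtl);

        // The raw token is returned to the client exactly once; only its SHA-256
        // digest is persisted, so a leaked tokens table yields no usable credentials.
        $token = bin2hex(random_bytes(16));

        $db->prepare('INSERT INTO tokens(user_id, hash, expires_at) VALUES (?, ?, ?)')
            ->execute([$user['id'], hash('sha256', $token), $expires_at]);

        $data = [
            'token' => $token,
            'id' => $user['id'],
        ];
    }

    // Rotate the session id on authentication so an id obtained before login
    // (session fixation) is not carried into the authenticated session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    $_SESSION['user'] = $user;

    exit(create_alert('/', 200, null, $data));
}
?>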
<!DOCTYPE html>
<html>

<head>
    <title>id</title>
    <link rel="stylesheet" href="/static/style.css">
</head>

<body>
    <main>
        <?php html_navbar(); ?>

        <?php display_alert(); ?>

        <form action="/login.php" method="post" class="column gap-16">
            <h1>Log in to your ilt.su account</h1>

            <div class="column">
                <label for="username">Username</label>
                <div>
                    <input type="text" name="username" id="username" pattern="^[a-zA-Z0-9_]+$" required>
                </div>
            </div>
            <div class="column">
                <label for="password">Password</label>
                <div>
                    <input type="password" name="password" id="password" required>
                </div>
            </div>
            <div class="row gap-8 align-bottom">
                <button type="submit">Log in</button>
                <a href="/register.php">Register</a>
            </div>
        </form>
    </main>
</body>

</html>