authorilotterytea <iltsu@alright.party>2025-12-08 21:53:36 +0500
committerilotterytea <iltsu@alright.party>2025-12-08 21:53:36 +0500
commit57472eab3c7b035392c6a5aa240593ecaa7d1ccf (patch)
tree9da30829290f225be2dab3d383549cbfda82ed19 /account/login
parent6541d0f3888862ab049055fd418b700f73eed367 (diff)
upd: moved all /public/ files to the root folder
Diffstat (limited to 'account/login')
-rw-r--r--account/login/index.php99
-rw-r--r--account/login/twitch.php175
2 files changed, 274 insertions, 0 deletions
diff --git a/account/login/index.php b/account/login/index.php
new file mode 100644
index 0000000..ace116d
--- /dev/null
+++ b/account/login/index.php
@@ -0,0 +1,99 @@
+<?php
+include "../../../src/accounts.php";
+
+if (authorize_user()) {
+ header("Location: /account");
+ exit;
+}
+
+include "../../../src/partials.php";
+include_once "../../../src/config.php";
+include_once "../../../src/alert.php";
+include_once "../../../src/utils.php";
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+ if (!isset($_POST["username"], $_POST["password"])) {
+ generate_alert("/account/login", "Not enough POST fields");
+ exit;
+ }
+
+ $username = $_POST["username"];
+ $password = $_POST["password"];
+ $remember = intval($_POST["remember"] ?? "0") != 0;
+
+ $db = new PDO(DB_URL, DB_USER, DB_PASS);
+ $stmt = $db->prepare("SELECT secret_key, password FROM users WHERE username = ? AND password IS NOT NULL");
+ $stmt->execute([$username]);
+
+ if ($row = $stmt->fetch()) {
+ if (password_verify($password, $row["password"])) {
+ setcookie("secret_key", $row["secret_key"], $remember ? (time() + ACCOUNT_COOKIE_MAX_LIFETIME) : 0, "/");
+ header("Location: /account");
+ exit;
+ } else {
+ generate_alert("/account/login", "Passwords do not match!", 403);
+ exit;
+ }
+ } else {
+ generate_alert("/account/login", "User not found or is not accessable", 404);
+ exit;
+ }
+}
+?>
+
+<html>
+
+<head>
+ <title>Login - <?php echo INSTANCE_NAME ?></title>
+ <link rel="stylesheet" href="/static/style.css">
+ <link rel="shortcut icon" href="/static/favicon.ico" type="image/x-icon">
+</head>
+
+<body>
+ <div class="container">
+ <div class="wrapper">
+ <?php html_navigation_bar(); ?>
+ <section class="content" style="width: 400px;">
+ <?php display_alert() ?>
+ <section class="box">
+ <div class="box navtab">
+ <p>Log in to <?php echo INSTANCE_NAME ?></p>
+ </div>
+ <div class="box content">
+ <form action="/account/login/" method="post">
+ <div>
+ <label for="username">Username</label>
+ <input type="text" name="username" id="form-username" required>
+ </div>
+ <div>
+ <label for="password">Password</label>
+ <input type="password" name="password" id="form-password" required>
+ </div>
+ <div>
+ <input type="checkbox" name="remember" value="1" id="form-remember">
+ <label for="remember" class="inline">Remember me</label>
+ </div>
+ <div>
+ <button type="submit">Log in</button>
+ <?php if (ACCOUNT_REGISTRATION_ENABLE): ?>
+ <a href="/account/register.php">Register</a>
+ <?php endif; ?>
+ </div>
+ </form>
+ </div>
+ </section>
+
+ <?php if (TWITCH_REGISTRATION_ENABLE): ?>
+ <section class="box column">
+ <a href="/account/login/twitch.php" class="button purple big">Login with Twitch</a>
+ <p style="font-size: 12px;">Logging in via Twitch gives you the ability to use
+ <?php echo INSTANCE_NAME ?> emotes in your Twitch chat.
+ </p>
+ </section>
+ <?php endif; ?>
+ </section>
+ </div>
+ </div>
+</body>
+
+</html> \ No newline at end of file
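Review bot: The `secret_key` cookie written in the successful-login branch is set with the legacy `setcookie(name, value, expires, path)` form and therefore has no HttpOnly, Secure or SameSite attribute, so the long-lived bearer credential this page's `authorize_user()` redirect appears to rely on is readable by any script running on the origin and is also sent over plain HTTP; switch to the options form, `setcookie("secret_key", $row["secret_key"], ["expires" => $remember ? time() + ACCOUNT_COOKIE_MAX_LIFETIME : 0, "path" => "/", "secure" => true, "httponly" => true, "samesite" => "Lax"]);`. The two failure branches also respond differently (404 "User not found or is not accessable" versus 403 "Passwords do not match!"), which lets a caller enumerate which usernames exist; returning one generic message and status for both branches avoids that. The `password_verify` success path never calls `password_needs_rehash`, so hashes created under an older cost never get upgraded.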
diff --git a/account/login/twitch.php b/account/login/twitch.php
new file mode 100644
index 0000000..38fd6cc
--- /dev/null
+++ b/account/login/twitch.php
@@ -0,0 +1,175 @@
+<?php
+include_once "../../../src/config.php";
+include_once "../../../src/utils.php";
+include_once "../../../src/alert.php";
+
+if (!TWITCH_REGISTRATION_ENABLE) {
+ generate_alert("/404.php", "Registration via Twitch is disabled", 405);
+ exit;
+}
+
+session_start();
+
+$db = new PDO(DB_URL, DB_USER, DB_PASS);
+
+if (isset($_GET["disconnect"], $_SESSION["user_id"])) {
+ $stmt = $db->prepare("SELECT c.id,
+ CASE WHEN (
+ SELECT u.password FROM users u WHERE u.id = c.user_id
+ ) IS NOT NULL
+ THEN 1 ELSE 0
+ END AS set_password
+ FROM connections c
+ WHERE c.user_id = ?
+ ");
+ $stmt->execute([$_SESSION["user_id"]]);
+
+ if ($row = $stmt->fetch()) {
+ if ($row["set_password"]) {
+ $db->prepare("DELETE FROM connections WHERE user_id = ? AND platform = 'twitch'")->execute([$_SESSION["user_id"]]);
+ generate_alert("/account", "Successfully disconnected from Twitch!", 200);
+ } else {
+ generate_alert("/account", "You must set a password before deleting any connections", 403);
+ }
+ } else {
+ generate_alert("/account", "No Twitch connection found", 404);
+ }
+ exit;
+}
+
+$client_id = TWITCH_CLIENT_ID;
+$client_secret = TWITCH_SECRET_KEY;
+$redirect_uri = TWITCH_REDIRECT_URI;
+
+if (isset($_GET["error"])) {
+ header("Location: /account/login");
+ exit;
+}
+
+if (!isset($_GET["code"])) {
+ header("Location: https://id.twitch.tv/oauth2/authorize?client_id=$client_id&redirect_uri=$redirect_uri&response_type=code");
+ exit;
+}
+
+$code = $_GET["code"];
+
+// obtaining twitch token
+$request = curl_init();
+curl_setopt($request, CURLOPT_URL, "https://id.twitch.tv/oauth2/token");
+curl_setopt($request, CURLOPT_POST, 1);
+curl_setopt(
+ $request,
+ CURLOPT_POSTFIELDS,
+ "client_id=$client_id&client_secret=$client_secret&code=$code&grant_type=authorization_code&redirect_uri=$redirect_uri"
+);
+curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
+
+$response = curl_exec($request);
+curl_close($request);
+
+$response = json_decode($response, true);
+
+if (array_key_exists("status", $response)) {
+ header("Location: /account/login");
+ exit;
+}
+
+// identifying user
+$request = curl_init();
+curl_setopt($request, CURLOPT_URL, "https://api.twitch.tv/helix/users");
+curl_setopt($request, CURLOPT_HTTPHEADER, [
+ "Authorization: Bearer " . $response["access_token"],
+ "Client-Id: $client_id"
+]);
+curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
+
+$twitch_user = curl_exec($request);
+curl_close($request);
+
+$twitch_user = json_decode($twitch_user, true);
+
+if (empty($twitch_user["data"])) {
+ generate_alert("/account", "Failed to identify Twitch user", 500);
+ exit;
+}
+
+$twitch_user = $twitch_user["data"][0];
+
+// saving it
+$twitch_access_token = $response["access_token"];
+$twitch_refresh_token = $response["refresh_token"];
+$twitch_expires_on = time() + intval($response["expires_in"]);
+
+// creating user if not exists
+$stmt = $db->prepare("SELECT * FROM users u
+ INNER JOIN connections c ON c.alias_id = ?
+ WHERE c.user_id = u.id AND c.platform = 'twitch'
+");
+$stmt->execute([$twitch_user["id"]]);
+
+$user_id = "";
+$user_secret_key = "";
+$user_name = "";
+
+if ($row = $stmt->fetch()) {
+ if (isset($_SESSION["user_id"]) && $_SESSION["user_id"] != $row["id"]) {
+ generate_alert("/account", "There is another " . INSTANCE_NAME . " account associated with that Twitch account", 409);
+ exit;
+ }
+
+ $user_name = $row["username"];
+ $user_secret_key = $row["secret_key"];
+ $user_id = $row["id"];
+} else {
+ $user_secret_key = generate_random_string(32);
+ $user_name = $twitch_user["login"];
+ $user_id = bin2hex(random_bytes(16));
+
+ list($user_secret_key, $user_name, $user_id) = match (isset($_SESSION["user_id"])) {
+ true => [$_COOKIE["secret_key"], $_SESSION["user_name"], $_SESSION["user_id"]],
+ default => [generate_random_string(32), $twitch_user["login"], bin2hex(random_bytes(16))]
+ };
+
+ if (!isset($_SESSION["user_id"])) {
+ // checking for duplicates
+ $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ?");
+ $stmt->execute([$user_name]);
+ $duplicates = intval($stmt->fetch()[0]);
+ if ($duplicates > 0) {
+ $i = 1;
+ while (true) {
+ $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ?");
+ $stmt->execute(["$user_name$i"]);
+
+ if ($stmt->fetch()[0] == 0) {
+ break;
+ }
+
+ $i++;
+ }
+ $user_name .= $i;
+ }
+
+ $stmt = $db->prepare("INSERT INTO users(id, username, secret_key) VALUES (?, ?, ?)");
+ if (!$stmt->execute([$user_id, $user_name, $user_secret_key])) {
+ $db = null;
+ echo "Failed to create a user";
+ exit;
+ }
+ }
+
+ $stmt = $db->prepare("INSERT INTO connections(user_id, alias_id, platform, data) VALUES (?, ?, 'twitch', ?)");
+ $stmt->execute([
+ $user_id,
+ $twitch_user["id"],
+ sprintf("%s:%s:%s", $twitch_access_token, $twitch_refresh_token, $twitch_expires_on)
+ ]);
+}
+
+$_SESSION["user_id"] = $user_id;
+$_SESSION["user_name"] = $user_name;
+setcookie("secret_key", $user_secret_key, time() + ACCOUNT_COOKIE_MAX_LIFETIME, "/");
+
+$db = null;
+
+header("Location: /account"); \ No newline at end of file
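Review bot: The authorize redirect sends no `state` parameter and the callback never checks one, so the code exchange accepts any `?code=` a third party can make the browser request; because the session branch at `list($user_secret_key, ...) = match (isset($_SESSION["user_id"]))` then links the presented Twitch identity to whatever account is currently logged in, an attacker who gets a logged-in user to open a callback URL carrying the attacker's own code can attach their Twitch account to the victim's account and afterwards log into it via Twitch. Generate a random state in the session before redirecting, send it, and reject the callback unless it matches; the rewritten lines are below. Two smaller points in the same hunk: `$code` and `$redirect_uri` are interpolated unencoded into both the authorize URL and the token POST body, which `http_build_query` handles, and the `?disconnect` path performs a state-changing delete on a plain GET with no CSRF protection.
```php
if (!isset($_GET["code"])) {
    $state = bin2hex(random_bytes(16));
    $_SESSION["twitch_oauth_state"] = $state;
    header("Location: https://id.twitch.tv/oauth2/authorize?" . http_build_query([
        "client_id" => $client_id,
        "redirect_uri" => $redirect_uri,
        "response_type" => "code",
        "state" => $state,
    ]));
    exit;
}

// reject callbacks that were not started from this session
$expected_state = $_SESSION["twitch_oauth_state"] ?? "";
unset($_SESSION["twitch_oauth_state"]);
if ($expected_state === "" || !hash_equals($expected_state, (string)($_GET["state"] ?? ""))) {
    generate_alert("/account/login", "Invalid OAuth state", 403);
    exit;
}

$code = $_GET["code"];
// … unchanged: token exchange, user identification, account creation/linking …
```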