misuzu/public/index.php

<?php
namespace Misuzu;

use RuntimeException;
use Misuzu\Auth\{AuthTokenBuilder,AuthTokenCookie,AuthTokenInfo};

require_once __DIR__ . '/../misuzu.php';

if(!isset($msz) || !($msz instanceof \Misuzu\MisuzuContext))
    die('Misuzu is not initialised.');

set_exception_handler(function(\Throwable $ex) {
    \Sentry\captureException($ex);

    http_response_code(500);
    ob_clean();

    if(MSZ_DEBUG) {
        header('Content-Type: text/plain; charset=utf-8');
        echo (string)$ex;
    } else {
        header('Content-Type: text/html; charset=utf-8');
        echo file_get_contents(MSZ_TEMPLATES . '/500.html');
    }
    exit;
});

// The whole wall of shit before the router setup and dispatch should be worked away
// Lockdown things should be middleware when there's no more legacy files

$request = \Index\Http\HttpRequest::fromRequest();

ob_start();

if(file_exists(MSZ_ROOT . '/.migrating')) {
    http_response_code(503);
    if(!isset($_GET['_check'])) {
        header('Content-Type: text/html; charset=utf-8');
        echo file_get_contents(MSZ_TEMPLATES . '/503.html');
    }
    exit;
}

$tokenPacker = $msz->authCtx->createAuthTokenPacker();

if(filter_has_var(INPUT_COOKIE, 'msz_auth'))
    $tokenInfo = $tokenPacker->unpack(filter_input(INPUT_COOKIE, 'msz_auth'));
elseif(filter_has_var(INPUT_COOKIE, 'msz_uid') && filter_has_var(INPUT_COOKIE, 'msz_sid')) {
    $tokenBuilder = new AuthTokenBuilder;
    $tokenBuilder->setUserId((string)filter_input(INPUT_COOKIE, 'msz_uid', FILTER_SANITIZE_NUMBER_INT));
    $tokenBuilder->setSessionToken((string)filter_input(INPUT_COOKIE, 'msz_sid'));
    $tokenInfo = $tokenBuilder->toInfo();
    $tokenBuilder = null;
} else
    $tokenInfo = AuthTokenInfo::empty();

$userInfo = null;
$sessionInfo = null;
$userInfoReal = null;

if($tokenInfo->hasUserId && $tokenInfo->hasSessionToken) {
    $tokenBuilder = new AuthTokenBuilder($tokenInfo);

    try {
        $sessionInfo = $msz->authCtx->sessions->getSession(sessionToken: $tokenInfo->sessionToken);

        if($sessionInfo->expired) {
            $tokenBuilder->removeUserId();
            $tokenBuilder->removeSessionToken();
        } elseif($sessionInfo->userId === $tokenInfo->userId) {
            $userInfo = $msz->usersCtx->users->getUser($tokenInfo->userId, 'id');

            if($userInfo->deleted) {
                $tokenBuilder->removeUserId();
                $tokenBuilder->removeSessionToken();
            } else {
                $msz->usersCtx->users->recordUserActivity($userInfo, remoteAddr: $_SERVER['REMOTE_ADDR']);
                $msz->authCtx->sessions->recordSessionActivity(sessionInfo: $sessionInfo, remoteAddr: $_SERVER['REMOTE_ADDR']);
                if($sessionInfo->shouldBumpExpires)
                    $tokenBuilder->setEdited();

                if($tokenInfo->hasImpersonatedUserId) {
                    $allowToImpersonate = $userInfo->super;
                    $impersonatedUserId = $tokenInfo->impersonatedUserId;

                    if(!$allowToImpersonate) {
                        $allowImpersonateUsers = $msz->config->getArray(sprintf('impersonate.allow.u%s', $userInfo->id));
                        $allowToImpersonate = in_array((string)$impersonatedUserId, $allowImpersonateUsers, true);
                    }

                    if($allowToImpersonate) {
                        $userInfoReal = $userInfo;

                        try {
                            $userInfo = $msz->usersCtx->users->getUser($impersonatedUserId, 'id');
                        } catch(RuntimeException $ex) {
                            $userInfo = $userInfoReal;
                            $userInfoReal = null;
                            $tokenBuilder->removeImpersonatedUserId();
                        }
                    } else $tokenBuilder->removeImpersonatedUserId();
                }
            }
        }
    } catch(RuntimeException $ex) {
        $tokenBuilder->removeUserId();
        $tokenBuilder->removeSessionToken();
        $tokenBuilder->removeImpersonatedUserId();
        $userInfo = null;
        $sessionInfo = null;
        $userInfoReal = null;
    }

    if($tokenBuilder->isEdited()) {
        $tokenInfo = $tokenBuilder->toInfo();
        AuthTokenCookie::apply($tokenPacker->pack($tokenInfo));
    }
}

$msz->authInfo->setInfo($tokenInfo, $userInfo, $sessionInfo, $userInfoReal);

CSRF::init(
    $msz->config->getString('csrf.secret', 'soup'),
    ($msz->authInfo->isLoggedIn ? $sessionInfo->token : $_SERVER['REMOTE_ADDR'])
);

// order for these two currently matters i think: it shouldn't.
$router = $msz->createRouting();
$msz->startTemplating();

$mszRequestPath = substr($request->getPath(), 1);
$mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;

if(str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
    $mszLegacyPathReal = realpath($mszLegacyPath);
    if($mszLegacyPath === $mszLegacyPathReal || $mszLegacyPath === $mszLegacyPathReal . '/') {
        if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
            Template::throwError(403);

        if(is_dir($mszLegacyPath))
            $mszLegacyPath .= '/index.php';

        if(is_file($mszLegacyPath)) {
            require_once $mszLegacyPath;
            return;
        }
    }
}

$router->dispatch($request);
Imported into new repository. 2022-09-13 13:14:49 +00:00			`<?php`
			`namespace Misuzu;`

Normalised custom exception usage in user classes. Also updated the Index library to include the MediaType fix. 2023-07-22 15:02:41 +00:00			`use RuntimeException;`
Updated to latest Index version. 2024-10-05 02:40:29 +00:00			`use Misuzu\Auth\{AuthTokenBuilder,AuthTokenCookie,AuthTokenInfo};`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Imported into new repository. 2022-09-13 13:14:49 +00:00			`require_once __DIR__ . '/../misuzu.php';`

Fixed PHPstan detections. 2024-12-02 02:28:08 +00:00			`if(!isset($msz) \|\| !($msz instanceof \Misuzu\MisuzuContext))`
			`die('Misuzu is not initialised.');`

Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`set_exception_handler(function(\Throwable $ex) {`
Added Sentry error logging on the server side. 2023-09-10 20:46:58 +00:00			`\Sentry\captureException($ex);`

Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`http_response_code(500);`
			`ob_clean();`

			`if(MSZ_DEBUG) {`
			`header('Content-Type: text/plain; charset=utf-8');`
			`echo (string)$ex;`
			`} else {`
			`header('Content-Type: text/html; charset=utf-8');`
			`echo file_get_contents(MSZ_TEMPLATES . '/500.html');`
			`}`
			`exit;`
			`});`

			`// The whole wall of shit before the router setup and dispatch should be worked away`
			`// Lockdown things should be middleware when there's no more legacy files`

Imported into new repository. 2022-09-13 13:14:49 +00:00			`$request = \Index\Http\HttpRequest::fromRequest();`

Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`ob_start();`

			`if(file_exists(MSZ_ROOT . '/.migrating')) {`
			`http_response_code(503);`
			`if(!isset($_GET['_check'])) {`
			`header('Content-Type: text/html; charset=utf-8');`
			`echo file_get_contents(MSZ_TEMPLATES . '/503.html');`
			`}`
			`exit;`
			`}`

Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`$tokenPacker = $msz->authCtx->createAuthTokenPacker();`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`if(filter_has_var(INPUT_COOKIE, 'msz_auth'))`
			`$tokenInfo = $tokenPacker->unpack(filter_input(INPUT_COOKIE, 'msz_auth'));`
			`elseif(filter_has_var(INPUT_COOKIE, 'msz_uid') && filter_has_var(INPUT_COOKIE, 'msz_sid')) {`
			`$tokenBuilder = new AuthTokenBuilder;`
			`$tokenBuilder->setUserId((string)filter_input(INPUT_COOKIE, 'msz_uid', FILTER_SANITIZE_NUMBER_INT));`
			`$tokenBuilder->setSessionToken((string)filter_input(INPUT_COOKIE, 'msz_sid'));`
			`$tokenInfo = $tokenBuilder->toInfo();`
			`$tokenBuilder = null;`
			`} else`
			`$tokenInfo = AuthTokenInfo::empty();`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$userInfo = null;`
			`$sessionInfo = null;`
			`$userInfoReal = null;`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`if($tokenInfo->hasUserId && $tokenInfo->hasSessionToken) {`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$tokenBuilder = new AuthTokenBuilder($tokenInfo);`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
			`try {`
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`$sessionInfo = $msz->authCtx->sessions->getSession(sessionToken: $tokenInfo->sessionToken);`
Rewrote Sessions backend. 2023-07-28 20:06:12 +00:00
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`if($sessionInfo->expired) {`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$tokenBuilder->removeUserId();`
			`$tokenBuilder->removeSessionToken();`
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`} elseif($sessionInfo->userId === $tokenInfo->userId) {`
			`$userInfo = $msz->usersCtx->users->getUser($tokenInfo->userId, 'id');`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`if($userInfo->deleted) {`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$tokenBuilder->removeUserId();`
			`$tokenBuilder->removeSessionToken();`
			`} else {`
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`$msz->usersCtx->users->recordUserActivity($userInfo, remoteAddr: $_SERVER['REMOTE_ADDR']);`
			`$msz->authCtx->sessions->recordSessionActivity(sessionInfo: $sessionInfo, remoteAddr: $_SERVER['REMOTE_ADDR']);`
			`if($sessionInfo->shouldBumpExpires)`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$tokenBuilder->setEdited();`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`if($tokenInfo->hasImpersonatedUserId) {`
			`$allowToImpersonate = $userInfo->super;`
			`$impersonatedUserId = $tokenInfo->impersonatedUserId;`
Allow non-super users to impersonate select users. 2023-07-28 21:20:19 +00:00
			`if(!$allowToImpersonate) {`
Fixed PHPstan detections. 2024-12-02 02:28:08 +00:00			`$allowImpersonateUsers = $msz->config->getArray(sprintf('impersonate.allow.u%s', $userInfo->id));`
Allow non-super users to impersonate select users. 2023-07-28 21:20:19 +00:00			`$allowToImpersonate = in_array((string)$impersonatedUserId, $allowImpersonateUsers, true);`
			`}`

			`if($allowToImpersonate) {`
			`$userInfoReal = $userInfo;`

			`try {`
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`$userInfo = $msz->usersCtx->users->getUser($impersonatedUserId, 'id');`
Allow non-super users to impersonate select users. 2023-07-28 21:20:19 +00:00			`} catch(RuntimeException $ex) {`
			`$userInfo = $userInfoReal;`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$userInfoReal = null;`
			`$tokenBuilder->removeImpersonatedUserId();`
Allow non-super users to impersonate select users. 2023-07-28 21:20:19 +00:00			`}`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`} else $tokenBuilder->removeImpersonatedUserId();`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`}`
			`}`
			`}`
Normalised custom exception usage in user classes. Also updated the Index library to include the MediaType fix. 2023-07-22 15:02:41 +00:00			`} catch(RuntimeException $ex) {`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$tokenBuilder->removeUserId();`
			`$tokenBuilder->removeSessionToken();`
			`$tokenBuilder->removeImpersonatedUserId();`
			`$userInfo = null;`
			`$sessionInfo = null;`
			`$userInfoReal = null;`
			`}`

			`if($tokenBuilder->isEdited()) {`
			`$tokenInfo = $tokenBuilder->toInfo();`
			`AuthTokenCookie::apply($tokenPacker->pack($tokenInfo));`
Rewrote the user information class. This one took multiple days and it pretty invasive into the core of Misuzu so issue might (will) arise, there's also some features that have gone temporarily missing in the mean time and some inefficiencies introduced that will be fixed again at a later time. The old class isn't gone entirely because I still have to figure out what I'm gonna do about validation, but for the most part this knocks out one of the "layers of backwards compatibility", as I've been referring to it, and is moving us closer to a future where Flashii actually gets real updates. If you run into anything that's broken and you're inhibited from reporting it through the forum, do it through chat or mail me at flashii-issues@flash.moe. 2023-08-02 22:12:47 +00:00			`}`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`}`

Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`$msz->authInfo->setInfo($tokenInfo, $userInfo, $sessionInfo, $userInfoReal);`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`CSRF::init(`
Fixed PHPstan detections. 2024-12-02 02:28:08 +00:00			`$msz->config->getString('csrf.secret', 'soup'),`
Removed getter/setter methods in favour of property hooks and asymmetric visibility. 2024-11-30 04:09:29 +00:00			`($msz->authInfo->isLoggedIn ? $sessionInfo->token : $_SERVER['REMOTE_ADDR'])`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`);`

Added URL registry attributes. 2023-09-10 00:04:53 +00:00			`// order for these two currently matters i think: it shouldn't.`
			`$router = $msz->createRouting();`
Switch to Sasae. 2023-08-31 21:33:34 +00:00			`$msz->startTemplating();`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Fixed legacy paths being too / tolerant. 2023-09-11 20:15:44 +00:00			`$mszRequestPath = substr($request->getPath(), 1);`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`$mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';`
Fixed legacy paths being too / tolerant. 2023-09-11 20:15:44 +00:00			`$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00
Fixed PHPstan detections. 2024-12-02 02:28:08 +00:00			`if(str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {`
Fixed legacy paths being too / tolerant. 2023-09-11 20:15:44 +00:00			`$mszLegacyPathReal = realpath($mszLegacyPath);`
Fixed chat routes being broken. 2023-09-11 20:36:20 +00:00			`if($mszLegacyPath === $mszLegacyPathReal \|\| $mszLegacyPath === $mszLegacyPathReal . '/') {`
			`if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())`
			`Template::throwError(403);`
Fixed legacy paths being too / tolerant. 2023-09-11 20:15:44 +00:00
Fixed chat routes being broken. 2023-09-11 20:36:20 +00:00			`if(is_dir($mszLegacyPath))`
			`$mszLegacyPath .= '/index.php';`
Switch to Sasae. 2023-08-31 21:33:34 +00:00
Fixed chat routes being broken. 2023-09-11 20:36:20 +00:00			`if(is_file($mszLegacyPath)) {`
			`require_once $mszLegacyPath;`
			`return;`
			`}`
Restructured public folder and initialisation process. 2023-07-19 19:03:53 +00:00			`}`
			`}`

Added URL registry attributes. 2023-09-10 00:04:53 +00:00			`$router->dispatch($request);`