2017-12-16 20:17:29 +01:00
|
|
|
<?php
|
2019-09-29 00:38:39 +02:00
|
|
|
namespace Misuzu;
|
|
|
|
|
|
2023-07-22 15:02:45 +00:00
|
|
|
use RuntimeException;
|
2024-10-05 02:40:29 +00:00
|
|
|
use Misuzu\Auth\{AuthTokenBuilder,AuthTokenCookie,AuthTokenInfo};
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2020-05-16 22:35:11 +00:00
|
|
|
require_once __DIR__ . '/../misuzu.php';
|
2018-01-03 22:39:01 +01:00
|
|
|
|
2024-12-02 02:28:08 +00:00
|
|
|
if(!isset($msz) || !($msz instanceof \Misuzu\MisuzuContext))
|
|
|
|
|
die('Misuzu is not initialised.');
|
|
|
|
|
|
2023-07-19 19:03:53 +00:00
|
|
|
// The whole wall of shit before the router setup and dispatch should be worked away
|
|
|
|
|
// Lockdown things should be middleware when there's no more legacy files
|
|
|
|
|
|
|
|
|
|
ob_start();
|
|
|
|
|
|
2025-02-09 20:44:10 +00:00
|
|
|
if(is_file($msz->dbCtx->getMigrateLockPath())) {
|
2023-07-19 19:03:53 +00:00
|
|
|
http_response_code(503);
|
2025-01-30 14:52:01 +00:00
|
|
|
header('Content-Type: text/html; charset=utf-8');
|
|
|
|
|
header('X-Accel-Redirect: /error-503.html');
|
2023-07-19 19:03:53 +00:00
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-09 20:44:10 +00:00
|
|
|
$request = \Index\Http\HttpRequest::fromRequest();
|
|
|
|
|
|
2024-11-30 04:09:29 +00:00
|
|
|
$tokenPacker = $msz->authCtx->createAuthTokenPacker();
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2023-08-03 01:35:08 +00:00
|
|
|
if(filter_has_var(INPUT_COOKIE, 'msz_auth'))
|
|
|
|
|
$tokenInfo = $tokenPacker->unpack(filter_input(INPUT_COOKIE, 'msz_auth'));
|
|
|
|
|
elseif(filter_has_var(INPUT_COOKIE, 'msz_uid') && filter_has_var(INPUT_COOKIE, 'msz_sid')) {
|
|
|
|
|
$tokenBuilder = new AuthTokenBuilder;
|
|
|
|
|
$tokenBuilder->setUserId((string)filter_input(INPUT_COOKIE, 'msz_uid', FILTER_SANITIZE_NUMBER_INT));
|
|
|
|
|
$tokenBuilder->setSessionToken((string)filter_input(INPUT_COOKIE, 'msz_sid'));
|
|
|
|
|
$tokenInfo = $tokenBuilder->toInfo();
|
|
|
|
|
$tokenBuilder = null;
|
|
|
|
|
} else
|
|
|
|
|
$tokenInfo = AuthTokenInfo::empty();
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2023-08-03 01:35:08 +00:00
|
|
|
$userInfo = null;
|
|
|
|
|
$sessionInfo = null;
|
|
|
|
|
$userInfoReal = null;
|
2025-01-29 18:19:33 +00:00
|
|
|
$remoteAddr = (string)filter_input(INPUT_SERVER, 'REMOTE_ADDR');
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2024-11-30 04:09:29 +00:00
|
|
|
if($tokenInfo->hasUserId && $tokenInfo->hasSessionToken) {
|
2023-08-03 01:35:08 +00:00
|
|
|
$tokenBuilder = new AuthTokenBuilder($tokenInfo);
|
2023-07-19 19:03:53 +00:00
|
|
|
|
|
|
|
|
try {
|
2024-11-30 04:09:29 +00:00
|
|
|
$sessionInfo = $msz->authCtx->sessions->getSession(sessionToken: $tokenInfo->sessionToken);
|
2023-07-28 20:06:12 +00:00
|
|
|
|
2024-11-30 04:09:29 +00:00
|
|
|
if($sessionInfo->expired) {
|
2023-08-03 01:35:08 +00:00
|
|
|
$tokenBuilder->removeUserId();
|
|
|
|
|
$tokenBuilder->removeSessionToken();
|
2024-11-30 04:09:29 +00:00
|
|
|
} elseif($sessionInfo->userId === $tokenInfo->userId) {
|
|
|
|
|
$userInfo = $msz->usersCtx->users->getUser($tokenInfo->userId, 'id');
|
2023-08-03 01:35:08 +00:00
|
|
|
|
2024-11-30 04:09:29 +00:00
|
|
|
if($userInfo->deleted) {
|
2023-08-03 01:35:08 +00:00
|
|
|
$tokenBuilder->removeUserId();
|
|
|
|
|
$tokenBuilder->removeSessionToken();
|
|
|
|
|
} else {
|
2025-01-28 21:14:48 +00:00
|
|
|
$msz->usersCtx->users->recordUserActivity($userInfo, remoteAddr: $remoteAddr);
|
|
|
|
|
$msz->authCtx->sessions->recordSessionActivity(sessionInfo: $sessionInfo, remoteAddr: $remoteAddr);
|
2024-11-30 04:09:29 +00:00
|
|
|
if($sessionInfo->shouldBumpExpires)
|
2023-08-03 01:35:08 +00:00
|
|
|
$tokenBuilder->setEdited();
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2024-11-30 04:09:29 +00:00
|
|
|
if($tokenInfo->hasImpersonatedUserId) {
|
|
|
|
|
$allowToImpersonate = $userInfo->super;
|
|
|
|
|
$impersonatedUserId = $tokenInfo->impersonatedUserId;
|
2023-07-28 21:20:19 +00:00
|
|
|
|
|
|
|
|
if(!$allowToImpersonate) {
|
2024-12-02 02:28:08 +00:00
|
|
|
$allowImpersonateUsers = $msz->config->getArray(sprintf('impersonate.allow.u%s', $userInfo->id));
|
2023-07-28 21:20:19 +00:00
|
|
|
$allowToImpersonate = in_array((string)$impersonatedUserId, $allowImpersonateUsers, true);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if($allowToImpersonate) {
|
|
|
|
|
$userInfoReal = $userInfo;
|
|
|
|
|
|
|
|
|
|
try {
|
2024-11-30 04:09:29 +00:00
|
|
|
$userInfo = $msz->usersCtx->users->getUser($impersonatedUserId, 'id');
|
2023-07-28 21:20:19 +00:00
|
|
|
} catch(RuntimeException $ex) {
|
|
|
|
|
$userInfo = $userInfoReal;
|
2023-08-03 01:35:08 +00:00
|
|
|
$userInfoReal = null;
|
|
|
|
|
$tokenBuilder->removeImpersonatedUserId();
|
2023-07-28 21:20:19 +00:00
|
|
|
}
|
2023-08-03 01:35:08 +00:00
|
|
|
} else $tokenBuilder->removeImpersonatedUserId();
|
2023-07-19 19:03:53 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-07-22 15:02:45 +00:00
|
|
|
} catch(RuntimeException $ex) {
|
2023-08-03 01:35:08 +00:00
|
|
|
$tokenBuilder->removeUserId();
|
|
|
|
|
$tokenBuilder->removeSessionToken();
|
|
|
|
|
$tokenBuilder->removeImpersonatedUserId();
|
|
|
|
|
$userInfo = null;
|
|
|
|
|
$sessionInfo = null;
|
|
|
|
|
$userInfoReal = null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if($tokenBuilder->isEdited()) {
|
|
|
|
|
$tokenInfo = $tokenBuilder->toInfo();
|
|
|
|
|
AuthTokenCookie::apply($tokenPacker->pack($tokenInfo));
|
2023-08-02 22:12:47 +00:00
|
|
|
}
|
2023-07-19 19:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
2024-11-30 04:09:29 +00:00
|
|
|
$msz->authInfo->setInfo($tokenInfo, $userInfo, $sessionInfo, $userInfoReal);
|
2023-08-03 01:35:08 +00:00
|
|
|
|
2023-07-19 19:03:53 +00:00
|
|
|
CSRF::init(
|
2024-12-02 02:28:08 +00:00
|
|
|
$msz->config->getString('csrf.secret', 'soup'),
|
2025-02-02 02:09:56 +00:00
|
|
|
($msz->authInfo->loggedIn ? $sessionInfo->token : $remoteAddr)
|
2023-07-19 19:03:53 +00:00
|
|
|
);
|
|
|
|
|
|
2023-09-10 00:04:53 +00:00
|
|
|
// order for these two currently matters i think: it shouldn't.
|
2025-01-29 00:25:53 +00:00
|
|
|
$router = $msz->createRouting($request);
|
2023-08-31 21:33:34 +00:00
|
|
|
$msz->startTemplating();
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2025-02-09 23:34:28 +00:00
|
|
|
if($msz->domainRoles->hasRole($request->getHeaderLine('Host'), 'main')) {
|
2025-01-29 23:13:17 +00:00
|
|
|
$mszRequestPath = substr($request->path, 1);
|
2025-02-09 20:44:10 +00:00
|
|
|
$mszLegacyPathPrefix = Misuzu::PATH_PUBLIC_LEGACY . '/';
|
2025-01-29 00:25:53 +00:00
|
|
|
$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;
|
2023-07-19 19:03:53 +00:00
|
|
|
|
2025-01-29 00:25:53 +00:00
|
|
|
if(str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
|
|
|
|
|
$mszLegacyPathReal = realpath($mszLegacyPath);
|
|
|
|
|
if($mszLegacyPath === $mszLegacyPathReal || $mszLegacyPath === $mszLegacyPathReal . '/') {
|
2025-01-30 14:55:09 +00:00
|
|
|
if(str_starts_with($mszRequestPath, 'manage') && !$msz->hasManageAccess())
|
2025-01-29 00:25:53 +00:00
|
|
|
Template::throwError(403);
|
2023-09-11 20:15:48 +00:00
|
|
|
|
2025-01-29 00:25:53 +00:00
|
|
|
if(is_dir($mszLegacyPath))
|
|
|
|
|
$mszLegacyPath .= '/index.php';
|
2023-08-31 21:33:34 +00:00
|
|
|
|
2025-01-29 00:25:53 +00:00
|
|
|
if(is_file($mszLegacyPath)) {
|
|
|
|
|
require_once $mszLegacyPath;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2023-09-11 20:36:20 +00:00
|
|
|
}
|
2023-07-19 19:03:53 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-10 00:04:53 +00:00
|
|
|
$router->dispatch($request);
|
