authCtx->createAuthTokenPacker(); if(filter_has_var(INPUT_COOKIE, 'msz_auth')) $tokenInfo = $tokenPacker->unpack(filter_input(INPUT_COOKIE, 'msz_auth')); elseif(filter_has_var(INPUT_COOKIE, 'msz_uid') && filter_has_var(INPUT_COOKIE, 'msz_sid')) { $tokenBuilder = new AuthTokenBuilder; $tokenBuilder->setUserId((string)filter_input(INPUT_COOKIE, 'msz_uid', FILTER_SANITIZE_NUMBER_INT)); $tokenBuilder->setSessionToken((string)filter_input(INPUT_COOKIE, 'msz_sid')); $tokenInfo = $tokenBuilder->toInfo(); $tokenBuilder = null; } else $tokenInfo = AuthTokenInfo::empty(); $userInfo = null; $sessionInfo = null; $userInfoReal = null; if($tokenInfo->hasUserId && $tokenInfo->hasSessionToken) { $tokenBuilder = new AuthTokenBuilder($tokenInfo); try { $sessionInfo = $msz->authCtx->sessions->getSession(sessionToken: $tokenInfo->sessionToken); if($sessionInfo->expired) { $tokenBuilder->removeUserId(); $tokenBuilder->removeSessionToken(); } elseif($sessionInfo->userId === $tokenInfo->userId) { $userInfo = $msz->usersCtx->users->getUser($tokenInfo->userId, 'id'); if($userInfo->deleted) { $tokenBuilder->removeUserId(); $tokenBuilder->removeSessionToken(); } else { $msz->usersCtx->users->recordUserActivity($userInfo, remoteAddr: $_SERVER['REMOTE_ADDR']); $msz->authCtx->sessions->recordSessionActivity(sessionInfo: $sessionInfo, remoteAddr: $_SERVER['REMOTE_ADDR']); if($sessionInfo->shouldBumpExpires) $tokenBuilder->setEdited(); if($tokenInfo->hasImpersonatedUserId) { $allowToImpersonate = $userInfo->super; $impersonatedUserId = $tokenInfo->impersonatedUserId; if(!$allowToImpersonate) { $allowImpersonateUsers = $cfg->getArray(sprintf('impersonate.allow.u%s', $userInfo->id)); $allowToImpersonate = in_array((string)$impersonatedUserId, $allowImpersonateUsers, true); } if($allowToImpersonate) { $userInfoReal = $userInfo; try { $userInfo = $msz->usersCtx->users->getUser($impersonatedUserId, 'id'); } catch(RuntimeException $ex) { $userInfo = $userInfoReal; $userInfoReal = null; $tokenBuilder->removeImpersonatedUserId(); } } else $tokenBuilder->removeImpersonatedUserId(); } } } } catch(RuntimeException $ex) { $tokenBuilder->removeUserId(); $tokenBuilder->removeSessionToken(); $tokenBuilder->removeImpersonatedUserId(); $userInfo = null; $sessionInfo = null; $userInfoReal = null; } if($tokenBuilder->isEdited()) { $tokenInfo = $tokenBuilder->toInfo(); AuthTokenCookie::apply($tokenPacker->pack($tokenInfo)); } } $msz->authInfo->setInfo($tokenInfo, $userInfo, $sessionInfo, $userInfoReal); CSRF::init( $cfg->getString('csrf.secret', 'soup'), ($msz->authInfo->isLoggedIn ? $sessionInfo->token : $_SERVER['REMOTE_ADDR']) ); // order for these two currently matters i think: it shouldn't. $router = $msz->createRouting(); $msz->startTemplating(); $mszRequestPath = substr($request->getPath(), 1); $mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/'; $mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath; if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) { $mszLegacyPathReal = realpath($mszLegacyPath); if($mszLegacyPath === $mszLegacyPathReal || $mszLegacyPath === $mszLegacyPathReal . '/') { if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess()) Template::throwError(403); if(is_dir($mszLegacyPath)) $mszLegacyPath .= '/index.php'; if(is_file($mszLegacyPath)) { require_once $mszLegacyPath; return; } } } $router->dispatch($request);