misuzu/misuzu.php

<?php
namespace Misuzu;

use Misuzu\Database\{ Database, DatabaseMigrationManager };
use PDO;

define('MSZ_STARTUP', microtime(true));
define('MSZ_ROOT', __DIR__);
define('MSZ_DEBUG', is_file(MSZ_ROOT . '/.debug'));
define('MSZ_PHP_MIN_VER', '7.4.0');

if(version_compare(PHP_VERSION, MSZ_PHP_MIN_VER, '<')) {
    die('Misuzu requires <i>at least</i> PHP <b>' . MSZ_PHP_MIN_VER . '</b> to run.');
}

error_reporting(MSZ_DEBUG ? -1 : 0);
ini_set('display_errors', MSZ_DEBUG ? 'On' : 'Off');

date_default_timezone_set('UTC');
mb_internal_encoding('UTF-8');
set_include_path(get_include_path() . PATH_SEPARATOR . MSZ_ROOT);

require_once 'vendor/autoload.php';

$errorHandler = new \Whoops\Run;
$errorHandler->pushHandler(
    PHP_SAPI === 'cli'
    ? new \Whoops\Handler\PlainTextHandler
    : (
        MSZ_DEBUG
        ? new \Whoops\Handler\PrettyPageHandler
        : ($errorReporter = new WhoopsReporter)
    )
);
$errorHandler->register();

require_once 'src/array.php';
require_once 'src/audit_log.php';
require_once 'src/changelog.php';
require_once 'src/colour.php';
require_once 'src/comments.php';
require_once 'src/csrf.php';
require_once 'src/emotes.php';
require_once 'src/general.php';
require_once 'src/git.php';
require_once 'src/integer.php';
require_once 'src/mail.php';
require_once 'src/manage.php';
require_once 'src/news.php';
require_once 'src/otp.php';
require_once 'src/pagination.php';
require_once 'src/perms.php';
require_once 'src/string.php';
require_once 'src/tpl.php';
require_once 'src/twitter.php';
require_once 'src/url.php';
require_once 'src/zalgo.php';
require_once 'src/Forum/forum.php';
require_once 'src/Forum/leaderboard.php';
require_once 'src/Forum/perms.php';
require_once 'src/Forum/poll.php';
require_once 'src/Forum/post.php';
require_once 'src/Forum/topic.php';
require_once 'src/Forum/validate.php';
require_once 'src/Net/geoip.php';
require_once 'src/Net/ip.php';
require_once 'src/Parsers/parse.php';
require_once 'src/Users/auth.php';
require_once 'src/Users/avatar.php';
require_once 'src/Users/background.php';
require_once 'src/Users/login_attempt.php';
require_once 'src/Users/object.php';
require_once 'src/Users/recovery.php';
require_once 'src/Users/relations.php';
require_once 'src/Users/role.php';
require_once 'src/Users/session.php';
require_once 'src/Users/user.php';
require_once 'src/Users/validation.php';
require_once 'src/Users/warning.php';

$dbConfig = parse_ini_file(MSZ_ROOT . '/config/config.ini', true, INI_SCANNER_TYPED);

if(empty($dbConfig)) {
    echo 'Database config is missing.';
    exit;
}

$dbConfig = $dbConfig['Database'] ?? $dbConfig['Database.mysql-main'] ?? [];

DB::init(DB::buildDSN($dbConfig), $dbConfig['username'] ?? '', $dbConfig['password'] ?? '', [
    PDO::ATTR_CASE => PDO::CASE_NATURAL,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_ORACLE_NULLS => PDO::NULL_NATURAL,
    PDO::ATTR_STRINGIFY_FETCHES => false,
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::MYSQL_ATTR_INIT_COMMAND => "
        SET SESSION
            sql_mode = 'STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION',
            time_zone = '+00:00';
    ",
]);

Config::init();
mail_settings([
    'method' => Config::get('mail.method', Config::TYPE_STR),
    'host' => Config::get('mail.host', Config::TYPE_STR),
    'port' => Config::get('mail.port', Config::TYPE_INT, 587),
    'encryption' => Config::get('mail.encryption', Config::TYPE_STR),
    'username' => Config::get('mail.username', Config::TYPE_STR),
    'password' => Config::get('mail.password', Config::TYPE_STR),
    'sender_email' => Config::get('mail.sender.address', Config::TYPE_STR),
    'sender_name' => Config::get('mail.sender.name', Config::TYPE_STR),
]);

if(!empty($errorReporter)) {
    $errorReporter->setReportInfo(
        Config::get('error_report.url', Config::TYPE_STR),
        Config::get('error_report.secret', Config::TYPE_STR)
    );
}

// replace this with a better storage mechanism
define('MSZ_STORAGE', Config::get('storage.path', Config::TYPE_STR, MSZ_ROOT . '/store'));
mkdirs(MSZ_STORAGE, true);

if(PHP_SAPI === 'cli') {
    if(realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
        switch($argv[1] ?? null) {
            case 'cron':
                $runLowFreq = (bool)(!empty($argv[2]) && $argv[2] == 'low');

                $cronTasks = [
                    [
                        'name' => 'Ensures main role exists.',
                        'type' => 'sql',
                        'run' => $runLowFreq,
                        'command' => "
                            INSERT IGNORE INTO `msz_roles`
                                (`role_id`, `role_name`, `role_hierarchy`, `role_colour`, `role_description`, `role_created`)
                            VALUES
                                (1, 'Member', 1, 1073741824, NULL, NOW())
                        ",
                    ],
                    [
                        'name' => 'Ensures all users are in the main role.',
                        'type' => 'sql',
                        'run' => $runLowFreq,
                        'command' => "
                            INSERT INTO `msz_user_roles`
                                (`user_id`, `role_id`)
                            SELECT `user_id`, 1 FROM `msz_users` as u
                            WHERE NOT EXISTS (
                                SELECT 1
                                FROM `msz_user_roles` as ur
                                WHERE `role_id` = 1
                                AND u.`user_id` = ur.`user_id`
                            )
                        ",
                    ],
                    [
                        'name' => 'Ensures all display_role values are correct with `msz_user_roles`.',
                        'type' => 'sql',
                        'run' => $runLowFreq,
                        'command' => "
                            UPDATE `msz_users` as u
                            SET `display_role` = (
                                 SELECT ur.`role_id`
                                 FROM `msz_user_roles` as ur
                                 LEFT JOIN `msz_roles` as r
                                 ON r.`role_id` = ur.`role_id`
                                 WHERE ur.`user_id` = u.`user_id`
                                 ORDER BY `role_hierarchy` DESC
                                 LIMIT 1
                            )
                            WHERE NOT EXISTS (
                                SELECT 1
                                FROM `msz_user_roles` as ur
                                WHERE ur.`role_id` = u.`display_role`
                                AND `ur`.`user_id` = u.`user_id`
                            )
                        ",
                    ],
                    [
                        'name' => 'Remove expired sessions.',
                        'type' => 'sql',
                        'run' => true,
                        'command' => "
                            DELETE FROM `msz_sessions`
                            WHERE `session_expires` < NOW()
                        ",
                    ],
                    [
                        'name' => 'Remove old password reset records.',
                        'type' => 'sql',
                        'run' => true,
                        'command' => "
                            DELETE FROM `msz_users_password_resets`
                            WHERE `reset_requested` < NOW() - INTERVAL 1 WEEK
                        ",
                    ],
                    [
                        'name' => 'Clean up login history.',
                        'type' => 'sql',
                        'run' => true,
                        'command' => "
                            DELETE FROM `msz_login_attempts`
                            WHERE `attempt_created` < NOW() - INTERVAL 1 MONTH
                        ",
                    ],
                    [
                        'name' => 'Clean up audit log.',
                        'type' => 'sql',
                        'run' => true,
                        'command' => "
                            DELETE FROM `msz_audit_log`
                            WHERE `log_created` < NOW() - INTERVAL 3 MONTH
                        ",
                    ],
                    [
                        'name' => 'Remove stale forum tracking entries.',
                        'type' => 'sql',
                        'run' => true,
                        'command' => "
                            DELETE tt FROM `msz_forum_topics_track` as tt
                            LEFT JOIN `msz_forum_topics` as t
                            ON t.`topic_id` = tt.`topic_id`
                            WHERE t.`topic_bumped` < NOW() - INTERVAL 1 MONTH
                        ",
                    ],
                    [
                        'name' => 'Synchronise forum_id.',
                        'type' => 'sql',
                        'run' => $runLowFreq,
                        'command' => "
                            UPDATE `msz_forum_posts` AS p
                            INNER JOIN `msz_forum_topics` AS t
                            ON t.`topic_id` = p.`topic_id`
                            SET p.`forum_id` = t.`forum_id`
                        ",
                    ],
                    [
                        'name' => 'Recount forum topics and posts.',
                        'type' => 'func',
                        'run' => $runLowFreq,
                        'command' => 'forum_count_synchronise',
                    ],
                    [
                        'name' => 'Clean up expired tfa tokens.',
                        'type' => 'sql',
                        'run' => true,
                        'command' => "
                            DELETE FROM `msz_auth_tfa`
                            WHERE `tfa_created` < NOW() - INTERVAL 15 MINUTE
                        ",
                    ],
                ];

                foreach($cronTasks as $cronTask) {
                    if($cronTask['run']) {
                        echo $cronTask['name'] . PHP_EOL;

                        switch($cronTask['type']) {
                            case 'sql':
                                DB::exec($cronTask['command']);
                                break;

                            case 'func':
                                call_user_func($cronTask['command']);
                                break;
                        }
                    }
                }
                break;

            case 'migrate':
                $doRollback = !empty($argv[2]) && $argv[2] === 'rollback';

                touch(MSZ_ROOT . '/.migrating');

                echo "Creating migration manager.." . PHP_EOL;
                $migrationManager = new DatabaseMigrationManager(DB::getPDO(), MSZ_ROOT . '/database');
                $migrationManager->setLogger(function ($log) {
                    echo $log . PHP_EOL;
                });

                if($doRollback) {
                    $migrationManager->rollback();
                } else {
                    $migrationManager->migrate();
                }

                $errors = $migrationManager->getErrors();
                $errorCount = count($errors);

                if($errorCount < 1) {
                    echo 'Completed with no errors!' . PHP_EOL;
                } else {
                    echo PHP_EOL . "There were {$errorCount} errors during the migrations..." . PHP_EOL;

                    foreach($errors as $error) {
                        echo $error . PHP_EOL;
                    }
                }

                unlink(MSZ_ROOT . '/.migrating');
                break;

            case 'new-mig':
                if(empty($argv[2])) {
                    echo 'Specify a migration name.' . PHP_EOL;
                    return;
                }

                if(!preg_match('#^([a-z_]+)$#', $argv[2])) {
                    echo 'Migration name may only contain alpha and _ characters.' . PHP_EOL;
                    return;
                }

                $filename = date('Y_m_d_His_') . trim($argv[2], '_') . '.php';
                $filepath = MSZ_ROOT . '/database/' . $filename;
                $namespace = snake_to_camel($argv[2]);
                $template = <<<MIG
<?php
namespace Misuzu\DatabaseMigrations\\$namespace;

use PDO;

function migrate_up(PDO \$conn): void {
    \$conn->exec("
        CREATE TABLE ...
    ");
}

function migrate_down(PDO \$conn): void {
    \$conn->exec("
        DROP TABLE ...
    ");
}

MIG;

                file_put_contents($filepath, $template);

                echo "Template for '{$namespace}' has been created." . PHP_EOL;
                break;

            case 'twitter-auth':
                $apiKey = Config::get('twitter.api.key', Config::TYPE_STR);
                $apiSecret = Config::get('twitter.api.secret', Config::TYPE_STR);

                if(empty($apiKey) || empty($apiSecret)) {
                    echo 'No Twitter api keys set in config.' . PHP_EOL;
                    break;
                }

                twitter_init($apiKey, $apiSecret);
                echo 'Twitter Authentication' . PHP_EOL;

                $authPage = twitter_auth_create();

                if(empty($authPage)) {
                    echo 'Request to begin authentication failed.' . PHP_EOL;
                    break;
                }

                echo 'Go to the page below and paste the pin code displayed.' . PHP_EOL . $authPage . PHP_EOL;

                $pin = readline('Pin: ');
                $authComplete = twitter_auth_complete($pin);

                if(empty($authComplete)) {
                    echo 'Invalid pin code.' . PHP_EOL;
                    break;
                }

                echo 'Authentication successful!' . PHP_EOL
                    . "Token: {$authComplete['token']}" . PHP_EOL
                    . "Token Secret: {$authComplete['token_secret']}" . PHP_EOL;
                break;

            default:
                echo 'Unknown command.' . PHP_EOL;
                break;
        }
    }
} else {
    if(!mb_check_encoding()) {
        http_response_code(415);
        echo 'Invalid request encoding.';
        exit;
    }

    ob_start();

    if(!is_readable(MSZ_STORAGE) || !is_writable(MSZ_STORAGE)) {
        echo 'Cannot access storage directory.';
        exit;
    }

    geoip_init(Config::get('geoip.database', Config::TYPE_STR, '/var/lib/GeoIP/GeoLite2-Country.mmdb'));

    if(!MSZ_DEBUG) {
        $twigCache = sys_get_temp_dir() . '/msz-tpl-cache-' . md5(MSZ_ROOT);
        mkdirs($twigCache, true);
    }

    tpl_init([
        'debug' => MSZ_DEBUG,
        'auto_reload' => MSZ_DEBUG,
        'cache' => $twigCache ?? false,
    ]);

    tpl_var('globals', [
        'site_name' => Config::get('site.name', Config::TYPE_STR, 'Misuzu'),
        'site_description' => Config::get('site.desc', Config::TYPE_STR),
        'site_url' => Config::get('site.url', Config::TYPE_STR),
        'site_twitter' => Config::get('social.twitter', Config::TYPE_STR),
    ]);

    tpl_add_path(MSZ_ROOT . '/templates');

    if(file_exists(MSZ_ROOT . '/.migrating')) {
        http_response_code(503);
        echo tpl_render('home.migration');
        exit;
    }

    // Remove this block at the start of April, 2 months is plenty for this to propagate
    if(!empty($_COOKIE['msz_uid']) && !empty($_COOKIE['msz_sid'])
        && ctype_digit($_COOKIE['msz_uid']) && ctype_xdigit($_COOKIE['msz_sid'])
        && strlen($_COOKIE['msz_sid']) === 64) {
        $_COOKIE['msz_auth'] = Base64::decode(user_session_cookie_pack($_COOKIE['msz_uid'], $_COOKIE['msz_sid']), true);
        setcookie('msz_auth', $_COOKIE['msz_auth'], strtotime('1 year'), '/', '', !empty($_SERVER['HTTPS']), true);
        setcookie('msz_uid', '', -3600, '/', '', !empty($_SERVER['HTTPS']), true);
        setcookie('msz_sid', '', -3600, '/', '', !empty($_SERVER['HTTPS']), true);
    }

    if(!empty($_COOKIE['msz_auth']) && is_string($_COOKIE['msz_auth'])) {
        $cookieData = user_session_cookie_unpack(Base64::decode($_COOKIE['msz_auth'], true));

        if(!empty($cookieData) && user_session_start($cookieData['user_id'], $cookieData['session_token'])) {
            $userDisplayInfo = DB::prepare('
                SELECT
                    u.`user_id`, u.`username`, u.`user_background_settings`, u.`user_deleted`,
                    COALESCE(u.`user_colour`, r.`role_colour`) AS `user_colour`
                FROM `msz_users` AS u
                LEFT JOIN `msz_roles` AS r
                ON u.`display_role` = r.`role_id`
                WHERE `user_id` = :user_id
            ');
            $userDisplayInfo->bind('user_id', $cookieData['user_id']);
            $userDisplayInfo = $userDisplayInfo->fetch();

            if($userDisplayInfo) {
                if(!is_null($userDisplayInfo['user_deleted'])) {
                    setcookie('msz_auth', '', -9001, '/', '', !empty($_SERVER['HTTPS']), true);
                    user_session_stop(true);
                    $userDisplayInfo = [];
                } else {
                    user_bump_last_active($cookieData['user_id']);
                    user_session_bump_active(user_session_current('session_id'));

                    if(user_session_current('session_expires_bump')) {
                        setcookie('msz_auth', $_COOKIE['msz_auth'], strtotime('1 month'), '/', '', !empty($_SERVER['HTTPS']), true);
                    }

                    $userDisplayInfo['perms'] = perms_get_user($userDisplayInfo['user_id']);
                    $userDisplayInfo['ban_expiration'] = user_warning_check_expiration($userDisplayInfo['user_id'], MSZ_WARN_BAN);
                    $userDisplayInfo['silence_expiration'] = $userDisplayInfo['ban_expiration'] > 0 ? 0 : user_warning_check_expiration($userDisplayInfo['user_id'], MSZ_WARN_SILENCE);
                }
            }
        }
    }

    csrf_settings(
        Config::get('csrf.secret', Config::TYPE_STR, 'insecure'),
        empty($userDisplayInfo) ? ip_remote_address() : $cookieData['session_token']
    );

    if(Config::get('private.enabled', Config::TYPE_BOOL)) {
        $onLoginPage = $_SERVER['PHP_SELF'] === url('auth-login');
        $onPasswordPage = parse_url($_SERVER['PHP_SELF'], PHP_URL_PATH) === url('auth-forgot');
        $misuzuBypassLockdown = !empty($misuzuBypassLockdown) || $onLoginPage;

        if(!$misuzuBypassLockdown) {
            if(user_session_active()) {
                $privatePermCat = Config::get('private.perm.cat', Config::TYPE_STR);
                $privatePermVal = Config::get('private.perm.val', Config::TYPE_INT);

                if(!empty($privatePermCat) && $privatePermVal > 0) {
                    if(!perms_check_user($privatePermCat, $userDisplayInfo['user_id'], $privatePermVal)) {
                        unset($userDisplayInfo);
                        user_session_stop(); // au revoir
                    }
                }
            } elseif(!$onLoginPage && !($onPasswordPage && Config::get('private.allow_password_reset', Config::TYPE_BOOL, true))) {
                url_redirect('auth-login');
                exit;
            }
        }
    }

    if(!empty($userDisplayInfo)) {
        tpl_var('current_user', $userDisplayInfo);
    }

    $inManageMode = starts_with($_SERVER['REQUEST_URI'], '/manage');
    $hasManageAccess = !empty($userDisplayInfo['user_id'])
        && !user_warning_check_restriction($userDisplayInfo['user_id'])
        && perms_check_user(MSZ_PERMS_GENERAL, $userDisplayInfo['user_id'], MSZ_PERM_GENERAL_CAN_MANAGE);
    tpl_var('has_manage_access', $hasManageAccess);

    if($inManageMode) {
        if(!$hasManageAccess) {
            echo render_error(403);
            exit;
        }

        tpl_var('manage_menu', manage_get_menu($userDisplayInfo['user_id'] ?? 0));
    }
}