check_login()) { //Default admin page. } else { header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin', 'app', ['login'])); } break; case 'login': $this->db->connect(); $c_user=$this->db->select_count('useradmin', '', []); $error=1; $error_form=['username_error' => '']; if(!$c_user) { header('Location: '.Url::make_url('admin', 'app', ['signup'])); } else { if($_SERVER['REQUEST_METHOD']=='POST') { //Check csrf token first. if(PhangoApp\PhaRouter\Config::$on_proxy) { $ip=$_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? ''; } else { $ip=$_SERVER['REMOTE_ADDR'] ?? ''; } if($ip!='') { $arr_tries=$this->db->select_a_row('login_tries', [], 'WHERE ip=?', [$ip]); $now=date("Y-m-d H:i:s"); if($arr_tries) { $timestamp_5_min=strtotime($now)-300; $timestamp_last_login=strtotime($arr_tries['date']); if($timestamp_5_min>$timestamp_last_login) { $this->db->delete('login_tries', 'WHERE ip=?', [$ip]); $arr_tries=false; } } $num_tries=$arr_tries['num_tries'] ?? 0; if($num_tries<5) { $username=trim($_POST['username'] ?? ''); $password=trim($_POST['password'] ?? ''); if($username=='') { $error_form['username_error']=_('Username empty'); } $arr_user=$this->db->select_a_row('useradmin', [], 'WHERE username=?', [$username]); if($arr_user) { if(password_verify($password, $arr_user['password'])) { $error=0; $_SESSION['admin_login']=1; $_SESSION['date_login']=date("Y-m-d H:i:s"); if($arr_user['double_auth']) { $_SESSION['double_auth']=1; $this->db->update('useradmin', ['auth_token' => PhangoApp\PhaUtils\Utils::get_token(25)], 'where id=?', [$arr_user['id']]); } } else { $error_form['username_error']=_('Wrong user or password'); } } else { $error_form['username_error']=_('Wrong user or password'); } if($error) { if(!$arr_tries) { $this->db->insert('login_tries', ['num_tries' => 0, 'ip' => $ip]); } else { $this->db->update('login_tries', ['num_tries' => $arr_tries['num_tries']+1, 'date' => date("Y-m-d H:i:s")], 'WHERE ip=?', [$ip]); } } } else { $error_form['username_error']=_('Sorry, you need wait 5 minutes for retry login.'); } } else { $error_form['username_error']=_('Unknown error'); } echo $this->json(['error' => $error, 'error_form' => $error_form, 'message' => '']); } else { echo $this->tpl->load_template('login', ['title' => 'Login']); } } break; case 'signup': $this->db->connect(); $c_user=$this->db->select_count('useradmin', '', []); if(!$c_user) { if($_SERVER['REQUEST_METHOD']=='POST') { $error=0; $error_form=[]; $arr_data=['username', 'email', 'password', 'repeat_password']; foreach($arr_data as $v) { settype($_POST[$v], 'string'); } $username=trim($_POST['username']); if(!preg_match('/^[A-Za-z0-9_-]+$/', $username) || $username=='') { $error=1; $error_form['username_error']=_("Error: empty value"); } $email=filter_var($_POST['email'], FILTER_VALIDATE_EMAIL); if(!$email) { $error=1; $error_form['email_error']=_("Error: email is not valid"); } $password=trim($_POST['password']); $repeat_password=trim($_POST['repeat_password']); if($password=='') { $error=1; $error_form['password_error']=_("Error: password empty"); } else { if($password!=$repeat_password) { $error=1; $error_form['password_error']=_("Error: password not equal"); } } if(!$error) { if(!$this->db->insert('useradmin', ['username' => $username, 'password' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email])) { $error=1; $error_form['username_error']=_("Error: cannot create the user, please contact with the administrator"); } } echo $this->json(['error' => $error, 'error_form' => $error_form, 'message' => '']); } else { echo $this->tpl->load_template('signup', ['title' => 'Signup']); } } break; case 'check_auth': //Session expired. if($this->check_login()) { if($_SERVER['REQUEST_METHOD']=='POST') { } else { echo $this->tpl->load_template('check_auth', ['title' => 'Double auth']); } } break; case 'logout': unset($_SESSION['admin_login']); unset($_SESSION['double_auth']); unset($_SESSION['date_login']); header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin')); break; } } }