Sample text

api/_auth.php

@@ -4,12 +4,8 @@ require_once("_db.php"); //("api/_db.php");
 
 
 
-// Check if request was to specified file
-function ThisFileIsRequested ($fullpath) {
-	return substr($fullpath, -strlen($_SERVER["SCRIPT_NAME"])) === $_SERVER["SCRIPT_NAME"];
-}
-
-session_start();
+//session_start();
+// This ^ should be placed at login stage
 
 $LOGGED_IN = false;
 
@@ -25,6 +21,18 @@ if (isset($_SESSION["userid"])) {
 		die("user id used in session does not exist");
 	}
 	$LOGGED_IN = true;
+} else {
+	// ATTENTION: idk will this work, but this can be theoretically unsafe or cause fault
+
+	if (session_status()) {
+		session_unset();
+		session_destroy();
+	}
+
+	if (isset($_COOKIE["PHPSESSID"])) {
+		unset($_COOKIE["PHPSESSID"]);
+		setcookie("PHPSESSID", "", time() - 3600, "/");
+	}
 }
 
 ?>

api/_config.php

@@ -1,4 +1,4 @@
-<?php
+<?php // Parsing configuration file
 
 $Config = array();
 $Config_FileName = "config.json";

api/_db.php

@@ -1,6 +1,6 @@
-<?php
+<?php // Database setup
 
-require_once("_config.php"); //("api/_config.php");
+require_once("_config.php");
 
 
 

api/_errors.php

@@ -1,12 +1,15 @@
 <?php
 
 // Internal errors
-$Err_Int_JSONEncode = "int.jsonencode"; // Failed to encode JSON data
+$Err_Int_JSONEncode     = "int.jsonencode";     // Failed to encode JSON data
 
 // Request data parsing errors
-$Err_RDP_InvalidID = "rdp.invalidid"; // Requested ID of resource is invalid
+$Err_RDP_InvalidID      = "rdp.invalidid";      // Requested ID of resource is invalid
+$Err_RDP_InvalidArgs    = "rdp.invalidargs";    // Invalid arguments supplied to method
 
 // Data processing errors
-$Err_DP_IDNotFound = "dp.idnotfound"; // Resource not found by requested ID
+$Err_DP_IDNotFound      = "dp.idnotfound";      // Resource not found by requested ID
+$Err_DP_AlreadyLoggedIn = "dp.alreadyloggedin"; // User already logged into account
+$Err_DP_RegClosed       = "dp.regclosed";       // Registration is closed
 
 ?>

api/_utils.php

@@ -0,0 +1,21 @@
+<?php // Utility functions
+
+// Check if request was to specified file
+function ThisFileIsRequested ($fullpath): bool {
+	return substr($fullpath, -strlen($_SERVER["SCRIPT_NAME"])) === $_SERVER["SCRIPT_NAME"];
+}
+
+// Generate secure random string
+function GenerateRandomString (int $length, string $keyspace = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"): string {
+	if ($length < 1) {
+		die("cant generate random string of size less than 1");
+	}
+	$pieces = [];
+	$max = mb_strlen($keyspace, "8bit") - 1;
+	for ($i = 0; $i < $length; ++$i) {
+		$pieces []= $keyspace[random_int(0, $max)];
+	}
+	return implode('', $pieces);
+}
+
+?>

api/user/create.php

@@ -1,5 +1,60 @@
-<?php
+<?php // Creating account
 
-// TODO
+require_once("../_auth.php");
+require_once("../_utils.php");
+
+
+
+// Create new user account
+function User_Create ($login, $password, $email = null, $invite_id = null, $avatar_path = null): bool {
+	global $db;
+
+	$salt = GenerateRandomString(8);
+	$pwd_hash = hash("sha256", $password . $salt, true);
+
+	$s = $db->prepare("INSERT INTO users (login,email,password_hash,salt,avatar_path,role,invite_id) VALUES (?,?,?,?,?,?,?)");
+	$s->bind_param("sssssss", $login, $email, $pwd_hash, $salt, $avatar_path, "newbie", $invite_id);
+	return $s->execute() !== false;
+}
+
+
+
+if (ThisFileIsRequested(__FILE__)) {
+	require_once("../_json.php");
+
+	// If registration turned off
+	if (!$Config["registration"]["active"]) {
+		ReturnJSONError($Err_DP_RegClosed, "registrations are closed");
+	}
+
+	// If user is logged in, then we should not allow creation of account
+	if ($LOGGED_IN)
+		ReturnJSONError($Err_DP_AlreadyLoggedIn, "you are already logged in");
+
+	// If we have some POST data
+	if (isset($_POST["login"]) && isset($_POST["password"])) {
+		// If we need email but it isnt supplied
+		if ($Config["registration"]["need_email"] && !isset($_POST["email"]))
+			ReturnJSONError($Err_RDP_InvalidArgs, "email is necessary");
+		elseif (isset($_POST["email"])) {
+			// Validation of email
+			if (!filter_var($_POST["email"], FILTER_VALIDATE_EMAIL))
+				ReturnJSONError($Err_RDP_InvalidArgs, "email is invalid");
+		}
+		// If we need invite but it isnt supplied
+		if ($Config["registration"]["need_invite"] && !isset($_POST["invite_id"]))
+			ReturnJSONError($Err_RDP_InvalidArgs, "registrations are invite-only");
+
+		// Check login and password for pattern match
+		$preg_str = "/[^" . $Config["registration"]["allowed_syms"] . "]/";
+		if (preg_match($preg_str, $_POST["login"]) || preg_match($preg_str, $_POST["password"])) {
+			ReturnJSONError($Err_RDP_InvalidArgs, "only allowed symbols are: " . $Config["registration"]["allowed_syms"]);
+		}
+
+		// TODO
+	} else { // Not enough arguments
+		ReturnJSONError($Err_RDP_InvalidArgs, "not enough or no arguments were supplied");
+	}
+}
 
 ?>

api/user/index.php

@@ -1,12 +1,23 @@
-<?php
+<?php // Viewing account data
 
 require_once("../_auth.php");
-require_once("../_json.php");
+require_once("../_utils.php");
 
 
 
+// Check if user with supplied login exists
+function User_LoginExist ($login): bool {
+	global $db;
+
+	$s = $db->prepare("SELECT * FROM users WHERE login = ?");
+	$s->bind_param("s", $login);
+	$s->execute();
+
+	return (bool)$s->get_result()->fetch_assoc();
+}
+
 // Check if user has specified role
-function User_HasRole ($id, $role) {
+function User_HasRole ($id, $role): bool {
 	global $db;
 
 	$s = $db->prepare("SELECT * FROM users WHERE id = ?");
@@ -72,6 +83,8 @@ function User_GetInfoByID ($id) {
 
 
 if (ThisFileIsRequested(__FILE__)) {
+	require_once("../_json.php");
+
 	$UserID = null;
 
 	if (isset($_REQUEST["id"])) {

config.json

@@ -4,5 +4,14 @@
 		"name": "e949",
 		"user": "e949",
 		"pass": "password"
+	},
+	"registration": {
+		"active": true,
+		"need_email": false,
+		"need_invite": false,
+		"allowed_syms": "a-zA-Z0-9_=+-"
+	},
+	"accounts": {
+		"external_avatars": false
 	}
 }