From d4b7a03802e743b8b7a31ef1a0b1d8c7e1ccf845 Mon Sep 17 00:00:00 2001 From: shr3dd3r Date: Sat, 19 Aug 2023 21:15:47 +0300 Subject: [PATCH] Sample text --- api/_auth.php | 20 ++++++++++----- api/_config.php | 2 +- api/_db.php | 4 +-- api/_errors.php | 9 ++++--- api/_utils.php | 21 ++++++++++++++++ api/user/create.php | 59 +++++++++++++++++++++++++++++++++++++++++++-- api/user/index.php | 19 ++++++++++++--- config.json | 9 +++++++ 8 files changed, 126 insertions(+), 17 deletions(-) create mode 100644 api/_utils.php diff --git a/api/_auth.php b/api/_auth.php index e8c108e..6b9b4b7 100644 --- a/api/_auth.php +++ b/api/_auth.php @@ -4,12 +4,8 @@ require_once("_db.php"); //("api/_db.php"); -// Check if request was to specified file -function ThisFileIsRequested ($fullpath) { - return substr($fullpath, -strlen($_SERVER["SCRIPT_NAME"])) === $_SERVER["SCRIPT_NAME"]; -} - -session_start(); +//session_start(); +// This ^ should be placed at login stage $LOGGED_IN = false; @@ -25,6 +21,18 @@ if (isset($_SESSION["userid"])) { die("user id used in session does not exist"); } $LOGGED_IN = true; +} else { + // ATTENTION: idk will this work, but this can be theoretically unsafe or cause fault + + if (session_status()) { + session_unset(); + session_destroy(); + } + + if (isset($_COOKIE["PHPSESSID"])) { + unset($_COOKIE["PHPSESSID"]); + setcookie("PHPSESSID", "", time() - 3600, "/"); + } } ?> \ No newline at end of file diff --git a/api/_config.php b/api/_config.php index 575f219..033ca69 100644 --- a/api/_config.php +++ b/api/_config.php @@ -1,4 +1,4 @@ - \ No newline at end of file diff --git a/api/_utils.php b/api/_utils.php new file mode 100644 index 0000000..ae2847c --- /dev/null +++ b/api/_utils.php @@ -0,0 +1,21 @@ + \ No newline at end of file diff --git a/api/user/create.php b/api/user/create.php index 9a19093..13880ec 100644 --- a/api/user/create.php +++ b/api/user/create.php 
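Review bot: Dropping `session_start()` from _auth.php while the lines just below this hunk still test `isset($_SESSION["userid"])` means `$_SESSION` is never populated on any request that includes this file without starting the session itself, so `$LOGGED_IN` stays false on every endpoint other than the login stage, and the new `else` branch in the second hunk then expires the visitor's session cookie on that same request. The comment `// This ^ should be placed at login stage` conflates two things: the session must be opened on every authenticated request, and only the session id needs refreshing at login. I would keep the call here, guarded so the login script can also start it, `if (session_status() !== PHP_SESSION_ACTIVE) session_start();`, and at login call `session_regenerate_id(true)` after the credentials check to close the fixation window. The `ThisFileIsRequested` helper removed here is still called by create.php and index.php in this patch; presumably it moved to the new api/_utils.php, whose contents are not legible in this copy of the diff, so that should be confirmed.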
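Review bot: `if (session_status())` is true whenever sessions are merely enabled, because `session_status()` returns `PHP_SESSION_NONE` (1) when no session has been started and only `PHP_SESSION_DISABLED` is 0, so `session_unset()`/`session_destroy()` run against no active session (and `session_destroy()` warns in that case) instead of doing the intended cleanup; the test should be `if (session_status() === PHP_SESSION_ACTIVE) {`. Clearing the cookie by a hard-coded name and bare path is also fragile: `unset($_COOKIE[...])` only touches the server-side copy, and a `setcookie` whose path, domain, secure or httponly attributes differ from the ones the session cookie was issued with will not remove it in the browser. Use the session's own parameters, `$p = session_get_cookie_params();` followed by `setcookie(session_name(), "", time() - 3600, $p["path"], $p["domain"], $p["secure"], $p["httponly"]);`. The author's own `ATTENTION: idk will this work` comment should be resolved rather than committed; the enclosing `if/else` begins above this hunk.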
@@ -1,5 +1,60 @@ -prepare("INSERT INTO users (login,email,password_hash,salt,avatar_path,role,invite_id) VALUES (?,?,?,?,?,?,?)"); + $s->bind_param("sssssss", $login, $email, $pwd_hash, $salt, $avatar_path, "newbie", $invite_id); + return $s->execute() !== false; +} + + + +if (ThisFileIsRequested(__FILE__)) { + require_once("../_json.php"); + + // If registration turned off + if (!$Config["registration"]["active"]) { + ReturnJSONError($Err_DP_RegClosed, "registrations are closed"); + } + + // If user is logged in, then we should not allow creation of account + if ($LOGGED_IN) + ReturnJSONError($Err_DP_AlreadyLoggedIn, "you are already logged in"); + + // If we have some POST data + if (isset($_POST["login"]) && isset($_POST["password"])) { + // If we need email but it isnt supplied + if ($Config["registration"]["need_email"] && !isset($_POST["email"])) + ReturnJSONError($Err_RDP_InvalidArgs, "email is necessary"); + elseif (isset($_POST["email"])) { + // Validation of email + if (!filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) + ReturnJSONError($Err_RDP_InvalidArgs, "email is invalid"); + } + // If we need invite but it isnt supplied + if ($Config["registration"]["need_invite"] && !isset($_POST["invite_id"])) + ReturnJSONError($Err_RDP_InvalidArgs, "registrations are invite-only"); + + // Check login and password for pattern match + $preg_str = "/[^" . $Config["registration"]["allowed_syms"] . "]/"; + if (preg_match($preg_str, $_POST["login"]) || preg_match($preg_str, $_POST["password"])) { + ReturnJSONError($Err_RDP_InvalidArgs, "only allowed symbols are: " . $Config["registration"]["allowed_syms"]); + } + + // TODO + } else { // Not enough arguments + ReturnJSONError($Err_RDP_InvalidArgs, "not enough or no arguments were supplied"); + } +} ?> \ No newline at end of file diff --git a/api/user/index.php b/api/user/index.php index 0bcc8f0..e85b47d 100644 --- a/api/user/index.php +++ b/api/user/index.php 
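Review bot: `$s->bind_param("sssssss", ..., "newbie", $invite_id)` in `User_Create` cannot run: mysqli's `bind_param` takes its variables by reference, and passing the literal `"newbie"` is a fatal error, so every registration would die at the insert; hold it in a variable first, `$role = "newbie";`, and pass `$role`. The charset check further down only rejects characters outside `allowed_syms`, so an empty login or an empty password passes it and nothing bounds the length either; add `if ($_POST["login"] === "" || $_POST["password"] === "") ReturnJSONError($Err_RDP_InvalidArgs, "login and password must not be empty");` before the `preg_match`, plus a maximum length matching the column. Applying the same `[^a-zA-Z0-9_=+-]` filter to the password needlessly shrinks the password space; the password is presumably hashed before storage (`$pwd_hash`, `$salt`), so any byte sequence is safe to accept, and the separate `salt` column suggests a hand-rolled scheme that should be replaced by `password_hash()`/`password_verify()` if that is the case — the head of `User_Create`, where the hash would be computed, is not legible in this copy of the hunk. The flow also ends at `// TODO` without calling `User_Create`, and the branches after each `ReturnJSONError` only stay unreachable if that helper exits, which this patch does not show.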
@@ -1,12 +1,23 @@ -prepare("SELECT * FROM users WHERE login = ?"); + $s->bind_param("s", $login); + $s->execute(); + + return (bool)$s->get_result()->fetch_assoc(); +} + // Check if user has specified role -function User_HasRole ($id, $role) { +function User_HasRole ($id, $role): bool { global $db; $s = $db->prepare("SELECT * FROM users WHERE id = ?"); @@ -72,6 +83,8 @@ function User_GetInfoByID ($id) { if (ThisFileIsRequested(__FILE__)) { + require_once("../_json.php"); + $UserID = null; if (isset($_REQUEST["id"])) { diff --git a/config.json b/config.json index 5fa12c3..3d749aa 100644 --- a/config.json +++ b/config.json @@ -4,5 +4,14 @@ "name": "e949", "user": "e949", "pass": "password" + }, + "registration": { + "active": true, + "need_email": false, + "need_invite": false, + "allowed_syms": "a-zA-Z0-9_=+-" + }, + "accounts": { + "external_avatars": false } } \ No newline at end of file
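Review bot: The new lookup helper (its name is not legible in this copy of the hunk) calls `$s->execute()` without checking the result and then `$s->get_result()->fetch_assoc()`, but mysqli's `get_result()` returns `false` on failure, so a database error becomes a fatal method call on `false` rather than a handled failure; check `if (!$s->execute() || ($r = $s->get_result()) === false)` and treat that as an error, not as "login does not exist". `SELECT *` also pulls the password hash and salt just to test existence; `SELECT 1 FROM users WHERE login = ? LIMIT 1` is enough. If the `// TODO` in create.php ends up calling this helper before `User_Create`, that check-then-insert does not prevent two concurrent registrations of the same login; the schema is not shown here, so confirm a UNIQUE index on `users.login` and handle the duplicate-key error at the insert.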
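Review bot: The new `allowed_syms` value is spliced verbatim by create.php into the character class `/[^` … `]/`, so it is effectively regex syntax rather than a plain list of characters: a `]`, `\` or `/` in it would break or silently widen the pattern, and the trailing `-` is only literal because it sits last. JSON has no comment syntax, so record that constraint where the value is consumed (e.g. `// allowed_syms is a raw PCRE class body: keep '-' last, never ']' '\' '/'`) and validate the loaded value there. Separately, this file already ships a database password in git (`"pass": "password"`); that line is context rather than part of this change, but the new section grows a file that should be templated and kept out of version control.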