2023-10-06 14:48:06 +01:00
|
|
|
<?php
|
|
|
|
if(!file_exists("meowboard.db")) {
|
2024-07-28 00:31:40 +01:00
|
|
|
die("<meta http-equiv=\"refresh\" content=\"0; url=/install.php\">Database not found.");
|
2023-10-06 14:48:06 +01:00
|
|
|
}
|
|
|
|
class Store extends SQLite3
|
|
|
|
{
|
|
|
|
function __construct()
|
|
|
|
{
|
|
|
|
$this->open('meowboard.db');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$db = new Store();
|
|
|
|
$sitenameStatement = $db->prepare("SELECT * FROM settings WHERE key = 'sitename'");
|
|
|
|
$result = $sitenameStatement->execute();
|
|
|
|
$sitename = $result->fetchArray()[1];
|
|
|
|
|
|
|
|
function saltString($string) {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$saltStatement = $db->prepare("SELECT * FROM settings WHERE key = 'salt'");
|
|
|
|
$result = $saltStatement->execute();
|
|
|
|
$salt = $result->fetchArray()[1];
|
|
|
|
|
|
|
|
return hash("sha512", $string . $salt);
|
|
|
|
}
|
|
|
|
|
|
|
|
function verifyPassword($username, $password) {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$password = hash("sha512", $password);
|
|
|
|
|
|
|
|
$grabUser = $db->prepare("SELECT * FROM users WHERE username = ?");
|
|
|
|
$grabUser->bindParam(1, $username, SQLITE3_TEXT);
|
|
|
|
$result = $grabUser->execute();
|
|
|
|
$resultArray = $result->fetchArray();
|
|
|
|
|
|
|
|
$storedPassword = $resultArray[1];
|
|
|
|
$pepper = $resultArray[2];
|
|
|
|
|
|
|
|
$passwordFinal = hash("sha512", saltString($password) . $pepper);
|
|
|
|
if ($passwordFinal != $storedPassword) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
function issueSessionToken($username) {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$token = bin2hex(random_bytes(256));
|
|
|
|
$tokenStore = saltString($token); // We store this value and give the user the unhashed token.
|
|
|
|
$expiry = time() + 2_419_200_000; // 28 days.
|
|
|
|
|
|
|
|
$insertTokenStatement = $db->prepare("INSERT INTO tokens (hash, username, expiry) VALUES (?, ?, ?)");
|
|
|
|
$insertTokenStatement->bindParam(1, $tokenStore, SQLITE3_TEXT);
|
|
|
|
$insertTokenStatement->bindParam(2, $username, SQLITE3_TEXT);
|
|
|
|
$insertTokenStatement->bindParam(3, $expiry, SQLITE3_INTEGER);
|
|
|
|
$result = $insertTokenStatement->execute();
|
|
|
|
|
|
|
|
return $token;
|
|
|
|
}
|
|
|
|
|
|
|
|
function flushSessionTokens() {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$flushStatement = $db->prepare("DELETE FROM tokens WHERE expiry < ?");
|
|
|
|
$flushStatement->bindParam(1, time(), SQLITE3_INTEGER);
|
|
|
|
$flushStatement->execute();
|
|
|
|
}
|
|
|
|
|
|
|
|
function purgeSessionTokens() {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$db->execute("DELETE FROM tokens");
|
|
|
|
}
|
|
|
|
|
|
|
|
function deleteSessionToken($token) {
|
|
|
|
global $db;
|
|
|
|
$tokenStore = saltString($token);
|
|
|
|
|
|
|
|
$deleteStatement = $db->prepare("DELETE FROM tokens WHERE hash = ?");
|
|
|
|
$deleteStatement->bindParam(1, $tokenStore, SQLITE3_TEXT);
|
|
|
|
$deleteStatement->execute();
|
|
|
|
}
|
|
|
|
|
|
|
|
function checkSessionToken($token) {
|
|
|
|
global $db;
|
|
|
|
flushSessionTokens();
|
|
|
|
|
|
|
|
$tokenStore = saltString($token);
|
|
|
|
|
|
|
|
$getTokenStatement = $db->prepare("SELECT hash FROM tokens WHERE hash = ?");
|
|
|
|
$getTokenStatement->bindParam(1, $tokenStore, SQLITE3_TEXT);
|
|
|
|
$result = $getTokenStatement->execute();
|
|
|
|
$tokenInDB = $result->fetchArray()[0];
|
|
|
|
|
|
|
|
if ($tokenInDB == $tokenStore) { return 1; }
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
function tokenToUsername($token) {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$tokenStore = saltString($token);
|
|
|
|
$getTokenStatement = $db->prepare("SELECT username FROM tokens WHERE hash = ?");
|
|
|
|
$getTokenStatement->bindParam(1, $tokenStore, SQLITE3_TEXT);
|
|
|
|
$result = $getTokenStatement->execute();
|
|
|
|
$username = $result->fetchArray()[0];
|
|
|
|
|
|
|
|
return $username;
|
|
|
|
}
|
|
|
|
|
|
|
|
function isAdmin($username) {
|
|
|
|
global $db;
|
|
|
|
|
|
|
|
$getTokenStatement = $db->prepare("SELECT admin FROM users WHERE username = ?");
|
|
|
|
$getTokenStatement->bindParam(1, $username, SQLITE3_TEXT);
|
|
|
|
$result = $getTokenStatement->execute();
|
|
|
|
return $result->fetchArray()[0];
|
|
|
|
}
|
|
|
|
?>
|