From 1878d156fd10a3e9d8f25b40b297f20af2f2c23a Mon Sep 17 00:00:00 2001
From: Bye <bye@byecorps.com>
Date: Tue, 29 Oct 2024 17:59:36 +0000
Subject: [PATCH] Auto stash before merge of "rewrite" and "origin/rewrite"

---
 .DS_Store                 | Bin 0 -> 8196 bytes
 common/account_utils.php  |  11 +++++--
 common/app_utils.php      |  10 ++++++
 common/misc.php           |  10 +++++-
 common/strings.php        |  18 +++++++----
 common/validation.php     |  26 ++++++++++++++++
 index.php                 |  26 ++++++++++------
 views/.DS_Store           | Bin 0 -> 6148 bytes
 views/admin/dashboard.php |  38 +++++++++++++++++++++++
 views/login.php           |  11 +++++--
 views/oauth_login.php     |  63 ++++++++++++++++++++++++++++++++++++++
 views/partials/footer.php |   3 +-
 views/partials/header.php |   3 ++
 views/settings_region.php |  20 ++++++++++--
 14 files changed, 215 insertions(+), 24 deletions(-)
 create mode 100644 .DS_Store
 create mode 100644 common/app_utils.php
 create mode 100644 views/.DS_Store
 create mode 100644 views/admin/dashboard.php
 create mode 100644 views/oauth_login.php

diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..8d6c3b80b07f99a14e1c7fc0fb183fdc393acc4a
GIT binary patch
literal 8196
zcmeHM%W4!s6uqUL$)KC4kVFJ&HHje)CHUI5Vcd$4RS+T0gGpd|ddy5Rh#<WXS1$Ym
z*KS?75Fvu#9|(Sc+k8M=dFoarQ`L`b0uu1nP<5NS_trU_>h9w95RqElX|51W6Hygi
z+lliS3Yzxoo@;09%nYnTK6TnFYmFrC<sxN56c7bO0Z~8{5Cu+)0ywjEtCpPm#w(*J
zAPW4K3h4Jkh^}p9ZE7sPIxuhv02^SM8?Gnx1#D<-WNm6JJZQ?K!kScNOAKYwF(2Bv
z$lBCclTOMOAIc&tTcIdM$NC|MlZuR$Q4|mb@(SqMJ)m3ErY#zH_50-BUDp>UwOYNC
z)G=4Rzc}~i`tpy5zQ1{_zqjdp8@TZvsWb-MEoxGWo_omZ@@?PiVn;vUejF|_wv!(x
zBlO}34_|%L_!VkULNR^`bv*{Od?D+1Im~=`eGnTC-Wo28vKWsC@u!ji3bgU-`yA*O
zI2`$0{4Y1xzwckM`rBL=yU6e3@>_D8`cPmSd(fjn7CqPmdM3i<(7N`jpN7mK7d6_8
z@+hBA2rxz)FrRK-jZ5SC2$#?7vvccr%${gI&N{9#<xxJL4b7**>%626_9wG9SHEWc
zE|-h-z2EN^SQ~E*mq}SnA&*@!=;BF9XxqC-o<8`*JRHBv<KE}l!{@X@Ud(8R%3?eo
zL;Jk$;$CUdFssIkKVUHi1nYG<JZ?<QcMqReCt}2)IKsnMPl!@r;9QsUpLLKy6ga5@
zXUziBy8eGu{{8=?Fp@6{hytfr0TtBNYO5e<&(<7OU2BKv8|b>}xYSrq!NBD>ESKZ3
eM}HXNIz*_>iL6bH#SEH!2w)jx5C#6J0)GMB9TnyP

literal 0
HcmV?d00001

diff --git a/common/account_utils.php b/common/account_utils.php
index d68de02..831c574 100644
--- a/common/account_utils.php
+++ b/common/account_utils.php
@@ -1,5 +1,7 @@
 <?php
 
+const DEMO_USER = "9999999";
+
 function generate_bcid($duplicate_check=false): string
 {
     $CHARS = str_split("ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890");
@@ -94,13 +96,18 @@ function get_user_avatar($userId) {
     return 'https://cdn.id.byecorps.com/profile/default.png';
 }
 
-function set_user_language(string $lang_code, string $id): void
+function set_user_language(string $lang_code, string $id="9999999"): void
 {
+    $_SESSION['lang'] = $lang_code;
+
+    if ($id == DEMO_USER) {
+        return;
+    }
+
     db_execute(
         'UPDATE accounts SET language = ? WHERE id = ?',
         [$lang_code, $id]
     );
-    $_SESSION['lang'] = $lang_code;
 }
 
 function requires_auth($redirect = '/auth/login') {
diff --git a/common/app_utils.php b/common/app_utils.php
new file mode 100644
index 0000000..5fbf33b
--- /dev/null
+++ b/common/app_utils.php
@@ -0,0 +1,10 @@
+<?php
+
+function get_app_by_id(int $id) {
+    return db_execute('SELECT * FROM apps WHERE id = ?', [$id]);
+}
+
+function get_apps_by_owner_id(str $bcid) {
+    $results = db_execute_all('SELECT * FROM apps WHERE owner_id = ?', [$bcid]);
+    return $results;
+}
diff --git a/common/misc.php b/common/misc.php
index 4aaf39e..5f26b9e 100644
--- a/common/misc.php
+++ b/common/misc.php
@@ -12,6 +12,14 @@ function location(string $url):void
     exit();
 }
 
-function flash(string $text, string $type, array &$flash) {
+function flash(string $text, array &$flash, string $type="warning") {
     $flash[] = ['text' => $text, 'type' => $type];
 }
+
+function show_flash(array $flash) {
+    $output = '<ul class="flash">';
+    foreach ($flash as $item) {
+        $output .= '<li>'. $item['text'] .'</li>';
+    }
+    return $output;
+}
diff --git a/common/strings.php b/common/strings.php
index 0fb0606..2a8f26f 100644
--- a/common/strings.php
+++ b/common/strings.php
@@ -12,20 +12,26 @@ const LANGAUGES = [
         'flag' => 'usa'
     ],
     [
-        'code' => 'en_UWU',
-        'name' => 'Cute English',
-        'flag' => 'owo'
+        'code' => 'fi',
+        'name' => 'suomi'
     ],
     [
         'code' => 'ga',
-        'name' => 'Irish',
+        'name' => 'Gaeilge',
         'flag' => 'ie'
     ],
     [
         'code' => 'nb_NO',
-        'name' => 'Norwegian Bokmål',
+        'name' => 'Norsk bokmål',
         'flag' => 'no'
-    ]
+    ],
+
+    // Joke languages
+    [
+        'code' => 'en_UWU',
+        'name' => 'Cute English',
+        'flag' => 'owo'
+    ],
 ];
 
 function get_string($key="generic.generic", $substitutes=[]) {
diff --git a/common/validation.php b/common/validation.php
index ef5ede1..c9b1afa 100644
--- a/common/validation.php
+++ b/common/validation.php
@@ -1,5 +1,31 @@
 <?php
 
+function csfr(): string
+{
+    $token = bin2hex(random_bytes(32));
+    $_SESSION['CSFR_TOKEN'] = $token;
+    return $token;
+}
+
+function csfr_input($echo = false): string
+{
+    $token = csfr();
+    $output = "<input type='hidden' name='CSFR_TOKEN' value='$token' />";
+    if ($echo) echo $output;
+    else return $output;
+}
+
+function validate_csfr($token = null): bool
+{
+    $token = $token ?: $_REQUEST['CSFR_TOKEN'];
+
+    if ($_SESSION['CSFR_TOKEN'] == $token) {
+        return true;
+    }
+
+    return false;
+}
+
 function validate_email($email) {
     return filter_var($email, FILTER_VALIDATE_EMAIL);
 }
diff --git a/index.php b/index.php
index e3b96ff..426e5b9 100644
--- a/index.php
+++ b/index.php
@@ -28,6 +28,7 @@ require_once 'common/strings.php';
 require_once 'common/validation.php';
 require_once 'common/database.php';
 require_once 'common/account_utils.php';
+require_once 'common/app_utils.php';
 require_once 'common/files.php';
 require_once 'common/misc.php';
 
@@ -88,21 +89,25 @@ patch_lang($_SESSION['lang']);
 
 
 $routes = [
-    '' => function () { require 'views/home.php'; },
+    '' => function () { global $user; require 'views/home.php'; },
     'admin' => function () {
-        global $path, $query, $DOC_ROOT, $flash;
+        global $path, $query, $DOC_ROOT, $flash, $user;
 
         requires_auth();
         requires_admin();
 
-        switch ($path[2]) {
-            default: return 404;
-            case 'files':
-                require 'views/admin/files.php';
+        if (key_exists(2, $path)) {
+            switch ($path[2]) {
+                default: return 404;
+                case 'files':
+                    require 'views/admin/files.php';
+            }
+        } else {
+            require 'views/admin/dashboard.php';
         }
     },
     'api' => function () {
-        global $path, $query;
+        global $path, $query, $user;
 
         unset($path[1]);
         $path = array_values($path);
@@ -110,7 +115,7 @@ $routes = [
         require 'api.php'; /* Handoff further routing to API script. */
     },
     'auth' => function () {
-        global $path, $query, $flash;
+        global $path, $query, $flash, $user;
 
         switch ($path[2]) {
             case 'signout':
@@ -122,6 +127,9 @@ $routes = [
             case 'login':
                 require 'views/login.php';
                 break;
+            case 'oauth':
+                require 'views/oauth_login.php';
+                break;
             default:
                 return 404;
         }
@@ -162,7 +170,7 @@ $routes = [
         return 200;
     },
     'settings' => function () {
-        global $path, $flash, $user;
+        global $path, $flash, $user, $query;
         if (isset($path[2])) {
             switch ($path[2]) {
                 default: return 404;
diff --git a/views/.DS_Store b/views/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..6698d514e1b49aba5438005b0733d1b395947f25
GIT binary patch
literal 6148
zcmeHK%}T^T3{KV+sv_)BZ*vww_64La^)B=QbbmmF))xQHy$im8kK)~@@C|$kzf8iq
z-L85QSrW*6(@Zi=zYa}9L_B(!4T%Oslt2Z0TNqY|tc!M}XBJuHxW`R#In1Y3S$BNh
z@IM)lcehDnno&vDwDkVAU)!r?m1UEnn!uWz=g0d;hi@m#9<yIO>Z`>Q5)h8VRU?C2
zx<>|MD(J3#iguq?`7Gx0{_*_yau9Rr>{V7@8U5tf&g)F_a&ZQn0cT)c89>bzNp=){
zbOxLOXJF2Nd>;Z-Fg0ux<EH~dYyp6Mn4@4Wy@bRB!_=@*#0rEp6sVzWEe2~i?7{p}
z!$wiViLLoyyE9vd!tw6dKSX!pRMAIgz!_*Wu%VX&ssE?n_y6r6zj6kgfwf|Q`&pii
z@JLo$I}azdHb5_+BI4I5&O<PXr5L_aiua&VU=K0@riP6oED-+@h&1@%4E!krp9u;~
A4gdfE

literal 0
HcmV?d00001

diff --git a/views/admin/dashboard.php b/views/admin/dashboard.php
new file mode 100644
index 0000000..9aae39f
--- /dev/null
+++ b/views/admin/dashboard.php
@@ -0,0 +1,38 @@
+<?php
+
+if (!requires_admin()) {exit;} // failsafe in case this file is opened from "not the index".
+
+if (isset($query['delete'])) {
+    delete_file_by_id($query['delete']);
+}
+
+$files = db_execute_all('SELECT * FROM files');
+
+?>
+
+<!doctype html>
+<html>
+<head>
+    <?php include $DOC_ROOT.'/views/partials/head.php' ?>
+    <title>[A] Dashboard ~> ByeCorps ID</title>
+</head>
+<body>
+<?php include $DOC_ROOT.'/views/partials/header.php' ?>
+<main>
+    <h1>[ADMIN] Dashboard</h1>
+
+    <nav>
+        <ul>
+            <li>
+                <a href="/admin/files">Manage files</a>
+            </li>
+            <li>
+                <a href="/admin/applications">Manage applications</a>
+            </li>
+        </ul>
+    </nav>
+
+</main>
+<?php include $DOC_ROOT.'/views/partials/footer.php' ?>
+</body>
+</html>
diff --git a/views/login.php b/views/login.php
index b497655..8666c50 100644
--- a/views/login.php
+++ b/views/login.php
@@ -10,6 +10,11 @@ if ($_SESSION['auth']) {
 }
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+    if (!validate_csfr()) {
+        flash(get_string('error.generic'), $flash);
+        goto skip;
+    }
+
     // Validate email address
     if (!validate_email($_POST['email'])) {
         $error_body = get_string('error.invalidEmail');
@@ -67,13 +72,15 @@ skip:
         if (isset($subtitle)) {
             echo '<p class="subtitle center">'. $subtitle .'</p>';
         }
-        ?>
-        <?php
+
         if (isset($error_body)) {
             include 'partials/error.php';
         }
         ?>
+        
         <form class="login-form" method="post">
+            <?= csfr_input() ?>
+
             <div class="input"><label for="email"><?= get_string("auth.email") ?></label>
                 <input type="email" name="email" id="email" /></div>
             <div class="input"><label for="password"><?= get_string("auth.password") ?></label>
diff --git a/views/oauth_login.php b/views/oauth_login.php
new file mode 100644
index 0000000..c37332a
--- /dev/null
+++ b/views/oauth_login.php
@@ -0,0 +1,63 @@
+<?php
+
+$please_exit = false;
+$passed_callback = false;
+
+$app = null;
+
+// Try to get the app details
+try {
+    $app = get_app_by_id($query['appid']);
+} catch (TypeError $e) {
+    flash(get_string('error.noAppId'), $flash);
+    $please_exit = true;
+}
+
+if (empty($app)) {
+    flash(get_string('error.invalidAppId'), $flash);
+}
+
+if (key_exists('callback', $query)) {
+    if ($query['callback'] == $app['callback']) {
+        $passed_callback = true;
+    }
+}
+
+$signed_in = !is_null($user);
+
+?>
+
+<!doctype html>
+<html lang="en">
+<head>
+    <?php include 'partials/head.php' ?>
+    <link rel="stylesheet" href="/styles/login_form.css" />
+</head>
+<body>
+<?php include 'partials/header.php' ?>
+
+<main>
+    <?=
+        show_flash($flash);
+        if ($please_exit) {
+            goto pls_quit;
+        }
+    ?>
+
+    <h1><?= htmlspecialchars($app['title']) ?> wants to sign in with your ByeCorps ID</h1>
+    <p><i><?= htmlspecialchars($app['description']) ?></i><br>(The above was provided by the developers)</p>
+
+    <?php
+        if ($signed_in && $passed_callback) {
+            echo 'PASSED!!';
+        }
+    ?>
+
+    <?php
+    pls_quit:
+    ?>
+</main>
+
+<?php include 'partials/footer.php' ?>
+</body>
+</html>
\ No newline at end of file
diff --git a/views/partials/footer.php b/views/partials/footer.php
index 7dd150f..167c90f 100644
--- a/views/partials/footer.php
+++ b/views/partials/footer.php
@@ -4,6 +4,7 @@
         <div><?= get_string('footer.executionTime', ['time'=>round((microtime(true) - $_SERVER['REQUEST_TIME_FLOAT']) * 1000, 3)]) ?></div>
     </div>
     <div class="item">
-        <script src="/scripts/langauge_switcher.js" defer></script>
+        <p><a href="/settings/region"><?= get_string('generic.changeLanguage') ?> - Change language</a></p>
+<!--        <script src="/scripts/langauge_switcher.js" defer></script>-->
     </div>
 </footer>
\ No newline at end of file
diff --git a/views/partials/header.php b/views/partials/header.php
index b269cbe..949b891 100644
--- a/views/partials/header.php
+++ b/views/partials/header.php
@@ -9,6 +9,9 @@
     <div class="section">
         <?php
             if ($_SESSION['auth']) {
+                if ($user['is_admin']) {
+                    echo '<a class="item" href="/admin">Admin dashboard</a>';
+                }
                 echo '<div class="item">' . get_string("header.hello", ['display_name' => get_user_display_name($_SESSION['id'])]) . '</div>';
                 echo '<a class="item" href="/dashboard">' . get_string('page.dashboard') . '</a>';
                 echo '<div class="item"><a href="/auth/signout">'. get_string('auth.signout') .'</a></div>';
diff --git a/views/settings_region.php b/views/settings_region.php
index b88e235..1a097ba 100644
--- a/views/settings_region.php
+++ b/views/settings_region.php
@@ -3,8 +3,17 @@
 function update_language(): void
 {
     global $user;
+    if (is_null($user)) {
+        $user['id'] = DEMO_USER;
+    }
     set_user_language($_POST['lang'], $user['id']);
-    location('/settings/region');
+    location('/settings/region?success=true');
+}
+
+if (array_key_exists('success', $query)) {
+    if ($query['success'] == 'true') {
+        flash(get_string('generic.languageUpdated'), $flash);
+    }
 }
 
 if (isset($path[3])) {
@@ -37,11 +46,16 @@ if (isset($path[3])) {
 <main>
     <h1><span class="fa-solid fa-fw fa-cog"></span> <?= get_string('page.settings'); ?></h1>
     <div class="grid">
-        <?php include 'partials/settings_list.php' ?>
+        <?php
+            if ($_SESSION['auth']) {
+                include 'partials/settings_list.php';
+            }
+        ?>
         <div class="settingsthingy">
             <h2><?= get_string('settings.region') ?></h2>
             <p>Here you can set the language ByeCorps ID is displayed in.</p>
             <form action="/settings/region/set_language" method="post">
+                <?= show_flash($flash); ?>
                 <div class="language-selector">
                     <?php
                     foreach (LANGAUGES as $lang) {
@@ -51,7 +65,7 @@ if (isset($path[3])) {
                         }
                         echo '<label>
                     <input type="radio" name="lang" '.$checked.' id="lang" value="'. $lang['code'] . '" />
-                    '. $lang['name'] .'
+                    '. get_string('language.'.$lang['code']) .' - '. $lang['name'] .'
                 </label>';
                     }
                     ?>