Auto stash before merge of "rewrite" and "origin/rewrite"

common/account_utils.php

@@ -1,5 +1,7 @@
 <?php
 
+const DEMO_USER = "9999999";
+
 function generate_bcid($duplicate_check=false): string
 {
     $CHARS = str_split("ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890");
@@ -94,13 +96,18 @@ function get_user_avatar($userId) {
     return 'https://cdn.id.byecorps.com/profile/default.png';
 }
 
-function set_user_language(string $lang_code, string $id): void
+function set_user_language(string $lang_code, string $id="9999999"): void
 {
+    $_SESSION['lang'] = $lang_code;
+
+    if ($id == DEMO_USER) {
+        return;
+    }
+
     db_execute(
         'UPDATE accounts SET language = ? WHERE id = ?',
         [$lang_code, $id]
     );
-    $_SESSION['lang'] = $lang_code;
 }
 
 function requires_auth($redirect = '/auth/login') {

common/app_utils.php

@@ -0,0 +1,10 @@
+<?php
+
+function get_app_by_id(int $id) {
+    return db_execute('SELECT * FROM apps WHERE id = ?', [$id]);
+}
+
+function get_apps_by_owner_id(str $bcid) {
+    $results = db_execute_all('SELECT * FROM apps WHERE owner_id = ?', [$bcid]);
+    return $results;
+}

common/misc.php

@@ -12,6 +12,14 @@ function location(string $url):void
     exit();
 }
 
-function flash(string $text, string $type, array &$flash) {
+function flash(string $text, array &$flash, string $type="warning") {
     $flash[] = ['text' => $text, 'type' => $type];
 }
+
+function show_flash(array $flash) {
+    $output = '<ul class="flash">';
+    foreach ($flash as $item) {
+        $output .= '<li>'. $item['text'] .'</li>';
+    }
+    return $output;
+}

common/strings.php

@@ -12,20 +12,26 @@ const LANGAUGES = [
         'flag' => 'usa'
     ],
     [
-        'code' => 'en_UWU',
+        'code' => 'fi',
-        'name' => 'Cute English',
+        'name' => 'suomi'
-        'flag' => 'owo'
     ],
     [
         'code' => 'ga',
-        'name' => 'Irish',
+        'name' => 'Gaeilge',
         'flag' => 'ie'
     ],
     [
         'code' => 'nb_NO',
-        'name' => 'Norwegian Bokmål',
+        'name' => 'Norsk bokmål',
         'flag' => 'no'
-    ]
+    ],
+
+    // Joke languages
+    [
+        'code' => 'en_UWU',
+        'name' => 'Cute English',
+        'flag' => 'owo'
+    ],
 ];
 
 function get_string($key="generic.generic", $substitutes=[]) {

common/validation.php

@@ -1,5 +1,31 @@
 <?php
 
+function csfr(): string
+{
+    $token = bin2hex(random_bytes(32));
+    $_SESSION['CSFR_TOKEN'] = $token;
+    return $token;
+}
+
+function csfr_input($echo = false): string
+{
+    $token = csfr();
+    $output = "<input type='hidden' name='CSFR_TOKEN' value='$token' />";
+    if ($echo) echo $output;
+    else return $output;
+}
+
+function validate_csfr($token = null): bool
+{
+    $token = $token ?: $_REQUEST['CSFR_TOKEN'];
+
+    if ($_SESSION['CSFR_TOKEN'] == $token) {
+        return true;
+    }
+
+    return false;
+}
+
 function validate_email($email) {
     return filter_var($email, FILTER_VALIDATE_EMAIL);
 }

index.php

@@ -28,6 +28,7 @@ require_once 'common/strings.php';
 require_once 'common/validation.php';
 require_once 'common/database.php';
 require_once 'common/account_utils.php';
+require_once 'common/app_utils.php';
 require_once 'common/files.php';
 require_once 'common/misc.php';
 
@@ -88,21 +89,25 @@ patch_lang($_SESSION['lang']);
 
 
 $routes = [
-    '' => function () { require 'views/home.php'; },
+    '' => function () { global $user; require 'views/home.php'; },
     'admin' => function () {
-        global $path, $query, $DOC_ROOT, $flash;
+        global $path, $query, $DOC_ROOT, $flash, $user;
 
         requires_auth();
         requires_admin();
 
-        switch ($path[2]) {
+        if (key_exists(2, $path)) {
-            default: return 404;
+            switch ($path[2]) {
-            case 'files':
+                default: return 404;
-                require 'views/admin/files.php';
+                case 'files':
+                    require 'views/admin/files.php';
+            }
+        } else {
+            require 'views/admin/dashboard.php';
         }
     },
     'api' => function () {
-        global $path, $query;
+        global $path, $query, $user;
 
         unset($path[1]);
         $path = array_values($path);
@@ -110,7 +115,7 @@ $routes = [
         require 'api.php'; /* Handoff further routing to API script. */
     },
     'auth' => function () {
-        global $path, $query, $flash;
+        global $path, $query, $flash, $user;
 
         switch ($path[2]) {
             case 'signout':
@@ -122,6 +127,9 @@ $routes = [
             case 'login':
                 require 'views/login.php';
                 break;
+            case 'oauth':
+                require 'views/oauth_login.php';
+                break;
             default:
                 return 404;
         }
@@ -162,7 +170,7 @@ $routes = [
         return 200;
     },
     'settings' => function () {
-        global $path, $flash, $user;
+        global $path, $flash, $user, $query;
         if (isset($path[2])) {
             switch ($path[2]) {
                 default: return 404;

views/admin/dashboard.php

@@ -0,0 +1,38 @@
+<?php
+
+if (!requires_admin()) {exit;} // failsafe in case this file is opened from "not the index".
+
+if (isset($query['delete'])) {
+    delete_file_by_id($query['delete']);
+}
+
+$files = db_execute_all('SELECT * FROM files');
+
+?>
+
+<!doctype html>
+<html>
+<head>
+    <?php include $DOC_ROOT.'/views/partials/head.php' ?>
+    <title>[A] Dashboard ~> ByeCorps ID</title>
+</head>
+<body>
+<?php include $DOC_ROOT.'/views/partials/header.php' ?>
+<main>
+    <h1>[ADMIN] Dashboard</h1>
+
+    <nav>
+        <ul>
+            <li>
+                <a href="/admin/files">Manage files</a>
+            </li>
+            <li>
+                <a href="/admin/applications">Manage applications</a>
+            </li>
+        </ul>
+    </nav>
+
+</main>
+<?php include $DOC_ROOT.'/views/partials/footer.php' ?>
+</body>
+</html>

views/login.php

@@ -10,6 +10,11 @@ if ($_SESSION['auth']) {
 }
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+    if (!validate_csfr()) {
+        flash(get_string('error.generic'), $flash);
+        goto skip;
+    }
+
     // Validate email address
     if (!validate_email($_POST['email'])) {
         $error_body = get_string('error.invalidEmail');
@@ -67,13 +72,15 @@ skip:
         if (isset($subtitle)) {
             echo '<p class="subtitle center">'. $subtitle .'</p>';
         }
-        ?>
+
-        <?php
         if (isset($error_body)) {
             include 'partials/error.php';
         }
         ?>
+        
         <form class="login-form" method="post">
+            <?= csfr_input() ?>
+
             <div class="input"><label for="email"><?= get_string("auth.email") ?></label>
                 <input type="email" name="email" id="email" /></div>
             <div class="input"><label for="password"><?= get_string("auth.password") ?></label>

views/oauth_login.php

@@ -0,0 +1,63 @@
+<?php
+
+$please_exit = false;
+$passed_callback = false;
+
+$app = null;
+
+// Try to get the app details
+try {
+    $app = get_app_by_id($query['appid']);
+} catch (TypeError $e) {
+    flash(get_string('error.noAppId'), $flash);
+    $please_exit = true;
+}
+
+if (empty($app)) {
+    flash(get_string('error.invalidAppId'), $flash);
+}
+
+if (key_exists('callback', $query)) {
+    if ($query['callback'] == $app['callback']) {
+        $passed_callback = true;
+    }
+}
+
+$signed_in = !is_null($user);
+
+?>
+
+<!doctype html>
+<html lang="en">
+<head>
+    <?php include 'partials/head.php' ?>
+    <link rel="stylesheet" href="/styles/login_form.css" />
+</head>
+<body>
+<?php include 'partials/header.php' ?>
+
+<main>
+    <?=
+        show_flash($flash);
+        if ($please_exit) {
+            goto pls_quit;
+        }
+    ?>
+
+    <h1><?= htmlspecialchars($app['title']) ?> wants to sign in with your ByeCorps ID</h1>
+    <p><i><?= htmlspecialchars($app['description']) ?></i><br>(The above was provided by the developers)</p>
+
+    <?php
+        if ($signed_in && $passed_callback) {
+            echo 'PASSED!!';
+        }
+    ?>
+
+    <?php
+    pls_quit:
+    ?>
+</main>
+
+<?php include 'partials/footer.php' ?>
+</body>
+</html>

views/partials/footer.php

@@ -4,6 +4,7 @@
         <div><?= get_string('footer.executionTime', ['time'=>round((microtime(true) - $_SERVER['REQUEST_TIME_FLOAT']) * 1000, 3)]) ?></div>
     </div>
     <div class="item">
-        <script src="/scripts/langauge_switcher.js" defer></script>
+        <p><a href="/settings/region"><?= get_string('generic.changeLanguage') ?> - Change language</a></p>
+<!--        <script src="/scripts/langauge_switcher.js" defer></script>-->
     </div>
 </footer>

views/partials/header.php

@@ -9,6 +9,9 @@
     <div class="section">
         <?php
             if ($_SESSION['auth']) {
+                if ($user['is_admin']) {
+                    echo '<a class="item" href="/admin">Admin dashboard</a>';
+                }
                 echo '<div class="item">' . get_string("header.hello", ['display_name' => get_user_display_name($_SESSION['id'])]) . '</div>';
                 echo '<a class="item" href="/dashboard">' . get_string('page.dashboard') . '</a>';
                 echo '<div class="item"><a href="/auth/signout">'. get_string('auth.signout') .'</a></div>';

views/settings_region.php

@@ -3,8 +3,17 @@
 function update_language(): void
 {
     global $user;
+    if (is_null($user)) {
+        $user['id'] = DEMO_USER;
+    }
     set_user_language($_POST['lang'], $user['id']);
-    location('/settings/region');
+    location('/settings/region?success=true');
+}
+
+if (array_key_exists('success', $query)) {
+    if ($query['success'] == 'true') {
+        flash(get_string('generic.languageUpdated'), $flash);
+    }
 }
 
 if (isset($path[3])) {
@@ -37,11 +46,16 @@ if (isset($path[3])) {
 <main>
     <h1><span class="fa-solid fa-fw fa-cog"></span> <?= get_string('page.settings'); ?></h1>
     <div class="grid">
-        <?php include 'partials/settings_list.php' ?>
+        <?php
+            if ($_SESSION['auth']) {
+                include 'partials/settings_list.php';
+            }
+        ?>
         <div class="settingsthingy">
             <h2><?= get_string('settings.region') ?></h2>
             <p>Here you can set the language ByeCorps ID is displayed in.</p>
             <form action="/settings/region/set_language" method="post">
+                <?= show_flash($flash); ?>
                 <div class="language-selector">
                     <?php
                     foreach (LANGAUGES as $lang) {
@@ -51,7 +65,7 @@ if (isset($path[3])) {
                         }
                         echo '<label>
                     <input type="radio" name="lang" '.$checked.' id="lang" value="'. $lang['code'] . '" />
-                    '. $lang['name'] .'
+                    '. get_string('language.'.$lang['code']) .' - '. $lang['name'] .'
                 </label>';
                     }
                     ?>