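?", [$_SESSION['id'], "basic", $app_id, time()]);
if (count($valid_tokens) > 0) {
    // Re-use the newest still-valid token for this app instead of minting a new one.
    // The debug print_r() of the token rows was dropped: it wrote live access and
    // refresh tokens into the response body (and, without output buffering, output
    // before header() would have broken the redirect anyway).
    $token = $valid_tokens[0];
    // NOTE(review): $_GET['callback'] is used as the redirect target without any
    // validation, so the tokens in the query string go wherever the request says.
    // It must be checked against the redirect URI registered for $app_id before this
    // header is sent; the field holding that URI is not visible in this file, so the
    // check is flagged here rather than enforced.
    header('Location: '. $_GET['callback'].'?access_token='.$token['access_token'].'&refresh='.$token['refresh_token'] .'&expiry='.$token['expiry']);
    exit();
}
} // if (validate_access_token())

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Deciding whether to hand the calling app a token takes a few checks, in order:
    // the form must belong to this session, the user must be signed in (or sign in
    // now), and only then are tokens minted.

    // First: the form carries the session id it was rendered for. A mismatch means the
    // POST did not come from the page served to this session, so refuse it.
    // hash_equals() is a strict, constant-time comparison; a missing field compares as
    // the empty string and is rejected like any other mismatch.
    // NOTE(review): a hidden field holding the session id doubles as the CSRF check
    // here; a dedicated per-form CSRF token would avoid echoing the session id into HTML.
    if (!hash_equals(session_id(), (string) ($_POST['sessionid'] ?? ''))) {
        // exit(401) only set the process exit status; the HTTP status has to be set
        // explicitly so the client sees a 401 rather than a 200 with an error body.
        http_response_code(401);
        echo "

401 Unauthorised

You are not permitted to view this content.

";
        exit();
    }

    // Next: are we already signed in? The session says so, and the form's `bcid` field
    // (only rendered for signed-in users) must agree with the session's account id.
    if (!empty($_SESSION['auth'])) {
        $postedBcid = $_POST['bcid'] ?? null;
        if ($postedBcid === null || $postedBcid === '' || (string) $_SESSION['id'] !== (string) $postedBcid) {
            // A missing or foreign bcid suggests tampering: drop the session's sign-in
            // state and send the user back to the sign-in form.
            $_SESSION['auth'] = false;
            $_SESSION['id'] = null;
            $flash = "Sorry, something went wrong. Please sign in again.";
            goto login;
        }
    } else {
        // Not signed in: check the submitted credentials against the accounts table.
        $user_db_version = db_execute("SELECT * FROM accounts WHERE email = ?", [$_POST['email'] ?? '']);
        // NOTE(review): the token query above treats db_execute()'s result as a list of
        // rows ($valid_tokens[0]) while this one indexes it as a single row — confirm
        // which shape it returns. The existence check now runs before password_verify()
        // so an unknown email no longer dereferences null.
        if (!is_array($user_db_version)
            || !isset($user_db_version['password'])
            || !password_verify((string) ($_POST['password'] ?? ''), $user_db_version['password'])) {
            // Wrong password or no such account: one message for both so the response
            // does not reveal which emails exist. Previously this branch fell through to
            // the token issuance below, so a failed sign-in still produced tokens for
            // whatever bcid the form supplied; it now returns to the sign-in page.
            $flash = "Incorrect email or password.";
            goto login;
        }
        // Credentials are good: record the sign-in in the session, but still make the
        // user click the confirm button on the (now signed-in) page before issuing tokens.
        $_SESSION['id'] = $user_db_version['id'];
        $_SESSION['auth'] = true;
        $user = $user_db_version;
        goto login;
    }

    // Only reached for a signed-in session whose bcid matched above, i.e. the user is
    // the one clicking the button. Bind the token to the session's account id rather
    // than the form field: they are equal here, but the session is the authoritative
    // source.
    $tokens = generate_basic_access_token($_SESSION['id'], $app_id);
    // NOTE(review): same unvalidated redirect target as the GET path above —
    // $_POST['callback'] must be checked against the redirect URI registered for
    // $app_id before tokens are attached to it.
    header('Location: '. $_POST['callback'].'?access_token='.$tokens['access'].'&refresh='.$tokens['refresh'] .'&expiry='.$tokens['expiry']);
    exit();
}
login: ?>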
<?= htmlspecialchars($user['display_name']) ?>'s avatar × <?= htmlspecialchars($app['title']) ?>

Sign into

Owned by

Something went wrong!

Server returned error:
$error[0] (HTTP response code $error[1])

"; goto dont_show_form; } ?>

uses ByeCorps ID for authentication.

Please double-check the information and avoid signing in with your BCID if you do not trust this app.

Please confirm that you'd like to sign into .

$flash

"; } else { echo "
"; } ?>
"; echo "

You are signed in as ". get_display_name($_SESSION['id'], put_bcid_in_parenthesis: true) . ". Not you?."; goto signedin; } ?>

You will need to sign in first.

You will be brought to .
will be able to see your email and display name.