401 Unauthorised
You are not permitted to view this content.
"; exit(401); }

// Now let's determine if we're logged in or not. We can use the session for this, and verify using the
// `bcid` value (which only appears if you're logged in!!!)
// NOTE(review): the POST-supplied `bcid` is only compared against `$_SESSION['id']` here, so the session
// is the source of truth for identity; the POST copy acts as a tamper check, not an identity claim.
if ($_SESSION['auth']) {
    // Loose comparisons: `null == $_POST['bcid']` is also true for '' (and an empty array), and `!=`
    // between a session id and a POST string goes through PHP's numeric-string juggling rules (which
    // changed in 8.0). NOTE(review): `!isset($_POST['bcid']) || (string) $_SESSION['id'] !== (string) $_POST['bcid']`
    // would make the intent explicit — confirm the type db_execute() returns for `id` first.
    if (null == $_POST['bcid'] || $_SESSION['id'] != $_POST['bcid']) {
        // Both of these suggest tampering,
        // let's log the user out and throw an error.
        // NOTE(review): only these two keys are cleared; whether the session id is regenerated or the
        // session destroyed elsewhere is not visible in this span.
        $_SESSION['auth'] = false;
        $_SESSION['id'] = null;
        $flash = "Sorry, something went wrong. Please sign in again.";
        goto login;
    }
} else {
    // of course, there's also the case that you WEREN'T logged in. Let's verify if you're logged in or not.
    // Parameterised query: the email is bound, not interpolated into the SQL.
    $user_db_version = db_execute("SELECT * FROM accounts WHERE email = ?", [$_POST['email']]);
    // Order of the two conditions: `$user_db_version['password']` is indexed *before* the null check
    // runs, so (assuming db_execute() returns null for no row, as the check implies) an unknown email
    // reaches password_verify() with a null hash (warning, coerced to '') and only then lands in the
    // failure branch. Checking `null == $user_db_version` first is the intended flow; verifying against a
    // fixed dummy hash in the unknown-email case would also keep the timing of the two failures
    // comparable (account-enumeration hardening).
    if (!password_verify($_POST['password'], $user_db_version['password']) || null == $user_db_version) {
        // INCORRECT PASSWORD!!!!
        // or the account doesn't exist. we don't care either way.
        // (Same message for both cases on purpose — it does not reveal which one it was.)
        $flash = "Incorrect email or password.";
    } else {
        // if it's correct, we'll still force them to click log in again anyway. I'll also be nice and set the
        // cookies properly.
        // NOTE(review): no session_regenerate_id() is visible between the anonymous and authenticated
        // states in this span — confirm it happens elsewhere (session-fixation mitigation).
        $_SESSION['id'] = $user_db_version['id'];
        $_SESSION['auth'] = true;
        $user = $user_db_version;
        goto login;
    }
}

// The following gets run assuming we know the client is the one CLICKING the button.
// NOTE(review): "the client is the one clicking" only holds if a CSRF token is checked before this point;
// no such check is visible in this span.
// Issues tokens for the POST `bcid`, which passed the (loose) equality check against `$_SESSION['id']`
// above; passing `$_SESSION['id']` itself would not depend on that comparison.
$tokens = generate_basic_access_token($_POST['bcid']);
// Redirect target and token delivery:
//  - `$_POST['callback']` is used as-is. Whether it has been validated against the app's registered
//    callback (e.g. from `$app`) is not visible in this span; without that check the tokens are
//    delivered to whatever URL the form posted (open redirect + token exfiltration).
//  - '?' is appended unconditionally, so a callback that already carries a query string gets a second '?'.
//  - token values are concatenated raw; http_build_query()/urlencode() would keep the URL well-formed.
//  - tokens in the query string end up in browser history, Referer headers and server logs; a fragment
//    (#...) or a POST form is the usual alternative for bearer tokens.
header('Location: '. $_POST['callback'].'?access_token='.$tokens['access'].'&refresh='.$tokens['refresh'] .'&expiry='.$tokens['expiry']);
exit();
// Closes the enclosing block (presumably the POST handler) opened above this span.
}

// Both `goto login` jumps above land here; the PHP block ends and the confirmation page is rendered.
login:
?>Owned by = get_display_name($app['owner_id'], put_bcid_in_parenthesis: true) ?>
Server returned error:$error[0]
(HTTP response code $error[1])
= $app['title'] ?> uses ByeCorps ID for authentication.
Please double-check the information and avoid signing in with your BCID if you do not trust this app.
Please confirm that you'd like to sign into = $app['title'] ?>.
$flash"; } else { echo "