e008000aa6
Protect UI with PHP session login and secure APIs. - Add login/logout pages and session auth helper - Serve protected content from index.php - Redirect index.html to index.php to prevent bypass - Require auth for image list/upload APIs Co-authored-by: Cursor <cursoragent@cursor.com>
59 lines
1.5 KiB
PHP
59 lines
1.5 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
/**
|
|
* Session-based auth gate (no DB).
|
|
* Required credentials:
|
|
* - username: admin
|
|
* - password: admin5004!
|
|
*
|
|
* NOTE: Password is stored as SHA-256 hash here (not plaintext).
|
|
*/
|
|
|
|
function dreamgirl_session_start(): void {
|
|
if (session_status() === PHP_SESSION_ACTIVE) return;
|
|
|
|
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
|
|
|
|
// PHP 7.3+ supports samesite via array; older versions may ignore unknown keys.
|
|
session_set_cookie_params([
|
|
'lifetime' => 0,
|
|
'path' => '/',
|
|
'httponly' => true,
|
|
'samesite' => 'Lax',
|
|
'secure' => $secure,
|
|
]);
|
|
|
|
session_start();
|
|
}
|
|
|
|
function dreamgirl_is_logged_in(): bool {
|
|
dreamgirl_session_start();
|
|
return isset($_SESSION['dreamgirl_user']) && $_SESSION['dreamgirl_user'] === 'admin';
|
|
}
|
|
|
|
function dreamgirl_check_credentials(string $username, string $password): bool {
|
|
if ($username !== 'admin') return false;
|
|
|
|
// sha256("admin5004!")
|
|
$expectedSha256 = 'adcda104b73b73f8cddf5c8047a6bc0e5e1388265ed4bf0f31f704c13cbc11b7';
|
|
$gotSha256 = hash('sha256', $password);
|
|
|
|
return hash_equals($expectedSha256, $gotSha256);
|
|
}
|
|
|
|
function dreamgirl_require_login_page(): void {
|
|
if (dreamgirl_is_logged_in()) return;
|
|
header('Location: /login.php');
|
|
exit;
|
|
}
|
|
|
|
function dreamgirl_require_login_json(): void {
|
|
if (dreamgirl_is_logged_in()) return;
|
|
http_response_code(401);
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
echo json_encode(['ok' => false, 'error' => 'Unauthorized'], JSON_UNESCAPED_UNICODE);
|
|
exit;
|
|
}
|
|
|