From 93b405ab9f69538546165c75a301c0c57a5359cf Mon Sep 17 00:00:00 2001
From: Camil Staps
Date: Tue, 26 Jul 2016 00:16:17 +0200
Subject: User authentication mechanism

---
 login.php | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 login.php

(limited to 'login.php')

diff --git a/login.php b/login.php
new file mode 100644
index 0000000..e60b7ed
--- /dev/null
+++ b/login.php
@@ -0,0 +1,89 @@
+<?php
+/**
+ * Check if the user is logged in
+ * 
+ * This file should be required by all sensitive PHP scripts. It verifies that
+ * the client has been logged in, and if not, displays a login page.
+ *
+ * See also login-ajax.php, which is specific for files that are loaded through
+ * Ajax (and typically require a json response).
+ * 
+ * @author Camil Staps
+ *
+ * BusinessAdmin: administrative software for small companies
+ * Copyright (C) 2015 Camil Staps (ViviSoft)
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+require_once('./conf.php');
+
+if (isset($_GET['logout'])) {
+	$_SESSION['login'] = false;
+	header('Location: ' . constants::url_external);
+	die();
+}
+
+if (!isset($_SESSION['login']) || $_SESSION['login'] === false) {
+	if (isset($_POST['username'])) {
+		$users = BusinessAdmin::getUsers($_pdo, ['`username`=?'], [$_POST['username']]);
+		if (count($users) == 0) {
+			$_msg = "No user {$_POST['username']} found.<br/>";
+		} else {
+			$user = array_pop($users);
+			if ($user->verifyPassword($_POST['password'])) {
+				$_SESSION['login'] = $user->getId();
+				$_user = $user;
+				return;
+			} else {
+				$_msg = "Password incorrect.<br/>";
+			}
+		}
+	}
+
+	include('./header.php');
+?>
+	<div class="container">
+		<div class="row">
+			<div class="col-md-4 col-md-offset-4">
+				<div class="login-panel panel panel-default">
+					<div class="panel-heading">
+						<h3 class="panel-title">Login<i class="fa fa-lock fa-fw fa-lg pull-right"></i></h3>
+					</div>
+					<div class="panel-body">
+						<?php
+						if (isset($_msg)) {
+							echo "<div class='form-group alert alert-danger'>$_msg</div>";
+						}
+						?>
+						<form action="" method="post">
+							<div class="form-group">
+								<input class="form-control" type="text" name="username" placeholder="Username" autofocus="autofocus"/>
+							</div>
+							<div class="form-group">
+								<input class="form-control" type="password" name="password" placeholder="Password"/>
+							</div>
+							<input type="submit" class="btn btn-lg btn-success btn-block" value="login"/>
+						</form>
+					</div>
+				</div>
+			</div>
+		</div>
+	</div>
+	<?php
+	include('./footer.php');
+	die();
+}
+
+$_user = new user($_pdo, $_SESSION['login']);
-- 
cgit v1.2.3