34394-vm/index.php

<?php
session_start();
require_once __DIR__ . '/db/config.php';
require_once __DIR__ . '/includes/audit.php';

// If user is already logged in, redirect to dashboard
if (isset($_SESSION['user_id'])) {
    header('Location: dashboard.php');
    exit;
}

$error_message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    if (empty($email) || empty($password)) {
        $error_message = 'Please enter both email and password.';
    } else {
        try {
            $pdo = db();
            $stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
            $stmt->execute([$email]);
            $user = $stmt->fetch();

            if ($user && password_verify($password, $user['password_enc'])) {
                if ($user['status'] === 'active') {
                    $_SESSION['user_id'] = $user['id'];
                    $_SESSION['user_email'] = $user['email'];
                    $_SESSION['user_role'] = $user['role'];
                    $_SESSION['user_display_name'] = $user['display_name'];

                    // Regenerate session ID to prevent session fixation
                    session_regenerate_id(true);
                    
                    // Update last login timestamp
                    $updateStmt = $pdo->prepare("UPDATE users SET last_login_at = CURRENT_TIMESTAMP WHERE id = ?");
                    $updateStmt->execute([$user['id']]);

                    log_audit_event('login_success', $user['id']);

                    header('Location: dashboard.php');
                    exit;
                } else {
                    $error_message = 'Your account is disabled. Please contact an administrator.';
                    log_audit_event('login_failed_disabled', $user['id']);
                }
            } else {
                $error_message = 'Invalid email or password.';
                log_audit_event('login_failed_credentials', $user['id'] ?? null);
            }
        } catch (PDOException $e) {
            // In a real app, you would log this error.
            $error_message = 'A database error occurred. Please try again later.';
        }
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>FlexPass – Secure Login</title>

    <!-- SEO & Meta Tags -->
    <meta name="description" content="Secure login for FlexPass, the HIPAA-ready credentials vault.">
    <meta name="robots" content="noindex, nofollow"> <!-- Internal tool, no need to index -->

    <!-- Open Graph -->
    <meta property="og:title" content="FlexPass – Secure Login">
    <meta property="og:description" content="A secure, multi-tenant internal web app to store and manage client credentials.">
    <meta property="og:type" content="website">
    <meta property="og:url" content="">

    <!-- Stylesheets -->
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&display=swap" rel="stylesheet">
    <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">

</head>
<body>

    <main class="login-container">
        <div class="login-card">
            <h1>FlexPass</h1>
            <p class="tagline">HIPAA-Ready Credential Vault</p>

            <?php if (!empty($error_message)): ?>
                <div class="alert alert-danger" role="alert">
                    <?php echo htmlspecialchars($error_message); ?>
                </div>
            <?php endif; ?>

            <form id="loginForm" method="POST">
                <div class="mb-3 text-start">
                    <label for="email" class="form-label">Email Address</label>
                    <input type="email" class="form-control" id="email" name="email" required>
                </div>
                <div class="mb-4 text-start">
                    <label for="password" class="form-label">Password</label>
                    <input type="password" class="form-control" id="password" name="password" required>
                </div>
                <button type="submit" class="btn btn-primary w-100">Sign In</button>
            </form>

            <div class="phi-banner">
                <strong>Reminder:</strong> Do not store Protected Health Information (PHI) in notes or other non-encrypted fields.
            </div>
        </div>
    </main>

    <!-- Scripts -->
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
    <script src="assets/js/main.js?v=<?php echo time(); ?>"></script>

</body>
</html>