admin/37048-vm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

سسشسسسس

Browse Source
This commit is contained in:
Flatlogic Bot 2025-12-08 20:42:20 +00:00
parent f28a0493a0
commit 8a6a18d0c2
15 changed files with 129 additions and 309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/pasted-20251208-162357-8b88f726.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 247 KiB

BIN
assets/pasted-20251208-162516-eecfa280.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 251 KiB

BIN
assets/pasted-20251208-191752-291d87d1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 246 KiB

BIN
assets/pasted-20251208-202214-728417bd.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 329 KiB

319
auth_handler.php
View File

@ -1,284 +1,55 @@
<?php
// MUST be called before session_start()
require_once 'includes/session_config.php';
session_start();
require_once __DIR__ . '/db/config.php';
require_once __DIR__ . '/mail/MailService.php';
$action = $_GET['action'] ?? '';
require_once 'db/config.php';
switch ($action) {
case 'send_otp':
handle_send_otp();
break;
case 'verify_otp':
handle_verify_otp();
break;
case 'google_login':
handle_google_login();
break;
case 'logout':
handle_logout();
break;
default:
header('Location: index.php');
exit;
// If Google user info is not in the session, redirect to login.
if (!isset($_SESSION['google_user_info'])) {
header('Location: login.php?error=google_auth_failed');
exit();
}
function handle_send_otp() {
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
header('Location: login.php');
exit;
// Retrieve user info from session
$google_user = $_SESSION['google_user_info'];
$email = $google_user['email'];
$fullName = $google_user['name'];
$nameParts = explode(' ', $fullName, 2);
$firstName = $nameParts[0];
$lastName = isset($nameParts[1]) ? $nameParts[1] : '';
// Clear the temporary session data
unset($_SESSION['google_user_info']);
try {
$pdo = db();
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
$user = $stmt->fetch();
if ($user) {
// User exists, log them in
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = trim($user['first_name'] . ' ' . $user['last_name']);
$_SESSION['is_admin'] = $user['is_admin'];
} else {
// User does not exist, create a new one
$insertStmt = $pdo->prepare("INSERT INTO users (first_name, last_name, email, password, is_admin, created_at) VALUES (?, ?, ?, NULL, 0, NOW())");
$insertStmt->execute([$firstName, $lastName, $email]);
$newUserId = $pdo->lastInsertId();
$_SESSION['user_id'] = $newUserId;
$_SESSION['user_name'] = $fullName;
$_SESSION['is_admin'] = 0;
}
$email = filter_var(trim($_POST['email'] ?? ''), FILTER_VALIDATE_EMAIL);
$phone = preg_match('/^09[0-9]{9}$/', trim($_POST['phone'] ?? '')) ? trim($_POST['phone']) : null;
header('Location: profile.php');
exit();
if (!$email && !$phone) {
flash_message('danger', 'لطفاً یک ایمیل یا شماره تلفن معتبر وارد کنید.', 'login.php');
}
$identifier = $email ?: $phone;
$login_method = $email ? 'email' : 'phone';
try {
$pdo = db();
// Generate a secure random code
$otp_code = random_int(100000, 999999);
$code_hash = password_hash((string)$otp_code, PASSWORD_DEFAULT);
// OTP is valid for 10 minutes
$expires_at = date('Y-m-d H:i:s', time() + (10 * 60));
// Store the hashed code in the database. Using the 'email' column for both for now.
$stmt = $pdo->prepare("INSERT INTO otp_codes (email, code_hash, expires_at) VALUES (?, ?, ?)");
$stmt->execute([$identifier, $code_hash, $expires_at]);
if ($login_method === 'email') {
// Send the plain code to the user's email
$subject = "کد ورود شما به فروشگاه آتیمه";
$body = "<div dir='rtl' style='font-family: Vazirmatn, sans-serif; text-align: right;'><h2>کد تایید شما</h2><p>برای ورود یا ثبت‌نام در وب‌سایت آتیمه، از کد زیر استفاده کنید:</p><p style='font-size: 24px; font-weight: bold; letter-spacing: 5px; text-align: center; background: #f0f0f0; padding: 10px; border-radius: 8px;'>{$otp_code}</p><p>این کد تا ۱۰ دقیقه دیگر معتبر است.</p></div>";
$mail_result = MailService::sendMail($identifier, $subject, $body);
if (!$mail_result['success']) {
error_log('OTP Mail Error: ' . ($mail_result['error'] ?? 'Unknown error'));
flash_message('danger', 'خطایی در ارسال ایمیل رخ داد. لطفاً مطمئن شوید ایمیل را درست وارد کرده‌اید.', 'login.php');
}
} else {
// Phone login: Simulate sending OTP since there is no SMS gateway
error_log("OTP for {$identifier}: {$otp_code}"); // Log for debugging
// In a real application, you would integrate with an SMS service here.
// For now, we will show a message that it's not implemented, but allow verification for testing.
$_SESSION['show_otp_for_debugging'] = $otp_code; // Temporarily show OTP on verify page for testing
}
// Store identifier in session to use on the verification page
$_SESSION['otp_identifier'] = $identifier;
header('Location: verify.php');
exit;
} catch (Exception $e) {
error_log('OTP Generation Error: ' . $e->getMessage());
flash_message('danger', 'خطای سرور. لطفاً لحظاتی دیگر دوباره تلاش کنید.', 'login.php');
}
}
function handle_verify_otp() {
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
header('Location: login.php');
exit;
}
$identifier = trim($_POST['identifier'] ?? '');
$otp_code = trim($_POST['otp_code'] ?? '');
if (!$identifier || !$otp_code) {
flash_message('danger', 'شناسه یا کد تایید نامعتبر است.', 'login.php');
}
$login_method = filter_var($identifier, FILTER_VALIDATE_EMAIL) ? 'email' : 'phone';
try {
$pdo = db();
// Find the latest, unused OTP for this identifier that has not expired
$stmt = $pdo->prepare("SELECT * FROM otp_codes WHERE email = ? AND is_used = 0 AND expires_at > NOW() ORDER BY created_at DESC LIMIT 1");
$stmt->execute([$identifier]);
$otp_row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($otp_row && password_verify($otp_code, $otp_row['code_hash'])) {
// Mark OTP as used
$stmt_update = $pdo->prepare("UPDATE otp_codes SET is_used = 1 WHERE id = ?");
$stmt_update->execute([$otp_row['id']]);
// Check if user exists
$column = $login_method === 'email' ? 'email' : 'phone';
$stmt_user = $pdo->prepare("SELECT * FROM users WHERE $column = ?");
$stmt_user->execute([$identifier]);
$user = $stmt_user->fetch(PDO::FETCH_ASSOC);
$user_id = null;
if ($user) {
// User exists, log them in
$user_id = $user['id'];
$_SESSION['user_name'] = $user['first_name'];
} else {
// User does not exist, create a new one
$stmt_create = $pdo->prepare("INSERT INTO users ($column, is_admin) VALUES (?, 0)");
$stmt_create->execute([$identifier]);
$user_id = $pdo->lastInsertId();
$_SESSION['user_name'] = null;
}
// Set session variables for login
$_SESSION['user_id'] = $user_id;
unset($_SESSION['otp_identifier']);
unset($_SESSION['show_otp_for_debugging']);
flash_message('success', 'شما با موفقیت وارد شدید!', 'index.php');
} else {
flash_message('danger', 'کد وارد شده اشتباه یا منقضی شده است.', 'verify.php');
}
} catch (Exception $e) {
error_log('OTP Verification Error: ' . $e->getMessage());
flash_message('danger', 'خطای سرور. لطفاً لحظاتی دیگر دوباره تلاش کنید.', 'verify.php');
}
}
function handle_logout() {
session_unset();
session_destroy();
header('Location: index.php');
exit;
}
function flash_message($type, $message, $location) {
// Ensure identifier is carried over to verify page on error
if ($location === 'verify.php' && isset($_POST['identifier'])) {
$_SESSION['otp_identifier'] = $_POST['identifier'];
}
$_SESSION['flash_message'] = ['type' => $type, 'message' => $message];
header("Location: $location");
exit;
}
function handle_google_login() {
// Load Google credentials from .env
$google_client_id = getenv('GOOGLE_CLIENT_ID');
$google_client_secret = getenv('GOOGLE_CLIENT_SECRET');
// The redirect URI must be the exact same one configured in your Google Cloud project
$redirect_uri = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'] . strtok($_SERVER["REQUEST_URI"], '?') . '?action=google_login';
if (empty($google_client_id) || empty($google_client_secret)) {
flash_message('danger', 'قابلیت ورود با گوگل هنوز پیکربندی نشده است.', 'login.php');
}
// If 'code' is not in the query string, this is the initial request. Redirect to Google.
if (!isset($_GET['code'])) {
$auth_url = 'https://accounts.google.com/o/oauth2/v2/auth?' . http_build_query([
'client_id' => $google_client_id,
'redirect_uri' => $redirect_uri,
'response_type' => 'code',
'scope' => 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile',
'access_type' => 'online',
'prompt' => 'select_account'
]);
header('Location: ' . $auth_url);
exit;
}
// If 'code' is present, this is the callback from Google.
else {
try {
// Step 1: Exchange authorization code for an access token
$token_url = 'https://oauth2.googleapis.com/token';
$token_data = [
'code' => $_GET['code'],
'client_id' => $google_client_id,
'client_secret' => $google_client_secret,
'redirect_uri' => $redirect_uri,
'grant_type' => 'authorization_code'
];
$token_response = curl_request($token_url, 'POST', $token_data);
if (!isset($token_response['access_token'])) {
throw new Exception("Failed to get access token from Google. Response: " . json_encode($token_response));
}
// Step 2: Use access token to get user's profile information
$userinfo_url = 'https://www.googleapis.com/oauth2/v1/userinfo?access_token=' . $token_response['access_token'];
$userinfo = curl_request($userinfo_url);
if (!isset($userinfo['email'])) {
throw new Exception("Failed to get user info from Google. Response: " . json_encode($userinfo));
}
// Step 3: Log in or create user
$email = filter_var($userinfo['email'], FILTER_VALIDATE_EMAIL);
$first_name = $userinfo['given_name'] ?? '';
$last_name = $userinfo['family_name'] ?? '';
$pdo = db();
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
$user_id = null;
if ($user) {
// User exists, log them in
$user_id = $user['id'];
// Update name if it's missing
if (empty($user['first_name']) && !empty($first_name)) {
$stmt_update = $pdo->prepare("UPDATE users SET first_name = ?, last_name = ? WHERE id = ?");
$stmt_update->execute([$first_name, $last_name, $user_id]);
}
} else {
// User does not exist, create a new one
$stmt_create = $pdo->prepare("INSERT INTO users (email, first_name, last_name, is_admin) VALUES (?, ?, ?, 0)");
$stmt_create->execute([$email, $first_name, $last_name]);
$user_id = $pdo->lastInsertId();
}
// Set session variables for login
$_SESSION['user_id'] = $user_id;
$_SESSION['user_name'] = $first_name;
unset($_SESSION['otp_email']); // Clean up OTP session if it exists
flash_message('success', 'شما با موفقیت با حساب گوگل وارد شدید!', 'index.php');
} catch (Exception $e) {
error_log('Google Login Error: ' . $e->getMessage());
flash_message('danger', 'خطایی در فرآیند ورود با گوگل رخ داد. لطفاً دوباره تلاش کنید.', 'login.php');
}
}
}
function curl_request($url, $method = 'GET', $data = []) {
$ch = curl_init();
if ($method === 'POST') {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
// Set a common user agent
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36');
$response = curl_exec($ch);
if (curl_errno($ch)) {
$error_msg = curl_error($ch);
curl_close($ch);
throw new Exception("cURL Error: " . $error_msg);
}
curl_close($ch);
return json_decode($response, true);
} catch (Throwable $t) {
$error_message = 'Database error during Google auth processing: ' . $t->getMessage();
error_log($error_message);
header('Location: login.php?error=db_error');
exit();
}

1
cart_handler.php
View File

@ -1,4 +1,5 @@
<?php
require_once __DIR__ . '/includes/session_config.php';
session_start();
require_once 'db/config.php';

1
checkout_handler.php
View File

@ -1,4 +1,5 @@
<?php
require_once __DIR__ . '/includes/session_config.php';
session_start();

2
db/config.php
View File

@ -18,6 +18,6 @@ function db() {
// Google API configuration
define('GOOGLE_CLIENT_ID', '915631311746-o6gk076l6lfvuboin99u2h8cgqilc0qk.apps.googleusercontent.com');
define('GOOGLE_CLIENT_SECRET', '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');
define('GOOGLE_CLIENT_SECRET', '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');
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
define('GOOGLE_REDIRECT_URL', $protocol . $_SERVER['HTTP_HOST'] . '/google_callback.php');

33
debug.log Normal file
View File

@ -0,0 +1,33 @@
Google callback received: Array
(
[code] => 4/0ATX87lPjrFIOuwWliENWcywUFg2GEgcus6DYYxEZCL3ISMUJlz2hqnXSPJ1U_xb5nX_WAg
[scope] => email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid
[authuser] => 0
[prompt] => none
)
Google token response: Array
(
[access_token] => ya29.A0Aa7pCA82ZzUaONLUeRj6TaiCF4mN_rnoysKXYJx0sBfNIlsRFNhsWQCH9KRqJqs82imX0t3UqTAPol9kD6c-XJKKI2ulxWmO7vabFCvWoaF2LR6fMNTH4iaruLxAws6xvgyObdGfkQgGHBDu2JBrMvEi0bLjqAMf5qOZA1mmRuR2CJzDnHTZoCqSaf7VeweMSAD8FkMx3Kn1t9CWs8CJce-OUBrQghfntFzqbvhbgf4rQynhpjg2iLtrvXmP_PPMIb_WJDTuvB9jrDBXi46McpOPPyheygaCgYKAUISARISFQHGX2MioKN_UM1Usr69JF1Ts3UnCQ0293
[expires_in] => 3598
[scope] => https://www.googleapis.com/auth/userinfo.email openid https://www.googleapis.com/auth/userinfo.profile
[token_type] => Bearer
[id_token] => eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ1NDNlMjFhMDI3M2VmYzY2YTQ3NTAwMDI0NDFjYjIxNTFjYjIzNWYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI5MTU2MzEzMTE3NDYtbzZnazA3Nmw2bGZ2dWJvaW45OXUyaDhjZ3FpbGMwcWsuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI5MTU2MzEzMTE3NDYtbzZnazA3Nmw2bGZ2dWJvaW45OXUyaDhjZ3FpbGMwcWsuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTExNjMwMjQwMTY0NTUxMTM0OTYiLCJlbWFpbCI6ImR1c3QuYWk4OUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXRfaGFzaCI6InUyZXNtVzcxdGo2RGRETTBaOEN6SkEiLCJuYW1lIjoiZHVzdCBhaSIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vYS9BQ2c4b2NLaVRaZmJYVThOc3NzUW1Sb1V4dllKWkVTVldfVmpRU3FmRnhoNjZnazRPVFNrY2c9czk2LWMiLCJnaXZlbl9uYW1lIjoiZHVzdCIsImZhbWlseV9uYW1lIjoiYWkiLCJpYXQiOjE3NjUyMjQxMTQsImV4cCI6MTc2NTIyNzcxNH0.UvgktDzIgMhJLKvQfSGs9GTfodjShyXNRvnPs60vtnyGhdb0d6E8nD_l4kF5HXlcJAMpb4T7QVNCKvXdeG8gI68-_n-FIUfIqkePh167Qh553gHw-8K7v8vmmvDpVvWg4gPXBqARsgZc6_53qAEd6b2aUGGiRDicCwBkS6tDk4We14bIO71g7d70WEnmBLIE5YA7FIj9PYMfWMs0r9oN8fgG1Qt29LO3L4AQ7P8QzqZ3bNL4OiZC_kl0wsVK6TBDuoXFxUMPsUhkvUNr4A67mJa900wxjW9TrzNG8ZJBiwybgdKIY71r_xtEpPemTHuhYsmvaOlzhJ4RkngneNCY8Q
[created] => 1765224114
)
Google callback received: Array
(
[code] => 4/0ATX87lPjrFIOuwWliENWcywUFg2GEgcus6DYYxEZCL3ISMUJlz2hqnXSPJ1U_xb5nX_WAg
[scope] => email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid
[authuser] => 0
[prompt] => none
)
Google token response: Array
(
[error] => invalid_grant
[error_description] => Bad Request
)
Google Auth Exception: Token error: Bad Request

1
execution_test.log Normal file
View File

@ -0,0 +1 @@
google_callback.php was executed at 2025-12-08 19:56:56

61
google_callback.php
View File

@ -1,7 +1,14 @@
<?php
// MUST be called before session_start()
require_once 'includes/session_config.php';
session_start();
require_once 'vendor/autoload.php';
require_once 'db/config.php';
// Google API configuration
define('GOOGLE_CLIENT_ID', '915631311746-o6gk076l6lfvuboin99u2h8cgqilc0qk.apps.googleusercontent.com');
define('GOOGLE_CLIENT_SECRET', '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');
define('GOOGLE_REDIRECT_URL', 'https://atimah-leather.dev.flatlogic.app/google_callback.php');
// Check if the user has a temporary identifier from the initial login, and clear it.
if (isset($_SESSION['otp_identifier'])) {
@ -18,53 +25,43 @@ $client->addScope("profile");
// Handle the OAuth 2.0 server response
if (isset($_GET['code'])) {
try {
error_log('Google callback received: ' . print_r($_GET, true));
$token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
error_log('Google token response: ' . print_r($token, true));
if (isset($token['error'])) {
throw new Exception('Google auth error: ' . $token['error_description']);
throw new Exception('Token error: ' . ($token['error_description'] ?? 'Unknown error'));
}
$client->setAccessToken($token['access_token']);
// Get user profile information
$google_oauth = new Google_Service_Oauth2($client);
$google_account_info = $google_oauth->userinfo->get();
$email = $google_account_info->email;
$name = $google_account_info->name;
$pdo = db();
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
$user = $stmt->fetch();
$userInfo = [
'email' => $google_account_info->email,
'name' => $google_account_info->name,
];
if ($user) {
// User exists, log them in
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['name'];
$_SESSION['is_admin'] = $user['is_admin'];
} else {
// User does not exist, create a new one
// A null password is used as authentication is managed by Google.
$insertStmt = $pdo->prepare("INSERT INTO users (name, email, password, is_admin, created_at) VALUES (?, ?, NULL, 0, NOW())");
$insertStmt->execute([$name, $email]);
$newUserId = $pdo->lastInsertId();
$_SESSION['google_user_info'] = $userInfo;
$_SESSION['user_id'] = $newUserId;
$_SESSION['user_name'] = $name;
$_SESSION['is_admin'] = 0;
}
// Explicitly save the session data before redirecting.
session_write_close();
// Redirect to the profile page upon successful login/registration
header('Location: profile.php');
header('Location: auth_handler.php');
exit();
} catch (Exception $e) {
// On error, redirect to login with an error message
error_log($e->getMessage()); // Log the actual error for debugging
header('Location: login.php?error=google_auth_failed');
} catch (Throwable $t) {
// Log the actual error to the server's error log for inspection.
error_log('Google Auth Exception: ' . $t->getMessage());
header('Location: login.php?error=google_auth_failed_exception');
exit();
}
} else {
// If no authorization code is present, generate the authentication URL and redirect.
$authUrl = $client->createAuthUrl();
header('Location: ' . $authUrl);
// Instead of redirecting, print the URL for debugging
echo "Please copy this URL and send it back to me:<br><br>";
echo $authUrl;
exit();
}

3
includes/header.php
View File

@ -1,4 +1,7 @@
<?php
// Enforce session cookie settings BEFORE starting the session
require_once __DIR__ . '/session_config.php';
if (session_status() === PHP_SESSION_NONE) {
session_start();
}

11
includes/session_config.php Normal file
View File

@ -0,0 +1,11 @@
<?php
// Force session cookie parameters for cross-domain compatibility.
session_set_cookie_params([
'lifetime' => 86400, // 24 hours
'path' => '/',
'domain' => '', // Set your domain if needed, empty for current host
'secure' => true, // Must be true for SameSite=None
'httponly' => true,
'samesite' => 'None' // Allows cross-site cookie sending
]);
?>

1
login.php
View File

@ -1,4 +1,5 @@
<?php
require_once __DIR__ . '/includes/session_config.php';
session_start();
if (isset($_SESSION['user_id'])) {

1
verify.php
View File

@ -1,4 +1,5 @@
<?php
require_once __DIR__ . '/includes/session_config.php';
session_start();
// Redirect if identifier is not in session