simple tokenized loginsystem

inc/database.php

@@ -53,6 +53,15 @@ class DataBase extends SQLite3 {
 			FOREIGN KEY (personaid) REFERENCES personas(id) ON UPDATE CASCADE ON DELETE CASCADE
 			);
 
+			CREATE TABLE IF NOT EXISTS tokens (
+			id	INTEGER	PRIMARY KEY	AUTOINCREMENT	UNIQUE,
+			userid	INTEGER	NOT NULL,
+			token	TEXT	NOT NULL	UNIQUE,
+			lastuse	TEXT	NOT NULL,
+			expires	TEXT	NOT NULL,
+			FOREIGN KEY (userid) REFERENCES users(id) ON UPDATE CASCADE ON DELETE CASCADE
+			);
+
 			INSERT OR IGNORE INTO users (id, handle, name, about) VALUES ('0', 'SYSTEM', 'SYSTEM', 'SYSTEM');
 
 		";
@@ -70,6 +79,16 @@ class DataBase extends SQLite3 {
 		}
 	}
 
+	function getUserByHandle($handle) {
+		$handle = $this->escapeString($handle);
+		$sql = "SELECT * FROM users AS user WHERE handle='$handle';";
+		$ret = $this->query($sql)->fetchArray(SQLITE3_ASSOC);
+		if(!$ret) {
+			return false;
+		}
+		return $ret;
+	}
+
 	function addPost($text, $userid=NULL, $personaid=NULL) {
 		$id = hexdec(uniqid());
 		$time = time();
@@ -109,6 +128,56 @@ class DataBase extends SQLite3 {
 		return password_verify($password, $dbhash);
 	}
 
+	function tokenGen() {
+		return random_bytes(32);
+	}
+	function tokenAdd($userid) {
+		$token = $this->tokenGen();
+		$hashed = hash('sha256', $token);
+		$time = time();
+		$expires = $time + 2592000; // 30 days
+		$sql = "INSERT INTO tokens (userid, token, lastuse, expires) VALUES ('$userid', '$hashed', '$time', '$expires');";
+		$ret = $this->exec($sql);
+		if(!$ret) {
+			die($this->lastErrorMsg());
+		}
+		return $token;
+	}
+	function tokenRefresh($tokenid) {
+		$time = time();
+		$expires = $time + 2592000; // 30 days
+		$sql = "UPDATE tokens SET lastuse='$time', expires='$expires' WHERE id='$tokenid';";
+		$ret = $this->exec($sql);
+		if(!$ret) {
+			die($this->lastErrorMsg());
+		}
+	}
+	function tokenRemove($token) {
+		$hashed = hash('sha256', $token);
+		$sql = "DELETE FROM tokens WHERE token='$hashed';";
+		$ret = $this->exec($sql);
+		if(!$ret) {
+			die($this->lastErrorMsg());
+		}
+	}
+
+	function getAuthedUserId($token=NULL) {
+		if (empty($token)) { 
+			if (empty($_COOKIE['token'])) {
+				return false;
+			}
+			$token = base64_decode($_COOKIE['token']);
+		}
+		$hashed = hash('sha256', $token);
+		$sql = "SELECT id AS id, userid AS userid FROM tokens WHERE token='$hashed';";
+		$ret = $this->query($sql)->fetchArray(SQLITE3_ASSOC);
+		if(!$ret) {
+			return false;
+		}
+		$this->tokenRefresh($ret['id']);
+		return $ret['userid'];
+	}
+
 	function getPosts($userid=NULL, $personaid = NULL) {
 		$sql = "SELECT * FROM posts AS post LEFT JOIN users AS user ON post.userid=user.id LEFT JOIN personas AS persona ON post.personaid=persona.id;";
 

index.php

@@ -1,3 +1,10 @@
+<?php
+require_once "inc/database.php";
+$database = new DataBase();
+if(!$database) {
+	die($database->lastErrorMsg());
+}
+?>
 <!DOCTYPE html>
 <html>
 <head>
@@ -9,6 +16,21 @@
 <body>
 	<div id="centerbox">
 	<div id="titlebox"><img src="favicon.ico" />Snuffler</div>
+
+	<?php
+	if (!$database->getAuthedUserId()) {
+	?>
+
+	<form id="loginform" method="post" action="login.php">
+		<input type="text" name="name" placeholder="username" />
+		<input type="password" name="pass" placeholder="password" />
+		<input type="submit" name="submit" value="Log in" />
+	</form>
+
+	<?php
+	} else {
+	?>
+	<a href="logout.php">LOG OUT</a>
 	<form id="postform">
 		<textarea id="postformtextarea" name="text" rows="5" placeholder="Whatcha snuffin' about?"></textarea><br />
 		<div id="postformactionrow">
@@ -20,15 +42,12 @@
 		</div>
 	</form>
 
+	<?php
+	}
+	?>
+
 
 <?php
-require_once "inc/database.php";
-
-$database = new DataBase();
-
-if(!$database) {
-	die($database->lastErrorMsg());
-}
 
 //$database->addPost("Test post", 0);
 
@@ -39,8 +58,8 @@ foreach($posts as $post) {
 	echo '<strong>' . $post["user.name"] . '</strong>';
 	echo '<br><small>@' . $post["user.handle"] . '</small>';
 	echo '<p>' . $post["post.text"] . '</p>';
-	echo '<hr><small>' . date("D j.n.Y \k\l\o G:i", $post["post.time"]) . '</small>';
-	echo '<span class="postactions">5👍 0👎 2💬</span>';
+	echo '<hr><small>' . date("D j.n.Y \@ G:i", $post["post.time"]) . '</small>';
+	echo '<span class="postactions">👍5 👎0 💬2</span>';
 	echo "</div>";
 
 }
@@ -49,4 +68,4 @@ $database->close();
 ?>
 </div>
 </body>
-</html>
+</html>

login.php

@@ -0,0 +1,16 @@
+<?php
+if (empty($_POST) || !isset($_POST['submit'])) {
+	die("Login canceled: no post / no submit");
+}
+
+require_once('inc/database.php');
+$db = new DataBase();
+$user = $db->getUserByHandle($_POST['name']);
+if ($db->passwordVerify($user['user.id'], $_POST['pass'])) {
+	$token = $db->tokenAdd($user['user.id']);
+	$token64 = base64_encode($token);
+	$expires = time() + 2592000; // 30 days
+	setcookie('token', $token64, $expires);
+}
+header("Location: /");
+?>

logout.php

@@ -0,0 +1,7 @@
+<?php
+setcookie("token", "", 0);
+require_once('inc/database.php');
+$db = new DataBase();
+$db->tokenRemove(base64_decode($_COOKIE['token']));
+header("Location: /");
+?>

style.css

@@ -7,6 +7,9 @@ hr {
 	border-color: #584200;
 }
 
+#loginform {
+	text-align: center;
+}
 #titlebox {
 	font-size: 5em;
 	text-align: center;