( ′∀`)σ≡σ☆))Д′)レ(゚∀゚;)ヘ=З=З=Зε≡(ノ´_ゝ`)ノ
<?php
// Lightweight SSO helpers for issuing and verifying a signed token
// Configuration array shared by the helpers below through `global $cfg`.
// Keys read in this file: 'secret' (HMAC key), 'cookie_ttl' (seconds; used for
// both the token 'exp' claim and the cookie lifetime) and 'cookie_name'.
$cfg = require __DIR__ . '/config.php';
/**
 * Whether the current request arrived over TLS.
 *
 * Checks $_SERVER['HTTPS'] first (any non-empty value other than 'off'), then
 * the X-Forwarded-Proto header. NOTE(review): that header is only meaningful
 * when a proxy in front of PHP sets or overwrites it — a directly connected
 * client can supply it — so confirm the deployment; in this file the result
 * only decides the cookie 'secure' flag.
 */
function is_https(): bool {
    $https = $_SERVER['HTTPS'] ?? null;
    if (!empty($https) && $https !== 'off') {
        return true;
    }
    return ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? null) === 'https';
}
/**
 * Encode $data as base64url (RFC 4648 §5): '+' and '/' become '-' and '_',
 * and the trailing '=' padding is dropped.
 */
function b64url_encode(string $data): string {
    $standard = base64_encode($data);
    $urlSafe = str_replace(['+', '/'], ['-', '_'], $standard);
    return rtrim($urlSafe, '=');
}
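/**
 * Decode a base64url string produced by b64url_encode().
 *
 * The padding stripped by the encoder is restored and the input is decoded in
 * strict mode, so characters outside the alphabet (or an impossible length)
 * yield '' instead of being silently discarded.
 *
 * @return string the decoded bytes, or '' when $data is not valid base64url
 */
function b64url_decode(string $data): string {
    // Re-pad to a multiple of 4 so strict decoding sees a well-formed group.
    $padded = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}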
/**
 * Compute HMAC-SHA256 of $payload under $secret and return it base64url-encoded.
 */
function hmac_sign(string $payload, string $secret): string {
    $rawMac = hash_hmac('sha256', $payload, $secret, true);
    return b64url_encode($rawMac);
}
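/**
 * Build a compact HS256 token (header.payload.signature, each base64url) from
 * the given claims, signed with $cfg['secret'].
 *
 * 'iat' (now) and 'exp' (now + $cfg['cookie_ttl'] seconds) are filled in
 * first, so an 'iat'/'exp' present in $claims overrides them — callers decide
 * the lifetime they pass in.
 *
 * @param array $claims extra claims to embed (application-controlled)
 * @return string the signed token
 * @throws JsonException when the header or claims cannot be JSON-encoded
 *         (e.g. invalid UTF-8); a failed encode must not be signed as an
 *         empty payload
 */
function issue_token(array $claims): string {
    global $cfg;
    $now = time();
    $header = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = array_merge([
        'iat' => $now,
        'exp' => $now + (int)$cfg['cookie_ttl'],
    ], $claims);
    // JSON_THROW_ON_ERROR: without it json_encode() returns false, which
    // would be encoded as '' and a token with an empty payload would be issued.
    $h = b64url_encode(json_encode($header, JSON_THROW_ON_ERROR));
    $p = b64url_encode(json_encode($payload, JSON_THROW_ON_ERROR));
    $sig = hmac_sign("$h.$p", $cfg['secret']);
    return "$h.$p.$sig";
}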
/**
 * Verify a token produced by issue_token() and return its claims.
 *
 * The signature is recomputed over the encoded header and payload with
 * $cfg['secret'] (always HMAC-SHA256 — the token's 'alg' header is not
 * consulted, so it cannot downgrade the check) and compared in constant time
 * before the payload is decoded. Malformed, tampered or expired tokens
 * (current time past 'exp') yield false.
 *
 * @return array|false decoded claims, or false when the token is not acceptable
 */
function verify_token(string $token) {
    global $cfg;
    $segments = explode('.', $token);
    if (count($segments) !== 3) {
        return false;
    }
    [$encHeader, $encPayload, $givenSig] = $segments;
    $wantSig = hmac_sign("$encHeader.$encPayload", $cfg['secret']);
    if (!hash_equals($wantSig, $givenSig)) {
        return false;
    }
    $claims = json_decode(b64url_decode($encPayload), true);
    if (!is_array($claims) || !isset($claims['exp'])) {
        return false;
    }
    return time() > (int)$claims['exp'] ? false : $claims;
}
/**
 * Send the SSO cookie carrying $token.
 *
 * The cookie expires after $cfg['cookie_ttl'] seconds (matching the token's
 * 'exp'), is host-only ('domain' => ''), HttpOnly and SameSite=Lax. The
 * 'secure' flag follows is_https() for the current request rather than a
 * fixed setting, so it is only set when the request is seen as TLS.
 */
function set_sso_cookie(string $token): void {
    global $cfg;
    $ttl = (int)$cfg['cookie_ttl'];
    setcookie($cfg['cookie_name'], $token, [
        'expires' => time() + $ttl,
        'path' => '/',
        'domain' => '',
        'secure' => is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
/**
 * Delete the SSO cookie by re-sending it empty with an expiry in the past.
 *
 * The remaining attributes (path, host-only domain, secure, HttpOnly,
 * SameSite=Lax) mirror set_sso_cookie() so the browser matches the same cookie.
 */
function clear_sso_cookie(): void {
    global $cfg;
    $inThePast = time() - 3600;
    $attrs = [
        'expires' => $inThePast,
        'path' => '/',
        'domain' => '',
        'secure' => is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ];
    setcookie($cfg['cookie_name'], '', $attrs);
}
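/**
 * Return the verified claims carried by this request's SSO cookie, or false
 * when the cookie is absent, not a plain string, or fails verify_token().
 *
 * @return array|false
 */
function current_user() {
    global $cfg;
    $raw = $_COOKIE[$cfg['cookie_name']] ?? null;
    // PHP parses a cookie sent with array syntax (name[]=...) into an array;
    // verify_token() requires a string, so treat anything else as "no cookie"
    // instead of letting a TypeError surface.
    if (!is_string($raw)) {
        return false;
    }
    return verify_token($raw);
}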