auth/api/login.php

<?php

require __DIR__ . "/../util.php";
require __DIR__ . "/../db.php";
require __DIR__ . "/../logger.php";
require __DIR__ . "/../rate_limit.php";

session_start();

$data = array_merge($_POST, auth_read_json());
$login = trim((string) ($data["login"] ?? ""));
$password = (string) ($data["password"] ?? "");
$siteKey = auth_get_site_key($data);
$clientIp = auth_get_client_ip();

if (!auth_is_valid_login($login) || !auth_is_valid_password($password) || !auth_is_valid_site_key($siteKey)) {
    auth_log_event([
        "ip" => $clientIp,
        "login" => $login,
        "siteKey" => $siteKey,
        "status" => "invalid_payload",
    ]);
    auth_json_response(400, ["ok" => false, "message" => "Неверные данные."]);
}

$rate = auth_check_rate_limit($clientIp);
if ($rate["limited"]) {
    auth_log_event([
        "ip" => $clientIp,
        "login" => $login,
        "siteKey" => $siteKey,
        "status" => "rate_limited",
    ]);
    header("Retry-After: " . (string) $rate["retry_after"]);
    auth_json_response(429, ["ok" => false, "message" => "Слишком много попыток. Попробуйте позже."]);
}

$db = auth_get_db();
$stmt = $db->prepare("SELECT id, password_hash FROM users WHERE login = ? LIMIT 1");
$stmt->bind_param("s", $login);
$stmt->execute();
$result = $stmt->get_result();
$row = $result ? $result->fetch_assoc() : null;
$stmt->close();

$hash = $row["password_hash"] ?? password_hash("invalid_password", PASSWORD_BCRYPT);
$passwordOk = password_verify($password, $hash);

if (!$row || !$passwordOk) {
    auth_log_event([
        "ip" => $clientIp,
        "login" => $login,
        "siteKey" => $siteKey,
        "status" => "invalid_credentials",
    ]);
    auth_json_response(401, ["ok" => false, "message" => "Неверный логин или пароль."]);
}

$stmt = $db->prepare("SELECT 1 FROM user_access WHERE user_id = ? AND site_key = ? LIMIT 1");
$stmt->bind_param("is", $row["id"], $siteKey);
$stmt->execute();
$accessResult = $stmt->get_result();
$hasAccess = $accessResult && $accessResult->num_rows > 0;
$stmt->close();

if (!$hasAccess) {
    auth_log_event([
        "ip" => $clientIp,
        "login" => $login,
        "siteKey" => $siteKey,
        "status" => "access_denied",
    ]);
    auth_json_response(403, ["ok" => false, "message" => "Нет доступа к этому сайту."]);
}

$_SESSION["auth_user_id"] = (int) $row["id"];
$_SESSION["auth_login"] = $login;
$_SESSION["auth_time"] = time();

auth_log_event([
    "ip" => $clientIp,
    "login" => $login,
    "siteKey" => $siteKey,
    "status" => "success",
]);

auth_json_response(200, ["ok" => true]);
init 2026-01-19 05:35:37 +03:00			`<?php`

			`require __DIR__ . "/../util.php";`
			`require __DIR__ . "/../db.php";`
			`require __DIR__ . "/../logger.php";`
			`require __DIR__ . "/../rate_limit.php";`

			`session_start();`

			`$data = array_merge($_POST, auth_read_json());`
			`$login = trim((string) ($data["login"] ?? ""));`
			`$password = (string) ($data["password"] ?? "");`
			`$siteKey = auth_get_site_key($data);`
			`$clientIp = auth_get_client_ip();`

			`if (!auth_is_valid_login($login) \|\| !auth_is_valid_password($password) \|\| !auth_is_valid_site_key($siteKey)) {`
			`auth_log_event([`
			`"ip" => $clientIp,`
			`"login" => $login,`
			`"siteKey" => $siteKey,`
			`"status" => "invalid_payload",`
			`]);`
			`auth_json_response(400, ["ok" => false, "message" => "Неверные данные."]);`
			`}`

			`$rate = auth_check_rate_limit($clientIp);`
			`if ($rate["limited"]) {`
			`auth_log_event([`
			`"ip" => $clientIp,`
			`"login" => $login,`
			`"siteKey" => $siteKey,`
			`"status" => "rate_limited",`
			`]);`
			`header("Retry-After: " . (string) $rate["retry_after"]);`
			`auth_json_response(429, ["ok" => false, "message" => "Слишком много попыток. Попробуйте позже."]);`
			`}`

			`$db = auth_get_db();`
			`$stmt = $db->prepare("SELECT id, password_hash FROM users WHERE login = ? LIMIT 1");`
			`$stmt->bind_param("s", $login);`
			`$stmt->execute();`
			`$result = $stmt->get_result();`
			`$row = $result ? $result->fetch_assoc() : null;`
			`$stmt->close();`

			`$hash = $row["password_hash"] ?? password_hash("invalid_password", PASSWORD_BCRYPT);`
			`$passwordOk = password_verify($password, $hash);`

			`if (!$row \|\| !$passwordOk) {`
			`auth_log_event([`
			`"ip" => $clientIp,`
			`"login" => $login,`
			`"siteKey" => $siteKey,`
			`"status" => "invalid_credentials",`
			`]);`
			`auth_json_response(401, ["ok" => false, "message" => "Неверный логин или пароль."]);`
			`}`

			`$stmt = $db->prepare("SELECT 1 FROM user_access WHERE user_id = ? AND site_key = ? LIMIT 1");`
			`$stmt->bind_param("is", $row["id"], $siteKey);`
			`$stmt->execute();`
			`$accessResult = $stmt->get_result();`
			`$hasAccess = $accessResult && $accessResult->num_rows > 0;`
			`$stmt->close();`

			`if (!$hasAccess) {`
			`auth_log_event([`
			`"ip" => $clientIp,`
			`"login" => $login,`
			`"siteKey" => $siteKey,`
			`"status" => "access_denied",`
			`]);`
			`auth_json_response(403, ["ok" => false, "message" => "Нет доступа к этому сайту."]);`
			`}`

			`$_SESSION["auth_user_id"] = (int) $row["id"];`
			`$_SESSION["auth_login"] = $login;`
			`$_SESSION["auth_time"] = time();`

			`auth_log_event([`
			`"ip" => $clientIp,`
			`"login" => $login,`
			`"siteKey" => $siteKey,`
			`"status" => "success",`
			`]);`

			`auth_json_response(200, ["ok" => true]);`