From 6a10ff81f6b315cc9996ed4688e03469058539c2 Mon Sep 17 00:00:00 2001 From: trinkey Date: Sat, 22 Mar 2025 08:32:13 -0400 Subject: [PATCH] logging in works now --- index.php | 3 +++ login.php | 49 ++++++++++++++++++++++++++++++++++--------------- signup.php | 11 +++-------- 3 files changed, 40 insertions(+), 23 deletions(-) diff --git a/index.php b/index.php index 039f5fe..134362e 100644 --- a/index.php +++ b/index.php @@ -1,6 +1,9 @@ Log In diff --git a/login.php b/login.php index 4182595..fd3ccaa 100644 --- a/login.php +++ b/login.php @@ -1,28 +1,47 @@ $u) - ); + if (!($u && $p)) { + $err = "Bad request, missing username or password parameter"; + } else if (strlen($u) > 64 || strlen($u) === 0) { + $err = "Username must be 1-64 chars"; + } else if (!preg_match("/^[a-z0-9_-]{1,64}$/", $u)) { + $err = "Username can only include a-z, 0-9, _, and -"; + } else { + $query = "SELECT password_hash FROM users WHERE username='$u' LIMIT 1;"; - if (sizeof($response) === 0) { + $response = pg_query($db, $query); + + if (pg_num_rows($response) === 0) { $err = "User '" . htmlspecialchars($u) . "' not found"; } else { - echo json_encode($response); + $user = pg_fetch_array($response); + if (password_verify($p, $user["password_hash"])) { + setcookie( + "token", + $token, + time() + 60 * 60 * 24 * 30 * 265 // 1 year from now + ); + header("Location: index.php"); + exit(); + } else { + $err = "Incorrect password"; + } } - } else { - $err = "Bad request, missing username or password parameter"; } - } else { - $u = ""; - $p = ""; } $title = "Log In"; diff --git a/signup.php b/signup.php index 50745db..1e0b0a4 100644 --- a/signup.php +++ b/signup.php @@ -78,7 +78,7 @@ } } - $title = "Log In"; + $title = "Sign Up"; include "boilerplate/head.php"; ?> @@ -86,15 +86,10 @@
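Review bot: The login.php hunk builds the lookup as `"SELECT password_hash FROM users WHERE username='$u' LIMIT 1;"`, so the query is only safe while the `preg_match` branch above it stays in place. Binding the value with `pg_query_params` removes that dependency, and a `false` result should be handled before `pg_num_rows` is called. The `setcookie("token", ...)` call passes no `secure`, `httponly` or `samesite` options, and its lifetime `60 * 60 * 24 * 30 * 265` is roughly 21 years while the comment says one year. No assignment to `$token` is visible in this hunk, and the top of the file is missing from the page, so confirm it holds an unguessable, server-generated value before this branch runs. The separate "User ... not found" and "Incorrect password" messages also reveal which usernames exist, so one generic failure message would be safer; the enclosing `if` starts above the visible lines.

```php
// … unchanged: missing-parameter and username validation branches …
} else {
    // Bind the username instead of interpolating it into the SQL text.
    $response = pg_query_params(
        $db,
        'SELECT password_hash FROM users WHERE username = $1 LIMIT 1',
        [$u]
    );

    if ($response === false) {
        $err = "Login is temporarily unavailable";
    } else if (pg_num_rows($response) === 0) {
        // … unchanged: user-not-found message …
    } else {
        $user = pg_fetch_array($response);
        if (password_verify($p, $user["password_hash"])) {
            setcookie("token", $token, [
                "expires" => time() + 60 * 60 * 24 * 365, // 1 year from now
                "secure" => true,   // assumes the site is served over HTTPS
                "httponly" => true, // keep the token out of reach of page scripts
                "samesite" => "Lax",
            ]);
            // … unchanged: redirect to index.php and exit …
```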
-
+
+

Log in instead?

Sign up instead?

"; - } - include "boilerplate/foot.php"; ?>