Add simple login system.
authorSam White <webmaster@ycra.org.uk>
Sun, 24 Oct 2021 15:32:38 +0000 (15:32 +0000)
committerSam White <webmaster@ycra.org.uk>
Sun, 24 Oct 2021 15:44:54 +0000 (15:44 +0000)
public_html/includes/database.php
public_html/includes/fields.php
public_html/login.php [new file with mode: 0644]

index 4aa870fb3970716b4e0876d30ef76fb4567a14c3..e3a63d6b5c93d267f4e5f9012761857947c761a8 100644 (file)
@@ -56,3 +56,9 @@ function insert_array($table, $fields) {
        . 'VALUES (' . implode(',', $values) . ')';
   return run_sql($sql);
 }
+
+function fetch_record($table, $select, $where) {
+  $sql = "SELECT $select FROM $table WHERE $where";
+  $result = run_sql($sql);
+  return mysqli_fetch_assoc($result);
+}
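Review bot: `fetch_record` interpolates `$select`, `$table` and `$where` verbatim into the statement, so injection safety rests entirely on every caller escaping `$where` first; in login.php that is delegated to `simple_where()`, which is not part of this diff and cannot be checked here. A header comment should make that contract explicit: `// $select/$table/$where are inserted verbatim into the SQL — pass only trusted or already-escaped fragments (e.g. from simple_where()), never raw request data.` If `run_sql()` can return `false` on a failed query (its behaviour is not shown), `mysqli_fetch_assoc(false)` is a TypeError on PHP 8, so a guard such as `if ($result === false) return null;` would keep the null/array return callers like `validate_login` rely on.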
index 2419528e6456c51ec456ec6bb363a8e22b354e2c..fe851683907b29a894cd8f604c5862f5985d5f05 100644 (file)
@@ -43,6 +43,10 @@ function email_field($values, $name, $label, $attrs=[]) {
   general_field('email', $values, $name, $label, $attrs);
 }
 
+function password_field($values, $name, $label, $attrs=[]) {
+  general_field('password', $values, $name, $label, $attrs);
+}
+
 function hidden_field($name, $value) {
   general_bare_field('hidden', [$name=>$value], $name);
 }
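Review bot: `password_field` forwards `$values` to `general_field` (outside this diff), which presumably renders `$values[$name]` as the input's value; for a password input that means any caller that copies the submitted password back into `$values` would echo it into the HTML response. login.php avoids this only by convention, carrying just `email_address` over into `$params`. Consider having the helper drop the value for this field type, e.g. `general_field('password', array_diff_key($values, [$name => 0]), $name, $label, $attrs);`, with a `// never re-emit a previously submitted password` comment so the guarantee lives in one place.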
diff --git a/public_html/login.php b/public_html/login.php
new file mode 100644 (file)
index 0000000..022ddeb
--- /dev/null
@@ -0,0 +1,58 @@
+<?php
+require_once('includes/utils.php');
+require_once('includes/html-templating.php');
+require_once('includes/fields.php');
+require_once('includes/form-validation.php');
+require_once('includes/database.php');
+
+function validate_login(&$errors, $data) {
+  require_fields($errors, $data, ['email_address', 'password']);
+  if (!empty($errors)) return false;
+
+  $record = fetch_record('users', 'id,password',
+                         simple_where('email_address', $data['email_address']));
+
+  // Still compare against a dummy hash when user not found to try and mitigate
+  // against simple timing attacks for existance of users.
+  $hash = password_hash('TestPassword', PASSWORD_DEFAULT);
+  if (!empty($record)) $hash = $record['password'];
+
+  $verified = password_verify($data['password'], $hash);
+
+  if (empty($record) || !$verified) $errors[] = 'Invalid email/password.';
+
+  return empty($errors) ? $record['id'] : false;
+}
+
+function page_title() {
+  return 'Login';
+}
+
+function additional_stylesheets() {
+  stylesheet('fields');
+}
+
+function content() {
+  $params = $errors = [];
+  if (array_key_exists('login', $_POST)) {
+    $uid = validate_login($errors, $_POST);
+    if ($uid) {
+      esc('Login successful!.');
+      die();
+    }
+    $params['email_address'] = $_POST['email_address'];
+  }?>
+
+  <h1>Login</h1>
+
+  <?php show_error_list($errors);?>
+
+  <form method="post" action=""><?php
+    email_field($params, 'email_address', 'Email address', ['required'=>'']);
+    password_field($params, 'password', 'Password', ['required'=>'']);?>
+    <input type="submit" name="login" value="Login" />
+  </form><?php
+}
+
+require_once('includes/template.php');
+?>
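Review bot: The timing mitigation in `validate_login` works against itself: `password_hash('TestPassword', PASSWORD_DEFAULT)` runs on every request, so the unknown-user path costs a full hash plus a verify while the known-user path costs only a verify, which is a larger and more stable signal than the one the comment is trying to hide. Use a hash computed once and stored as a constant with the same algorithm and cost as the stored hashes, so both paths do exactly one `password_verify()`: `$hash = DUMMY_PASSWORD_HASH; // precomputed once with password_hash(); keep in step with the stored hashes' algorithm/cost`, followed by the existing `if (!empty($record)) $hash = $record['password'];`. Separately, the success branch in `content()` only prints a message and `die()`s — no `session_start()`/`session_regenerate_id(true)` and no stored user id — so nothing else on the site can yet tell the user is authenticated; presumably a follow-up, but a `// TODO: establish authenticated session` marker would make that explicit. The form also carries no CSRF token and failed attempts are not throttled, and a `password_needs_rehash()` check after a successful verify would let stored hashes be upgraded over time.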