text0Nly/main/api.php
2025-06-16 03:13:53 +03:00

115 lines
3.9 KiB
PHP

<?php
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Content-Security-Policy: default-src \'self\'');
session_start();
require_once 'RateLimiter.php';
$limiter = new RateLimiter();
if (!$limiter->isAllowed($_SERVER['REMOTE_ADDR'])) {
http_response_code(429);
die(json_encode(['error' => 'Too many requests']));
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!isset($_SESSION['csrf_token']) || !isset($_SERVER['HTTP_X_CSRF_TOKEN']) ||
$_SESSION['csrf_token'] !== $_SERVER['HTTP_X_CSRF_TOKEN']) {
http_response_code(403);
die(json_encode(['error' => 'Invalid CSRF token']));
}
}
$config = require 'config.php';
$db = new PDO(
"mysql:host={$config['db']['host']};dbname={$config['db']['name']}",
$config['db']['user'],
$config['db']['pass']
);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$limit = isset($_GET['limit']) ? (int)$_GET['limit'] : 50;
$limit = min(max(1, $limit), 100);
try {
$stmt = $db->prepare("SELECT username, message, created_at, signature, is_encrypted FROM messages ORDER BY created_at DESC LIMIT ?");
$stmt->execute([$limit]);
$messages = $stmt->fetchAll(PDO::FETCH_ASSOC);
$filtered_messages = array_map(function($msg) {
return [
'username' => htmlspecialchars($msg['username']),
'message' => $msg['is_encrypted'] ? '[Encrypted]' : htmlspecialchars($msg['message']),
'created_at' => $msg['created_at'],
'signature' => $msg['signature'] ? '[Signed]' : '',
'is_encrypted' => (bool)$msg['is_encrypted']
];
}, $messages);
echo json_encode(['messages' => $filtered_messages]);
} catch (Exception $e) {
error_log("API Error: " . $e->getMessage());
http_response_code(500);
echo json_encode(['error' => 'Server error']);
}
exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
http_response_code(405);
die(json_encode(['error' => 'Method not allowed']));
}
$ip = $_SERVER['REMOTE_ADDR'];
$stmt = $db->prepare("SELECT COUNT(*) FROM messages WHERE username = ? AND created_at > DATE_SUB(NOW(), INTERVAL 1 MINUTE)");
$stmt->execute([$ip]);
if ($stmt->fetchColumn() > 10) {
http_response_code(429);
die(json_encode(['error' => 'Too many requests']));
}
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
http_response_code(400);
die(json_encode(['error' => 'Invalid JSON']));
}
$username = filter_var($input['username'] ?? '', FILTER_SANITIZE_STRING);
$message = $input['message'] ?? '';
$signature = $input['signature'] ?? '';
$is_encrypted = !empty($input['encrypted']) ? 1 : 0;
if (!$username || !$message || strlen($username) > 50 || strlen($message) > 10000) {
http_response_code(400);
die(json_encode(['error' => 'Invalid input']));
}
try {
$stmt = $db->prepare('SELECT is_blocked FROM users WHERE username = ?');
$stmt->execute([$username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user && $user['is_blocked']) {
http_response_code(403);
die(json_encode(['error' => 'Account is blocked']));
}
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->execute([$username]);
if ($stmt->fetch()) {
http_response_code(400);
die(json_encode(['error' => 'Username already registered']));
}
$stmt = $db->prepare('INSERT INTO messages (username, message, signature, is_encrypted) VALUES (?, ?, ?, ?)');
$stmt->execute([$username, $message, $signature, $is_encrypted]);
echo json_encode(['success' => true]);
} catch (Exception $e) {
error_log("API Error: " . $e->getMessage());
http_response_code(500);
echo json_encode(['error' => 'Server error']);
}