First cut of log on page (#9)

- Add session support
- Refactor security handling to use db connection
- Fix db path issue

src/public/assets/style.css

@@ -57,7 +57,10 @@ article {
         padding: .5rem;
     }
 }
-input[type=url], input[type=text] {
+input[type=url],
+input[type=text],
+input[type=email],
+input[type=password] {
     width: 50%;
     font-size: 1rem;
     padding: .25rem;

src/public/feed.php

@@ -7,10 +7,10 @@
 
 include '../start.php';
 
-Security::verifyUser();
+$db = Data::getConnection();
+Security::verifyUser($db);
 
-$feedId = array_key_exists('id', $_GET) ? $_GET['id'] : '';
-$db     = Data::getConnection();
+$feedId = $_GET['id'] ?? '';
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     $isNew = $_POST['id'] == 'new';
@@ -31,7 +31,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 
 if ($feedId == 'new') {
     $title = 'Add RSS Feed';
-    $feed = [ 'id' => $_GET['id'], 'url' => '' ];
+    $feed = [ 'id' => $_GET['id'], 'url' => ''];
 } else {
     $title = 'Edit RSS Feed';
     if ($feedId == 'error') {

src/public/index.php

@@ -7,9 +7,8 @@
 
 include '../start.php';
 
-Security::verifyUser();
-
 $db = Data::getConnection();
+Security::verifyUser($db);
 
 if (array_key_exists('refresh', $_GET)) {
     $refreshResult = Feed::refreshAll($db);

src/public/item.php

@@ -8,9 +8,8 @@
 
 include '../start.php';
 
-Security::verifyUser();
-
 $db = Data::getConnection();
+Security::verifyUser($db);
 
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     // "Keep as New" button sends a POST request to reset the is_read flag before going back to the list of unread items
@@ -20,7 +19,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
          WHERE item.id = :id AND feed.user_id = :user
         SQL);
     $isValidQuery->bindValue(':id',   $_POST['id']);
-    $isValidQuery->bindValue(':user', $_REQUEST[Key::USER_ID]);
+    $isValidQuery->bindValue(':user', $_SESSION[Key::USER_ID]);
     $isValidResult = $isValidQuery->execute();
     if ($isValidResult && $isValidResult->fetchArray(SQLITE3_NUM)[0] == 1) {
         $keepUnread = $db->prepare('UPDATE item SET is_read = 0 WHERE id = :id');
@@ -39,7 +38,7 @@ $query = $db->prepare(<<<'SQL'
        AND feed.user_id = :user
     SQL);
 $query->bindValue(':id',   $_GET['id']);
-$query->bindValue(':user', $_REQUEST[Key::USER_ID]);
+$query->bindValue(':user', $_SESSION[Key::USER_ID]);
 $result = $query->execute();
 $item = $result ? $result->fetchArray(SQLITE3_ASSOC) : false;
 

src/public/user/log-off.php

@@ -0,0 +1,10 @@
+<?php
+/**
+ * User Log Off Page
+ */
+
+include '../../start.php';
+
+if (array_key_exists(Key::USER_ID, $_SESSION)) session_destroy();
+
+frc_redirect('/');

src/public/user/log-on.php

@@ -0,0 +1,39 @@
+<?php
+include '../../start.php';
+
+$db = Data::getConnection();
+Security::verifyUser($db, redirectIfAnonymous: false);
+
+// Users already logged on have no need of this page
+if (array_key_exists(Key::USER_ID, $_SESSION)) frc_redirect('/');
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+    Security::logOnUser($_POST['email'] ?? '', $_POST['password'], $_POST['returnTo'], $db);
+    // If we're still here, something didn't work; preserve the returnTo parameter
+    $_GET['returnTo'] = $_POST['returnTo'];
+}
+
+$isSingle = SECURITY_MODEL == Security::SINGLE_USER_WITH_PASSWORD;
+
+page_head('Log On'); ?>
+<h1>Log On</h1>
+<article>
+    <form method=POST action=/user/log-on hx-post=/user/log-on><?php
+        if (($_GET['returnTo'] ?? '') != '') { ?>
+            <input type=hidden name=returnTo value="<?=$_GET['returnTo']?>"><?php
+        }
+        if (!$isSingle) { ?>
+            <label>
+                E-mail Address
+                <input type=email name=email required autofocus>
+            </label><br><?php
+        } ?>
+        <label>
+            Password
+            <input type=password name=password required<?=$isSingle ? ' autofocus' : ''?>>
+        </label><br>
+        <button type=submit>Log On</button>
+    </form>
+</article><?php
+page_foot();
+$db->close();