madgerm/Space-Theme
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bfa3d4dda26fd4860181cead8f85f7d666c5e0c
Space-Theme/server/src/Module/Auth/Controller/AuthController.php
madgerm 6bfa3d4dda chore: sync
2026-02-09 00:05:29 +01:00

543 lines
18 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Module\Auth\Controller;
use App\Config\ConfigLoader;
use App\Config\AppConfig;
use App\Module\Email\EmailSenderInterface;
use App\Module\PlanetGenerator\Service\PlanetGenerator;
use App\Shared\Http\JsonResponder;
use PDO;
use PDOException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Slim\Psr7\Response;
final class AuthController
{
private const PASSWORD_MIN_LENGTH = 8;
private const TITLE_MIN_LENGTH = 2;
private const TITLE_MAX_LENGTH = 40;
private const USERNAME_MIN_LENGTH = 3;
private const USERNAME_MAX_LENGTH = 20;
public function __construct(
private PDO $pdo,
private ConfigLoader $configLoader,
private PlanetGenerator $planetGenerator,
private EmailSenderInterface $emailSender,
private AppConfig $appConfig
) {
}
public function login(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$body = $this->parseBody($request);
$identifier = trim((string)($body['username_or_email'] ?? ''));
$password = (string)($body['password'] ?? '');
if ($identifier === '' || $password === '') {
return JsonResponder::withJson($response, [
'error' => 'invalid_input',
'message' => 'Username/E-Mail und Passwort sind Pflichtfelder.',
], 400);
}
$user = $this->findUserByIdentifier($identifier);
if (!$user || !password_verify($password, (string)($user['password_hash'] ?? ''))) {
return JsonResponder::withJson(new Response(), [
'error' => 'invalid_credentials',
'message' => 'Login fehlgeschlagen.',
], 401);
}
$this->loginUser((int)$user['id']);
return JsonResponder::withJson($response, [
'user' => $this->buildUserSummary($user),
]);
}
public function logout(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$this->startSession();
$_SESSION = [];
if (ini_get('session.use_cookies')) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
session_destroy();
return JsonResponder::withJson($response, ['ok' => true]);
}
public function me(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$user = $request->getAttribute('user');
if (!is_array($user) || !isset($user['id'])) {
return JsonResponder::withJson(new Response(), [
'error' => 'auth_required',
'message' => 'Authentifizierung erforderlich.',
], 401);
}
return JsonResponder::withJson($response, [
'user' => $this->buildUserSummary($user),
]);
}
public function registerStep1(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$body = $this->parseBody($request);
$raceKey = trim((string)($body['race_key'] ?? ''));
$races = $this->configLoader->races();
$raceConfig = $races['races'][$raceKey] ?? null;
if ($raceKey === '' || !is_array($raceConfig)) {
return JsonResponder::withJson($response, [
'error' => 'invalid_race',
'message' => 'Ungültige Rasse.',
], 422);
}
$draft = $this->getDraft();
$draft['race_key'] = $raceKey;
$this->saveDraft($draft);
return JsonResponder::withJson($response, [
'draft' => $this->sanitizeDraft($draft),
]);
}
public function registerStep2(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$draft = $this->getDraft();
if (empty($draft['race_key'])) {
return JsonResponder::withJson($response, [
'error' => 'draft_missing',
'message' => 'Bitte zuerst eine Rasse wählen.',
], 409);
}
$body = $this->parseBody($request);
$avatarKey = trim((string)($body['avatar_key'] ?? ''));
$title = $this->sanitizeTitle((string)($body['title'] ?? ''));
if ($avatarKey === '' || !$this->avatarExists($avatarKey)) {
return JsonResponder::withJson($response, [
'error' => 'invalid_avatar',
'message' => 'Ungültiger Avatar.',
], 422);
}
if (!$this->isValidTitle($title)) {
return JsonResponder::withJson($response, [
'error' => 'invalid_title',
'message' => 'Titel muss zwischen 2 und 40 Zeichen lang sein.',
], 422);
}
$draft['avatar_key'] = $avatarKey;
$draft['title'] = $title;
$this->saveDraft($draft);
return JsonResponder::withJson($response, [
'draft' => $this->sanitizeDraft($draft),
]);
}
public function registerStep3(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$draft = $this->getDraft();
if (empty($draft['race_key']) || empty($draft['avatar_key']) || empty($draft['title'])) {
return JsonResponder::withJson($response, [
'error' => 'draft_incomplete',
'message' => 'Bitte Registrierungsschritte 1 und 2 abschließen.',
], 409);
}
$body = $this->parseBody($request);
$username = trim((string)($body['username'] ?? ''));
$email = trim((string)($body['email'] ?? ''));
$password = (string)($body['password'] ?? '');
if (!$this->isValidUsername($username)) {
return JsonResponder::withJson($response, [
'error' => 'invalid_username',
'message' => 'Username muss zwischen 3 und 20 Zeichen lang sein.',
], 422);
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
return JsonResponder::withJson($response, [
'error' => 'invalid_email',
'message' => 'Ungültige E-Mail-Adresse.',
], 422);
}
if ($this->length($password) < self::PASSWORD_MIN_LENGTH) {
return JsonResponder::withJson($response, [
'error' => 'invalid_password',
'message' => 'Passwort zu kurz (mindestens 8 Zeichen).',
], 422);
}
$existing = $this->findUserByUsernameOrEmail($username, $email);
if ($existing['username'] ?? false) {
return JsonResponder::withJson($response, [
'error' => 'username_taken',
'message' => 'Username bereits vergeben.',
], 409);
}
if ($existing['email'] ?? false) {
return JsonResponder::withJson($response, [
'error' => 'email_taken',
'message' => 'E-Mail bereits registriert.',
], 409);
}
$token = bin2hex(random_bytes(16));
$isDev = $this->appConfig->isDevEntwicklung();
try {
$this->pdo->beginTransaction();
$stmt = $this->pdo->prepare(
'INSERT INTO users (username, email, password_hash, race_key, title, avatar_key, activation_token, is_active)
VALUES (:username, :email, :password_hash, :race_key, :title, :avatar_key, :activation_token, :is_active)
RETURNING *'
);
$stmt->execute([
'username' => $username,
'email' => $this->lower($email),
'password_hash' => password_hash($password, PASSWORD_DEFAULT),
'race_key' => $draft['race_key'],
'title' => $draft['title'],
'avatar_key' => $draft['avatar_key'],
'activation_token' => $token,
'is_active' => $isDev,
]);
$user = $stmt->fetch();
$userId = (int)($user['id'] ?? 0);
if ($userId <= 0) {
throw new \RuntimeException('User-ID fehlt.');
}
$this->assignRole($userId, 'player');
$this->createStarterPlanet($userId);
$this->pdo->commit();
} catch (PDOException $e) {
$this->pdo->rollBack();
if ($e->getCode() === '23505') {
return JsonResponder::withJson($response, [
'error' => 'duplicate',
'message' => 'Username oder E-Mail bereits registriert.',
], 409);
}
return JsonResponder::withJson($response, [
'error' => 'registration_failed',
'message' => 'Registrierung fehlgeschlagen.',
], 500);
} catch (\Throwable $e) {
$this->pdo->rollBack();
return JsonResponder::withJson($response, [
'error' => 'registration_failed',
'message' => 'Registrierung fehlgeschlagen.',
], 500);
}
$this->clearDraft();
if (!$isDev) {
$this->sendConfirmationEmail($email, $token);
return JsonResponder::withJson($response, [
'status' => 'pending',
'message' => 'Bestätige deine E-Mail-Adresse via Link.',
], 201);
}
$this->loginUser((int)$user['id']);
return JsonResponder::withJson($response, [
'user' => $this->buildUserSummary($user),
'status' => 'active',
], 201);
}
public function confirmRegistration(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$body = $this->parseBody($request);
$token = trim((string)($body['token'] ?? ''));
if ($token === '') {
return JsonResponder::withJson($response, [
'error' => 'invalid_token',
'message' => 'Token fehlt.',
], 400);
}
$stmt = $this->pdo->prepare('SELECT * FROM users WHERE activation_token = :token LIMIT 1');
$stmt->execute(['token' => $token]);
$user = $stmt->fetch();
if (!$user) {
return JsonResponder::withJson($response, [
'error' => 'invalid_token',
'message' => 'Ungültiges Token.',
], 404);
}
if ((bool)($user['is_active'] ?? false)) {
return JsonResponder::withJson($response, [
'error' => 'already_active',
'message' => 'Account bereits aktiviert.',
], 409);
}
$stmt = $this->pdo->prepare(
'UPDATE users SET is_active = TRUE, email_verified_at = :verified, activation_token = NULL WHERE id = :id'
);
$stmt->execute([
'verified' => (new \DateTimeImmutable('now'))->format('Y-m-d H:i:s'),
'id' => (int)$user['id'],
]);
$this->loginUser((int)$user['id']);
return JsonResponder::withJson($response, [
'user' => $this->buildUserSummary($user),
]);
}
private function sendConfirmationEmail(string $to, string $token): void
{
$url = $this->appConfig->getAppUrl();
$link = rtrim($url, '/') . '/auth/register/confirm?token=' . urlencode($token);
$body = "Bitte bestätige deinen Account:\n" . $link;
$this->emailSender->sendEmail($to, 'E-Mail-Adresse bestätigen', $body);
}
/**
* @return array<string,mixed>
*/
private function parseBody(ServerRequestInterface $request): array
{
$body = $request->getParsedBody();
if (!is_array($body)) {
return [];
}
return $body;
}
/**
* @param array<string,mixed> $draft
* @return array<string,mixed>
*/
private function sanitizeDraft(array $draft): array
{
return [
'race_key' => $draft['race_key'] ?? null,
'avatar_key' => $draft['avatar_key'] ?? null,
'title' => $draft['title'] ?? null,
];
}
private function findUserByIdentifier(string $identifier): ?array
{
$stmt = $this->pdo->prepare('SELECT * FROM users WHERE username = :id OR LOWER(email) = :email');
$stmt->execute([
'id' => $identifier,
'email' => $this->lower($identifier),
]);
$user = $stmt->fetch();
return $user ?: null;
}
/**
* @return array{username:bool,email:bool}
*/
private function findUserByUsernameOrEmail(string $username, string $email): array
{
$stmt = $this->pdo->prepare('SELECT username, email FROM users WHERE username = :username OR email = :email');
$stmt->execute([
'username' => $username,
'email' => $this->lower($email),
]);
$rows = $stmt->fetchAll();
$result = ['username' => false, 'email' => false];
foreach ($rows as $row) {
if (isset($row['username']) && $row['username'] === $username) {
$result['username'] = true;
}
if (isset($row['email']) && $this->lower((string)$row['email']) === $this->lower($email)) {
$result['email'] = true;
}
}
return $result;
}
/**
* @param array<string,mixed> $user
* @return array<string,mixed>
*/
private function buildUserSummary(array $user): array
{
return [
'id' => (int)($user['id'] ?? 0),
'username' => (string)($user['username'] ?? ''),
'email' => (string)($user['email'] ?? ''),
'race_key' => (string)($user['race_key'] ?? ''),
'title' => (string)($user['title'] ?? ''),
'avatar_key' => (string)($user['avatar_key'] ?? ''),
];
}
private function avatarExists(string $avatarKey): bool
{
$config = $this->configLoader->avatars();
$avatars = $config['avatars'] ?? [];
foreach ($avatars as $avatar) {
if (is_array($avatar) && ($avatar['key'] ?? null) === $avatarKey) {
return true;
}
}
return false;
}
private function isValidTitle(string $title): bool
{
$len = $this->length($title);
return $len >= self::TITLE_MIN_LENGTH && $len <= self::TITLE_MAX_LENGTH;
}
private function sanitizeTitle(string $title): string
{
$clean = trim(strip_tags($title));
$clean = preg_replace('/\s+/', ' ', $clean) ?? '';
return $clean;
}
private function isValidUsername(string $username): bool
{
$len = $this->length($username);
if ($len < self::USERNAME_MIN_LENGTH || $len > self::USERNAME_MAX_LENGTH) {
return false;
}
return (bool)preg_match('/^[A-Za-z0-9_\-]+$/', $username);
}
private function length(string $value): int
{
if (function_exists('mb_strlen')) {
return mb_strlen($value);
}
return strlen($value);
}
private function lower(string $value): string
{
if (function_exists('mb_strtolower')) {
return mb_strtolower($value);
}
return strtolower($value);
}
private function startSession(): void
{
if (session_status() === PHP_SESSION_ACTIVE) {
return;
}
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_start([
'cookie_httponly' => true,
'cookie_samesite' => 'Lax',
'cookie_secure' => $secure,
'cookie_path' => '/',
]);
}
private function loginUser(int $userId): void
{
$this->startSession();
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
}
/**
* @return array<string,mixed>
*/
private function getDraft(): array
{
$this->startSession();
$draft = $_SESSION['reg_draft'] ?? [];
return is_array($draft) ? $draft : [];
}
/**
* @param array<string,mixed> $draft
*/
private function saveDraft(array $draft): void
{
$this->startSession();
$_SESSION['reg_draft'] = $draft;
}
private function clearDraft(): void
{
$this->startSession();
unset($_SESSION['reg_draft']);
}
private function assignRole(int $userId, string $roleKey): void
{
$stmt = $this->pdo->prepare(
'INSERT INTO user_roles (user_id, role_id)
SELECT :user_id, r.id FROM roles r WHERE r.key = :role_key
ON CONFLICT DO NOTHING'
);
$stmt->execute([
'user_id' => $userId,
'role_key' => $roleKey,
]);
}
private function createStarterPlanet(int $userId): void
{
$config = $this->configLoader->planetClasses();
$resources = [];
foreach (($config['resources'] ?? []) as $res) {
$resources[$res] = 500.0;
}
$seed = random_int(10, 999999);
$generated = $this->planetGenerator->generate('temperate', 'normal', $seed);
$stmt = $this->pdo->prepare(
'INSERT INTO planets (user_id, name, class_key, planet_seed, temperature_c, modifiers, resources, last_resource_update_at)
VALUES (:user_id, :name, :class_key, :planet_seed, :temperature_c, :modifiers, :resources, :last_update)
RETURNING id'
);
$stmt->execute([
'user_id' => $userId,
'name' => 'Heimatwelt',
'class_key' => $generated['class_key'],
'planet_seed' => $seed,
'temperature_c' => (int)$generated['temperature_c'],
'modifiers' => json_encode($generated['modifiers'], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES),
'resources' => json_encode($resources, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES),
'last_update' => (new \DateTimeImmutable('now'))->format('Y-m-d H:i:s'),
]);
$planetId = (int)$stmt->fetchColumn();
$stmt = $this->pdo->prepare(
'INSERT INTO planet_buildings (planet_id, building_key, count, level)
VALUES (:planet_id, :building_key, :count, 0)
ON CONFLICT (planet_id, building_key) DO NOTHING'
);
$stmt->execute([
'planet_id' => $planetId,
'building_key' => 'build_center',
'count' => 1,
]);
}
}
Reference in New Issue View Git Blame Copy Permalink