From a854a1862a30632e49520f6e1e11333d5c8ff241 Mon Sep 17 00:00:00 2001
From: Daniel Weipert <git@mail.dweipert.de>
Date: Wed, 27 Nov 2024 14:36:20 +0100
Subject: next commit

---
 Game/Lobby/Server/index.php | 56 +++++++++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 20 deletions(-)

(limited to 'Game/Lobby/Server/index.php')

diff --git a/Game/Lobby/Server/index.php b/Game/Lobby/Server/index.php
index 16be3ef..ae734a6 100644
--- a/Game/Lobby/Server/index.php
+++ b/Game/Lobby/Server/index.php
@@ -2,9 +2,11 @@
 
 /*
  * Routes:
- * /host      ?host&port=$port&name=$name
- * /get-list  ?get-list
- * /join      ?join=$id
+ * /host       ?port=$port&name=$name
+ * /get-list   ?
+ * /join       ?id=$id
+ * /close      ?id=$id
+ * /keep-alive ?id=$id
  */
 
 $dbname = $_ENV['DB_NAME'] ?? 'db';
@@ -24,7 +26,8 @@ if (php_sapi_name() == 'cli') {
         port integer,
         creation_time integer,
         ping_time integer,
-        name text
+        name text,
+        secret text
       );
       SQL)
       ->execute();
@@ -33,14 +36,19 @@ if (php_sapi_name() == 'cli') {
   return;
 }
 
-$inputPost = json_decode(file_get_contents('php://input'), true);
-if ($inputPost) {
-  $_POST = $inputPost + $_POST;
+$url = parse_url("$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]");
+$method = $_SERVER['REQUEST_METHOD'];
+
+if ($method == 'POST') {
+  $inputPost = json_decode(file_get_contents('php://input'), true);
+  if ($inputPost) {
+    $_POST = $inputPost + $_POST;
+  }
 }
 
 $response = [];
 
-if (isset($_POST['host'])) {
+if ($method == 'POST' && $url['path'] == '/host') {
   $ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);
 
   if ($ip === false) {
@@ -54,9 +62,10 @@ if (isset($_POST['host'])) {
     $port = intval($_POST['port']);
     $name = $_POST['name'];
     $id = md5($name . time());
+    $secret = md5($id . random_bytes($port));
 
     $success = $db->prepare(<<<SQL
-      insert or replace into games (id, ip, port, creation_time, ping_time, name) values (:id, :ip, :port, :timestamp, :timestamp, :name)
+      insert or replace into games (id, ip, port, creation_time, ping_time, name, secret) values (:id, :ip, :port, :timestamp, :timestamp, :name, :secret)
       SQL)
       ->execute([
         'id' => $id,
@@ -64,13 +73,16 @@ if (isset($_POST['host'])) {
         'port' => $port,
         'timestamp' => time(),
         'name' => $name,
+        'secret' => $secret,
       ]);
 
-
     if ($success) {
       $response = [
         'success' => $success,
-        'data' => $id,
+        'data' => [
+          'id' => $id,
+          'secret' => $secret,
+        ],
       ];
     } else {
       $response = [
@@ -81,7 +93,7 @@ if (isset($_POST['host'])) {
   }
 }
 
-else if (isset($_GET['get-list'])) {
+else if ($method == 'GET' && $url['path'] == '/get-list') {
   $statement = $db->prepare(<<<SQL
     select id, name from games
     where ping_time > :comparison_time
@@ -105,8 +117,8 @@ else if (isset($_GET['get-list'])) {
   ];
 }
 
-else if (isset($_GET['join'])) {
-  $id = $_GET['join'];
+else if ($method == 'GET' && $url['path'] == '/join') {
+  $id = $_GET['id'];
 
   $statement = $db->prepare(<<<SQL
     select ip, port from games
@@ -136,14 +148,16 @@ else if (isset($_GET['join'])) {
   }
 }
 
-else if (isset($_POST['close'])) {
-  $id = $_POST['close'];
+else if ($method == 'POST' && $url['path'] == '/close') {
+  $id = $_POST['id'];
+  $secret = $_POST['secret'];
 
   $success = $db->prepare(<<<SQL
-    delete from games where id = :id
+    delete from games where id = :id and secret = :secret
     SQL)
     ->execute([
       'id' => $id,
+      'secret' => $secret,
     ]);
 
   $response = [
@@ -151,14 +165,16 @@ else if (isset($_POST['close'])) {
   ];
 }
 
-else if (isset($_POST['keep-alive'])) {
-  $id = $_POST['keep-alive'];
+else if ($method == 'POST' && $url['path'] == '/keep-alive') {
+  $id = $_POST['id'];
+  $secret = $_POST['secret'];
 
   $success = $db->prepare(<<<SQL
-    update games set ping_time = :ping_time where id = :id
+    update games set ping_time = :ping_time where id = :id and secret = :secret
     SQL)
     ->execute([
       'id' => $id,
+      'secret' => $secret,
       'ping_time' => time(),
     ]);
 
-- 
cgit v1.2.3