Learnhelp/wdiscordbotserver
1
0
Fork 0
mirror of https://gitlab.com/pancakes1234/wdiscordbotserver.git synced 2025-06-16 07:14:21 -06:00
Code Issues Packages Projects Releases Wiki Activity

Edit index.php

Browse Source
This commit is contained in:
ザカリアス・ウィリアム・ポージー 2025-05-29 00:34:32 +09:00
parent 78ff3f3c58
commit 3924c93494
1 changed files with 179 additions and 141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

292
API/index.php
View File

@ -1,21 +1,50 @@
<?php
// Improved Discord Bot Admin API
// Error reporting (disable on production)
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Configure secure session parameters:
session_set_cookie_params([
'httponly' => true,
'secure' => true, // Ensure HTTPS is used in production
'samesite' => 'Strict'
]);
session_start();
// === Login & Authentication ===
// Only proceed if the current session is authenticated.
// If not, show a login form.
if (!isset($_SESSION['logged_in'])) {
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
$user_env = getenv('user'); // environment variable "user"
$pass_env = getenv('pass'); // environment variable "pass"
if ($_POST['username'] === $user_env && $_POST['password'] === $pass_env) {
// --- CSRF Utility Functions ---
function getCsrfToken() {
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
return $_SESSION['csrf_token'];
}
function validateCsrfToken($token) {
return isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token);
}
// --- Login and Authentication ---
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'], $_POST['csrf_token'])) {
if (!validateCsrfToken($_POST['csrf_token'])) {
$error = "Invalid CSRF token.";
} else {
$envUser = getenv('user');
$envPass = getenv('pass');
// Using hash_equals for timing attack prevention
if (hash_equals($_POST['username'], $envUser) && hash_equals($_POST['password'], $envPass)) {
$_SESSION['logged_in'] = true;
header("Location: index.php");
session_regenerate_id(true);
header("Location: " . $_SERVER['PHP_SELF']);
exit;
} else {
$error = "Invalid credentials.";
}
}
}
$loginToken = getCsrfToken();
?>
<!DOCTYPE html>
<html>
@ -64,8 +93,9 @@ if (!isset($_SESSION['logged_in'])) {
<body>
<div class="login-container">
<h2>Login</h2>
<?php if(isset($error)) echo "<p class='error'>{$error}</p>"; ?>
<form method="POST">
<?php if(isset($error)) { echo "<p class='error'>" . htmlspecialchars($error) . "</p>"; } ?>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($loginToken); ?>">
<label>Username</label>
<input type="text" name="username" required>
<label>Password</label>
@ -76,65 +106,76 @@ if (!isset($_SESSION['logged_in'])) {
</body>
</html>
<?php
exit; // Do not execute the rest until logged in.
exit;
}
// === End Authentication ===
// --- Action Handlers ---
$output = "";
// Determine which action to do.
$action = "";
if (isset($_GET['action'])) {
$action = $_GET['action'];
} elseif (isset($_POST['action'])) {
$action = $_POST['action'];
}
$output = ""; // To hold any output from actions
// Handle the different actions.
switch ($action) {
case "version":
// Gets the current commit from /home/server/wdiscordbotserver.
function handleVersionAction() {
$botDir = '/home/server/wdiscordbotserver';
if (is_dir($botDir)) {
$cmd = 'cd ' . escapeshellarg($botDir) . ' && git rev-parse HEAD 2>&1';
$output = shell_exec($cmd);
} else {
$output = "Directory not found.";
return trim(shell_exec($cmd));
}
return "Directory not found.";
}
break;
case "update":
// Removes the folder and clones the repository anew.
function handleUpdateAction() {
// Only allow updates using a POST request with a valid CSRF token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['csrf_token']) || !validateCsrfToken($_POST['csrf_token'])) {
return "Unauthorized update request.";
}
$botDir = '/home/server/wdiscordbotserver';
$result = "";
if (is_dir($botDir)) {
$rmCmd = 'rm -rf ' . escapeshellarg($botDir) . ' 2>&1';
$output .= shell_exec($rmCmd);
$result .= shell_exec($rmCmd);
}
$cloneCmd = 'git clone https://gitlab.com/pancakes1234/wdiscordbotserver.git ' . escapeshellarg($botDir) . ' 2>&1';
$output .= shell_exec($cloneCmd);
break;
$result .= shell_exec($cloneCmd);
return $result;
}
case "data":
// If editing a file, process its content.
if (isset($_GET['file'])) {
$file = $_GET['file'];
function handleDataAction() {
$baseDir = realpath('/home/server');
$file = $_GET['file'] ?? null;
$response = "";
if ($file) {
$realFile = realpath($file);
if ($realFile === false || strpos($realFile, $baseDir) !== 0) {
$output = "Invalid file.";
$response = "Invalid file.";
} else {
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['content'])) {
file_put_contents($realFile, $_POST['content']);
$output = "File updated successfully.";
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['content'], $_POST['csrf_token'])) {
if (!validateCsrfToken($_POST['csrf_token'])) {
$response = "Invalid CSRF token.";
} else {
if (file_put_contents($realFile, $_POST['content']) !== false) {
$response = "File updated successfully.";
} else {
$response = "Failed to update file.";
}
}
}
break;
}
}
return $response;
}
// Other actions (such as terminal) will be handled in the UI below.
// --- Process Request Actions ---
$action = $_GET['action'] ?? ($_POST['action'] ?? "");
switch ($action) {
case "version":
$output = handleVersionAction();
break;
case "update":
$output = handleUpdateAction();
break;
case "data":
$output = handleDataAction();
break;
// Additional action cases (e.g., "terminal") can be handled below.
default:
// No action or unrecognized action.
break;
}
?>
@ -143,7 +184,6 @@ switch ($action) {
<head>
<title>Discord Bot Admin API</title>
<style>
/* General styling */
body {
font-family: Arial, sans-serif;
background: #e9e9e9;
@ -160,7 +200,7 @@ switch ($action) {
header {
margin-bottom: 20px;
}
header button {
header button, header form button {
padding: 10px 20px;
margin-right: 10px;
border: none;
@ -169,7 +209,7 @@ switch ($action) {
cursor: pointer;
border-radius: 3px;
}
header button:hover {
header button:hover, header form button:hover {
background: #0056b3;
}
.output {
@ -211,7 +251,7 @@ switch ($action) {
}
</style>
<script>
// For Version and Update actions we can use fetch to load the result via AJAX.
// For Version and Update actions we can use AJAX.
function doAction(action) {
if (action === "data" || action === "terminal") {
window.location.href = "?action=" + action;
@ -220,96 +260,28 @@ switch ($action) {
.then(response => response.text())
.then(data => {
document.getElementById("output").innerText = data;
})
.catch(err => {
document.getElementById("output").innerText = "Error: " + err;
});
}
}
// SSH Connect functionality using the "ssh://" protocol.
function doSSH() {
var sshUser = "<?php echo getenv('user'); ?>"; // SSH username from the env.
var sshHost = window.location.hostname; // use current hostname.
var sshUser = "<?php echo htmlspecialchars(getenv('user')); ?>";
var sshHost = window.location.hostname;
window.location.href = "ssh://" + sshUser + "@" + sshHost;
}
</script>
</head>
<body>
<div class="container">
<header>
<h1>Discord Bot Admin API</h1>
<button onclick="doAction('version')">Version</button>
<button onclick="doAction('update')">Update</button>
<button onclick="window.location.href='?action=data'">Data</button>
<button onclick="doSSH()">SSH Connect</button>
<button onclick="window.location.href='?action=terminal'">Terminal</button>
</header>
<!-- Output area for AJAX-returned actions -->
<div id="output" class="output"><?php echo htmlspecialchars($output); ?></div>
<?php
// === Data Section ===
if ($action === "data") {
if (!isset($_GET['file'])) {
$baseDir = '/home/server';
echo "<h2>Files in {$baseDir}</h2>";
echo "<ul class='file-list'>";
$iterator = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($baseDir, RecursiveDirectoryIterator::SKIP_DOTS)
);
foreach ($iterator as $fileInfo) {
$filePath = $fileInfo->getPathname();
echo "<li><a href='?action=data&file=" . urlencode($filePath) . "'>" . htmlspecialchars($filePath) . "</a></li>";
}
echo "</ul>";
} else {
$file = $_GET['file'];
$baseDir = realpath('/home/server');
$realFile = realpath($file);
if ($realFile === false || strpos($realFile, $baseDir) !== 0) {
echo "<p>Invalid file.</p>";
} else {
echo "<h2>Editing: " . htmlspecialchars($realFile) . "</h2>";
echo "<form method='POST' action='?action=data&file=" . urlencode($realFile) . "'>";
echo "<textarea name='content'>" . htmlspecialchars(file_get_contents($realFile)) . "</textarea><br>";
echo "<input type='hidden' name='action' value='data'>";
echo "<input type='submit' value='Save' style='padding:10px 20px; margin-top:10px;'>";
echo "</form>";
}
}
}
// === Terminal Section ===
elseif ($action === "terminal") :
// This section provides two terminal options:
// 1. Wetty Terminal via an iframe (assumes Wetty is running on port 3000)
// 2. A direct integration of xterm.js (which connects via WebSocket to a Node.js pty server on port 3001)
?>
<div id="terminal-tabs" style="margin-bottom:10px;">
<button onclick="showTab('wetty')">Wetty Terminal</button>
<button onclick="showTab('xterm')">Xterm Terminal</button>
</div>
<div id="wetty" class="terminal-tab" style="display:block;">
<h2>Wetty Terminal</h2>
<iframe src="http://<?php echo $_SERVER['HTTP_HOST']; ?>:3000" width="100%" height="500px" frameborder="0"></iframe>
</div>
<div id="xterm" class="terminal-tab" style="display:none;">
<h2>Xterm Terminal</h2>
<div id="xterm-container" style="width: 100%; height: 500px;"></div>
</div>
<!-- Load xterm.js resources -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/xterm/css/xterm.css" />
<script src="https://cdn.jsdelivr.net/npm/xterm/lib/xterm.js"></script>
<script>
function showTab(tab) {
document.getElementById('wetty').style.display = (tab === 'wetty') ? 'block' : 'none';
document.getElementById('xterm').style.display = (tab === 'xterm') ? 'block' : 'none';
}
// Initialize xterm.js for the Xterm Terminal.
// NOTE: You MUST run a WebSocket Node.js server (for example, using node-pty and ws)
// listening on port 3001 to support this connection.
window.addEventListener('load', function() {
// Initialize the terminal only once.
if(document.getElementById('xterm-container')) {
const terminal = new Terminal();
terminal.open(document.getElementById('xterm-container'));
const socket = new WebSocket('ws://<?php echo $_SERVER['HTTP_HOST']; ?>:3001');
const socket = new WebSocket('ws://' + window.location.hostname + ':3001');
socket.onopen = function() {
terminal.write("Connected to shell\r\n");
};
@ -325,11 +297,77 @@ switch ($action) {
socket.onclose = function() {
terminal.write("\r\nConnection closed.\r\n");
};
}
});
</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/xterm/css/xterm.css" />
<script src="https://cdn.jsdelivr.net/npm/xterm/lib/xterm.js"></script>
</head>
<body>
<div class="container">
<header>
<h1>Discord Bot Admin API</h1>
<button onclick="doAction('version')">Version</button>
<!-- Update action now uses a form (POST with CSRF token) to improve safety -->
<form style="display:inline;" method="POST" action="?action=update" onsubmit="return confirm('Are you sure you want to update the bot?');">
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars(getCsrfToken()); ?>">
<button type="submit">Update</button>
</form>
<button onclick="window.location.href='?action=data'">Data</button>
<button onclick="doSSH()">SSH Connect</button>
<button onclick="window.location.href='?action=terminal'">Terminal</button>
</header>
<!-- AJAX Output Area -->
<div id="output" class="output"><?php echo htmlspecialchars($output); ?></div>
<?php if ($action === "data"):
$baseDir = realpath('/home/server');
if (!isset($_GET['file'])): ?>
<h2>Files in <?php echo htmlspecialchars($baseDir); ?></h2>
<ul class="file-list">
<?php
endif;
try {
$iterator = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($baseDir, RecursiveDirectoryIterator::SKIP_DOTS)
);
foreach ($iterator as $fileInfo) {
$filePath = $fileInfo->getPathname();
echo "<li><a href='?action=data&file=" . urlencode($filePath) . "'>" . htmlspecialchars($filePath) . "</a></li>";
}
} catch (Exception $e) {
echo "<li>Error reading files: " . htmlspecialchars($e->getMessage()) . "</li>";
}
?>
</ul>
<?php else:
$file = $_GET['file'];
$realFile = realpath($file);
if ($realFile === false || strpos($realFile, $baseDir) !== 0): ?>
<p>Invalid file.</p>
<?php else: ?>
<h2>Editing: <?php echo htmlspecialchars($realFile); ?></h2>
<form method="POST" action="?action=data&file=<?php echo urlencode($realFile); ?>">
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars(getCsrfToken()); ?>">
<textarea name="content"><?php echo htmlspecialchars(file_get_contents($realFile)); ?></textarea><br>
<input type="hidden" name="action" value="data">
<input type="submit" value="Save" style="padding:10px 20px; margin-top:10px;">
</form>
<?php endif;
endif;
elseif ($action === "terminal"): ?>
<div id="terminal-tabs" style="margin-bottom:10px;">
<button onclick="showTab('wetty')">Wetty Terminal</button>
<button onclick="showTab('xterm')">Xterm Terminal</button>
</div>
<div id="wetty" class="terminal-tab" style="display:block;">
<h2>Wetty Terminal</h2>
<iframe src="http://<?php echo htmlspecialchars($_SERVER['HTTP_HOST']); ?>:3000" width="100%" height="500px" frameborder="0"></iframe>
</div>
<div id="xterm" class="terminal-tab" style="display:none;">
<h2>Xterm Terminal</h2>
<div id="xterm-container" style="width: 100%; height: 500px;"></div>
</div>
<?php endif; ?>
</div>
</body>
</html>