- <?php
- /**
- * lib/print_auth.php
- *
- * Shared authentication for PDF print pages.
- *
- * Print pages can be accessed two ways:
- * 1. Normal browser access — requires an active PHP session (requireLogin)
- * 2. Headless Chrome access — no session; validated via a one-time token
- * file written by pdf-files/headlessChrome_pdf.php
- *
- * Usage (at the top of any print page, after requireLogin is available):
- *
- * require_once __DIR__ . '/../../../lib/print_auth.php';
- * $chromeAccess = authenticatePrintPage($recordId, $randId);
- * $userId = $chromeAccess ? null : getCurrentUserId();
- */
- /**
- * Authenticate a print page request.
- *
- * Returns true if access was granted via a valid headless Chrome ptoken.
- * Returns false if access was granted via normal session login.
- * Dies with 403 if neither is valid.
- */
- function authenticatePrintPage(int $recordId, string $randId): bool
- {
- $ptoken = trim($_GET['ptoken'] ?? '');
- if ($ptoken !== '') {
- // Validate token format first (prevents path traversal)
- if (!preg_match('/^[a-f0-9]{32}$/', $ptoken)) {
- http_response_code(403);
- die('Invalid print token.');
- }
- $tokenFile = dirname(__DIR__) . '/pdf-files/tokens/' . $ptoken . '.tmp';
- if (!file_exists($tokenFile)) {
- http_response_code(403);
- die('Print token not found or already used.');
- }
- $tokenData = json_decode(file_get_contents($tokenFile), true);
- if (
- !is_array($tokenData)
- || (int)$tokenData['rid'] !== $recordId
- || $tokenData['rand'] !== $randId
- || (int)$tokenData['expires'] < time()
- ) {
- @unlink($tokenFile);
- http_response_code(403);
- die('Invalid or expired print token.');
- }
- // Token is valid — do NOT delete here; Chrome may make multiple requests
- // for embedded resources. The generator deletes it after Chrome finishes.
- return true;
- }
- // Fall back to session auth
- requireLogin();
- return false;
- }