intranet-apei/login.php

<?php
require('./Assets/functions.php');
$config = json_decode(file_get_contents("./Assets/config.json"), true);
$bdd = connectBDD("localhost", $config["BDD_USER"], $config["BDD_PASSWD"], $config["BDD_NAME"]);

function useRegex($input, $regex)
    {
        return preg_match($regex, $input);
    }

session_start();

if (isset($_POST['user']) && isset($_POST['password']) && isset($_GET['redirect_to'])) {
  if (useRegex($_POST['user'], '/^APEI\d{4}$/')) {
    if (validateCSRFToken($_SESSION['csrf'], $_POST['csrf']) && verifyPassword(getHashPwd($bdd, $_POST['user'])["password"], $_POST['password'])) {
      $csrf = '';
      $_SESSION['connected'] = true;
      $_SESSION['site'] = getSite($bdd, $_POST['user']);
      $_SESSION['permission'] = getUserPerms($bdd, $_POST['user']);
      $_SESSION['username'] = $_POST['user'];
      header('location: ' . $_GET['redirect_to']);
    }
  }
} else {
  $csrf = bin2hex(random_bytes(32));
  $_SESSION['csrf'] = $csrf;
}
?>
<!DOCTYPE html>
<html lang="fr">

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
  <link rel="stylesheet" href="./styles-scripts/login.css">
  <title>Se connecter !</title>
</head>

<body>
  <form method="POST">
    <div class="form-group">
      <label for="user">Nom d'utilisateur :</label>
      <input type="text" class="form-control" id="user" name="user" required>
    </div>
    <div class="form-group">
      <label for="password">Password</label>
      <input type="password" class="form-control" id="password" name="password" required>
    </div>
    <div class="form-group">
      <input type="hidden" name="csrf" value="<?= $csrf ?>">
      <button type="submit" class="btn btn-primary button">Connexion</button>
      <button class="btn btn-success button" onclick="window.location.replace('./index.php')">Revenir à l'accueil</button>
    </div>
  </form>
  <a href="./activate.php">Activer mon compte</a>
  <h3>En cas d'oubli de votre mot de passe, veuillez contacter Blandine Lemaire au <a href="tel:20117">20117</a></h3>
</body>

</html>