<?php
// script header will go here
include_once("./includes/maj_all_includes.php");
include_once("scripts/AzureMfa.php");

$oAuthVerifier = "";
$oAuthChallenge = "";
$oAuthChallengeMethod = "";

function oAuthChallenge() {
    // Function to generate code verifier and code challenge for oAuth login. See RFC7636 for details. 
    $verifier = $oAuthVerifier;
    if (!$oAuthVerifier) {
        $chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-._~';
        $charLen = strlen($chars) - 1;
        $verifier = '';
        for ($i = 0; $i < 128; $i++) {
            $verifier .= $chars[mt_rand(0, $charLen)];
        }
        $oAuthVerifier = $verifier;
    }
    // Challenge = Base64 Url Encode ( SHA256 ( Verifier ) )
    // Pack (H) to convert 64 char hash into 32 byte hex
    // As there is no B64UrlEncode we use strtr to swap +/ for -_ and then strip off the =
    $oAuthChallenge = str_replace('=', '', strtr(base64_encode(pack('H*', hash('sha256', $verifier))), '+/', '-_'));
    $oAuthChallengeMethod = 'S256';
    
    $output["oAuthVerifier"] = $oAuthVerifier;
    $output["oAuthChallenge"] = $oAuthChallenge;
    $output["oAuthChallengeMethod"] = $oAuthChallengeMethod;
    
    return $output;
}

// if (!$_POST) echo $MAJ_ip;
if ($MAJ_offer_to_remember_login_username)  {
    if ($_COOKIE['username'] != "")  {
        $remember_username = "yes";
        $username = $_COOKIE['username'];
    }
}

if (isset($_POST['submit']))  {
    // process the form                       
    $form_passes = TRUE;
    $username = maj_clean(trim($_POST['username']), 125);
    $password = maj_clean(trim($_POST['password']), 25);
    $password = trim($_POST['password']);
    
    // validate form entries
    if ($username !="")  {                             
                                                                        
        if (!maj_check_if_new_username($username))  {
        }  else  {   	                                              
                                                                        
            $form_passes = FALSE;                                                                             
            $form_error_message[] = "The username you entered is not in the database. Please try again.";	      	        
        
        }  // check for new username
    }  else  {   	                                              
                                                                        
        $form_passes = FALSE;                                                                             
        $form_error_message[] = "The username was blank!";	      	        
        
    }
    // check for blank username
    if ($password =="")  {                             
                                                                        
        $form_passes = FALSE;                                                                             
        $form_error_message[] = "The password was blank!";	      	        
        
    }  // check for blank password
    
    if ($form_passes)  {
    
        if (maj_match_username_password($username, $password))  {
            if (!maj_check_active($username))  {
                $form_passes = FALSE;
                $form_error_message[] = "This account has been deactivated. Please contact the administrator for more information.";
            }  // end if check active
        }  else  { 
            $form_error_message[] = "Incorrect password. Please try again.";
            $form_passes = FALSE;
            if ($MAJ_dont_log_attempted_passwords_at_login) $password = "********";
            maj_log_login($username, $password, "failed", $MAJ_number_of_failed_logins_for_lock, $MAJ_ip);  // Note: will change url if user gets locked out
        } // end if match username and password
        
        if ($form_passes)  {
        
            if (AzureMfa::useMFA()) {
            
                $azure_mfa = new AzureMfa();
            
                $access_token = $azure_mfa->getAccessToken();
                
                if(!empty($access_token)) {
                
                    $client_id = $MAJ_MFA_CLIENT_ID;
                    $tenant_id = $MAJ_MFA_TENANT_ID;
                    $client_secret = $MAJ_MFA_CLIENT_SECRET;
                    
                    $redirect_domain = "https://" . $_SERVER["HTTP_HOST"] . "/scripts/oauth2.php";
                    
                    // generate challenge fields.
                    $oauth_data = oAuthChallenge();
                    $oAuthVerifier = $oauth_data["oAuthVerifier"];
                    $oAuthChallenge = $oauth_data["oAuthChallenge"];
                    $oAuthChallengeMethod = $oauth_data["oAuthChallengeMethod"];
                    
                    // save off the verifier
                    maj_db_do("UPDATE siteuser SET mfa_code_verifier = '{$oAuthVerifier}' WHERE username ='{$username}' and password = '{$password}'");
                    
                    $siteuser_id = maj_get_value("SELECT id FROM siteuser WHERE username ='{$username}' and password = '{$password}'");
                    
                    // we'll use this in the outh2.php script
                    session_start();
                    $_SESSION['siteuser_id'] = $siteuser_id;
                    $_SESSION['mfa_code_verifier'] = $oAuthVerifier;
                    
                    $oAuthURL = 'https://login.microsoftonline.com/' . $tenant_id . '/oauth2/v2.0/' . 'authorize?response_type=code&client_id=' . $client_id . '&redirect_uri=' . urlencode($redirect_domain) . '&scope=openid%20offline_access&code_challenge=' . $oAuthChallenge . '&code_challenge_method=' . $oAuthChallengeMethod;

                    header('Location: ' . $oAuthURL);
                    exit;
                } 
                
            } else {
        
                /* MFA disabled */
                
                // TODO should the following be included in oauth2.php
        
                if ($MAJ_offer_to_remember_login_username)  {  
                    if ($_POST['remember_username'] == "on")  {
                        $cookie_time = time()+60*60*24*90;
                        setcookie("username",$username, $cookie_time);
                    }  else  {
                        setcookie("username","");
                    }
                }
                
                $config_web_alias = $MAJ_web_alias;
                
                session_start();
                
                $MAJ_userid = maj_get_userid($username);
                $_SESSION['MAJ_userid'] = $MAJ_userid;
                $_SESSION['MAJ_web_alias'] = $config_web_alias;
                
                //check and see if they need to compete a software agreement form
                $query = "SELECT COUNT(id) FROM software_agreement
                        WHERE is_current_agreement = 'y'
                            AND active = 'y'
                            AND id NOT IN (SELECT software_agreement_id
                                            FROM jsiteuser_software_agreement
                                            WHERE siteuser_id = '$MAJ_userid'
                                            AND active = 'y'
                                        )
                        ";
                        
                        
                // ************* MOVE to landing page???? *************************//

                $agreement_needed_count = maj_get_value($query);

                if ($agreement_needed_count > 0) $_SESSION['require_software_agreement'] = true;
                
                $ask_to_change_password = maj_get_value("SELECT ask_to_change_password FROM siteuser WHERE id = '$MAJ_userid'");
                if (preg_match("/$username/",$password) || $ask_to_change_password == 'y')  {
                
                    header("Location: $MAJ_site_root/change_password.$MAJ_file_extension");
                    
                }  else if($_SESSION['send_to'] != "" && !preg_match("/_file\.html/", $_SESSION['send_to']))  { 
                    // people were getting stuck on view_file.html and download_file.html
                    header("Location: {$_SESSION['send_to']}");
                    
                }  else{
                
                    header("Location: $MAJ_site_root/mainmenu.$MAJ_file_extension");
                }
                
                if ($MAJ_dont_log_attempted_passwords_at_login) $password = "********";
                maj_log_login($username, $password, "success", $MAJ_number_of_failed_logins_for_lock, $MAJ_ip);
            
                exit;  // shouldn't make it past here
            }
        }   
    }
} // end if form submitted


// start form content
$content = "<h2>Log in to $MAJ_companyname $MAJ_appname</h2>\n\n";
if ($form_error_message)  {
   include_once("$MAJ_include_path/code/display_form_error_messages.php");
}
// start form
$content .= "";
$content .= "<form action='$PHP_SELF' name='login_form' method='post'>\n";
$content .= "<table class='login' cellpadding='4'>\n";
$content .= "<tr><td>Username:</td>\n";
$content .= "<td><input type='text' name='username' value='$username' maxlength='20' class='text'></td></tr>\n";
$content .= "<tr><td>Password:</td>\n";
$content .= "<td><input type='password' name='password' value='' maxlength='20' class='text'></td></tr>\n";
if ($MAJ_offer_to_remember_login_username) {
   $content .= "<tr><td colspan='2'><input type='checkbox' name='remember_username'";
   if ($remember_username == "yes") $content .= " CHECKED ";
   $content .= ">&nbsp;&nbsp;Remember my username on this computer</td></tr>\n";
}
$content .= "<tr><td colspan='2'><center><input type='submit' name='submit' value='Login' class='button'></center></td></tr>\n";
$content .= "</table></form>\n";
$title = "$MAJ_companyname $MAJ_appname  | Login";
if (($MAJ_offer_to_remember_login_username && $remember_username=="yes") || ($username != "" && !$d))  {
   $body_tag = "onLoad='window.document.login_form.password.focus();'";
}   else  {
   $body_tag = "onLoad='window.document.login_form.username.focus();'";
}
if ($MAJ_offer_to_email_forgotten_password) $content .= "<p><a href='forgot_password.$MAJ_file_extension'>Forgot your password?</a></p>";
$bottom_links=FALSE;
include_once("$MAJ_include_path/code/display_page.php");
?>