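<?php
// nginx auth_request handler. Answers 200 (allow) or 401 (deny) for the
// original request, which nginx describes via X-Original-URI plus whatever
// headers it forwards. The echoed word is informational; nginx acts on the code.

$uri = $_SERVER['HTTP_X_ORIGINAL_URI'] ?? $_SERVER['REQUEST_URI'] ?? 'NONE';

// The URI may carry an agent token in its query string. Logs must never
// receive that value, so every log line below uses this redacted copy.
$uri_for_log = preg_replace('/([?&]_agent_token=)[^&#]*/', '$1[REDACTED]', $uri) ?? $uri;

error_log("AUTH_CHECK uri=$uri_for_log");

// --- Public (unauthenticated) paths ---------------------------------------

$public_exact = ['/', '/index.html', '/login.html', '/login', '/register.html', '/wevia-widget.html', '/wevia.html', '/enterprise-model.html'];
$public_prefixes = ['/products/', '/blog/', '/service/', '/api/'];

// Strict comparison: $uri is always a string, loose in_array gains nothing.
$is_public = in_array($uri, $public_exact, true);

if (!$is_public) {
    foreach ($public_prefixes as $p) {
        if (strpos($uri, $p) === 0) {
            $is_public = true;
            break;
        }
    }
}

// Static assets by extension. Matched against the raw URI, so a query string
// after the extension does not count as a static asset (unchanged behaviour).
if (!$is_public && preg_match('/\.(css|js|png|jpg|svg|ico|woff2?|ttf|gif|webp)$/', $uri)) {
    $is_public = true;
}

if ($is_public) {
    http_response_code(200);
    echo 'PUBLIC';
    exit;
}

// --- Agent token bypass (v19) ---------------------------------------------
// auth_request is internal only: we see X-Original-URI and the headers nginx
// forwards. The token may be supplied either as ?_agent_token= in the original
// URI or as header X-Agent-Token. A token in the URI is visible to every
// component that logs URLs, hence the redaction above.

$supplied = '';
if (preg_match('/[?&]_agent_token=([A-Za-z0-9_-]+)/', $uri, $m)) {
    $supplied = $m[1];
}
// Header form. Requires nginx: fastcgi_param HTTP_X_AGENT_TOKEN $http_x_agent_token
// Compared with === '' rather than truthiness so a token of "0" is not dropped.
if ($supplied === '') {
    $supplied = (string) ($_SERVER['HTTP_X_AGENT_TOKEN'] ?? '');
}

if ($supplied !== '') {
    // The expected token comes only from the secrets file. There is
    // deliberately no built-in fallback value: if the file is unreadable or
    // has no AGENT_TOKEN line, the bypass is disabled and normal auth applies.
    $expected = '';
    if (is_readable('/etc/weval/secrets.env')) {
        $lines = file('/etc/weval/secrets.env', FILE_IGNORE_NEW_LINES);
        foreach ($lines === false ? [] : $lines as $line) {
            if (strpos($line, 'AGENT_TOKEN=') === 0) {
                $expected = trim(substr($line, strlen('AGENT_TOKEN=')));
                break;
            }
        }
    }

    // hash_equals gives a constant-time comparison; the known value goes first.
    if ($expected !== '' && hash_equals($expected, $supplied)) {
        http_response_code(200);

        // Best-effort audit trail of bypass use. The user agent is
        // attacker-controlled, so line breaks are flattened to keep one
        // record per line; a failed write must not affect the decision.
        $ua = str_replace(["\r", "\n"], ' ', $_SERVER['HTTP_USER_AGENT'] ?? '?');
        $entry = date('c') . ' uri=' . substr($uri_for_log, 0, 200)
            . ' ua=' . substr($ua, 0, 80) . "\n";
        if (file_put_contents('/var/log/nginx/agent-bypass.log', $entry, FILE_APPEND | LOCK_EX) === false) {
            error_log('AUTH_CHECK agent-bypass.log not writable');
        }

        echo 'AGENT-OK';
        exit;
    }
}

// --- Regular session/credential check --------------------------------------

require __DIR__ . '/weval-auth.php';

if (weval_check_auth()) {
    http_response_code(200);
    echo 'OK';
} else {
    http_response_code(401);
    echo 'UNAUTHORIZED';
}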