46 lines
1.6 KiB
PHP
Executable File
46 lines
1.6 KiB
PHP
Executable File
<?php
|
|
require_once __DIR__ . "/wevads-shield.php";
|
|
if(session_status()===PHP_SESSION_NONE)session_start();
|
|
|
|
// Public pages (no auth needed)
|
|
$public = ['arsenal-login.php'];
|
|
$page = basename($_SERVER['SCRIPT_FILENAME'] ?? '');
|
|
$uri = $_SERVER['REQUEST_URI'] ?? '';
|
|
$ext = pathinfo($page, PATHINFO_EXTENSION);
|
|
|
|
// Allow: login page, static assets
|
|
if (in_array($page, $public)) return;
|
|
if (in_array($ext, ['js','css','png','jpg','jpeg','gif','svg','ico','woff','woff2','ttf'])) return;
|
|
|
|
// API + exec: require their own auth (key-based)
|
|
if (in_array($page, ['claude-exec.php','claude-exec2.php','bx.php'])) return;
|
|
if (strpos($uri, '/api/') === 0) {
|
|
// APIs need either session OR API key
|
|
if (isset($_SESSION['arsenal_auth']) && $_SESSION['arsenal_auth'] === true) return;
|
|
if (isset($_SERVER['HTTP_X_ARSENAL_KEY']) && $_SERVER['HTTP_X_ARSENAL_KEY'] === 'W2026-API-KEY') return;
|
|
// Allow from localhost (internal calls)
|
|
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
|
|
if ($ip === '127.0.0.1' || $ip === '::1') return;
|
|
header('HTTP/1.1 401 Unauthorized');
|
|
echo json_encode(['error'=>'auth_required']);
|
|
exit;
|
|
}
|
|
|
|
// Session timeout: 8 hours
|
|
$timeout = 8 * 3600;
|
|
if (isset($_SESSION['arsenal_time']) && (time() - $_SESSION['arsenal_time']) > $timeout) {
|
|
session_destroy();
|
|
if(session_status()===PHP_SESSION_NONE)session_start();
|
|
header('Location: /arsenal-login.php?expired=1');
|
|
exit;
|
|
}
|
|
|
|
// Not authenticated → redirect
|
|
if (!isset($_SESSION['arsenal_auth']) || $_SESSION['arsenal_auth'] !== true) {
|
|
header('Location: /arsenal-login.php');
|
|
exit;
|
|
}
|
|
|
|
// Refresh session time on activity
|
|
$_SESSION['arsenal_time'] = time();
|