embed-app-php/embedded.php at main · JoonWebdotcom/embed-app-php · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
<?php
namespace JoonWeb\EmbedApp;
require_once __DIR__ . '/config/constants.php';
require_once __DIR__ . '/src/JoonWebAPI.php';
require_once __DIR__ . '/src/DBSessionManager.php';
require_once __DIR__ .'/config/database.php';
$session = new SessionManager();
$api = new JoonWebAPI();

// Handle health check separately
if (isset($_GET['health_check'])) {
    header('Content-Type: text/plain');
    echo 'OK';
    exit;
}

function verifyJoonWebHmac($params) {
    $hmac = $params['hmac'] ?? '';
    unset($params['hmac']);

    ksort($params);
    $message = http_build_query($params);
    $calculated_hmac = hash_hmac('sha256', $message, JOONWEB_CLIENT_SECRET);

    return hash_equals($hmac, $calculated_hmac);
}

function getStoredTokenFromDatabase($site_domain) {
    global $session;
    $data = $session->getSiteFromDatabase($site_domain);


    if($data){
        return [
            'access_token' => $data['access_token'],
            'scope' => !empty($data['scope']) ? explode(",",$data['scope']) : [],
            'expires_in' => 9999999999999999,
            'associated_user' => [
                'id' => 123456,
                'email' => 'user@example.com'
            ]
        ];
    } else {
        return false;
    }
}


// Check if we have JoonWeb embedded parameters
if (isset($_GET['session']) && isset($_GET['id_token']) && isset($_GET['site'])) {

    // Verify HMAC first
    if (!verifyJoonWebHmac($_GET)) {
        die('Invalid HMAC signature');
    }

    // Decode and verify ID token
    $id_token = json_decode(base64_decode($_GET['id_token']), true);

    if ($id_token && $id_token['exp'] > time()) {
        // Valid session - get token from database using site parameter
        $token_data = getStoredTokenFromDatabase($_GET['site']);

        if ($token_data) {
            $session->startSession($_GET['site'], $token_data);


            // Store JoonWeb session info
            $_SESSION['joonweb_session'] = $_GET['session'];
            $_SESSION['joonweb_user'] = $id_token['sub'] ?? null;
        }else{
            exit("Invalid Token");
        }
    }else{
        exit("Expired");
    }
}


// TEMPORARY: Bypass authentication for testing - REMOVE LATER
if (!$session->isAuthenticated() && $session->isEmbeddedRequest()) {
   die("Invalid Sessionx");
}

// Check if user is authenticated
if (!$session->isAuthenticated()) {
    if ($session->isEmbeddedRequest()) {
        // REMOVED: echo "App is Loaded"; - This was causing the loop
        include 'views/embedded/loading.php';
    } else {
       include 'views/embedded/loading.php';
    }
    exit;
}

// Rest of your normal flow...
$api->setAccessToken($session->getAccessToken());
$api->setSiteDomain($session->getSiteDomain());

try {
    $site = $api->getSite();

} catch (Exception $e) {
    $session->destroySession();
    if ($session->isEmbeddedRequest()) {
        die('Session expired');
    } else {
        die('Session expired iframe');
    }
    exit;
}

// Handle routing
$page = $_GET['page'] ?? 'dashboard';
$valid_pages = ['dashboard'];

if (!in_array($page, $valid_pages)) {
    $page = 'dashboard';
}

// Set security headers for embedding
header("Content-Security-Policy: frame-ancestors https://*.joonweb.com");
header("X-Frame-Options: ALLOW-FROM https://accounts.joonweb.com");


// Load the appropriate view
$view_file = "views/embedded/{$page}.php";
if (file_exists($view_file)) {
    include $view_file;
} else {
    include 'views/embedded/dashboard.php';

}