<?php
	require "app.php";
	if (isset($_POST['user'])) {
		$username = $_POST['user'];
		$query = $conn->query("SELECT * FROM Users WHERE User='$username'") or header("Location: ../?wronglogin");
		$row = $query->fetch_array();
		if (password_verify($_POST['pass'], $row['Password'])) {
			if (empty($row['Email'])) { // Unconfirmed E-mail
				$mess = new Message("You have not confirmed your e-mail address yet. Please do so before logging in.", "warning");
				queue_message($mess);
			} else {
				$ips = json_decode($row['Addresses'], true);
				if (in_array($_SERVER["REMOTE_ADDR"], $ips)) {
					// Everything is fine, log in
					$_SESSION['user'] = $row['User'];
					$_SESSION['permissions'] = $row['Permissions'];
					$_SESSION['userid'] = $row['UID'];
					queue_message(new Message("Successfully logged in.", "success"));
				} else { // New IP
					$mess = new_activation($username, "Addresses", $_SERVER["REMOTE_ADDR"]);
					queue_message($mess);
				}
			}
		} else { // Password incorrect
			$message = "Someone has failed to login to your account on " . Config::$sitename . ". They were using the password: " . htmlspecialchars($_POST['pass'] . "Their IP: " . $_SERVER['REMOTE_ADDR']);
			mail($row['Email'], "Failed login attempt", $message);
			queue_message(new Message("Incorrect password, the account owner has been notified.", "danger"));
		}
		if (isset($_POST['redirect'])) {
			$redirect = $_POST['redirect'];
			if (preg_match("/^https?:\/\/(\w*\.)?tankernn\.eu/i", $redirect) === 1 or preg_match("/^\.?\.?\//i", $redirect) === 1) {
				header("Location: $redirect");
			}
			echo "Invalid redirect URL: " . htmlspecialchars($redirect);
		} else {
			echo "Successfully logged in.";
		}
	}
	else {
		echo "No login data present.";
	}

?>