CMXX - Consumer identity

api/v2/post/consumer_identity.php

@@ -0,0 +1,215 @@
+<?php
+defined($security_key) or exit;
+
+//------------------------------------------
+// consumer_identity
+//------------------------------------------
+//Connect to DB
+$pdo = dbConnect($dbname);
+
+//CONTENT FROM API (POST)
+$post_content = json_decode($input,true);
+
+//SoldTo is empty
+if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
+
+//default whereclause
+list($whereclause,$condition) = getWhereclause('',$permission,$partner,'');
+
+
+
+//SET PARAMETERS FOR QUERY
+$id = (isset($post_content['userkey'])) ? $post_content['userkey']: ''; //check for rowID
+$command = ($id == '')? 'insert' : 'update';  //IF rowID = empty then INSERT
+if (isset($post_content['delete'])){$command = 'delete';} //change command to delete
+if (isset($post_content['reset'])){$command = 'reset';} //change command to reset
+if (isset($post_content['login'], $post_content['email'], $post_content['password'])){$command = 'login';}//change command to login
+$date = date('Y-m-d H:i:s');
+
+//CREATE EMPTY STRINGS
+$clause = '';
+$clause_insert ='';
+$input_insert = '';
+
+//BUILD UP PARTNERHIERARCHY FROM INTERFACE USER
+$partner_product = json_encode(array("salesid"=>$partner->salesid,"soldto"=>$partner->soldto), JSON_UNESCAPED_UNICODE);
+
+//FIXED VARIABLES
+$post_content['updatedby'] = $userrname; //initial = interface user
+$post_content['accounthierarchy'] = $partner_product; // related to interface user
+$post_content['userkey'] = bin2hex(random_bytes(25)); 
+//Create or update resetkey
+$headers = array('alg'=>'HS256','typ'=>'JWT');
+$payload = array('key'=> bin2hex(random_bytes(25)), 'exp'=>(time() + 1800));
+$resetkey = generate_jwt($headers, $payload);
+
+//GET EXISTING CONSUMER DATA
+if ($id != '' && $command == 'reset'){
+
+    //STEP 1 - Get username
+    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE userkey = ?');
+    $stmt->execute([$id]);
+    $consumer_data = $stmt->fetch();
+
+    //STEP 2- Store resetkey
+    $sql = 'UPDATE users SET resetkey = ?, updatedby = ? WHERE id = ? '.$whereclause.'';
+    $stmt = $pdo->prepare($sql);
+    $stmt->execute([$resetkey,$post_content['updatedby'],$id]);
+    
+    //STEP 3 - Send DATA BACK TO FRONT_END
+    $messages = json_encode(array('consumer_email'=> $consumer_data['email'], "resetkey" => $resetkey), JSON_UNESCAPED_UNICODE);
+    //Send results
+    echo $messages;
+    exit;
+}
+
+//ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE
+if ($command == 'update'){ 
+    //Define Query
+    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE userkey = ?');
+    $stmt->execute([$id]);
+    $consumer_data = $stmt->fetch();
+
+    $post_content['updatedby'] = $consumer_data['email'];
+
+    if (isset($post_content['password'])){ 
+        $post_content['password'] = password_hash($password, PASSWORD_DEFAULT);
+    }
+ 
+}
+elseif ($command == 'insert'){
+    $post_content['password'] = bin2hex(random_bytes(25)); //generate initial password
+    $post_content['language'] = isset($post_content['language']) ? $post_content['language'] : 'US';
+}
+elseif ($command == 'login'){
+
+    //SETUP SQL FOR LOGIN_COUNT
+    $sql_login = 'UPDATE consumer_identity SET login_count = ? WHERE id = ?';
+
+    // Check if the account exists
+    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE email = ?');
+    $stmt->execute([ $post_content['email'] ]);
+    $account = $stmt->fetch(PDO::FETCH_ASSOC);
+    
+    if (count($account) != 0){
+
+        //CHECK NUMBER OF LOGIN ATTEMPTS IS BELOW 5
+        if($user_data['login_count'] < 5){
+            // If account exists verify password
+            if ($account && password_verify($post_content['password'], $account['password'])) {
+            
+                //CONSUMER LOGIN CORRECT RETURN DATA
+                $consumer = array(
+                    'accountID' => $account['userkey'],
+                    'profile' => $account['profile']
+                );
+
+                //Reset login count after succesfull attempt
+                $login_attempt = 0;
+                
+                $stmt_login = $pdo->prepare($sql_login);
+                $stmt_login->execute([$login_attempt, $account['id']]);
+
+                //Encrypt results
+                $messages = json_encode($consumer, JSON_UNESCAPED_UNICODE);
+                //Send results
+                echo $messages; 
+                exit;
+            } 
+            else {
+                //Update Login count with failed attempt
+                $login_attempt = $account['login_count'] + 1;
+                $stmt_login = $pdo->prepare($sql_login);
+                $stmt_login->execute([$login_attempt, $account['id']]);
+                //Send Response
+                http_response_code(403); //Not authorized
+                exit;
+            }
+        }
+        else {
+            //User is blocked & send error
+            $messages = '1';
+            //------------------------------------------
+            //Send results
+            //------------------------------------------
+            echo $messages; 
+            exit;
+        }
+    }
+}
+else {
+    //do nothing
+}
+
+//CREAT NEW ARRAY AND MAP TO CLAUSE
+if(isset($post_content) && $post_content!=''){   
+    foreach ($post_content as $key => $var){
+        if ($key == 'submit' || $key == 'id'){
+            //do nothing
+        }
+        else {
+            $criterias[$key] = $var;
+            $clause .= ' , '.$key.' = ?';
+            $clause_insert .= ' , '.$key.'';
+            $input_insert .= ', ?'; // ? for each insert item
+            $execute_input[]= $var; // Build array for input
+        }
+    }
+}
+
+//CLEAN UP INPUT
+$clause = substr($clause, 2); //Clean clause - remove first comma
+$clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
+$input_insert = substr($input_insert, 1); //Clean clause - remove first comma
+
+//QUERY AND VERIFY ALLOWED
+if ($command == 'update' && (isAllowed('consumer_identity',$profile,$permission,'U') === 1)){
+    $sql = 'UPDATE consumer_identity SET '.$clause.' WHERE userkey = ? '.$whereclause.'';
+
+    $execute_input[] = $id;
+    $stmt = $pdo->prepare($sql);
+    $stmt->execute($execute_input);
+
+} 
+elseif ($command == 'insert' && isAllowed('',$profile,$permission,'C') === 1){
+    
+    //check if consumer_identity exists
+    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE email = ?');
+    $stmt->execute([$post_content['email']]);
+    $consumer_exist = $stmt->fetch();
+
+    $exists = (isset($consumer_exist['email']))? 1 : 0;
+    if($consumer_exist == 0 ){
+        $sql = 'INSERT INTO consumer_identity ('.$clause_insert.') VALUES ('.$input_insert.')';
+        $stmt = $pdo->prepare($sql);
+        $stmt->execute($execute_input);
+
+        //STEP 2- Send to user
+        $messages = json_encode(array('consumer_email'=> $post_content['email'], "resetkey" => $resetkey), JSON_UNESCAPED_UNICODE);
+        //Send results
+        echo $messages;
+        exit;
+    } else {
+        //------------------------------------------
+        //JSON_ENCODE
+        //------------------------------------------
+        $messages = json_encode($exists, JSON_UNESCAPED_UNICODE);
+
+        //Send results
+        echo $messages;            
+    }
+}
+elseif ($command == 'delete' && isAllowed('consumer_identity',$profile,$permission,'D') === 1){
+    //delete equipment
+    $stmt = $pdo->prepare('DELETE FROM consumer_identity WHERE userkey = ? '.$whereclause.'');
+    $stmt->execute([ $id ]);
+
+    //Add deletion to changelog
+    changelog($dbname,'consumer_identity',$id,'Delete','Delete',$consumername);
+} else
+{
+    //do nothing
+}
+
+
+?>