SIMON Master Console Rebuild
True command center for SIMON + WEB360
This rebuild gives you a cleaner production spine: interactive tree, live viewer, guarded editor, dynamic graphics, architecture map, and note storage. It is designed to sit beside your existing
console.php
and become the stronger replacement path.
Dashboard
Tree
Viewer
System Map
File Registry
Notes
Files
15,026
Folders
377
Scanned Size
3.79 GB
PHP Files
791
Editable Text Files
12,310
File viewer
guarded to /htdocs
/api/auth/session_bootstrap.php
<?php declare(strict_types=1); /** * /api/auth/session_bootstrap.php * * Guardian bootstrap * - loads private config safely * - hardens and starts session safely * - centralizes helper functions * - normalizes Guardian identity/session keys * - centrally assigns roles from trusted email allowlist * - prevents common header/session warnings */ date_default_timezone_set('America/Chicago'); /* ========================================================================= LOAD PRIVATE CONFIG ========================================================================= */ $privateConfigCandidates = [ '/homepages/7/d4299367777/private/config.php', '/homepages/7/d4299367777/htdocs/private/config.php', '/kunden/homepages/7/d4299367777/private/config.php', '/kunden/homepages/7/d4299367777/htdocs/private/config.php', dirname(__DIR__, 3) . '/private/config.php', dirname(__DIR__, 4) . '/private/config.php', ]; $configLoaded = false; foreach ($privateConfigCandidates as $configPath) { if (is_string($configPath) && $configPath !== '' && is_file($configPath)) { require_once $configPath; $configLoaded = true; break; } } if (!$configLoaded) { if (!headers_sent()) { http_response_code(500); header('Content-Type: text/plain; charset=utf-8'); } echo 'Guardian configuration file not found.'; exit; } /* ========================================================================= BASIC HELPERS ========================================================================= */ if (!function_exists('guardian_is_https')) { function guardian_is_https(): bool { return ( (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || (isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower((string)($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https') ); } } if (!function_exists('guardian_client_ip')) { function guardian_client_ip(): string { $keys = [ 'HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR', ]; foreach ($keys as $key) { if (!empty($_SERVER[$key])) { $value = trim((string)$_SERVER[$key]); if ($key === 'HTTP_X_FORWARDED_FOR') { $parts = explode(',', $value); $value = trim((string)($parts[0] ?? '')); } if ($value !== '') { return $value; } } } return '0.0.0.0'; } } if (!function_exists('guardian_user_agent')) { function guardian_user_agent(): string { return trim((string)($_SERVER['HTTP_USER_AGENT'] ?? 'unknown')); } } if (!function_exists('guardian_current_host')) { function guardian_current_host(): string { return strtolower(trim((string)($_SERVER['HTTP_HOST'] ?? ''))); } } if (!function_exists('guardian_cookie_domain')) { function guardian_cookie_domain(): string { $host = guardian_current_host(); if ($host === '' || $host === 'localhost' || filter_var($host, FILTER_VALIDATE_IP)) { return ''; } if (str_ends_with($host, '.gaylordsinclair.com')) { return '.gaylordsinclair.com'; } if ($host === 'gaylordsinclair.com') { return '.gaylordsinclair.com'; } return ''; } } if (!function_exists('guardian_log_event')) { function guardian_log_event(string $event, array $data = []): void { $logDir = defined('GUARDIAN_LOG_DIR') ? GUARDIAN_LOG_DIR : (__DIR__ . '/../../_logs'); if (!is_dir($logDir)) { @mkdir($logDir, 0755, true); } $entry = [ 'time' => date('c'), 'event' => $event, 'data' => $data, 'ip' => guardian_client_ip(), 'ua' => guardian_user_agent(), 'session_id' => session_id(), ]; @file_put_contents( rtrim($logDir, '/\\') . '/auth.log', json_encode($entry, JSON_UNESCAPED_SLASHES) . PHP_EOL, FILE_APPEND | LOCK_EX ); } } /* ========================================================================= SESSION HARDENING ========================================================================= */ $https = guardian_is_https(); if (session_status() !== PHP_SESSION_ACTIVE) { if (!headers_sent()) { $sessionName = defined('GUARDIAN_SESSION_NAME') && is_string(GUARDIAN_SESSION_NAME) && GUARDIAN_SESSION_NAME !== '' ? GUARDIAN_SESSION_NAME : 'GUARDIANSESSID'; session_name($sessionName); ini_set('session.use_only_cookies', '1'); ini_set('session.use_strict_mode', '1'); ini_set('session.cookie_httponly', '1'); ini_set('session.cookie_secure', '1'); ini_set('session.cookie_samesite', 'None'); session_set_cookie_params([ 'lifetime' => 0, 'path' => '/', 'domain' => guardian_cookie_domain(), 'secure' => true, 'httponly' => true, 'samesite' => 'None', ]); } session_start(); } if (!isset($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token']) || $_SESSION['csrf_token'] === '') { try { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); } catch (Throwable $e) { $_SESSION['csrf_token'] = sha1(uniqid('guardian_csrf_', true)); } } /* ========================================================================= CORE INCLUDE ========================================================================= */ $dbInclude = __DIR__ . '/../../_inc/db.php'; if (is_file($dbInclude)) { require_once $dbInclude; } /* ========================================================================= FAILURE / REDIRECT HELPERS ========================================================================= */ if (!function_exists('guardian_allowed_redirects')) { function guardian_allowed_redirects(): array { $allowed = $GLOBALS['GUARDIAN_ALLOWED_REDIRECTS'] ?? []; if (is_array($allowed) && $allowed !== []) { $clean = []; foreach ($allowed as $item) { $item = trim((string)$item); if ($item !== '') { $clean[] = $item; } } if ($clean !== []) { return array_values(array_unique($clean)); } } $default = defined('GUARDIAN_POST_AUTH_DEFAULT') ? GUARDIAN_POST_AUTH_DEFAULT : '/simon/index.php'; return [$default]; } } if (!function_exists('guardian_normalize_redirect')) { function guardian_normalize_redirect(string $redirect): string { $default = defined('GUARDIAN_POST_AUTH_DEFAULT') ? GUARDIAN_POST_AUTH_DEFAULT : '/simon/index.php'; $redirect = trim($redirect); if ($redirect === '') { return $default; } if ( preg_match('#^https?://#i', $redirect) || str_starts_with($redirect, '//') || strpos($redirect, "\r") !== false || strpos($redirect, "\n") !== false ) { return $default; } $allowed = guardian_allowed_redirects(); return in_array($redirect, $allowed, true) ? $redirect : $default; } } if (!function_exists('guardian_capture_redirect_from_request')) { function guardian_capture_redirect_from_request(): string { $default = defined('GUARDIAN_POST_AUTH_DEFAULT') ? GUARDIAN_POST_AUTH_DEFAULT : '/simon/index.php'; $redirect = $default; if (isset($_GET['redirect']) && is_string($_GET['redirect'])) { $redirect = guardian_normalize_redirect($_GET['redirect']); } elseif (isset($_POST['redirect']) && is_string($_POST['redirect'])) { $redirect = guardian_normalize_redirect($_POST['redirect']); } $_SESSION['post_auth_redirect'] = $redirect; return $redirect; } } if (!function_exists('guardian_post_auth_redirect')) { function guardian_post_auth_redirect(): string { $default = defined('GUARDIAN_POST_AUTH_DEFAULT') ? GUARDIAN_POST_AUTH_DEFAULT : '/simon/index.php'; $stored = (string)($_SESSION['post_auth_redirect'] ?? $default); return guardian_normalize_redirect($stored); } } if (!function_exists('guardian_safe_redirect')) { function guardian_safe_redirect(string $requestedRedirect, string $defaultRedirect): string { $defaultRedirect = guardian_normalize_redirect($defaultRedirect); $requestedRedirect = trim($requestedRedirect); if ($requestedRedirect === '') { return $defaultRedirect; } if ( preg_match('#^https?://#i', $requestedRedirect) || str_starts_with($requestedRedirect, '//') || strpos($requestedRedirect, "\r") !== false || strpos($requestedRedirect, "\n") !== false ) { return $defaultRedirect; } $allowed = guardian_allowed_redirects(); return in_array($requestedRedirect, $allowed, true) ? $requestedRedirect : $defaultRedirect; } } if (!function_exists('guardian_redirect')) { function guardian_redirect(string $url): void { if (!headers_sent()) { header('Location: ' . $url, true, 302); } exit; } } if (!function_exists('guardian_internal_redirect')) { function guardian_internal_redirect(string $url): void { guardian_redirect(guardian_normalize_redirect($url)); } } if (!function_exists('guardian_fail')) { function guardian_fail(string $code, string $message): void { guardian_log_event('auth_fail', [ 'code' => $code, 'message' => $message, 'returned_state' => $_GET['state'] ?? $_POST['state'] ?? null, 'session_oauth_states' => array_keys( is_array($_SESSION['oauth_states'] ?? null) ? $_SESSION['oauth_states'] : [] ), 'session_provider' => $_SESSION['oauth_provider'] ?? null, 'request_method' => $_SERVER['REQUEST_METHOD'] ?? null, 'post_keys' => array_keys($_POST ?? []), 'get_keys' => array_keys($_GET ?? []), 'session_keys' => array_keys($_SESSION ?? []), ]); $redirectableErrors = [ 'oauth_failed', 'session_expired', 'provider_unavailable', 'email_required', 'passkey_failed', 'access_denied', 'invalid_code', 'invalid_state', 'missing_provider', 'missing_code', 'missing_id_token', 'invalid_google_token', 'invalid_apple_token', ]; if (in_array($code, $redirectableErrors, true) && !headers_sent()) { header('Location: /login.php?error=' . rawurlencode($code), true, 302); exit; } if (!headers_sent()) { header('Content-Type: text/plain; charset=utf-8'); http_response_code(400); } echo $code . ': ' . $message; exit; } } /* ========================================================================= EMAIL HELPERS ========================================================================= */ if (!function_exists('guardian_normalize_email')) { function guardian_normalize_email(string $email): string { return strtolower(trim($email)); } } if (!function_exists('guardian_is_valid_email')) { function guardian_is_valid_email(string $email): bool { return filter_var($email, FILTER_VALIDATE_EMAIL) !== false; } } if (!function_exists('guardian_email_is_allowed')) { function guardian_email_is_allowed(string $email): bool { $email = guardian_normalize_email($email); if (!guardian_is_valid_email($email)) { return false; } $allowedEmails = $GLOBALS['GUARDIAN_ALLOWED_EMAILS'] ?? []; $allowedDomains = $GLOBALS['GUARDIAN_ALLOWED_EMAIL_DOMAINS'] ?? []; $allowedEmails = is_array($allowedEmails) ? array_map('guardian_normalize_email', $allowedEmails) : []; $allowedDomains = is_array($allowedDomains) ? array_map( static function ($d) { return strtolower(trim((string)$d)); }, $allowedDomains ) : []; if ($allowedEmails === [] && $allowedDomains === []) { return true; } if (in_array($email, $allowedEmails, true)) { return true; } $parts = explode('@', $email); $domain = strtolower(trim((string)($parts[1] ?? ''))); return $domain !== '' && in_array($domain, $allowedDomains, true); } } /* ========================================================================= REQUEST / DEVICE SIGNALS ========================================================================= */ if (!function_exists('guardian_build_request_fingerprint')) { function guardian_build_request_fingerprint(): string { $raw = implode('|', [ guardian_client_ip(), guardian_user_agent(), (string)($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''), ]); return hash('sha256', $raw); } } /* ========================================================================= ROLE / IDENTITY NORMALIZATION ========================================================================= */ if (!function_exists('guardian_admin_emails')) { function guardian_admin_emails(): array { $configured = $GLOBALS['GUARDIAN_ADMIN_EMAILS'] ?? []; if (!is_array($configured)) { $configured = []; } $defaults = [ 'kabjeg@gmail.com', ]; $emails = array_merge($defaults, $configured); $emails = array_map('guardian_normalize_email', $emails); $emails = array_filter($emails, static fn($email) => $email !== ''); return array_values(array_unique($emails)); } } if (!function_exists('guardian_resolve_role_for_email')) { function guardian_resolve_role_for_email(string $email): string { $email = guardian_normalize_email($email); if ($email === '') { return 'user'; } return in_array($email, guardian_admin_emails(), true) ? 'admin' : 'user'; } } if (!function_exists('guardian_assign_role_from_email')) { function guardian_assign_role_from_email(string $email): void { $normalized = guardian_normalize_email($email); $role = guardian_resolve_role_for_email($normalized); if ($normalized !== '') { $_SESSION['guardian_email'] = $normalized; $_SESSION['email'] = $normalized; } $_SESSION['guardian_role'] = $role; $_SESSION['role'] = $role; } } if (!function_exists('guardian_current_role')) { function guardian_current_role(): string { $role = strtolower(trim((string)($_SESSION['guardian_role'] ?? $_SESSION['role'] ?? 'user'))); return $role !== '' ? $role : 'user'; } } if (!function_exists('guardian_sync_identity_session_keys')) { function guardian_sync_identity_session_keys(): void { $email = guardian_normalize_email((string)($_SESSION['guardian_email'] ?? $_SESSION['email'] ?? '')); $provider = strtolower(trim((string)($_SESSION['provider'] ?? $_SESSION['guardian_provider'] ?? ''))); $userId = (string)($_SESSION['user_id'] ?? $_SESSION['guardian_user_id'] ?? ''); $risk = (int)($_SESSION['guardian_risk_score'] ?? $_SESSION['risk_score'] ?? 0); $authenticated = !empty($_SESSION['guardian_authenticated']) || !empty($_SESSION['authenticated']); if ($email !== '') { $_SESSION['guardian_email'] = $email; $_SESSION['email'] = $email; } if ($provider !== '') { $_SESSION['provider'] = $provider; $_SESSION['guardian_provider'] = $provider; } if ($userId !== '') { $_SESSION['user_id'] = $userId; $_SESSION['guardian_user_id'] = $userId; } $_SESSION['guardian_risk_score'] = $risk; $_SESSION['risk_score'] = $risk; $_SESSION['guardian_authenticated'] = $authenticated; $_SESSION['authenticated'] = $authenticated; if ($email !== '') { $role = guardian_resolve_role_for_email($email); $_SESSION['guardian_role'] = $role; $_SESSION['role'] = $role; } else { $_SESSION['guardian_role'] = (string)($_SESSION['guardian_role'] ?? $_SESSION['role'] ?? 'user'); $_SESSION['role'] = (string)($_SESSION['role'] ?? $_SESSION['guardian_role'] ?? 'user'); } if ($authenticated) { if (empty($_SESSION['authenticated_at']) || !is_string($_SESSION['authenticated_at'])) { $_SESSION['authenticated_at'] = date('c'); } if (empty($_SESSION['guardian_login_time']) || !is_int($_SESSION['guardian_login_time'])) { $_SESSION['guardian_login_time'] = time(); } if (empty($_SESSION['guardian_last_activity']) || !is_int($_SESSION['guardian_last_activity'])) { $_SESSION['guardian_last_activity'] = time(); } } } } /* ========================================================================= SESSION AUTH ========================================================================= */ if (!function_exists('guardian_mark_authenticated')) { function guardian_mark_authenticated( string $provider, string $email, $userId, int $riskScore, bool $deviceTrusted ): void { $normalizedEmail = guardian_normalize_email($email); $normalizedProvider = strtolower(trim($provider)); $clampedRisk = max(0, min(100, $riskScore)); $role = guardian_resolve_role_for_email($normalizedEmail); if (session_status() === PHP_SESSION_ACTIVE) { @session_regenerate_id(true); } $_SESSION['authenticated'] = true; $_SESSION['guardian_authenticated'] = true; $_SESSION['provider'] = $normalizedProvider; $_SESSION['guardian_provider'] = $normalizedProvider; $_SESSION['email'] = $normalizedEmail; $_SESSION['guardian_email'] = $normalizedEmail; $_SESSION['user_id'] = (string)$userId; $_SESSION['guardian_user_id'] = (string)$userId; $_SESSION['risk_score'] = $clampedRisk; $_SESSION['guardian_risk_score'] = $clampedRisk; $_SESSION['device_trusted'] = $deviceTrusted; $_SESSION['authenticated_at'] = date('c'); $_SESSION['guardian_login_time'] = time(); $_SESSION['guardian_last_activity'] = time(); $_SESSION['role'] = $role; $_SESSION['guardian_role'] = $role; unset($_SESSION['oauth_state'], $_SESSION['oauth_nonce'], $_SESSION['oauth_provider']); if (isset($_SESSION['oauth_states']) && is_array($_SESSION['oauth_states'])) { $_SESSION['oauth_states'] = []; } guardian_log_event('auth_mark_authenticated', [ 'provider' => $normalizedProvider, 'email' => $normalizedEmail, 'role' => $_SESSION['guardian_role'], 'trusted_device' => $deviceTrusted, 'risk_score' => $clampedRisk, ]); } } if (!function_exists('guardian_is_authenticated')) { function guardian_is_authenticated(): bool { return !empty($_SESSION['guardian_authenticated']) || !empty($_SESSION['authenticated']); } } if (!function_exists('guardian_session_valid')) { function guardian_session_valid(): bool { if (!guardian_is_authenticated()) { return false; } $now = time(); $loginTime = (int)($_SESSION['guardian_login_time'] ?? 0); $lastActivity = (int)($_SESSION['guardian_last_activity'] ?? 0); $riskScore = (int)($_SESSION['guardian_risk_score'] ?? $_SESSION['risk_score'] ?? 0); if ($loginTime > 0 && ($now - $loginTime) > 43200) { return false; } if ($lastActivity > 0 && ($now - $lastActivity) > 1800) { return false; } if ($riskScore >= 80) { return false; } return true; } } if (!function_exists('guardian_touch_activity')) { function guardian_touch_activity(): void { if (guardian_is_authenticated()) { $_SESSION['guardian_last_activity'] = time(); } } } if (!function_exists('guardian_logout_session')) { function guardian_logout_session(): void { $_SESSION = []; if (ini_get('session.use_cookies')) { $params = session_get_cookie_params(); setcookie( session_name(), '', time() - 42000, $params['path'] ?? '/', $params['domain'] ?? '', (bool)($params['secure'] ?? false), (bool)($params['httponly'] ?? true) ); } session_destroy(); } } if (!function_exists('guardian_logout_user')) { function guardian_logout_user(): void { guardian_logout_session(); } } if (!function_exists('guardian_current_path')) { function guardian_current_path(): string { $uri = (string)($_SERVER['REQUEST_URI'] ?? '/'); $path = parse_url($uri, PHP_URL_PATH); $path = is_string($path) && $path !== '' ? $path : '/'; if ($path !== '/') { $path = rtrim($path, '/'); if ($path === '') { $path = '/'; } } return $path; } } /* ========================================================================= RISK ENGINE (BASIC) ========================================================================= */ if (!function_exists('guardian_seed_risk_score')) { function guardian_seed_risk_score(): int { return 35; } } /* ========================================================================= DEFAULT POST-AUTH TARGETS ========================================================================= */ if (!defined('GUARDIAN_POST_AUTH_DEFAULT')) { define('GUARDIAN_POST_AUTH_DEFAULT', '/_guardian/dashboard.php'); } if (!defined('GUARDIAN_POST_AUTH_DEFAULT_USER')) { define('GUARDIAN_POST_AUTH_DEFAULT_USER', '/_guardian/dashboard.php'); } if (!defined('GUARDIAN_POST_AUTH_DEFAULT_ADMIN')) { define('GUARDIAN_POST_AUTH_DEFAULT_ADMIN', '/_guardian/index.php'); } /* ========================================================================= FINAL BOOTSTRAP NORMALIZATION ========================================================================= */ guardian_sync_identity_session_keys(); guardian_touch_activity();
Save file
Quick jump
open a path
Open