<?php

declare(strict_types=1);

/**
 * Admin login.
 *
 * Replaces the legacy login.php which compared the username to a hardcoded
 * 'admin' and the password to a hardcoded md5 hash. This version:
 *   - reads the username and a bcrypt/argon password hash from the environment,
 *   - verifies with password_verify() and hash_equals() (constant-time),
 *   - protects the form with a CSRF token,
 *   - throttles repeated failures (the counter lives in the session, so it only
 *     slows a client that keeps its session cookie; it is not a substitute for
 *     per-IP rate limiting in front of the app),
 *   - regenerates the session id on success (via Auth::login),
 *   - shows a single generic error (no user enumeration).
 */

use App\Auth;
use App\Request;
use App\Security;

/** @var array<string,mixed> $app */
$app = require __DIR__ . '/../bootstrap.php';

$config = $app['config'];
['admin' => $admin] = $config;

// Output-escaping shorthand used by the template below.
$h = static fn (string $v): string => Security::e($v);

// An already-authenticated admin has no business on the login form.
if (Auth::isAdmin()) {
    header('Location: contents.php', true, 302);
    exit;
}

$now   = time();
$error = '';

// --- Throttle state (kept in the session) --------------------------------
$lockUntil = (int) ($_SESSION['login_lock_until'] ?? 0);
$attempts  = (int) ($_SESSION['login_attempts'] ?? 0);
$locked    = $now < $lockUntil;

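if (Request::isPost()) {
    // Read a POST field as a plain string. Anything else (e.g. `Username[]=x`,
    // which PHP decodes to an array) is treated as absent instead of being
    // cast to the literal "Array" with a warning.
    $postString = static fn (string $key): string => is_string($_POST[$key] ?? null) ? $_POST[$key] : '';

    if ($locked) {
        // NOTE(review): the lock lives in $_SESSION, so it only throttles a
        // client that keeps presenting the same session cookie. A client that
        // starts a fresh session gets a fresh counter (it also needs a fresh
        // CSRF token, i.e. one extra GET per attempt). A store keyed on
        // something the client cannot reset (source address, username) would
        // be needed for real brute-force protection; this file provides none.
        $error = 'Too many attempts. Please try again later.';
    } elseif (!Security::verifyCsrf($postString('csrf_token'))) {
        $error = 'Your session expired. Please try again.';
    } else {
        $username = $postString('Username');
        $password = $postString('Password');
        $hash     = (string) $admin['password_hash'];

        if ($hash === '') {
            // Misconfiguration: no hash set. Never silently allow access.
            \App\Logger::error('Admin login attempted but ADMIN_PASSWORD_HASH is not set');
            $error = 'Login is not configured. Contact the administrator.';
        } else {
            // Both checks always run (no short-circuit) so a wrong username and
            // a wrong password cost the same time. hash_equals() still returns
            // early on a length mismatch, so the configured username's length
            // is observable; only the password hash is treated as secret.
            $userOk = hash_equals((string) $admin['username'], $username);
            $passOk = password_verify($password, $hash);

            if ($userOk && $passOk) {
                // Success: clear throttle state, then elevate the session.
                // Auth::login() is expected to regenerate the session id
                // (see file header) before UID is written.
                unset($_SESSION['login_attempts'], $_SESSION['login_lock_until']);
                Auth::login();
                $_SESSION['UID'] = 'admin';
                header('Location: contents.php', true, 302);
                exit;
            }

            // Failure: count it; lock out once the configured limit is hit.
            // A max_attempts of 0 (or unset) locks on the first failure, i.e.
            // misconfiguration fails closed rather than open.
            $attempts++;
            $_SESSION['login_attempts'] = $attempts;
            if ($attempts >= (int) $admin['max_attempts']) {
                $_SESSION['login_lock_until'] = $now + (int) $admin['lockout_secs'];
                $_SESSION['login_attempts']   = 0;
                // Lockouts are a detection signal in their own right.
                \App\Logger::warning('Admin login locked out', ['attempts' => $attempts]);
            }
            // Submitted username/password are deliberately not logged.
            \App\Logger::warning('Failed admin login', ['attempts' => $attempts]);
            $error = 'Incorrect login credentials!';
        }
    }
}

// Token for the form; requested on every render, including after a failed POST,
// so the next submission can be validated by Security::verifyCsrf().
$csrf = Security::csrfToken();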
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>SlideServe - Admin Console</title>
    <?php /* NOTE(review): third-party stylesheet loaded on the admin login page;
       a dynamically served stylesheet cannot carry an SRI hash, so consider
       self-hosting the fonts if a strict CSP is ever introduced. */ ?>
    <link href="https://fonts.googleapis.com/css?family=Roboto+Mono:400|Roboto:300,400,500,700,900|Material+Icons" rel="stylesheet">
    <link rel="stylesheet" href="assets/css/pages/session/session.v1.min.css">
    <link rel="stylesheet" href="assets/css/main.bundle.min.css">
</head>
<body>
    <div class="page-wrap slate">
        <div class="session-form-hold">
            <div class="card text-center">
                <div class="card-body">
                    <img class="card-img-top signup" src="assets/images/logo-slideserve.png" alt="SlideServe">
                    <span class="text-primary text-18 d-block font-weight-bold"> SlideServe Admin </span>
                    <span class="mb-md text-muted mb-lg d-block">Sign in to SlideServe Site Admin</span>

                    <?php /* $error is one of the fixed server-side messages above and is
                       HTML-escaped via $h regardless. */ ?>
                    <?php if ($error !== ''): ?>
                        <div class="alert alert-danger" role="alert"><?= $h($error) ?></div>
                    <?php endif; ?>

                    <?php /* The `disabled` attributes below are only a UI hint while the
                       session is locked; the POST handler re-checks $locked server-side. */ ?>
                    <form method="post" action="login.php">
                        <?php /* Session-bound CSRF token, verified by Security::verifyCsrf() on POST. */ ?>
                        <input type="hidden" name="csrf_token" value="<?= $h($csrf) ?>">
                        <div class="input-group input-light mb-md">
                            <input type="text" class="form-control" name="Username"
                                   placeholder="Username" autocomplete="username" required
                                   <?= $locked ? 'disabled' : '' ?>>
                        </div>
                        <div class="input-group input-light mb-md">
                            <input type="password" class="form-control" name="Password"
                                   placeholder="Password" autocomplete="current-password" required
                                   <?= $locked ? 'disabled' : '' ?>>
                        </div>
                        <button type="submit" class="btn btn-raised btn-raised-primary btn-block mb-xl"
                                <?= $locked ? 'disabled' : '' ?>>Sign In</button>
                    </form>
                </div>
            </div>
        </div>
    </div>
</body>
</html>
