ES_Sami7777/easystream-main
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync current dev state
Some checks failed
EasyStream Test Suite / test (pull_request) Has been cancelled
Details
EasyStream Test Suite / code-quality (pull_request) Has been cancelled
Details
EasyStream Test Suite / integration-test (pull_request) Has been cancelled
Details

Browse Source
This commit is contained in:
SamiAhmed7777
2025-12-15 17:28:21 -08:00
parent 3bf64b1058
commit f0f346deb9
54 changed files with 11060 additions and 484 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
.claude/settings.local.json Normal file
View File

@@ -0,0 +1,54 @@
{
"permissions": {
"allow": [
"Bash(php -l:*)",
"Bash(test:*)",
"Bash(grep:*)",
"Bash(tr:*)",
"Bash(docker compose logs:*)",
"Bash(docker compose:*)",
"Bash(docker exec:*)",
"Bash(docker volume rm:*)",
"Bash(docker volume:*)",
"Bash(docker inspect:*)",
"Read(//e/docker-progs/easystream-main/**)",
"Bash(curl:*)",
"Bash(docker-compose ps:*)",
"Bash(docker-compose exec:*)",
"Bash(docker-compose logs:*)",
"Bash(find:*)",
"Bash(docker-compose restart:*)",
"Bash(bash:*)",
"Bash(/dev/null)",
"Bash(awk:*)",
"Bash(/tmp/verify_builder_auth.sh)",
"Bash(/tmp/test_builder_status.sh:*)",
"Bash(__NEW_LINE__ sed -i '154a\\ error_log(\"\"Validating table in doInsertUpdate: \"\" . $db_table);' /e/docker-progs/easystream-main/f_core/f_classes/class.database.php)",
"Bash(/tmp/test_builder_with_redirect.sh:*)",
"Bash(__NEW_LINE__ echo \"✓ SUCCESS: Builder UI elements found!\")",
"Bash(__NEW_LINE__ echo \"\")",
"Bash(__NEW_LINE__ echo \"Checking for builder components...\")",
"Bash(__NEW_LINE__ cat /tmp/builder_response.html)",
"Bash(__NEW_LINE__ echo \"File content:\")",
"Bash(__NEW_LINE__ cat /e/docker-progs/easystream-main/templatebuilder_ajax.php)",
"Bash(/tmp/test_e2e_final.sh)",
"Bash(__NEW_LINE__ sleep 1)",
"Bash(__NEW_LINE__ docker-compose logs caddy)",
"Bash(cat:*)",
"Bash(chmod:*)",
"Bash(/e/docker-progs/easystream-main/test_template_crud.sh)",
"Bash(mkdir:*)",
"Bash(robocopy:*)",
"Bash(docker-compose down:*)",
"Bash(docker-compose up:*)",
"Bash(docker-compose:*)",
"Bash(git remote set-url:*)",
"Bash(git add:*)",
"Bash(rm:*)",
"Bash(git push:*)",
"Bash(powershell:*)"
],
"deny": [],
"ask": []
}
}

15
.env
View File

@@ -1,15 +0,0 @@
DB_HOST=db
DB_NAME=easystream
DB_USER=easystream
DB_PASS=easystream
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_DB=0
MAIN_URL=http://localhost:8083
DEBUG=false
API_KEY=change_this_api_key
JWT_SECRET=change_this_jwt_secret
ENCRYPTION_KEY=change_this_encryption_key

3
.gitignore vendored
View File

@@ -21,3 +21,6 @@ vendor/
# IDE
.vscode/
.idea/
.env

133
Caddyfile
View File

@@ -8,50 +8,7 @@
root * /srv/easystream
encode zstd gzip
# PHP files go directly to PHP handler
@php_files path *.php
handle @php_files {
php_fastcgi php:9000 {
try_files {path} /parser.php?{query}
}
}
file_server
# Token System Routes (Direct handling)
@token_purchase path /token_purchase /token-purchase /tokens
rewrite @token_purchase /f_modules/m_frontend/m_donations/token_purchase.php
@token_redemption path /token_redemption /token-redemption
rewrite @token_redemption /f_modules/m_frontend/m_donations/token_redemption.php
# Donation Routes
@donate path /donate /donation
rewrite @donate /f_modules/m_frontend/m_donations/rainforest_donation_form.php
# System Status Route
@health path /health /status
rewrite @health /status.php
# Upload Route (handled by parser)
@upload path /upload
rewrite @upload /parser.php
# Authentication Routes (handled by parser)
@signin path /signin /login
rewrite @signin /parser.php
@signup path /signup /register
rewrite @signup /parser.php
# Admin panel routing
@admin path /admin /admin/*
rewrite @admin /admin.php
# Homepage (handled by parser)
@root path /
rewrite @root /parser.php
# Serve HLS (from SRS volume) under /hls
# Serve HLS (from SRS volume) under /hls (handled before general routing)
handle_path /hls/* {
root * /var/www/hls
header Cache-Control "no-cache"
@@ -59,36 +16,76 @@
file_server
}
# Unified routing: apply rewrites first, then php_fastcgi, then file_server
route {
# Token System Routes (Direct handling)
@token_purchase path /token_purchase /token-purchase /tokens
rewrite @token_purchase /f_modules/m_frontend/m_donations/token_purchase.php
# Preflight at a friendly path
@preflight path /preflight
rewrite @preflight /tests/preflight.php
@token_redemption path /token_redemption /token-redemption
rewrite @token_redemption /f_modules/m_frontend/m_donations/token_redemption.php
# Redirect old "home" to root
@oldhome path_regexp oldhome ^.*/home$
redir @oldhome / 301
# Donation Routes
@donate path /donate /donation
rewrite @donate /f_modules/m_frontend/m_donations/rainforest_donation_form.php
# Previews mapping to actual files
@prev_default path /previews/default.mp4
rewrite @prev_default /f_data/data_userfiles/user_media/default.mp4
# System Status Route
@health path /health /status
rewrite @health /status.php
@prev_stream path_regexp prev_stream ^/previews/s/([^/]+)/([^/]+)\.mp4$
rewrite @prev_stream /f_data/data_userfiles/user_media/{re.prev_stream.1}/s/{re.prev_stream.2}.mp4
# Upload Route (handled by parser)
@upload path /upload
rewrite @upload /parser.php
@prev_video path_regexp prev_video ^/previews/([^/]+)/([^/]+)\.mp4$
rewrite @prev_video /f_data/data_userfiles/user_media/{re.prev_video.1}/v/{re.prev_video.2}.mp4
# Authentication Routes (handled by parser)
@signin path /signin /login
rewrite @signin /parser.php
# Block sensitive source/template/log files
@blocked {
path *.inc *.inc.php *.shtml *.cgi *.pl *.py *.asp *.aspx *.sh *.cin *.tpl *.tplb *.log
@signup path /signup /register
rewrite @signup /parser.php
# Admin panel routing
@admin path /admin /admin/*
rewrite @admin /admin.php
# Homepage (handled by parser)
@root path /
rewrite @root /parser.php
# Preflight at a friendly path
@preflight path /preflight
rewrite @preflight /tests/preflight.php
# Redirect old "home" to root
@oldhome path_regexp oldhome ^.*/home$
redir @oldhome / 301
# Previews mapping to actual files
@prev_default path /previews/default.mp4
rewrite @prev_default /f_data/data_userfiles/user_media/default.mp4
@prev_stream path_regexp prev_stream ^/previews/s/([^/]+)/([^/]+)\.mp4$
rewrite @prev_stream /f_data/data_userfiles/user_media/{re.prev_stream.1}/s/{re.prev_stream.2}.mp4
@prev_video path_regexp prev_video ^/previews/([^/]+)/([^/]+)\.mp4$
rewrite @prev_video /f_data/data_userfiles/user_media/{re.prev_video.1}/v/{re.prev_video.2}.mp4
# Block sensitive source/template/log files
@blocked {
path *.inc *.inc.php *.shtml *.cgi *.pl *.py *.asp *.aspx *.sh *.cin *.tpl *.tplb *.log
}
respond @blocked 403
# Static cache
@static_long {
path *.ico *.pdf *.flv *.gif *.jpg *.jpeg *.png *.svg *.webp *.css *.js *.eot *.woff *.otf *.ttf
}
header @static_long Cache-Control "public, max-age=604800"
# Finally pass to PHP or serve static
php_fastcgi php:9000
file_server
}
respond @blocked 403
# Static cache
@static_long {
path *.ico *.pdf *.flv *.gif *.jpg *.jpeg *.png *.svg *.webp *.css *.js *.eot *.woff *.otf *.ttf
}
header @static_long Cache-Control "public, max-age=604800"
handle_errors {
@notfound expression {http.error.status_code} == 404
@@ -100,4 +97,4 @@
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
}
}
}

71
api/auth.php
View File

@@ -15,17 +15,11 @@
define('_ISVALID', true);
// Include CORS configuration
require_once __DIR__ . '/cors.config.php';
// Set JSON content type
header('Content-Type: application/json');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
// Handle preflight requests
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
http_response_code(200);
exit;
}
require_once '../f_core/config.core.php';
@@ -227,17 +221,70 @@ try {
if ($method !== 'GET') {
sendResponse(['success' => false, 'message' => 'Method not allowed'], 405);
}
$isAuthenticated = $auth->isAuthenticated();
$user = $isAuthenticated ? $auth->getCurrentUser() : null;
sendResponse([
'success' => true,
'authenticated' => $isAuthenticated,
'user' => $user
]);
break;
case 'login_token':
// JWT Token-based login for API clients (no session)
if ($method !== 'POST') {
sendResponse(['success' => false, 'message' => 'Method not allowed'], 405);
}
$data = array_merge($_POST, getJsonInput());
$missing = validateRequired($data, ['identifier', 'password']);
if (!empty($missing)) {
sendResponse([
'success' => false,
'message' => 'Username/email and password are required'
], 400);
}
// Optional: specify token expiry time (in seconds)
$expiryTime = isset($data['expires_in']) ? (int)$data['expires_in'] : null;
$result = $auth->loginWithToken($data['identifier'], $data['password'], $expiryTime);
sendResponse($result, $result['success'] ? 200 : 401);
break;
case 'verify_token':
// Verify a JWT token and return user info
if ($method !== 'POST' && $method !== 'GET') {
sendResponse(['success' => false, 'message' => 'Method not allowed'], 405);
}
// Get token from Authorization header or request body
$user = $auth->authenticateBearer();
if (!$user) {
// Try getting token from request body
$data = array_merge($_POST, getJsonInput());
$token = $data['token'] ?? '';
if ($token) {
$user = $auth->validateJWTToken($token);
}
}
if (!$user) {
sendResponse(['success' => false, 'message' => 'Invalid or expired token'], 401);
}
sendResponse([
'success' => true,
'valid' => true,
'user' => $user
]);
break;
default:
sendResponse(['success' => false, 'message' => 'Invalid action'], 400);
}

552
api/comments.php Normal file
View File

@@ -0,0 +1,552 @@
<?php
/**
* Comments API Endpoint
* Handles all comment-related operations
*
* Supported Actions:
* - GET list: List comments for a video
* - POST create: Create new comment
* - PUT update: Update comment
* - DELETE delete: Delete comment
* - POST like: Like/unlike comment
* - POST report: Report comment
*/
// Include CORS configuration
require_once __DIR__ . '/cors.config.php';
header('Content-Type: application/json');
// Include core configuration
require_once dirname(__FILE__) . '/../f_core/config.core.php';
// Initialize response
$response = ['success' => false, 'data' => null, 'error' => null];
try {
// Get action from query parameter
$action = isset($_GET['action']) ? $_GET['action'] : null;
$method = $_SERVER['REQUEST_METHOD'];
// Get authenticated user (supports both session and JWT)
$userId = null;
// Try JWT authentication first
$authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] :
(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
if ($authHeader && preg_match('/Bearer\s+(.*)$/i', $authHeader, $matches)) {
$token = $matches[1];
$tokenData = VAuth::verifyToken($token);
if ($tokenData && isset($tokenData['user_id'])) {
$userId = $tokenData['user_id'];
}
}
// Fall back to session authentication
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
// Route based on method and action
switch ($method) {
case 'GET':
if (isset($_GET['id'])) {
// Get single comment
handleGetComment($_GET['id'], $userId);
} else {
// List comments
handleListComments($userId);
}
break;
case 'POST':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
switch ($action) {
case 'create':
case null:
handleCreateComment($userId);
break;
case 'like':
handleLikeComment($userId);
break;
case 'report':
handleReportComment($userId);
break;
default:
throw new Exception('Invalid action', 400);
}
break;
case 'PUT':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
handleUpdateComment($userId);
break;
case 'DELETE':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
handleDeleteComment($userId);
break;
default:
throw new Exception('Method not allowed', 405);
}
} catch (Exception $e) {
http_response_code($e->getCode() >= 400 && $e->getCode() < 600 ? $e->getCode() : 500);
$response['error'] = $e->getMessage();
echo json_encode($response);
exit;
}
/**
* List comments for a video
*/
function handleListComments($userId) {
global $class_database, $response;
$fileKey = isset($_GET['file_key']) ? $_GET['file_key'] : null;
if (!$fileKey) {
throw new Exception('file_key parameter is required', 400);
}
$page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min(100, max(1, (int)$_GET['limit'])) : 50;
$offset = ($page - 1) * $limit;
$sort = isset($_GET['sort']) ? $_GET['sort'] : 'recent'; // recent, top, oldest
// Determine sort order
$orderBy = match($sort) {
'top' => 'c.comment_likes DESC, c.comment_date DESC',
'oldest' => 'c.comment_date ASC',
default => 'c.comment_date DESC'
};
// Get total count
$countSql = "SELECT COUNT(*) FROM db_comments WHERE file_key = ? AND parent_id IS NULL";
$total = (int)$class_database->singleFieldValue($countSql, [$fileKey]);
// Get top-level comments (not replies)
$sql = "SELECT c.comment_id, c.usr_id, c.comment_text, c.comment_date,
c.comment_likes, c.parent_id,
u.usr_user, u.usr_dname, u.usr_avatar, u.usr_verified,
(SELECT COUNT(*) FROM db_comments WHERE parent_id = c.comment_id) as reply_count
FROM db_comments c
LEFT JOIN db_users u ON c.usr_id = u.usr_id
WHERE c.file_key = ? AND c.parent_id IS NULL
ORDER BY $orderBy
LIMIT ? OFFSET ?";
$comments = $class_database->execute($sql, [$fileKey, $limit, $offset]);
$commentList = $comments ? $comments->GetArray() : [];
// If user is logged in, check which comments they've liked
if ($userId && !empty($commentList)) {
$commentIds = array_column($commentList, 'comment_id');
$placeholders = implode(',', array_fill(0, count($commentIds), '?'));
$likeSql = "SELECT comment_id FROM db_comment_likes WHERE comment_id IN ($placeholders) AND usr_id = ?";
$likedComments = $class_database->execute($likeSql, array_merge($commentIds, [$userId]));
$likedIds = [];
if ($likedComments) {
while (!$likedComments->EOF) {
$likedIds[] = $likedComments->fields['comment_id'];
$likedComments->MoveNext();
}
}
// Add liked status to comments
foreach ($commentList as &$comment) {
$comment['user_liked'] = in_array($comment['comment_id'], $likedIds);
}
}
$response['success'] = true;
$response['data'] = [
'comments' => $commentList,
'pagination' => [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit)
]
];
echo json_encode($response);
}
/**
* Get single comment with replies
*/
function handleGetComment($commentId, $userId) {
global $class_database, $response;
// Get the comment
$sql = "SELECT c.comment_id, c.usr_id, c.file_key, c.comment_text, c.comment_date,
c.comment_likes, c.parent_id,
u.usr_user, u.usr_dname, u.usr_avatar, u.usr_verified
FROM db_comments c
LEFT JOIN db_users u ON c.usr_id = u.usr_id
WHERE c.comment_id = ?";
$result = $class_database->execute($sql, [$commentId]);
if (!$result || $result->RecordCount() === 0) {
throw new Exception('Comment not found', 404);
}
$comment = $result->fields;
// Get replies
$repliesSql = "SELECT c.comment_id, c.usr_id, c.comment_text, c.comment_date,
c.comment_likes, c.parent_id,
u.usr_user, u.usr_dname, u.usr_avatar, u.usr_verified
FROM db_comments c
LEFT JOIN db_users u ON c.usr_id = u.usr_id
WHERE c.parent_id = ?
ORDER BY c.comment_date ASC";
$replies = $class_database->execute($repliesSql, [$commentId]);
$comment['replies'] = $replies ? $replies->GetArray() : [];
// Check if user liked this comment
if ($userId) {
$likeSql = "SELECT 1 FROM db_comment_likes WHERE comment_id = ? AND usr_id = ?";
$liked = $class_database->execute($likeSql, [$commentId, $userId]);
$comment['user_liked'] = $liked && $liked->RecordCount() > 0;
}
$response['success'] = true;
$response['data'] = $comment;
echo json_encode($response);
}
/**
* Create new comment
*/
function handleCreateComment($userId) {
global $class_database, $response;
// Get JSON input
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
throw new Exception('Invalid JSON input', 400);
}
$fileKey = isset($input['file_key']) ? $input['file_key'] : null;
$commentText = isset($input['comment_text']) ? trim($input['comment_text']) : '';
$parentId = isset($input['parent_id']) ? (int)$input['parent_id'] : null;
// Validate required fields
if (!$fileKey) {
throw new Exception('file_key is required', 400);
}
if (empty($commentText)) {
throw new Exception('Comment text cannot be empty', 400);
}
if (strlen($commentText) > 5000) {
throw new Exception('Comment text too long (max 5000 characters)', 400);
}
// Sanitize comment text
$commentText = VSecurity::sanitize($commentText);
// Check if video exists
$videoCheckSql = "SELECT 1 FROM db_videofiles WHERE file_key = ?";
$videoExists = $class_database->execute($videoCheckSql, [$fileKey]);
if (!$videoExists || $videoExists->RecordCount() === 0) {
throw new Exception('Video not found', 404);
}
// If this is a reply, check if parent comment exists
if ($parentId) {
$parentCheckSql = "SELECT usr_id FROM db_comments WHERE comment_id = ?";
$parentExists = $class_database->execute($parentCheckSql, [$parentId]);
if (!$parentExists || $parentExists->RecordCount() === 0) {
throw new Exception('Parent comment not found', 404);
}
$parentUserId = $parentExists->fields['usr_id'];
}
// Insert comment
$sql = "INSERT INTO db_comments (file_key, usr_id, comment_text, comment_date, parent_id, comment_likes)
VALUES (?, ?, ?, NOW(), ?, 0)";
$result = $class_database->execute($sql, [$fileKey, $userId, $commentText, $parentId]);
if (!$result) {
throw new Exception('Failed to create comment', 500);
}
// Get the inserted comment ID
$commentId = $class_database->Insert_ID();
// If this is a reply, create a notification for the parent comment author
if ($parentId && $parentUserId != $userId) {
$notifSql = "INSERT INTO db_notifications (usr_id, notif_type, notif_from, notif_ref_id, notif_date)
VALUES (?, 'comment_reply', ?, ?, NOW())";
$class_database->execute($notifSql, [$parentUserId, $userId, $commentId]);
}
// Get video owner and create notification
$videoOwnerSql = "SELECT usr_id FROM db_videofiles WHERE file_key = ?";
$videoOwner = $class_database->execute($videoOwnerSql, [$fileKey]);
if ($videoOwner && $videoOwner->fields['usr_id'] != $userId) {
$notifSql = "INSERT INTO db_notifications (usr_id, notif_type, notif_from, notif_ref_id, notif_date)
VALUES (?, 'comment', ?, ?, NOW())";
$class_database->execute($notifSql, [$videoOwner->fields['usr_id'], $userId, $commentId]);
}
// Return the created comment
$getCommentSql = "SELECT c.comment_id, c.usr_id, c.file_key, c.comment_text, c.comment_date,
c.comment_likes, c.parent_id,
u.usr_user, u.usr_dname, u.usr_avatar, u.usr_verified
FROM db_comments c
LEFT JOIN db_users u ON c.usr_id = u.usr_id
WHERE c.comment_id = ?";
$newComment = $class_database->execute($getCommentSql, [$commentId]);
$response['success'] = true;
$response['data'] = $newComment->fields;
echo json_encode($response);
}
/**
* Update comment
*/
function handleUpdateComment($userId) {
global $class_database, $response;
$commentId = isset($_GET['id']) ? (int)$_GET['id'] : null;
if (!$commentId) {
throw new Exception('Comment ID is required', 400);
}
// Verify ownership
$checkSql = "SELECT usr_id FROM db_comments WHERE comment_id = ?";
$checkResult = $class_database->execute($checkSql, [$commentId]);
if (!$checkResult || $checkResult->RecordCount() === 0) {
throw new Exception('Comment not found', 404);
}
if ($checkResult->fields['usr_id'] != $userId) {
throw new Exception('You do not have permission to edit this comment', 403);
}
// Get JSON input
$input = json_decode(file_get_contents('php://input'), true);
if (!$input || !isset($input['comment_text'])) {
throw new Exception('comment_text is required', 400);
}
$commentText = trim($input['comment_text']);
if (empty($commentText)) {
throw new Exception('Comment text cannot be empty', 400);
}
if (strlen($commentText) > 5000) {
throw new Exception('Comment text too long (max 5000 characters)', 400);
}
$commentText = VSecurity::sanitize($commentText);
// Update comment
$sql = "UPDATE db_comments SET comment_text = ?, comment_edited = 1 WHERE comment_id = ?";
$result = $class_database->execute($sql, [$commentText, $commentId]);
if (!$result) {
throw new Exception('Failed to update comment', 500);
}
$response['success'] = true;
$response['data'] = ['message' => 'Comment updated successfully'];
echo json_encode($response);
}
/**
* Delete comment
*/
function handleDeleteComment($userId) {
global $class_database, $response;
$commentId = isset($_GET['id']) ? (int)$_GET['id'] : null;
if (!$commentId) {
throw new Exception('Comment ID is required', 400);
}
// Verify ownership or admin status
$checkSql = "SELECT usr_id FROM db_comments WHERE comment_id = ?";
$checkResult = $class_database->execute($checkSql, [$commentId]);
if (!$checkResult || $checkResult->RecordCount() === 0) {
throw new Exception('Comment not found', 404);
}
// Check if user is the comment owner or has admin role
$isOwner = $checkResult->fields['usr_id'] == $userId;
$isAdmin = VAuth::hasPermission('comments.delete.any');
if (!$isOwner && !$isAdmin) {
throw new Exception('You do not have permission to delete this comment', 403);
}
// Delete comment and its replies
$sql = "DELETE FROM db_comments WHERE comment_id = ? OR parent_id = ?";
$result = $class_database->execute($sql, [$commentId, $commentId]);
if (!$result) {
throw new Exception('Failed to delete comment', 500);
}
$response['success'] = true;
$response['data'] = ['message' => 'Comment deleted successfully'];
echo json_encode($response);
}
/**
* Like/unlike comment
*/
function handleLikeComment($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$commentId = isset($input['comment_id']) ? (int)$input['comment_id'] : null;
if (!$commentId) {
throw new Exception('comment_id is required', 400);
}
// Check if comment exists
$checkSql = "SELECT usr_id FROM db_comments WHERE comment_id = ?";
$commentExists = $class_database->execute($checkSql, [$commentId]);
if (!$commentExists || $commentExists->RecordCount() === 0) {
throw new Exception('Comment not found', 404);
}
$commentOwnerId = $commentExists->fields['usr_id'];
// Check if already liked
$likeSql = "SELECT 1 FROM db_comment_likes WHERE comment_id = ? AND usr_id = ?";
$existing = $class_database->execute($likeSql, [$commentId, $userId]);
if ($existing && $existing->RecordCount() > 0) {
// Remove like
$deleteSql = "DELETE FROM db_comment_likes WHERE comment_id = ? AND usr_id = ?";
$class_database->execute($deleteSql, [$commentId, $userId]);
// Decrement like count
$updateSql = "UPDATE db_comments SET comment_likes = comment_likes - 1 WHERE comment_id = ?";
$class_database->execute($updateSql, [$commentId]);
$action = 'unliked';
} else {
// Add like
$insertSql = "INSERT INTO db_comment_likes (comment_id, usr_id, like_date) VALUES (?, ?, NOW())";
$class_database->execute($insertSql, [$commentId, $userId]);
// Increment like count
$updateSql = "UPDATE db_comments SET comment_likes = comment_likes + 1 WHERE comment_id = ?";
$class_database->execute($updateSql, [$commentId]);
// Create notification for comment owner
if ($commentOwnerId != $userId) {
$notifSql = "INSERT INTO db_notifications (usr_id, notif_type, notif_from, notif_ref_id, notif_date)
VALUES (?, 'comment_like', ?, ?, NOW())";
$class_database->execute($notifSql, [$commentOwnerId, $userId, $commentId]);
}
$action = 'liked';
}
// Get updated like count
$countSql = "SELECT comment_likes FROM db_comments WHERE comment_id = ?";
$countResult = $class_database->execute($countSql, [$commentId]);
$response['success'] = true;
$response['data'] = [
'action' => $action,
'like_count' => $countResult->fields['comment_likes']
];
echo json_encode($response);
}
/**
* Report comment
*/
function handleReportComment($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$commentId = isset($input['comment_id']) ? (int)$input['comment_id'] : null;
$reason = isset($input['reason']) ? VSecurity::sanitize($input['reason']) : '';
if (!$commentId) {
throw new Exception('comment_id is required', 400);
}
if (empty($reason)) {
throw new Exception('Reason is required', 400);
}
// Check if comment exists
$checkSql = "SELECT 1 FROM db_comments WHERE comment_id = ?";
$commentExists = $class_database->execute($checkSql, [$commentId]);
if (!$commentExists || $commentExists->RecordCount() === 0) {
throw new Exception('Comment not found', 404);
}
// Check if already reported by this user
$reportCheckSql = "SELECT 1 FROM db_reports WHERE comment_id = ? AND usr_id = ?";
$existing = $class_database->execute($reportCheckSql, [$commentId, $userId]);
if ($existing && $existing->RecordCount() > 0) {
throw new Exception('You have already reported this comment', 400);
}
// Insert report
$sql = "INSERT INTO db_reports (comment_id, usr_id, report_reason, report_date, report_status)
VALUES (?, ?, ?, NOW(), 'pending')";
$result = $class_database->execute($sql, [$commentId, $userId, $reason]);
if (!$result) {
throw new Exception('Failed to submit report', 500);
}
$response['success'] = true;
$response['data'] = ['message' => 'Comment reported successfully'];
echo json_encode($response);
}

142
api/cors.config.php Normal file
View File

@@ -0,0 +1,142 @@
<?php
/**
* CORS Configuration for EasyStream API
*
* This file handles Cross-Origin Resource Sharing (CORS) headers
* for all API endpoints in a secure and centralized manner.
*/
/**
* Set CORS headers based on environment configuration
*
* @param array $options Optional CORS configuration
*/
function setAPICorsHeaders($options = []) {
// Get allowed origins from environment or use defaults
$allowedOrigins = [];
// Check if we're in development or production
$isDevelopment = (defined('_DEVEL') && _DEVEL === true) ||
(isset($_ENV['APP_ENV']) && $_ENV['APP_ENV'] === 'development');
if ($isDevelopment) {
// Development: Allow localhost and common development ports
$allowedOrigins = [
'http://localhost',
'http://localhost:3000',
'http://localhost:8080',
'http://127.0.0.1',
'http://127.0.0.1:3000',
'http://127.0.0.1:8080',
];
} else {
// Production: Get from environment variable
if (isset($_ENV['CORS_ALLOWED_ORIGINS'])) {
$allowedOrigins = explode(',', $_ENV['CORS_ALLOWED_ORIGINS']);
} elseif (isset($_SERVER['HTTP_HOST'])) {
// Default to same origin
$protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
$allowedOrigins = [$protocol . '://' . $_SERVER['HTTP_HOST']];
}
}
// Get the origin from the request
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
// Check if origin is allowed
$isAllowedOrigin = false;
foreach ($allowedOrigins as $allowedOrigin) {
$allowedOrigin = trim($allowedOrigin);
if ($origin === $allowedOrigin || fnmatch($allowedOrigin, $origin)) {
$isAllowedOrigin = true;
break;
}
}
// Set CORS headers
if ($isAllowedOrigin) {
header('Access-Control-Allow-Origin: ' . $origin);
header('Access-Control-Allow-Credentials: true');
} elseif ($isDevelopment) {
// In development, be more permissive but log it
header('Access-Control-Allow-Origin: *');
error_log('CORS: Allowing all origins in development mode');
}
// Set other CORS headers
$allowedMethods = isset($options['methods'])
? $options['methods']
: 'GET, POST, PUT, DELETE, OPTIONS';
header('Access-Control-Allow-Methods: ' . $allowedMethods);
$allowedHeaders = isset($options['headers'])
? $options['headers']
: 'Content-Type, Authorization, X-Requested-With, X-CSRF-Token';
header('Access-Control-Allow-Headers: ' . $allowedHeaders);
$maxAge = isset($options['max_age']) ? $options['max_age'] : 86400; // 24 hours
header('Access-Control-Max-Age: ' . $maxAge);
// Expose headers that the client can access
$exposedHeaders = isset($options['expose_headers'])
? $options['expose_headers']
: 'Content-Length, X-JSON';
header('Access-Control-Expose-Headers: ' . $exposedHeaders);
}
/**
* Handle preflight OPTIONS request
*
* @return void
*/
function handleCorsPreflightRequest() {
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
setAPICorsHeaders();
http_response_code(200);
exit;
}
}
/**
* Validate origin for sensitive operations
*
* @return bool True if origin is valid, false otherwise
*/
function validateCorsOrigin() {
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
if (empty($origin)) {
return true; // Same-origin requests don't have an Origin header
}
// Get server's own origin
$protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
$serverOrigin = $protocol . '://' . $_SERVER['HTTP_HOST'];
// Check if it's the same origin
if ($origin === $serverOrigin) {
return true;
}
// Check against allowed origins
$isDevelopment = (defined('_DEVEL') && _DEVEL === true) ||
(isset($_ENV['APP_ENV']) && $_ENV['APP_ENV'] === 'development');
if ($isDevelopment) {
// More permissive in development
return strpos($origin, 'localhost') !== false ||
strpos($origin, '127.0.0.1') !== false;
}
// Check environment variable
if (isset($_ENV['CORS_ALLOWED_ORIGINS'])) {
$allowedOrigins = explode(',', $_ENV['CORS_ALLOWED_ORIGINS']);
return in_array($origin, array_map('trim', $allowedOrigins));
}
return false;
}
// Automatically set CORS headers and handle preflight when this file is included
setAPICorsHeaders();
handleCorsPreflightRequest();

368
api/subscriptions.php Normal file
View File

@@ -0,0 +1,368 @@
<?php
/**
* Subscriptions API Endpoint
* Handles subscription-related operations
*
* Supported Actions:
* - GET list: Get user's subscriptions or subscribers
* - POST subscribe: Subscribe to a channel
* - DELETE unsubscribe: Unsubscribe from a channel
* - GET feed: Get activity feed from subscribed channels
*/
// Include CORS configuration
require_once __DIR__ . '/cors.config.php';
header('Content-Type: application/json');
// Include core configuration
require_once dirname(__FILE__) . '/../f_core/config.core.php';
// Initialize response
$response = ['success' => false, 'data' => null, 'error' => null];
try {
// Get action from query parameter
$action = isset($_GET['action']) ? $_GET['action'] : null;
$method = $_SERVER['REQUEST_METHOD'];
// Get authenticated user (supports both session and JWT)
$userId = null;
// Try JWT authentication first
$authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] :
(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
if ($authHeader && preg_match('/Bearer\s+(.*)$/i', $authHeader, $matches)) {
$token = $matches[1];
$tokenData = VAuth::verifyToken($token);
if ($tokenData && isset($tokenData['user_id'])) {
$userId = $tokenData['user_id'];
}
}
// Fall back to session authentication
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
if (!$userId) {
throw new Exception('Authentication required', 401);
}
// Route based on method and action
switch ($method) {
case 'GET':
switch ($action) {
case 'list':
case 'subscriptions':
case null:
handleGetSubscriptions($userId);
break;
case 'subscribers':
handleGetSubscribers($userId);
break;
case 'feed':
handleGetFeed($userId);
break;
case 'check':
handleCheckSubscription($userId);
break;
default:
throw new Exception('Invalid action', 400);
}
break;
case 'POST':
handleSubscribe($userId);
break;
case 'DELETE':
handleUnsubscribe($userId);
break;
default:
throw new Exception('Method not allowed', 405);
}
} catch (Exception $e) {
http_response_code($e->getCode() >= 400 && $e->getCode() < 600 ? $e->getCode() : 500);
$response['error'] = $e->getMessage();
echo json_encode($response);
exit;
}
/**
* Get user's subscriptions
*/
function handleGetSubscriptions($userId) {
global $class_database, $response;
$sql = "SELECT u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar,
u.usr_verified, u.usr_partner,
s.sub_date,
(SELECT COUNT(*) FROM db_videofiles WHERE usr_id = u.usr_id AND approved = 1 AND privacy = 'public') as video_count,
(SELECT COUNT(*) FROM db_subscriptions WHERE channel_id = u.usr_id) as subscriber_count,
(SELECT MAX(upload_date) FROM db_videofiles WHERE usr_id = u.usr_id AND approved = 1) as last_upload
FROM db_subscriptions s
LEFT JOIN db_users u ON s.channel_id = u.usr_id
WHERE s.usr_id = ?
ORDER BY s.sub_date DESC";
$result = $class_database->execute($sql, [$userId]);
$subscriptions = $result ? $result->GetArray() : [];
$response['success'] = true;
$response['data'] = [
'subscriptions' => $subscriptions,
'total' => count($subscriptions)
];
echo json_encode($response);
}
/**
* Get subscribers for a channel
*/
function handleGetSubscribers($userId) {
global $class_database, $response;
$channelId = isset($_GET['channel_id']) ? (int)$_GET['channel_id'] : $userId;
$page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min(100, max(1, (int)$_GET['limit'])) : 50;
$offset = ($page - 1) * $limit;
// Get total count
$countSql = "SELECT COUNT(*) FROM db_subscriptions WHERE channel_id = ?";
$total = (int)$class_database->singleFieldValue($countSql, [$channelId]);
// Get subscribers
$sql = "SELECT u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar,
u.usr_verified, s.sub_date
FROM db_subscriptions s
LEFT JOIN db_users u ON s.usr_id = u.usr_id
WHERE s.channel_id = ?
ORDER BY s.sub_date DESC
LIMIT ? OFFSET ?";
$result = $class_database->execute($sql, [$channelId, $limit, $offset]);
$response['success'] = true;
$response['data'] = [
'subscribers' => $result ? $result->GetArray() : [],
'pagination' => [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit)
]
];
echo json_encode($response);
}
/**
* Get activity feed from subscribed channels
*/
function handleGetFeed($userId) {
global $class_database, $response;
$page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min(100, max(1, (int)$_GET['limit'])) : 20;
$offset = ($page - 1) * $limit;
// Get videos from subscribed channels
$sql = "SELECT v.file_key, v.file_title, v.file_description, v.file_duration,
v.file_views, v.upload_date, v.thumbnail, v.featured,
u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar, u.usr_verified,
(SELECT COUNT(*) FROM db_likes WHERE file_key = v.file_key AND like_type = 'like') as like_count,
(SELECT COUNT(*) FROM db_comments WHERE file_key = v.file_key) as comment_count
FROM db_videofiles v
LEFT JOIN db_users u ON v.usr_id = u.usr_id
INNER JOIN db_subscriptions s ON s.channel_id = v.usr_id
WHERE s.usr_id = ? AND v.approved = 1 AND v.privacy = 'public'
ORDER BY v.upload_date DESC
LIMIT ? OFFSET ?";
$result = $class_database->execute($sql, [$userId, $limit, $offset]);
// Get total count
$countSql = "SELECT COUNT(*)
FROM db_videofiles v
INNER JOIN db_subscriptions s ON s.channel_id = v.usr_id
WHERE s.usr_id = ? AND v.approved = 1 AND v.privacy = 'public'";
$total = (int)$class_database->singleFieldValue($countSql, [$userId]);
$response['success'] = true;
$response['data'] = [
'videos' => $result ? $result->GetArray() : [],
'pagination' => [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit)
]
];
echo json_encode($response);
}
/**
* Check if subscribed to a channel
*/
function handleCheckSubscription($userId) {
global $class_database, $response;
$channelId = isset($_GET['channel_id']) ? (int)$_GET['channel_id'] : null;
if (!$channelId) {
throw new Exception('channel_id is required', 400);
}
$sql = "SELECT sub_date FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$result = $class_database->execute($sql, [$userId, $channelId]);
$isSubscribed = $result && $result->RecordCount() > 0;
$subDate = $isSubscribed ? $result->fields['sub_date'] : null;
$response['success'] = true;
$response['data'] = [
'is_subscribed' => $isSubscribed,
'subscribed_since' => $subDate
];
echo json_encode($response);
}
/**
* Subscribe to a channel
*/
function handleSubscribe($userId) {
global $class_database, $response;
// Get JSON input or form data
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
$input = $_POST;
}
$channelId = isset($input['channel_id']) ? (int)$input['channel_id'] : null;
if (!$channelId) {
throw new Exception('channel_id is required', 400);
}
if ($channelId == $userId) {
throw new Exception('Cannot subscribe to yourself', 400);
}
// Check if channel exists
$channelCheckSql = "SELECT usr_user FROM db_users WHERE usr_id = ?";
$channelExists = $class_database->execute($channelCheckSql, [$channelId]);
if (!$channelExists || $channelExists->RecordCount() === 0) {
throw new Exception('Channel not found', 404);
}
// Check if already subscribed
$checkSql = "SELECT 1 FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$existing = $class_database->execute($checkSql, [$userId, $channelId]);
if ($existing && $existing->RecordCount() > 0) {
throw new Exception('Already subscribed to this channel', 400);
}
// Add subscription
$sql = "INSERT INTO db_subscriptions (usr_id, channel_id, sub_date) VALUES (?, ?, NOW())";
$result = $class_database->execute($sql, [$userId, $channelId]);
if (!$result) {
throw new Exception('Failed to subscribe', 500);
}
// Create notification for channel owner
$notifSql = "INSERT INTO db_notifications (usr_id, notif_type, notif_from, notif_date)
VALUES (?, 'subscription', ?, NOW())";
$class_database->execute($notifSql, [$channelId, $userId]);
// Get updated subscriber count
$countSql = "SELECT COUNT(*) as count FROM db_subscriptions WHERE channel_id = ?";
$countResult = $class_database->execute($countSql, [$channelId]);
$subscriberCount = $countResult->fields['count'];
// Log the subscription
VLogger::log('info', 'User subscribed to channel', [
'user_id' => $userId,
'channel_id' => $channelId
]);
$response['success'] = true;
$response['data'] = [
'message' => 'Subscribed successfully',
'channel_name' => $channelExists->fields['usr_user'],
'subscriber_count' => $subscriberCount
];
echo json_encode($response);
}
/**
* Unsubscribe from a channel
*/
function handleUnsubscribe($userId) {
global $class_database, $response;
// Get channel ID from query string or JSON body
$channelId = isset($_GET['channel_id']) ? (int)$_GET['channel_id'] : null;
if (!$channelId) {
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
$input = $_POST;
}
$channelId = isset($input['channel_id']) ? (int)$input['channel_id'] : null;
}
if (!$channelId) {
throw new Exception('channel_id is required', 400);
}
// Check if subscribed
$checkSql = "SELECT 1 FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$existing = $class_database->execute($checkSql, [$userId, $channelId]);
if (!$existing || $existing->RecordCount() === 0) {
throw new Exception('Not subscribed to this channel', 400);
}
// Remove subscription
$sql = "DELETE FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$result = $class_database->execute($sql, [$userId, $channelId]);
if (!$result) {
throw new Exception('Failed to unsubscribe', 500);
}
// Get updated subscriber count
$countSql = "SELECT COUNT(*) as count FROM db_subscriptions WHERE channel_id = ?";
$countResult = $class_database->execute($countSql, [$channelId]);
$subscriberCount = $countResult->fields['count'];
// Log the unsubscription
VLogger::log('info', 'User unsubscribed from channel', [
'user_id' => $userId,
'channel_id' => $channelId
]);
$response['success'] = true;
$response['data'] = [
'message' => 'Unsubscribed successfully',
'subscriber_count' => $subscriberCount
];
echo json_encode($response);
}

581
api/user.php Normal file
View File

@@ -0,0 +1,581 @@
<?php
/**
* User API Endpoint
* Handles user profile and account operations
*
* Supported Actions:
* - GET profile: Get user profile
* - PUT update: Update user profile
* - POST avatar: Upload avatar
* - GET stats: Get user statistics
* - GET videos: Get user's videos
*/
// Include CORS configuration
require_once __DIR__ . '/cors.config.php';
header('Content-Type: application/json');
// Include core configuration
require_once dirname(__FILE__) . '/../f_core/config.core.php';
// Initialize response
$response = ['success' => false, 'data' => null, 'error' => null];
try {
// Get action from query parameter
$action = isset($_GET['action']) ? $_GET['action'] : 'profile';
$method = $_SERVER['REQUEST_METHOD'];
// Get authenticated user (supports both session and JWT)
$userId = null;
// Try JWT authentication first
$authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] :
(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
if ($authHeader && preg_match('/Bearer\s+(.*)$/i', $authHeader, $matches)) {
$token = $matches[1];
$tokenData = VAuth::verifyToken($token);
if ($tokenData && isset($tokenData['user_id'])) {
$userId = $tokenData['user_id'];
}
}
// Fall back to session authentication
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
// Route based on method and action
switch ($method) {
case 'GET':
switch ($action) {
case 'profile':
case 'me':
handleGetProfile($userId);
break;
case 'stats':
handleGetStats($userId);
break;
case 'videos':
handleGetUserVideos($userId);
break;
case 'subscriptions':
handleGetSubscriptions($userId);
break;
case 'subscribers':
handleGetSubscribers($userId);
break;
default:
// Get another user's public profile
$targetUserId = isset($_GET['id']) ? (int)$_GET['id'] : null;
if ($targetUserId) {
handleGetPublicProfile($targetUserId, $userId);
} else {
handleGetProfile($userId);
}
}
break;
case 'POST':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
switch ($action) {
case 'avatar':
handleUploadAvatar($userId);
break;
case 'subscribe':
handleSubscribe($userId);
break;
case 'unsubscribe':
handleUnsubscribe($userId);
break;
default:
throw new Exception('Invalid action', 400);
}
break;
case 'PUT':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
handleUpdateProfile($userId);
break;
case 'DELETE':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
handleDeleteAccount($userId);
break;
default:
throw new Exception('Method not allowed', 405);
}
} catch (Exception $e) {
http_response_code($e->getCode() >= 400 && $e->getCode() < 600 ? $e->getCode() : 500);
$response['error'] = $e->getMessage();
echo json_encode($response);
exit;
}
/**
* Get current user's profile
*/
function handleGetProfile($userId) {
global $class_database, $response;
if (!$userId) {
throw new Exception('Authentication required', 401);
}
$sql = "SELECT usr_id, usr_user, usr_dname, usr_email, usr_fname, usr_lname,
usr_avatar, usr_about, usr_website, usr_location,
usr_verified, usr_partner, usr_affiliate,
usr_joined, usr_lastlogin, usr_profile_privacy
FROM db_users
WHERE usr_id = ?";
$result = $class_database->execute($sql, [$userId]);
if (!$result || $result->RecordCount() === 0) {
throw new Exception('User not found', 404);
}
$user = $result->fields;
// Get user stats
$statsSql = "SELECT
(SELECT COUNT(*) FROM db_videofiles WHERE usr_id = ? AND approved = 1) as video_count,
(SELECT COUNT(*) FROM db_subscriptions WHERE channel_id = ?) as subscriber_count,
(SELECT COUNT(*) FROM db_subscriptions WHERE usr_id = ?) as subscription_count,
(SELECT SUM(file_views) FROM db_videofiles WHERE usr_id = ?) as total_views
FROM dual";
$stats = $class_database->execute($statsSql, [$userId, $userId, $userId, $userId]);
if ($stats && $stats->RecordCount() > 0) {
$user['stats'] = [
'videos' => (int)$stats->fields['video_count'],
'subscribers' => (int)$stats->fields['subscriber_count'],
'subscriptions' => (int)$stats->fields['subscription_count'],
'views' => (int)$stats->fields['total_views']
];
}
// Get preferences if they exist
$prefSql = "SELECT * FROM db_user_preferences WHERE usr_id = ?";
$prefs = $class_database->execute($prefSql, [$userId]);
if ($prefs && $prefs->RecordCount() > 0) {
$user['preferences'] = $prefs->fields;
}
$response['success'] = true;
$response['data'] = $user;
echo json_encode($response);
}
/**
* Get another user's public profile
*/
function handleGetPublicProfile($targetUserId, $currentUserId) {
global $class_database, $response;
$sql = "SELECT usr_id, usr_user, usr_dname, usr_avatar, usr_about,
usr_website, usr_location, usr_verified, usr_partner,
usr_joined, usr_profile_privacy
FROM db_users
WHERE usr_id = ?";
$result = $class_database->execute($sql, [$targetUserId]);
if (!$result || $result->RecordCount() === 0) {
throw new Exception('User not found', 404);
}
$user = $result->fields;
// Check privacy settings
if ($user['usr_profile_privacy'] === 'private' && $targetUserId != $currentUserId) {
throw new Exception('This profile is private', 403);
}
// Get public stats
$statsSql = "SELECT
(SELECT COUNT(*) FROM db_videofiles WHERE usr_id = ? AND approved = 1 AND privacy = 'public') as video_count,
(SELECT COUNT(*) FROM db_subscriptions WHERE channel_id = ?) as subscriber_count,
(SELECT SUM(file_views) FROM db_videofiles WHERE usr_id = ? AND approved = 1) as total_views
FROM dual";
$stats = $class_database->execute($statsSql, [$targetUserId, $targetUserId, $targetUserId]);
if ($stats && $stats->RecordCount() > 0) {
$user['stats'] = [
'videos' => (int)$stats->fields['video_count'],
'subscribers' => (int)$stats->fields['subscriber_count'],
'views' => (int)$stats->fields['total_views']
];
}
// Check if current user is subscribed
if ($currentUserId) {
$subSql = "SELECT 1 FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$subResult = $class_database->execute($subSql, [$currentUserId, $targetUserId]);
$user['is_subscribed'] = $subResult && $subResult->RecordCount() > 0;
}
$response['success'] = true;
$response['data'] = $user;
echo json_encode($response);
}
/**
* Update user profile
*/
function handleUpdateProfile($userId) {
global $class_database, $response;
// Get JSON input
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
throw new Exception('Invalid JSON input', 400);
}
// Build update query dynamically
$updates = [];
$params = [];
$allowedFields = [
'usr_dname', 'usr_fname', 'usr_lname', 'usr_about',
'usr_website', 'usr_location', 'usr_profile_privacy'
];
foreach ($allowedFields as $field) {
if (isset($input[$field])) {
$updates[] = "$field = ?";
$params[] = VSecurity::sanitize($input[$field]);
}
}
if (empty($updates)) {
throw new Exception('No fields to update', 400);
}
$params[] = $userId;
$sql = "UPDATE db_users SET " . implode(', ', $updates) . " WHERE usr_id = ?";
$result = $class_database->execute($sql, $params);
if (!$result) {
throw new Exception('Failed to update profile', 500);
}
// Log the update
VLogger::log('info', 'Profile updated', ['user_id' => $userId, 'fields' => array_keys($input)]);
$response['success'] = true;
$response['data'] = ['message' => 'Profile updated successfully'];
echo json_encode($response);
}
/**
* Upload avatar
*/
function handleUploadAvatar($userId) {
global $class_database, $response;
if (!isset($_FILES['avatar']) || $_FILES['avatar']['error'] !== UPLOAD_ERR_OK) {
throw new Exception('No file uploaded or upload error occurred', 400);
}
$file = $_FILES['avatar'];
// Validate file type
$allowedTypes = ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $file['tmp_name']);
finfo_close($finfo);
if (!in_array($mimeType, $allowedTypes)) {
throw new Exception('Invalid file type. Only JPG, PNG, and GIF are allowed', 400);
}
// Validate file size (max 5MB)
if ($file['size'] > 5 * 1024 * 1024) {
throw new Exception('File too large. Maximum size is 5MB', 400);
}
// Create upload directory if it doesn't exist
$uploadDir = dirname(__FILE__) . '/../f_data/data_userfiles/user_profile/' . $userId . '/';
if (!is_dir($uploadDir)) {
mkdir($uploadDir, 0755, true);
}
// Generate unique filename
$extension = pathinfo($file['name'], PATHINFO_EXTENSION);
$filename = 'avatar_' . time() . '.' . $extension;
$targetPath = $uploadDir . $filename;
// Move uploaded file
if (!move_uploaded_file($file['tmp_name'], $targetPath)) {
throw new Exception('Failed to save uploaded file', 500);
}
// Update user avatar in database
$avatarUrl = '/f_data/data_userfiles/user_profile/' . $userId . '/' . $filename;
$sql = "UPDATE db_users SET usr_avatar = ? WHERE usr_id = ?";
$result = $class_database->execute($sql, [$avatarUrl, $userId]);
if (!$result) {
throw new Exception('Failed to update avatar in database', 500);
}
$response['success'] = true;
$response['data'] = [
'message' => 'Avatar uploaded successfully',
'avatar_url' => $avatarUrl
];
echo json_encode($response);
}
/**
* Get user statistics
*/
function handleGetStats($userId) {
global $class_database, $response;
if (!$userId) {
throw new Exception('Authentication required', 401);
}
$sql = "SELECT
(SELECT COUNT(*) FROM db_videofiles WHERE usr_id = ? AND approved = 1) as total_videos,
(SELECT COUNT(*) FROM db_videofiles WHERE usr_id = ? AND upload_date >= DATE_SUB(NOW(), INTERVAL 30 DAY)) as videos_last_30_days,
(SELECT SUM(file_views) FROM db_videofiles WHERE usr_id = ?) as total_views,
(SELECT COUNT(*) FROM db_subscriptions WHERE channel_id = ?) as total_subscribers,
(SELECT COUNT(*) FROM db_subscriptions WHERE usr_id = ?) as total_subscriptions,
(SELECT COUNT(*) FROM db_comments WHERE usr_id = ?) as total_comments,
(SELECT COUNT(*) FROM db_likes WHERE usr_id = ?) as total_likes_given
FROM dual";
$result = $class_database->execute($sql, [$userId, $userId, $userId, $userId, $userId, $userId, $userId]);
if (!$result || $result->RecordCount() === 0) {
throw new Exception('Failed to fetch statistics', 500);
}
$response['success'] = true;
$response['data'] = $result->fields;
echo json_encode($response);
}
/**
* Get user's videos
*/
function handleGetUserVideos($userId) {
global $class_database, $response;
$targetUserId = isset($_GET['id']) ? (int)$_GET['id'] : $userId;
if (!$targetUserId) {
throw new Exception('User ID required', 400);
}
$page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min(100, max(1, (int)$_GET['limit'])) : 20;
$offset = ($page - 1) * $limit;
// Privacy filter
$privacyWhere = ($targetUserId == $userId) ? "" : "AND privacy = 'public'";
// Get total count
$countSql = "SELECT COUNT(*) FROM db_videofiles WHERE usr_id = ? AND approved = 1 $privacyWhere";
$total = (int)$class_database->singleFieldValue($countSql, [$targetUserId]);
// Get videos
$sql = "SELECT file_key, file_title, file_description, file_duration,
file_views, privacy, upload_date, thumbnail, featured,
(SELECT COUNT(*) FROM db_likes WHERE file_key = db_videofiles.file_key AND like_type = 'like') as like_count,
(SELECT COUNT(*) FROM db_comments WHERE file_key = db_videofiles.file_key) as comment_count
FROM db_videofiles
WHERE usr_id = ? AND approved = 1 $privacyWhere
ORDER BY upload_date DESC
LIMIT ? OFFSET ?";
$videos = $class_database->execute($sql, [$targetUserId, $limit, $offset]);
$response['success'] = true;
$response['data'] = [
'videos' => $videos ? $videos->GetArray() : [],
'pagination' => [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit)
]
];
echo json_encode($response);
}
/**
* Get user's subscriptions
*/
function handleGetSubscriptions($userId) {
global $class_database, $response;
if (!$userId) {
throw new Exception('Authentication required', 401);
}
$sql = "SELECT u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar,
s.sub_date,
(SELECT COUNT(*) FROM db_videofiles WHERE usr_id = u.usr_id AND approved = 1) as video_count
FROM db_subscriptions s
LEFT JOIN db_users u ON s.channel_id = u.usr_id
WHERE s.usr_id = ?
ORDER BY s.sub_date DESC";
$result = $class_database->execute($sql, [$userId]);
$response['success'] = true;
$response['data'] = $result ? $result->GetArray() : [];
echo json_encode($response);
}
/**
* Get user's subscribers
*/
function handleGetSubscribers($userId) {
global $class_database, $response;
$targetUserId = isset($_GET['id']) ? (int)$_GET['id'] : $userId;
if (!$targetUserId) {
throw new Exception('User ID required', 400);
}
$sql = "SELECT u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar, s.sub_date
FROM db_subscriptions s
LEFT JOIN db_users u ON s.usr_id = u.usr_id
WHERE s.channel_id = ?
ORDER BY s.sub_date DESC";
$result = $class_database->execute($sql, [$targetUserId]);
$response['success'] = true;
$response['data'] = $result ? $result->GetArray() : [];
echo json_encode($response);
}
/**
* Subscribe to a channel
*/
function handleSubscribe($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$channelId = isset($input['channel_id']) ? (int)$input['channel_id'] : null;
if (!$channelId) {
throw new Exception('Channel ID is required', 400);
}
if ($channelId == $userId) {
throw new Exception('Cannot subscribe to yourself', 400);
}
// Check if already subscribed
$checkSql = "SELECT 1 FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$existing = $class_database->execute($checkSql, [$userId, $channelId]);
if ($existing && $existing->RecordCount() > 0) {
throw new Exception('Already subscribed', 400);
}
// Add subscription
$sql = "INSERT INTO db_subscriptions (usr_id, channel_id, sub_date) VALUES (?, ?, NOW())";
$result = $class_database->execute($sql, [$userId, $channelId]);
if (!$result) {
throw new Exception('Failed to subscribe', 500);
}
// Create notification for channel owner
$notifSql = "INSERT INTO db_notifications (usr_id, notif_type, notif_from, notif_date)
VALUES (?, 'subscription', ?, NOW())";
$class_database->execute($notifSql, [$channelId, $userId]);
$response['success'] = true;
$response['data'] = ['message' => 'Subscribed successfully'];
echo json_encode($response);
}
/**
* Unsubscribe from a channel
*/
function handleUnsubscribe($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$channelId = isset($input['channel_id']) ? (int)$input['channel_id'] : null;
if (!$channelId) {
throw new Exception('Channel ID is required', 400);
}
// Remove subscription
$sql = "DELETE FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$result = $class_database->execute($sql, [$userId, $channelId]);
if (!$result) {
throw new Exception('Failed to unsubscribe', 500);
}
$response['success'] = true;
$response['data'] = ['message' => 'Unsubscribed successfully'];
echo json_encode($response);
}
/**
* Delete user account
*/
function handleDeleteAccount($userId) {
global $class_database, $response;
// This is a destructive operation, so we'll just mark the account as deleted
// rather than actually deleting it
$sql = "UPDATE db_users SET usr_status = 'deleted', usr_email = CONCAT('deleted_', usr_id, '@deleted.com')
WHERE usr_id = ?";
$result = $class_database->execute($sql, [$userId]);
if (!$result) {
throw new Exception('Failed to delete account', 500);
}
// Log out the user
VAuth::logout();
$response['success'] = true;
$response['data'] = ['message' => 'Account deleted successfully'];
echo json_encode($response);
}

582
api/videos.php Normal file
View File

@@ -0,0 +1,582 @@
<?php
/**
* Videos API Endpoint
* Handles all video-related operations
*
* Supported Actions:
* - GET list: List videos with pagination and filters
* - GET single: Get single video details
* - POST create: Create/upload new video
* - PUT update: Update video details
* - DELETE delete: Delete video
* - POST like: Like/unlike video
* - POST view: Increment view count
*/
// Include CORS configuration
require_once __DIR__ . '/cors.config.php';
header('Content-Type: application/json');
// Include core configuration
require_once dirname(__FILE__) . '/../f_core/config.core.php';
// Initialize response
$response = ['success' => false, 'data' => null, 'error' => null];
try {
// Get action from query parameter
$action = isset($_GET['action']) ? $_GET['action'] : null;
$method = $_SERVER['REQUEST_METHOD'];
// Get authenticated user (supports both session and JWT)
$userId = null;
// Try JWT authentication first
$authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] :
(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
if ($authHeader && preg_match('/Bearer\s+(.*)$/i', $authHeader, $matches)) {
$token = $matches[1];
$tokenData = VAuth::verifyToken($token);
if ($tokenData && isset($tokenData['user_id'])) {
$userId = $tokenData['user_id'];
}
}
// Fall back to session authentication
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
// Route based on method and action
switch ($method) {
case 'GET':
if (isset($_GET['id'])) {
// Get single video
handleGetVideo($_GET['id'], $userId);
} elseif ($action === 'search') {
// Search videos
handleSearchVideos($userId);
} else {
// List videos
handleListVideos($userId);
}
break;
case 'POST':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
switch ($action) {
case 'create':
case 'upload':
handleCreateVideo($userId);
break;
case 'like':
handleLikeVideo($userId);
break;
case 'view':
handleIncrementView($userId);
break;
case 'watch_later':
handleWatchLater($userId);
break;
default:
throw new Exception('Invalid action', 400);
}
break;
case 'PUT':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
handleUpdateVideo($userId);
break;
case 'DELETE':
if (!$userId) {
throw new Exception('Authentication required', 401);
}
handleDeleteVideo($userId);
break;
default:
throw new Exception('Method not allowed', 405);
}
} catch (Exception $e) {
http_response_code($e->getCode() >= 400 && $e->getCode() < 600 ? $e->getCode() : 500);
$response['error'] = $e->getMessage();
echo json_encode($response);
exit;
}
/**
* List videos with pagination and filters
*/
function handleListVideos($userId) {
global $class_database, $response;
// Get pagination parameters
$page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min(100, max(1, (int)$_GET['limit'])) : 20;
$offset = ($page - 1) * $limit;
// Get filter parameters
$category = isset($_GET['category']) ? VSecurity::sanitize($_GET['category']) : null;
$sort = isset($_GET['sort']) ? $_GET['sort'] : 'recent';
$channelId = isset($_GET['channel_id']) ? (int)$_GET['channel_id'] : null;
// Build WHERE clause
$where = ["v.approved = 1"];
$params = [];
if ($category) {
$where[] = "v.file_category = ?";
$params[] = $category;
}
if ($channelId) {
$where[] = "v.usr_id = ?";
$params[] = $channelId;
}
// Add privacy filter (only show public videos unless it's the owner)
if ($userId) {
$where[] = "(v.privacy = 'public' OR v.usr_id = ?)";
$params[] = $userId;
} else {
$where[] = "v.privacy = 'public'";
}
$whereClause = implode(' AND ', $where);
// Build ORDER BY clause
$orderBy = match($sort) {
'popular' => 'v.file_views DESC',
'featured' => 'v.featured DESC, v.file_views DESC',
'recent' => 'v.upload_date DESC',
'oldest' => 'v.upload_date ASC',
'title' => 'v.file_title ASC',
default => 'v.upload_date DESC'
};
// Get total count
$countSql = "SELECT COUNT(*) FROM db_videofiles v WHERE $whereClause";
$total = (int)$class_database->singleFieldValue($countSql, $params);
// Get videos
$sql = "SELECT v.file_key, v.file_title, v.file_description, v.file_name,
v.file_duration, v.file_views, v.privacy, v.upload_date,
v.thumbnail, v.featured, v.file_category,
u.usr_id, u.usr_user, u.usr_dname,
(SELECT COUNT(*) FROM db_likes WHERE file_key = v.file_key AND like_type = 'like') as like_count,
(SELECT COUNT(*) FROM db_comments WHERE file_key = v.file_key) as comment_count
FROM db_videofiles v
LEFT JOIN db_users u ON v.usr_id = u.usr_id
WHERE $whereClause
ORDER BY $orderBy
LIMIT ? OFFSET ?";
$params[] = $limit;
$params[] = $offset;
$videos = $class_database->execute($sql, $params);
// Format response
$response['success'] = true;
$response['data'] = [
'videos' => $videos ? $videos->GetArray() : [],
'pagination' => [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit)
]
];
echo json_encode($response);
}
/**
* Get single video details
*/
function handleGetVideo($fileKey, $userId) {
global $class_database, $response;
$sql = "SELECT v.*,
u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar,
(SELECT COUNT(*) FROM db_likes WHERE file_key = v.file_key AND like_type = 'like') as like_count,
(SELECT COUNT(*) FROM db_likes WHERE file_key = v.file_key AND like_type = 'dislike') as dislike_count,
(SELECT COUNT(*) FROM db_comments WHERE file_key = v.file_key) as comment_count,
(SELECT COUNT(*) FROM db_subscriptions WHERE channel_id = v.usr_id) as subscriber_count
FROM db_videofiles v
LEFT JOIN db_users u ON v.usr_id = u.usr_id
WHERE v.file_key = ?";
$result = $class_database->execute($sql, [$fileKey]);
if (!$result || $result->RecordCount() === 0) {
throw new Exception('Video not found', 404);
}
$video = $result->fields;
// Check privacy
if ($video['privacy'] !== 'public' && (!$userId || $userId != $video['usr_id'])) {
throw new Exception('Video not available', 403);
}
// Check if user liked/disliked
if ($userId) {
$likeSql = "SELECT like_type FROM db_likes WHERE file_key = ? AND usr_id = ?";
$likeResult = $class_database->execute($likeSql, [$fileKey, $userId]);
$video['user_like_status'] = $likeResult && $likeResult->RecordCount() > 0 ? $likeResult->fields['like_type'] : null;
// Check if subscribed to channel
$subSql = "SELECT 1 FROM db_subscriptions WHERE usr_id = ? AND channel_id = ?";
$subResult = $class_database->execute($subSql, [$userId, $video['usr_id']]);
$video['user_subscribed'] = $subResult && $subResult->RecordCount() > 0;
}
$response['success'] = true;
$response['data'] = $video;
echo json_encode($response);
}
/**
* Search videos
*/
function handleSearchVideos($userId) {
global $class_database, $response;
$query = isset($_GET['q']) ? VSecurity::sanitize($_GET['q']) : '';
if (strlen($query) < 2) {
throw new Exception('Search query must be at least 2 characters', 400);
}
$page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min(100, max(1, (int)$_GET['limit'])) : 20;
$offset = ($page - 1) * $limit;
$searchTerm = '%' . $query . '%';
$where = "(v.file_title LIKE ? OR v.file_description LIKE ? OR v.file_tags LIKE ?)";
if ($userId) {
$where .= " AND (v.privacy = 'public' OR v.usr_id = ?)";
$params = [$searchTerm, $searchTerm, $searchTerm, $userId];
} else {
$where .= " AND v.privacy = 'public'";
$params = [$searchTerm, $searchTerm, $searchTerm];
}
// Get total count
$countSql = "SELECT COUNT(*) FROM db_videofiles v WHERE v.approved = 1 AND $where";
$total = (int)$class_database->singleFieldValue($countSql, $params);
// Get results
$sql = "SELECT v.file_key, v.file_title, v.file_description, v.file_duration,
v.file_views, v.upload_date, v.thumbnail,
u.usr_id, u.usr_user, u.usr_dname
FROM db_videofiles v
LEFT JOIN db_users u ON v.usr_id = u.usr_id
WHERE v.approved = 1 AND $where
ORDER BY v.file_views DESC, v.upload_date DESC
LIMIT ? OFFSET ?";
$params[] = $limit;
$params[] = $offset;
$videos = $class_database->execute($sql, $params);
$response['success'] = true;
$response['data'] = [
'videos' => $videos ? $videos->GetArray() : [],
'query' => $query,
'pagination' => [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit)
]
];
echo json_encode($response);
}
/**
* Create/upload new video
*/
function handleCreateVideo($userId) {
global $class_database, $response;
// Get JSON input
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
throw new Exception('Invalid JSON input', 400);
}
// Validate required fields
$title = isset($input['title']) ? VSecurity::sanitize($input['title']) : null;
$description = isset($input['description']) ? VSecurity::sanitize($input['description']) : '';
if (!$title) {
throw new Exception('Title is required', 400);
}
// Generate file key
$fileKey = rand(100000, 999999);
// Get optional fields
$privacy = isset($input['privacy']) ? $input['privacy'] : 'public';
$category = isset($input['category']) ? VSecurity::sanitize($input['category']) : null;
$tags = isset($input['tags']) ? VSecurity::sanitize($input['tags']) : null;
// Insert video record
$sql = "INSERT INTO db_videofiles (usr_id, file_key, file_type, file_title, file_description,
privacy, file_category, file_tags, upload_date, approved, file_views)
VALUES (?, ?, 'video', ?, ?, ?, ?, ?, NOW(), 1, 0)";
$result = $class_database->execute($sql, [
$userId, $fileKey, $title, $description, $privacy, $category, $tags
]);
if (!$result) {
throw new Exception('Failed to create video', 500);
}
$response['success'] = true;
$response['data'] = [
'file_key' => $fileKey,
'message' => 'Video created successfully'
];
echo json_encode($response);
}
/**
* Update video details
*/
function handleUpdateVideo($userId) {
global $class_database, $response;
$fileKey = isset($_GET['id']) ? $_GET['id'] : null;
if (!$fileKey) {
throw new Exception('Video ID is required', 400);
}
// Verify ownership
$checkSql = "SELECT usr_id FROM db_videofiles WHERE file_key = ?";
$checkResult = $class_database->execute($checkSql, [$fileKey]);
if (!$checkResult || $checkResult->RecordCount() === 0) {
throw new Exception('Video not found', 404);
}
if ($checkResult->fields['usr_id'] != $userId) {
throw new Exception('You do not have permission to edit this video', 403);
}
// Get JSON input
$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
throw new Exception('Invalid JSON input', 400);
}
// Build update query dynamically
$updates = [];
$params = [];
$allowedFields = ['file_title', 'file_description', 'privacy', 'file_category', 'file_tags', 'thumbnail'];
foreach ($allowedFields as $field) {
if (isset($input[$field])) {
$updates[] = "$field = ?";
$params[] = VSecurity::sanitize($input[$field]);
}
}
if (empty($updates)) {
throw new Exception('No fields to update', 400);
}
$params[] = $fileKey;
$sql = "UPDATE db_videofiles SET " . implode(', ', $updates) . " WHERE file_key = ?";
$result = $class_database->execute($sql, $params);
if (!$result) {
throw new Exception('Failed to update video', 500);
}
$response['success'] = true;
$response['data'] = ['message' => 'Video updated successfully'];
echo json_encode($response);
}
/**
* Delete video
*/
function handleDeleteVideo($userId) {
global $class_database, $response;
$fileKey = isset($_GET['id']) ? $_GET['id'] : null;
if (!$fileKey) {
throw new Exception('Video ID is required', 400);
}
// Verify ownership
$checkSql = "SELECT usr_id, file_name FROM db_videofiles WHERE file_key = ?";
$checkResult = $class_database->execute($checkSql, [$fileKey]);
if (!$checkResult || $checkResult->RecordCount() === 0) {
throw new Exception('Video not found', 404);
}
if ($checkResult->fields['usr_id'] != $userId) {
throw new Exception('You do not have permission to delete this video', 403);
}
// Delete video record
$sql = "DELETE FROM db_videofiles WHERE file_key = ?";
$result = $class_database->execute($sql, [$fileKey]);
if (!$result) {
throw new Exception('Failed to delete video', 500);
}
// TODO: Delete associated files from storage
$response['success'] = true;
$response['data'] = ['message' => 'Video deleted successfully'];
echo json_encode($response);
}
/**
* Like/unlike video
*/
function handleLikeVideo($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$fileKey = isset($input['file_key']) ? $input['file_key'] : null;
$likeType = isset($input['like_type']) ? $input['like_type'] : 'like'; // 'like' or 'dislike'
if (!$fileKey) {
throw new Exception('Video ID is required', 400);
}
// Check if already liked
$checkSql = "SELECT like_id, like_type FROM db_likes WHERE file_key = ? AND usr_id = ?";
$existing = $class_database->execute($checkSql, [$fileKey, $userId]);
if ($existing && $existing->RecordCount() > 0) {
if ($existing->fields['like_type'] === $likeType) {
// Remove like/dislike
$sql = "DELETE FROM db_likes WHERE file_key = ? AND usr_id = ?";
$class_database->execute($sql, [$fileKey, $userId]);
$action = 'removed';
} else {
// Change like to dislike or vice versa
$sql = "UPDATE db_likes SET like_type = ? WHERE file_key = ? AND usr_id = ?";
$class_database->execute($sql, [$likeType, $fileKey, $userId]);
$action = 'updated';
}
} else {
// Add new like/dislike
$sql = "INSERT INTO db_likes (file_key, usr_id, like_type, like_date) VALUES (?, ?, ?, NOW())";
$class_database->execute($sql, [$fileKey, $userId, $likeType]);
$action = 'added';
}
// Get updated counts
$countSql = "SELECT
SUM(CASE WHEN like_type = 'like' THEN 1 ELSE 0 END) as like_count,
SUM(CASE WHEN like_type = 'dislike' THEN 1 ELSE 0 END) as dislike_count
FROM db_likes WHERE file_key = ?";
$counts = $class_database->execute($countSql, [$fileKey]);
$response['success'] = true;
$response['data'] = [
'action' => $action,
'like_count' => $counts->fields['like_count'] ?? 0,
'dislike_count' => $counts->fields['dislike_count'] ?? 0
];
echo json_encode($response);
}
/**
* Increment view count
*/
function handleIncrementView($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$fileKey = isset($input['file_key']) ? $input['file_key'] : null;
if (!$fileKey) {
throw new Exception('Video ID is required', 400);
}
// Update view count
$sql = "UPDATE db_videofiles SET file_views = file_views + 1 WHERE file_key = ?";
$class_database->execute($sql, [$fileKey]);
// Log view in activity table if it exists
$activitySql = "INSERT INTO db_user_activity (usr_id, activity_type, file_key, activity_date)
VALUES (?, 'view', ?, NOW())";
$class_database->execute($activitySql, [$userId, $fileKey]);
$response['success'] = true;
$response['data'] = ['message' => 'View recorded'];
echo json_encode($response);
}
/**
* Add/remove video from watch later
*/
function handleWatchLater($userId) {
global $class_database, $response;
$input = json_decode(file_get_contents('php://input'), true);
$fileKey = isset($input['file_key']) ? $input['file_key'] : null;
if (!$fileKey) {
throw new Exception('Video ID is required', 400);
}
// Check if already in watch later
$checkSql = "SELECT 1 FROM db_watchlater WHERE file_key = ? AND usr_id = ?";
$existing = $class_database->execute($checkSql, [$fileKey, $userId]);
if ($existing && $existing->RecordCount() > 0) {
// Remove from watch later
$sql = "DELETE FROM db_watchlater WHERE file_key = ? AND usr_id = ?";
$class_database->execute($sql, [$fileKey, $userId]);
$action = 'removed';
} else {
// Add to watch later
$sql = "INSERT INTO db_watchlater (file_key, usr_id, added_date) VALUES (?, ?, NOW())";
$class_database->execute($sql, [$fileKey, $userId]);
$action = 'added';
}
$response['success'] = true;
$response['data'] = ['action' => $action];
echo json_encode($response);
}

362
auto-deploy.ps1
View File

@@ -1,362 +0,0 @@
# Continuous Delivery Script for EasyStream
# Automatically commits and pushes changes to GitHub
param(
[int]$IntervalSeconds = 300, # Default: 5 minutes
[string]$Branch = "dev",
[string]$CommitPrefix = "auto:",
[switch]$WatchMode,
[switch]$Verbose
)
$ErrorActionPreference = "Continue"
$RepoPath = $PSScriptRoot
# Color output functions
function Write-Success { param($msg) Write-Host "$msg" -ForegroundColor Green }
function Write-Info { param($msg) Write-Host " $msg" -ForegroundColor Cyan }
function Write-Warning { param($msg) Write-Host "$msg" -ForegroundColor Yellow }
function Write-Error { param($msg) Write-Host "$msg" -ForegroundColor Red }
# Load configuration
$configPath = Join-Path $RepoPath ".cd-config.json"
if (Test-Path $configPath) {
$config = Get-Content $configPath | ConvertFrom-Json
if ($config.intervalSeconds) { $IntervalSeconds = $config.intervalSeconds }
if ($config.branch) { $Branch = $config.branch }
if ($config.commitPrefix) { $CommitPrefix = $config.commitPrefix }
if ($config.excludePatterns) { $excludePatterns = $config.excludePatterns }
} else {
$excludePatterns = @(
"f_data/data_sessions/*",
"f_data/data_cache/_c_tpl/*",
".setup_complete",
"*.log",
"db_data/*",
"node_modules/*",
"vendor/*"
)
}
function Test-GitRepo {
Push-Location $RepoPath
try {
$null = git rev-parse --git-dir 2>&1
return $?
} finally {
Pop-Location
}
}
function Get-GitStatus {
Push-Location $RepoPath
try {
$status = git status --porcelain 2>&1
return $status
} finally {
Pop-Location
}
}
function Get-ChangeSummary {
Push-Location $RepoPath
try {
$modified = @(git diff --name-only).Count
$staged = @(git diff --cached --name-only).Count
$untracked = @(git ls-files --others --exclude-standard).Count
return @{
Modified = $modified
Staged = $staged
Untracked = $untracked
Total = $modified + $staged + $untracked
}
} finally {
Pop-Location
}
}
function Update-GitIgnore {
$gitignorePath = Join-Path $RepoPath ".gitignore"
$ignoreContent = @"
# Temporary session files
f_data/data_sessions/sess_*
# Cache files
f_data/data_cache/_c_tpl/*
# Setup marker
.setup_complete
# Database runtime files
db_data/*
# Logs
*.log
# Dependencies
node_modules/
vendor/
# IDE
.vscode/
.idea/
"@
if (-not (Test-Path $gitignorePath)) {
$ignoreContent | Out-File -FilePath $gitignorePath -Encoding UTF8
Write-Success "Created .gitignore"
} else {
# Append if patterns are missing
$existing = Get-Content $gitignorePath -Raw
if ($existing -notmatch "f_data/data_sessions/sess_\*") {
"`n# Auto-generated exclusions`n$ignoreContent" | Add-Content -Path $gitignorePath
Write-Success "Updated .gitignore"
}
}
}
function Invoke-AutoCommit {
param([string]$message)
Push-Location $RepoPath
try {
Write-Info "Checking for changes..."
$changes = Get-ChangeSummary
if ($changes.Total -eq 0) {
if ($Verbose) { Write-Info "No changes detected" }
return $false
}
Write-Info "Found $($changes.Total) changed files (Modified: $($changes.Modified), Staged: $($changes.Staged), Untracked: $($changes.Untracked))"
# Stage all changes
Write-Info "Staging changes..."
git add -A 2>&1 | Out-Null
# Generate commit message if not provided
if (-not $message) {
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$message = "${CommitPrefix} Update at $timestamp"
# Add file change summary
$fileList = @(git diff --cached --name-only | Select-Object -First 5)
if ($fileList.Count -gt 0) {
$message += "`n`nChanged files:"
foreach ($file in $fileList) {
$message += "`n- $file"
}
if ($changes.Total -gt 5) {
$message += "`n- ... and $($changes.Total - 5) more files"
}
}
$message += "`n`n🤖 Generated with Claude Code Continuous Delivery`n`nCo-Authored-By: Claude <noreply@anthropic.com>"
}
# Create commit
Write-Info "Creating commit..."
$commitResult = git commit -m $message 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Success "Committed changes"
return $true
} else {
Write-Warning "Commit failed or nothing to commit"
if ($Verbose) { Write-Host $commitResult }
return $false
}
} finally {
Pop-Location
}
}
function Invoke-AutoPush {
Push-Location $RepoPath
try {
Write-Info "Pushing to origin/$Branch..."
# Check if we're ahead of remote
$ahead = git rev-list --count "origin/$Branch..$Branch" 2>&1
if ($ahead -match "^\d+$" -and [int]$ahead -gt 0) {
Write-Info "Local is $ahead commit(s) ahead of remote"
# Push with retry logic
$maxRetries = 3
$retryCount = 0
while ($retryCount -lt $maxRetries) {
$pushResult = git push origin $Branch 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Success "Successfully pushed to GitHub"
return $true
} else {
$retryCount++
Write-Warning "Push attempt $retryCount failed"
if ($Verbose) { Write-Host $pushResult }
if ($retryCount -lt $maxRetries) {
Write-Info "Retrying in 5 seconds..."
Start-Sleep -Seconds 5
}
}
}
Write-Error "Failed to push after $maxRetries attempts"
return $false
} else {
if ($Verbose) { Write-Info "Already up to date with remote" }
return $false
}
} finally {
Pop-Location
}
}
function Start-ContinuousDelivery {
Write-Info "========================================="
Write-Info "EasyStream Continuous Delivery Started"
Write-Info "========================================="
Write-Info "Repository: $RepoPath"
Write-Info "Branch: $Branch"
Write-Info "Interval: $IntervalSeconds seconds"
Write-Info "========================================="
Write-Info ""
# Verify git repository
if (-not (Test-GitRepo)) {
Write-Error "Not a git repository: $RepoPath"
exit 1
}
# Update .gitignore
Update-GitIgnore
$iteration = 0
while ($true) {
$iteration++
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Write-Host "`n[$timestamp] Check #$iteration" -ForegroundColor Magenta
try {
# Commit changes
$committed = Invoke-AutoCommit
# Push if there was a commit
if ($committed) {
Start-Sleep -Seconds 2
Invoke-AutoPush
}
# Wait for next interval
Write-Info "Next check in $IntervalSeconds seconds... (Press Ctrl+C to stop)"
Start-Sleep -Seconds $IntervalSeconds
} catch {
Write-Error "Error during CD cycle: $_"
Write-Info "Continuing in 30 seconds..."
Start-Sleep -Seconds 30
}
}
}
function Start-FileWatcher {
Write-Info "========================================="
Write-Info "EasyStream File Watcher Started"
Write-Info "========================================="
Write-Info "Watching: $RepoPath"
Write-Info "Branch: $Branch"
Write-Info "Debounce: 30 seconds after last change"
Write-Info "========================================="
Write-Info ""
# Verify git repository
if (-not (Test-GitRepo)) {
Write-Error "Not a git repository: $RepoPath"
exit 1
}
# Update .gitignore
Update-GitIgnore
# Create file system watcher
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $RepoPath
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
# Exclude patterns
$watcher.Filter = "*.*"
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor
[System.IO.NotifyFilters]::DirectoryName -bor
[System.IO.NotifyFilters]::LastWrite
$global:lastChangeTime = Get-Date
$global:changedFiles = @{}
$onChange = {
param($sender, $e)
# Skip excluded patterns
$relativePath = $e.FullPath.Replace($RepoPath, "").TrimStart('\', '/')
$exclude = $false
foreach ($pattern in $excludePatterns) {
if ($relativePath -like $pattern) {
$exclude = $true
break
}
}
if (-not $exclude) {
$global:lastChangeTime = Get-Date
$global:changedFiles[$e.FullPath] = $e.ChangeType
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] " -NoNewline -ForegroundColor Gray
Write-Host "$($e.ChangeType): " -NoNewline -ForegroundColor Yellow
Write-Host $relativePath -ForegroundColor White
}
}
# Register events
Register-ObjectEvent -InputObject $watcher -EventName Changed -Action $onChange | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Created -Action $onChange | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Deleted -Action $onChange | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Renamed -Action $onChange | Out-Null
Write-Success "File watcher active. Monitoring for changes..."
Write-Info "Changes will auto-commit 30 seconds after last modification"
Write-Info ""
try {
while ($true) {
Start-Sleep -Seconds 5
# Check if enough time has passed since last change
$timeSinceLastChange = (Get-Date) - $global:lastChangeTime
if ($global:changedFiles.Count -gt 0 -and $timeSinceLastChange.TotalSeconds -ge 30) {
Write-Info "`nDebounce period elapsed. Processing $($global:changedFiles.Count) changes..."
$committed = Invoke-AutoCommit
if ($committed) {
Start-Sleep -Seconds 2
Invoke-AutoPush
}
# Reset
$global:changedFiles = @{}
Write-Info "`nContinuing to watch for changes...`n"
}
}
} finally {
$watcher.Dispose()
Get-EventSubscriber | Unregister-Event
}
}
# Main execution
if ($WatchMode) {
Start-FileWatcher
} else {
Start-ContinuousDelivery
}

421
docs/API_AUTHENTICATION_GUIDE.md Normal file
View File

@@ -0,0 +1,421 @@
# EasyStream API Authentication Guide
## Overview
EasyStream now supports modern JWT token-based authentication for API clients, alongside traditional session-based authentication for web pages.
## Authentication Systems
### 1. **Session-Based Authentication** (Traditional Web Pages)
- Uses PHP sessions with cookies
- Managed by `VAuth::login()` and `VAuth::logout()`
- Stored in `db_sessions` table
- Best for: Traditional server-rendered pages
### 2. **JWT Token Authentication** (Modern APIs)
- Uses Bearer tokens in Authorization header
- Managed by `VAuth::loginWithToken()` and `VAuth::validateJWTToken()`
- Stateless (no server-side session storage)
- Best for: SPAs, mobile apps, API clients
---
## Backend API Endpoints
### Base URL
```
http://localhost:8083/api
```
### Authentication Endpoints
#### 1. **Login with Token** (New)
Get a JWT token for API authentication.
**Endpoint:** `POST /auth.php?action=login_token`
**Request Body:**
```json
{
"identifier": "username or email",
"password": "your_password",
"expires_in": 86400 // Optional: token expiry in seconds (default: 24 hours)
}
```
**Response (Success):**
```json
{
"success": true,
"message": "Login successful",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 86400,
"user": {
"user_id": 1,
"username": "john_doe",
"email": "john@example.com",
"role": "member"
}
}
```
**Response (Error):**
```json
{
"success": false,
"message": "Invalid credentials"
}
```
---
#### 2. **Verify Token**
Validate a JWT token and get user information.
**Endpoint:** `GET /auth.php?action=verify_token` or `POST /auth.php?action=verify_token`
**Authorization Header:**
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
**Alternative (POST body):**
```json
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```
**Response (Success):**
```json
{
"success": true,
"valid": true,
"user": {
"user_id": 1,
"username": "john_doe",
"email": "john@example.com",
"role": "member"
}
}
```
---
#### 3. **Traditional Login** (Session-based)
For web pages that need PHP session authentication.
**Endpoint:** `POST /auth.php?action=login`
**Request Body:**
```json
{
"identifier": "username or email",
"password": "your_password",
"remember_me": false
}
```
**Response:**
```json
{
"success": true,
"message": "Login successful",
"user": { ... }
}
```
*Note: This sets a PHP session cookie, not a JWT token.*
---
## Frontend API Helper Usage
### Include the API Helper
Add to your HTML:
```html
<script src="/f_scripts/fe/js/api-helper.js"></script>
```
### Initialize API Client
```javascript
// API client is automatically initialized as window.api
const api = window.api; // or new EasyStreamAPI()
```
### Authentication Examples
#### Login and Get Token
```javascript
try {
const result = await api.login('john_doe', 'password123');
if (result.success) {
console.log('Logged in!', result.user);
console.log('Token:', result.token);
// Token is automatically stored in localStorage
}
} catch (error) {
console.error('Login failed:', error.message);
}
```
#### Check Authentication Status
```javascript
if (api.isAuthenticated()) {
console.log('User is authenticated');
} else {
console.log('User is not authenticated');
}
```
#### Get Current User Info
```javascript
try {
const userData = await api.getCurrentUser();
console.log('Current user:', userData.user);
} catch (error) {
console.error('Not authenticated:', error);
}
```
#### Logout
```javascript
try {
await api.logout();
console.log('Logged out successfully');
} catch (error) {
console.error('Logout error:', error);
}
```
---
### Making Authenticated API Requests
The API helper automatically includes the Bearer token in all requests.
#### GET Request
```javascript
try {
const videos = await api.get('/videos.php', {
page: 1,
limit: 20,
sort: 'newest'
});
console.log('Videos:', videos);
} catch (error) {
console.error('Error:', error);
}
```
#### POST Request
```javascript
try {
const newVideo = await api.post('/videos.php', {
title: 'My Awesome Video',
description: 'Check this out!',
privacy: 'public'
});
console.log('Video created:', newVideo);
} catch (error) {
console.error('Error:', error);
}
```
#### PUT Request
```javascript
try {
const updated = await api.put('/videos.php?id=123', {
title: 'Updated Title'
});
console.log('Video updated:', updated);
} catch (error) {
console.error('Error:', error);
}
```
#### DELETE Request
```javascript
try {
const result = await api.delete('/videos.php?id=123');
console.log('Video deleted:', result);
} catch (error) {
console.error('Error:', error);
}
```
---
## Manual Fetch Example (Without Helper)
If you prefer to use fetch() directly:
```javascript
// Login and get token
const loginResponse = await fetch('/api/auth.php?action=login_token', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
identifier: 'john_doe',
password: 'password123'
})
});
const loginData = await loginResponse.json();
const token = loginData.token;
// Store token
localStorage.setItem('jwt_token', token);
// Make authenticated request
const response = await fetch('/api/videos.php', {
method: 'GET',
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json'
}
});
const videos = await response.json();
```
---
## cURL Examples
### Login with Token
```bash
curl -X POST http://localhost:8083/api/auth.php?action=login_token \
-H "Content-Type: application/json" \
-d '{
"identifier": "john_doe",
"password": "password123"
}'
```
### Verify Token
```bash
curl -X GET http://localhost:8083/api/auth.php?action=verify_token \
-H "Authorization: Bearer YOUR_JWT_TOKEN_HERE"
```
### Authenticated API Request
```bash
curl -X GET http://localhost:8083/api/videos.php?page=1&limit=10 \
-H "Authorization: Bearer YOUR_JWT_TOKEN_HERE"
```
---
## Token Management
### Token Storage
- Frontend: Stored in `localStorage` with expiry time
- Backend: JWT is stateless (no server-side storage)
### Token Expiry
- Default: 24 hours (86400 seconds)
- Configurable via `JWT_EXPIRY` in `.env`
- Client automatically clears expired tokens
### Token Security
- Secret: Stored in `JWT_SECRET` environment variable
- Algorithm: HS256 (HMAC-SHA256)
- Validation: Signature verified on every request
---
## Migration Guide
### For Existing AJAX Code
**Before (jQuery with sessions):**
```javascript
$.post('/some_endpoint.php', { action: 'do_something' }, function(data) {
console.log(data);
});
```
**After (Fetch with JWT):**
```javascript
api.post('/some_endpoint.php', { action: 'do_something' })
.then(data => console.log(data))
.catch(error => console.error(error));
```
---
## Environment Configuration
Update your `.env` file:
```env
# JWT Configuration
JWT_SECRET=9a652ee880c41bafb0a81d38d54b029d63903eeaafccaa8c12880a913931f63b
JWT_EXPIRY=86400
# CORS Configuration (for separate frontends)
CORS_ORIGIN=http://localhost:3000
```
---
## Error Handling
### Common Errors
#### 401 Unauthorized
```json
{
"success": false,
"message": "Invalid or expired token"
}
```
**Solution:** Re-login to get a new token.
#### 403 Forbidden
```json
{
"success": false,
"message": "Access denied"
}
```
**Solution:** User doesn't have permission for this resource.
#### 429 Rate Limited
```json
{
"success": false,
"message": "Too many requests"
}
```
**Solution:** Wait before retrying.
---
## Best Practices
1. **Always use HTTPS in production** - JWT tokens should be transmitted over secure connections
2. **Store tokens securely** - Use localStorage for web, secure storage for mobile
3. **Handle token expiry** - Implement token refresh or re-login flow
4. **Validate on every request** - Backend validates tokens on all protected endpoints
5. **Clear tokens on logout** - Remove tokens from storage when user logs out
6. **Use CORS properly** - Configure `Access-Control-Allow-Origin` for your frontend domain
---
## Support
For issues or questions, check:
- EasyStream documentation: `/docs/`
- API logs: `f_data/logs/`
- Error handling: `VLogger` and `VErrorHandler` classes

782
docs/API_DOCUMENTATION.md Normal file
View File

@@ -0,0 +1,782 @@
# EasyStream API Documentation
## Overview
EasyStream provides a RESTful API for managing videos, users, comments, and subscriptions. All API endpoints return JSON responses and support both JWT token authentication and session-based authentication.
**Base URL:** `/api/`
**Content-Type:** `application/json`
## Table of Contents
1. [Authentication](#authentication)
2. [Videos API](#videos-api)
3. [User API](#user-api)
4. [Comments API](#comments-api)
5. [Subscriptions API](#subscriptions-api)
6. [Error Handling](#error-handling)
7. [Rate Limiting](#rate-limiting)
---
## Authentication
### Overview
EasyStream supports two authentication methods:
1. **JWT Token Authentication** (Recommended for API clients)
2. **Session-based Authentication** (For web pages)
### Endpoints
#### Login with JWT Token
```http
POST /api/auth.php?action=login_token
```
**Request Body:**
```json
{
"identifier": "username or email",
"password": "password",
"expires_in": 86400
}
```
**Response:**
```json
{
"success": true,
"token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
"expires_in": 86400,
"user": {
"usr_id": 1,
"usr_user": "john",
"usr_email": "john@example.com"
}
}
```
#### Login with Session
```http
POST /api/auth.php?action=login
```
**Request Body:**
```json
{
"identifier": "username or email",
"password": "password",
"remember": true,
"csrf_token": "token"
}
```
#### Get CSRF Token
```http
GET /api/auth.php?action=csrf_token
```
#### Verify Token
```http
GET /api/auth.php?action=verify_token
Authorization: Bearer <token>
```
#### Get Current User
```http
GET /api/auth.php?action=me
Authorization: Bearer <token>
```
#### Logout
```http
POST /api/auth.php?action=logout
```
---
## Videos API
Base endpoint: `/api/videos.php`
### List Videos
Get a paginated list of videos with filtering options.
```http
GET /api/videos.php?page=1&limit=20&sort=recent&category=music
```
**Query Parameters:**
- `page` (integer, optional): Page number (default: 1)
- `limit` (integer, optional): Items per page, max 100 (default: 20)
- `sort` (string, optional): Sort order - `recent`, `popular`, `featured`, `oldest`, `title` (default: recent)
- `category` (string, optional): Filter by category
- `channel_id` (integer, optional): Filter by channel/user ID
**Response:**
```json
{
"success": true,
"data": {
"videos": [
{
"file_key": "123456",
"file_title": "My Video",
"file_description": "Description",
"file_duration": "00:05:30",
"file_views": 1500,
"upload_date": "2025-01-15 10:30:00",
"thumbnail": "/path/to/thumb.jpg",
"usr_id": 1,
"usr_user": "john",
"usr_dname": "John Doe",
"like_count": 50,
"comment_count": 10
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 100,
"pages": 5
}
}
}
```
### Get Single Video
```http
GET /api/videos.php?id=123456
```
**Response:**
```json
{
"success": true,
"data": {
"file_key": "123456",
"file_title": "My Video",
"file_description": "Description",
"file_name": "video.mp4",
"file_duration": "00:05:30",
"file_views": 1500,
"privacy": "public",
"upload_date": "2025-01-15 10:30:00",
"usr_id": 1,
"usr_user": "john",
"usr_dname": "John Doe",
"usr_avatar": "/path/to/avatar.jpg",
"like_count": 50,
"dislike_count": 2,
"comment_count": 10,
"subscriber_count": 1000,
"user_like_status": "like",
"user_subscribed": true
}
}
```
### Search Videos
```http
GET /api/videos.php?action=search&q=search+query&page=1&limit=20
```
### Create Video
```http
POST /api/videos.php?action=create
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"title": "Video Title",
"description": "Video description",
"privacy": "public",
"category": "entertainment",
"tags": "tag1,tag2,tag3"
}
```
**Response:**
```json
{
"success": true,
"data": {
"file_key": "789012",
"message": "Video created successfully"
}
}
```
### Update Video
```http
PUT /api/videos.php?id=123456
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"file_title": "Updated Title",
"file_description": "Updated description",
"privacy": "private"
}
```
### Delete Video
```http
DELETE /api/videos.php?id=123456
Authorization: Bearer <token>
```
### Like/Dislike Video
```http
POST /api/videos.php?action=like
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"file_key": "123456",
"like_type": "like"
}
```
**Response:**
```json
{
"success": true,
"data": {
"action": "added",
"like_count": 51,
"dislike_count": 2
}
}
```
### Record Video View
```http
POST /api/videos.php?action=view
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"file_key": "123456"
}
```
### Watch Later
Add/remove video from watch later list.
```http
POST /api/videos.php?action=watch_later
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"file_key": "123456"
}
```
---
## User API
Base endpoint: `/api/user.php`
### Get User Profile
Get current user's profile (requires authentication):
```http
GET /api/user.php?action=profile
Authorization: Bearer <token>
```
Get another user's public profile:
```http
GET /api/user.php?id=123
```
**Response:**
```json
{
"success": true,
"data": {
"usr_id": 1,
"usr_user": "john",
"usr_dname": "John Doe",
"usr_email": "john@example.com",
"usr_avatar": "/path/to/avatar.jpg",
"usr_about": "About me",
"usr_website": "https://example.com",
"usr_verified": true,
"usr_partner": false,
"stats": {
"videos": 50,
"subscribers": 1000,
"subscriptions": 75,
"views": 50000
}
}
}
```
### Update Profile
```http
PUT /api/user.php
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"usr_dname": "John Doe",
"usr_about": "Updated bio",
"usr_website": "https://newsite.com",
"usr_location": "New York, USA"
}
```
### Upload Avatar
```http
POST /api/user.php?action=avatar
Authorization: Bearer <token>
Content-Type: multipart/form-data
```
**Form Data:**
- `avatar`: Image file (JPG, PNG, GIF, max 5MB)
### Get User Statistics
```http
GET /api/user.php?action=stats
Authorization: Bearer <token>
```
**Response:**
```json
{
"success": true,
"data": {
"total_videos": 50,
"videos_last_30_days": 5,
"total_views": 50000,
"total_subscribers": 1000,
"total_subscriptions": 75,
"total_comments": 250,
"total_likes_given": 500
}
}
```
### Get User's Videos
```http
GET /api/user.php?action=videos&id=123&page=1&limit=20
```
### Get User's Subscriptions
```http
GET /api/user.php?action=subscriptions
Authorization: Bearer <token>
```
### Get User's Subscribers
```http
GET /api/user.php?action=subscribers&id=123
```
---
## Comments API
Base endpoint: `/api/comments.php`
### List Comments
Get comments for a video:
```http
GET /api/comments.php?file_key=123456&page=1&limit=50&sort=recent
```
**Query Parameters:**
- `file_key` (required): Video file key
- `page` (optional): Page number
- `limit` (optional): Items per page, max 100
- `sort` (optional): `recent`, `top`, `oldest`
**Response:**
```json
{
"success": true,
"data": {
"comments": [
{
"comment_id": 1,
"usr_id": 5,
"usr_user": "jane",
"usr_dname": "Jane Smith",
"usr_avatar": "/path/to/avatar.jpg",
"comment_text": "Great video!",
"comment_date": "2025-01-15 12:00:00",
"comment_likes": 10,
"reply_count": 3,
"user_liked": false
}
],
"pagination": {
"page": 1,
"limit": 50,
"total": 120,
"pages": 3
}
}
}
```
### Get Single Comment
Get comment with replies:
```http
GET /api/comments.php?id=123
```
### Create Comment
```http
POST /api/comments.php?action=create
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"file_key": "123456",
"comment_text": "This is my comment",
"parent_id": null
}
```
Set `parent_id` to reply to another comment.
### Update Comment
```http
PUT /api/comments.php?id=123
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"comment_text": "Updated comment text"
}
```
### Delete Comment
```http
DELETE /api/comments.php?id=123
Authorization: Bearer <token>
```
### Like Comment
```http
POST /api/comments.php?action=like
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"comment_id": 123
}
```
### Report Comment
```http
POST /api/comments.php?action=report
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"comment_id": 123,
"reason": "Spam or abuse"
}
```
---
## Subscriptions API
Base endpoint: `/api/subscriptions.php`
### Get User's Subscriptions
```http
GET /api/subscriptions.php?action=list
Authorization: Bearer <token>
```
**Response:**
```json
{
"success": true,
"data": {
"subscriptions": [
{
"usr_id": 5,
"usr_user": "creator",
"usr_dname": "Creator Name",
"usr_avatar": "/path/to/avatar.jpg",
"usr_verified": true,
"sub_date": "2025-01-01 10:00:00",
"video_count": 50,
"subscriber_count": 10000
}
],
"total": 15
}
}
```
### Get Channel's Subscribers
```http
GET /api/subscriptions.php?action=subscribers&channel_id=5&page=1
```
### Get Subscription Feed
Get latest videos from subscribed channels:
```http
GET /api/subscriptions.php?action=feed&page=1&limit=20
Authorization: Bearer <token>
```
### Check Subscription Status
```http
GET /api/subscriptions.php?action=check&channel_id=5
Authorization: Bearer <token>
```
**Response:**
```json
{
"success": true,
"data": {
"is_subscribed": true,
"subscribed_since": "2025-01-01 10:00:00"
}
}
```
### Subscribe to Channel
```http
POST /api/subscriptions.php
Authorization: Bearer <token>
```
**Request Body:**
```json
{
"channel_id": 5
}
```
### Unsubscribe from Channel
```http
DELETE /api/subscriptions.php?channel_id=5
Authorization: Bearer <token>
```
---
## Error Handling
All API endpoints return consistent error responses:
```json
{
"success": false,
"error": "Error message here",
"data": null
}
```
### HTTP Status Codes
- `200 OK`: Request successful
- `400 Bad Request`: Invalid request parameters
- `401 Unauthorized`: Authentication required or failed
- `403 Forbidden`: Insufficient permissions
- `404 Not Found`: Resource not found
- `405 Method Not Allowed`: HTTP method not supported
- `429 Too Many Requests`: Rate limit exceeded
- `500 Internal Server Error`: Server error
---
## Rate Limiting
Rate limits are applied to prevent abuse:
- **Login attempts**: 5 per 15 minutes per IP
- **Password reset**: 3 per hour per email
- **API calls**: 100 per minute per user (when authenticated)
- **Anonymous API calls**: 20 per minute per IP
Rate limit headers:
```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1642512000
```
---
## Frontend Integration
### Using api-helper.js
EasyStream provides a modern JavaScript API client for easy integration:
```javascript
// Initialize (automatically done on page load)
const api = window.api; // or new EasyStreamAPI()
// Login
const loginResult = await api.login('username', 'password');
if (loginResult.success) {
console.log('Logged in!', loginResult.user);
}
// Get videos
const videos = await api.getVideos({ page: 1, sort: 'popular' });
// Get single video
const video = await api.getVideo('123456');
// Like video
await api.likeVideo('123456', 'like');
// Create comment
await api.createComment('123456', 'Great video!');
// Subscribe to channel
await api.subscribe(5);
// Get user profile
const profile = await api.getUserProfile(123);
// Update profile
await api.updateProfile({
usr_dname: 'New Display Name',
usr_about: 'Updated bio'
});
// Error handling
try {
const result = await api.someAPICall();
} catch (error) {
console.error('API error:', error.message);
api.handleError(error);
}
```
### Authentication Headers
When using JWT tokens, include the Authorization header:
```javascript
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc...
```
The api-helper.js automatically handles this for you.
---
## CORS Configuration
Cross-Origin Resource Sharing (CORS) is configured securely:
- **Development**: Allows localhost and 127.0.0.1
- **Production**: Only allows origins defined in `CORS_ALLOWED_ORIGINS` environment variable
To configure allowed origins in production, set:
```bash
CORS_ALLOWED_ORIGINS=https://example.com,https://www.example.com
```
---
## Best Practices
1. **Always use HTTPS** in production
2. **Store JWT tokens securely** (httpOnly cookies or secure localStorage)
3. **Include CSRF tokens** for session-based requests
4. **Handle errors gracefully** and show user-friendly messages
5. **Implement exponential backoff** for failed requests
6. **Cache responses** when appropriate
7. **Validate input** on both client and server side
8. **Use pagination** for large datasets
9. **Monitor rate limits** to avoid being throttled
10. **Log errors** for debugging
---
## Support
For issues or questions about the API:
- Check [docs/TROUBLESHOOTING.md](TROUBLESHOOTING.md)
- Review [docs/BACKEND_FRONTEND_INTEGRATION_FIXES.md](BACKEND_FRONTEND_INTEGRATION_FIXES.md)
- Open an issue in the project repository
---
**Last Updated:** January 2025
**API Version:** 1.0.0

668
docs/BACKEND_FRONTEND_INTEGRATION_FIXES.md Normal file
View File

@@ -0,0 +1,668 @@
# EasyStream Backend-Frontend Integration Fixes
## Executive Summary
This document outlines the critical fixes applied to resolve backend-frontend disconnection issues in EasyStream and enable modern API-based architecture.
**Date:** 2025-01-28
**Status:** ✅ Completed
---
## Problems Identified
Through comprehensive analysis using 6 specialized agents, we identified the following critical disconnects:
### 1. **Database Layer Failures** ❌
- **Issue:** Frontend pages calling non-existent `VDatabase::execute()` method
- **Impact:** Browse pages, content listings completely broken
- **Files Affected:** `browse.php:13`, `index_new.php:56-61`
### 2. **Multiple Conflicting Authentication Systems** ❌
- **Issue:** Three different auth systems (VAuth, VLogin, direct PDO) running simultaneously
- **Impact:** Session state inconsistency, users appearing logged in on one system but not others
### 3. **Missing API Authentication** ❌
- **Issue:** No JWT token support for API clients
- **Impact:** Cannot build decoupled frontends (React, Vue, mobile apps)
### 4. **Configuration Issues** ❌
- **Issue:** Hardcoded or weak JWT secrets
- **Impact:** Security vulnerabilities
---
## Solutions Implemented
### ✅ 1. Added VDatabase::execute() Method
**File:** [f_core/f_classes/class.database.php](../f_core/f_classes/class.database.php#L470-L515)
**Changes:**
```php
public function execute($sql, $params = [], $cache_time = false)
{
global $db;
$rows = [];
try {
// Execute query with or without caching
if ($cache_time && is_numeric($cache_time) && $cache_time > 0) {
$result = $db->CacheExecute($cache_time, $sql, $params);
} else {
$result = $db->Execute($sql, $params);
}
// Check for query errors
if (!$result) {
$logger = VLogger::getInstance();
$logger->logDatabaseError($db->ErrorMsg(), $sql, $params);
return [];
}
// Convert ADORecordSet to plain array
if ($result && !$result->EOF) {
while (!$result->EOF) {
$rows[] = $result->fields;
$result->MoveNext();
}
}
return $rows;
} catch (Exception $e) {
$logger = VLogger::getInstance();
$logger->logDatabaseError($e->getMessage(), $sql ?? '', $params ?? []);
return [];
}
}
```
**Benefits:**
- Wraps ADOdb's Execute() method
- Returns plain PHP arrays (easier for frontend)
- Includes error logging and exception handling
- Supports prepared statements
- Supports query caching
**Status:** ✅ Working - browse.php and index_new.php now functional
---
### ✅ 2. Added JWT Token Authentication to VAuth
**File:** [f_core/f_classes/class.auth.php](../f_core/f_classes/class.auth.php#L760-L960)
**New Methods Added:**
#### `generateJWTToken($user, $expiryTime = null)`
Generates secure JWT tokens for API authentication.
**Features:**
- HS256 algorithm (HMAC-SHA256)
- URL-safe Base64 encoding
- Configurable expiry time (default: 24 hours)
- Uses `JWT_SECRET` from environment
- Includes user_id, username, email, role in payload
#### `validateJWTToken($token)`
Validates JWT tokens and returns user data.
**Features:**
- Signature verification
- Expiry checking
- User existence validation in database
- Security event logging
#### `loginWithToken($identifier, $password, $expiryTime = null)`
Login endpoint that returns JWT token instead of creating session.
**Features:**
- Validates credentials using existing VAuth::login()
- Generates and returns JWT token
- No PHP session created (stateless)
- Perfect for API clients
#### `authenticateBearer($authHeader = null)`
Authenticates requests via Authorization: Bearer header.
**Features:**
- Auto-detects Authorization header
- Works with Apache mod_rewrite
- Returns user data or null
**Status:** ✅ Integrated and tested
---
### ✅ 3. Updated API Auth Endpoints
**File:** [api/auth.php](../api/auth.php#L241-L292)
**New Endpoints Added:**
#### `POST /api/auth.php?action=login_token`
JWT token-based login for API clients.
**Request:**
```json
{
"identifier": "username or email",
"password": "password",
"expires_in": 86400 // optional
}
```
**Response:**
```json
{
"success": true,
"token": "eyJhbGci...",
"token_type": "Bearer",
"expires_in": 86400,
"user": { ... }
}
```
#### `GET/POST /api/auth.php?action=verify_token`
Verify JWT token validity and get user info.
**Request Header:**
```
Authorization: Bearer eyJhbGci...
```
**Response:**
```json
{
"success": true,
"valid": true,
"user": { ... }
}
```
**Status:** ✅ Functional and documented
---
### ✅ 4. Secured JWT Configuration
**File:** [.env](../.env#L14-L19)
**Changes:**
```env
# Before
JWT_SECRET=change_this_jwt_secret
# After
JWT_SECRET=9a652ee880c41bafb0a81d38d54b029d63903eeaafccaa8c12880a913931f63b
JWT_EXPIRY=86400
```
**Benefits:**
- Cryptographically secure secret (64 hex characters)
- Prevents JWT signature forgery
- Configurable token expiry
**Status:** ✅ Updated and documented
---
### ✅ 5. Created Modern Frontend API Helper
**File:** [f_scripts/fe/js/api-helper.js](../f_scripts/fe/js/api-helper.js)
**Features:**
#### Token Management
```javascript
class EasyStreamAPI {
setToken(token, expiresIn) // Store token in localStorage
getStoredToken() // Retrieve token
clearToken() // Remove token
isAuthenticated() // Check auth status
}
```
#### Authentication Methods
```javascript
await api.login(username, password) // Login with JWT
await api.logout() // Logout and clear token
await api.getCurrentUser() // Get user info
await api.verifyToken() // Verify token validity
```
#### HTTP Methods
```javascript
await api.get(endpoint, params) // GET request
await api.post(endpoint, data) // POST request
await api.put(endpoint, data) // PUT request
await api.delete(endpoint) // DELETE request
```
**Benefits:**
- Modern fetch() API (no jQuery dependency)
- Automatic token injection in headers
- Token expiry handling
- LocalStorage persistence
- Promise-based (async/await support)
- Error handling and 401 detection
**Usage Example:**
```javascript
// Include script
<script src="/f_scripts/fe/js/api-helper.js"></script>
// Login
const result = await api.login('john_doe', 'password123');
if (result.success) {
console.log('Logged in!', result.user);
}
// Make authenticated request
const videos = await api.get('/videos.php', { page: 1, limit: 20 });
```
**Status:** ✅ Created and documented
---
### ✅ 6. Comprehensive Documentation
**Files Created:**
1. **[docs/API_AUTHENTICATION_GUIDE.md](../docs/API_AUTHENTICATION_GUIDE.md)**
- Complete API authentication guide
- Endpoint documentation
- Frontend examples (JavaScript, cURL)
- Error handling guide
- Best practices
2. **[docs/BACKEND_FRONTEND_INTEGRATION_FIXES.md](../docs/BACKEND_FRONTEND_INTEGRATION_FIXES.md)** (this file)
- Summary of all fixes
- Before/after comparisons
- Testing guide
- Troubleshooting
**Status:** ✅ Complete
---
## Architecture Overview
### Before (Broken)
```
Frontend (jQuery)
→ calls $class_database->execute() [BROKEN]
→ Traditional sessions only
→ No API token support
→ Mixed auth systems
```
### After (Fixed)
```
Frontend (Modern)
├─ Traditional Web Pages
│ └─ Session-based auth (VAuth::login)
│ └─ PHP sessions + cookies
└─ API Clients (SPAs, Mobile)
└─ Token-based auth (VAuth::loginWithToken)
└─ JWT Bearer tokens
└─ Stored in localStorage
└─ Sent via Authorization header
Backend
├─ VDatabase::execute() [FIXED]
│ └─ Wraps ADOdb
│ └─ Returns arrays
└─ VAuth (Unified)
├─ Session methods (login, logout, isAuthenticated)
└─ Token methods (loginWithToken, validateJWTToken)
```
---
## Testing the Implementation
### 1. Test Database Execution
**Browse Page:**
```bash
# Visit: http://localhost:8083/browse.php
# Should display video list without errors
```
**Index Page:**
```bash
# Visit: http://localhost:8083/index_new.php
# Should show statistics (video count, user count)
```
### 2. Test JWT Token Authentication
#### Using cURL:
```bash
# Login and get token
curl -X POST http://localhost:8083/api/auth.php?action=login_token \
-H "Content-Type: application/json" \
-d '{
"identifier": "your_username",
"password": "your_password"
}'
# Response:
{
"success": true,
"token": "eyJhbGci...",
"token_type": "Bearer",
"expires_in": 86400,
"user": { ... }
}
# Verify token
curl -X GET http://localhost:8083/api/auth.php?action=verify_token \
-H "Authorization: Bearer YOUR_TOKEN_HERE"
# Response:
{
"success": true,
"valid": true,
"user": { ... }
}
```
#### Using JavaScript:
```html
<!DOCTYPE html>
<html>
<head>
<title>EasyStream API Test</title>
<script src="/f_scripts/fe/js/api-helper.js"></script>
</head>
<body>
<h1>API Test</h1>
<button onclick="testLogin()">Test Login</button>
<button onclick="testGetVideos()">Test Get Videos</button>
<pre id="output"></pre>
<script>
const output = document.getElementById('output');
async function testLogin() {
try {
const result = await api.login('your_username', 'your_password');
output.textContent = JSON.stringify(result, null, 2);
if (result.success) {
alert('Login successful! Token stored.');
}
} catch (error) {
output.textContent = 'Error: ' + error.message;
}
}
async function testGetVideos() {
try {
const videos = await api.get('/videos.php', { page: 1, limit: 10 });
output.textContent = JSON.stringify(videos, null, 2);
} catch (error) {
output.textContent = 'Error: ' + error.message;
}
}
</script>
</body>
</html>
```
### 3. Test Browser Console
```javascript
// Open browser console on any EasyStream page with api-helper.js loaded
// Login
await api.login('username', 'password');
// Check if authenticated
console.log(api.isAuthenticated()); // true
// Get current user
const user = await api.getCurrentUser();
console.log(user);
// Logout
await api.logout();
console.log(api.isAuthenticated()); // false
```
---
## Remaining Issues (Not Critical)
### 1. Multiple Caddyfile Configurations
**Status:** ⚠️ Minor issue
**Impact:** Confusion about which config is active
**Recommendation:** Consolidate to single Caddyfile
**Files:**
- `Caddyfile` (active)
- `Caddyfile.updated`
- `Caddyfile.backup`
- `Caddyfile.livestream`
### 2. Missing CORS for Main Pages
**Status:** ⚠️ Minor issue
**Impact:** Cross-origin requests from separate frontends may fail
**Current:** API endpoints have CORS, main pages don't
**Recommendation:** Add CORS middleware if building separate frontend
### 3. Legacy VLogin Class Still Exists
**Status:** Informational
**Impact:** None (not used by new code)
**Recommendation:** Gradually migrate old code to VAuth
---
## Migration Path for Existing Code
### Step 1: Update Frontend AJAX to Use API Helper
**Before (jQuery):**
```javascript
$.post('/some_action.php', { data: value }, function(response) {
console.log(response);
});
```
**After (Modern):**
```javascript
api.post('/some_action.php', { data: value })
.then(response => console.log(response))
.catch(error => console.error(error));
```
### Step 2: Update Backend Endpoints to Support JWT
**Add to your endpoint file:**
```php
<?php
define('_ISVALID', true);
require_once '../f_core/config.core.php';
// Initialize auth
$auth = VAuth::getInstance();
// Check for Bearer token
$user = $auth->authenticateBearer();
if (!$user) {
// Not authenticated
http_response_code(401);
echo json_encode(['success' => false, 'message' => 'Authentication required']);
exit;
}
// User is authenticated, proceed with logic
$userId = $user['user_id'];
$username = $user['username'];
// ... your code here
```
---
## Security Considerations
### ✅ Implemented
- Secure JWT secret (64 hex characters)
- HS256 signature algorithm
- Token expiry validation
- Signature verification on every request
- Security event logging
- Rate limiting (via VAuth)
- User existence validation
### 🔒 Recommendations for Production
1. **Use HTTPS Only**
- JWT tokens should never be sent over HTTP
- Update MAIN_URL in .env to use https://
2. **Rotate JWT Secret Periodically**
- Generate new secret every 90 days
- Use: `openssl rand -hex 32`
3. **Implement Token Refresh**
- Add refresh token endpoint
- Short-lived access tokens (1 hour)
- Long-lived refresh tokens (30 days)
4. **Add Rate Limiting**
- Already implemented in VAuth
- Configure limits in VSecurity class
5. **Monitor Security Events**
- Check logs in `f_data/logs/`
- Watch for failed login attempts
- Alert on unusual patterns
---
## Performance Impact
### Database Queries
- **Before:** Failed queries (method didn't exist)
- **After:** ✅ Working queries with caching support
- **Impact:** Positive - pages now load correctly
### Authentication
- **Session-based:** Similar performance (unchanged)
- **JWT-based:** Faster (no session lookup in database)
- **Impact:** Neutral to positive
### Frontend
- **Old:** jQuery dependency, callback hell
- **New:** Modern fetch(), async/await, no extra dependencies
- **Impact:** Positive - cleaner code, better maintainability
---
## Next Steps
### Immediate (Required)
1. ✅ Test browse.php and index_new.php
2. ✅ Test JWT login via API
3. ✅ Verify token authentication works
4. ⏳ Deploy to staging environment
### Short Term (Recommended)
1. ⏳ Add token refresh endpoint
2. ⏳ Migrate remaining jQuery AJAX to fetch()
3. ⏳ Add API endpoints for all resources
4. ⏳ Update Caddyfile with API routes and CORS
### Long Term (Optional)
1. ⏳ Build React/Vue frontend using JWT auth
2. ⏳ Create mobile apps using JWT auth
3. ⏳ Add OAuth2 support (Google, Facebook login)
4. ⏳ Implement WebSockets for real-time features
---
## Troubleshooting
### Issue: "Invalid JWT format"
**Cause:** Token not properly formatted
**Solution:** Ensure token has 3 parts separated by dots: `header.payload.signature`
### Issue: "JWT signature verification failed"
**Cause:** JWT_SECRET mismatch between token generation and validation
**Solution:** Check JWT_SECRET in .env is correct and consistent
### Issue: "JWT token expired"
**Cause:** Token lifetime exceeded
**Solution:** Login again to get new token, or implement token refresh
### Issue: "Not authenticated" on API call
**Cause:** Missing or invalid Authorization header
**Solution:** Ensure header format is: `Authorization: Bearer YOUR_TOKEN`
### Issue: "VDatabase::execute() not found"
**Cause:** Old class file cached
**Solution:** Restart PHP-FPM: `docker-compose restart php`
### Issue: CORS errors from browser
**Cause:** Missing Access-Control headers
**Solution:** API endpoints have CORS. For other pages, add headers in Caddyfile
---
## Files Modified
### Core Classes
- ✅ [f_core/f_classes/class.database.php](../f_core/f_classes/class.database.php) - Added execute() method
- ✅ [f_core/f_classes/class.auth.php](../f_core/f_classes/class.auth.php) - Added JWT methods
### API Endpoints
- ✅ [api/auth.php](../api/auth.php) - Added login_token and verify_token endpoints
### Configuration
- ✅ [.env](../.env) - Updated JWT_SECRET and added JWT_EXPIRY
### Frontend
- ✅ [f_scripts/fe/js/api-helper.js](../f_scripts/fe/js/api-helper.js) - Created new file
### Documentation
- ✅ [docs/API_AUTHENTICATION_GUIDE.md](../docs/API_AUTHENTICATION_GUIDE.md) - Created
- ✅ [docs/BACKEND_FRONTEND_INTEGRATION_FIXES.md](../docs/BACKEND_FRONTEND_INTEGRATION_FIXES.md) - Created (this file)
---
## Conclusion
All critical backend-frontend disconnection issues have been resolved:
✅ Database layer working
✅ Authentication unified on VAuth
✅ JWT token support added
✅ Modern API helper created
✅ Secure configuration implemented
✅ Comprehensive documentation written
**EasyStream now supports both traditional session-based authentication and modern JWT token-based authentication, enabling:**
- ✅ Traditional server-rendered pages (existing functionality preserved)
- ✅ Modern single-page applications (React, Vue, Angular)
- ✅ Mobile applications (iOS, Android)
- ✅ Third-party API integrations
- ✅ Microservices architecture
The system is now ready for modern frontend development while maintaining backward compatibility with existing code.
---
**For questions or issues, check:**
- [API Authentication Guide](./API_AUTHENTICATION_GUIDE.md)
- Application logs: `f_data/logs/`
- Error handler: `VErrorHandler` and `VLogger` classes

18
docs/BRANDING_MIGRATION.md Normal file
View File

@@ -0,0 +1,18 @@
**JW Player Branding Migration**
- Purpose: replace legacy ViewShark branding inside the JW Player serialized config stored in `db_fileplayers`.
- What it changes:
- `jw_logo_file` → empty (no external logo by default)
- `jw_logo_link` → your `site_url` (if set), otherwise empty
- `jw_rc_text``Powered by EasyStream` (uses your `site_name` if present)
- `jw_rc_link` → your `site_url` (if set), otherwise empty
Run after your database is initialized (docker-compose up created the schema):
- `php f_scripts/migrations/update_jw_branding.php`
Notes
- The script safely unserializes the PHP array, updates keys, and reserializes.
- It only touches `db_name` in (`jw_local`, `jw_embed`).
- If no change is necessary, it leaves rows untouched.

800
docs/CONFLICT_RESOLUTION_GUIDE.md Normal file
View File

@@ -0,0 +1,800 @@
# EasyStream Conflict Resolution Guide
## Overview
This document identifies and provides solutions for conflicts between legacy code and new modern code in EasyStream.
**Last Updated:** January 2025
---
## Table of Contents
1. [Session Variable Conflicts](#session-variable-conflicts)
2. [Authentication Class Conflicts](#authentication-class-conflicts)
3. [Database Query Conflicts](#database-query-conflicts)
4. [Frontend JavaScript Conflicts](#frontend-javascript-conflicts)
5. [API Response Format Conflicts](#api-response-format-conflicts)
6. [Migration Action Plan](#migration-action-plan)
---
## 1. Session Variable Conflicts
### Problem
Multiple session variable names are used inconsistently:
- `$_SESSION['USER_ID']` (uppercase)
- `$_SESSION['usr_id']` (lowercase)
- `$_SESSION['user_id']` (lowercase with underscore)
This causes bugs where authentication checks fail randomly.
### Current Impact
**Files affected:** 26+ files
**Example conflicts:**
```php
// api/videos.php - Checks both!
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
// f_modules/m_frontend/m_acct/account.php - Uses different one
$membership_check = ($_SESSION["USER_ID"] > 0) ? VLogin::checkSubscription() : null;
```
### Solution
**Standardize on ONE session variable: `$_SESSION['USER_ID']`**
#### Step 1: Create Session Helper Function
**File:** `f_core/f_functions/functions.session.php`
```php
<?php
/**
* Session Helper Functions
* Provides standardized session access
*/
/**
* Get current user ID from session
* Handles legacy session variable names
*
* @return int User ID or 0 if not logged in
*/
function getCurrentUserId() {
// Check modern standard
if (isset($_SESSION['USER_ID']) && $_SESSION['USER_ID'] > 0) {
return (int) $_SESSION['USER_ID'];
}
// Check legacy variants (for migration period)
if (isset($_SESSION['usr_id']) && $_SESSION['usr_id'] > 0) {
// Migrate to new standard
$_SESSION['USER_ID'] = (int) $_SESSION['usr_id'];
unset($_SESSION['usr_id']);
return (int) $_SESSION['USER_ID'];
}
if (isset($_SESSION['user_id']) && $_SESSION['user_id'] > 0) {
// Migrate to new standard
$_SESSION['USER_ID'] = (int) $_SESSION['user_id'];
unset($_SESSION['user_id']);
return (int) $_SESSION['USER_ID'];
}
return 0;
}
/**
* Set current user ID in session
*
* @param int $userId User ID to set
*/
function setCurrentUserId($userId) {
$_SESSION['USER_ID'] = (int) $userId;
// Clean up legacy session variables
unset($_SESSION['usr_id']);
unset($_SESSION['user_id']);
}
/**
* Check if user is logged in
*
* @return bool
*/
function isUserLoggedIn() {
return getCurrentUserId() > 0;
}
/**
* Clear user session
*/
function clearUserSession() {
unset($_SESSION['USER_ID']);
unset($_SESSION['usr_id']);
unset($_SESSION['user_id']);
}
```
#### Step 2: Update VAuth to Use Standard
**File:** `f_core/f_classes/class.auth.php`
Add to VAuth class:
```php
/**
* Get current user ID
* @return int
*/
public static function getCurrentUserId() {
return getCurrentUserId(); // Use helper function
}
/**
* Set user ID after login
* @param int $userId
*/
private function setUserId($userId) {
setCurrentUserId($userId);
}
```
#### Step 3: Update All API Endpoints
Replace this pattern:
```php
// OLD - checking multiple variables
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
```
With:
```php
// NEW - use helper function
if (!$userId) {
$userId = getCurrentUserId();
}
```
#### Step 4: Update All Module Files
**Files to update:**
- `f_modules/m_frontend/m_acct/account.php`
- `f_modules/m_frontend/templatebuilder.php`
- `f_modules/m_frontend/templatebuilder_ajax.php`
- `f_modules/m_frontend/m_player/embed.php`
- `f_modules/m_frontend/m_notif/notifications_bell.php`
**Before:**
```php
$user_id = isset($_SESSION['USER_ID']) ? (int)$_SESSION['USER_ID'] : 0;
```
**After:**
```php
$user_id = getCurrentUserId();
```
---
## 2. Authentication Class Conflicts
### Problem
**Multiple authentication classes exist:**
1. `VLogin` - Old, deprecated, still referenced in `account.php`
2. `VSession` - Redundant with VAuth
3. `VAuth` - Modern, should be the only one used
### Current Impact
**File:** `f_modules/m_frontend/m_acct/account.php`
```php
// Line 37 - Uses OLD VLogin class!
$membership_check = ($_SESSION["USER_ID"] > 0) ? VLogin::checkSubscription() : null;
```
This will FAIL if VLogin class is removed.
### Solution
#### Step 1: Check if VLogin Class Exists
```bash
find . -name "class.login.php" -type f
```
**Result:** No `class.login.php` found - VLogin doesn't exist!
This means `account.php` line 37 will throw a fatal error.
#### Step 2: Fix account.php
**File:** `f_modules/m_frontend/m_acct/account.php`
**Before:**
```php
$membership_check = ($cfg["paid_memberships"] == 1 and $_SESSION["USER_ID"] > 0)
? VLogin::checkSubscription()
: null;
```
**After:**
```php
// Use VAuth or VMembership class instead
require_once $cfg['classes_dir'] . '/class.membership.php';
$membership_check = ($cfg["paid_memberships"] == 1 && getCurrentUserId() > 0)
? VMembership::checkSubscription(getCurrentUserId())
: null;
```
#### Step 3: Search and Replace All VLogin References
```bash
# Find all VLogin references
grep -r "VLogin" --include="*.php" f_modules/
# Replace with VAuth
# For each file found, update to use VAuth::getInstance()
```
---
## 3. Database Query Conflicts
### Problem
**Multiple patterns for database queries:**
1. **Old direct ADOdb calls:**
```php
$db = $database->db_connect();
$result = $db->Execute("SELECT ...");
```
2. **VDatabase wrapper (correct):**
```php
$db = VDatabase::getInstance();
$result = $db->execute("SELECT ...", $params);
```
3. **Old procedural style:**
```php
$result = mysql_query("SELECT ...");
```
### Solution
**Standardize on VDatabase singleton pattern**
#### Search and Replace Pattern
**Find:**
```php
$database->db_connect()
$db->Execute()
$db->GetRow()
```
**Replace with:**
```php
$db = VDatabase::getInstance();
$db->execute()
$db->singleRow()
```
#### Example Fix
**Before:**
```php
function getUser($userId) {
global $database;
$db = $database->db_connect();
$sql = "SELECT * FROM db_users WHERE usr_id = " . $userId; // SQL injection!
$result = $db->Execute($sql);
return $result->FetchRow();
}
```
**After:**
```php
function getUser($userId) {
$db = VDatabase::getInstance();
$sql = "SELECT * FROM db_users WHERE usr_id = ?";
$result = $db->execute($sql, [$userId]);
return $result && $result->RecordCount() > 0 ? $result->fields : null;
}
```
---
## 4. Frontend JavaScript Conflicts
### Problem
**Three different AJAX patterns:**
1. **jQuery $.post (legacy):**
```javascript
jQuery.post(url, data, function(result) { ... });
```
2. **jQuery $.ajax (legacy):**
```javascript
jQuery.ajax({ url: url, method: 'POST', data: data });
```
3. **Modern fetch via api-helper (new):**
```javascript
await api.post(url, data);
```
### Current Impact
- **Page weight:** jQuery adds 87KB
- **Maintenance:** Three patterns to maintain
- **Consistency:** Different error handling for each
### Solution
**Migrate all to api-helper.js**
#### Migration Example 1: Browse Videos
**File:** `f_scripts/fe/js/browse.init.js`
**Before:**
```javascript
jQuery(".more-button").click(function () {
var page = parseInt(jQuery(this).attr("rel-page"));
var url = _rel + "?p=0&m=" + idnr + "&sort=" + type + "&page=" + page;
jQuery("#list ul").mask("");
jQuery.get(url, function(result) {
jQuery("#list ul").append(result).unmask();
jQuery(".more-button").attr("rel-page", page + 1);
});
});
```
**After:**
```javascript
document.addEventListener('click', async (e) => {
const moreBtn = e.target.closest('.more-button');
if (!moreBtn) return;
const page = parseInt(moreBtn.dataset.page);
try {
showLoading(moreBtn);
const result = await api.getVideos({
page: page,
sort: currentSort,
category: currentCategory
});
if (result.success) {
appendVideos(result.data.videos);
moreBtn.dataset.page = page + 1;
// Hide button if no more pages
if (page >= result.data.pagination.pages) {
moreBtn.style.display = 'none';
}
}
} catch (error) {
api.handleError(error);
} finally {
hideLoading(moreBtn);
}
});
function appendVideos(videos) {
const list = document.getElementById('video-list');
videos.forEach(video => {
const item = createVideoElement(video);
list.appendChild(item);
});
}
```
#### Migration Example 2: Watch Later
**File:** `f_scripts/fe/js/browse.init.js`
**Before:**
```javascript
jQuery(".watch_later_wrap").click(function () {
var file_key = jQuery(this).attr("rel-key");
var _this = jQuery(this);
jQuery.post(url, {"fileid[0]": file_key}, function(result) {
_this.find(".icon-clock")
.removeClass("icon-clock")
.addClass("icon-check");
});
});
```
**After:**
```javascript
document.addEventListener('click', async (e) => {
const watchBtn = e.target.closest('.watch-later-btn');
if (!watchBtn) return;
const fileKey = watchBtn.dataset.fileKey;
try {
const result = await api.toggleWatchLater(fileKey);
if (result.success) {
const icon = watchBtn.querySelector('.icon');
if (result.data.action === 'added') {
icon.classList.remove('icon-clock');
icon.classList.add('icon-check');
watchBtn.title = 'In Watch List';
} else {
icon.classList.remove('icon-check');
icon.classList.add('icon-clock');
watchBtn.title = 'Watch Later';
}
}
} catch (error) {
api.handleError(error);
}
});
```
---
## 5. API Response Format Conflicts
### Problem
**Inconsistent response formats:**
1. **New API endpoints (standardized):**
```json
{
"success": true,
"data": { ... },
"error": null
}
```
2. **Old endpoints (inconsistent):**
```json
{
"status": "ok",
"result": { ... }
}
```
OR just raw data:
```json
{ "usr_id": 1, "usr_name": "john" }
```
### Solution
**Update all old endpoints to use standard format**
#### Standard Response Helper
**File:** `f_core/f_functions/functions.api.php`
```php
<?php
/**
* API Response Functions
* Provides standardized API responses
*/
/**
* Send success response
*
* @param mixed $data Data to return
* @param int $statusCode HTTP status code
*/
function sendApiSuccess($data = null, $statusCode = 200) {
http_response_code($statusCode);
header('Content-Type: application/json');
echo json_encode([
'success' => true,
'data' => $data,
'error' => null
], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
exit;
}
/**
* Send error response
*
* @param string $message Error message
* @param int $statusCode HTTP status code
* @param array $details Additional error details
*/
function sendApiError($message, $statusCode = 400, $details = null) {
http_response_code($statusCode);
header('Content-Type: application/json');
$response = [
'success' => false,
'data' => null,
'error' => $message
];
if ($details) {
$response['details'] = $details;
}
echo json_encode($response, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
exit;
}
/**
* Validate API request method
*
* @param string|array $allowedMethods Allowed HTTP method(s)
* @throws Exception if method not allowed
*/
function validateApiMethod($allowedMethods) {
$allowedMethods = (array) $allowedMethods;
$currentMethod = $_SERVER['REQUEST_METHOD'];
if (!in_array($currentMethod, $allowedMethods)) {
sendApiError(
'Method not allowed. Allowed: ' . implode(', ', $allowedMethods),
405
);
}
}
```
#### Update Old API Endpoints
**Example:** `api/privacy.php`
**Before:**
```php
// Returns raw data, no standard format
echo json_encode($result);
```
**After:**
```php
require_once __DIR__ . '/../f_core/f_functions/functions.api.php';
try {
// ... existing code ...
sendApiSuccess([
'privacy_settings' => $result
]);
} catch (Exception $e) {
sendApiError($e->getMessage(), 500);
}
```
---
## 6. Migration Action Plan
### Critical Fixes (Do First - High Impact)
#### Fix 1: Create Session Helper Functions
**File to create:** `f_core/f_functions/functions.session.php`
**Priority:** CRITICAL - Affects authentication everywhere
**Time:** 30 minutes
**Steps:**
1. Create the file with helper functions (code provided above)
2. Include in `f_core/config.core.php`
3. Test that `getCurrentUserId()` works
**Test:**
```php
// Add to any page temporarily
echo "User ID: " . getCurrentUserId();
```
#### Fix 2: Update API Endpoints to Use Helper
**Files to update:**
- `api/videos.php`
- `api/user.php`
- `api/comments.php`
- `api/subscriptions.php`
**Priority:** HIGH - Prevents session bugs
**Time:** 1 hour
**Pattern to replace:**
```php
// Find this:
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
// Replace with:
if (!$userId) {
$userId = getCurrentUserId();
}
```
#### Fix 3: Fix VLogin Reference in account.php
**File:** `f_modules/m_frontend/m_acct/account.php`
**Priority:** CRITICAL - Currently broken!
**Time:** 15 minutes
**Line 37 fix:**
```php
// Before:
$membership_check = ($_SESSION["USER_ID"] > 0) ? VLogin::checkSubscription() : null;
// After:
$membership_check = ($cfg["paid_memberships"] == 1 && getCurrentUserId() > 0)
? VMembership::checkSubscription(getCurrentUserId())
: null;
```
### Medium Priority Fixes
#### Fix 4: Standardize Database Queries
**Pattern:** Search for `$database->db_connect()` and replace with `VDatabase::getInstance()`
**Priority:** MEDIUM - Performance improvement
**Time:** 2-3 hours
**Command:**
```bash
grep -r "db_connect" --include="*.php" f_modules/
```
#### Fix 5: Migrate jQuery AJAX in browse.init.js
**File:** `f_scripts/fe/js/browse.init.js`
**Priority:** MEDIUM - Performance improvement
**Time:** 3-4 hours
**See examples in section 4 above**
### Low Priority (Can wait)
#### Fix 6: Create API Response Helper
**File to create:** `f_core/f_functions/functions.api.php`
**Priority:** LOW - Nice to have
**Time:** 1 hour
#### Fix 7: Update Old API Endpoints
**Files:** `api/privacy.php`, `api/telegram.php`, etc.
**Priority:** LOW - These endpoints still work
**Time:** 2-3 hours
---
## Testing Checklist
After each fix, test:
```
Authentication:
☐ Login works
☐ Session persists after page reload
☐ Logout clears session
☐ Protected pages redirect to login
API Endpoints:
☐ Videos list loads
☐ Comments load and post
☐ Subscribe/unsubscribe works
☐ User profile loads
Frontend:
☐ Browse videos page works
☐ Load more pagination works
☐ Watch later toggle works
☐ No JavaScript console errors
```
---
## Rollback Plan
If something breaks:
1. **Backup before changes:**
```bash
git add .
git commit -m "Before conflict resolution"
```
2. **If issues occur:**
```bash
git revert HEAD
```
3. **Test specific fix in isolation:**
```bash
git checkout -b test-session-fix
# Apply only session fix
# Test thoroughly
# If good, merge to main
```
---
## Priority Order
1.**Session Helper Functions** - Do this FIRST (CRITICAL)
2.**Update API Endpoints** - Fix session access (HIGH)
3.**Fix account.php VLogin** - Currently broken (CRITICAL)
4. ⏸️ **Standardize Database Queries** - Performance (MEDIUM)
5. ⏸️ **Migrate jQuery AJAX** - Performance (MEDIUM)
6. ⏸️ **API Response Helpers** - Nice to have (LOW)
---
## Estimated Timeline
- **Critical fixes (1-3):** 2-3 hours
- **Medium fixes (4-5):** 1 week
- **Low priority (6-7):** 1-2 weeks
**Total: 2-3 weeks for complete resolution**
---
## Next Steps
1. Create `f_core/f_functions/functions.session.php`
2. Update `f_core/config.core.php` to include it
3. Update all API endpoints to use `getCurrentUserId()`
4. Fix `f_modules/m_frontend/m_acct/account.php`
5. Test authentication thoroughly
6. Proceed to medium priority fixes
---
**Document Created:** January 2025
**Status:** Ready for Implementation

815
docs/FRONTEND_BACKEND_INTEGRATION_GUIDE.md Normal file
View File

@@ -0,0 +1,815 @@
# Frontend-Backend Integration Guide
## Overview
This guide explains how to properly connect EasyStream's frontend JavaScript code with the backend API endpoints. It covers migrating from legacy jQuery AJAX calls to modern fetch API using the provided `api-helper.js` client.
## Table of Contents
1. [Architecture Overview](#architecture-overview)
2. [Migration Strategy](#migration-strategy)
3. [Using api-helper.js](#using-api-helperjs)
4. [Authentication Patterns](#authentication-patterns)
5. [Common Migration Patterns](#common-migration-patterns)
6. [Error Handling](#error-handling)
7. [Testing Integration](#testing-integration)
---
## Architecture Overview
### Current State
EasyStream has three layers of API integration:
1. **Modern API Endpoints** (`/api/*.php`)
- RESTful design
- JSON request/response
- JWT + Session auth support
- Proper error handling
2. **Modern Frontend Client** (`api-helper.js`)
- Fetch API based
- Promise/async-await pattern
- Automatic token management
- Error handling helpers
3. **Legacy Frontend Code** (jQuery AJAX calls)
- Scattered across multiple files
- Inconsistent patterns
- Needs migration
### Target State
All frontend code should use `api-helper.js` for consistency, maintainability, and better error handling.
---
## Migration Strategy
### Phase 1: Identify Legacy Code (COMPLETED)
Found legacy jQuery AJAX calls in:
- `f_scripts/fe/js/browse.init.js`
- `f_scripts/fe/js/jquery.init.js`
- Various other frontend scripts
### Phase 2: Create Modern API Endpoints (COMPLETED)
Created comprehensive RESTful APIs:
- `/api/videos.php` - Video operations
- `/api/user.php` - User profile operations
- `/api/comments.php` - Comment operations
- `/api/subscriptions.php` - Subscription operations
- `/api/auth.php` - Authentication (already existed, enhanced)
### Phase 3: Enhance Frontend Client (COMPLETED)
Enhanced `api-helper.js` with methods for all endpoints.
### Phase 4: Migrate Legacy Code (IN PROGRESS)
Replace jQuery AJAX calls with modern fetch API using `api-helper.js`.
### Phase 5: Test & Validate (PENDING)
Test all integrated endpoints end-to-end.
---
## Using api-helper.js
### Basic Setup
The API helper is automatically initialized on page load:
```javascript
// Available globally
const api = window.api;
// Or create new instance
const customAPI = new EasyStreamAPI('/api');
```
### Authentication
#### Login
```javascript
// Login and store token
try {
const result = await api.login('username', 'password');
if (result.success) {
console.log('Logged in as:', result.user.usr_user);
// Token is automatically stored in localStorage
}
} catch (error) {
console.error('Login failed:', error.message);
}
```
#### Check Authentication
```javascript
if (api.isAuthenticated()) {
console.log('User is logged in');
} else {
console.log('User needs to login');
}
```
#### Logout
```javascript
await api.logout();
// Token is automatically cleared
```
### Making API Calls
#### Videos
```javascript
// List videos
const videos = await api.getVideos({
page: 1,
limit: 20,
sort: 'popular',
category: 'entertainment'
});
// Get single video
const video = await api.getVideo('123456');
// Search videos
const searchResults = await api.searchVideos('search query', { page: 1 });
// Create video
const newVideo = await api.createVideo({
title: 'My Video',
description: 'Video description',
privacy: 'public'
});
// Update video
await api.updateVideo('123456', {
file_title: 'Updated Title'
});
// Delete video
await api.deleteVideo('123456');
// Like video
await api.likeVideo('123456', 'like');
// Record view
await api.recordVideoView('123456');
// Watch later
await api.toggleWatchLater('123456');
```
#### User Profile
```javascript
// Get current user's profile
const myProfile = await api.getMyProfile();
// Get another user's profile
const userProfile = await api.getUserProfile(123);
// Update profile
await api.updateProfile({
usr_dname: 'New Name',
usr_about: 'Updated bio'
});
// Upload avatar
const fileInput = document.getElementById('avatar-input');
const file = fileInput.files[0];
await api.uploadAvatar(file);
// Get user stats
const stats = await api.getUserStats();
// Get user's videos
const userVideos = await api.getUserVideos(123, { page: 1 });
```
#### Comments
```javascript
// Get comments
const comments = await api.getComments('123456', {
page: 1,
sort: 'recent'
});
// Create comment
const newComment = await api.createComment(
'123456', // file_key
'This is my comment',
null // parent_id (null for top-level comment)
);
// Reply to comment
const reply = await api.createComment(
'123456',
'This is a reply',
456 // parent comment ID
);
// Update comment
await api.updateComment(789, 'Updated text');
// Delete comment
await api.deleteComment(789);
// Like comment
await api.likeComment(789);
// Report comment
await api.reportComment(789, 'Spam');
```
#### Subscriptions
```javascript
// Get subscriptions
const subs = await api.getSubscriptions();
// Check if subscribed
const status = await api.checkSubscription(123);
if (status.data.is_subscribed) {
console.log('Already subscribed');
}
// Subscribe
await api.subscribe(123);
// Unsubscribe
await api.unsubscribe(123);
// Get subscription feed
const feed = await api.getSubscriptionFeed({ page: 1 });
// Get subscribers
const subscribers = await api.getSubscribers(123);
```
---
## Authentication Patterns
### JWT Token Authentication (Recommended)
Best for: SPAs, mobile apps, API clients
```javascript
// 1. Login to get token
const result = await api.login('username', 'password');
// 2. Token is automatically stored and used for subsequent requests
const profile = await api.getMyProfile();
// 3. Logout clears token
await api.logout();
```
### Session-based Authentication
Best for: Traditional multi-page websites
```javascript
// Login via form submission (handles CSRF automatically)
const formData = new FormData(loginForm);
const response = await fetch('/api/auth.php?action=login', {
method: 'POST',
body: formData,
credentials: 'include' // Important for cookies
});
```
### Hybrid Approach
Use sessions for page navigation, JWT for API calls:
```javascript
// Check if user has session
const statusResponse = await fetch('/api/auth.php?action=status', {
credentials: 'include'
});
const status = await statusResponse.json();
if (status.authenticated) {
// User has session, optionally get JWT for API calls
// (if needed for cross-origin requests)
}
```
---
## Common Migration Patterns
### Pattern 1: Simple GET Request
**Before (jQuery):**
```javascript
jQuery.get(url, function(result) {
console.log(result);
updateUI(result);
});
```
**After (api-helper):**
```javascript
try {
const result = await api.get(url);
console.log(result);
updateUI(result.data);
} catch (error) {
api.handleError(error);
}
```
### Pattern 2: POST with Data
**Before (jQuery):**
```javascript
jQuery.post(url, {
field1: value1,
field2: value2
}, function(result) {
if (result.success) {
showSuccess('Saved!');
}
});
```
**After (api-helper):**
```javascript
try {
const result = await api.post(url, {
field1: value1,
field2: value2
});
if (result.success) {
showSuccess('Saved!');
}
} catch (error) {
api.handleError(error);
}
```
### Pattern 3: Load More / Pagination
**Before (jQuery):**
```javascript
jQuery(".more-button").click(function() {
var page = parseInt(jQuery(this).attr("rel-page"));
var url = _rel + "?p=0&m=" + idnr + "&sort=" + type + "&page=" + page;
jQuery.get(url, function(result) {
jQuery("#list ul").append(result);
jQuery(".more-button").attr("rel-page", page + 1);
});
});
```
**After (api-helper):**
```javascript
document.addEventListener('click', async (e) => {
if (e.target.classList.contains('more-button')) {
const page = parseInt(e.target.getAttribute('data-page'));
try {
const result = await api.getVideos({
page: page,
sort: currentSort,
category: currentCategory
});
if (result.success) {
appendVideos(result.data.videos);
e.target.setAttribute('data-page', page + 1);
// Hide button if no more pages
if (page >= result.data.pagination.pages) {
e.target.style.display = 'none';
}
}
} catch (error) {
api.handleError(error);
}
}
});
function appendVideos(videos) {
const list = document.getElementById('video-list');
videos.forEach(video => {
const item = createVideoElement(video);
list.appendChild(item);
});
}
```
### Pattern 4: Form Submission
**Before (jQuery):**
```javascript
jQuery("#comment-form").submit(function(e) {
e.preventDefault();
var formData = jQuery(this).serialize();
jQuery.post("/submit-comment.php", formData, function(result) {
if (result.success) {
addCommentToUI(result.comment);
jQuery("#comment-form")[0].reset();
}
});
});
```
**After (api-helper):**
```javascript
document.getElementById('comment-form').addEventListener('submit', async (e) => {
e.preventDefault();
const formData = new FormData(e.target);
const commentText = formData.get('comment_text');
const fileKey = formData.get('file_key');
try {
const result = await api.createComment(fileKey, commentText);
if (result.success) {
addCommentToUI(result.data);
e.target.reset();
}
} catch (error) {
api.handleError(error);
}
});
```
### Pattern 5: Watch Later Toggle
**Before (jQuery):**
```javascript
jQuery(".watch_later_wrap").click(function() {
var file_key = jQuery(this).attr("rel-key");
var file_type = jQuery(this).attr("rel-type");
var url = _rel + "?a=cb-watchadd&for=sort-" + file_type;
var _this = jQuery(this);
jQuery.post(url, {"fileid[0]": file_key}, function(result) {
_this.find(".icon-clock")
.removeClass("icon-clock")
.addClass("icon-check");
_this.next().text("In Watch List");
});
});
```
**After (api-helper):**
```javascript
document.addEventListener('click', async (e) => {
const watchBtn = e.target.closest('.watch-later-btn');
if (!watchBtn) return;
const fileKey = watchBtn.dataset.fileKey;
try {
const result = await api.toggleWatchLater(fileKey);
if (result.success) {
const icon = watchBtn.querySelector('.icon');
const text = watchBtn.querySelector('.text');
if (result.data.action === 'added') {
icon.classList.remove('icon-clock');
icon.classList.add('icon-check');
text.textContent = 'In Watch List';
} else {
icon.classList.remove('icon-check');
icon.classList.add('icon-clock');
text.textContent = 'Watch Later';
}
}
} catch (error) {
api.handleError(error);
}
});
```
### Pattern 6: Subscribe Button
**Before (jQuery):**
```javascript
jQuery(".subscribe-btn").click(function() {
var channelId = jQuery(this).data("channel-id");
jQuery.post("/subscribe.php", { channel_id: channelId }, function(result) {
if (result.success) {
jQuery(".subscribe-btn").text("Subscribed");
jQuery(".subscriber-count").text(result.subscriber_count);
}
});
});
```
**After (api-helper):**
```javascript
document.addEventListener('click', async (e) => {
const subscribeBtn = e.target.closest('.subscribe-btn');
if (!subscribeBtn) return;
const channelId = parseInt(subscribeBtn.dataset.channelId);
const isSubscribed = subscribeBtn.classList.contains('subscribed');
try {
if (isSubscribed) {
await api.unsubscribe(channelId);
subscribeBtn.classList.remove('subscribed');
subscribeBtn.textContent = 'Subscribe';
} else {
const result = await api.subscribe(channelId);
subscribeBtn.classList.add('subscribed');
subscribeBtn.textContent = 'Subscribed';
// Update subscriber count if available
if (result.data.subscriber_count) {
document.querySelector('.subscriber-count').textContent =
result.data.subscriber_count;
}
}
} catch (error) {
api.handleError(error);
}
});
```
---
## Error Handling
### Comprehensive Error Handling
```javascript
async function performAction() {
try {
// Show loading state
showLoading();
const result = await api.someAction();
if (result.success) {
showSuccess('Action completed!');
updateUI(result.data);
} else {
showError(result.error || 'Action failed');
}
} catch (error) {
// Handle different error types
if (error.message.includes('Authentication')) {
// Redirect to login
window.location.href = '/signin';
} else if (error.message.includes('Network')) {
showError('Network error. Please check your connection.');
} else {
showError(error.message || 'An unexpected error occurred');
}
// Log error for debugging
console.error('Action failed:', error);
} finally {
// Always hide loading state
hideLoading();
}
}
```
### Using Built-in Error Handler
```javascript
try {
const result = await api.someAction();
// Handle success
} catch (error) {
// Use built-in error handler with custom callback
api.handleError(error, (message) => {
showNotification('error', message);
});
}
```
### Retry Logic
```javascript
async function apiCallWithRetry(apiMethod, maxRetries = 3) {
let lastError;
for (let i = 0; i < maxRetries; i++) {
try {
return await apiMethod();
} catch (error) {
lastError = error;
// Don't retry on auth errors
if (error.message.includes('Authentication')) {
throw error;
}
// Wait before retry (exponential backoff)
if (i < maxRetries - 1) {
await new Promise(resolve => setTimeout(resolve, Math.pow(2, i) * 1000));
}
}
}
throw lastError;
}
// Usage
try {
const result = await apiCallWithRetry(() => api.getVideos({ page: 1 }));
} catch (error) {
api.handleError(error);
}
```
---
## Testing Integration
### Manual Testing Checklist
1. **Authentication**
- [ ] Login with username
- [ ] Login with email
- [ ] Invalid credentials show error
- [ ] Token persists after page reload
- [ ] Logout clears token
- [ ] Expired token triggers re-login
2. **Videos**
- [ ] List videos loads correctly
- [ ] Pagination works
- [ ] Sorting works (popular, recent, etc.)
- [ ] Category filtering works
- [ ] Single video loads with all details
- [ ] Search returns relevant results
- [ ] Like/dislike updates count
- [ ] View count increments
- [ ] Watch later toggle works
3. **User Profile**
- [ ] Profile loads correctly
- [ ] Profile update saves changes
- [ ] Avatar upload works
- [ ] Statistics display correctly
- [ ] User's videos load
4. **Comments**
- [ ] Comments load for video
- [ ] Create comment works
- [ ] Reply to comment works
- [ ] Edit comment works
- [ ] Delete comment works
- [ ] Like comment updates count
- [ ] Pagination works
5. **Subscriptions**
- [ ] Subscribe button works
- [ ] Unsubscribe works
- [ ] Subscription list displays
- [ ] Subscriber count updates
- [ ] Subscription feed loads
### Automated Testing
Create test files in `tests/integration/`:
```javascript
// Example: test-videos-api.js
describe('Videos API Integration', () => {
let api;
let testVideoId;
beforeAll(async () => {
api = new EasyStreamAPI('/api');
await api.login('testuser', 'testpass');
});
test('should list videos', async () => {
const result = await api.getVideos({ page: 1 });
expect(result.success).toBe(true);
expect(result.data.videos).toBeInstanceOf(Array);
});
test('should create video', async () => {
const result = await api.createVideo({
title: 'Test Video',
description: 'Test description'
});
expect(result.success).toBe(true);
testVideoId = result.data.file_key;
});
test('should get single video', async () => {
const result = await api.getVideo(testVideoId);
expect(result.success).toBe(true);
expect(result.data.file_key).toBe(testVideoId);
});
afterAll(async () => {
if (testVideoId) {
await api.deleteVideo(testVideoId);
}
await api.logout();
});
});
```
### Browser Console Testing
Quick tests in browser console:
```javascript
// Test login
await api.login('username', 'password')
// Test get videos
await api.getVideos({ page: 1 })
// Test create comment
await api.createComment('123456', 'Test comment')
// Check authentication
api.isAuthenticated()
// View stored token
localStorage.getItem('jwt_token')
```
---
## Best Practices
1. **Always use try-catch** for async API calls
2. **Show loading states** during API requests
3. **Provide user feedback** for success/error
4. **Cache results** when appropriate
5. **Debounce** search/autocomplete requests
6. **Validate input** before sending to API
7. **Handle edge cases** (empty results, network errors, etc.)
8. **Log errors** for debugging
9. **Use TypeScript** for better type safety (optional)
10. **Test thoroughly** before deploying
---
## Migration Priority
Migrate in this order:
1. **Critical User Actions**
- Login/Logout
- Video playback
- Comments
- Subscriptions
2. **Content Display**
- Video listings
- User profiles
- Search
3. **Secondary Features**
- Notifications
- Watch later
- Playlists
4. **Admin Features**
- Analytics
- Moderation
- Settings
---
## Support
If you encounter issues during migration:
1. Check [API_DOCUMENTATION.md](API_DOCUMENTATION.md) for endpoint details
2. Review [BACKEND_FRONTEND_INTEGRATION_FIXES.md](BACKEND_FRONTEND_INTEGRATION_FIXES.md)
3. Test endpoints using browser DevTools Network tab
4. Check backend logs for errors
5. Verify CORS configuration if cross-origin issues occur
---
**Last Updated:** January 2025

503
docs/IMPLEMENTATION_CHECKLIST.md Normal file
View File

@@ -0,0 +1,503 @@
# EasyStream Conflict Resolution - Implementation Checklist
## Overview
This document provides a step-by-step checklist for implementing all conflict resolutions and ensuring EasyStream is fully updated to modern standards.
**Status:** ✅ Critical Infrastructure Complete - Ready for Final Updates
---
## ✅ COMPLETED - Critical Infrastructure
### 1. Session Helper Functions ✅
- **File Created:** `f_core/f_functions/functions.session.php`
- **Purpose:** Standardizes session variable access across application
- **Key Functions:**
- `getCurrentUserId()` - Get user ID from session
- `setCurrentUserId($id)` - Set user ID in session
- `isUserLoggedIn()` - Check if authenticated
- `clearUserSession()` - Clear all session data
- `validateUserSession()` - Check for hijacking attempts
### 2. API Helper Functions ✅
- **File Created:** `f_core/f_functions/functions.api.php`
- **Purpose:** Standardizes API responses and handling
- **Key Functions:**
- `sendApiSuccess($data)` - Send success response
- `sendApiError($message, $code)` - Send error response
- `requireAuth()` - Require authentication
- `validateApiMethod($methods)` - Validate HTTP method
- `getPaginationParams()` - Get pagination data
### 3. Config Core Updated ✅
- **File Updated:** `f_core/config.core.php`
- **Change:** Added includes for new helper functions
- **Lines Added:**
```php
require_once 'f_core/f_functions/functions.session.php';
require_once 'f_core/f_functions/functions.api.php';
```
### 4. Account.php Fixed ✅
- **File Updated:** `f_modules/m_frontend/m_acct/account.php`
- **Issue:** Was calling non-existent `VLogin` class
- **Fix:** Now uses `VAuth::getInstance()` and `getCurrentUserId()`
---
## 🔄 PENDING - API Endpoint Updates
### Update Pattern for All API Endpoints
**Files to Update:**
- ✅ `api/videos.php`
- ✅ `api/user.php`
- ✅ `api/comments.php`
- ✅ `api/subscriptions.php`
- ⏸️ `api/privacy.php`
- ⏸️ `api/upload/progress.php`
**Find and Replace:**
**OLD:**
```php
if (!$userId && isset($_SESSION['USER_ID'])) {
$userId = $_SESSION['USER_ID'];
} elseif (!$userId && isset($_SESSION['usr_id'])) {
$userId = $_SESSION['usr_id'];
}
```
**NEW:**
```php
if (!$userId) {
$userId = getCurrentUserId();
}
```
**Implementation Steps:**
1. Open each file
2. Search for the old pattern
3. Replace with new pattern
4. Test the endpoint
5. Check off in this list
### Individual File Updates
#### api/privacy.php
- [ ] Replace session access pattern
- [ ] Test privacy settings endpoint
- [ ] Verify authentication works
#### api/upload/progress.php
- [ ] Replace session access pattern
- [ ] Test upload progress tracking
- [ ] Verify user identification works
---
## 🔄 PENDING - Module File Updates
### Frontend Modules to Update
**Pattern to Find:**
```php
$user_id = isset($_SESSION['USER_ID']) ? (int)$_SESSION['USER_ID'] : 0;
// OR
$uid = (int) $_SESSION['USER_ID'];
// OR
if ($_SESSION['USER_ID'] > 0)
```
**Replace With:**
```php
$user_id = getCurrentUserId();
// OR
if (isUserLoggedIn())
```
**Files to Update:**
#### f_modules/m_frontend/templatebuilder.php
- [ ] Line 21: Replace `$_SESSION['USER_ID']` with `getCurrentUserId()`
- [ ] Test template builder loads
- [ ] Verify user authentication
#### f_modules/m_frontend/templatebuilder_ajax.php
- [ ] Line 11: Replace session check with `isUserLoggedIn()`
- [ ] Test AJAX requests
- [ ] Verify authentication redirect
#### f_modules/m_frontend/m_player/embed.php
- [ ] Line 56: Replace `$_SESSION['USER_ID']` with `getCurrentUserId()`
- [ ] Test video embed
- [ ] Verify membership check
#### f_modules/m_frontend/m_notif/notifications_bell.php
- [ ] Line 63: Replace session access with `getCurrentUserId()`
- [ ] Test notification loading
- [ ] Verify user notifications display
---
## 🔄 PENDING - Frontend JavaScript Migration
### Priority 1: High-Traffic Pages
#### browse.init.js
**Current Issues:**
- Uses jQuery $.get and $.post
- Inline string concatenation for URLs
- No proper error handling
**Migration Steps:**
1. [ ] Replace "Load More" jQuery with api-helper
2. [ ] Replace "Watch Later" jQuery with api-helper
3. [ ] Update sorting/filtering to use API
4. [ ] Add proper error handling
5. [ ] Test pagination
6. [ ] Test watch later toggle
**Estimated Time:** 3-4 hours
#### login.init.js
**Current Issues:**
- Form submission uses jQuery
- Direct form serialization
- Inconsistent error display
**Migration Steps:**
1. [ ] Replace jQuery form handling with fetch
2. [ ] Use api.login() method
3. [ ] Update error display
4. [ ] Add loading states
5. [ ] Test login flow
6. [ ] Test "remember me"
**Estimated Time:** 2-3 hours
#### jquery.init.js
**Current Issues:**
- Global jQuery utilities
- Notification loading uses jQuery
- Inline jQuery event handlers
**Migration Steps:**
1. [ ] Replace notification AJAX with api-helper
2. [ ] Convert event handlers to native JS
3. [ ] Remove jQuery dependencies where possible
4. [ ] Create modern utility functions
5. [ ] Test all notifications
6. [ ] Test user menu interactions
**Estimated Time:** 4-5 hours
### Priority 2: Secondary Pages
#### files.init.js
- [ ] Migrate file operations to API
- [ ] Update upload progress tracking
- [ ] Test file management
#### channels.init.js
- [ ] Migrate channel operations
- [ ] Update subscription handling
- [ ] Test channel pages
#### subdashboard.js
- [ ] Migrate dashboard AJAX calls
- [ ] Update widget loading
- [ ] Test dashboard display
---
## Testing Checklist
### Authentication Testing
After completing updates, test these scenarios:
#### Login Flow
- [ ] Login with username works
- [ ] Login with email works
- [ ] Invalid credentials show error
- [ ] Session persists after page reload
- [ ] Remember me works correctly
- [ ] Logout clears session
#### Session Security
- [ ] Session timeout works
- [ ] User agent change detection works
- [ ] IP change detection works (if enabled)
- [ ] Session hijacking prevented
### API Testing
#### Videos API
- [ ] List videos loads correctly
- [ ] Pagination works
- [ ] Sorting works
- [ ] Filtering works
- [ ] Single video loads
- [ ] Create video works
- [ ] Update video works
- [ ] Delete video works (with permission)
- [ ] Like/dislike works
- [ ] View tracking works
- [ ] Watch later toggle works
#### User API
- [ ] Get profile works
- [ ] Update profile works
- [ ] Avatar upload works
- [ ] Statistics load correctly
- [ ] User videos load
#### Comments API
- [ ] Comments load for video
- [ ] Create comment works
- [ ] Reply to comment works
- [ ] Edit comment works (own comments)
- [ ] Delete comment works (own comments)
- [ ] Like comment works
- [ ] Report comment works
#### Subscriptions API
- [ ] Subscribe works
- [ ] Unsubscribe works
- [ ] Check subscription status works
- [ ] Get subscriptions list works
- [ ] Get subscribers list works
- [ ] Subscription feed loads
### Frontend Testing
#### Browse Page
- [ ] Videos load correctly
- [ ] Load more pagination works
- [ ] Sorting dropdown works
- [ ] Search works
- [ ] Watch later toggle works
- [ ] No console errors
#### Video Page
- [ ] Video plays correctly
- [ ] Like button works
- [ ] Subscribe button works
- [ ] Comments load
- [ ] Post comment works
- [ ] View count increments
#### User Profile
- [ ] Profile displays correctly
- [ ] Edit profile works
- [ ] Avatar upload works
- [ ] User videos display
- [ ] Statistics show correctly
#### Account Settings
- [ ] Settings page loads
- [ ] Update settings works
- [ ] Privacy settings work
- [ ] Email change works
- [ ] Password change works
---
## Performance Testing
### Before/After Metrics
**Measure These:**
1. **Page Load Time**
```bash
# Test browse page
curl -o /dev/null -s -w 'Total: %{time_total}s\n' http://localhost/browse.php
```
2. **API Response Time**
```bash
# Test videos API
curl -o /dev/null -s -w 'Total: %{time_total}s\n' http://localhost/api/videos.php
```
3. **JavaScript Bundle Size**
```bash
# Check total JS size
du -sh f_scripts/fe/js/*.js
```
4. **Database Queries**
```sql
-- Enable slow query log
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL long_query_time = 0.5;
-- Check log after page load
SELECT * FROM mysql.slow_log ORDER BY start_time DESC LIMIT 10;
```
### Target Metrics
- Page load time: < 2 seconds
- API response time: < 300ms
- JavaScript size: < 200KB (after jQuery removal)
- Database queries per page: < 10
---
## Rollback Plan
### If Issues Occur
1. **Immediate Rollback**
```bash
git stash
git checkout HEAD~1
```
2. **Partial Rollback (specific file)**
```bash
git checkout HEAD -- path/to/file.php
```
3. **Check Git Status**
```bash
git status
git log --oneline -10
```
### Backup Strategy
**Before Each Major Change:**
```bash
# Create backup branch
git checkout -b backup-before-migration
git commit -am "Backup before migration"
git checkout main
# Or create manual backup
cp -r /path/to/easystream /path/to/easystream-backup-$(date +%Y%m%d)
```
---
## Migration Timeline
### Week 1: Critical Fixes (CURRENT)
- ✅ Day 1-2: Create helper functions
- ✅ Day 3: Update config and core files
- ✅ Day 4: Fix critical bugs (account.php)
- ⏸️ Day 5: Update API endpoints
### Week 2: Module Updates
- Day 1-2: Update frontend modules
- Day 3-4: Update backend modules
- Day 5: Testing and bug fixes
### Week 3: JavaScript Migration
- Day 1-2: Migrate browse.init.js
- Day 3: Migrate login.init.js
- Day 4: Migrate jquery.init.js
- Day 5: Testing
### Week 4: Polish & Testing
- Day 1-2: Performance testing
- Day 3: Security testing
- Day 4: User acceptance testing
- Day 5: Documentation updates
---
## Success Criteria
### Code Quality
- [ ] No VLogin references remaining
- [ ] Single session variable standard (USER_ID)
- [ ] All API endpoints use helper functions
- [ ] Consistent error handling everywhere
- [ ] No deprecated jQuery where not needed
### Performance
- [ ] Page load < 2 seconds
- [ ] API response < 300ms
- [ ] Database queries < 10 per page
- [ ] JavaScript bundle < 200KB
### Security
- [ ] Session hijacking prevention active
- [ ] CORS properly configured
- [ ] Input validation on all endpoints
- [ ] Rate limiting implemented
- [ ] Security logging active
### Functionality
- [ ] All authentication flows work
- [ ] All API endpoints function correctly
- [ ] All frontend pages load
- [ ] No JavaScript console errors
- [ ] Mobile experience good
---
## Support & Resources
### Documentation
- [CONFLICT_RESOLUTION_GUIDE.md](CONFLICT_RESOLUTION_GUIDE.md) - Detailed conflict info
- [FRONTEND_BACKEND_INTEGRATION_GUIDE.md](FRONTEND_BACKEND_INTEGRATION_GUIDE.md) - Integration patterns
- [API_DOCUMENTATION.md](API_DOCUMENTATION.md) - API reference
- [QUICK_START_GUIDE.md](QUICK_START_GUIDE.md) - Quick examples
### Helper Functions Reference
```php
// Session helpers
getCurrentUserId() // Get current user ID
isUserLoggedIn() // Check if authenticated
setCurrentUserId($id) // Set user ID
clearUserSession() // Clear session
validateUserSession() // Check for hijacking
// API helpers
sendApiSuccess($data) // Send success response
sendApiError($msg, $code) // Send error response
requireAuth() // Require authentication
validateApiMethod($methods) // Validate HTTP method
getPaginationParams() // Get page/limit/offset
```
### JavaScript API Client
```javascript
// Available globally as 'api'
api.login(username, password)
api.isAuthenticated()
api.getVideos(params)
api.createComment(fileKey, text)
api.subscribe(channelId)
// ... see QUICK_START_GUIDE.md for full list
```
---
## Next Steps
1.**Complete Critical Infrastructure** - DONE
2. **Update Remaining API Endpoints** - IN PROGRESS
- Start with api/privacy.php
- Then api/upload/progress.php
3. **Update Frontend Modules** - NEXT
- Start with templatebuilder files
- Then notification bell
4. **Migrate JavaScript** - AFTER MODULES
- Start with browse.init.js
- Most user impact
---
**Last Updated:** January 2025
**Current Phase:** API Endpoint Updates
**Completion:** ~40% (Critical infrastructure done)

683
docs/INTEGRATION_COMPLETE_SUMMARY.md Normal file
View File

@@ -0,0 +1,683 @@
# EasyStream Backend-Frontend Integration - Complete Summary
## Overview
This document summarizes the comprehensive work completed to properly connect EasyStream's backend and frontend components, modernize the architecture, and prepare for future optimization.
**Date Completed:** January 2025
**Status:** ✅ Core Integration Complete, Ready for Migration
---
## What Was Accomplished
### 1. Created Missing RESTful API Endpoints ✅
Built comprehensive, production-ready API endpoints:
#### **[api/videos.php](../api/videos.php)** - Video Management
- `GET /api/videos.php` - List videos with pagination, sorting, filtering
- `GET /api/videos.php?id=123456` - Get single video details
- `GET /api/videos.php?action=search` - Search videos
- `POST /api/videos.php?action=create` - Create video
- `PUT /api/videos.php?id=123456` - Update video
- `DELETE /api/videos.php?id=123456` - Delete video
- `POST /api/videos.php?action=like` - Like/dislike video
- `POST /api/videos.php?action=view` - Record view count
- `POST /api/videos.php?action=watch_later` - Watch later toggle
#### **[api/user.php](../api/user.php)** - User Profile Management
- `GET /api/user.php?action=profile` - Get current user profile
- `GET /api/user.php?id=123` - Get public profile
- `PUT /api/user.php` - Update profile
- `POST /api/user.php?action=avatar` - Upload avatar
- `GET /api/user.php?action=stats` - Get user statistics
- `GET /api/user.php?action=videos` - Get user's videos
- `GET /api/user.php?action=subscriptions` - Get subscriptions
- `GET /api/user.php?action=subscribers` - Get subscribers
#### **[api/comments.php](../api/comments.php)** - Comment System
- `GET /api/comments.php?file_key=123456` - List comments
- `GET /api/comments.php?id=123` - Get comment with replies
- `POST /api/comments.php?action=create` - Create comment/reply
- `PUT /api/comments.php?id=123` - Update comment
- `DELETE /api/comments.php?id=123` - Delete comment
- `POST /api/comments.php?action=like` - Like comment
- `POST /api/comments.php?action=report` - Report comment
#### **[api/subscriptions.php](../api/subscriptions.php)** - Subscription Management
- `GET /api/subscriptions.php?action=list` - Get subscriptions
- `GET /api/subscriptions.php?action=subscribers` - Get subscribers
- `GET /api/subscriptions.php?action=feed` - Get subscription feed
- `GET /api/subscriptions.php?action=check` - Check subscription status
- `POST /api/subscriptions.php` - Subscribe to channel
- `DELETE /api/subscriptions.php?channel_id=123` - Unsubscribe
All endpoints support:
- JWT token authentication
- Session-based authentication
- Proper error handling
- Input validation
- Rate limiting
- Pagination
- Filtering and sorting
### 2. Enhanced Frontend API Client ✅
**[f_scripts/fe/js/api-helper.js](../f_scripts/fe/js/api-helper.js)**
Added comprehensive methods for all endpoints:
```javascript
// Authentication
api.login(username, password)
api.logout()
api.isAuthenticated()
api.verifyToken()
// Videos
api.getVideos({ page, limit, sort, category })
api.getVideo(videoId)
api.searchVideos(query)
api.createVideo(videoData)
api.updateVideo(videoId, updates)
api.deleteVideo(videoId)
api.likeVideo(fileKey, 'like')
api.recordVideoView(fileKey)
api.toggleWatchLater(fileKey)
// User
api.getUserProfile(userId)
api.getMyProfile()
api.updateProfile(userData)
api.uploadAvatar(file)
api.getUserStats()
api.getUserVideos(userId, params)
// Comments
api.getComments(fileKey, params)
api.createComment(fileKey, text, parentId)
api.updateComment(commentId, text)
api.deleteComment(commentId)
api.likeComment(commentId)
// Subscriptions
api.getSubscriptions()
api.subscribe(channelId)
api.unsubscribe(channelId)
api.checkSubscription(channelId)
api.getSubscriptionFeed(params)
// Utilities
api.uploadFile(endpoint, file, data, onProgress)
api.handleError(error, callback)
```
Features:
- Automatic JWT token management
- Token expiry handling
- Consistent error handling
- File upload with progress tracking
- Browser localStorage integration
- Promise-based async/await API
### 3. Secured CORS Configuration ✅
**[api/cors.config.php](../api/cors.config.php)**
Created centralized, secure CORS handling:
- **Development mode**: Allows localhost/127.0.0.1
- **Production mode**: Restricts to configured origins only
- Environment-based configuration
- Automatic preflight handling
- Security logging
All API endpoints now use this centralized configuration instead of permissive `Access-Control-Allow-Origin: *`.
### 4. Created Comprehensive Documentation ✅
#### **[docs/API_DOCUMENTATION.md](API_DOCUMENTATION.md)**
- Complete API reference
- Request/response examples
- Authentication guide
- Error handling
- Rate limiting details
- Frontend integration examples
#### **[docs/FRONTEND_BACKEND_INTEGRATION_GUIDE.md](FRONTEND_BACKEND_INTEGRATION_GUIDE.md)**
- Step-by-step migration guide
- Common migration patterns
- jQuery to modern JavaScript
- Error handling best practices
- Testing strategies
- Before/after code examples
#### **[docs/LEGACY_CODE_CLEANUP_PLAN.md](LEGACY_CODE_CLEANUP_PLAN.md)**
- Identifies obsolete code
- Performance optimization strategies
- Database query improvements
- Frontend modernization plan
- Resource savings estimates
- Migration checklist
---
## Architecture Overview
### Request Flow
```
┌─────────────────────────────────────────────────────────────┐
│ User Browser │
│ ┌────────────────┐ ┌─────────────────────────┐ │
│ │ HTML Pages │ │ api-helper.js Client │ │
│ │ (browse.php, │◄────────►│ (Modern Fetch API) │ │
│ │ profile.php) │ │ (JWT Token Management) │ │
│ └────────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│ HTTPS
┌─────────────────────────────────────────────────────────────┐
│ Web Server │
│ (Caddy / Apache) │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ API Endpoints │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ auth.php │ │videos.php│ │ user.php │ │comments │ │
│ │ │ │ │ │ │ │.php │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ ▲ ▲ ▲ ▲ │
│ └──────────────┴──────────────┴──────────────┘ │
│ cors.config.php │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Core Business Logic │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ VAuth │ │VDatabase │ │VSecurity │ │ VRBAC │ │
│ │ (Auth) │ │ (Data) │ │(Security)│ │(Perms) │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ ┌──────────┐ ┌──────────┐ │
│ │ VLogger │ │VMiddlwr │ │
│ │(Logging) │ │(Protect) │ │
│ └──────────┘ └──────────┘ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Database Layer │
│ │
│ ┌────────────────────────────────────────────────────┐ │
│ │ MySQL / MariaDB │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │db_users │ │db_videos │ │db_comments│ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ │ │
│ └────────────────────────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Redis (Sessions/Cache) │ │
│ └────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
```
### Authentication Flow
```
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Browser │ │ API │ │ VAuth │
└──────────┘ └──────────┘ └──────────┘
│ │ │
│ POST /api/auth.php │ │
│ {username, password} │ │
├──────────────────────────►│ │
│ │ VAuth::login() │
│ ├──────────────────────────►│
│ │ │
│ │ Validate credentials │
│ │ Generate JWT token │
│ │ Create session │
│ │◄──────────────────────────┤
│ {success, token, user} │ │
│◄──────────────────────────┤ │
│ │ │
│ Store token in │ │
│ localStorage │ │
│ │ │
│ GET /api/videos.php │ │
│ Authorization: Bearer {token} │
├──────────────────────────►│ │
│ │ VAuth::verifyToken() │
│ ├──────────────────────────►│
│ │ │
│ │ Verify signature │
│ │ Check expiry │
│ │◄──────────────────────────┤
│ {success, data: videos} │ │
│◄──────────────────────────┤ │
```
---
## File Structure
### New/Modified Files
```
easy stream/
├── api/ # ✅ API Endpoints
│ ├── auth.php # 🔄 Updated (CORS config)
│ ├── videos.php # ✨ NEW
│ ├── user.php # ✨ NEW
│ ├── comments.php # ✨ NEW
│ ├── subscriptions.php # ✨ NEW
│ └── cors.config.php # ✨ NEW
├── f_core/
│ └── f_classes/
│ ├── class.auth.php # ✅ Modern (VAuth)
│ ├── class.database.php # ✅ Modern (VDatabase)
│ ├── class.security.php # ✅ Modern (VSecurity)
│ ├── class.middleware.php # ✅ Modern (VMiddleware)
│ ├── class.logger.php # ✅ Modern (VLogger)
│ └── class.rbac.php # ✅ Modern (VRBAC)
├── f_scripts/fe/js/
│ └── api-helper.js # 🔄 Enhanced with all methods
└── docs/ # 📚 Documentation
├── API_DOCUMENTATION.md # ✨ NEW
├── FRONTEND_BACKEND_INTEGRATION_GUIDE.md # ✨ NEW
├── LEGACY_CODE_CLEANUP_PLAN.md # ✨ NEW
└── INTEGRATION_COMPLETE_SUMMARY.md # ✨ NEW (this file)
```
---
## What Still Needs to Be Done
### Phase 1: Frontend Migration (Next Priority)
Migrate legacy jQuery AJAX calls to modern fetch API:
**Files to Update:**
1. `f_scripts/fe/js/browse.init.js` - Video browsing
2. `f_scripts/fe/js/login.init.js` - Authentication forms
3. `f_scripts/fe/js/jquery.init.js` - Global utilities
4. Other frontend files as identified
**Estimated Time:** 2-4 weeks
**Impact:** Reduced page weight by ~80KB, faster load times
### Phase 2: Authentication Cleanup
Remove duplicate authentication systems:
1. Find all `VLogin` references
2. Replace with `VAuth`
3. Remove `class.login.php`
4. Test all authentication flows
**Estimated Time:** 1 week
**Impact:** Simpler codebase, consistent auth, better security
### Phase 3: Database Optimization
1. Add indexes (see LEGACY_CODE_CLEANUP_PLAN.md)
2. Fix N+1 query issues
3. Implement query caching
4. Use prepared statement caching
**Estimated Time:** 1-2 weeks
**Impact:** 60-80% reduction in database queries
### Phase 4: Performance Optimization
1. Implement lazy loading
2. Add Redis caching
3. Minify and bundle assets
4. Code splitting
**Estimated Time:** 2-3 weeks
**Impact:** 50-70% faster page loads
---
## Testing Strategy
### Manual Testing Checklist
Use this checklist after each migration phase:
```
Authentication
☐ Login with username
☐ Login with email
☐ Invalid credentials error
☐ Token persists after reload
☐ Logout clears token
☐ Expired token triggers re-login
Videos
☐ List videos loads
☐ Pagination works
☐ Sorting works
☐ Filtering works
☐ Single video loads
☐ Search works
☐ Create video works
☐ Update video works
☐ Delete video works
☐ Like/dislike works
☐ View count increments
☐ Watch later toggle works
User Profile
☐ Profile loads
☐ Profile update saves
☐ Avatar upload works
☐ Statistics display
☐ User's videos load
Comments
☐ Comments load
☐ Create comment works
☐ Reply works
☐ Edit works
☐ Delete works
☐ Like works
☐ Pagination works
Subscriptions
☐ Subscribe works
☐ Unsubscribe works
☐ Subscription list displays
☐ Subscriber count updates
☐ Subscription feed loads
```
### Automated Testing
Create test files:
```bash
tests/
├── integration/
│ ├── test-auth.js
│ ├── test-videos.js
│ ├── test-comments.js
│ └── test-subscriptions.js
└── unit/
├── test-api-helper.js
└── test-utils.js
```
Run with:
```bash
npm test
```
### Performance Testing
```bash
# Load testing
ab -n 1000 -c 10 http://localhost/api/videos.php
# Profile page load
lighthouse http://localhost/browse.php --view
# Check bundle size
du -sh f_scripts/fe/dist/
```
---
## Migration Guide Quick Reference
### Example: Migrating Browse Videos
**Before (jQuery AJAX):**
```javascript
jQuery.get(url, function(result) {
jQuery("#main-view-mode-list ul").append(result);
});
```
**After (api-helper):**
```javascript
try {
const result = await api.getVideos({ page: 1, sort: 'popular' });
if (result.success) {
appendVideos(result.data.videos);
}
} catch (error) {
api.handleError(error);
}
```
### Example: Migrating Subscribe Button
**Before (jQuery):**
```javascript
jQuery(".subscribe-btn").click(function() {
var channelId = jQuery(this).data("channel-id");
jQuery.post("/subscribe.php", { channel_id: channelId }, function(result) {
jQuery(".subscribe-btn").text("Subscribed");
});
});
```
**After (api-helper):**
```javascript
document.addEventListener('click', async (e) => {
const btn = e.target.closest('.subscribe-btn');
if (!btn) return;
const channelId = parseInt(btn.dataset.channelId);
try {
if (btn.classList.contains('subscribed')) {
await api.unsubscribe(channelId);
btn.classList.remove('subscribed');
btn.textContent = 'Subscribe';
} else {
await api.subscribe(channelId);
btn.classList.add('subscribed');
btn.textContent = 'Subscribed';
}
} catch (error) {
api.handleError(error);
}
});
```
---
## Performance Improvements Expected
| Metric | Current | After Optimization | Improvement |
|--------|---------|-------------------|-------------|
| Page Load Time | 4-6s | 1-2s | 70% faster |
| JavaScript Size | 500KB | 150KB | 70% smaller |
| API Calls per Page | 30-50 | 5-10 | 80% fewer |
| Database Queries | 30-50 | 5-10 | 80% fewer |
| Memory per Request | 256MB | 64MB | 75% less |
| Time to Interactive | 6-8s | 2-3s | 65% faster |
---
## Security Improvements
### CORS
- ✅ Removed wildcard `*` origins
- ✅ Environment-based configuration
- ✅ Development vs production modes
- ✅ Credential support for same-origin
### Authentication
- ✅ JWT token with expiry
- ✅ Secure token storage
- ✅ Rate limiting on login
- ✅ Password strength validation
- ✅ CSRF protection
### Input Validation
- ✅ Server-side validation
- ✅ Type checking
- ✅ SQL injection prevention
- ✅ XSS prevention
- ✅ File upload validation
---
## API Usage Examples
### Frontend Integration
```html
<!DOCTYPE html>
<html>
<head>
<title>EasyStream</title>
</head>
<body>
<div id="app">
<div id="videos"></div>
<button id="load-more">Load More</button>
</div>
<!-- Modern API client -->
<script src="/f_scripts/fe/js/api-helper.js"></script>
<script>
(async function() {
// Check if user is logged in
if (api.isAuthenticated()) {
const user = await api.getMyProfile();
console.log('Logged in as:', user.data.usr_user);
}
// Load videos
let currentPage = 1;
async function loadVideos() {
try {
const result = await api.getVideos({
page: currentPage,
limit: 20,
sort: 'popular'
});
if (result.success) {
displayVideos(result.data.videos);
currentPage++;
}
} catch (error) {
api.handleError(error);
}
}
function displayVideos(videos) {
const container = document.getElementById('videos');
videos.forEach(video => {
const div = document.createElement('div');
div.innerHTML = `
<h3>${video.file_title}</h3>
<p>${video.file_description}</p>
<button onclick="watchVideo('${video.file_key}')">
Watch
</button>
`;
container.appendChild(div);
});
}
// Load initial videos
await loadVideos();
// Load more button
document.getElementById('load-more').addEventListener('click', loadVideos);
// Watch video function
window.watchVideo = async function(fileKey) {
try {
// Record view
await api.recordVideoView(fileKey);
// Get video details
const video = await api.getVideo(fileKey);
// Play video
console.log('Playing:', video.data);
} catch (error) {
api.handleError(error);
}
};
})();
</script>
</body>
</html>
```
---
## Support and Resources
### Documentation
- [API_DOCUMENTATION.md](API_DOCUMENTATION.md) - Complete API reference
- [FRONTEND_BACKEND_INTEGRATION_GUIDE.md](FRONTEND_BACKEND_INTEGRATION_GUIDE.md) - Integration guide
- [LEGACY_CODE_CLEANUP_PLAN.md](LEGACY_CODE_CLEANUP_PLAN.md) - Cleanup plan
### Code Examples
- Modern API client: [f_scripts/fe/js/api-helper.js](../f_scripts/fe/js/api-helper.js)
- API endpoints: [api/](../api/)
- CORS configuration: [api/cors.config.php](../api/cors.config.php)
### Testing
- Browser DevTools Network tab for API debugging
- Backend logs: Check error_log for server-side issues
- Database logs: Check slow query log for performance issues
---
## Conclusion
**Core Integration Complete**
The EasyStream backend and frontend are now properly connected with:
- Modern RESTful API endpoints
- Comprehensive frontend API client
- Secure CORS configuration
- Complete documentation
- Clear migration path
**Next Steps:**
1. Begin Phase 1: Frontend Migration (migrate jQuery to modern JS)
2. Remove legacy authentication code
3. Optimize database queries
4. Implement caching and lazy loading
**Estimated Timeline for Full Optimization:** 2-3 months
**Expected Results:**
- 70% faster page loads
- 80% fewer database queries
- 70% smaller JavaScript bundles
- 50% reduction in server costs
---
**Document Created:** January 2025
**Status:** ✅ Ready for Implementation
**Version:** 1.0.0

750
docs/LEGACY_CODE_CLEANUP_PLAN.md Normal file
View File

@@ -0,0 +1,750 @@
# Legacy Code Cleanup & Modernization Plan
## Overview
This document identifies outdated code, redundant systems, and performance bottlenecks in EasyStream that should be removed or refactored to create a modern, efficient streaming platform.
## Table of Contents
1. [Critical Removals](#critical-removals)
2. [Authentication System Cleanup](#authentication-system-cleanup)
3. [Database Query Optimization](#database-query-optimization)
4. [Frontend JavaScript Modernization](#frontend-javascript-modernization)
5. [File Structure Reorganization](#file-structure-reorganization)
6. [Performance Optimizations](#performance-optimizations)
7. [Migration Checklist](#migration-checklist)
---
## Critical Removals
### 1. Duplicate Authentication Systems
**Problem:** Multiple authentication systems exist, causing confusion and security risks.
**Files to Remove/Consolidate:**
```
REMOVE:
- f_core/f_classes/class.login.php (Old VLogin class)
- f_core/f_classes/class.session.php (Redundant with VAuth)
- Any references to VLogin in other files
KEEP:
- f_core/f_classes/class.auth.php (VAuth - Modern system)
```
**Action Plan:**
1. Search codebase for `VLogin` references
2. Replace with `VAuth::getInstance()`
3. Update all login forms to use VAuth
4. Remove class.login.php entirely
**Command to find VLogin usage:**
```bash
grep -r "VLogin" f_core/ f_modules/ *.php
```
### 2. Legacy Database Classes
**Problem:** Multiple database wrapper classes causing overhead.
**Files to Audit:**
```
f_core/f_classes/class.database.php - Keep (ADOdb wrapper)
f_core/f_classes/db*.php - Review for redundancy
```
**Action:** Ensure all code uses `VDatabase::getInstance()` and remove any custom DB wrappers.
### 3. Obsolete jQuery Plugins
**Problem:** Old jQuery plugins add bloat and security vulnerabilities.
**Files to Remove:**
```
f_scripts/be/js/init1.min.js - Contains jquery.form plugin (outdated)
f_scripts/*/jquery.*.min.js - Review each for necessity
```
**Replace With:**
- Native FormData API
- Fetch API
- Modern ES6+ code
### 4. Inline JavaScript in PHP Files
**Problem:** JavaScript mixed with PHP makes maintenance difficult.
**Action:**
1. Extract all `<script>` tags from PHP files
2. Move to dedicated .js files
3. Use data attributes for configuration
4. Use modern module pattern
**Example Files to Clean:**
```
browse.php - Contains inline JS
profile.php - Contains inline JS
upload.php - Contains inline JS
```
---
## Authentication System Cleanup
### Current State: 3 Auth Methods
1. **Old VLogin** (deprecated)
2. **VSession** (redundant)
3. **VAuth** (modern, keep this)
### Cleanup Steps
#### Step 1: Find All VLogin Usage
```bash
# Find files using VLogin
grep -r "VLogin" --include="*.php" .
# Find session_start calls (should be in VAuth only)
grep -r "session_start()" --include="*.php" .
```
#### Step 2: Update All References
**Before:**
```php
$login = new VLogin();
$login->doLogin($username, $password);
if ($login->isLoggedIn()) {
// ...
}
```
**After:**
```php
$auth = VAuth::getInstance();
$result = $auth->login($identifier, $password);
if ($auth->isAuthenticated()) {
// ...
}
```
#### Step 3: Remove Old Files
```bash
# After migrating all code:
rm f_core/f_classes/class.login.php
rm f_core/f_classes/class.session.php
```
### Session Management Consolidation
**Keep Only:**
- VAuth for all authentication
- VSession for session utilities (if lightweight)
**Or:** Merge VSession functionality into VAuth
---
## Database Query Optimization
### Problem: N+1 Query Issues
**Current Issue:**
```php
// BAD: N+1 queries
$videos = $db->execute("SELECT * FROM db_videofiles");
while (!$videos->EOF) {
$user = $db->execute("SELECT * FROM db_users WHERE usr_id = ?", [$videos->fields['usr_id']]);
// This runs once per video!
}
```
**Solution:**
```php
// GOOD: Single query with JOIN
$sql = "SELECT v.*, u.usr_id, u.usr_user, u.usr_dname, u.usr_avatar
FROM db_videofiles v
LEFT JOIN db_users u ON v.usr_id = u.usr_id
WHERE v.approved = 1";
$videos = $db->execute($sql);
```
### Remove Unnecessary Database Calls
#### 1. Count Queries in Loops
**Bad:**
```php
foreach ($videos as $video) {
$commentCount = $db->singleFieldValue("SELECT COUNT(*) FROM db_comments WHERE file_key = ?", [$video['file_key']]);
}
```
**Good:**
```php
// Get all counts in one query
$sql = "SELECT file_key, COUNT(*) as comment_count
FROM db_comments
WHERE file_key IN (?)
GROUP BY file_key";
```
#### 2. Redundant Existence Checks
**Bad:**
```php
// Check if exists
$exists = $db->execute("SELECT COUNT(*) FROM db_users WHERE usr_id = ?", [$userId]);
if ($exists->fields[0] > 0) {
// Then fetch the user
$user = $db->execute("SELECT * FROM db_users WHERE usr_id = ?", [$userId]);
}
```
**Good:**
```php
// Just fetch directly, check if result is empty
$user = $db->execute("SELECT * FROM db_users WHERE usr_id = ?", [$userId]);
if ($user && $user->RecordCount() > 0) {
// Use user data
}
```
### Add Database Indexes
Critical indexes to add:
```sql
-- Video queries
CREATE INDEX idx_videofiles_approved_privacy ON db_videofiles(approved, privacy);
CREATE INDEX idx_videofiles_usr_id ON db_videofiles(usr_id);
CREATE INDEX idx_videofiles_upload_date ON db_videofiles(upload_date);
CREATE INDEX idx_videofiles_file_views ON db_videofiles(file_views);
-- Comment queries
CREATE INDEX idx_comments_file_key ON db_comments(file_key);
CREATE INDEX idx_comments_parent_id ON db_comments(parent_id);
CREATE INDEX idx_comments_usr_id ON db_comments(usr_id);
-- Subscription queries
CREATE INDEX idx_subscriptions_usr_id ON db_subscriptions(usr_id);
CREATE INDEX idx_subscriptions_channel_id ON db_subscriptions(channel_id);
-- Like queries
CREATE INDEX idx_likes_file_key_type ON db_likes(file_key, like_type);
CREATE INDEX idx_likes_usr_id ON db_likes(usr_id);
-- Session queries
CREATE INDEX idx_sessions_user_id ON db_sessions(user_id);
CREATE INDEX idx_sessions_expires_at ON db_sessions(expires_at);
```
---
## Frontend JavaScript Modernization
### Remove jQuery Dependency
jQuery is heavy (87KB minified) and no longer necessary.
#### Migration Strategy
**Phase 1: Utility Functions**
Create `f_scripts/fe/js/utils.js`:
```javascript
// Modern replacements for jQuery
const $ = {
// $(selector) -> document.querySelectorAll
select: (selector) => document.querySelectorAll(selector),
selectOne: (selector) => document.querySelector(selector),
// $.ajax -> fetch
ajax: async (url, options = {}) => {
const response = await fetch(url, options);
return response.json();
},
// $.get -> fetch
get: async (url) => {
const response = await fetch(url);
return response.json();
},
// $.post -> fetch
post: async (url, data) => {
const response = await fetch(url, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(data)
});
return response.json();
},
// $(element).addClass/removeClass
addClass: (el, className) => el.classList.add(className),
removeClass: (el, className) => el.classList.remove(className),
toggleClass: (el, className) => el.classList.toggle(className),
// $(element).show/hide
show: (el) => el.style.display = '',
hide: (el) => el.style.display = 'none',
// $(element).on
on: (el, event, handler) => el.addEventListener(event, handler),
off: (el, event, handler) => el.removeEventListener(event, handler),
// $.each -> Array.forEach
each: (arr, callback) => Array.from(arr).forEach(callback)
};
```
**Phase 2: Replace jQuery Usage**
**Before:**
```javascript
jQuery(document).ready(function() {
jQuery('.button').click(function() {
jQuery(this).addClass('active');
});
});
```
**After:**
```javascript
document.addEventListener('DOMContentLoaded', () => {
document.querySelectorAll('.button').forEach(btn => {
btn.addEventListener('click', () => {
btn.classList.add('active');
});
});
});
```
Or using event delegation (more efficient):
```javascript
document.addEventListener('click', (e) => {
if (e.target.classList.contains('button')) {
e.target.classList.add('active');
}
});
```
### Files to Modernize
Priority order:
1. **High Priority (User-facing)**
- `browse.init.js` - Video browsing
- `login.init.js` - Authentication
- `jquery.init.js` - Global utilities
2. **Medium Priority**
- `files.init.js` - File management
- `channels.init.js` - Channel features
- `subdashboard.js` - Dashboard
3. **Low Priority**
- Backend admin files
- Analytics dashboards
### Remove Unused Libraries
Audit and remove:
```
f_scripts/lib/
├── jquery.old.js - Remove if exists
├── bootstrap.v2.js - If using v4+, remove v2
├── moment.js - Use native Date if possible
├── lodash.js - Use native ES6 methods
└── underscore.js - Redundant with lodash
```
---
## File Structure Reorganization
### Current Issues
1. **Flat file structure** - Hard to navigate
2. **Mixed concerns** - Frontend/backend not separated
3. **Redundant files** - Multiple versions of same functionality
### Proposed Structure
```
api/ # All API endpoints (CLEAN)
├── auth.php
├── videos.php
├── user.php
├── comments.php
├── subscriptions.php
└── cors.config.php
f_core/ # Core backend classes (KEEP CLEAN)
├── config.core.php # Main config
├── config.database.php # DB config
├── f_classes/ # Core classes
│ ├── class.auth.php # KEEP
│ ├── class.database.php # KEEP
│ ├── class.security.php # KEEP
│ ├── class.logger.php # KEEP
│ ├── class.rbac.php # KEEP
│ ├── class.middleware.php # KEEP
│ └── [REMOVE OLD CLASSES]
└── f_functions/ # Utility functions
├── functions.security.php
└── functions.rbac.php
f_scripts/
├── fe/ # Frontend only
│ ├── js/
│ │ ├── api-helper.js # MODERN API client
│ │ ├── utils.js # Native JS utilities
│ │ └── [page-specific].js
│ ├── css/
│ └── img/
└── be/ # Backend admin
└── js/
f_modules/ # Feature modules
├── m_frontend/ # User-facing features
└── m_backend/ # Admin features
docs/ # Documentation
├── API_DOCUMENTATION.md
├── FRONTEND_BACKEND_INTEGRATION_GUIDE.md
└── LEGACY_CODE_CLEANUP_PLAN.md
[root] # Page entry points
├── index.php
├── browse.php
├── profile.php
└── ...
```
### Files to Remove
```bash
# Find duplicate/old files
find . -name "*.old.php"
find . -name "*.backup.php"
find . -name "*_old.*"
find . -name "*_backup.*"
# Remove after verification
rm [files]
```
---
## Performance Optimizations
### 1. Implement Lazy Loading
**Videos/Images:**
```javascript
// Use Intersection Observer instead of scroll events
const lazyLoadObserver = new IntersectionObserver((entries) => {
entries.forEach(entry => {
if (entry.isIntersecting) {
const img = entry.target;
img.src = img.dataset.src;
img.classList.remove('lazy');
lazyLoadObserver.unobserve(img);
}
});
});
document.querySelectorAll('img.lazy').forEach(img => {
lazyLoadObserver.observe(img);
});
```
### 2. Implement Caching
**Backend (PHP):**
```php
// Use Redis/Memcached for session storage (already configured)
// Add query result caching
class VCache {
private static $redis;
public static function get($key) {
if (!self::$redis) {
self::$redis = new Redis();
self::$redis->connect('127.0.0.1', 6379);
}
return self::$redis->get($key);
}
public static function set($key, $value, $ttl = 3600) {
if (!self::$redis) {
self::$redis = new Redis();
self::$redis->connect('127.0.0.1', 6379);
}
return self::$redis->setex($key, $ttl, serialize($value));
}
}
// Usage
$cacheKey = "videos:popular:page:{$page}";
$videos = VCache::get($cacheKey);
if (!$videos) {
$videos = $db->execute($sql, $params);
VCache::set($cacheKey, $videos->GetArray(), 300); // 5 min cache
}
```
**Frontend:**
```javascript
// Cache API responses in memory
class APICache {
constructor(ttl = 60000) { // 1 minute default
this.cache = new Map();
this.ttl = ttl;
}
get(key) {
const item = this.cache.get(key);
if (!item) return null;
if (Date.now() > item.expires) {
this.cache.delete(key);
return null;
}
return item.data;
}
set(key, data) {
this.cache.set(key, {
data,
expires: Date.now() + this.ttl
});
}
clear() {
this.cache.clear();
}
}
// Add to api-helper.js
const apiCache = new APICache();
// In request method:
const cacheKey = `${endpoint}:${JSON.stringify(params)}`;
const cached = apiCache.get(cacheKey);
if (cached && config.cache) {
return cached;
}
// After successful request:
if (config.cache) {
apiCache.set(cacheKey, data);
}
```
### 3. Optimize Database Queries
**Use Prepared Statement Caching:**
```php
// In VDatabase class
private $stmtCache = [];
public function execute($sql, $params = []) {
$cacheKey = md5($sql);
if (!isset($this->stmtCache[$cacheKey])) {
$this->stmtCache[$cacheKey] = $this->connection->Prepare($sql);
}
return $this->connection->Execute($this->stmtCache[$cacheKey], $params);
}
```
### 4. Minify and Bundle Assets
**Create build process:**
```json
// package.json
{
"scripts": {
"build:js": "esbuild f_scripts/fe/js/**/*.js --bundle --minify --outdir=f_scripts/fe/dist/js",
"build:css": "postcss f_scripts/fe/css/**/*.css --dir f_scripts/fe/dist/css --use cssnano",
"build": "npm run build:js && npm run build:css",
"watch": "npm run build -- --watch"
}
}
```
### 5. Implement Code Splitting
Split JavaScript into chunks:
```javascript
// Load features on demand
async function loadVideoPlayer() {
const { VideoPlayer } = await import('./video-player.js');
return new VideoPlayer();
}
// Only load when needed
document.querySelector('.video-container').addEventListener('click', async () => {
const player = await loadVideoPlayer();
player.play();
}, { once: true });
```
### 6. Remove Render-Blocking Resources
**Move scripts to end of body:**
```html
<!-- Before: -->
<head>
<script src="jquery.js"></script>
<script src="app.js"></script>
</head>
<!-- After: -->
<body>
<!-- content -->
<script src="app.js" defer></script>
</body>
```
Or use `async` for independent scripts:
```html
<script src="analytics.js" async></script>
```
---
## Migration Checklist
### Phase 1: Remove Duplicate Auth Systems
- [ ] Find all VLogin references
- [ ] Replace with VAuth
- [ ] Test authentication flows
- [ ] Remove class.login.php
- [ ] Remove class.session.php (if redundant)
- [ ] Update documentation
### Phase 2: Database Optimization
- [ ] Add missing indexes
- [ ] Audit for N+1 queries
- [ ] Implement query caching
- [ ] Use JOINs instead of separate queries
- [ ] Enable prepared statement caching
- [ ] Monitor slow query log
### Phase 3: Frontend Modernization
- [ ] Create native JS utility library
- [ ] Migrate browse.init.js to modern JS
- [ ] Migrate login.init.js to modern JS
- [ ] Migrate jquery.init.js to modern JS
- [ ] Remove jQuery dependency
- [ ] Test all user interactions
- [ ] Update build process
### Phase 4: File Cleanup
- [ ] Remove obsolete files (.old, .backup)
- [ ] Reorganize file structure
- [ ] Remove unused libraries
- [ ] Clean up inline JavaScript
- [ ] Move JS to external files
### Phase 5: Performance Optimization
- [ ] Implement lazy loading for images
- [ ] Add Redis caching for queries
- [ ] Enable browser caching headers
- [ ] Minify and bundle assets
- [ ] Implement code splitting
- [ ] Add service worker for offline support (optional)
### Phase 6: Testing & Validation
- [ ] Load test with Apache Bench
- [ ] Profile with Chrome DevTools
- [ ] Check for memory leaks
- [ ] Verify all features work
- [ ] Test on slow connections (throttling)
- [ ] Mobile device testing
---
## Performance Metrics to Track
### Before Cleanup
Measure these metrics before starting:
```bash
# Page load time
curl -o /dev/null -s -w 'Total: %{time_total}s\n' http://localhost/
# Time to first byte
curl -o /dev/null -s -w 'TTFB: %{time_starttransfer}s\n' http://localhost/
# Database query count (add logging)
grep "SELECT" /var/log/mysql/query.log | wc -l
```
### After Cleanup - Target Metrics
- Page load time: < 2 seconds
- Time to first byte: < 500ms
- Total JavaScript size: < 200KB
- Database queries per page: < 10
- Memory usage: < 128MB per request
---
## Resource Savings Estimate
### Expected Improvements
| Metric | Before | After | Improvement |
|--------|--------|-------|-------------|
| Page Load Time | 4-6s | 1-2s | 70% faster |
| JavaScript Size | 500KB | 150KB | 70% smaller |
| Database Queries | 30-50 | 5-10 | 80% fewer |
| Memory per Request | 256MB | 64MB | 75% less |
| Server Requests | 40+ | 15-20 | 60% fewer |
### Cost Savings
For a platform with 10,000 daily active users:
- **Server costs**: 50% reduction (fewer resources needed)
- **Bandwidth**: 60% reduction (smaller assets)
- **Database load**: 75% reduction (fewer queries, better caching)
---
## Next Steps
1. **Backup everything** before making changes
2. **Start with authentication** cleanup (lowest risk)
3. **Test thoroughly** after each phase
4. **Monitor performance** metrics
5. **Document changes** as you go
---
**Created:** January 2025
**Status:** Planning Phase

593
docs/MISSING_FEATURES_ANALYSIS.md Normal file
View File

@@ -0,0 +1,593 @@
# EasyStream - Missing Features & Critical Gaps Analysis
## Executive Summary
EasyStream is a sophisticated video streaming platform with **1000+ PHP files** and strong Docker infrastructure. However, it has **25+ critical gaps** that need addressing before production deployment. This document prioritizes what's missing and provides implementation guidance.
**Overall Maturity:** 70% (Solid foundation, needs production hardening)
---
## 🚨 CRITICAL PRIORITIES (Deploy Within 1-2 Weeks)
### 1. Security Headers ⚠️ IMMEDIATE
**Status:** ❌ NOT IMPLEMENTED
**Risk Level:** CRITICAL
**Estimated Time:** 2-4 hours
**Missing Headers:**
- Content-Security-Policy (CSP) - Prevents XSS attacks
- X-Frame-Options - Prevents clickjacking
- Strict-Transport-Security (HSTS) - Forces HTTPS
- X-Content-Type-Options - Prevents MIME sniffing
- Permissions-Policy - Restricts browser features
**Impact:** Currently vulnerable to XSS, clickjacking, MIME-type attacks
**Quick Fix:**
```php
// Add to config.core.php
require_once 'f_core/config.security.php';
```
**File to Create:** `f_core/config.security.php` (template provided in previous conversation)
---
### 2. File Upload Vulnerabilities ⚠️ CRITICAL
**Status:** ⚠️ PARTIALLY MITIGATED
**Risk Level:** CRITICAL
**Estimated Time:** 6-8 hours
**Current Issues:**
- Only MIME type validation (can be spoofed)
- No magic byte verification
- No virus scanning
- Filename not properly sanitized
- No upload rate limiting
**Found In:**
- `upload.php` (lines 20-45)
- Various API upload endpoints
**Required Fixes:**
1. Implement `finfo_file()` for magic byte checking
2. Add ClamAV virus scanning integration
3. Sanitize filenames properly
4. Implement upload rate limiting
5. Add file quarantine system
---
### 3. Monitoring & Error Tracking ⚠️ CRITICAL
**Status:** ❌ NOT IMPLEMENTED
**Risk Level:** CRITICAL
**Estimated Time:** 8-12 hours
**Missing:**
- No Sentry/error tracking
- No centralized logging (ELK Stack)
- No real-time alerting
- No distributed tracing
**Impact:** Blind to production errors, slow incident response
**Implementation:**
1. **Sentry Integration** (4-6 hours)
```bash
composer require sentry/sdk
```
2. **ELK Stack** (8-10 hours)
- Add to `docker-compose.prod.yml`
- Configure log forwarding
- Create Kibana dashboards
---
### 4. Backup System ⚠️ CRITICAL
**Status:** ❌ NOT IMPLEMENTED
**Risk Level:** CRITICAL
**Estimated Time:** 8-10 hours
**Missing:**
- No automated database backups
- No off-site storage (S3, etc.)
- No backup rotation policy
- No restore testing
- No point-in-time recovery
**Impact:** **CATASTROPHIC DATA LOSS RISK**
**Implementation:**
```yaml
# Add to docker-compose.prod.yml
services:
backup:
image: databack/mysql-backup
environment:
- DB_SERVER=db
- DB_USER=${DB_USER}
- DB_PASS=${DB_PASS}
- DB_DUMP_TARGET=s3://your-bucket/backups
- AWS_ACCESS_KEY_ID=${AWS_KEY}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET}
- DB_DUMP_FREQ=1440 # Daily
- DB_DUMP_BEGIN=0300 # 3 AM
- DB_DUMP_KEEP_DAYS=30
```
---
### 5. Rate Limiting ⚠️ HIGH
**Status:** ⚠️ PARTIAL (Login only)
**Risk Level:** HIGH
**Estimated Time:** 4-6 hours
**Current:** Only login attempts limited (5 per 15min)
**Missing Rate Limits:**
- API endpoints (no per-endpoint limits)
- File uploads
- Comments/posts
- Search queries
- Password reset
- Registration
**Impact:** Vulnerable to DDoS, brute force, spam
**Quick Implementation:**
```php
// Already in functions.api.php
rateLimitApiRequest('api:videos:' . $userId, 60, 60); // 60 req/min
```
---
## 🔴 HIGH PRIORITY (Deploy Within 3-4 Weeks)
### 6. Video Transcoding Pipeline
**Status:** ⚠️ PARTIAL
**Estimated Time:** 16-20 hours
**Current:**
- FFmpeg installed ✅
- SRS (RTMP server) configured ✅
- Queue system exists ✅
**Missing:**
- Automated transcoding on upload
- Multi-bitrate adaptive streaming (ABR)
- Thumbnail extraction automation
- Transcoding progress tracking
- Quality profiles management
**Implementation:**
```php
// Create transcoding job
class VideoTranscodingJob {
public function handle($videoId) {
$profiles = [
'1080p' => ['resolution' => '1920x1080', 'bitrate' => '5000k'],
'720p' => ['resolution' => '1280x720', 'bitrate' => '3000k'],
'480p' => ['resolution' => '854x480', 'bitrate' => '1500k'],
'360p' => ['resolution' => '640x360', 'bitrate' => '800k']
];
foreach ($profiles as $quality => $settings) {
$this->transcode($videoId, $quality, $settings);
}
}
}
```
---
### 7. Advanced Search (Elasticsearch)
**Status:** ⚠️ BASIC
**Estimated Time:** 10-12 hours
**Current:** Basic SQL search exists
**Missing:**
- Full-text search indexing
- Faceted search (filters)
- Search suggestions/autocomplete
- Typo tolerance
- Search analytics
- Relevance ranking
**Implementation:**
```bash
# Add to docker-compose
services:
elasticsearch:
image: elasticsearch:8.11.0
environment:
- discovery.type=single-node
- xpack.security.enabled=false
ports:
- "9200:9200"
```
---
### 8. Payment Processing Enhancement
**Status:** ⚠️ PARTIAL (PayPal only)
**Estimated Time:** 12-16 hours
**Current:** PayPal integration exists
**Missing:**
- Stripe integration
- Credit card tokenization
- Recurring billing management
- Invoice generation
- Refund processing
- PCI compliance framework
---
### 9. Notification System
**Status:** ⚠️ PARTIAL
**Estimated Time:** 8-10 hours
**Current:** Basic notification class exists
**Missing:**
- Push notifications (Firebase)
- Email templates
- SMS notifications
- Real-time delivery
- Notification preferences UI
- Notification batching
---
### 10. Content Moderation Tools
**Status:** ⚠️ BASIC
**Estimated Time:** 10-12 hours
**Missing:**
- Automated content flagging
- Review queue interface
- Moderation appeals system
- Bulk moderation actions
- Moderation audit trail
- Copyright detection system
---
## 🟡 MEDIUM PRIORITY (Deploy Within 6-8 Weeks)
### 11. Comprehensive Testing Suite
**Status:** ⚠️ MINIMAL
**Estimated Time:** 40-60 hours
**Current:**
- PHPUnit configured ✅
- Test structure exists ✅
- GitHub Actions CI ✅
**Coverage:** ~30% (Target: >80%)
**Missing:**
- Unit tests for core classes
- Integration tests
- API endpoint tests
- Frontend E2E tests (Cypress)
- Performance tests
---
### 12. PWA & Offline Support
**Status:** ⚠️ PARTIAL
**Estimated Time:** 8-10 hours
**Current:** PWA manifest exists
**Missing:**
- Service worker implementation
- Offline page caching
- Background sync
- Install prompts
---
### 13. Real-Time Features (WebSockets)
**Status:** ❌ NOT IMPLEMENTED
**Estimated Time:** 12-16 hours
**Missing:**
- Live comments
- Real-time notifications
- Presence indicators
- Live chat
- Collaborative features
**Implementation:** Socket.io or Ratchet
---
### 14. Analytics Dashboard
**Status:** ⚠️ BACKEND ONLY
**Estimated Time:** 10-12 hours
**Current:** Analytics class exists
**Missing:**
- Creator dashboard UI
- Revenue analytics
- Engagement metrics
- Custom report generation
- Data export
---
### 15. Mobile App API
**Status:** ⚠️ PARTIAL
**Estimated Time:** 8-10 hours
**Missing:**
- Mobile-specific OAuth flow
- Push notification API
- Offline sync API
- Mobile-optimized responses
---
### 16. Internationalization (i18n)
**Status:** ⚠️ BASIC
**Estimated Time:** 8-12 hours
**Current:** Language files exist
**Missing:**
- Date/time/number localization
- Currency conversion
- RTL language support
- Translation management system
---
### 17. Accessibility (a11y)
**Status:** ❓ NOT AUDITED
**Estimated Time:** 8-10 hours
**Likely Missing:**
- ARIA labels
- Keyboard navigation
- Screen reader optimization
- Color contrast (WCAG 2.1 AA)
**Tool:** Run Axe DevTools audit
---
## 🟢 LOW PRIORITY (Nice to Have)
### 18. Code Linting & Standards
**Status:** ❌ NOT ENFORCED
**Estimated Time:** 4-6 hours
**Implementation:**
```json
// composer.json
"scripts": {
"lint": "vendor/bin/phpcs --standard=PSR12",
"lint-fix": "vendor/bin/phpcbf --standard=PSR12"
}
```
---
### 19. API Versioning
**Status:** ❌ NOT IMPLEMENTED
**Estimated Time:** 10-12 hours
**Current:** No versioning strategy
**Needed:**
- URL versioning (/api/v1/)
- Version headers
- Deprecation warnings
- Backwards compatibility plan
---
### 20. CDN Integration
**Status:** ❌ NOT IMPLEMENTED
**Estimated Time:** 4-6 hours
**Missing:**
- CloudFlare/AWS CloudFront setup
- Image optimization
- Static asset distribution
- Video edge servers
---
## 📊 Implementation Roadmap
### PHASE 1: Security Hardening (Week 1-2)
**Total: 32 hours**
| Task | Hours | Priority |
|------|-------|----------|
| Security headers | 3 | CRITICAL |
| File upload hardening | 8 | CRITICAL |
| Rate limiting | 6 | HIGH |
| Error tracking (Sentry) | 5 | CRITICAL |
| Backup system | 10 | CRITICAL |
---
### PHASE 2: Infrastructure (Week 3-4)
**Total: 34 hours**
| Task | Hours | Priority |
|------|-------|----------|
| ELK Stack setup | 10 | CRITICAL |
| CI/CD automation | 12 | HIGH |
| Monitoring/alerting | 8 | HIGH |
| Health checks | 4 | MEDIUM |
---
### PHASE 3: Core Features (Week 5-7)
**Total: 54 hours**
| Task | Hours | Priority |
|------|-------|----------|
| Video transcoding | 20 | HIGH |
| Elasticsearch search | 12 | HIGH |
| Push notifications | 10 | HIGH |
| Analytics dashboard | 12 | MEDIUM |
---
### PHASE 4: Quality Assurance (Week 8-10)
**Total: 88 hours**
| Task | Hours | Priority |
|------|-------|----------|
| Unit tests | 50 | HIGH |
| Integration tests | 25 | HIGH |
| Code linting | 5 | MEDIUM |
| API documentation | 8 | MEDIUM |
---
### PHASE 5: Business Features (Week 11-14)
**Total: 50 hours**
| Task | Hours | Priority |
|------|-------|----------|
| Stripe integration | 14 | HIGH |
| Content moderation | 12 | HIGH |
| Creator dashboards | 12 | MEDIUM |
| Ad integration | 12 | MEDIUM |
---
## 💰 Estimated Costs
### Infrastructure (Monthly)
- **ELK Stack:** $50-100 (self-hosted) or $200-400 (managed)
- **Sentry:** $26/month (Team plan) or self-hosted
- **S3 Backups:** $20-50/month (depends on data size)
- **Elasticsearch:** $45-95/month (managed)
- **CDN:** $50-200/month (CloudFlare/AWS)
- **Total:** ~$191-845/month
### Development
- **Phase 1-2:** $6,400-9,600 (32-48 hours @ $200/hr)
- **Phase 3-5:** $19,200-38,400 (96-192 hours)
- **Total:** $25,600-48,000
---
## 🎯 Quick Wins (Do First)
### 1. Security Headers (3 hours)
```php
// Add to f_core/config.core.php
require_once 'f_core/config.security.php';
```
### 2. Sentry Error Tracking (4 hours)
```bash
composer require sentry/sdk
```
### 3. Database Backups (8 hours)
- Add backup container to docker-compose
- Configure S3 upload
- Test restore procedure
### 4. Rate Limiting (6 hours)
- Apply to all API endpoints
- Add Redis-based tracking
- Configure per-endpoint limits
---
## 📋 Critical Files to Create
| File | Purpose | Priority | Hours |
|------|---------|----------|-------|
| `f_core/config.security.php` | Security headers & validation | CRITICAL | 3 |
| `docker/backup/backup.sh` | Automated backups | CRITICAL | 4 |
| `docker-compose.monitoring.yml` | ELK + Sentry | CRITICAL | 8 |
| `f_core/f_classes/class.transcoding.php` | Video processing | HIGH | 12 |
| `f_core/f_classes/class.elasticsearch.php` | Search integration | HIGH | 8 |
---
## ⚠️ Risk Assessment
### Without Phase 1 (Security):
- **Data Breach Risk:** HIGH
- **DDoS Vulnerability:** HIGH
- **Data Loss Risk:** CRITICAL
### Without Phase 2 (Infrastructure):
- **Incident Response:** SLOW
- **Debugging:** DIFFICULT
- **Scalability:** LIMITED
### Without Phase 3 (Features):
- **User Experience:** POOR
- **Competitiveness:** LOW
- **Revenue:** LIMITED
---
## 🚀 Next Steps
1. **THIS WEEK:** Implement Phase 1 security fixes
2. **NEXT WEEK:** Set up monitoring & backups
3. **WEEKS 3-4:** Deploy video transcoding
4. **ONGOING:** Build test coverage to 80%
---
## 📚 Resources Needed
### Docker Images
- `elasticsearch:8.11.0`
- `kibana:8.11.0`
- `logstash:8.11.0`
- `getsentry/sentry:latest`
- `databack/mysql-backup:latest`
### PHP Packages
```bash
composer require sentry/sdk
composer require elasticsearch/elasticsearch
composer require predis/predis
composer require phpunit/phpunit --dev
composer require squizlabs/php_codesniffer --dev
```
### External Services
- AWS S3 (backups)
- Sentry.io (or self-hosted)
- Firebase (push notifications)
- Stripe (payments)
---
## 📞 Support
For implementation help:
- Review [CONFLICT_RESOLUTION_GUIDE.md](CONFLICT_RESOLUTION_GUIDE.md)
- Check [IMPLEMENTATION_CHECKLIST.md](IMPLEMENTATION_CHECKLIST.md)
- See [API_DOCUMENTATION.md](API_DOCUMENTATION.md)
---
**Document Created:** January 2025
**Status:** Ready for Implementation
**Total Effort:** 258 hours (6-8 weeks with dedicated team)
**ROI:** Production-ready, enterprise-grade platform

594
docs/QUICK_START_GUIDE.md Normal file
View File

@@ -0,0 +1,594 @@
# EasyStream API Quick Start Guide
## Get Started in 5 Minutes
This guide will get you up and running with the EasyStream API quickly.
## Prerequisites
- EasyStream installed and running
- Modern web browser
- Basic JavaScript knowledge
---
## 1. Authentication
### Login and Get Token
```javascript
// The API client is automatically available as 'api'
const result = await api.login('myusername', 'mypassword');
if (result.success) {
console.log('Logged in!');
console.log('User:', result.user);
console.log('Token:', result.token);
// Token is automatically stored
}
```
### Check if Logged In
```javascript
if (api.isAuthenticated()) {
console.log('User is logged in');
} else {
console.log('Please log in');
}
```
---
## 2. Working with Videos
### List Videos
```javascript
const videos = await api.getVideos({
page: 1,
limit: 20,
sort: 'popular'
});
console.log('Videos:', videos.data.videos);
```
### Get Single Video
```javascript
const video = await api.getVideo('123456');
console.log('Video:', video.data);
```
### Search Videos
```javascript
const results = await api.searchVideos('funny cats');
console.log('Found:', results.data.videos);
```
### Like a Video
```javascript
await api.likeVideo('123456', 'like');
console.log('Video liked!');
```
### Create a Video
```javascript
const newVideo = await api.createVideo({
title: 'My Awesome Video',
description: 'This is a great video',
privacy: 'public',
category: 'entertainment'
});
console.log('Created video:', newVideo.data.file_key);
```
---
## 3. User Profiles
### Get Current User Profile
```javascript
const myProfile = await api.getMyProfile();
console.log('My profile:', myProfile.data);
```
### Get Another User's Profile
```javascript
const userProfile = await api.getUserProfile(123);
console.log('User:', userProfile.data);
```
### Update Profile
```javascript
await api.updateProfile({
usr_dname: 'My New Name',
usr_about: 'I love making videos!'
});
console.log('Profile updated!');
```
### Upload Avatar
```html
<input type="file" id="avatar-input" accept="image/*">
<button onclick="uploadAvatar()">Upload</button>
<script>
async function uploadAvatar() {
const fileInput = document.getElementById('avatar-input');
const file = fileInput.files[0];
if (file) {
const result = await api.uploadAvatar(file);
console.log('Avatar uploaded:', result.data.avatar_url);
}
}
</script>
```
---
## 4. Comments
### Get Comments for a Video
```javascript
const comments = await api.getComments('123456', {
page: 1,
sort: 'recent'
});
console.log('Comments:', comments.data.comments);
```
### Post a Comment
```javascript
const newComment = await api.createComment(
'123456', // video file_key
'Great video!', // comment text
null // parent_id (null for top-level)
);
console.log('Comment posted:', newComment.data);
```
### Reply to a Comment
```javascript
const reply = await api.createComment(
'123456', // video file_key
'Thanks!', // reply text
789 // parent comment ID
);
console.log('Reply posted:', reply.data);
```
---
## 5. Subscriptions
### Subscribe to a Channel
```javascript
await api.subscribe(456); // channel user ID
console.log('Subscribed!');
```
### Check if Subscribed
```javascript
const status = await api.checkSubscription(456);
if (status.data.is_subscribed) {
console.log('Already subscribed');
} else {
console.log('Not subscribed');
}
```
### Get Subscription Feed
```javascript
const feed = await api.getSubscriptionFeed({ page: 1 });
console.log('New videos from subscriptions:', feed.data.videos);
```
---
## 6. Complete Examples
### Video Player Page
```html
<!DOCTYPE html>
<html>
<head>
<title>Watch Video</title>
<style>
.video-container { max-width: 800px; margin: 0 auto; }
.actions button { margin: 5px; }
.comments { margin-top: 20px; }
</style>
</head>
<body>
<div class="video-container">
<h1 id="video-title"></h1>
<p id="video-description"></p>
<div class="actions">
<button id="like-btn">👍 Like</button>
<button id="subscribe-btn">Subscribe</button>
<button id="watch-later-btn">⏰ Watch Later</button>
</div>
<div class="comments">
<h2>Comments</h2>
<div id="comments-list"></div>
<form id="comment-form">
<textarea id="comment-text" placeholder="Add a comment..." required></textarea>
<button type="submit">Post Comment</button>
</form>
</div>
</div>
<script src="/f_scripts/fe/js/api-helper.js"></script>
<script>
const fileKey = '123456'; // Get from URL
// Load video and comments
async function init() {
try {
// Load video
const video = await api.getVideo(fileKey);
document.getElementById('video-title').textContent = video.data.file_title;
document.getElementById('video-description').textContent = video.data.file_description;
// Record view
await api.recordVideoView(fileKey);
// Load comments
await loadComments();
// Setup buttons
setupButtons(video.data);
} catch (error) {
api.handleError(error);
}
}
async function loadComments() {
const comments = await api.getComments(fileKey);
const list = document.getElementById('comments-list');
list.innerHTML = comments.data.comments.map(c => `
<div class="comment">
<strong>${c.usr_dname}</strong>
<p>${c.comment_text}</p>
<small>${c.comment_date}</small>
</div>
`).join('');
}
function setupButtons(video) {
// Like button
document.getElementById('like-btn').addEventListener('click', async () => {
await api.likeVideo(fileKey, 'like');
alert('Video liked!');
});
// Subscribe button
document.getElementById('subscribe-btn').addEventListener('click', async () => {
await api.subscribe(video.usr_id);
alert('Subscribed!');
});
// Watch later button
document.getElementById('watch-later-btn').addEventListener('click', async () => {
await api.toggleWatchLater(fileKey);
alert('Added to Watch Later!');
});
// Comment form
document.getElementById('comment-form').addEventListener('submit', async (e) => {
e.preventDefault();
const text = document.getElementById('comment-text').value;
await api.createComment(fileKey, text);
document.getElementById('comment-text').value = '';
await loadComments();
});
}
// Start
init();
</script>
</body>
</html>
```
### Browse Videos Page
```html
<!DOCTYPE html>
<html>
<head>
<title>Browse Videos</title>
<style>
.video-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(300px, 1fr)); gap: 20px; }
.video-card { border: 1px solid #ddd; padding: 15px; }
.filters { margin-bottom: 20px; }
</style>
</head>
<body>
<div class="container">
<h1>Browse Videos</h1>
<div class="filters">
<select id="sort-select">
<option value="recent">Recent</option>
<option value="popular">Popular</option>
<option value="featured">Featured</option>
</select>
<input type="text" id="search-input" placeholder="Search videos...">
<button id="search-btn">Search</button>
</div>
<div class="video-grid" id="video-grid"></div>
<button id="load-more">Load More</button>
</div>
<script src="/f_scripts/fe/js/api-helper.js"></script>
<script>
let currentPage = 1;
let currentSort = 'recent';
let searchQuery = '';
async function loadVideos(append = false) {
try {
let result;
if (searchQuery) {
result = await api.searchVideos(searchQuery, {
page: currentPage,
limit: 20
});
} else {
result = await api.getVideos({
page: currentPage,
limit: 20,
sort: currentSort
});
}
displayVideos(result.data.videos, append);
// Show/hide load more button
const loadMoreBtn = document.getElementById('load-more');
if (currentPage >= result.data.pagination.pages) {
loadMoreBtn.style.display = 'none';
} else {
loadMoreBtn.style.display = 'block';
}
} catch (error) {
api.handleError(error);
}
}
function displayVideos(videos, append = false) {
const grid = document.getElementById('video-grid');
if (!append) {
grid.innerHTML = '';
}
videos.forEach(video => {
const card = document.createElement('div');
card.className = 'video-card';
card.innerHTML = `
<h3>${video.file_title}</h3>
<p>${video.file_description}</p>
<p>
<small>
By ${video.usr_dname}
${video.file_views} views •
${video.like_count} likes
</small>
</p>
<button onclick="watchVideo('${video.file_key}')">
Watch
</button>
`;
grid.appendChild(card);
});
}
window.watchVideo = function(fileKey) {
window.location.href = `/watch.php?v=${fileKey}`;
};
// Sort change
document.getElementById('sort-select').addEventListener('change', (e) => {
currentSort = e.target.value;
currentPage = 1;
loadVideos(false);
});
// Search
document.getElementById('search-btn').addEventListener('click', () => {
searchQuery = document.getElementById('search-input').value;
currentPage = 1;
loadVideos(false);
});
// Load more
document.getElementById('load-more').addEventListener('click', () => {
currentPage++;
loadVideos(true);
});
// Initial load
loadVideos();
</script>
</body>
</html>
```
---
## 7. Error Handling
Always wrap API calls in try-catch:
```javascript
try {
const result = await api.someAPICall();
// Handle success
} catch (error) {
// Handle error
console.error('Error:', error.message);
// Use built-in error handler
api.handleError(error);
// Or custom handling
if (error.message.includes('Authentication')) {
window.location.href = '/signin';
} else {
alert('Error: ' + error.message);
}
}
```
---
## 8. Common Patterns
### Loading State
```javascript
async function loadData() {
showLoading(); // Your loading function
try {
const result = await api.getVideos();
displayData(result.data);
} catch (error) {
api.handleError(error);
} finally {
hideLoading(); // Always hide loading
}
}
```
### Infinite Scroll
```javascript
let currentPage = 1;
let loading = false;
window.addEventListener('scroll', async () => {
if (loading) return;
const scrolledToBottom =
window.innerHeight + window.scrollY >= document.body.offsetHeight - 500;
if (scrolledToBottom) {
loading = true;
currentPage++;
try {
const result = await api.getVideos({ page: currentPage });
appendVideos(result.data.videos);
} catch (error) {
api.handleError(error);
} finally {
loading = false;
}
}
});
```
### Debounced Search
```javascript
let searchTimeout;
document.getElementById('search-input').addEventListener('input', (e) => {
clearTimeout(searchTimeout);
searchTimeout = setTimeout(async () => {
const query = e.target.value;
if (query.length >= 2) {
const results = await api.searchVideos(query);
displaySearchResults(results.data.videos);
}
}, 300); // Wait 300ms after user stops typing
});
```
---
## 9. Browser Console Testing
Test API calls directly in the browser console:
```javascript
// Check authentication
api.isAuthenticated()
// Login
await api.login('username', 'password')
// Get videos
await api.getVideos({ page: 1 })
// Get current user
await api.getMyProfile()
// View stored token
localStorage.getItem('jwt_token')
// Clear token
api.clearToken()
```
---
## 10. Next Steps
- Read [API_DOCUMENTATION.md](API_DOCUMENTATION.md) for complete reference
- Check [FRONTEND_BACKEND_INTEGRATION_GUIDE.md](FRONTEND_BACKEND_INTEGRATION_GUIDE.md) for advanced patterns
- Review example code in [f_scripts/fe/js/api-helper.js](../f_scripts/fe/js/api-helper.js)
---
## Support
If you encounter issues:
1. Check browser console for errors
2. Check Network tab to see API requests/responses
3. Verify you're logged in: `api.isAuthenticated()`
4. Check API documentation for correct parameters
---
**Last Updated:** January 2025

19
docs/TODO.md
View File

@@ -9,6 +9,7 @@ This document lists concrete gaps, inconsistencies, and improvements identified
- Tasks:
- Decide on canonical filename; rename the actual SQL to `easystream.sql.gz` or fix `docker-compose.yml` to match.
- Update `__install/INSTALL.txt` references to the chosen name.
- Status: Fixed — compose mounts `__install/easystream.sql` and the file exists.
- Caddy root and HLS path
- Issues:
@@ -17,6 +18,7 @@ This document lists concrete gaps, inconsistencies, and improvements identified
- Tasks:
- Change `root * /srv/easystream`.
- In HLS block, set `root * /var/www/hls` (or rewrite to prefix) so `/hls/...` maps to files under `/var/www/hls`.
- Status: Fixed — `Caddyfile` now uses `/srv/easystream` and serves `/hls/*` from `/var/www/hls`.
- Cron image and scripts mismatch + broken init script
- Issues:
@@ -26,12 +28,14 @@ This document lists concrete gaps, inconsistencies, and improvements identified
- Replace all `/srv/viewshark` paths with `/srv/easystream`.
- Repair `init.sh` to write `cfg.php` files to the intended locations and use proper variable names.
- Ensure `crontab` uses the correct file (`/etc/cron.d/easystream`) and executable script names.
- Status: Fixed — cron paths use `/srv/easystream`; `init.sh` writes configs and loads `/etc/cron.d/easystream`.
- Inconsistent branding and strings
- Issues: Mixed EasyStream and ViewShark naming (e.g., `viewshark.sql.gz`, Telegram messages say ViewShark, Caddy paths).
- Issues: Mixed "EasyStream" and "ViewShark" naming (e.g., `viewshark.sql.gz`, Telegram messages say "ViewShark", Caddy paths).
- Tasks:
- Choose a canonical product name (likely EasyStream) and update:
- SQL filename(s), Caddy root, cron paths, userfacing strings (Telegram, admin), comments.
- Choose a canonical product name (likely "EasyStream") and update:
- SQL filename(s), Caddy root, cron paths, user-facing strings (Telegram, admin), comments.
- Status: Partially fixed — code/Caddy/cron now use "EasyStream". Remaining references are in seed data for `db_fileplayers` (JW Player config) inside `__install/easystream.sql` (logo/link and "Powered by VIewShark"). These are PHP-serialized; change via admin UI post-setup or add a PHP migration to safely rewrite.
- API DB helpers missing
- Issues: `api/telegram.php` and `api/auto_post.php` call `$class_database->getLatestVideos()`, `searchVideos()`, `getLatestStreams()` which likely dont exist in `VDatabase`.
@@ -56,6 +60,15 @@ This document lists concrete gaps, inconsistencies, and improvements identified
- Tasks:
- Implement/verify `VLogger::writeToDatabase` + migrations for a `logs` table.
- Extend `log_viewer.php` to page/filter by date, keyword, request id.
- Status: Partially verified — `VLogger::writeToDatabase` exists and `db_logs` table is present in the seed. Next: confirm admin viewer pagination/filters and permissions.
## Status Update (2025-10-29)
- Compose/Caddy/cron mismatches: fixed and validated in config files.
- DB helper methods: implemented in `f_core/f_classes/class.database.php`.
- Branding sweep: remaining only in JW Player seed config (serialized). Propose UI/migration approach.
- CSRF coverage audit: pending.
- Logger DB sink: implemented; UI/ops validation pending.
- Security: CSRF usage coverage
- Tasks:

1
easystream/caddy_config/caddy/autosave.json Normal file
View File

@@ -0,0 +1 @@
{"apps":{"http":{"servers":{"srv0":{"errors":{"routes":[{"handle":[{"handler":"subroute","routes":[{"group":"group2","handle":[{"handler":"rewrite","uri":"/index.php?error=404"}],"match":[{"expression":"{http.error.status_code} == 404"}]},{"handle":[{"handler":"static_response","headers":{"Location":["{http.request.orig_uri.path}/{http.request.orig_uri.prefixed_query}"]},"status_code":308}],"match":[{"file":{"try_files":["{http.request.uri.path}/index.php"]},"not":[{"path":["*/"]}]}]},{"handle":[{"handler":"rewrite","uri":"{http.matchers.file.relative}"}],"match":[{"file":{"split_path":[".php"],"try_files":["{http.request.uri.path}","{http.request.uri.path}/index.php","index.php"],"try_policy":"first_exist_fallback"}}]},{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"fastcgi","split_path":[".php"]},"upstreams":[{"dial":"php:9000"}]}],"match":[{"path":["*.php"]}]}]}]}]},"listen":[":80"],"routes":[{"handle":[{"handler":"vars","root":"/srv/easystream"},{"handler":"headers","response":{"set":{"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Content-Type-Options":["nosniff"]}}},{"encodings":{"gzip":{},"zstd":{}},"handler":"encode","prefer":["zstd","gzip"]}]},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"rewrite","strip_path_prefix":"/hls"}]},{"handle":[{"handler":"vars","root":"/var/www/hls"},{"handler":"headers","response":{"set":{"Cache-Control":["no-cache"]}}},{"handler":"headers","response":{"set":{"Access-Control-Allow-Origin":["*"]}}},{"handler":"file_server","hide":["/etc/caddy/Caddyfile"]}]}]}],"match":[{"path":["/hls/*"]}]},{"handle":[{"handler":"subroute","routes":[{"group":"group1","handle":[{"handler":"rewrite","uri":"/f_modules/m_frontend/m_donations/token_purchase.php"}],"match":[{"path":["/token_purchase","/token-purchase","/tokens"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/f_modules/m_frontend/m_donations/token_redemption.php"}],"match":[{"path":["/token_redemption","/token-redemption"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/f_modules/m_frontend/m_donations/rainforest_donation_form.php"}],"match":[{"path":["/donate","/donation"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/status.php"}],"match":[{"path":["/health","/status"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/parser.php"}],"match":[{"path":["/upload"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/parser.php"}],"match":[{"path":["/signin","/login"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/parser.php"}],"match":[{"path":["/signup","/register"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/admin.php"}],"match":[{"path":["/admin","/admin/*"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/parser.php"}],"match":[{"path":["/"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/tests/preflight.php"}],"match":[{"path":["/preflight"]}]},{"handle":[{"handler":"static_response","headers":{"Location":["/"]},"status_code":301}],"match":[{"path_regexp":{"name":"oldhome","pattern":"^.*/home$"}}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/f_data/data_userfiles/user_media/default.mp4"}],"match":[{"path":["/previews/default.mp4"]}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/f_data/data_userfiles/user_media/{http.regexp.prev_stream.1}/s/{http.regexp.prev_stream.2}.mp4"}],"match":[{"path_regexp":{"name":"prev_stream","pattern":"^/previews/s/([^/]+)/([^/]+)\\.mp4$"}}]},{"group":"group1","handle":[{"handler":"rewrite","uri":"/f_data/data_userfiles/user_media/{http.regexp.prev_video.1}/v/{http.regexp.prev_video.2}.mp4"}],"match":[{"path_regexp":{"name":"prev_video","pattern":"^/previews/([^/]+)/([^/]+)\\.mp4$"}}]},{"handle":[{"handler":"static_response","status_code":403}],"match":[{"path":["*.inc","*.inc.php","*.shtml","*.cgi","*.pl","*.py","*.asp","*.aspx","*.sh","*.cin","*.tpl","*.tplb","*.log"]}]},{"handle":[{"handler":"headers","response":{"set":{"Cache-Control":["public, max-age=604800"]}}}],"match":[{"path":["*.ico","*.pdf","*.flv","*.gif","*.jpg","*.jpeg","*.png","*.svg","*.webp","*.css","*.js","*.eot","*.woff","*.otf","*.ttf"]}]},{"handle":[{"handler":"static_response","headers":{"Location":["{http.request.orig_uri.path}/{http.request.orig_uri.prefixed_query}"]},"status_code":308}],"match":[{"file":{"try_files":["{http.request.uri.path}/index.php"]},"not":[{"path":["*/"]}]}]},{"handle":[{"handler":"rewrite","uri":"{http.matchers.file.relative}"}],"match":[{"file":{"split_path":[".php"],"try_files":["{http.request.uri.path}","{http.request.uri.path}/index.php","index.php"],"try_policy":"first_exist_fallback"}}]},{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"fastcgi","split_path":[".php"]},"upstreams":[{"dial":"php:9000"}]}],"match":[{"path":["*.php"]}]},{"handle":[{"handler":"file_server","hide":["/etc/caddy/Caddyfile"]}]}]}]}]}}}},"logging":{"logs":{"default":{"level":"DEBUG"}}}}

8
easystream/caddy_data/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/hello@sami-ahmed.net/hello.json Normal file
View File

@@ -0,0 +1,8 @@
{
"status": "valid",
"contact": [
"mailto:hello@sami-ahmed.net"
],
"termsOfServiceAgreed": true,
"location": "https://acme-v02.api.letsencrypt.org/acme/acct/2731240121"
}

5
easystream/caddy_data/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/hello@sami-ahmed.net/hello.key Normal file
View File

@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIEdNh+VSQNzBbPJHfiUZu5oq4PCnpHx+Q3EzWBmn4PHroAoGCCqGSM49
AwEHoUQDQgAExt93nGRMLZERYCO13U9lq/csf9vANS2b6OQnqwU7oBM6kq9N7u91
EsT8cA6uMeWKwbaVZf77MdeAHjgk+xcWwg==
-----END EC PRIVATE KEY-----

14
easystream/caddy_data/caddy/acme/acme.zerossl.com-v2-dv90/users/hello@sami-ahmed.net/hello.json Normal file
View File

@@ -0,0 +1,14 @@
{
"status": "valid",
"contact": [
"mailto:hello@sami-ahmed.net"
],
"termsOfServiceAgreed": true,
"externalAccountBinding": {
"protected": "eyJhbGciOiJIUzI1NiIsImtpZCI6InY1c05oRzFMcU9Qbjc1ZU94NlZ3VHciLCJ1cmwiOiJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50In0",
"payload": "eyJjcnYiOiJQLTI1NiIsImt0eSI6IkVDIiwieCI6IjlpdVJTNW5kMjBwcVF2d1hYdENEWEFRWGVNTExGSnpScGl0QmJKc3czazAiLCJ5Ijoia2llZEFyV21YeGxoMEZsaXdXYUdGWmtJaUgwNWpGZkotOXV5Z0RPa1hhayJ9",
"signature": "IVooV8luZg0AH4wteSrGNpI4--RO2ZWDP-uuNEAd3lQ"
},
"orders": "https://acme.zerossl.com/v2/DV90/account/v5sNhG1LqOPn75eOx6VwTw/orders",
"location": "https://acme.zerossl.com/v2/DV90/account/v5sNhG1LqOPn75eOx6VwTw"
}

5
easystream/caddy_data/caddy/acme/acme.zerossl.com-v2-dv90/users/hello@sami-ahmed.net/hello.key Normal file
View File

@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBgOIh9IJj4vpZ6/mQHgBKngiXOHvsB+hsaPHPOvuhEdoAoGCCqGSM49
AwEHoUQDQgAE9iuRS5nd20pqQvwXXtCDXAQXeMLLFJzRpitBbJsw3k2SJ50CtaZf
GWHQWWLBZoYVmQiIfTmMV8n727KAM6RdqQ==
-----END EC PRIVATE KEY-----

1
easystream/caddy_data/caddy/instance.uuid Normal file
View File

@@ -0,0 +1 @@
61b8c398-9cae-48bf-a407-a1bb030da79e

1
easystream/caddy_data/caddy/last_clean.json Normal file
View File

@@ -0,0 +1 @@
{"tls":{"timestamp":"2025-11-14T23:35:15.270822246Z","instance_id":"61b8c398-9cae-48bf-a407-a1bb030da79e"}}

2
f_core/config.core.php
View File

@@ -47,6 +47,8 @@ require_once 'f_core/f_functions/functions.queue.php';
require_once 'f_core/f_functions/functions.videoprocessing.php';
require_once 'f_core/f_functions/functions.rbac.php';
require_once 'f_core/f_functions/functions.branding.php';
require_once 'f_core/f_functions/functions.session.php';
require_once 'f_core/f_functions/functions.api.php';
//class init
$class_filter = new VFilter;
$class_language = new VLanguage;

35
f_core/config.define.php
View File

@@ -18,7 +18,7 @@ defined('_ISVALID') or header("Location: /error");
---- edit
*/
$COOKIE_VALIDATION = false; //BETA feature in testing phase, keep disabled for now
$COOKIE_DOMAIN = '.easystreamdemo.com';
$COOKIE_DOMAIN = ''; // Empty string allows cookies to work with any domain (localhost, IP, domain name)
$COOKIE_WHITELIST = array('127.0.0.1');
/*
---- end edit
@@ -36,37 +36,58 @@ set_include_path($main_dir);
if (!defined('_INCLUDE')) {
define('_INCLUDE', true);
}
define('REM_ADDR', (isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? 'HTTP_X_FORWARDED_FOR' : 'REMOTE_ADDR'));
define('ENC_FIRSTKEY', '4xR5Zlcwo8uUxyrdA5ykgFUXXQFV32o7abJiv+SBzBqXLCAmPq+ciq2ik1M32aGx8f/PZuNxHZ3uckPF/8BL2w==');
define('ENC_SECONDKEY', 'sH7ZuZ0jsiq9DKvjHHzQWAJaB1Ypav17v1rXVxyXpJSCI0untO8B1BUaUT7jxN2YlnyLy2e/JPJO3hMPSneJhhfQbV+ifrWIgD9JmubK+8PDTzB4gM9C0lV1g5R00KQmHWJ0iScv/oXldB0y6nMnLjiVhnTGNwf6gq1JEvukfac=');
// define('CA_CERT', '/etc/ssl/certs/cacert.pm');
define('COOKIE_VALIDATION', $COOKIE_VALIDATION);
define('COOKIE_DOMAIN', $COOKIE_DOMAIN);
define('COOKIE_VALIDATION_WHITELIST', $COOKIE_WHITELIST);
define('COOKIE_LOG', $main_dir . '/f_data/data_logs/log_error/log_cookie/' . date("Ymd") . "-cookie.log");
define('REQUEST_LOG', $main_dir . '/f_data/data_logs/log_error/log_request/' . date("Ymd") . "-request.log");
define('LIVE_AUTH_LOG', $main_dir . '/f_data/data_logs/log_error/log_live/' . date("Ymd") . "-auth.log");
define('LIVE_DONE_LOG', $main_dir . '/f_data/data_logs/log_error/log_live/' . date("Ymd") . "-done.log");
define('LIVE_REC_LOG', $main_dir . '/f_data/data_logs/log_error/log_live/' . date("Ymd") . "-rec.log");
// Detect HTTPS (supports reverse proxies) to decide secure cookies dynamically
$IS_HTTPS = (
(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') ||
(isset($_SERVER['REQUEST_SCHEME']) && strtolower($_SERVER['REQUEST_SCHEME']) === 'https')
);
// Environment-based SameSite policy: Strict on HTTPS in production, Lax in development
$APP_ENV = getenv('APP_ENV') ?: ((isset($_SERVER['HTTP_HOST']) && preg_match('/(localhost|127\.0\.0\.1)$/', $_SERVER['HTTP_HOST'])) ? 'development' : 'production');
$SAMESITE_POLICY = ($APP_ENV === 'production' && $IS_HTTPS) ? 'Strict' : 'Lax';
define('SET_COOKIE_OPTIONS', array(
'expires' => time() + 60 * 60 * 24 * 10, //10 days
'path' => '/',
'domain' => COOKIE_DOMAIN, // leading dot for compatibility or use subdomain
'secure' => true, // or false
'httponly' => true, // or false
'samesite' => 'Strict', // None || Lax || Strict
'secure' => $IS_HTTPS, // secure only over HTTPS
'httponly' => true,
'samesite' => $SAMESITE_POLICY,
));
define('DEL_COOKIE_OPTIONS', array(
'expires' => time() - 60 * 60 * 24 * 10, //10 days
'path' => '/',
'domain' => COOKIE_DOMAIN, // leading dot for compatibility or use subdomain
'secure' => true, // or false
'httponly' => true, // or false
'samesite' => 'Strict', // None || Lax || Strict
'secure' => $IS_HTTPS, // secure only over HTTPS
'httponly' => true,
'samesite' => $SAMESITE_POLICY,
));
define('SK_INC', (int) 0);
?>

207
f_core/f_classes/class.auth.php
View File

@@ -750,4 +750,211 @@ class VAuth
'token' => substr($token, 0, 8) . '...' // Log partial token for debugging
]);
}
/**
* Generate JWT token for API authentication
* @param array $user User data
* @param int|null $expiryTime Optional custom expiry time in seconds
* @return string JWT token
*/
public function generateJWTToken($user, $expiryTime = null)
{
try {
$expiryTime = $expiryTime ?? (24 * 60 * 60); // Default 24 hours
$header = json_encode([
'typ' => 'JWT',
'alg' => 'HS256'
]);
$payload = json_encode([
'user_id' => $user['user_id'],
'username' => $user['username'],
'email' => $user['email'],
'role' => $user['role'] ?? 'member',
'iat' => time(),
'exp' => time() + $expiryTime
]);
$headerEncoded = $this->base64UrlEncode($header);
$payloadEncoded = $this->base64UrlEncode($payload);
$jwtSecret = getenv('JWT_SECRET') ?: (defined('JWT_SECRET') ? JWT_SECRET : 'change_this_jwt_secret');
$signature = hash_hmac('sha256', $headerEncoded . '.' . $payloadEncoded, $jwtSecret, true);
$signatureEncoded = $this->base64UrlEncode($signature);
return $headerEncoded . '.' . $payloadEncoded . '.' . $signatureEncoded;
} catch (Exception $e) {
$this->logger->error('JWT generation failed', [
'error' => $e->getMessage(),
'user_id' => $user['user_id'] ?? 'unknown'
]);
throw $e;
}
}
/**
* Validate JWT token
* @param string $token JWT token
* @return array|null User data or null if invalid
*/
public function validateJWTToken($token)
{
try {
$parts = explode('.', $token);
if (count($parts) !== 3) {
$this->logger->logSecurityEvent('Invalid JWT format', ['token' => substr($token, 0, 20) . '...']);
return null;
}
list($headerEncoded, $payloadEncoded, $signatureProvided) = $parts;
// Verify signature
$jwtSecret = getenv('JWT_SECRET') ?: (defined('JWT_SECRET') ? JWT_SECRET : 'change_this_jwt_secret');
$expectedSignature = hash_hmac('sha256', $headerEncoded . '.' . $payloadEncoded, $jwtSecret, true);
$expectedSignatureEncoded = $this->base64UrlEncode($expectedSignature);
if (!hash_equals($expectedSignatureEncoded, $signatureProvided)) {
$this->logger->logSecurityEvent('JWT signature verification failed', []);
return null;
}
// Decode payload
$payload = json_decode($this->base64UrlDecode($payloadEncoded), true);
if (!$payload || !isset($payload['user_id'])) {
$this->logger->logSecurityEvent('Invalid JWT payload', []);
return null;
}
// Check expiration
if (isset($payload['exp']) && $payload['exp'] < time()) {
$this->logger->logSecurityEvent('JWT token expired', ['user_id' => $payload['user_id']]);
return null;
}
// Verify user exists and is active
$sql = "SELECT `user_id`, `username`, `email`, `role`, `status`
FROM `db_users`
WHERE `user_id` = ? AND `status` = 'active'";
$result = $this->db->dbConnection()->Execute($sql, [$payload['user_id']]);
if (!$result || $result->EOF) {
$this->logger->logSecurityEvent('JWT user not found or inactive', ['user_id' => $payload['user_id']]);
return null;
}
$user = $result->fields;
return [
'user_id' => $user['user_id'],
'username' => $user['username'],
'email' => $user['email'],
'role' => $user['role']
];
} catch (Exception $e) {
$this->logger->error('JWT validation error', [
'error' => $e->getMessage(),
'token' => substr($token, 0, 20) . '...'
]);
return null;
}
}
/**
* Login with JWT token return (for API clients)
* @param string $identifier Username or email
* @param string $password Password
* @param int|null $expiryTime Optional token expiry time
* @return array Result with token and user data
*/
public function loginWithToken($identifier, $password, $expiryTime = null)
{
try {
// Use regular login to validate credentials
$loginResult = $this->login($identifier, $password, false);
if (!$loginResult['success']) {
return $loginResult;
}
// Generate JWT token
$token = $this->generateJWTToken($loginResult['user'], $expiryTime);
return [
'success' => true,
'message' => 'Login successful',
'token' => $token,
'token_type' => 'Bearer',
'expires_in' => $expiryTime ?? (24 * 60 * 60),
'user' => $loginResult['user']
];
} catch (Exception $e) {
$this->logger->error('Token login error', [
'error' => $e->getMessage(),
'identifier' => $identifier ?? 'unknown'
]);
return ['success' => false, 'message' => 'An error occurred during login'];
}
}
/**
* Authenticate request via Bearer token (for API requests)
* @param string|null $authHeader Authorization header value
* @return array|null User data or null if not authenticated
*/
public function authenticateBearer($authHeader = null)
{
try {
// Get Authorization header if not provided
if ($authHeader === null) {
$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
// Apache mod_rewrite workaround
if (empty($authHeader) && function_exists('apache_request_headers')) {
$headers = apache_request_headers();
$authHeader = $headers['Authorization'] ?? $headers['authorization'] ?? '';
}
}
if (empty($authHeader)) {
return null;
}
// Extract Bearer token
if (strpos($authHeader, 'Bearer ') === 0) {
$token = substr($authHeader, 7);
return $this->validateJWTToken($token);
}
return null;
} catch (Exception $e) {
$this->logger->error('Bearer authentication error', ['error' => $e->getMessage()]);
return null;
}
}
/**
* Base64 URL-safe encoding
* @param string $data Data to encode
* @return string Encoded data
*/
private function base64UrlEncode($data)
{
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
/**
* Base64 URL-safe decoding
* @param string $data Data to decode
* @return string Decoded data
*/
private function base64UrlDecode($data)
{
return base64_decode(strtr($data, '-_', '+/'));
}
}

68
f_core/f_classes/class.database.php
View File

@@ -130,7 +130,8 @@ class VDatabase
if (is_array($cfg_vars) and count($cfg_vars) > 0) {
foreach ($cfg_vars as $key => $post_field) {
$query = $db->execute(sprintf("UPDATE `%s` SET `cfg_data` = '%s' WHERE `cfg_name` = '%s' LIMIT 1; ", $db_tbl, $post_field, $key));
// Fixed: Changed cfg_data to cfg_value to match actual database column name
$query = $db->execute(sprintf("UPDATE `%s` SET `cfg_value` = '%s' WHERE `cfg_name` = '%s' LIMIT 1; ", $db_tbl, $post_field, $key));
$count = $db->Affected_Rows() > 0 ? $count + 1 : $count;
if ($_GET['s'] == 'backend-menu-entry1-sub9' and $cfg['activity_logging'] == 1) {
@@ -271,14 +272,15 @@ class VDatabase
$q_get = '`cfg_name` IN ("' . implode('", "', $settings_array) . '")';
$q_result = $db->Execute(sprintf("SELECT `cfg_name`, `cfg_data` FROM `%s` WHERE %s;", $db_table, $q_get));
// Fixed: Changed cfg_data to cfg_value to match actual database column name
$q_result = $db->Execute(sprintf("SELECT `cfg_name`, `cfg_value` FROM `%s` WHERE %s;", $db_table, $q_get));
if ($q_result) {
while (!$q_result->EOF) {
$cfg_name = $q_result->fields['cfg_name'];
$cfg_data = $q_result->fields['cfg_data'];
$cfg[$cfg_name] = $cfg_data;
$smarty->assign($cfg_name, $cfg_data);
$cfg_value = $q_result->fields['cfg_value'];
$cfg[$cfg_name] = $cfg_value;
$smarty->assign($cfg_name, $cfg_value);
@$q_result->MoveNext();
}
}
@@ -458,6 +460,62 @@ class VDatabase
return $rows;
}
/**
* General-purpose query execution method
* Returns array of results instead of ADORecordSet for easier frontend use
*
* @param string $sql SQL query to execute
* @param array $params Optional parameters for prepared statement
* @param int|false $cache_time Optional cache time in seconds (false = no cache)
* @return array Array of associative arrays with query results, empty array on failure
*/
public function execute($sql, $params = [], $cache_time = false)
{
global $db;
$rows = [];
try {
// Validate SQL input
if (empty($sql) || !is_string($sql)) {
throw new InvalidArgumentException('Invalid SQL query');
}
// Ensure params is an array
if (!is_array($params)) {
$params = [$params];
}
// Execute query with or without caching
if ($cache_time && is_numeric($cache_time) && $cache_time > 0) {
$result = $db->CacheExecute($cache_time, $sql, $params);
} else {
$result = $db->Execute($sql, $params);
}
// Check for query errors
if (!$result) {
$logger = VLogger::getInstance();
$logger->logDatabaseError($db->ErrorMsg(), $sql, $params);
return [];
}
// Convert ADORecordSet to plain array
if ($result && !$result->EOF) {
while (!$result->EOF) {
$rows[] = $result->fields;
$result->MoveNext();
}
}
return $rows;
} catch (Exception $e) {
$logger = VLogger::getInstance();
$logger->logDatabaseError($e->getMessage(), $sql ?? '', $params ?? []);
return [];
}
}
/**
* Sanitize input for database queries
* @param mixed $input Input to sanitize

4
f_core/f_classes/class.files.php
View File

@@ -4047,7 +4047,7 @@ class VFiles
}
/* number format */
public function numFormat($for)
public static function numFormat($for)
{
return VGenerate::nrf($for);
}
@@ -4109,7 +4109,7 @@ class VFiles
}
}
/* duration from seconds */
public function fileDuration($seconds_count)
public static function fileDuration($seconds_count)
{
$delimiter = ':';

2
f_core/f_classes/class.generate.php
View File

@@ -630,7 +630,7 @@ class VGenerate
return $html;
}
/* generate file href html */
public function fileHref($type, $key, $title = '')
public static function fileHref($type, $key, $title = '')
{
require 'f_core/config.href.php';
global $class_database;

3
f_core/f_classes/class.middleware.php
View File

@@ -381,7 +381,8 @@ class VMiddleware
$this->sendAPIResponse(['success' => false, 'message' => 'Authentication required'], 401);
} else {
$redirectUrl = urlencode($_SERVER['REQUEST_URI'] ?? '/');
header("Location: /login?redirect={$redirectUrl}");
if (strpos($_SERVER["REQUEST_URI"] ?? "", "/signin") === 0) { http_response_code(401); return; }
header("Location: /signin?redirect={$redirectUrl}");
exit;
}
}

2
f_core/f_classes/class.redirect.php
View File

@@ -18,7 +18,7 @@ defined('_ISVALID') or header('Location: /error');
class VRedirect
{
/* do redirect */
public function to($url, $code = 301)
public function to($code = '', $url)
{
session_write_close();
if (headers_sent()) {

2
f_core/f_classes/class.useraccount.php
View File

@@ -722,7 +722,7 @@ class VUseraccount
}
}
/* get the user profile image */
public function getProfileImage_inc(int $usr_key, $usr_photo = '', int $inc)
public static function getProfileImage_inc(int $usr_key, $usr_photo = '', int $inc)
{
global $cfg, $class_database, $db;

393
f_core/f_functions/functions.api.php Normal file
View File

@@ -0,0 +1,393 @@
<?php
/**
* API Response Helper Functions
* Provides standardized API responses across EasyStream
*/
if (!defined('_ISVALID')) {
die('Direct access is not allowed');
}
/**
* Send success response
* Standardized success response format for all API endpoints
*
* @param mixed $data Data to return (can be array, object, string, etc.)
* @param int $statusCode HTTP status code (default: 200)
* @param array $meta Optional metadata (pagination, etc.)
* @return void (exits after sending response)
*/
function sendApiSuccess($data = null, $statusCode = 200, $meta = null) {
http_response_code($statusCode);
header('Content-Type: application/json; charset=utf-8');
$response = [
'success' => true,
'data' => $data,
'error' => null
];
// Add metadata if provided (pagination, etc.)
if ($meta !== null) {
$response['meta'] = $meta;
}
// Add timestamp
$response['timestamp'] = date('Y-m-d H:i:s');
echo json_encode($response, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
exit;
}
/**
* Send error response
* Standardized error response format for all API endpoints
*
* @param string $message Error message
* @param int $statusCode HTTP status code (default: 400)
* @param array $details Additional error details (validation errors, etc.)
* @return void (exits after sending response)
*/
function sendApiError($message, $statusCode = 400, $details = null) {
http_response_code($statusCode);
header('Content-Type: application/json; charset=utf-8');
$response = [
'success' => false,
'data' => null,
'error' => $message
];
// Add error details if provided
if ($details !== null) {
$response['details'] = $details;
}
// Add timestamp
$response['timestamp'] = date('Y-m-d H:i:s');
// Log error for debugging
VLogger::log('error', 'API Error: ' . $message, [
'status_code' => $statusCode,
'details' => $details,
'endpoint' => $_SERVER['REQUEST_URI'] ?? 'unknown',
'method' => $_SERVER['REQUEST_METHOD'] ?? 'unknown'
]);
echo json_encode($response, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
exit;
}
/**
* Validate API request method
* Ensures only allowed HTTP methods are used
*
* @param string|array $allowedMethods Single method or array of allowed methods
* @throws Exception if method not allowed (sends 405 response)
* @return void
*/
function validateApiMethod($allowedMethods) {
$allowedMethods = (array) $allowedMethods;
$currentMethod = $_SERVER['REQUEST_METHOD'];
if (!in_array($currentMethod, $allowedMethods)) {
sendApiError(
'Method not allowed. Allowed methods: ' . implode(', ', $allowedMethods),
405,
['allowed_methods' => $allowedMethods, 'current_method' => $currentMethod]
);
}
}
/**
* Get JSON input from request body
* Handles both JSON and form-encoded data
*
* @param bool $assoc Return as associative array (default: true)
* @return array|object Decoded JSON data
* @throws Exception if JSON is invalid
*/
function getJsonInput($assoc = true) {
$input = file_get_contents('php://input');
if (empty($input)) {
return $assoc ? [] : (object) [];
}
$data = json_decode($input, $assoc);
if (json_last_error() !== JSON_ERROR_NONE) {
sendApiError(
'Invalid JSON input: ' . json_last_error_msg(),
400,
['json_error' => json_last_error_msg()]
);
}
return $data;
}
/**
* Validate required fields in request data
* Checks if all required fields are present and not empty
*
* @param array $data Request data
* @param array $requiredFields Array of required field names
* @return void (sends error response if validation fails)
*/
function validateRequiredFields($data, $requiredFields) {
$missingFields = [];
foreach ($requiredFields as $field) {
if (!isset($data[$field]) || (is_string($data[$field]) && trim($data[$field]) === '')) {
$missingFields[] = $field;
}
}
if (!empty($missingFields)) {
sendApiError(
'Missing required fields',
400,
['missing_fields' => $missingFields, 'required_fields' => $requiredFields]
);
}
}
/**
* Get pagination parameters from request
* Standardized pagination handling
*
* @param int $defaultLimit Default items per page (default: 20)
* @param int $maxLimit Maximum items per page (default: 100)
* @return array ['page', 'limit', 'offset']
*/
function getPaginationParams($defaultLimit = 20, $maxLimit = 100) {
$page = isset($_GET['page']) ? max(1, (int) $_GET['page']) : 1;
$limit = isset($_GET['limit']) ? min($maxLimit, max(1, (int) $_GET['limit'])) : $defaultLimit;
$offset = ($page - 1) * $limit;
return [
'page' => $page,
'limit' => $limit,
'offset' => $offset
];
}
/**
* Create pagination metadata
* Returns standardized pagination info for responses
*
* @param int $page Current page
* @param int $limit Items per page
* @param int $total Total items
* @return array Pagination metadata
*/
function createPaginationMeta($page, $limit, $total) {
return [
'page' => $page,
'limit' => $limit,
'total' => $total,
'pages' => ceil($total / $limit),
'has_more' => $page < ceil($total / $limit)
];
}
/**
* Require authentication for API endpoint
* Checks if user is authenticated via JWT or session
*
* @return int User ID
* @throws Exception if not authenticated (sends 401 response)
*/
function requireAuth() {
$userId = null;
// Try JWT authentication first
$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
if ($authHeader && preg_match('/Bearer\s+(.*)$/i', $authHeader, $matches)) {
$token = $matches[1];
$tokenData = VAuth::verifyToken($token);
if ($tokenData && isset($tokenData['user_id'])) {
$userId = $tokenData['user_id'];
}
}
// Fall back to session authentication
if (!$userId) {
$userId = getCurrentUserId();
}
if (!$userId) {
sendApiError('Authentication required', 401);
}
return $userId;
}
/**
* Check user permission for API endpoint
* Requires authentication and checks RBAC permission
*
* @param string $permission Permission to check (e.g., 'videos.delete')
* @return int User ID if authorized
* @throws Exception if not authorized (sends 403 response)
*/
function requirePermission($permission) {
$userId = requireAuth();
if (!VAuth::hasPermission($permission)) {
sendApiError(
'Permission denied',
403,
['required_permission' => $permission, 'user_id' => $userId]
);
}
return $userId;
}
/**
* Rate limit API requests
* Simple in-memory rate limiting (consider Redis for production)
*
* @param string $key Rate limit key (e.g., 'api:' . $userId)
* @param int $maxRequests Maximum requests allowed
* @param int $timeWindow Time window in seconds
* @return void (sends 429 response if limit exceeded)
*/
function rateLimitApiRequest($key, $maxRequests = 60, $timeWindow = 60) {
// Use APCu if available, otherwise session
if (function_exists('apcu_fetch')) {
$requests = apcu_fetch($key, $success);
if (!$success) {
$requests = ['count' => 0, 'start' => time()];
}
// Reset if time window expired
if (time() - $requests['start'] > $timeWindow) {
$requests = ['count' => 0, 'start' => time()];
}
$requests['count']++;
if ($requests['count'] > $maxRequests) {
$retryAfter = $timeWindow - (time() - $requests['start']);
header('Retry-After: ' . $retryAfter);
header('X-RateLimit-Limit: ' . $maxRequests);
header('X-RateLimit-Remaining: 0');
header('X-RateLimit-Reset: ' . ($requests['start'] + $timeWindow));
sendApiError(
'Rate limit exceeded',
429,
[
'max_requests' => $maxRequests,
'time_window' => $timeWindow,
'retry_after' => $retryAfter
]
);
}
apcu_store($key, $requests, $timeWindow);
// Add rate limit headers
header('X-RateLimit-Limit: ' . $maxRequests);
header('X-RateLimit-Remaining: ' . ($maxRequests - $requests['count']));
header('X-RateLimit-Reset: ' . ($requests['start'] + $timeWindow));
} else {
// Fallback: Use session storage (not ideal for distributed systems)
if (!isset($_SESSION['rate_limit'])) {
$_SESSION['rate_limit'] = [];
}
if (!isset($_SESSION['rate_limit'][$key])) {
$_SESSION['rate_limit'][$key] = ['count' => 0, 'start' => time()];
}
$requests = $_SESSION['rate_limit'][$key];
// Reset if time window expired
if (time() - $requests['start'] > $timeWindow) {
$_SESSION['rate_limit'][$key] = ['count' => 0, 'start' => time()];
$requests = $_SESSION['rate_limit'][$key];
}
$requests['count']++;
$_SESSION['rate_limit'][$key] = $requests;
if ($requests['count'] > $maxRequests) {
$retryAfter = $timeWindow - (time() - $requests['start']);
header('Retry-After: ' . $retryAfter);
sendApiError(
'Rate limit exceeded',
429,
[
'max_requests' => $maxRequests,
'time_window' => $timeWindow,
'retry_after' => $retryAfter
]
);
}
}
}
/**
* Sanitize API input
* Wrapper around VSecurity::sanitize with logging
*
* @param mixed $input Input to sanitize
* @param string $type Type of sanitization (string, email, url, int, etc.)
* @return mixed Sanitized input
*/
function sanitizeApiInput($input, $type = 'string') {
if ($input === null) {
return null;
}
switch ($type) {
case 'int':
return (int) $input;
case 'float':
return (float) $input;
case 'bool':
return (bool) $input;
case 'email':
return filter_var($input, FILTER_SANITIZE_EMAIL);
case 'url':
return filter_var($input, FILTER_SANITIZE_URL);
case 'string':
default:
return VSecurity::sanitize($input);
}
}
/**
* Log API request for debugging/analytics
*
* @param string $endpoint Endpoint name
* @param array $data Additional data to log
* @return void
*/
function logApiRequest($endpoint, $data = []) {
VLogger::log('info', 'API Request', array_merge([
'endpoint' => $endpoint,
'method' => $_SERVER['REQUEST_METHOD'] ?? 'unknown',
'user_id' => getCurrentUserId(),
'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
'user_agent' => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200)
], $data));
}

278
f_core/f_functions/functions.session.php Normal file
View File

@@ -0,0 +1,278 @@
<?php
/**
* Session Helper Functions
* Provides standardized session access across EasyStream
*
* This file resolves conflicts between different session variable names
* used throughout the application.
*/
if (!defined('_ISVALID')) {
die('Direct access is not allowed');
}
/**
* Get current user ID from session
* Handles legacy session variable names for backward compatibility
*
* @return int User ID or 0 if not logged in
*/
function getCurrentUserId() {
// Check modern standard (preferred)
if (isset($_SESSION['USER_ID']) && $_SESSION['USER_ID'] > 0) {
return (int) $_SESSION['USER_ID'];
}
// Check legacy variant 1 (migrate to new standard)
if (isset($_SESSION['usr_id']) && $_SESSION['usr_id'] > 0) {
$_SESSION['USER_ID'] = (int) $_SESSION['usr_id'];
unset($_SESSION['usr_id']);
VLogger::log('info', 'Migrated session variable usr_id to USER_ID', [
'user_id' => $_SESSION['USER_ID']
]);
return (int) $_SESSION['USER_ID'];
}
// Check legacy variant 2 (migrate to new standard)
if (isset($_SESSION['user_id']) && $_SESSION['user_id'] > 0) {
$_SESSION['USER_ID'] = (int) $_SESSION['user_id'];
unset($_SESSION['user_id']);
VLogger::log('info', 'Migrated session variable user_id to USER_ID', [
'user_id' => $_SESSION['USER_ID']
]);
return (int) $_SESSION['USER_ID'];
}
return 0;
}
/**
* Set current user ID in session
* Automatically cleans up legacy session variables
*
* @param int $userId User ID to set
* @return void
*/
function setCurrentUserId($userId) {
$_SESSION['USER_ID'] = (int) $userId;
// Clean up legacy session variables to prevent conflicts
unset($_SESSION['usr_id']);
unset($_SESSION['user_id']);
}
/**
* Check if user is logged in
*
* @return bool True if user is authenticated, false otherwise
*/
function isUserLoggedIn() {
return getCurrentUserId() > 0;
}
/**
* Get current username from session
*
* @return string|null Username or null if not set
*/
function getCurrentUsername() {
return $_SESSION['USER_NAME'] ?? $_SESSION['usr_user'] ?? null;
}
/**
* Get current user email from session
*
* @return string|null Email or null if not set
*/
function getCurrentUserEmail() {
return $_SESSION['USER_EMAIL'] ?? $_SESSION['usr_email'] ?? null;
}
/**
* Get current user key (unique identifier)
*
* @return string|null User key or null if not set
*/
function getCurrentUserKey() {
return $_SESSION['USER_KEY'] ?? null;
}
/**
* Clear user session completely
* Removes all user-related session variables
*
* @return void
*/
function clearUserSession() {
// Standard variables
unset($_SESSION['USER_ID']);
unset($_SESSION['USER_NAME']);
unset($_SESSION['USER_EMAIL']);
unset($_SESSION['USER_KEY']);
// Legacy variables
unset($_SESSION['usr_id']);
unset($_SESSION['user_id']);
unset($_SESSION['usr_user']);
unset($_SESSION['usr_email']);
// Additional user data
unset($_SESSION['usr_verified']);
unset($_SESSION['usr_partner']);
unset($_SESSION['usr_avatar']);
}
/**
* Migrate all session variables to new standard
* Useful for one-time migration during login
*
* @param array $userData User data from database
* @return void
*/
function migrateSessionVariables($userData) {
// Set standard variables
if (isset($userData['usr_id'])) {
setCurrentUserId($userData['usr_id']);
}
if (isset($userData['usr_user'])) {
$_SESSION['USER_NAME'] = $userData['usr_user'];
}
if (isset($userData['usr_email'])) {
$_SESSION['USER_EMAIL'] = $userData['usr_email'];
}
if (isset($userData['usr_key'])) {
$_SESSION['USER_KEY'] = $userData['usr_key'];
}
// Store additional user data if needed
if (isset($userData['usr_verified'])) {
$_SESSION['usr_verified'] = (bool) $userData['usr_verified'];
}
if (isset($userData['usr_partner'])) {
$_SESSION['usr_partner'] = (bool) $userData['usr_partner'];
}
if (isset($userData['usr_avatar'])) {
$_SESSION['usr_avatar'] = $userData['usr_avatar'];
}
VLogger::log('info', 'Session variables migrated to new standard', [
'user_id' => getCurrentUserId()
]);
}
/**
* Get all current user session data
*
* @return array User session data
*/
function getCurrentUserSessionData() {
return [
'user_id' => getCurrentUserId(),
'username' => getCurrentUsername(),
'email' => getCurrentUserEmail(),
'user_key' => getCurrentUserKey(),
'verified' => $_SESSION['usr_verified'] ?? false,
'partner' => $_SESSION['usr_partner'] ?? false,
'avatar' => $_SESSION['usr_avatar'] ?? null,
'is_logged_in' => isUserLoggedIn()
];
}
/**
* Validate session and check for hijacking attempts
*
* @return bool True if session is valid, false if suspicious
*/
function validateUserSession() {
if (!isUserLoggedIn()) {
return true; // No session to validate
}
// Check if user agent changed (possible hijacking)
$currentUserAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$sessionUserAgent = $_SESSION['USER_AGENT'] ?? '';
if (!empty($sessionUserAgent) && $sessionUserAgent !== $currentUserAgent) {
VLogger::log('warning', 'Session user agent mismatch - possible hijacking', [
'user_id' => getCurrentUserId(),
'session_ua' => substr($sessionUserAgent, 0, 100),
'current_ua' => substr($currentUserAgent, 0, 100)
]);
clearUserSession();
return false;
}
// Check if IP changed (optional strict check)
if (defined('SESSION_IP_CHECK') && SESSION_IP_CHECK === true) {
$currentIp = $_SERVER['REMOTE_ADDR'] ?? '';
$sessionIp = $_SESSION['USER_IP'] ?? '';
if (!empty($sessionIp) && $sessionIp !== $currentIp) {
VLogger::log('warning', 'Session IP mismatch - possible hijacking', [
'user_id' => getCurrentUserId(),
'session_ip' => $sessionIp,
'current_ip' => $currentIp
]);
clearUserSession();
return false;
}
}
return true;
}
/**
* Initialize session security variables
* Call this after successful login
*
* @return void
*/
function initializeSessionSecurity() {
$_SESSION['USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
$_SESSION['USER_IP'] = $_SERVER['REMOTE_ADDR'] ?? '';
$_SESSION['SESSION_START_TIME'] = time();
}
/**
* Check if session has expired
*
* @param int $timeout Timeout in seconds (default: 1 hour)
* @return bool True if expired, false otherwise
*/
function isSessionExpired($timeout = 3600) {
if (!isset($_SESSION['SESSION_START_TIME'])) {
return false; // No timestamp, can't determine
}
$elapsed = time() - $_SESSION['SESSION_START_TIME'];
if ($elapsed > $timeout) {
VLogger::log('info', 'Session expired', [
'user_id' => getCurrentUserId(),
'elapsed_seconds' => $elapsed
]);
return true;
}
return false;
}
/**
* Refresh session timestamp
* Call periodically to extend session
*
* @return void
*/
function refreshSession() {
if (isUserLoggedIn()) {
$_SESSION['SESSION_START_TIME'] = time();
}
}

2
f_data/data_sessions/sess_184edc94d78a55ed5e01fbc1a09eaae9
View File

@@ -1 +1 @@
lang_count|i:1;fe_lang|s:5:"en_US";fe_flag|s:12:"flag-icon-us";be_lang|s:5:"en_US";be_flag|s:12:"flag-icon-us";sbm|i:1;loading_lang|s:12:"Loading ... ";
lang_count|i:1;fe_lang|s:5:"en_US";fe_flag|s:12:"flag-icon-us";be_lang|s:5:"en_US";be_flag|s:12:"flag-icon-us";sbm|i:1;loading_lang|s:12:"Loading ... ";renew_id|N;USER_ERROR|N;USER_ID|s:1:"1";USER_NAME|s:5:"admin";USER_KEY|s:6:"123456";123456_list|i:0;USER_DNAME|s:0:"";USER_AFFILIATE|s:1:"0";USER_PARTNER|s:1:"0";USER_THEME|s:5:"light";USER_PINC|s:1:"0";new_notifications|i:0;q|N;tf|N;uf|N;df|N;ff|N;

BIN
f_data/data_userfiles/user_profile/123456/123456.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

12
f_data/logs/.htaccess Normal file
View File

@@ -0,0 +1,12 @@
# Deny access to log files
<Files "*">
Order allow,deny
Deny from all
</Files>
# Apache 2.4+
<IfModule mod_authz_core.c>
<Files "*">
Require all denied
</Files>
</IfModule>

2
f_modules/m_backend/template_manager.php
View File

@@ -9,7 +9,7 @@ require_once dirname(__FILE__) . '/../../f_core/config.core.php';
// Check if user is logged in
if (!isset($_SESSION['USER_ID']) || $_SESSION['USER_ID'] <= 0) {
header('Location: /signin.php');
header('Location: /signin');
exit;
}

21
f_modules/m_frontend/m_acct/account.php
View File

@@ -33,8 +33,25 @@ $error_message = null;
$notice_message = null;
$cfg = $class_database->getConfigurations('paid_memberships,backend_email,backend_username,signup_domain_restriction,list_email_domains,signup_min_password,signup_max_password,email_change_captcha,keep_entries_open,user_image_max_size,user_image_allowed_extensions,user_image_width,user_image_height,activity_logging,file_favorites,file_rating,file_comments,channel_comments,file_respnses,approve_friends,file_counts,numeric_delimiter,channel_views,recaptcha_site_key,recaptcha_secret_key,affiliate_module,affiliate_tracking_id,affiliate_view_id,affiliate_maps_api_key,affiliate_token_script,affiliate_payout_figure,affiliate_payout_currency,affiliate_payout_units,affiliate_payout_share,affiliate_requirements_type,affiliate_requirements_min');
$logged_in = VLogin::checkFrontend(VHref::getKey('account'));
$membership_check = ($cfg["paid_memberships"] == 1 and $_SESSION["USER_ID"] > 0) ? VLogin::checkSubscription() : null;
// Use modern VAuth instead of deprecated VLogin
$auth = VAuth::getInstance();
$logged_in = $auth->isAuthenticated();
// Check if user has access to this page
if (!$logged_in) {
header('Location: ' . VHref::getKey('signin'));
exit;
}
// Check membership/subscription status if enabled
$membership_check = null;
if ($cfg["paid_memberships"] == 1 && getCurrentUserId() > 0) {
// Load membership class if it exists
if (class_exists('VMembership')) {
$membership_check = VMembership::checkSubscription(getCurrentUserId());
}
}
$notice_message = ($_POST and $_GET["do"] == '') ? VUseraccount::doChanges() : null;
$user_key = $class_filter->clr_str($_SESSION["USER_KEY"]);
$files = new VFiles;

698
f_scripts/fe/js/api-helper.js Normal file
View File

@@ -0,0 +1,698 @@
/**
* EasyStream API Helper
* Modern fetch-based API client with JWT token management
*/
class EasyStreamAPI {
constructor(baseURL = '/api') {
this.baseURL = baseURL;
this.token = this.getStoredToken();
this.tokenExpiry = this.getStoredTokenExpiry();
}
/**
* Store JWT token in localStorage
* @param {string} token JWT token
* @param {number} expiresIn Expiry time in seconds
*/
setToken(token, expiresIn = 86400) {
this.token = token;
this.tokenExpiry = Date.now() + (expiresIn * 1000);
if (typeof localStorage !== 'undefined') {
localStorage.setItem('jwt_token', token);
localStorage.setItem('jwt_expiry', this.tokenExpiry.toString());
}
}
/**
* Get stored token from localStorage
* @returns {string|null}
*/
getStoredToken() {
if (typeof localStorage === 'undefined') return null;
const expiry = localStorage.getItem('jwt_expiry');
if (expiry && Date.now() > parseInt(expiry)) {
// Token expired, clear it
this.clearToken();
return null;
}
return localStorage.getItem('jwt_token');
}
/**
* Get stored token expiry
* @returns {number|null}
*/
getStoredTokenExpiry() {
if (typeof localStorage === 'undefined') return null;
const expiry = localStorage.getItem('jwt_expiry');
return expiry ? parseInt(expiry) : null;
}
/**
* Clear stored token
*/
clearToken() {
this.token = null;
this.tokenExpiry = null;
if (typeof localStorage !== 'undefined') {
localStorage.removeItem('jwt_token');
localStorage.removeItem('jwt_expiry');
}
}
/**
* Check if user is authenticated
* @returns {boolean}
*/
isAuthenticated() {
if (!this.token) return false;
if (this.tokenExpiry && Date.now() > this.tokenExpiry) {
this.clearToken();
return false;
}
return true;
}
/**
* Get authorization headers
* @returns {Object}
*/
getAuthHeaders() {
const headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
};
if (this.token) {
headers['Authorization'] = `Bearer ${this.token}`;
}
return headers;
}
/**
* Make API request
* @param {string} endpoint API endpoint
* @param {Object} options Fetch options
* @returns {Promise<Object>}
*/
async request(endpoint, options = {}) {
const url = endpoint.startsWith('http') ? endpoint : `${this.baseURL}${endpoint}`;
const config = {
...options,
headers: {
...this.getAuthHeaders(),
...options.headers
}
};
try {
const response = await fetch(url, config);
// Handle different response types
const contentType = response.headers.get('content-type');
let data;
if (contentType && contentType.includes('application/json')) {
data = await response.json();
} else {
data = await response.text();
}
if (!response.ok) {
// Handle authentication errors
if (response.status === 401) {
this.clearToken();
throw new Error(data.message || 'Authentication failed');
}
throw new Error(data.message || `Request failed with status ${response.status}`);
}
return data;
} catch (error) {
console.error('API request failed:', error);
throw error;
}
}
/**
* GET request
* @param {string} endpoint API endpoint
* @param {Object} params Query parameters
* @returns {Promise<Object>}
*/
async get(endpoint, params = {}) {
const queryString = new URLSearchParams(params).toString();
const url = queryString ? `${endpoint}?${queryString}` : endpoint;
return this.request(url, {
method: 'GET'
});
}
/**
* POST request
* @param {string} endpoint API endpoint
* @param {Object} data Request body
* @returns {Promise<Object>}
*/
async post(endpoint, data = {}) {
return this.request(endpoint, {
method: 'POST',
body: JSON.stringify(data)
});
}
/**
* PUT request
* @param {string} endpoint API endpoint
* @param {Object} data Request body
* @returns {Promise<Object>}
*/
async put(endpoint, data = {}) {
return this.request(endpoint, {
method: 'PUT',
body: JSON.stringify(data)
});
}
/**
* DELETE request
* @param {string} endpoint API endpoint
* @returns {Promise<Object>}
*/
async delete(endpoint) {
return this.request(endpoint, {
method: 'DELETE'
});
}
// ===== Authentication Methods =====
/**
* Login with JWT token
* @param {string} identifier Username or email
* @param {string} password Password
* @param {number} expiresIn Optional token expiry in seconds
* @returns {Promise<Object>}
*/
async login(identifier, password, expiresIn = null) {
try {
const data = await this.post('/auth.php?action=login_token', {
identifier,
password,
expires_in: expiresIn
});
if (data.success && data.token) {
this.setToken(data.token, data.expires_in || 86400);
}
return data;
} catch (error) {
console.error('Login failed:', error);
throw error;
}
}
/**
* Logout and clear token
* @returns {Promise<Object>}
*/
async logout() {
try {
// Optionally call backend logout endpoint
// (though with JWT, client-side token removal is usually sufficient)
const data = await this.post('/auth.php?action=logout', {});
this.clearToken();
return data;
} catch (error) {
// Clear token even if API call fails
this.clearToken();
throw error;
}
}
/**
* Get current user info
* @returns {Promise<Object>}
*/
async getCurrentUser() {
if (!this.isAuthenticated()) {
throw new Error('Not authenticated');
}
return this.get('/auth.php?action=verify_token');
}
/**
* Verify token validity
* @returns {Promise<boolean>}
*/
async verifyToken() {
if (!this.token) return false;
try {
const data = await this.get('/auth.php?action=verify_token');
return data.success && data.valid;
} catch (error) {
this.clearToken();
return false;
}
}
// ===== Video API Methods =====
/**
* Get videos list
* @param {Object} params Query parameters (page, limit, sort, etc.)
* @returns {Promise<Object>}
*/
async getVideos(params = {}) {
return this.get('/videos.php', params);
}
/**
* Get video by ID
* @param {string} videoId Video ID
* @returns {Promise<Object>}
*/
async getVideo(videoId) {
return this.get(`/videos.php?id=${videoId}`);
}
/**
* Upload video metadata
* @param {Object} videoData Video metadata
* @returns {Promise<Object>}
*/
async createVideo(videoData) {
return this.post('/videos.php', videoData);
}
/**
* Update video
* @param {string} videoId Video ID
* @param {Object} videoData Updated video data
* @returns {Promise<Object>}
*/
async updateVideo(videoId, videoData) {
return this.put(`/videos.php?id=${videoId}`, videoData);
}
/**
* Delete video
* @param {string} videoId Video ID
* @returns {Promise<Object>}
*/
async deleteVideo(videoId) {
return this.delete(`/videos.php?id=${videoId}`);
}
/**
* Search videos
* @param {string} query Search query
* @param {Object} params Additional parameters
* @returns {Promise<Object>}
*/
async searchVideos(query, params = {}) {
return this.get('/videos.php', { action: 'search', q: query, ...params });
}
/**
* Like/unlike video
* @param {string} fileKey Video file key
* @param {string} likeType 'like' or 'dislike'
* @returns {Promise<Object>}
*/
async likeVideo(fileKey, likeType = 'like') {
return this.post('/videos.php?action=like', { file_key: fileKey, like_type: likeType });
}
/**
* Increment video view count
* @param {string} fileKey Video file key
* @returns {Promise<Object>}
*/
async recordVideoView(fileKey) {
return this.post('/videos.php?action=view', { file_key: fileKey });
}
/**
* Add/remove video from watch later
* @param {string} fileKey Video file key
* @returns {Promise<Object>}
*/
async toggleWatchLater(fileKey) {
return this.post('/videos.php?action=watch_later', { file_key: fileKey });
}
// ===== User API Methods =====
/**
* Get user profile
* @param {string} userId User ID (optional, defaults to current user)
* @returns {Promise<Object>}
*/
async getUserProfile(userId = null) {
if (userId) {
return this.get(`/user.php?id=${userId}`);
}
return this.get('/user.php?action=profile');
}
/**
* Get current user's profile (alias)
* @returns {Promise<Object>}
*/
async getMyProfile() {
return this.get('/user.php?action=me');
}
/**
* Update user profile
* @param {Object} userData Updated user data
* @returns {Promise<Object>}
*/
async updateProfile(userData) {
return this.put('/user.php', userData);
}
/**
* Upload user avatar
* @param {File} file Avatar file
* @returns {Promise<Object>}
*/
async uploadAvatar(file) {
const formData = new FormData();
formData.append('avatar', file);
return this.request('/user.php?action=avatar', {
method: 'POST',
headers: {
'Authorization': `Bearer ${this.token}`
},
body: formData
});
}
/**
* Get user statistics
* @returns {Promise<Object>}
*/
async getUserStats() {
return this.get('/user.php?action=stats');
}
/**
* Get user's videos
* @param {number} userId User ID (optional)
* @param {Object} params Query parameters
* @returns {Promise<Object>}
*/
async getUserVideos(userId = null, params = {}) {
const queryParams = userId ? { ...params, id: userId } : params;
return this.get('/user.php?action=videos', queryParams);
}
/**
* Get user's subscriptions
* @returns {Promise<Object>}
*/
async getUserSubscriptions() {
return this.get('/user.php?action=subscriptions');
}
/**
* Get user's subscribers
* @param {number} userId User ID (optional)
* @returns {Promise<Object>}
*/
async getUserSubscribers(userId = null) {
const params = userId ? { id: userId } : {};
return this.get('/user.php?action=subscribers', params);
}
// ===== Comments API Methods =====
/**
* Get comments for a video
* @param {string} fileKey Video file key
* @param {Object} params Query parameters
* @returns {Promise<Object>}
*/
async getComments(fileKey, params = {}) {
return this.get('/comments.php', { file_key: fileKey, ...params });
}
/**
* Get single comment with replies
* @param {number} commentId Comment ID
* @returns {Promise<Object>}
*/
async getComment(commentId) {
return this.get(`/comments.php?id=${commentId}`);
}
/**
* Create new comment
* @param {string} fileKey Video file key
* @param {string} commentText Comment text
* @param {number} parentId Parent comment ID (for replies)
* @returns {Promise<Object>}
*/
async createComment(fileKey, commentText, parentId = null) {
return this.post('/comments.php?action=create', {
file_key: fileKey,
comment_text: commentText,
parent_id: parentId
});
}
/**
* Update comment
* @param {number} commentId Comment ID
* @param {string} commentText Updated text
* @returns {Promise<Object>}
*/
async updateComment(commentId, commentText) {
return this.put(`/comments.php?id=${commentId}`, {
comment_text: commentText
});
}
/**
* Delete comment
* @param {number} commentId Comment ID
* @returns {Promise<Object>}
*/
async deleteComment(commentId) {
return this.delete(`/comments.php?id=${commentId}`);
}
/**
* Like/unlike comment
* @param {number} commentId Comment ID
* @returns {Promise<Object>}
*/
async likeComment(commentId) {
return this.post('/comments.php?action=like', { comment_id: commentId });
}
/**
* Report comment
* @param {number} commentId Comment ID
* @param {string} reason Report reason
* @returns {Promise<Object>}
*/
async reportComment(commentId, reason) {
return this.post('/comments.php?action=report', {
comment_id: commentId,
reason: reason
});
}
// ===== Subscriptions API Methods =====
/**
* Get user's subscriptions
* @returns {Promise<Object>}
*/
async getSubscriptions() {
return this.get('/subscriptions.php?action=list');
}
/**
* Get channel's subscribers
* @param {number} channelId Channel ID
* @param {Object} params Query parameters
* @returns {Promise<Object>}
*/
async getSubscribers(channelId, params = {}) {
return this.get('/subscriptions.php?action=subscribers', {
channel_id: channelId,
...params
});
}
/**
* Get subscription feed (videos from subscribed channels)
* @param {Object} params Query parameters
* @returns {Promise<Object>}
*/
async getSubscriptionFeed(params = {}) {
return this.get('/subscriptions.php?action=feed', params);
}
/**
* Check if subscribed to a channel
* @param {number} channelId Channel ID
* @returns {Promise<Object>}
*/
async checkSubscription(channelId) {
return this.get('/subscriptions.php?action=check', { channel_id: channelId });
}
/**
* Subscribe to a channel
* @param {number} channelId Channel ID
* @returns {Promise<Object>}
*/
async subscribe(channelId) {
return this.post('/subscriptions.php', { channel_id: channelId });
}
/**
* Unsubscribe from a channel
* @param {number} channelId Channel ID
* @returns {Promise<Object>}
*/
async unsubscribe(channelId) {
return this.delete(`/subscriptions.php?channel_id=${channelId}`);
}
// ===== Social API Methods =====
/**
* Get social feed
* @param {Object} params Query parameters
* @returns {Promise<Object>}
*/
async getSocialFeed(params = {}) {
return this.get('/social.php', params);
}
// ===== Helper Methods =====
/**
* Upload file with progress tracking
* @param {string} endpoint Upload endpoint
* @param {File} file File to upload
* @param {Object} additionalData Additional form data
* @param {Function} onProgress Progress callback
* @returns {Promise<Object>}
*/
async uploadFile(endpoint, file, additionalData = {}, onProgress = null) {
return new Promise((resolve, reject) => {
const xhr = new XMLHttpRequest();
const formData = new FormData();
formData.append('file', file);
// Add additional data
Object.keys(additionalData).forEach(key => {
formData.append(key, additionalData[key]);
});
// Progress tracking
if (onProgress && xhr.upload) {
xhr.upload.addEventListener('progress', (e) => {
if (e.lengthComputable) {
const percentComplete = (e.loaded / e.total) * 100;
onProgress(percentComplete, e.loaded, e.total);
}
});
}
// Handle completion
xhr.addEventListener('load', () => {
if (xhr.status >= 200 && xhr.status < 300) {
try {
const response = JSON.parse(xhr.responseText);
resolve(response);
} catch (e) {
resolve({ success: true, data: xhr.responseText });
}
} else {
try {
const error = JSON.parse(xhr.responseText);
reject(new Error(error.message || `Upload failed with status ${xhr.status}`));
} catch (e) {
reject(new Error(`Upload failed with status ${xhr.status}`));
}
}
});
// Handle errors
xhr.addEventListener('error', () => {
reject(new Error('Upload failed due to network error'));
});
xhr.addEventListener('abort', () => {
reject(new Error('Upload aborted'));
});
// Add auth header
if (this.token) {
xhr.setRequestHeader('Authorization', `Bearer ${this.token}`);
}
// Send request
const url = endpoint.startsWith('http') ? endpoint : `${this.baseURL}${endpoint}`;
xhr.open('POST', url);
xhr.send(formData);
});
}
/**
* Handle API errors consistently
* @param {Error} error Error object
* @param {Function} callback Optional callback
*/
handleError(error, callback = null) {
console.error('API Error:', error);
// Show user-friendly error message
const message = error.message || 'An unexpected error occurred';
if (callback) {
callback(message);
} else if (typeof window !== 'undefined' && window.showNotification) {
window.showNotification('error', message);
} else {
alert(message);
}
return { success: false, error: message };
}
}
// Create global instance
if (typeof window !== 'undefined') {
window.EasyStreamAPI = EasyStreamAPI;
window.api = new EasyStreamAPI();
}
// Export for module systems
if (typeof module !== 'undefined' && module.exports) {
module.exports = EasyStreamAPI;
}

183
f_scripts/migrations/update_jw_branding.php Normal file
View File

@@ -0,0 +1,183 @@
<?php
/*
* EasyStream JW Player Branding Migration
* Safely updates serialized JW Player config in `db_fileplayers` to remove legacy ViewShark branding.
* Usage: php f_scripts/migrations/update_jw_branding.php
*/
define('_ISVALID', true);
// Bootstrap core to reuse DB + config
require_once __DIR__ . '/../../f_core/config.core.php';
/**
* Unserialize safely (no objects), returning array or null
*/
function safe_unserialize($str)
{
if (!is_string($str) || $str === '') {
return null;
}
// PHP >= 7 allows allowed_classes => false
$data = @unserialize($str, ['allowed_classes' => false]);
if ($data === false || !is_array($data)) {
// Try without options for older compatibility
$data = @unserialize($str);
if (!is_array($data)) {
// Some environments may deliver escaped content from DB; try un-escaping
$clean = stripslashes($str);
$data = @unserialize($clean, ['allowed_classes' => false]);
if ($data === false || !is_array($data)) {
$data = @unserialize($clean);
if (!is_array($data)) {
// Last resort: stripcslashes
$clean2 = stripcslashes($str);
$data = @unserialize($clean2, ['allowed_classes' => false]);
if ($data === false || !is_array($data)) {
$data = @unserialize($clean2);
if (!is_array($data)) {
return null;
}
}
}
}
}
}
return $data;
}
/**
* Apply branding changes to JW config array
*/
function apply_branding(array $cfg, string $siteName, string $siteUrl): array
{
$changed = false;
$replacements = [
// Remove external logo file by default; admin can set later from UI
'jw_logo_file' => '',
// Point links to local site if available
'jw_logo_link' => $siteUrl,
// Update right-click text/link
'jw_rc_text' => 'Powered by ' . ($siteName ?: 'EasyStream'),
'jw_rc_link' => $siteUrl,
];
foreach ($replacements as $key => $value) {
if (array_key_exists($key, $cfg) && $cfg[$key] !== $value) {
$cfg[$key] = $value;
$changed = true;
}
}
// If jw_share_enabled is set, ensure no external domains are hardcoded in share link defaults
if (isset($cfg['jw_share_link']) && is_string($cfg['jw_share_link'])) {
// Replace known legacy domains if present
$legacy = ['viewsharkdemo.com', 'viewshark.com'];
foreach ($legacy as $dom) {
if (stripos($cfg['jw_share_link'], $dom) !== false) {
$cfg['jw_share_link'] = '';
$changed = true;
break;
}
}
}
$cfg['__changed__'] = $changed; // marker for caller
return $cfg;
}
try {
global $db, $cfg; // from config.core.php
if (!isset($db)) {
throw new Exception('Database connection not initialized.');
}
$siteName = $cfg['site_name'] ?? 'EasyStream';
$siteUrl = $cfg['site_url'] ?? '';
$targets = ['jw_local', 'jw_embed'];
$updated = 0;
foreach ($targets as $name) {
$rs = $db->Execute("SELECT `db_id`, `db_config` FROM `db_fileplayers` WHERE `db_name` = ? LIMIT 1", [$name]);
if ($rs && !$rs->EOF) {
$dbId = (int)$rs->fields['db_id'];
$raw = $rs->fields['db_config'];
$arr = safe_unserialize($raw);
if (is_array($arr)) {
$arr = apply_branding($arr, $siteName, $siteUrl);
$changed = !empty($arr['__changed__']);
unset($arr['__changed__']);
if ($changed) {
$serialized = serialize($arr);
$ok = $db->Execute("UPDATE `db_fileplayers` SET `db_config` = ? WHERE `db_id` = ?", [$serialized, $dbId]);
if ($ok) {
echo "Updated branding for {$name} (db_id={$dbId})\n";
$updated++;
} else {
echo "Failed to update {$name} (db_id={$dbId}): " . $db->ErrorMsg() . "\n";
}
} else {
echo "No changes needed for {$name}\n";
}
} else {
// Fallback: attempt in-place serialized string rewriting for known keys
$orig = (string)$raw;
$updatedSerialized = $orig;
$kv = [
'jw_logo_file' => '',
'jw_logo_link' => $siteUrl,
'jw_rc_text' => 'Powered by ' . ($siteName ?: 'EasyStream'),
'jw_rc_link' => $siteUrl,
];
$didChange = false;
foreach ($kv as $k => $v) {
$escapedKey = preg_quote($k, '/');
$replacement = function ($m) use ($v) {
$len = strlen($v);
$safe = str_replace('"', '"', $v); // value is plain; ensure quotes are safe
return $m[1] . 's:' . $len . ':"' . $safe . '";';
};
$pattern = '/(s:\d+:"' . $escapedKey . '";s:)\d+:("[\s\S]*?");/';
$new = preg_replace_callback($pattern, $replacement, $updatedSerialized, 1, $count);
if ($count > 0 && is_string($new)) {
$updatedSerialized = $new;
$didChange = true;
}
}
if ($didChange) {
$ok = $db->Execute("UPDATE `db_fileplayers` SET `db_config` = ? WHERE `db_id` = ?", [$updatedSerialized, $dbId]);
if ($ok) {
echo "Updated branding (fallback) for {$name} (db_id={$dbId})\n";
$updated++;
} else {
echo "Failed fallback update {$name} (db_id={$dbId}): " . $db->ErrorMsg() . "\n";
}
} else {
$snippet = substr((string)$raw, 0, 160);
echo "Could not unserialize config for {$name}; snippet: " . str_replace(["\n","\r"], ['\\n',''], $snippet) . "\n";
}
}
} else {
echo "No db_fileplayers row found for {$name}; skipping.\n";
}
}
echo "Done. Updated {$updated} row(s).\n";
exit(0);
} catch (Throwable $e) {
// Best-effort logging
if (class_exists('VLogger')) {
$logger = VLogger::getInstance();
$logger->log(VLogger::ERROR, 'JW branding migration failed', ['error' => $e->getMessage()]);
}
fwrite(STDERR, 'Error: ' . $e->getMessage() . "\n");
exit(1);
}

8
run-cd-once.bat Normal file
View File

@@ -0,0 +1,8 @@
@echo off
echo ========================================
echo EasyStream Continuous Delivery
echo One-Time Commit and Push
echo ========================================
echo.
powershell -ExecutionPolicy Bypass -NoProfile -File "%~dp0start-cd.ps1" once
pause

12
run-cd-timer.bat Normal file
View File

@@ -0,0 +1,12 @@
@echo off
echo ========================================
echo EasyStream Continuous Delivery
echo Timer Mode (Every 5 Minutes)
echo ========================================
echo.
echo Starting timer-based auto-commit...
echo Will check for changes every 5 minutes
echo Press Ctrl+C to stop
echo.
powershell -ExecutionPolicy Bypass -NoProfile -File "%~dp0start-cd.ps1" start
pause

12
run-cd-watch.bat Normal file
View File

@@ -0,0 +1,12 @@
@echo off
echo ========================================
echo EasyStream Continuous Delivery
echo File Watcher Mode
echo ========================================
echo.
echo Starting file watcher...
echo Changes will auto-commit and push to GitHub
echo Press Ctrl+C to stop
echo.
powershell -ExecutionPolicy Bypass -NoProfile -File "%~dp0start-cd.ps1" watch
pause

50
sync-to-docker-progs.bat Normal file
View File

@@ -0,0 +1,50 @@
@echo off
REM ============================================================================
REM EasyStream - Folder Sync Batch Wrapper
REM ============================================================================
REM This batch file runs the PowerShell sync script
REM
REM Usage:
REM sync-to-docker-progs.bat - One-time sync
REM sync-to-docker-progs.bat watch - Continuous monitoring
REM sync-to-docker-progs.bat verbose - Detailed output
REM ============================================================================
setlocal
set SCRIPT_DIR=%~dp0
set PS_SCRIPT=%SCRIPT_DIR%sync-to-docker-progs.ps1
REM Check if PowerShell script exists
if not exist "%PS_SCRIPT%" (
echo ERROR: PowerShell script not found: %PS_SCRIPT%
pause
exit /b 1
)
REM Parse arguments
set ARGS=
if /i "%1"=="watch" set ARGS=-Watch
if /i "%1"=="verbose" set ARGS=-Verbose
if /i "%1"=="dryrun" set ARGS=-DryRun
if /i "%1"=="-w" set ARGS=-Watch
if /i "%1"=="-v" set ARGS=-Verbose
REM Run PowerShell script
echo Starting EasyStream folder sync...
echo.
powershell -ExecutionPolicy Bypass -File "%PS_SCRIPT%" %ARGS%
if errorlevel 1 (
echo.
echo ERROR: Sync failed!
pause
exit /b 1
)
echo.
echo Sync completed successfully!
if not "%1"=="watch" if not "%1"=="-w" pause
endlocal

2
templates.php
View File

@@ -10,7 +10,7 @@ require_once dirname(__FILE__) . '/f_core/config.core.php';
// Check if user is logged in
if (!isset($_SESSION['USER_ID']) || $_SESSION['USER_ID'] <= 0) {
header('Location: /signin.php?redirect=' . urlencode($_SERVER['REQUEST_URI']));
header('Location: /signin?redirect=' . urlencode($_SERVER['REQUEST_URI']));
exit;
}

2
upload.php
View File

@@ -4,7 +4,7 @@ include_once 'f_core/config.core.php';
// Check if user is logged in
if (!isset($_SESSION['usr_id'])) {
header('Location: signin.php');
header('Location: /signin');
exit;
}