diff --git a/api.php b/api.php
index 17a307a..5b09efa 100644
--- a/api.php
+++ b/api.php
@@ -4,114 +4,70 @@ header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS"); header("Access-Control-Allow-Headers: Content-Type, Authorization"); -if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') { - http_response_code(200); - exit; -} +if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') exit; define('ENCRYPTION_KEY', 'MaCleSecreteSuperRobuste123!'); -$host = 'localhost'; -$db = 'mon_cinema'; -$user = 'root'; -$pass = ''; -$charset = 'utf8mb4'; -$dsn = "mysql:host=$host;dbname=$db;charset=$charset"; - -try { - $pdo = new PDO($dsn, $user, $pass, [ - PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, - PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, - PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8mb4 COLLATE utf8mb4_unicode_ci" - ]); -} catch (\PDOException $e) { - echo json_encode(["error" => "Erreur BDD : " . $e->getMessage()]); - exit; -} - -function encryptData($data) { - $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); - $encrypted = openssl_encrypt($data, 'aes-256-cbc', ENCRYPTION_KEY, 0, $iv); - return base64_encode($encrypted . '::' . $iv); -} - -function decryptData($data) { - if (!$data) return ''; - $decoded = base64_decode($data); - if (strpos($decoded, '::') === false) return ''; - list($encrypted_data, $iv) = explode('::', $decoded, 2); - return openssl_decrypt($encrypted_data, 'aes-256-cbc', ENCRYPTION_KEY, 0, $iv); -} - -function makeStableId($title, $year) { - $key = strtolower(trim($title)) . '|' . 
trim($year); - return (abs(crc32($key)) % 2000000000) + 100000000; -} - -function makeNewIdSafe() { - return (abs(crc32(uniqid('', true))) % 2000000000) + 100000000; -} - -function convertRating($rawRating) { - return max(1, min(5, (int)round(floatval($rawRating)))); -} +$pdo = new PDO("mysql:host=localhost;dbname=mon_cinema;charset=utf8mb4", "root", "", [ + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, + PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC +]); function checkAuth($pdo) { - $stmtCheck = $pdo->query("SELECT COUNT(*) as total FROM users"); - if ($stmtCheck->fetch()['total'] == 0) return true; - + $stmt = $pdo->query("SELECT COUNT(*) FROM users"); + if ($stmt->fetchColumn() == 0) return; $token = $_SERVER['HTTP_AUTHORIZATION'] ?? ''; - if (empty($token) && function_exists('apache_request_headers')) { - $headers = apache_request_headers(); - $token = $headers['Authorization'] ?? ''; - } - if ($token !== md5(ENCRYPTION_KEY . 'session')) { http_response_code(403); - echo json_encode(["error" => "Accès interdit."]); + echo json_encode(["error" => "Non autorisé"]); exit; } } -$method = $_SERVER['REQUEST_METHOD']; $action = $_GET['action'] ?? ''; +$data = json_decode(file_get_contents('php://input'), true) ?? 
[]; -switch ($method) { - case 'GET': - if ($action === 'get_films') { - $critiques = $pdo->query("SELECT *, 'critique' AS type FROM critiques ORDER BY created_at DESC")->fetchAll(); - $videotheque = $pdo->query("SELECT *, 'videotheque' AS type FROM videotheque ORDER BY created_at DESC")->fetchAll(); - echo json_encode(array_merge($critiques, $videotheque), JSON_UNESCAPED_UNICODE); - } elseif ($action === 'check_security_status') { - $stmt = $pdo->query("SELECT COUNT(*) as total FROM users"); - echo json_encode(["is_blank" => ($stmt->fetch()['total'] == 0)]); +switch ($action) { + case 'get_films': + $crit = $pdo->query("SELECT *, 'critique' AS type FROM critiques")->fetchAll(); + $video = $pdo->query("SELECT *, 'videotheque' AS type FROM videotheque")->fetchAll(); + echo json_encode(array_merge($crit, $video)); + break; + + case 'login': + $stmt = $pdo->query("SELECT COUNT(*) FROM users"); + if ($stmt->fetchColumn() == 0) { + echo json_encode(["success" => true, "token" => md5(ENCRYPTION_KEY . 'session'), "blank" => true]); + } else { + $stmt = $pdo->prepare("SELECT password_hash FROM users WHERE username = 'admin'"); + $stmt->execute(); + $user = $stmt->fetch(); + if ($user && password_verify($data['password'] ?? '', $user['password_hash'])) { + echo json_encode(["success" => true, "token" => md5(ENCRYPTION_KEY . 'session'), "blank" => false]); + } else { + http_response_code(401); + echo json_encode(["error" => "Erreur"]); + } } break; - case 'POST': - $data = json_decode(file_get_contents('php://input'), true) ?? []; - - if ($action === 'login') { - $stmt = $pdo->query("SELECT COUNT(*) as total FROM users"); - if ($stmt->fetch()['total'] == 0) { - echo json_encode(["success" => true, "token" => md5(ENCRYPTION_KEY . 'session'), "blank" => true]); - } else { - $stmt = $pdo->prepare("SELECT password_hash FROM users WHERE username = 'admin'"); - $stmt->execute(); - $user = $stmt->fetch(); - if ($user && password_verify($data['password'] ?? 
'', $user['password_hash'])) { - echo json_encode(["success" => true, "token" => md5(ENCRYPTION_KEY . 'session'), "blank" => false]); - } else { - http_response_code(401); - echo json_encode(["error" => "Mot de passe incorrect."]); - } - } - } elseif ($action === 'setup_admin' || $action === 'update_password') { - checkAuth($pdo); - $pwd = $data['password'] ?? $data['new_password'] ?? ''; - $stmt = $pdo->prepare("REPLACE INTO users (id, username, password_hash) VALUES (1, 'admin', :pass)"); - $stmt->execute([':pass' => password_hash($pwd, PASSWORD_BCRYPT)]); + case 'bulk_delete': + checkAuth($pdo); + $ids = $data['ids'] ?? []; + $table = ($data['type'] === 'videotheque') ? 'videotheque' : 'critiques'; + if (!empty($ids)) { + $placeholders = implode(',', array_fill(0, count($ids), '?')); + $stmt = $pdo->prepare("DELETE FROM $table WHERE id IN ($placeholders)"); + $stmt->execute($ids); echo json_encode(["success" => true]); } break; + + case 'delete_film': + checkAuth($pdo); + $table = ($_GET['type'] === 'videotheque') ? 'videotheque' : 'critiques'; + $stmt = $pdo->prepare("DELETE FROM $table WHERE id = ?"); + $stmt->execute([$_GET['id']]); + echo json_encode(["success" => true]); + break; } \ No newline at end of file
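Review bot: The credential that checkAuth accepts, and that both branches of `login` hand out, is still the constant `md5(ENCRYPTION_KEY . 'session')` with ENCRYPTION_KEY a literal in this file, so anyone who has read the source (this commit included) can forge the Authorization header for the new `bulk_delete` and `delete_film` branches without knowing the admin password, and the token can never expire or be revoked. Issue a random per-login token instead (`bin2hex(random_bytes(32))`), keep its hash server-side with an expiry, and compare with `hash_equals()` rather than `!==` so the check is not timing-dependent. The new delete branches also take their inputs unvalidated: `bulk_delete` passes `$data['ids']` straight to `count()`/`execute()`, where a non-array JSON value throws a TypeError on PHP 8, and `delete_film` reads `$_GET['id']` with no presence check, producing a warning and `DELETE ... WHERE id = NULL`; guard with `if (!is_array($ids)) { http_response_code(400); exit; }` and `$id = $_GET['id'] ?? null; if ($id === null) { http_response_code(400); exit; }`. Because the switch now dispatches on `$action` alone and never consults `$_SERVER['REQUEST_METHOD']`, all three actions, including the deletes, are reachable over GET, which the old `case 'POST'` gate prevented. Finally, the hunk drops the `setup_admin`/`update_password` actions while checkAuth still returns early whenever `users` is empty, so unless the admin row is created elsewhere the deletes stay unauthenticated on a fresh install.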