Initial commit with security patches

This commit is contained in:
mstfyldz
2026-02-22 17:08:48 +03:00
commit b44389a0a2
13 changed files with 1619 additions and 0 deletions

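--- a/api_secured.php
+++ b/api_secured.php
@@ -0,0 +1,329 @@
+<?php
+/**
+* XC IPTV Secured API with Authentication
+* Multi-Layer Security System
+*/
+// ==========================================
+// GÜVENLİK AYARLARI
+// ==========================================
+$SECURITY_CONFIG = [
+// Admin Login
+'admin_username' => 'admin',
+'admin_password' => password_hash('admin123', PASSWORD_BCRYPT), // Değiştir!
+// API Keys (Her APK için farklı key)
+'api_keys' => [
+'myapp_v1_secret_key_2024', // APK 1
+'myapp_v2_secret_key_2024', // APK 2
+'myapp_v3_secret_key_2024', // APK 3
+],
+// IP Whitelist (Boş = tüm IP'ler)
+'allowed_ips' => [],
+// Rate Limiting
+'rate_limit' => [
+'enabled' => true,
+'max_requests' => 60, // dakika başına
+'block_duration' => 3600, // 1 saat ban
+],
+// Token Expiry (saat cinsinden)
+'token_expiry' => 24,
+];
+// ==========================================
+// SESSION BAŞLAT
+// ==========================================
+session_start();
+// ==========================================
+// RATE LIMIT KONTROLÜ
+// ==========================================
+function checkRateLimit($ip) {
+global $SECURITY_CONFIG;
+if (!$SECURITY_CONFIG['rate_limit']['enabled']) {
+return true;
+}
+$log_file = 'rate_limit.json';
+$max_requests = $SECURITY_CONFIG['rate_limit']['max_requests'];
+$block_duration = $SECURITY_CONFIG['rate_limit']['block_duration'];
+// Load log
+$data = file_exists($log_file) ? json_decode(file_get_contents($log_file), true) : [];
+// Check if IP is blocked
+if (isset($data[$ip]['blocked_until']) && time() < $data[$ip]['blocked_until']) {
+return false;
+}
+// Initialize or reset counter
+if (!isset($data[$ip]) || time() - $data[$ip]['last_reset'] > 60) {
+$data[$ip] = [
+'count' => 1,
+'last_reset' => time(),
+'blocked_until' => null
+];
+} else {
+$data[$ip]['count']++;
+// Block if exceeded
+if ($data[$ip]['count'] > $max_requests) {
+$data[$ip]['blocked_until'] = time() + $block_duration;
+file_put_contents($log_file, json_encode($data));
+return false;
+}
+}
+file_put_contents($log_file, json_encode($data));
+return true;
+}
+// ==========================================
+// API KEY KONTROLÜ
+// ==========================================
+function validateApiKey($key) {
+global $SECURITY_CONFIG;
+return in_array($key, $SECURITY_CONFIG['api_keys']);
+}
+// ==========================================
+// TOKEN OLUŞTUR
+// ==========================================
+function generateToken($api_key) {
+global $SECURITY_CONFIG;
+$token_data = [
+'api_key' => $api_key,
+'issued_at' => time(),
+'expires_at' => time() + ($SECURITY_CONFIG['token_expiry'] * 3600),
+'random' => bin2hex(random_bytes(16))
+];
+// Token'ı encode et
+$token = base64_encode(json_encode($token_data));
+// Token'ı kaydet (opsiyonel)
+$token_file = 'tokens/' . md5($token) . '.json';
+@mkdir('tokens', 0755, true);
+@file_put_contents($token_file, json_encode($token_data));
+return $token;
+}
+// ==========================================
+// TOKEN DOĞRULA
+// ==========================================
+function validateToken($token) {
+if (empty($token)) return false;
+try {
+$token_data = json_decode(base64_decode($token), true);
+if (!$token_data || !isset($token_data['expires_at'])) {
+return false;
+}
+// Expire check
+if (time() > $token_data['expires_at']) {
+return false;
+}
+// API key check
+if (!validateApiKey($token_data['api_key'])) {
+return false;
+}
+return true;
+} catch (Exception $e) {
+return false;
+}
+}
+// ==========================================
+// IP KONTROL
+// ==========================================
+$client_ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+if (!empty($SECURITY_CONFIG['allowed_ips']) && !in_array($client_ip, $SECURITY_CONFIG['allowed_ips'])) {
+http_response_code(403);
+die(json_encode([
+'status' => 'error',
+'error_code' => 'IP_BLOCKED',
+'message' => 'Your IP is not whitelisted'
+]));
+}
+// Rate limit check
+if (!checkRateLimit($client_ip)) {
+http_response_code(429);
+die(json_encode([
+'status' => 'error',
+'error_code' => 'RATE_LIMIT_EXCEEDED',
+'message' => 'Too many requests. Try again later.',
+'retry_after' => $SECURITY_CONFIG['rate_limit']['block_duration']
+]));
+}
+// ==========================================
+// ENDPOINT: LOGIN (Admin Panel)
+// ==========================================
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'login') {
+header('Content-Type: application/json');
+$username = $_POST['username'] ?? '';
+$password = $_POST['password'] ?? '';
+if ($username === $SECURITY_CONFIG['admin_username'] &&
+password_verify($password, $SECURITY_CONFIG['admin_password'])) {
+$_SESSION['admin_logged_in'] = true;
+$_SESSION['login_time'] = time();
+echo json_encode([
+'status' => 'success',
+'message' => 'Login successful',
+'redirect' => 'panel.php'
+]);
+} else {
+sleep(2); // Brute force protection
+echo json_encode([
+'status' => 'error',
+'message' => 'Invalid credentials'
+]);
+}
+exit;
+}
+// ==========================================
+// ENDPOINT: GET TOKEN (APK için)
+// ==========================================
+if (isset($_GET['action']) && $_GET['action'] === 'get_token') {
+header('Content-Type: application/json');
+$api_key = $_GET['api_key'] ?? $_POST['api_key'] ?? '';
+if (!validateApiKey($api_key)) {
+http_response_code(401);
+echo json_encode([
+'status' => 'error',
+'error_code' => 'INVALID_API_KEY',
+'message' => 'Invalid API key'
+]);
+exit;
+}
+$token = generateToken($api_key);
+echo json_encode([
+'status' => 'success',
+'token' => $token,
+'expires_in' => $SECURITY_CONFIG['token_expiry'] * 3600,
+'issued_at' => time()
+]);
+exit;
+}
+// ==========================================
+// ENDPOINT: GET CONFIG (Ana API)
+// ==========================================
+if (isset($_GET['action']) && $_GET['action'] === 'get_config') {
+header('Content-Type: application/json');
+// Token kontrolü
+$token = $_GET['token'] ?? $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+$token = str_replace('Bearer ', '', $token);
+if (!validateToken($token)) {
+http_response_code(401);
+echo json_encode([
+'status' => 'error',
+'error_code' => 'INVALID_TOKEN',
+'message' => 'Invalid or expired token'
+]);
+exit;
+}
+// ==========================================
+// CONFIG (Token geçerli ise döndür)
+// ==========================================
+require_once 'config.php';
+$config = [
+'app' => [
+'name' => 'MAGTV Android Player',
+'customer_id' => 'v2000',
+'expiry' => 'LIFETIME',
+'version' => '7.0',
+],
+'portals' => [
+[
+'id' => 1,
+'name' => 'GİRİŞ 1',
+'url' => 'http://hdd.inoon.uk',
+'port' => '8080',
+],
+[
+'id' => 2,
+'name' => 'GİRİŞ 2',
+'url' => 'http://hdd.inoon.uk',
+'port' => '8080',
+],
+[
+'id' => 3,
+'name' => 'GİRİŞ 3',
+'url' => 'http://imagson.site',
+'port' => '8080',
+],
+],
+];
+echo json_encode([
+'status' => 'success',
+'data' => $config,
+'timestamp' => time()
+], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+exit;
+}
+// ==========================================
+// ADMIN PANEL ACCESS CHECK
+// ==========================================
+// Güvenli oturum kontrolü artık panel.php'nin en üstünde yapılmaktadır.
+// ==========================================
+// DEFAULT: API Dökümantasyonu
+// ==========================================
+if (!isset($_GET['action'])) {
+header('Content-Type: application/json');
+echo json_encode([
+'name' => 'XC IPTV Secured API',
+'version' => '2.0',
+'status' => 'online',
+'security' => 'enabled',
+'endpoints' => [
+'POST /api.php?action=login' => 'Admin login',
+'GET /api.php?action=get_token&api_key=YOUR_KEY' => 'Get access token',
+'GET /api.php?action=get_config&token=YOUR_TOKEN' => 'Get portal config',
+],
+'documentation' => 'https://docs.yourdomain.com'
+], JSON_PRETTY_PRINT);
+}
+?>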
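Review bot: validateToken trusts the client-supplied payload wholesale — the token is plain base64 of JSON with no MAC, so `expires_at` is whatever the caller encodes, and validateApiKey's non-strict `in_array` lets a non-string `api_key` decoded from that JSON (a JSON `true`, for instance) compare loosely equal to a configured key and pass the check. The copy written under `tokens/` in generateToken is never read back, so it enforces neither expiry nor revocation, and like `rate_limit.json` it is created beside the script where it is presumably web-readable; keep both outside the document root. The rewrite below appends an HMAC computed with a server-side secret and verifies it with `hash_equals` before decoding, and makes validateApiKey require a string and use `in_array(..., true)`; this changes the token format, so existing tokens stop validating. The hunk header announces 329 lines while fewer are visible here, so blank lines appear to have been dropped in rendering.
```php
// … unchanged: $SECURITY_CONFIG, with one added entry:
//   'token_secret' => '<PLACEHOLDER: random secret of 32+ bytes, loaded from outside the repo>',

function validateApiKey($key) {
    global $SECURITY_CONFIG;
    // Loose in_array() lets non-string values match a key; require a string and strict comparison.
    return is_string($key) && in_array($key, $SECURITY_CONFIG['api_keys'], true);
}

function generateToken($api_key) {
    global $SECURITY_CONFIG;
    // … unchanged: $token_data construction …
    $payload = base64_encode(json_encode($token_data));
    // The MAC binds expires_at and api_key so the client cannot alter them.
    $mac = hash_hmac('sha256', $payload, $SECURITY_CONFIG['token_secret']);
    // … unchanged: optional save under tokens/ …
    return $payload . '.' . $mac;
}

function validateToken($token) {
    global $SECURITY_CONFIG;
    if (!is_string($token) || $token === '') return false;
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) return false;
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $SECURITY_CONFIG['token_secret']);
    // Constant-time comparison; reject before decoding any attacker-controlled JSON.
    if (!hash_equals($expected, $mac)) return false;
    $token_data = json_decode(base64_decode($payload, true), true);
    if (!is_array($token_data) || !isset($token_data['expires_at'], $token_data['api_key'])) return false;
    // … unchanged: expiry check and validateApiKey() check …
}
```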