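'admin',
    // NOTE(review): bcrypt is recomputed on every request (slow by design) and "admin123" is a
    // well-known default. Replace the literal with a pre-computed hash before deployment.
    'admin_password' => password_hash('admin123', PASSWORD_BCRYPT), // Change this!

    // API keys (one per APK build). Compared with hash_equals() below, so keep them plain strings.
    'api_keys' => [
        'myapp_v1_secret_key_2024', // APK 1
        'myapp_v2_secret_key_2024', // APK 2
        'myapp_v3_secret_key_2024', // APK 3
    ],

    // IP whitelist (empty = every IP allowed)
    'allowed_ips' => [],

    // Rate limiting
    'rate_limit' => [
        'enabled'        => true,
        'max_requests'   => 60,   // per minute
        'block_duration' => 3600, // 1 hour ban
    ],

    // Token lifetime (hours)
    'token_expiry' => 24,
];

// ==========================================
// START SESSION
// ==========================================
// Harden the session cookie before the session is created (the admin login below relies on it).
ini_set('session.use_strict_mode', '1');   // refuse attacker-supplied, uninitialised session ids
ini_set('session.cookie_httponly', '1');   // keep the cookie away from script access
ini_set('session.cookie_samesite', 'Lax'); // ignored on PHP < 7.3, harmless there
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// ==========================================
// RATE LIMIT CHECK
// ==========================================
/**
 * Per-IP request limiter persisted in rate_limit.json.
 *
 * Returns true when the request may proceed, false when $ip is currently blocked or has just
 * exceeded max_requests inside the current 60 s window. A block lasts block_duration seconds;
 * once it has lapsed (and the window is older than 60 s) the counter starts over.
 */
function checkRateLimit(string $ip): bool
{
    global $SECURITY_CONFIG;

    if (!$SECURITY_CONFIG['rate_limit']['enabled']) {
        return true;
    }

    // NOTE(review): this file is created next to the script, i.e. inside the document root
    // unless the server denies *.json -- consider moving it outside the web root.
    $logFile       = 'rate_limit.json';
    $maxRequests   = (int) $SECURITY_CONFIG['rate_limit']['max_requests'];
    $blockDuration = (int) $SECURITY_CONFIG['rate_limit']['block_duration'];
    $now           = time();

    // A missing or corrupt file must not silently disable limiting: fall back to an empty table
    // (the original let json_decode() hand back null here).
    $data = [];
    if (file_exists($logFile)) {
        $decoded = json_decode((string) file_get_contents($logFile), true);
        if (is_array($decoded)) {
            $data = $decoded;
        }
    }

    // Still inside an earlier block?
    if (isset($data[$ip]['blocked_until']) && $now < (int) $data[$ip]['blocked_until']) {
        return false;
    }

    $allowed = true;
    if (!isset($data[$ip]['last_reset']) || $now - (int) $data[$ip]['last_reset'] > 60) {
        // First request from this IP, or the minute window has elapsed: open a new window.
        $data[$ip] = ['count' => 1, 'last_reset' => $now, 'blocked_until' => null];
    } else {
        $data[$ip]['count'] = (int) ($data[$ip]['count'] ?? 0) + 1;
        if ($data[$ip]['count'] > $maxRequests) {
            $data[$ip]['blocked_until'] = $now + $blockDuration;
            $allowed = false;
        }
    }

    // LOCK_EX so concurrent requests do not interleave partial writes and corrupt the file.
    // (The read above is unlocked, so heavy concurrency can still undercount -- best effort.)
    file_put_contents($logFile, json_encode($data), LOCK_EX);

    return $allowed;
}

// ==========================================
// API KEY CHECK
// ==========================================
/**
 * Strict, constant-time check of $key against the configured API keys.
 *
 * Non-string input is rejected outright. The previous loose in_array() accepted a JSON `true`
 * (as produced by a hand-crafted token payload) as equal to any non-empty key string.
 */
function validateApiKey($key): bool
{
    global $SECURITY_CONFIG;

    if (!is_string($key) || $key === '') {
        return false;
    }

    $matched = false;
    foreach ($SECURITY_CONFIG['api_keys'] as $candidate) {
        // Walk the whole list so response time does not reveal which key (if any) matched.
        if (is_string($candidate) && hash_equals($candidate, $key)) {
            $matched = true;
        }
    }
    return $matched;
}

// ==========================================
// CREATE TOKEN
// ==========================================
/**
 * Issue a bearer token for an already-validated API key.
 *
 * The token itself is base64(JSON) with no signature, so its payload is forgeable; what makes
 * it trustworthy is the server-side record written to tokens/<md5(token)>.json, which
 * validateToken() requires. Storing the record is therefore mandatory, not optional.
 *
 * @throws RuntimeException when the token record cannot be written
 */
function generateToken(string $api_key): string
{
    global $SECURITY_CONFIG;

    $issuedAt  = time();
    $tokenData = [
        'api_key'    => $api_key,
        'issued_at'  => $issuedAt,
        'expires_at' => $issuedAt + ((int) $SECURITY_CONFIG['token_expiry'] * 3600),
        'random'     => bin2hex(random_bytes(16)), // 128 bits of CSPRNG entropy: unguessable token
    ];

    $encoded = json_encode($tokenData);
    if ($encoded === false) {
        throw new RuntimeException('Cannot encode token');
    }
    $token = base64_encode($encoded);

    // NOTE(review): tokens/ is created next to the script, i.e. inside the document root;
    // deny HTTP access to it (or move it out) so issued tokens cannot be listed.
    $tokenDir = 'tokens';
    if (!is_dir($tokenDir) && !@mkdir($tokenDir, 0700, true) && !is_dir($tokenDir)) {
        throw new RuntimeException('Cannot create token store');
    }

    // md5() is only a filename derivation here (hex output = safe path component); it is not
    // load-bearing for security, the random field above is.
    $tokenFile = $tokenDir . '/' . md5($token) . '.json';
    if (@file_put_contents($tokenFile, $encoded, LOCK_EX) === false) {
        throw new RuntimeException('Cannot persist token');
    }

    return $token;
}

// ==========================================
// VALIDATE TOKEN
// ==========================================
/**
 * Validate a bearer token issued by generateToken().
 *
 * The client-presented payload is only sanity-checked; expiry and api_key are read from the
 * server-side record located via md5($token), so an edited or invented base64 payload is
 * rejected unless those exact bytes were issued by this server.
 */
function validateToken($token): bool
{
    if (!is_string($token) || $token === '') {
        return false;
    }

    // Strict base64: anything outside the alphabet is rejected instead of silently skipped.
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return false;
    }
    $claimed = json_decode($raw, true);
    if (!is_array($claimed) || !isset($claimed['expires_at'], $claimed['api_key'])) {
        return false;
    }

    // Record written by generateToken(); without it the token was never issued by us.
    $tokenFile = 'tokens/' . md5($token) . '.json';
    if (!is_file($tokenFile)) {
        return false;
    }
    $stored = json_decode((string) file_get_contents($tokenFile), true);
    if (!is_array($stored) || !isset($stored['expires_at'], $stored['api_key'])) {
        return false;
    }

    if (time() > (int) $stored['expires_at']) {
        return false;
    }

    // The key may have been rotated out of the config since issuance.
    return validateApiKey($stored['api_key']);
}

// ==========================================
// IP CHECK
// ==========================================
// REMOTE_ADDR is the socket peer, deliberately not X-Forwarded-For (client-controlled).
// Behind a reverse proxy this is the proxy's address, so whitelist and rate limit apply to it.
$client_ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!empty($SECURITY_CONFIG['allowed_ips']) && !in_array($client_ip, $SECURITY_CONFIG['allowed_ips'], true)) {
    http_response_code(403);
    header('Content-Type: application/json');
    die(json_encode([
        'status'     => 'error',
        'error_code' => 'IP_BLOCKED',
        'message'    => 'Your IP is not whitelisted'
    ]));
}

// Rate limit check
if (!checkRateLimit($client_ip)) {
    http_response_code(429);
    header('Content-Type: application/json');
    header('Retry-After: ' . (int) $SECURITY_CONFIG['rate_limit']['block_duration']);
    die(json_encode([
        'status'      => 'error',
        'error_code'  => 'RATE_LIMIT_EXCEEDED',
        'message'     => 'Too many requests. Try again later.',
        'retry_after' => $SECURITY_CONFIG['rate_limit']['block_duration']
    ]));
}

// ==========================================
// ENDPOINT: LOGIN (Admin panel)
// ==========================================
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'login') {
    header('Content-Type: application/json');
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Evaluate both so a wrong username costs the same time as a wrong password.
    $userOk = is_string($username) && hash_equals((string) $SECURITY_CONFIG['admin_username'], $username);
    $passOk = is_string($password) && password_verify($password, $SECURITY_CONFIG['admin_password']);

    if ($userOk && $passOk) {
        // New session id on privilege change: a pre-set cookie cannot be reused (session fixation).
        session_regenerate_id(true);
        $_SESSION['admin_logged_in'] = true;
        $_SESSION['login_time'] = time();
        echo json_encode([
            'status'   => 'success',
            'message'  => 'Login successful',
            'redirect' => 'panel.php'
        ]);
    } else {
        sleep(2); // crude brute-force slowdown (ties up a worker); the per-IP limiter above is the real control
        echo json_encode([
            'status'  => 'error',
            'message' => 'Invalid credentials'
        ]);
    }
    exit;
}

// ==========================================
// ENDPOINT: GET TOKEN (for the APK)
// ==========================================
if (isset($_GET['action']) && $_GET['action'] === 'get_token') {
    header('Content-Type: application/json');
    // NOTE(review): a key in the query string ends up in access logs and proxies; prefer POST.
    // GET is kept for compatibility with existing APK builds.
    $api_key = $_GET['api_key'] ?? $_POST['api_key'] ?? '';
    if (!validateApiKey($api_key)) {
        http_response_code(401);
        echo json_encode([
            'status'     => 'error',
            'error_code' => 'INVALID_API_KEY',
            'message'    => 'Invalid API key'
        ]);
        exit;
    }

    try {
        $token = generateToken($api_key);
    } catch (RuntimeException $e) {
        // A token whose record was not stored would never validate; fail loudly instead.
        http_response_code(500);
        echo json_encode([
            'status'     => 'error',
            'error_code' => 'TOKEN_STORE_ERROR',
            'message'    => 'Could not issue token'
        ]);
        exit;
    }

    echo json_encode([
        'status'     => 'success',
        'token'      => $token,
        'expires_in' => $SECURITY_CONFIG['token_expiry'] * 3600,
        'issued_at'  => time()
    ]);
    exit;
}

// ==========================================
// ENDPOINT: GET CONFIG (main API)
// ==========================================
if (isset($_GET['action']) && $_GET['action'] === 'get_config') {
    header('Content-Type: application/json');

    // Token from ?token= or "Authorization: Bearer <token>".
    // (HTTP_AUTHORIZATION is only present when the web server forwards the header -- verify for your SAPI.)
    $token = $_GET['token'] ?? $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (!is_string($token)) {
        $token = '';
    }
    // Strip one leading "Bearer " scheme only (the old str_replace removed it anywhere in the string).
    $token = (string) preg_replace('/^Bearer\s+/i', '', trim($token));
    // A client that did not URL-encode "+" in the base64 token gets it back as a space; undo that
    // (base64 never legitimately contains spaces) so the record lookup hits the issued bytes.
    $token = str_replace(' ', '+', $token);

    if (!validateToken($token)) {
        http_response_code(401);
        echo json_encode([
            'status'     => 'error',
            'error_code' => 'INVALID_TOKEN',
            'message'    => 'Invalid or expired token'
        ]);
        exit;
    }

    // ==========================================
    // CONFIG (returned only with a valid token)
    // ==========================================
    require_once 'config.php';
    // NOTE(review): the literal below is what is actually returned; anything config.php
    // defines under the same name is overwritten here -- confirm that is intended.
    // Portal URLs are plain http://, so the player fetches them unencrypted.
    $config = [
        'app' => [
            'name'        => 'MAGTV Android Player',
            'customer_id' => 'v2000',
            'expiry'      => 'LIFETIME',
            'version'     => '7.0',
        ],
        'portals' => [
            [
                'id'   => 1,
                'name' => 'GİRİŞ 1',
                'url'  => 'http://hdd.inoon.uk',
                'port' => '8080',
            ],
            [
                'id'   => 2,
                'name' => 'GİRİŞ 2',
                'url'  => 'http://hdd.inoon.uk',
                'port' => '8080',
            ],
            [
                'id'   => 3,
                'name' => 'GİRİŞ 3',
                'url'  => 'http://imagson.site',
                'port' => '8080',
            ],
        ],
    ];

    echo json_encode([
        'status'    => 'success',
        'data'      => $config,
        'timestamp' => time()
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
    exit;
}

// ==========================================
// ADMIN PANEL ACCESS CHECK
// ==========================================
// The authenticated-session check is now performed at the top of panel.php.

// ==========================================
// DEFAULT: API documentation
// ==========================================
if (!isset($_GET['action'])) {
    header('Content-Type: application/json');
    // HTTP_HOST comes from the client's Host header; it is only echoed inside a JSON string here.
    echo json_encode([
        'name'     => 'XC IPTV Secured API',
        'version'  => '2.0',
        'status'   => 'online',
        'security' => 'enabled',
        'endpoints' => [
            'POST /api.php?action=login'                      => 'Admin login',
            'GET /api.php?action=get_token&api_key=YOUR_KEY'  => 'Get access token',
            'GET /api.php?action=get_config&token=YOUR_TOKEN' => 'Get portal config',
        ],
        'documentation' => 'https://' . ($_SERVER['HTTP_HOST'] ?? 'localhost') . '/docs'
    ], JSON_PRETTY_PRINT);
}
?>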