<?php
/**
* XC IPTV Secured API with Authentication
* Multi-Layer Security System
*/
// ==========================================
// GÜVENLİK AYARLARI
// ==========================================
$SECURITY_CONFIG = [
// Admin login for the panel.
// NOTE(review): the plaintext password sits in source, and password_hash()
// (bcrypt) is re-run on every request to this file, authenticated or not;
// a precomputed hash loaded from outside the web root avoids both.
'admin_username' => 'admin',
'admin_password' => password_hash('admin123', PASSWORD_BCRYPT), // Change this!
// API keys (a different key per APK build). Any key listed here can mint
// tokens through ?action=get_token.
'api_keys' => [
'myapp_v1_secret_key_2024', // APK 1
'myapp_v2_secret_key_2024', // APK 2
'myapp_v3_secret_key_2024', // APK 3
],
// IP whitelist (empty = all IPs allowed); matched against REMOTE_ADDR below.
'allowed_ips' => [],
// Rate limiting, enforced per REMOTE_ADDR by checkRateLimit()
'rate_limit' => [
'enabled' => true,
'max_requests' => 60, // per minute
'block_duration' => 3600, // 1-hour ban, in seconds
],
// Token lifetime, in hours (multiplied by 3600 where tokens are issued)
'token_expiry' => 24,
];
// ==========================================
// SESSION BAŞLAT
// ==========================================
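// Session hardening, applied before the session starts: the admin login
// below keeps its state in $_SESSION, so once login succeeds this cookie
// is the admin credential.
//  - use_strict_mode: ignore session IDs the server never issued, so a
//    cookie planted before login cannot be adopted (fixation).
//  - cookie_httponly: keep the ID out of reach of page scripts.
//  - cookie_samesite: do not send the cookie on cross-site requests.
//  - cookie_secure: only when this request itself arrived over TLS, so a
//    plain-HTTP deployment keeps working.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}
session_start();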
// ==========================================
// RATE LIMIT KONTROLÜ
// ==========================================
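/**
 * Fixed-window rate limiter keyed by client IP.
 *
 * Counts requests per IP in one-minute windows; once the count passes
 * rate_limit.max_requests the IP is blocked for rate_limit.block_duration
 * seconds. State lives in rate_limit.json next to this script.
 *
 * NOTE(review): the read-modify-write is not atomic (only the write is
 * locked), so two overlapping requests can each see the same count and the
 * limiter may undercount slightly under load. If the directory is
 * web-served, rate_limit.json (a list of client IPs) is downloadable.
 *
 * @param string $ip Client address (REMOTE_ADDR, or 'unknown').
 * @return bool true if the request may proceed, false if the IP is blocked.
 */
function checkRateLimit($ip) {
    global $SECURITY_CONFIG;
    if (!$SECURITY_CONFIG['rate_limit']['enabled']) {
        return true;
    }
    $log_file = 'rate_limit.json';
    $max_requests = $SECURITY_CONFIG['rate_limit']['max_requests'];
    $block_duration = $SECURITY_CONFIG['rate_limit']['block_duration'];
    $now = time();

    // Load state. A missing, truncated or half-written file decodes to
    // null/false; treat that as "no state" instead of indexing into it.
    $data = [];
    if (is_file($log_file)) {
        $decoded = json_decode((string) file_get_contents($log_file), true);
        if (is_array($decoded)) {
            $data = $decoded;
        }
    }

    // Still inside an active block?
    if (isset($data[$ip]['blocked_until']) && $now < $data[$ip]['blocked_until']) {
        return false;
    }

    // Drop entries that are neither blocked nor in a live window. They would
    // be reset on their next request anyway, and without this the file grows
    // by one record per distinct IP forever (and is re-parsed on every hit).
    foreach ($data as $seen_ip => $entry) {
        $blocked_until = is_array($entry) ? ($entry['blocked_until'] ?? null) : null;
        $last_reset = is_array($entry) ? ($entry['last_reset'] ?? 0) : 0;
        if (($blocked_until === null || $now >= $blocked_until) && $now - $last_reset > 60) {
            unset($data[$seen_ip]);
        }
    }

    // Start a fresh one-minute window, or count within the current one.
    $blocked = false;
    if (!isset($data[$ip]['last_reset']) || $now - $data[$ip]['last_reset'] > 60) {
        $data[$ip] = [
            'count' => 1,
            'last_reset' => $now,
            'blocked_until' => null,
        ];
    } else {
        $data[$ip]['count'] = ($data[$ip]['count'] ?? 0) + 1;
        if ($data[$ip]['count'] > $max_requests) {
            $data[$ip]['blocked_until'] = $now + $block_duration;
            $blocked = true;
        }
    }

    // LOCK_EX serialises concurrent writers so two requests cannot
    // interleave and leave a truncated JSON file behind.
    file_put_contents($log_file, json_encode($data), LOCK_EX);

    return !$blocked;
}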
// ==========================================
// API KEY KONTROLÜ
// ==========================================
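/**
 * Check whether $key is one of the configured API keys.
 *
 * Only strings are accepted. The key may come from JSON inside a token
 * (see validateToken), where a non-string such as `true` would pass a loose
 * in_array() comparison against any non-empty string key. Each candidate is
 * compared with hash_equals() so the time taken does not depend on how many
 * leading bytes matched.
 *
 * @param mixed $key Candidate API key (request parameter or token field).
 * @return bool
 */
function validateApiKey($key) {
    global $SECURITY_CONFIG;
    if (!is_string($key)) {
        return false;
    }
    foreach ($SECURITY_CONFIG['api_keys'] as $known_key) {
        if (is_string($known_key) && hash_equals($known_key, $key)) {
            return true;
        }
    }
    return false;
}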
// ==========================================
// TOKEN OLUŞTUR
// ==========================================
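/**
 * Issue an access token for a validated API key.
 *
 * The token is base64(JSON) of the fields below and carries no signature:
 * whoever holds it can read the API key back out of it, and validateToken()
 * checks only the fields the token itself contains. A copy is written to
 * tokens/<md5 of token>.json on a best-effort basis; the token is returned
 * even when that write is not possible.
 *
 * NOTE(review): the tokens/ directory is created next to this script; if
 * that path is web-served, every stored token (and the API key inside it)
 * is downloadable.
 *
 * @param string $api_key An API key that already passed validateApiKey().
 * @return string Opaque token for the get_config endpoint.
 */
function generateToken($api_key) {
    global $SECURITY_CONFIG;
    $now = time();
    $token_data = [
        'api_key' => $api_key,
        'issued_at' => $now,
        'expires_at' => $now + ($SECURITY_CONFIG['token_expiry'] * 3600),
        'random' => bin2hex(random_bytes(16)),
    ];
    $token = base64_encode(json_encode($token_data));

    // Persist a copy. Check before acting instead of @-suppressing, so a
    // genuinely unexpected failure still reaches the error log.
    $token_dir = 'tokens';
    if (!is_dir($token_dir) && is_writable('.')) {
        mkdir($token_dir, 0755, true);
    }
    if (is_dir($token_dir) && is_writable($token_dir)) {
        file_put_contents($token_dir . '/' . md5($token) . '.json', json_encode($token_data), LOCK_EX);
    }
    return $token;
}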
// ==========================================
// TOKEN DOĞRULA
// ==========================================
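/**
 * Check a token issued by generateToken().
 *
 * Accepts the token when it decodes to a JSON object whose 'expires_at' is
 * an integer still in the future and whose 'api_key' is a string that
 * validateApiKey() accepts. The type checks matter: the token is unsigned
 * base64(JSON), so every field is client-supplied.
 *
 * NOTE(review): because nothing is signed, anyone holding a valid API key
 * can mint a token with any expires_at. The tokens/ copies written by
 * generateToken() are never consulted here; that is where a server-side
 * issuance check could be added.
 *
 * @param mixed $token Raw token from the query string or Authorization header.
 * @return bool
 */
function validateToken($token) {
    if (!is_string($token) || $token === '') {
        return false;
    }
    try {
        $token_data = json_decode(base64_decode($token), true);
        if (!is_array($token_data)) {
            return false;
        }
        $expires_at = $token_data['expires_at'] ?? null;
        if (!is_int($expires_at) || time() > $expires_at) {
            return false;
        }
        // validateApiKey() rejects non-strings itself; the ?? keeps a token
        // without the field from emitting an undefined-index warning.
        return validateApiKey($token_data['api_key'] ?? null);
    } catch (Exception $e) {
        return false;
    }
}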
// ==========================================
// IP KONTROL
// ==========================================
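// IP whitelist and rate limit, applied to every request before routing.
// NOTE(review): REMOTE_ADDR is the TCP peer; behind a reverse proxy that is
// the proxy's address, so all clients would share one rate-limit bucket and
// the whitelist would see only the proxy — confirm the deployment.
$client_ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
// Strict comparison: $client_ip is a string, so a loosely-compared entry
// such as `true` in allowed_ips must not match every address.
if (!empty($SECURITY_CONFIG['allowed_ips']) && !in_array($client_ip, $SECURITY_CONFIG['allowed_ips'], true)) {
    http_response_code(403);
    header('Content-Type: application/json');
    die(json_encode([
        'status' => 'error',
        'error_code' => 'IP_BLOCKED',
        'message' => 'Your IP is not whitelisted'
    ]));
}
// Rate limit check; Retry-After mirrors the JSON field for HTTP-aware clients.
if (!checkRateLimit($client_ip)) {
    http_response_code(429);
    header('Content-Type: application/json');
    header('Retry-After: ' . (int) $SECURITY_CONFIG['rate_limit']['block_duration']);
    die(json_encode([
        'status' => 'error',
        'error_code' => 'RATE_LIMIT_EXCEEDED',
        'message' => 'Too many requests. Try again later.',
        'retry_after' => $SECURITY_CONFIG['rate_limit']['block_duration']
    ]));
}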
// ==========================================
// ENDPOINT: LOGIN (Admin Panel)
// ==========================================
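// ENDPOINT: LOGIN (admin panel). POST username/password; on success the
// session is marked as admin. The HTTP status stays 200 for both outcomes
// so a front end keyed on the JSON 'status' field keeps working.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'login') {
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    // Form fields can arrive as arrays (username[]=x); password_verify()
    // throws a TypeError on one, so require plain strings first. The
    // username check is ordered first so password_verify() only runs on a
    // matching account name, as before.
    $credentials_ok = is_string($username) && is_string($password)
        && $username === $SECURITY_CONFIG['admin_username']
        && password_verify($password, $SECURITY_CONFIG['admin_password']);
    if ($credentials_ok) {
        // Discard the pre-login session ID so a cookie planted before
        // authentication (session fixation) cannot become an admin session.
        session_regenerate_id(true);
        $_SESSION['admin_logged_in'] = true;
        $_SESSION['login_time'] = time();
        echo json_encode([
            'status' => 'success',
            'message' => 'Login successful',
            'redirect' => 'panel.php'
        ]);
    } else {
        // Slows guessing, but also holds a worker for 2 s per attempt; the
        // per-IP rate limit above is the real cap on attempts.
        sleep(2);
        echo json_encode([
            'status' => 'error',
            'message' => 'Invalid credentials'
        ]);
    }
    exit;
}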
// ==========================================
// ENDPOINT: GET TOKEN (APK için)
// ==========================================
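// ENDPOINT: GET TOKEN (for the APK). Exchanges a configured API key for a
// time-limited token used by get_config.
if (isset($_GET['action']) && $_GET['action'] === 'get_token') {
    header('Content-Type: application/json');
    // The response carries a credential; keep it out of shared caches.
    header('Cache-Control: no-store');
    // NOTE(review): an api_key in the query string ends up in access logs
    // and browser history; POST (already accepted here) is the better
    // channel for clients that can use it.
    $api_key = $_GET['api_key'] ?? $_POST['api_key'] ?? '';
    if (!validateApiKey($api_key)) {
        http_response_code(401);
        echo json_encode([
            'status' => 'error',
            'error_code' => 'INVALID_API_KEY',
            'message' => 'Invalid API key'
        ]);
        exit;
    }
    $token = generateToken($api_key);
    echo json_encode([
        'status' => 'success',
        'token' => $token,
        'expires_in' => $SECURITY_CONFIG['token_expiry'] * 3600,
        'issued_at' => time()
    ]);
    exit;
}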
// ==========================================
// ENDPOINT: GET CONFIG (Ana API)
// ==========================================
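// ENDPOINT: GET CONFIG (main API). Returns the portal list to holders of a
// valid token.
if (isset($_GET['action']) && $_GET['action'] === 'get_config') {
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    // Token from ?token= or "Authorization: Bearer <token>". A repeated
    // query parameter (token[]=…) arrives as an array, which str_replace()
    // would pass straight through; normalise to a string so validateToken()
    // gets what it expects.
    $token = $_GET['token'] ?? $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    $token = is_string($token) ? str_replace('Bearer ', '', $token) : '';
    if (!validateToken($token)) {
        http_response_code(401);
        echo json_encode([
            'status' => 'error',
            'error_code' => 'INVALID_TOKEN',
            'message' => 'Invalid or expired token'
        ]);
        exit;
    }
    // Portal configuration, returned only with a valid token.
    // NOTE(review): config.php is loaded but $config is assigned below, so
    // anything it defines under that name is overwritten here.
    // The portal URLs are plain http, so whatever the player sends to them
    // travels unencrypted — confirm that is intended.
    require_once 'config.php';
    $config = [
        'app' => [
            'name' => 'MAGTV Android Player',
            'customer_id' => 'v2000',
            'expiry' => 'LIFETIME',
            'version' => '7.0',
        ],
        'portals' => [
            [
                'id' => 1,
                'name' => 'GİRİŞ 1',
                'url' => 'http://hdd.inoon.uk',
                'port' => '8080',
            ],
            [
                'id' => 2,
                'name' => 'GİRİŞ 2',
                'url' => 'http://hdd.inoon.uk',
                'port' => '8080',
            ],
            [
                'id' => 3,
                'name' => 'GİRİŞ 3',
                'url' => 'http://imagson.site',
                'port' => '8080',
            ],
        ],
    ];
    echo json_encode([
        'status' => 'success',
        'data' => $config,
        'timestamp' => time()
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
    exit;
}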
// ==========================================
// ADMIN PANEL ACCESS CHECK
// ==========================================
// Güvenli oturum kontrolü artık panel.php'nin en üstünde yapılmaktadır.
// ==========================================
// DEFAULT: API Dökümantasyonu
// ==========================================
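// DEFAULT: endpoint index when no action is given. Any other ?action=
// value has fallen through every endpoint above; answer it explicitly
// instead of returning an empty 200 body.
if (!isset($_GET['action'])) {
    header('Content-Type: application/json');
    // HTTP_HOST echoes the request's Host header, so this link reflects
    // whatever the client sent (json_encode escapes it for the JSON body).
    $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
    $index = [
        'name' => 'XC IPTV Secured API',
        'version' => '2.0',
        'status' => 'online',
        'security' => 'enabled',
        'endpoints' => [
            'POST /api.php?action=login' => 'Admin login',
            'GET /api.php?action=get_token&api_key=YOUR_KEY' => 'Get access token',
            'GET /api.php?action=get_config&token=YOUR_TOKEN' => 'Get portal config',
        ],
        'documentation' => 'https://' . $host . '/docs'
    ];
    echo json_encode($index, JSON_PRETTY_PRINT);
} else {
    http_response_code(404);
    header('Content-Type: application/json');
    echo json_encode([
        'status' => 'error',
        'error_code' => 'UNKNOWN_ACTION',
        'message' => 'Unknown action'
    ]);
}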
?>