public/index.php

<?php

require_once __DIR__ . '/../vendor/autoload.php';

use Core\Application;
use Core\Router;
use Dotenv\Dotenv;
use App\Services\ErrorHandler;

define('PATH_ROOT', __DIR__ . '/../');

// Register global error handlers FIRST (before anything else can fail)
ErrorHandler::register();

// === EARLY REQUEST VALIDATION ===
// Block malformed requests before they cause issues
// This prevents null pointer errors and logs suspicious activity
$requestUri = $_SERVER['REQUEST_URI'] ?? '/';

// Validate REQUEST_URI format - reject if parse_url fails
$parsedPath = parse_url($requestUri, PHP_URL_PATH);
if ($parsedPath === null || $parsedPath === false) {
    // Log the suspicious request
    $logger = new \App\Services\Logger();
    $logger->warning('Malformed REQUEST_URI blocked', [
        'uri' => $requestUri,
        'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? 'unknown'
    ]);
    
    // Return 400 Bad Request
    http_response_code(400);
    header('Content-Type: text/plain');
    die('Bad Request: Invalid URI format');
}

// Additional validation: REQUEST_URI should start with /
if (!empty($requestUri) && $requestUri[0] !== '/') {
    $logger = new \App\Services\Logger();
    $logger->warning('Invalid REQUEST_URI - must start with /', [
        'uri' => $requestUri,
        'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ]);
    
    http_response_code(400);
    header('Content-Type: text/plain');
    die('Bad Request: Invalid URI format');
}

// Load environment variables (using safeLoad to not throw if missing)
$dotenv = Dotenv::createImmutable(__DIR__ . '/..');
try {
    $dotenv->load();
} catch (\Throwable $e) {
    // If .env is missing, create a minimal one or use defaults
    if (!file_exists(__DIR__ . '/../.env')) {
        // Show helpful error about missing .env file
        throw new \Exception(
            ".env file not found! Please copy env.example.txt to .env and configure your settings.\n\n" .
            "Quick fix:\n" .
            "1. Copy env.example.txt to .env\n" .
            "2. Update database credentials in .env\n" .
            "3. Set APP_ENV=development or production\n\n" .
            "Original error: " . $e->getMessage()
        );
    }
    throw $e;
}

// Configure and start session (with database sessions if available)
Core\SessionConfig::configure();
Core\SessionConfig::start();

// Load CSRF helper functions
require_once __DIR__ . '/../app/Helpers/CsrfHelper.php';

// Check if system is installed (using flag file - no DB queries!)
// Note: REQUEST_URI has already been validated above, so parse_url won't return null
$currentPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';
$isInstallerPath = strpos($currentPath, '/install') === 0;
$installedFlagFile = __DIR__ . '/../.installed';

if (!$isInstallerPath) {
    // Check if .installed flag file exists
    if (!file_exists($installedFlagFile)) {
        header('Location: /install');
        exit;
    }
}

// Check remember me token if user is not logged in
if (!isset($_SESSION['user_id']) && isset($_COOKIE['remember_token']) && !$isInstallerPath) {
    $authController = new \App\Controllers\AuthController();
    $authController->checkRememberToken();
}

// Set application timezone early (before any date operations)
// Also apply on installer paths (e.g. /install/update) when the app is already installed,
// so that notifications created during upgrades use the correct timezone.
if (file_exists($installedFlagFile)) {
    try {
        $settingModel = new \App\Models\Setting();
        $timezone = $settingModel->getValue('app_timezone', 'UTC');
        date_default_timezone_set($timezone);
    } catch (\Exception $e) {
        date_default_timezone_set('UTC');
    }
} else {
    date_default_timezone_set('UTC');
}

// Initialize application
$app = new Application();

// Load routes
require_once __DIR__ . '/../routes/web.php';

// Run application
$app->run();
Initial Commit 2025-10-08 14:23:07 +03:00			`<?php`

			`require_once __DIR__ . '/../vendor/autoload.php';`

			`use Core\Application;`
			`use Core\Router;`
			`use Dotenv\Dotenv;`
Add error log management and bulk admin actions Introduces error log tracking with new ErrorLog model, controller, views, and migration. Adds admin UI for viewing, resolving, and deleting errors. Implements bulk actions for users and notification groups, refactors domain filtering/pagination, and centralizes admin access checks using Auth::requireAdmin(). 2025-10-10 14:01:19 +03:00			`use App\Services\ErrorHandler;`
Initial Commit 2025-10-08 14:23:07 +03:00
autodetect cron script path 2025-10-09 17:08:10 +05:30			`define('PATH_ROOT', __DIR__ . '/../');`

Add error log management and bulk admin actions Introduces error log tracking with new ErrorLog model, controller, views, and migration. Adds admin UI for viewing, resolving, and deleting errors. Implements bulk actions for users and notification groups, refactors domain filtering/pagination, and centralizes admin access checks using Auth::requireAdmin(). 2025-10-10 14:01:19 +03:00			`// Register global error handlers FIRST (before anything else can fail)`
			`ErrorHandler::register();`

Add Pushover notification channel and improve status detection Introduces Pushover as a new notification channel with priority-based alerts, device targeting, and custom sounds. Enhances domain status detection for .nl and .eu domains, ensuring accurate handling when expiration dates or explicit status flags are missing. Fixes PHP 8.x compatibility issues with null parameters in date functions and improves error handling and logging by replacing error_log() with a centralized Logger service. Updates documentation and migrations for version 1.1.1. 2025-11-18 13:22:49 +02:00			`// === EARLY REQUEST VALIDATION ===`
			`// Block malformed requests before they cause issues`
			`// This prevents null pointer errors and logs suspicious activity`
			`$requestUri = $_SERVER['REQUEST_URI'] ?? '/';`

			`// Validate REQUEST_URI format - reject if parse_url fails`
			`$parsedPath = parse_url($requestUri, PHP_URL_PATH);`
			`if ($parsedPath === null \|\| $parsedPath === false) {`
			`// Log the suspicious request`
			`$logger = new \App\Services\Logger();`
			`$logger->warning('Malformed REQUEST_URI blocked', [`
			`'uri' => $requestUri,`
			`'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown',`
			`'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? 'unknown'`
			`]);`

			`// Return 400 Bad Request`
			`http_response_code(400);`
			`header('Content-Type: text/plain');`
			`die('Bad Request: Invalid URI format');`
			`}`

			`// Additional validation: REQUEST_URI should start with /`
			`if (!empty($requestUri) && $requestUri[0] !== '/') {`
			`$logger = new \App\Services\Logger();`
			`$logger->warning('Invalid REQUEST_URI - must start with /', [`
			`'uri' => $requestUri,`
			`'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown'`
			`]);`

			`http_response_code(400);`
			`header('Content-Type: text/plain');`
			`die('Bad Request: Invalid URI format');`
			`}`

Add error log management and bulk admin actions Introduces error log tracking with new ErrorLog model, controller, views, and migration. Adds admin UI for viewing, resolving, and deleting errors. Implements bulk actions for users and notification groups, refactors domain filtering/pagination, and centralizes admin access checks using Auth::requireAdmin(). 2025-10-10 14:01:19 +03:00			`// Load environment variables (using safeLoad to not throw if missing)`
Initial Commit 2025-10-08 14:23:07 +03:00			`$dotenv = Dotenv::createImmutable(__DIR__ . '/..');`
Add error log management and bulk admin actions Introduces error log tracking with new ErrorLog model, controller, views, and migration. Adds admin UI for viewing, resolving, and deleting errors. Implements bulk actions for users and notification groups, refactors domain filtering/pagination, and centralizes admin access checks using Auth::requireAdmin(). 2025-10-10 14:01:19 +03:00			`try {`
			`$dotenv->load();`
			`} catch (\Throwable $e) {`
			`// If .env is missing, create a minimal one or use defaults`
			`if (!file_exists(__DIR__ . '/../.env')) {`
			`// Show helpful error about missing .env file`
			`throw new \Exception(`
			`".env file not found! Please copy env.example.txt to .env and configure your settings.\n\n" .`
			`"Quick fix:\n" .`
			`"1. Copy env.example.txt to .env\n" .`
			`"2. Update database credentials in .env\n" .`
			`"3. Set APP_ENV=development or production\n\n" .`
			`"Original error: " . $e->getMessage()`
			`);`
			`}`
			`throw $e;`
			`}`
Initial Commit 2025-10-08 14:23:07 +03:00
Add CSRF, CAPTCHA, and input validation improvements Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application. 2025-10-10 00:04:12 +03:00			`// Configure and start session (with database sessions if available)`
			`Core\SessionConfig::configure();`
			`Core\SessionConfig::start();`
Initial Commit 2025-10-08 14:23:07 +03:00
Add CSRF, CAPTCHA, and input validation improvements Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application. 2025-10-10 00:04:12 +03:00			`// Load CSRF helper functions`
			`require_once __DIR__ . '/../app/Helpers/CsrfHelper.php';`
Upgraded to 1.1.0 1.1.0 (2025-10-09) - User Notifications System - In-app notification center with 7 notification types, filtering, pagination - Advanced Session Management - Database-backed sessions with geolocation (country, city, ISP) - Remote Session Control - Terminate any device instantly with immediate logout validation - Enhanced Profile Page - Sidebar navigation with 4 tabs, hash-based routing (#profile, #security, #sessions) - MVC Architecture Refactoring - 3 new Helpers (Layout, Domain, Session), ~265 lines cleaned from views - Geolocation Tracking - IP-based location detection using ip-api.com, country flags with flag-icons - Device Detection - Browser & device type parsing (Chrome/Firefox/Safari, Desktop/Mobile/Tablet) - Auto-Detected Cron Paths - Settings show actual installation paths (thanks @jadeops) - Welcome Notifications - Sent to new users on registration or fresh install - Upgrade Notifications - Admins notified on system updates with version & migration count - Web-Based Installer - Replaces CLI, auto-generates encryption key, one-time password display - Web-Based Updater - `/install/update` for running new migrations with smart detection - User Registration - Full signup flow with email verification, password reset, resend verification - User Management - CRUD for users with filtering, sorting, pagination (admin-only) - Remember Me - 30-day secure tokens linked to sessions, cascade deletion on logout - Session Validator - Middleware validates sessions on every request for instant remote logout - Consistent UI/UX - Unified filtering, sorting, pagination across Domains, Users, Notifications, TLD Registry - Smart Migrations - Consolidated schema for fresh installs, incremental for upgrades - XSS Protection - htmlspecialchars() applied across all user-facing data (thanks @jadeops) 2025-10-09 18:02:46 +03:00
			`// Check if system is installed (using flag file - no DB queries!)`
Add Pushover notification channel and improve status detection Introduces Pushover as a new notification channel with priority-based alerts, device targeting, and custom sounds. Enhances domain status detection for .nl and .eu domains, ensuring accurate handling when expiration dates or explicit status flags are missing. Fixes PHP 8.x compatibility issues with null parameters in date functions and improves error handling and logging by replacing error_log() with a centralized Logger service. Updates documentation and migrations for version 1.1.1. 2025-11-18 13:22:49 +02:00			`// Note: REQUEST_URI has already been validated above, so parse_url won't return null`
			`$currentPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';`
Upgraded to 1.1.0 1.1.0 (2025-10-09) - User Notifications System - In-app notification center with 7 notification types, filtering, pagination - Advanced Session Management - Database-backed sessions with geolocation (country, city, ISP) - Remote Session Control - Terminate any device instantly with immediate logout validation - Enhanced Profile Page - Sidebar navigation with 4 tabs, hash-based routing (#profile, #security, #sessions) - MVC Architecture Refactoring - 3 new Helpers (Layout, Domain, Session), ~265 lines cleaned from views - Geolocation Tracking - IP-based location detection using ip-api.com, country flags with flag-icons - Device Detection - Browser & device type parsing (Chrome/Firefox/Safari, Desktop/Mobile/Tablet) - Auto-Detected Cron Paths - Settings show actual installation paths (thanks @jadeops) - Welcome Notifications - Sent to new users on registration or fresh install - Upgrade Notifications - Admins notified on system updates with version & migration count - Web-Based Installer - Replaces CLI, auto-generates encryption key, one-time password display - Web-Based Updater - `/install/update` for running new migrations with smart detection - User Registration - Full signup flow with email verification, password reset, resend verification - User Management - CRUD for users with filtering, sorting, pagination (admin-only) - Remember Me - 30-day secure tokens linked to sessions, cascade deletion on logout - Session Validator - Middleware validates sessions on every request for instant remote logout - Consistent UI/UX - Unified filtering, sorting, pagination across Domains, Users, Notifications, TLD Registry - Smart Migrations - Consolidated schema for fresh installs, incremental for upgrades - XSS Protection - htmlspecialchars() applied across all user-facing data (thanks @jadeops) 2025-10-09 18:02:46 +03:00			`$isInstallerPath = strpos($currentPath, '/install') === 0;`
			`$installedFlagFile = __DIR__ . '/../.installed';`

			`if (!$isInstallerPath) {`
			`// Check if .installed flag file exists`
			`if (!file_exists($installedFlagFile)) {`
			`header('Location: /install');`
			`exit;`
			`}`
			`}`

			`// Check remember me token if user is not logged in`
			`if (!isset($_SESSION['user_id']) && isset($_COOKIE['remember_token']) && !$isInstallerPath) {`
			`$authController = new \App\Controllers\AuthController();`
			`$authController->checkRememberToken();`
			`}`

Fix bulk actions selection and set timezone earlier Improves bulk actions in the domains view by ensuring unique domain IDs are counted and selected, preventing double-counting from desktop and mobile checkboxes. Adds CSRF token to bulk actions forms for security. Moves timezone initialization to public/index.php to ensure it is set before any date operations, and updates base layout to reflect this change. 2025-10-11 21:22:39 +03:00			`// Set application timezone early (before any date operations)`
Set timezone when app is installed regardless of path Remove the installer-path exclusion when initializing the application timezone. If the installed flag file exists, the app timezone is now applied (from settings) even on installer/update routes so notifications created during upgrades use the correct timezone. UTC remains the fallback when settings or the database are unavailable, and UTC is used when the app is not installed. 2026-03-02 12:09:02 +02:00			`// Also apply on installer paths (e.g. /install/update) when the app is already installed,`
			`// so that notifications created during upgrades use the correct timezone.`
			`if (file_exists($installedFlagFile)) {`
Fix bulk actions selection and set timezone earlier Improves bulk actions in the domains view by ensuring unique domain IDs are counted and selected, preventing double-counting from desktop and mobile checkboxes. Adds CSRF token to bulk actions forms for security. Moves timezone initialization to public/index.php to ensure it is set before any date operations, and updates base layout to reflect this change. 2025-10-11 21:22:39 +03:00			`try {`
			`$settingModel = new \App\Models\Setting();`
			`$timezone = $settingModel->getValue('app_timezone', 'UTC');`
			`date_default_timezone_set($timezone);`
			`} catch (\Exception $e) {`
			`date_default_timezone_set('UTC');`
			`}`
			`} else {`
			`date_default_timezone_set('UTC');`
			`}`

Initial Commit 2025-10-08 14:23:07 +03:00			`// Initialize application`
			`$app = new Application();`

			`// Load routes`
			`require_once __DIR__ . '/../routes/web.php';`

			`// Run application`
			`$app->run();`