<?php
if (!defined('ABSPATH')) {
	exit;//Exit if accessed directly
}

class AIOWPSecurity_Process_Renamed_Login_Page {

	public function __construct() {
		add_action('login_init', array($this, 'aiowps_login_init'));
		add_filter('site_url', array($this, 'aiowps_site_url'), 10, 2);
		add_filter('network_site_url', array($this, 'aiowps_site_url'), 10, 2);
		add_filter('wp_redirect', array($this, 'aiowps_wp_redirect'), 10, 2);
		add_filter('register', array($this, 'register_link'));
		add_filter('user_request_action_email_content', array($this, 'aiowps_user_request_email_content'), 10, 2);
		remove_action('template_redirect', 'wp_redirect_admin_locations', 1000); //To prevent redirect to login page when people type "login" at end of home URL

	}

	public function aiowps_login_init() {
		$parsed_request = isset($_SERVER['REQUEST_URI']) ? wp_parse_url(sanitize_url(wp_unslash($_SERVER['REQUEST_URI']))) : '';
		if ($parsed_request && preg_match('/wp-login\.php$/', $parsed_request['path'])) {
			AIOWPSecurity_Process_Renamed_Login_Page::aiowps_set_404();
		}
	}

	public function aiowps_site_url($url) {
		return $this->aiowps_filter_wp_login_file($url);
	}

	public function aiowps_wp_redirect($location) {
		return $this->aiowps_filter_wp_login_file($location);
	}

	/**
	 * Filter register link on the login page
	 *
	 * @param string $registration_url
	 * @return string
	 */
	public function register_link($registration_url) {
		return $this->aiowps_filter_wp_login_file($registration_url);
	}

	/**
	 * Filter confirm link so we hide the secret login slug in the export_personal_data email
	 *
	 * @param string $email_text
	 * @param string $email_data
	 * @return string
	 */
	public function aiowps_user_request_email_content($email_text, $email_data) {
		global $aio_wp_security;
		if (isset($email_data['request']) && isset($email_data['request']->action_name)) {
			if ('export_personal_data' == $email_data['request']->action_name) {
				$confirm_url = $email_data['confirm_url'];
				$login_slug = $aio_wp_security->configs->get_value('aiowps_login_page_slug');
				if (get_option('permalink_structure')) {
					$new_confirm_url = str_replace($login_slug, 'wp-login.php', $confirm_url);
				} else {
					$search_pattern = '?'.$login_slug.'&action';
					$new_confirm_url = str_replace($search_pattern, '/wp-login.php/?action', $confirm_url);
				}

				$email_text_modified = str_replace('###CONFIRM_URL###', esc_url_raw($new_confirm_url), $email_text);
				return $email_text_modified;
			}
		}
		return $email_text;
	}

	/**
	 * Filter all login url strings on the login page
	 *
	 * @param string $url
	 * @return string
	 */
	public function aiowps_filter_wp_login_file($url) {
		if (strpos($url, 'wp-login.php') !== false) {
			$args = explode('?', $url);
			if (isset($args[1])) {
				if (strpos($args[1], 'action=postpass') !== false) {
					return $url; //Don't reveal the secret URL in the post password action url
				}
				parse_str($args[1], $args);
				$url = esc_url(add_query_arg($args, AIOWPSecurity_Process_Renamed_Login_Page::new_login_url()));
				$url = html_entity_decode($url);
			} elseif (isset($_SERVER['REQUEST_URI']) && stripos(urldecode(sanitize_url(wp_unslash($_SERVER['REQUEST_URI']))), 'wp-admin/install.php')) {
				return $url;
			} else {
				$url = AIOWPSecurity_Process_Renamed_Login_Page::new_login_url();
			}
		}
		return $url;
	}

	/**
	 * Login page renamed related tasks, do not allow access if not logged with rename login page.
	 *
	 * @return void
	 */
	public static function renamed_login_init_tasks() {
		// Bail if the host cron job is running by running the command "php wp-cron.php"
		// The $_SERVER['REQUEST_URI'] is undefined when running a PHP file from the command line.
		// for `wp plugin list` it will be empty so showing Not available instead plugin list.
		if (empty($_SERVER['REQUEST_URI']) || defined('WP_CLI') || 'cli' == PHP_SAPI || wp_doing_cron() || wp_doing_ajax()) {
			return;
		}

		global $aio_wp_security;

		//The following will process the native wordpress post password protection form
		//Normally this is done by wp-login.php file but we cannot use that since the login page has been renamed
		
		// Bots with URLs like: /index.php?action[]=aaaa will return an array here. It needs to be a string.
		$action = (isset($_GET['action']) && is_string($_GET['action'])) ? sanitize_text_field(wp_unslash($_GET['action'])) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- No nonce available.
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing -- No nonce available.
		if (isset($_POST['post_password']) && 'postpass' == $action) {

			// Check if the captcha is enabled for the password protected pages and process validation if the login page was renamed
			if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_password_protected_captcha')) {
				$aio_wp_security->captcha_obj->validate_password_protected_password_form_with_captcha();
			}

			require_once ABSPATH . 'wp-includes/class-phpass.php';
			$hasher = new PasswordHash(8, true);

			/**
			 * Filter the life span of the post password cookie.
			 *
			 * By default, the cookie expires 10 days from creation. To turn this
			 * into a session cookie, return 0.
			 *
			 * @since 3.7.0
			 *
			 * @param int $expires The expiry time, as passed to setcookie().
			 */
			$expire = apply_filters('post_password_expires', time() + 10 * DAY_IN_SECONDS);
			// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- No nonce available, not recommended to sanitize passwords.
			setcookie('wp-postpass_' . COOKIEHASH, $hasher->HashPassword(wp_unslash($_POST['post_password'])), $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);

			wp_safe_redirect(wp_get_referer());
			exit();
		}

		//case where someone attempting to reach wp-admin
		if (is_admin() && !is_user_logged_in() && (isset($_SERVER["SCRIPT_FILENAME"]) ? basename(sanitize_text_field(wp_unslash($_SERVER["SCRIPT_FILENAME"]))) : '') !== 'admin-post.php') {
			//Fix to prevent fatal error caused by some themes and Yoast SEO
			do_action('aiowps_before_wp_die_renamed_login');
			wp_die(esc_html__('You do not have permission to access this page.', 'all-in-one-wp-security-and-firewall') .  ' ' . esc_html__('Please log in and try again.', 'all-in-one-wp-security-and-firewall'), 403);
		}

		//case where someone attempting to reach wp-login
		if (isset($_SERVER['REQUEST_URI']) && stripos(urldecode(sanitize_url(wp_unslash($_SERVER['REQUEST_URI']))), 'wp-login.php') && !is_user_logged_in()) {

			// Handle export personal data request for rename login case
			if (isset($_GET['request_id'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
				$request_id = (int) sanitize_text_field(wp_unslash($_GET['request_id'])); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
				$result = '';
				if (isset($_GET['confirm_key'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
					$key = sanitize_text_field(wp_unslash($_GET['confirm_key'])); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
					$result = wp_validate_user_request_key($request_id, $key);
				} else {
					$result = new WP_Error('invalid_key', esc_html__('Invalid key', 'all-in-one-wp-security-and-firewall'));
				}

				if (is_wp_error($result)) {
					// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- PCP error. $result is WPError object with sanitized strings.
					wp_die($result);
				} elseif (!empty($result)) {
					_wp_privacy_account_request_confirmed($request_id);
					$message = _wp_privacy_account_request_confirmed_message($request_id);
					login_header(__('User action confirmed.', 'all-in-one-wp-security-and-firewall'), $message);
					login_footer();
					exit;
				}
			}

			//Check if the maintenance (lockout) mode is active - if so prevent access to site by not displaying 404 page!
			if ($aio_wp_security->configs->get_value('aiowps_site_lockout') == '1') {
				AIOWPSecurity_WP_Loaded_Tasks::site_lockout_tasks();
			} else {
				AIOWPSecurity_Process_Renamed_Login_Page::aiowps_set_404();
			}
		}

		//case where someone attempting to reach the standard register or signup pages
		$request_uri = urldecode(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])));
		if ('' !== $request_uri && stripos($request_uri, 'wp-register.php') || '' !== $request_uri && stripos($request_uri, 'wp-signup.php')) {
			//Check if the maintenance (lockout) mode is active - if so prevent access to site by not displaying 404 page!
			if ('1' == $aio_wp_security->configs->get_value('aiowps_site_lockout')) {
				AIOWPSecurity_WP_Loaded_Tasks::site_lockout_tasks();
			} else {
				AIOWPSecurity_Process_Renamed_Login_Page::aiowps_set_404();
			}
		}

		$login_slug = $aio_wp_security->configs->get_value('aiowps_login_page_slug');

		if (self::is_renamed_login_page_requested($login_slug)) {
			if (empty($action) && is_user_logged_in()) {
				//if user is already logged in but tries to access the renamed login page, send them to the dashboard
				// or to requested redirect-page, filtered in 'login_redirect'.
				if (isset($_REQUEST['redirect_to'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
					$redirect_to = wp_sanitize_redirect(wp_unslash($_REQUEST['redirect_to'])); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
					$redirect_to = wp_validate_redirect($redirect_to, apply_filters('wp_safe_redirect_fallback', admin_url(), 302));
					$requested_redirect_to = $redirect_to;
				} else {
					$redirect_to = admin_url();
					$requested_redirect_to = '';
				}
				$redirect_to = apply_filters('login_redirect', $redirect_to, $requested_redirect_to, wp_get_current_user());
				AIOWPSecurity_Utility::redirect_to_url($redirect_to);
			} else {
				global $wp_version;
				do_action('aiowps_rename_login_load');
				// logout action called by WooCommerce does not apply the login whitelist which shows a 403 error for the customer
				if (!(isset($_GET['action']) && 'logout' == $_GET['action'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
					AIOWPSecurity_Utility_IP::check_login_whitelist_and_forbid();
				}

				status_header(200);
				if (version_compare($wp_version, '6.6', '>=')) {
					require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature.php');
				} elseif (version_compare($wp_version, '5.7', '>=')) {
					require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature-pre-6-6.php');
				} elseif (version_compare($wp_version, '5.2', '>=')) {
					require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature-pre-5-7.php');
				} else {
					require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature-pre-5-2.php');
				}

				die;
			}
		}
	}

	public static function new_login_url() {
		global $aio_wp_security;
		$login_slug = $aio_wp_security->configs->get_value('aiowps_login_page_slug');
		if (get_option('permalink_structure')) {
			return trailingslashit(trailingslashit(home_url()) . $login_slug);
		} else {
			return trailingslashit(site_url()) . '?' . $login_slug;
		}
	}

	public static function aiowps_set_404() {
		global $wp_query;
		do_action('aiowps_before_set_404'); // This hook is for themes which produce a fatal error when the rename login feature is enabled and someone visits "wp-admin" slug directly

		status_header(404);
		$wp_query->set_404();
		do_action('template_redirect'); // Trigger 'template_redirect' to allow third-party plugins to intercept and inject custom logic before rendering the fallback template.

		$template = get_404_template();
		if (empty($template)) $template = get_index_template();
		$template = apply_filters('template_include', $template);
		if ($template) include($template);
		die;
	}
	
	/**
	 * Check renamed login page is requested
	 *
	 * @param string $login_slug Renamed loginpage slug
	 *
	 * @return boolean
	 */
	public static function is_renamed_login_page_requested($login_slug) {
		
		if (empty($_SERVER['REQUEST_URI'])) return false;
	
		$parsed_url_path = isset($_SERVER['REQUEST_URI']) ? wp_parse_url(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), PHP_URL_PATH) : '';
		$home_url_with_slug = home_url($login_slug, 'relative');

		/*
		 * Compatibility fix for WPML, TranslatePress plugin
		 */
		if (function_exists('wpml_object_id') || function_exists('trp_enable_translatepress')) {
			$home_url_with_slug = home_url($login_slug);
			$parsed_home_url_with_slug = wp_parse_url($home_url_with_slug);
			$home_url_with_slug = $parsed_home_url_with_slug['path']; //this will return just the path minus the protocol and host
		}

		// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
		if (untrailingslashit($parsed_url_path) === $home_url_with_slug || (!get_option('permalink_structure') && isset($_GET[$login_slug]))) {
			return true;
		}
		
		return false;
	}

}