 Server : Apache/2 System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 User : gositeme ( 1004) PHP Version : 8.2.29 Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname Directory : /home/gositeme/.cursor-server/data/User/History/2d16b85/ |
<?php
// Audio proxy endpoint - hides actual MP3 file paths
// Uses track_id instead of task_id for community pages
// Now includes signed token validation to prevent URL sharing
error_reporting(0);
ini_set('display_errors', 0);
ob_start();
session_start();
// Include token validation
require_once __DIR__ . '/audio_token.php';
// Get track ID and optional variation from URL
$trackId = $_GET['id'] ?? '';
$variationIndex = isset($_GET['variation']) ? (int)$_GET['variation'] : null;
$token = $_GET['token'] ?? '';
$expires = isset($_GET['expires']) ? (int)$_GET['expires'] : 0;
// CRITICAL: Block direct access - only allow when coming from proper pages
// This prevents people from pasting URLs directly
$referrer = $_SERVER['HTTP_REFERER'] ?? '';
$allowedDomains = [
$_SERVER['HTTP_HOST'] ?? 'soundstudiopro.com',
'soundstudiopro.com',
'www.soundstudiopro.com'
];
$isFromValidPage = false;
// Check if request is coming from a valid page on our domain
if (!empty($referrer)) {
foreach ($allowedDomains as $domain) {
if (strpos($referrer, 'https://' . $domain) === 0 || strpos($referrer, 'http://' . $domain) === 0) {
$isFromValidPage = true;
break;
}
}
}
// Block direct access (no referrer or external referrer)
if (!$isFromValidPage && !empty($token)) {
error_log("Direct access attempt blocked for track $trackId - no valid referrer");
http_response_code(403);
header('Content-Type: text/plain');
echo "Access denied - direct URL access not allowed";
exit;
}
ob_clean();
if (empty($trackId) || !is_numeric($trackId)) {
http_response_code(400);
header('Content-Type: text/plain');
echo "Invalid track ID";
exit;
}
require_once __DIR__ . '/../config/database.php';
ob_clean();
$pdo = getDBConnection();
if (!$pdo) {
http_response_code(500);
header('Content-Type: text/plain');
echo "Database error";
exit;
}
// Get current user and session
$user_id = $_SESSION['user_id'] ?? null;
$session_id = session_id();
// Get track and verify access
$stmt = $pdo->prepare("SELECT id, task_id, audio_url, is_public, user_id, status, metadata, selected_variation FROM music_tracks WHERE id = ? AND status = 'complete'");
$stmt->execute([$trackId]);
$track = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$track) {
http_response_code(404);
header('Content-Type: text/plain');
echo "Track not found";
exit;
}
// SECURITY: Check access
$isOwner = ($user_id && $track['user_id'] == $user_id);
$isPublic = ($track['is_public'] == 1);
// For public tracks, token is optional (for backward compatibility)
// For private tracks or owners, token is required
if ($isPublic) {
// Public track - if token is provided, it MUST be valid for this track and session
// This prevents URL sharing across browsers/sessions
if (!empty($token) && !empty($expires)) {
$tokenValid = validateAudioToken($trackId, $variationIndex, $token, $expires, $user_id, $session_id);
if (!$tokenValid) {
// Try with null user_id (guest mode)
$tokenValid = validateAudioToken($trackId, $variationIndex, $token, $expires, null, $session_id);
}
// CRITICAL: If token is provided, it MUST be valid - prevents cross-browser sharing
if (!$tokenValid) {
error_log("Invalid token for public track $trackId - token does not match session, denying access");
http_response_code(403);
header('Content-Type: text/plain');
echo "Access denied - invalid token for this session";
exit;
}
}
// Public track - allow access (with valid token or without token)
} else {
// Private track - require valid token
if (empty($token) || empty($expires)) {
http_response_code(403);
header('Content-Type: text/plain');
echo "Access denied - missing token";
exit;
}
// Validate token
$tokenValid = validateAudioToken($trackId, $variationIndex, $token, $expires, $user_id, $session_id);
if (!$tokenValid && $isOwner) {
// Owner might have different session, try with null user_id
$tokenValid = validateAudioToken($trackId, $variationIndex, $token, $expires, null, $session_id);
}
if (!$tokenValid) {
http_response_code(403);
header('Content-Type: text/plain');
echo "Access denied - invalid or expired token";
exit;
}
}
// CRITICAL: One-time use enforcement - check BEFORE serving, mark on page loads only
// First page load consumes the use, refresh is blocked
// Range requests (playback/seeking) don't consume uses - they're part of the same session
$isPageLoad = !isset($_SERVER['HTTP_RANGE']) && ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET';
if (!empty($token) && !empty($expires)) {
// Check if token has already been used (blocks refresh)
$usage = checkTokenUsage($token, $trackId);
if ($usage['used'] && $usage['expired']) {
// Token already used - block immediately
error_log("Token already used ($usage[use_count]/" . AUDIO_TOKEN_MAX_USES . ") for track $trackId - denying access");
http_response_code(403);
header('Content-Type: text/plain');
echo "Access denied - token already used";
exit;
}
// Mark token as used ONLY on page loads (not Range requests)
// First page load consumes the use immediately, refresh is blocked
// Range requests (playback/seeking) don't consume uses - allows normal playback
if ($isPageLoad) {
markTokenUsed($token, $trackId);
}
}
// If no variation parameter provided, check for selected variation in metadata
if ($variationIndex === null) {
// Check metadata for selected_variation
if (!empty($track['metadata'])) {
$metadata = is_string($track['metadata']) ? json_decode($track['metadata'], true) : $track['metadata'];
if (isset($metadata['selected_variation'])) {
$variationIndex = (int)$metadata['selected_variation'];
}
}
// Also check selected_variation column if it exists
if ($variationIndex === null && isset($track['selected_variation']) && $track['selected_variation'] !== null) {
$variationIndex = (int)$track['selected_variation'];
}
}
// Get audio URL - check for specific variation first, then main track
$audioUrl = '';
if ($variationIndex !== null) {
// Get specific variation
$stmt = $pdo->prepare("SELECT audio_url FROM audio_variations WHERE track_id = ? AND variation_index = ?");
$stmt->execute([$trackId, $variationIndex]);
$variation = $stmt->fetch(PDO::FETCH_ASSOC);
if ($variation) {
$audioUrl = $variation['audio_url'] ?? '';
}
}
// If no variation or variation not found, use main track
if (empty($audioUrl)) {
$audioUrl = $track['audio_url'] ?? '';
// If still empty, try first variation as fallback
if (empty($audioUrl)) {
$stmt = $pdo->prepare("SELECT audio_url FROM audio_variations WHERE track_id = ? ORDER BY variation_index ASC LIMIT 1");
$stmt->execute([$trackId]);
$variation = $stmt->fetch(PDO::FETCH_ASSOC);
if ($variation) {
$audioUrl = $variation['audio_url'] ?? '';
}
}
}
if (empty($audioUrl)) {
http_response_code(404);
header('Content-Type: text/plain');
echo "Audio not available";
exit;
}
// If it's a local file, serve it with Range support for seeking
if (strpos($audioUrl, '/audio_files/') === 0 || strpos($audioUrl, '/uploads/') === 0) {
$localPath = $_SERVER['DOCUMENT_ROOT'] . $audioUrl;
if (file_exists($localPath)) {
$fileSize = filesize($localPath);
$fileType = mime_content_type($localPath) ?: 'audio/mpeg';
while (ob_get_level()) {
ob_end_clean();
}
header('Content-Type: ' . $fileType);
header('Accept-Ranges: bytes');
header('Cache-Control: public, max-age=3600');
// Handle Range requests for seeking support
if (isset($_SERVER['HTTP_RANGE'])) {
// Parse the Range header
$range = $_SERVER['HTTP_RANGE'];
if (preg_match('/bytes=(\d*)-(\d*)/', $range, $matches)) {
$start = $matches[1] === '' ? 0 : intval($matches[1]);
$end = $matches[2] === '' ? $fileSize - 1 : intval($matches[2]);
// Validate range
if ($start > $end || $start >= $fileSize || $end >= $fileSize) {
http_response_code(416); // Range Not Satisfiable
header("Content-Range: bytes */$fileSize");
exit;
}
$length = $end - $start + 1;
http_response_code(206); // Partial Content
header("Content-Range: bytes $start-$end/$fileSize");
header("Content-Length: $length");
// Serve the requested range
$fp = fopen($localPath, 'rb');
fseek($fp, $start);
$remaining = $length;
while ($remaining > 0 && !feof($fp)) {
$chunk = min(8192, $remaining);
echo fread($fp, $chunk);
$remaining -= $chunk;
flush();
}
fclose($fp);
exit;
}
}
// No Range header - serve full file
header('Content-Length: ' . $fileSize);
readfile($localPath);
exit;
}
}
// If it's an external URL, proxy it with Range support
if (strpos($audioUrl, 'http') === 0) {
while (ob_get_level()) {
ob_end_clean();
}
// Build headers to forward to external server
$requestHeaders = [
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
];
// Forward Range header if present (for seeking support)
if (isset($_SERVER['HTTP_RANGE'])) {
$requestHeaders[] = 'Range: ' . $_SERVER['HTTP_RANGE'];
}
$ch = curl_init($audioUrl);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders);
// Capture response headers to forward them
$responseHeaders = [];
curl_setopt($ch, CURLOPT_HEADERFUNCTION, function($curl, $header) use (&$responseHeaders) {
$len = strlen($header);
$header = trim($header);
if (empty($header)) return $len;
// Parse header
$parts = explode(':', $header, 2);
if (count($parts) == 2) {
$name = strtolower(trim($parts[0]));
$value = trim($parts[1]);
$responseHeaders[$name] = $value;
} elseif (strpos($header, 'HTTP/') === 0) {
// Status line - extract status code
if (preg_match('/HTTP\/\d\.?\d?\s+(\d+)/', $header, $matches)) {
$responseHeaders['_status'] = intval($matches[1]);
}
}
return $len;
});
// Buffer the response to get headers first, then stream
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$body = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($httpCode >= 400) {
http_response_code(500);
header('Content-Type: text/plain');
echo "Failed to stream audio";
exit;
}
// Set appropriate status code (206 for partial content, 200 for full)
if ($httpCode == 206) {
http_response_code(206);
}
// Forward relevant headers
header('Content-Type: ' . ($responseHeaders['content-type'] ?? 'audio/mpeg'));
header('Accept-Ranges: bytes');
header('Cache-Control: public, max-age=3600');
if (isset($responseHeaders['content-length'])) {
header('Content-Length: ' . $responseHeaders['content-length']);
}
if (isset($responseHeaders['content-range'])) {
header('Content-Range: ' . $responseHeaders['content-range']);
}
// Output the body
echo $body;
exit;
}
http_response_code(404);
header('Content-Type: text/plain');
echo "Audio not available";
exit;
?>