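<?php
/**
 * SHIELD VERIFICATION ENDPOINT
 *
 * Validates the challenge response and issues verification cookie.
 *
 * Request: a POSTed JSON object carrying token, answer, solve_time,
 * bot_indicators (list of strings) and fingerprint. Every one of those
 * fields is client-supplied and therefore treated as untrusted: each is
 * type-checked before it is compared or passed on. The challenge it is
 * compared against lives in $_SESSION['shield_challenge'] (token, time,
 * puzzle_answer, puzzle_time, return_url) and is written elsewhere.
 *
 * Response: JSON {success: bool, error?: string, redirect?: string}. Every
 * branch answers and exits; only the final path calls shield_generate_cookie().
 */
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

require_once 'config/shield_config.php';
require_once 'includes/shield.php';

$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

/**
 * Send a JSON response and end the request.
 *
 * @param array<string, mixed> $payload body to encode
 * @param int                  $status  HTTP status code
 */
$respond = static function (array $payload, int $status = 200): void {
    http_response_code($status);
    echo json_encode($payload);
    exit;
};

/**
 * Log a failed check (when $event is given) and answer with success=false.
 *
 * @param string               $error   message returned to the client
 * @param string|null          $event   shield_log() event name, null to skip logging
 * @param array<string, mixed> $context extra fields for the log entry
 * @param int                  $status  HTTP status code
 */
$fail = static function (string $error, ?string $event = null, array $context = [], int $status = 200) use ($respond, $ip): void {
    if ($event !== null) {
        shield_log($event, $ip, $context);
    }
    $respond(['success' => false, 'error' => $error], $status);
};

// If Shield is disabled, just pass
if (!shield_is_enabled()) {
    $respond(['success' => true, 'redirect' => $_SESSION['shield_challenge']['return_url'] ?? '/']);
}

// Only accept POST
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    $fail('Method not allowed', null, [], 405);
}

// Parse JSON body. Only a non-empty JSON object is acceptable: a bare scalar
// would pass a plain truthiness test and then break on the field lookups below.
$input = json_decode((string) file_get_contents('php://input'), true);
if (!is_array($input) || $input === []) {
    $fail('Invalid request');
}

// Verify we have an active challenge
if (!isset($_SESSION['shield_challenge']) || !is_array($_SESSION['shield_challenge'])) {
    $fail('No active challenge', 'verify_no_challenge');
}
$challenge = $_SESSION['shield_challenge'];

// Verify token matches. Both sides must be strings, and hash_equals() keeps
// the comparison constant-time instead of stopping at the first differing byte.
$provided_token = $input['token'] ?? null;
$expected_token = $challenge['token'] ?? null;
if (!is_string($provided_token) || !is_string($expected_token) || !hash_equals($expected_token, $provided_token)) {
    $fail('Invalid token', 'verify_token_mismatch');
}

// Verify challenge not expired (a challenge without an issue time counts as expired)
$issued_at = (int) ($challenge['time'] ?? 0);
if (time() - $issued_at > SHIELD_CHALLENGE_TIMEOUT) {
    unset($_SESSION['shield_challenge']);
    $fail('Challenge expired', 'verify_expired');
}

// Verify puzzle answer. Compared on string form with ===: a loose != would let
// PHP type-juggle (for instance boolean true equals any non-zero number), so
// booleans, null, arrays and objects are rejected outright.
$expected_answer = $challenge['puzzle_answer'] ?? null;
$provided_answer = $input['answer'] ?? null;
$answer_matches = is_scalar($expected_answer)
    && is_scalar($provided_answer)
    && !is_bool($provided_answer)
    && (string) $provided_answer === (string) $expected_answer;
if (!$answer_matches) {
    // NOTE(review): a wrong answer leaves the challenge in the session, so the
    // puzzle can be retried until SHIELD_CHALLENGE_TIMEOUT elapses; confirm that
    // is intended, or unset($_SESSION['shield_challenge']) here as the expired branch does.
    $fail('Verification failed', 'verify_wrong_answer', [
        'expected' => $expected_answer,
        'provided' => $provided_answer,
    ]);
}

// Verify solve time. This value is client-reported; a missing or non-numeric
// value is treated as 0 so it is rejected below as "too fast" exactly like an
// absent field. $challenge['puzzle_time'] is the server-side issue time and is
// not consulted here (NOTE(review): consider cross-checking against it).
$solve_time = $input['solve_time'] ?? 0;
$solve_time = is_numeric($solve_time) ? $solve_time + 0 : 0;
if ($solve_time < SHIELD_MIN_SOLVE_TIME) {
    // Too fast - likely a bot
    $fail('Verification failed', 'verify_too_fast', ['solve_time' => $solve_time]);
}
if ($solve_time > SHIELD_MAX_SOLVE_TIME) {
    // Too slow - might be automated
    $fail('Verification timeout', 'verify_too_slow', ['solve_time' => $solve_time]);
}

// Check bot indicators. A scalar is wrapped so that in_array() always gets an array
// (it throws a TypeError on anything else) and a single bare flag is still honoured.
$bot_indicators = $input['bot_indicators'] ?? [];
if (!is_array($bot_indicators)) {
    $bot_indicators = [$bot_indicators];
}
if ($bot_indicators !== []) {
    // Log but don't necessarily block - some legitimate browsers trip these
    shield_log('bot_indicators_detected', $ip, [
        'indicators' => $bot_indicators,
        'ua' => $_SERVER['HTTP_USER_AGENT'] ?? '',
    ]);
    // Block if webdriver or headless detected; strict so that values such as
    // true or 0 in the list cannot be juggled into (or out of) a match
    if (in_array('webdriver', $bot_indicators, true) || in_array('headless', $bot_indicators, true)) {
        $fail('Browser verification failed');
    }
}

// All checks passed - issue verification cookie. hash() below needs a string,
// so a non-string fingerprint is treated the same as an absent one.
$fingerprint = $input['fingerprint'] ?? '';
if (!is_string($fingerprint)) {
    $fingerprint = '';
}
shield_generate_cookie($ip, $fingerprint);

// Clear challenge session
$return_url = $challenge['return_url'] ?? '/';
unset($_SESSION['shield_challenge']);

// Log successful verification (only a truncated hash of the fingerprint is recorded)
shield_log('verified', $ip, [
    'solve_time' => $solve_time,
    'fingerprint_hash' => substr(hash('sha256', $fingerprint), 0, 16),
]);

$respond([
    'success' => true,
    'redirect' => $return_url,
]);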