diff --git a/Panel/includes/functions.php b/Panel/includes/functions.php index b4d9ad5b..7103c50e 100644 --- a/Panel/includes/functions.php +++ b/Panel/includes/functions.php @@ -72,10 +72,6 @@ function gsp_website_url(string $path = ''): string { return $path === '' ? $base : rtrim($base, '/') . '/' . $path; } -function gsp_panel_to_website_sso_url(string $returnPath = 'serverlist.php'): string { - return 'sso.php?destination=website&return=' . rawurlencode($returnPath); -} - function gsp_discord_invite_url(): string { return 'https://discord.gg/qt9Hnkj6cv'; } diff --git a/Panel/includes/sso.php b/Panel/includes/sso.php deleted file mode 100644 index cacb60b4..00000000 --- a/Panel/includes/sso.php +++ /dev/null @@ -1,204 +0,0 @@ -real_escape_string($prefix . 'sso_tokens'); - $db->query( - "CREATE TABLE IF NOT EXISTS `{$table}` ( - `id` INT UNSIGNED NOT NULL AUTO_INCREMENT, - `token_hash` CHAR(64) NOT NULL, - `user_id` INT(11) NOT NULL, - `source` VARCHAR(32) NOT NULL, - `destination` VARCHAR(32) NOT NULL, - `created_at` DATETIME NOT NULL, - `expires_at` DATETIME NOT NULL, - `used_at` DATETIME DEFAULT NULL, - `nonce` VARCHAR(64) NOT NULL, - `originating_ip` VARCHAR(64) DEFAULT NULL, - `user_agent_hash` CHAR(64) DEFAULT NULL, - `return_path` VARCHAR(255) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `uniq_sso_token_hash` (`token_hash`), - KEY `idx_sso_user_destination` (`user_id`, `destination`), - KEY `idx_sso_expires` (`expires_at`) - ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4" - ); -} - -function gsp_sso_cleanup(mysqli $db, string $prefix): void -{ - gsp_sso_ensure_table($db, $prefix); - $table = $db->real_escape_string($prefix . 'sso_tokens'); - $db->query("DELETE FROM `{$table}` WHERE `expires_at` < (UTC_TIMESTAMP() - INTERVAL 10 MINUTE)"); -} - -function gsp_sso_create_token(mysqli $db, string $prefix, int $userId, string $source, string $destination, string $returnPath, int $ttlSeconds = 60): ?string -{ - if (!gsp_sso_is_secure_request()) { - return null; - } - - gsp_sso_cleanup($db, $prefix); - - $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '='); - $tokenHash = gsp_sso_hash_token($token); - $nonce = bin2hex(random_bytes(16)); - $createdAt = gmdate('Y-m-d H:i:s'); - $expiresAt = gmdate('Y-m-d H:i:s', time() + max(30, min(60, $ttlSeconds))); - $table = $db->real_escape_string($prefix . 'sso_tokens'); - - $stmt = $db->prepare( - "INSERT INTO `{$table}` - (`token_hash`, `user_id`, `source`, `destination`, `created_at`, `expires_at`, `nonce`, `originating_ip`, `user_agent_hash`, `return_path`) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)" - ); - if (!$stmt) { - return null; - } - - $ip = substr(gsp_sso_client_ip(), 0, 64); - $userAgentHash = gsp_sso_user_agent_hash(); - $returnPath = substr($returnPath, 0, 255); - $stmt->bind_param('sissssssss', $tokenHash, $userId, $source, $destination, $createdAt, $expiresAt, $nonce, $ip, $userAgentHash, $returnPath); - $ok = $stmt->execute(); - $stmt->close(); - - return $ok ? $token : null; -} - -function gsp_sso_validate_token(mysqli $db, string $prefix, string $token, string $destination): array -{ - if (!gsp_sso_is_secure_request()) { - return ['success' => false, 'error' => 'SSO requires HTTPS.']; - } - - if (preg_match('/^[A-Za-z0-9_-]{32,128}$/', $token) !== 1) { - return ['success' => false, 'error' => 'Invalid SSO token.']; - } - - gsp_sso_cleanup($db, $prefix); - - $tokenHash = gsp_sso_hash_token($token); - $table = $db->real_escape_string($prefix . 'sso_tokens'); - $stmt = $db->prepare("SELECT * FROM `{$table}` WHERE `token_hash` = ? LIMIT 1"); - if (!$stmt) { - return ['success' => false, 'error' => 'SSO is unavailable.']; - } - - $stmt->bind_param('s', $tokenHash); - $stmt->execute(); - $result = $stmt->get_result(); - $row = $result instanceof mysqli_result ? $result->fetch_assoc() : null; - $stmt->close(); - - if (!$row) { - return ['success' => false, 'error' => 'Invalid SSO token.']; - } - - if (!hash_equals((string)$row['token_hash'], $tokenHash)) { - return ['success' => false, 'error' => 'Invalid SSO token.']; - } - - if ((string)$row['destination'] !== $destination) { - return ['success' => false, 'error' => 'Invalid SSO destination.']; - } - - if (!empty($row['used_at'])) { - return ['success' => false, 'error' => 'This SSO link has already been used.']; - } - - if (strtotime((string)$row['expires_at'] . ' UTC') < time()) { - return ['success' => false, 'error' => 'This SSO link has expired.']; - } - - $currentAgentHash = gsp_sso_user_agent_hash(); - if (!empty($row['user_agent_hash']) && !hash_equals((string)$row['user_agent_hash'], $currentAgentHash)) { - return ['success' => false, 'error' => 'This SSO link is not valid for this browser.']; - } - - $usedAt = gmdate('Y-m-d H:i:s'); - $mark = $db->prepare("UPDATE `{$table}` SET `used_at` = ? WHERE `id` = ? AND `used_at` IS NULL"); - if (!$mark) { - return ['success' => false, 'error' => 'SSO is unavailable.']; - } - - $id = (int)$row['id']; - $mark->bind_param('si', $usedAt, $id); - $mark->execute(); - $updated = $mark->affected_rows === 1; - $mark->close(); - - if (!$updated) { - return ['success' => false, 'error' => 'This SSO link has already been used.']; - } - - return [ - 'success' => true, - 'user_id' => (int)$row['user_id'], - 'source' => (string)$row['source'], - 'destination' => (string)$row['destination'], - 'return_path' => (string)($row['return_path'] ?? ''), - ]; -} diff --git a/Panel/modules/administration/module.php b/Panel/modules/administration/module.php index fd63f9d1..144fd06c 100644 --- a/Panel/modules/administration/module.php +++ b/Panel/modules/administration/module.php @@ -63,24 +63,4 @@ $install_queries[1] = array( KEY `idx_logger_home` (`home_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1;"); -$install_queries[2] = array( -"CREATE TABLE IF NOT EXISTS `".OGP_DB_PREFIX."sso_tokens` -( - `id` INT UNSIGNED NOT NULL AUTO_INCREMENT, - `token_hash` CHAR(64) NOT NULL, - `user_id` INT(11) NOT NULL, - `source` VARCHAR(32) NOT NULL, - `destination` VARCHAR(32) NOT NULL, - `created_at` DATETIME NOT NULL, - `expires_at` DATETIME NOT NULL, - `used_at` DATETIME DEFAULT NULL, - `nonce` VARCHAR(64) NOT NULL, - `originating_ip` VARCHAR(64) DEFAULT NULL, - `user_agent_hash` CHAR(64) DEFAULT NULL, - `return_path` VARCHAR(255) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `uniq_sso_token_hash` (`token_hash`), - KEY `idx_sso_user_destination` (`user_id`, `destination`), - KEY `idx_sso_expires` (`expires_at`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;"); ?> diff --git a/Panel/modules/dashboard/dashboard.php b/Panel/modules/dashboard/dashboard.php index 55d62f4e..29b3ca5f 100644 --- a/Panel/modules/dashboard/dashboard.php +++ b/Panel/modules/dashboard/dashboard.php @@ -29,7 +29,7 @@ function exec_ogp_module() $projectRequestUrl = htmlspecialchars(gsp_project_request_url(), ENT_QUOTES, 'UTF-8'); $discordInviteUrl = htmlspecialchars(gsp_discord_invite_url(), ENT_QUOTES, 'UTF-8'); $serverStatusUrl = htmlspecialchars(gsp_server_status_url(), ENT_QUOTES, 'UTF-8'); - $orderAnotherUrl = htmlspecialchars(gsp_panel_to_website_sso_url('serverlist.php'), ENT_QUOTES, 'UTF-8'); + $orderAnotherUrl = htmlspecialchars(gsp_website_url('serverlist.php'), ENT_QUOTES, 'UTF-8'); $theme = isset($settings['theme']) ? $settings['theme'] : 'SimpleBootstrap'; $themeBase = 'themes/' . htmlspecialchars($theme, ENT_QUOTES, 'UTF-8') . '/images/icons/'; $cards = array( diff --git a/Panel/modules/website/README.md b/Panel/modules/website/README.md index 356f75d4..459f3fa4 100644 --- a/Panel/modules/website/README.md +++ b/Panel/modules/website/README.md @@ -15,6 +15,7 @@ This module is the public Gameservers.World sales and documentation website. Panel/modules/website/ index.php serverlist.php + cart.php docs.php login.php pricing.php @@ -34,6 +35,7 @@ Panel/modules/website/ pages/ home.php game_servers.php + cart.php documentation.php pricing.php locations.php @@ -72,22 +74,19 @@ Effects: - `serverlist.php` shows a clean fallback message instead of a fatal include error - shared navigation never crashes because billing config is missing -## Shared Accounts and SSO +## Shared Accounts The Panel user table is the identity source for the website. Website login checks the same `users` table and legacy Panel password hash format instead of creating a second password database. The website and Panel run on different parent domains, so PHP session cookies are -not shared. Authenticated navigation uses short-lived one-time SSO tokens stored -in `OGP_DB_PREFIXsso_tokens`: +not shared. SSO is deferred in the current implementation. Users can use the same +username and password on both sites, but the website and Panel keep separate +sessions. Control Panel and staff links point directly to the configured Panel URL. -- website to Panel: `Panel/modules/website/sso.php` creates a token and redirects to `Panel/sso.php` -- Panel to website: `Panel/sso.php` creates a token and redirects to `Panel/modules/website/sso.php` -- tokens are random, stored only as SHA-256 hashes, expire in 30-60 seconds, and are marked used after one successful validation -- passwords, password hashes, permanent API keys, and PHP session IDs are never placed in URLs - -Production SSO requires HTTPS. Localhost is allowed only for development testing. +`sso.php` endpoints are compatibility redirects only. They do not create tokens or +sessions. ## Ordering @@ -96,15 +95,16 @@ entry point: - `order.php?service_id=...` -That page validates `service_id` server-side against enabled catalog rows before -continuing. Logged-out customers are sent through `login.php` and returned to the -same service after successful login. The removed `billing/order.php` route is -obsolete and should not be used for customer-facing links. +That page validates `service_id` server-side against enabled catalog rows, then +lets anonymous visitors configure slots and location before adding the service to +the session cart. Login or registration is required only when the customer proceeds +to checkout. The removed `billing/order.php` route is obsolete and should not be +used for customer-facing links. -The website owns catalog display, login-return intent, pricing display, and -checkout entry. Payment approval and final server provisioning remain server-side -responsibilities; browser requests must not call private provisioning methods -directly. +The website owns catalog display, cart storage, checkout intent, pricing display, +and customer confirmation. Payment approval and final server provisioning remain +server-side responsibilities; browser requests must not call private provisioning +methods directly. ## Documentation source diff --git a/Panel/modules/website/cart.php b/Panel/modules/website/cart.php new file mode 100644 index 00000000..63b38ad7 --- /dev/null +++ b/Panel/modules/website/cart.php @@ -0,0 +1,58 @@ + 'cart', + 'pageTitle' => 'Cart - Gameservers.World', + 'metaDescription' => 'Review your Gameservers.World server cart before checkout.', + 'canonicalPath' => 'cart.php', + 'items' => website_cart_items(), + 'cartTotal' => website_cart_total(), + 'message' => $message, + 'error' => $error, + ] +); diff --git a/Panel/modules/website/config/config.example.php b/Panel/modules/website/config/config.example.php index 4e039b38..0cf745c9 100644 --- a/Panel/modules/website/config/config.example.php +++ b/Panel/modules/website/config/config.example.php @@ -19,7 +19,6 @@ return [ // Active panel URL. Do not point the public site at /panel/ unless that route is real. 'panel_url' => 'https://panel.iaregamer.com/', 'login_url' => 'https://panel.iaregamer.com/', - 'panel_sso_url' => 'https://panel.iaregamer.com/sso.php', 'company' => [ 'name' => 'Runlevel Systems', diff --git a/Panel/modules/website/includes/bootstrap.php b/Panel/modules/website/includes/bootstrap.php index 1ebe2064..35a3d1e8 100644 --- a/Panel/modules/website/includes/bootstrap.php +++ b/Panel/modules/website/includes/bootstrap.php @@ -3,9 +3,6 @@ declare(strict_types=1); require_once __DIR__ . '/paths.php'; -if (is_readable(WEBSITE_PANEL_INCLUDE_DIR . '/sso.php')) { - require_once WEBSITE_PANEL_INCLUDE_DIR . '/sso.php'; -} if (defined('GSP_WEBSITE_BOOTSTRAPPED')) { return; @@ -44,7 +41,6 @@ $websiteDefaults = [ 'billing_base_url' => '/billing', 'panel_url' => 'https://panel.iaregamer.com/', 'login_url' => 'https://panel.iaregamer.com/', - 'panel_sso_url' => 'https://panel.iaregamer.com/sso.php', 'company' => [ 'name' => 'Runlevel Systems', 'url' => 'https://runlevelsystems.com/', @@ -476,6 +472,9 @@ function website_authenticate_user(string $login, string $password): ?array if (!$user || !website_verify_panel_password($user, $password)) { return null; } + if ((string)($user['users_role'] ?? '') === 'banned') { + return null; + } return $user; } @@ -543,7 +542,7 @@ function website_log_activity(string $message, int $userId = 0, string $eventTyp } $safeTable = $db->real_escape_string($table); - $ip = substr((function_exists('gsp_sso_client_ip') ? gsp_sso_client_ip() : (string)($_SERVER['REMOTE_ADDR'] ?? '')), 0, 255); + $ip = substr((string)($_SERVER['REMOTE_ADDR'] ?? ''), 0, 255); $stmt = $db->prepare( "INSERT INTO `{$safeTable}` (`date`, `user_id`, `ip`, `message`, `source_type`, `category`, `event_type`, `severity`) VALUES (FROM_UNIXTIME(UNIX_TIMESTAMP(), '%d-%m-%Y %H:%i:%s'), ?, ?, ?, 'website', 'authentication', ?, 'info')" @@ -560,15 +559,16 @@ function website_log_activity(string $message, int $userId = 0, string $eventTyp function website_safe_return_path(string $returnPath, string $default = 'index.php'): string { - if (function_exists('gsp_sso_safe_return_path')) { - return gsp_sso_safe_return_path($returnPath, $default); - } - if ($returnPath === '' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $returnPath) === 1 || str_starts_with($returnPath, '//')) { return $default; } - return ltrim($returnPath, '/'); + $returnPath = ltrim($returnPath, '/'); + if (str_contains($returnPath, "\0") || str_starts_with($returnPath, '../') || str_contains($returnPath, '/../')) { + return $default; + } + + return $returnPath; } function website_login_url(string $returnPath = ''): string @@ -580,15 +580,9 @@ function website_login_url(string $returnPath = ''): string return website_url($path); } -function website_panel_sso_url(string $returnPath = 'home.php?m=dashboard&p=dashboard'): string -{ - $path = 'sso.php?destination=panel&return=' . rawurlencode(website_safe_return_path($returnPath, 'home.php?m=dashboard&p=dashboard')); - return website_url($path); -} - function website_control_panel_url(string $returnPath = 'home.php?m=dashboard&p=dashboard'): string { - return website_is_logged_in() ? website_panel_sso_url($returnPath) : website_login_url('panel'); + return panel_url(website_safe_return_path($returnPath, 'home.php?m=dashboard&p=dashboard')); } function website_order_url(int|string $serviceId): string @@ -596,6 +590,21 @@ function website_order_url(int|string $serviceId): string return website_url('order.php?service_id=' . rawurlencode((string)$serviceId)); } +function website_cart_url(): string +{ + return website_url('cart.php'); +} + +function website_checkout_url(): string +{ + return website_url('cart.php?checkout=1'); +} + +function website_register_url(string $returnPath = 'cart.php'): string +{ + return panel_url('index.php?m=register'); +} + function website_fetch_service_by_id(int $serviceId): ?array { $db = website_db(); @@ -638,6 +647,96 @@ function website_fetch_service_by_id(int $serviceId): ?array return $service; } +function website_service_name(array $service): string +{ + $name = trim((string)($service['cfg_game_name'] ?? '')); + if ($name === '') { + $name = trim((string)($service['service_name'] ?? '')); + } + return $name === '' ? 'Game Server' : $name; +} + +function website_service_min_slots(array $service): int +{ + foreach (['min_slots', 'minimum_slots', 'slots_min'] as $column) { + if (isset($service[$column]) && (int)$service[$column] > 0) { + return (int)$service[$column]; + } + } + + $pricing = website_config('pricing', []); + return max(1, (int)($pricing['standard_min_slots'] ?? 16)); +} + +function website_service_max_slots(array $service): int +{ + foreach (['max_slots', 'maximum_slots', 'slots_max', 'max_players'] as $column) { + if (isset($service[$column]) && (int)$service[$column] > 0) { + return (int)$service[$column]; + } + } + + return 0; +} + +function website_service_locations(array $service): array +{ + $raw = trim((string)($service['remote_server_id'] ?? '')); + if ($raw === '') { + return []; + } + + $locations = []; + foreach (preg_split('/\s*,\s*/', $raw) ?: [] as $remoteServerId) { + $remoteServerId = trim($remoteServerId); + if ($remoteServerId === '' || !ctype_digit($remoteServerId)) { + continue; + } + $locations[$remoteServerId] = 'Location ' . $remoteServerId; + } + + return $locations; +} + +function website_cart_items(): array +{ + website_start_session(); + return is_array($_SESSION['website_cart'] ?? null) ? $_SESSION['website_cart'] : []; +} + +function website_cart_count(): int +{ + return count(website_cart_items()); +} + +function website_cart_add(array $item): void +{ + website_start_session(); + if (!isset($_SESSION['website_cart']) || !is_array($_SESSION['website_cart'])) { + $_SESSION['website_cart'] = []; + } + + $key = bin2hex(random_bytes(8)); + $_SESSION['website_cart'][$key] = $item; +} + +function website_cart_remove(string $key): void +{ + website_start_session(); + if (isset($_SESSION['website_cart'][$key])) { + unset($_SESSION['website_cart'][$key]); + } +} + +function website_cart_total(): float +{ + $total = 0.0; + foreach (website_cart_items() as $item) { + $total += (float)($item['monthly_total'] ?? 0); + } + return $total; +} + function website_billing_docs_root(): ?string { if (is_dir(WEBSITE_BILLING_DOCS_DIR)) { diff --git a/Panel/modules/website/includes/footer.php b/Panel/modules/website/includes/footer.php index ea524c9f..55b40216 100644 --- a/Panel/modules/website/includes/footer.php +++ b/Panel/modules/website/includes/footer.php @@ -40,17 +40,20 @@ $currentUser = website_current_user();
  • My Account
  • Order a Server
  • Control Panel
    • -
  • My Servers
    • +
  • My Servers
    • +
  • Cart
  • Log Out
  • Account Login
    • +
  • Create Account
  • Order a Server
  • Control Panel
    • +
  • Cart
  • Server Guides
  • Request Custom Work
    • -
  • Staff Tools
    • +
  • Staff Tools
  • Discord
    • diff --git a/Panel/modules/website/includes/navigation.php b/Panel/modules/website/includes/navigation.php index 92bee582..9cdeff8c 100644 --- a/Panel/modules/website/includes/navigation.php +++ b/Panel/modules/website/includes/navigation.php @@ -3,6 +3,8 @@ declare(strict_types=1); $activePage = $activePage ?? ''; +$currentUser = website_current_user(); +$cartCount = website_cart_count(); $navLinks = [ ['key' => 'home', 'label' => 'Home', 'href' => website_url('index.php')], ['key' => 'servers', 'label' => 'Game Servers', 'href' => website_url('serverlist.php')], @@ -11,6 +13,15 @@ $navLinks = [ ['key' => 'locations', 'label' => 'Locations', 'href' => website_url('locations.php')], ['key' => 'support', 'label' => 'Support', 'href' => website_url('support.php')], ]; +if ($currentUser) { + $navLinks[] = ['key' => 'account', 'label' => 'My Account', 'href' => website_url('account.php')]; + $navLinks[] = ['key' => 'orders', 'label' => 'My Orders', 'href' => website_url('cart.php')]; + $navLinks[] = ['key' => 'servers_panel', 'label' => 'My Servers', 'href' => panel_url('home.php?m=gamemanager&p=game_monitor')]; +} else { + $navLinks[] = ['key' => 'account', 'label' => 'Login', 'href' => website_login_url()]; + $navLinks[] = ['key' => 'register', 'label' => 'Create Account', 'href' => website_register_url()]; +} +$navLinks[] = ['key' => 'cart', 'label' => 'Cart' . ($cartCount > 0 ? ' (' . $cartCount . ')' : ''), 'href' => website_cart_url()]; ?>
    @@ -40,6 +51,9 @@ $navLinks = [
    Custom Projects Control Panel + + Logout +
    diff --git a/Panel/modules/website/login.php b/Panel/modules/website/login.php index 9dc70ac7..c410f8be 100644 --- a/Panel/modules/website/login.php +++ b/Panel/modules/website/login.php @@ -9,7 +9,7 @@ $returnPath = website_safe_return_path((string)($_GET['return'] ?? $_POST['retur if (website_is_logged_in()) { if ($returnPath === 'panel') { - header('Location: ' . website_panel_sso_url(), true, 302); + header('Location: ' . website_control_panel_url(), true, 302); exit; } header('Location: ' . website_url($returnPath), true, 302); @@ -27,7 +27,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { unset($_SESSION['website_login_return']); if ($returnPath === 'panel') { - header('Location: ' . website_panel_sso_url(), true, 302); + header('Location: ' . website_control_panel_url(), true, 302); exit; } diff --git a/Panel/modules/website/order.php b/Panel/modules/website/order.php index 954c8b59..87a01a76 100644 --- a/Panel/modules/website/order.php +++ b/Panel/modules/website/order.php @@ -6,6 +6,7 @@ require_once __DIR__ . '/includes/bootstrap.php'; $serviceId = filter_input(INPUT_GET, 'service_id', FILTER_VALIDATE_INT); $service = $serviceId ? website_fetch_service_by_id((int)$serviceId) : null; +$error = ''; if (!$service) { website_log_activity('Invalid or unavailable service_id requested from website order flow', (int)($_SESSION['website_user_id'] ?? 0), 'invalid_service'); @@ -23,14 +24,45 @@ if (!$service) { exit; } -if (!website_is_logged_in()) { - $_SESSION['website_pending_order_service_id'] = (int)$service['service_id']; - $_SESSION['website_login_return'] = 'order.php?service_id=' . (int)$service['service_id']; - header('Location: ' . website_login_url('order.php?service_id=' . (int)$service['service_id']), true, 302); - exit; +$locations = website_service_locations($service); +$minSlots = website_service_min_slots($service); +$maxSlots = website_service_max_slots($service); + +if ($_SERVER['REQUEST_METHOD'] === 'POST') { + $slots = filter_input(INPUT_POST, 'slots', FILTER_VALIDATE_INT); + $locationId = trim((string)($_POST['location_id'] ?? '')); + $durationMonths = filter_input(INPUT_POST, 'duration_months', FILTER_VALIDATE_INT); + + if ($slots === false || $slots === null || $slots < $minSlots) { + $error = 'Select at least ' . $minSlots . ' slots for this service.'; + } elseif ($maxSlots > 0 && $slots > $maxSlots) { + $error = 'This service supports a maximum of ' . $maxSlots . ' slots.'; + } elseif (empty($locations) || !array_key_exists($locationId, $locations)) { + $error = 'Select an available location for this service.'; + } elseif (!in_array((int)$durationMonths, [1, 3, 6, 12], true)) { + $error = 'Select a valid billing duration.'; + } else { + $priceMonthly = (float)($service['price_monthly'] ?? 0); + $monthlyTotal = $priceMonthly > 0 ? $priceMonthly : 0.0; + website_cart_add([ + 'service_id' => (int)$service['service_id'], + 'service_name' => website_service_name($service), + 'slots' => (int)$slots, + 'location_id' => $locationId, + 'location_name' => $locations[$locationId], + 'duration_months' => (int)$durationMonths, + 'price_monthly' => $priceMonthly, + 'monthly_total' => $monthlyTotal, + 'added_at' => time(), + ]); + + website_log_activity('Website cart item added for service_id ' . (int)$service['service_id'], (int)($_SESSION['website_user_id'] ?? 0), 'cart_item_added'); + header('Location: ' . website_cart_url(), true, 302); + exit; + } } -website_log_activity('Website order flow started for service_id ' . (int)$service['service_id'], (int)$_SESSION['website_user_id'], 'order_started'); +website_log_activity('Website order flow opened for service_id ' . (int)$service['service_id'], (int)($_SESSION['website_user_id'] ?? 0), 'order_started'); website_render( 'order.php', [ @@ -39,6 +71,9 @@ website_render( 'metaDescription' => 'Configure your Gameservers.World game server order.', 'canonicalPath' => 'order.php', 'service' => $service, - 'error' => null, + 'error' => $error, + 'locations' => $locations, + 'minSlots' => $minSlots, + 'maxSlots' => $maxSlots, ] ); diff --git a/Panel/modules/website/pages/account.php b/Panel/modules/website/pages/account.php index b487181b..0de2e10a 100644 --- a/Panel/modules/website/pages/account.php +++ b/Panel/modules/website/pages/account.php @@ -19,7 +19,7 @@ $isStaff = website_current_user_is_staff();

    My Servers

    Open the GSP control panel to manage assigned game servers, files, logs, updates, backups, and server state.

    - Open My Servers + Open My Servers
    @@ -42,7 +42,7 @@ $isStaff = website_current_user_is_staff();

    Staff Access

    Staff links are shown only after account role checks. Server-side authorization still applies inside the Panel.

    - Panel Administration + Panel Administration
    diff --git a/Panel/modules/website/pages/cart.php b/Panel/modules/website/pages/cart.php new file mode 100644 index 00000000..76ddf742 --- /dev/null +++ b/Panel/modules/website/pages/cart.php @@ -0,0 +1,66 @@ + +
    +
    +

    Cart

    +

    Review selected server packages. You can configure and add servers before logging in; login or account creation is required when you proceed to checkout.

    +
    +
    + +
    +
    + +
    + + +
    + + + +
    +

    Your cart is empty

    +

    Browse the catalog to choose a game server, slots, and location.

    +
    + View Game Servers +
    +
    + +
    + $item): ?> +
    +

    +

    Service ID:

    +

    Slots:

    +

    Location:

    +

    Billing duration: month(s)

    +

    0) ? '$' . website_escape(number_format((float)$item['monthly_total'], 2)) . ' / month' : 'Contact for pricing' ?>

    +
    + + + +
    +
    + +
    + +
    +

    Checkout

    +

    Estimated monthly total: 0 ? '$' . website_escape(number_format((float)$cartTotal, 2)) : 'Contact for pricing' ?>

    +

    Prices and service availability are revalidated server-side before payment or provisioning. Adding an item to the cart does not create a running server.

    +
    +
    + + +
    + + Log In + Create Account + + Continue Shopping +
    +
    + +
    +
    diff --git a/Panel/modules/website/pages/login.php b/Panel/modules/website/pages/login.php index c320ae23..a85d4a21 100644 --- a/Panel/modules/website/pages/login.php +++ b/Panel/modules/website/pages/login.php @@ -22,6 +22,7 @@ declare(strict_types=1); -

    After login, Control Panel and server-management links use a short-lived one-time SSO handoff. Passwords and PHP session IDs are never passed between domains.

    +

    Gameservers.World and the GSP Panel use the same account credentials, but they keep separate secure sessions. You may be asked to log in separately when opening the Panel.

    +

    Need an account? Create one through the GSP Panel registration page.

    diff --git a/Panel/modules/website/pages/order.php b/Panel/modules/website/pages/order.php index c6657d0a..281b2bdc 100644 --- a/Panel/modules/website/pages/order.php +++ b/Panel/modules/website/pages/order.php @@ -25,18 +25,20 @@ endif; $serviceName = trim((string)($service['cfg_game_name'] ?? $service['service_name'] ?? 'Game Server')); $description = trim((string)($service['description'] ?? '')); $price = (float)($service['price_monthly'] ?? 0); -$minSlots = (int)($service['min_slots'] ?? $service['minimum_slots'] ?? website_config('pricing', [])['standard_min_slots'] ?? 16); -$maxSlots = (int)($service['max_slots'] ?? $service['maximum_slots'] ?? 0); +$selectedSlots = max((int)$minSlots, (int)($_POST['slots'] ?? $minSlots)); ?>

    Configure

    -

    +

    + +
    +

    Plan

    @@ -52,16 +54,35 @@ $maxSlots = (int)($service['max_slots'] ?? $service['maximum_slots'] ?? 0);

    Checkout boundary

    -

    This website validates the catalog service and keeps your shared account identity. Payment and final provisioning must complete server-side before the Panel creates a running game server.

    +

    You can add this server to your cart before logging in. Payment and final provisioning must complete server-side before the Panel creates a running game server.

    The legacy billing/order.php route is no longer used.

    -
    - Checkout/payment handlers are not present in this repository checkout. Contact support to complete this order or connect the active payment module before enabling public checkout. -
    -
    - Contact Support - Back to Catalog -
    + +
    +

    Server configuration

    + + 0 ? ' max="' . website_escape((string)$maxSlots) . '"' : '' ?> value="" required> + + + + + + + +

    The website stores this selection in your cart and revalidates service, slots, location, and price during checkout.

    +
    + + Back to Catalog +
    +
    diff --git a/Panel/modules/website/sso.php b/Panel/modules/website/sso.php index 1ab69c68..4cf716a5 100644 --- a/Panel/modules/website/sso.php +++ b/Panel/modules/website/sso.php @@ -4,78 +4,15 @@ declare(strict_types=1); require_once __DIR__ . '/includes/bootstrap.php'; -$db = website_db(); -$prefix = website_table_prefix(); +$destination = trim((string)($_GET['destination'] ?? 'panel')); +$returnPath = website_safe_return_path((string)($_GET['return'] ?? ''), 'home.php?m=dashboard&p=dashboard'); -if (!$db instanceof mysqli || $prefix === '') { - http_response_code(503); - echo 'SSO is temporarily unavailable.'; +website_log_activity('Deprecated website SSO endpoint redirected to direct login/navigation', (int)($_SESSION['website_user_id'] ?? 0), 'sso_deprecated_redirect'); + +if ($destination === 'panel') { + header('Location: ' . panel_url($returnPath), true, 302); exit; } -$token = trim((string)($_GET['token'] ?? '')); -if ($token !== '') { - if (!function_exists('gsp_sso_validate_token')) { - http_response_code(503); - echo 'SSO is not configured.'; - exit; - } - - $validation = gsp_sso_validate_token($db, $prefix, $token, 'website'); - if (empty($validation['success'])) { - website_log_activity('Website SSO failed: ' . (string)$validation['error'], 0, 'sso_failure'); - http_response_code(403); - echo website_escape((string)$validation['error']); - exit; - } - - $user = website_panel_user_by_id((int)$validation['user_id']); - if (!$user) { - http_response_code(403); - echo 'SSO user is no longer available.'; - exit; - } - - website_set_user_session($user); - website_log_activity('Website SSO login succeeded for ' . (string)$user['users_login'], (int)$user['user_id'], 'sso_success'); - $returnPath = website_safe_return_path((string)$validation['return_path'], 'index.php'); - header('Location: ' . website_url($returnPath), true, 302); - exit; -} - -$destination = trim((string)($_GET['destination'] ?? '')); -if ($destination !== 'panel') { - http_response_code(400); - echo 'Invalid SSO destination.'; - exit; -} - -$user = website_current_user(); -if (!$user) { - $_SESSION['website_login_return'] = 'panel'; - header('Location: ' . website_login_url('panel'), true, 302); - exit; -} - -if (!function_exists('gsp_sso_create_token')) { - http_response_code(503); - echo 'SSO is not configured.'; - exit; -} - -$returnPath = website_safe_return_path((string)($_GET['return'] ?? 'home.php?m=dashboard&p=dashboard'), 'home.php?m=dashboard&p=dashboard'); -$newToken = gsp_sso_create_token($db, $prefix, (int)$user['user_id'], 'website', 'panel', $returnPath, 60); -if ($newToken === null) { - http_response_code(403); - echo 'SSO requires HTTPS.'; - exit; -} - -website_log_activity('Website-to-panel SSO token created', (int)$user['user_id'], 'sso_token_created'); -$panelSsoUrl = trim((string)website_config('panel_sso_url', '')); -if ($panelSsoUrl === '') { - $panelSsoUrl = panel_url('sso.php'); -} - -header('Location: ' . $panelSsoUrl . '?token=' . rawurlencode($newToken), true, 302); +header('Location: ' . website_url('index.php'), true, 302); exit; diff --git a/Panel/sso.php b/Panel/sso.php index 66cadf37..8f5e2767 100644 --- a/Panel/sso.php +++ b/Panel/sso.php @@ -3,139 +3,19 @@ declare(strict_types=1); require_once __DIR__ . '/includes/functions.php'; -require_once __DIR__ . '/includes/helpers.php'; -require_once __DIR__ . '/includes/html_functions.php'; -require_once __DIR__ . '/includes/sso.php'; -startSession(); +$destination = trim((string)($_GET['destination'] ?? '')); +$returnPath = trim((string)($_GET['return'] ?? 'serverlist.php')); -define('CONFIG_FILE', __DIR__ . '/includes/config.inc.php'); -require_once CONFIG_FILE; - -$mysqli = @mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null); -if (!$mysqli instanceof mysqli) { - http_response_code(503); - echo 'SSO is temporarily unavailable.'; - exit; -} -@mysqli_set_charset($mysqli, 'utf8mb4'); - -$prefix = (string)$table_prefix; -$panelReturnDefault = 'home.php?m=dashboard&p=dashboard'; -$websiteBase = function_exists('gsp_website_url') ? gsp_website_url() : 'https://gameservers.world/'; - -function gsp_panel_sso_user(mysqli $db, string $prefix, int $userId): ?array -{ - $table = $db->real_escape_string($prefix . 'users'); - $stmt = $db->prepare("SELECT * FROM `{$table}` WHERE `user_id` = ? LIMIT 1"); - if (!$stmt) { - return null; - } - $stmt->bind_param('i', $userId); - $stmt->execute(); - $result = $stmt->get_result(); - $user = $result instanceof mysqli_result ? $result->fetch_assoc() : null; - $stmt->close(); - return is_array($user) ? $user : null; +$returnPath = ltrim($returnPath, '/'); +if ($returnPath === '' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $returnPath) === 1 || str_starts_with($returnPath, '//') || str_contains($returnPath, "\0") || str_starts_with($returnPath, '../') || str_contains($returnPath, '/../')) { + $returnPath = 'serverlist.php'; } -function gsp_panel_sso_api_token(mysqli $db, string $prefix, int $userId): string -{ - $table = $db->real_escape_string($prefix . 'api_tokens'); - $db->query( - "CREATE TABLE IF NOT EXISTS `{$table}` ( - `user_id` int(11) NOT NULL, - `token` varchar(64) NOT NULL, - PRIMARY KEY (`user_id`), - UNIQUE KEY `user_id` (`user_id`) - ) ENGINE=MyISAM DEFAULT CHARSET=latin1" - ); - - $stmt = $db->prepare("SELECT `token` FROM `{$table}` WHERE `user_id` = ? LIMIT 1"); - if ($stmt) { - $stmt->bind_param('i', $userId); - $stmt->execute(); - $result = $stmt->get_result(); - $row = $result instanceof mysqli_result ? $result->fetch_assoc() : null; - $stmt->close(); - if (is_array($row) && !empty($row['token'])) { - return (string)$row['token']; - } - } - - $token = bin2hex(random_bytes(32)); - $insert = $db->prepare("INSERT INTO `{$table}` (`user_id`, `token`) VALUES (?, ?) ON DUPLICATE KEY UPDATE `token` = VALUES(`token`)"); - if ($insert) { - $insert->bind_param('is', $userId, $token); - $insert->execute(); - $insert->close(); - } - - return $token; -} - -function gsp_panel_sso_log(mysqli $db, string $prefix, int $userId, string $message): void -{ - $table = $db->real_escape_string($prefix . 'logger'); - $ip = $db->real_escape_string(gsp_sso_client_ip()); - $message = $db->real_escape_string(substr($message, 0, 1000)); - $db->query( - "INSERT INTO `{$table}` (`date`, `user_id`, `ip`, `message`, `source_type`, `category`, `event_type`, `severity`) - VALUES (FROM_UNIXTIME(UNIX_TIMESTAMP(), '%d-%m-%Y %H:%i:%s'), {$userId}, '{$ip}', '{$message}', 'sso', 'authentication', 'sso', 'info')" - ); -} - -$token = trim((string)($_GET['token'] ?? '')); -if ($token !== '') { - $validation = gsp_sso_validate_token($mysqli, $prefix, $token, 'panel'); - if (empty($validation['success'])) { - http_response_code(403); - echo htmlspecialchars((string)$validation['error'], ENT_QUOTES, 'UTF-8'); - exit; - } - - $user = gsp_panel_sso_user($mysqli, $prefix, (int)$validation['user_id']); - if (!$user) { - http_response_code(403); - echo 'SSO user is no longer available.'; - exit; - } - - session_regenerate_id(true); - $_SESSION['user_id'] = $user['user_id']; - $_SESSION['users_login'] = $user['users_login']; - $_SESSION['users_passwd'] = $user['users_passwd']; - $_SESSION['users_group'] = $user['users_role']; - $_SESSION['users_lang'] = $user['users_lang']; - $_SESSION['users_theme'] = $user['users_theme']; - $_SESSION['users_api_key'] = gsp_panel_sso_api_token($mysqli, $prefix, (int)$user['user_id']); - - gsp_panel_sso_log($mysqli, $prefix, (int)$user['user_id'], 'Panel SSO login succeeded for ' . $user['users_login']); - $returnPath = gsp_sso_safe_return_path((string)$validation['return_path'], $panelReturnDefault); - header('Location: ' . $returnPath, true, 302); +if ($destination === 'website') { + header('Location: ' . gsp_website_url($returnPath), true, 302); exit; } -$destination = trim((string)($_GET['destination'] ?? 'website')); -if ($destination !== 'website') { - http_response_code(400); - echo 'Invalid SSO destination.'; - exit; -} - -if (empty($_SESSION['user_id'])) { - header('Location: index.php', true, 302); - exit; -} - -$returnPath = gsp_sso_safe_return_path((string)($_GET['return'] ?? 'serverlist.php'), 'serverlist.php'); -$newToken = gsp_sso_create_token($mysqli, $prefix, (int)$_SESSION['user_id'], 'panel', 'website', $returnPath, 60); -if ($newToken === null) { - http_response_code(403); - echo 'SSO requires HTTPS.'; - exit; -} - -gsp_panel_sso_log($mysqli, $prefix, (int)$_SESSION['user_id'], 'Panel-to-website SSO token created'); -header('Location: ' . rtrim($websiteBase, '/') . '/sso.php?token=' . rawurlencode($newToken), true, 302); +header('Location: index.php', true, 302); exit; diff --git a/docs/architecture/API_REFERENCE.md b/docs/architecture/API_REFERENCE.md index 9e1ec448..452d8700 100644 --- a/docs/architecture/API_REFERENCE.md +++ b/docs/architecture/API_REFERENCE.md @@ -40,9 +40,9 @@ public node status website account/order entry -> Panel/modules/website/login.php - -> Panel/modules/website/sso.php and Panel/sso.php + -> Panel/modules/website/sso.php and Panel/sso.php compatibility redirects -> Panel/modules/website/order.php - -> shared users table and one-time SSO token table + -> shared users table, separate website and Panel sessions ``` ## Panel -> Agent XML-RPC @@ -168,14 +168,15 @@ Return shape: - `mem_percent` - `disk_percent` -## Website Account, SSO, And Order Entry +## Website Account And Order Entry | Endpoint | Purpose | Auth / Verification | |---|---|---| | `Panel/modules/website/login.php` | create website session from shared Panel user database | username/password checked against Panel hash format | -| `Panel/modules/website/sso.php` | website SSO endpoint | website session or one-time SSO token | -| `Panel/sso.php` | Panel SSO endpoint | Panel session or one-time SSO token | -| `Panel/modules/website/order.php` | validate `service_id` and start order intent | website session for continuation | +| `Panel/modules/website/sso.php` | compatibility redirect for old SSO links | no token/session creation | +| `Panel/sso.php` | compatibility redirect for old SSO links | no token/session creation | +| `Panel/modules/website/order.php` | validate `service_id`, slots, and location before adding to cart | anonymous website session | +| `Panel/modules/website/cart.php` | review cart and require login only at checkout | anonymous website session; website login for checkout | The old `Website/api/*` and `Website/webhook.php` checkout compatibility files are not present in this checkout. Payment processing must be reconnected and documented before public checkout is enabled. diff --git a/docs/features/USER_API.md b/docs/features/USER_API.md index 8e0a91b5..7a82f379 100644 --- a/docs/features/USER_API.md +++ b/docs/features/USER_API.md @@ -120,21 +120,20 @@ The scheduler does not call agents directly at runtime. It stores cron lines on This makes `ogp_api.php` part of the internal scheduler runtime contract. -## Website Account, SSO, And Order Entry +## Website Account And Order Entry | Endpoint | Auth | Purpose | Parameters | Returns | |---|---|---|---|---| | `Panel/modules/website/login.php` | Panel user credentials | create a website session against the shared Panel user table | username/password form | website session and redirect | | `Panel/modules/website/logout.php` | website session | destroy website session | none | redirect to website home | -| `Panel/modules/website/sso.php?destination=panel` | website session | create a one-time token for Panel login | optional trusted return path | redirect to `Panel/sso.php` | -| `Panel/sso.php?token=...` | one-time SSO token | create normal Panel session | token | redirect to Panel page | -| `Panel/sso.php?destination=website` | Panel session | create a one-time token for website login | optional trusted return path | redirect to website SSO endpoint | -| `Panel/modules/website/sso.php?token=...` | one-time SSO token | create website session | token | redirect to website page | -| `Panel/modules/website/order.php` | website session for checkout continuation | validate catalog service and start order intent | `service_id` | order page or login redirect | +| `Panel/modules/website/sso.php` | none | compatibility redirect for old SSO links | safe `destination` / `return` values | direct website or Panel redirect | +| `Panel/sso.php` | none | compatibility redirect for old Panel-to-website SSO links | safe `destination` / `return` values | direct website or Panel redirect | +| `Panel/modules/website/order.php` | anonymous website session | validate catalog service and configure order intent | `service_id`, slots/location POST | order page or cart redirect | +| `Panel/modules/website/cart.php` | anonymous website session; website login required only for checkout | review cart and begin checkout intent | cart actions | cart page or login redirect | -SSO tokens are stored in `OGP_DB_PREFIXsso_tokens` as SHA-256 hashes, expire in 30-60 seconds, and are marked used after successful validation. Tokens never contain passwords, password hashes, permanent API keys, or PHP session IDs. +SSO is deferred in the current implementation because `gameservers.world` and `panel.iaregamer.com` cannot share one PHP session cookie. Users can use the same Panel-backed credentials on both sites, but website and Panel sessions are separate. -The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Website/api/log_error.php`, and `Website/webhook.php` compatibility files are not present in this repository checkout. Until an active payment runtime is connected, the website order page validates service intent and sends customers to support rather than claiming checkout is complete. +The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Website/api/log_error.php`, and `Website/webhook.php` compatibility files are not present in this repository checkout. Until an active payment runtime is connected, the website cart preserves validated order intent and displays a friendly checkout-unavailable message rather than claiming checkout is complete. ### Webhooks @@ -149,7 +148,7 @@ The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Websit | token auth | `Panel/ogp_api.php` | | host allowlist | `api_authorized.hosts`, `api_authorized.fwd_hosts`, `settings/api_hosts.php` | | role / ownership checks | inside `api_*` handlers in `ogp_api.php` | -| one-time SSO token hash storage | `OGP_DB_PREFIXsso_tokens` | +| website session cart | `$_SESSION['website_cart']` | ## Search Coverage Used For This Document diff --git a/docs/modules/billing.md b/docs/modules/billing.md index f6fa08f6..132b1d7e 100644 --- a/docs/modules/billing.md +++ b/docs/modules/billing.md @@ -42,11 +42,11 @@ Commercial billing, provisioning, invoices, orders, transactions, coupons, and p ## Website Ordering Boundary -The active Gameservers.World website no longer links customers to `billing/order.php`. The public catalog uses `Panel/modules/website/order.php?service_id=...` as the order entry point. That page validates the enabled service server-side and sends logged-out users through website login before returning them to the intended service. +The active Gameservers.World website no longer links customers to `billing/order.php`. The public catalog uses `Panel/modules/website/order.php?service_id=...` as the order entry point. That page validates the enabled service server-side and allows anonymous visitors to configure slots/location and add the package to the website session cart. Payment approval and final provisioning remain server-side responsibilities. The browser must not call private provisioning methods directly, and prices must be read from server-side catalog data rather than query parameters. -In this repository checkout the historical `Panel/modules/billing` runtime is not present, although billing tables and integration references remain. The website order page therefore stops at validated order intent and support handoff until the active checkout/payment runtime is connected. +In this repository checkout the historical `Panel/modules/billing` runtime is not present, although billing tables and integration references remain. The website cart therefore stops at validated order intent and a friendly checkout-unavailable message until the active checkout/payment runtime is connected. ## Admin Workflow diff --git a/docs/modules/website.md b/docs/modules/website.md index 911e4b57..ec16f2df 100644 --- a/docs/modules/website.md +++ b/docs/modules/website.md @@ -35,24 +35,15 @@ The website module centralizes these helpers in `includes/bootstrap.php`: The website does not include the billing config loader directly. It reads panel or billing DB values safely, uses them only when needed, and avoids public fatal errors tied to missing config files. -## Shared Accounts and SSO +## Shared Accounts The website uses the Panel `users` table as the account source of truth. A customer has the same `user_id` on Gameservers.World, the GSP Panel, support, billing, and server orders. Website login verifies credentials against the existing Panel password hash format. This preserves current Panel login behavior and avoids a second website password database. -`gameservers.world` and `panel.iaregamer.com` cannot share a normal PHP session cookie because they are unrelated parent domains. The bridge is a one-time SSO token: +`gameservers.world` and `panel.iaregamer.com` cannot share a normal PHP session cookie because they are unrelated parent domains. SSO is deferred for this phase. The website and Panel keep separate sessions, and users may log in separately on both sites with the same credentials. Passwords, password hashes, PHP session IDs, and authentication tokens are never passed in URLs. -- website to Panel: `Panel/modules/website/sso.php` creates a token and redirects to `Panel/sso.php` -- Panel to website: `Panel/sso.php` creates a token and redirects back to `Panel/modules/website/sso.php` -- table: `OGP_DB_PREFIXsso_tokens` -- lifetime: 30-60 seconds -- storage: SHA-256 token hash only -- reuse: rejected after `used_at` is set -- URL contents: token only, never passwords, password hashes, API keys, or PHP session IDs -- HTTPS is required in production - -Expired tokens are cleaned opportunistically when SSO is used. The administration module also creates the table for fresh installs. +`Panel/modules/website/sso.php` and `Panel/sso.php` are retained only as compatibility redirects for old links. Active navigation must not depend on them. ## Ordering @@ -62,11 +53,13 @@ The current public catalog route is `serverlist.php`. Customer-facing Order butt The old `billing/order.php` route is obsolete in this repository layout and must not be used for active Gameservers.World links. -`order.php` validates the requested `service_id` server-side against enabled catalog records before allowing the customer to continue. Logged-out customers have the intended order path stored in the website session, are sent to `login.php`, and return to the same service after successful login. +`order.php` validates the requested `service_id` server-side against enabled catalog records before allowing the customer to continue. Anonymous visitors can configure slots and location, add the server package to the session cart, and review the cart before login. -The website owns catalog display, order intent, login-return behavior, checkout entry, and customer confirmation. The Panel owns final provisioning, server assignment to the shared `user_id`, game-home creation, agent handoff, and provisioning state. Public browser requests must not call private provisioning methods directly. +Login or registration is required only at checkout. The cart is stored in the website session and remains available through website login session regeneration. Panel registration is currently linked directly until a website-native registration form is restored. -Checkout/payment handlers are not present in this repository checkout. Until the active payment runtime is connected, `order.php` validates the selected service and sends the customer to support instead of pretending payment or provisioning is available. +The website owns catalog display, cart storage, order intent, login-return behavior, checkout entry, and customer confirmation. The Panel owns final provisioning, server assignment to the shared `user_id`, game-home creation, agent handoff, and provisioning state. Public browser requests must not call private provisioning methods directly. + +Checkout/payment handlers are not present in this repository checkout. Until the active payment runtime is connected, `cart.php` preserves the validated cart and shows a friendly checkout-unavailable message instead of pretending payment or provisioning is available. ## Navigation @@ -76,7 +69,7 @@ Website footer account links are state-aware: - logged in: `My Account`, `Order a Server`, `Control Panel`, `My Servers`, `Log Out` - staff-only links appear only for Panel admin users and still rely on Panel authorization server-side -The website Control Panel button sends logged-in users through website-to-Panel SSO. Logged-out users go through website login first. The Panel dashboard `Order Another Server` link sends logged-in Panel users through Panel-to-website SSO. +The website main navigation also includes visible `Login`, `Create Account`, and `Cart` entries when appropriate. Control Panel, My Servers, and staff administration links point directly to the configured Panel domain. The Panel dashboard `Order Another Server` link points directly to the website catalog. ## Deployment @@ -101,6 +94,7 @@ Recommended: - `login.php` - `account.php` - `order.php` +- `cart.php` - `sso.php` ## Pricing and Platform Reference