From 834ec56a4c9a8972d14c8021fdf8f282216efae4 Mon Sep 17 00:00:00 2001
From: iaretechnician
Date: Fri, 5 Dec 2025 15:19:10 -0500
Subject: [PATCH] fix login

---
 modules/billing/includes/panel_bridge.php | 8 ++++++++
 modules/billing/login.php | 14 --------------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/modules/billing/includes/panel_bridge.php b/modules/billing/includes/panel_bridge.php
index 730bdd37..1dc1c569 100644
--- a/modules/billing/includes/panel_bridge.php
+++ b/modules/billing/includes/panel_bridge.php
@@ -24,6 +24,14 @@ if (!function_exists('billing_panel_bootstrap')) {
 return null;
 }
 
+ // When storefront runs from modules/billing/_website, $root points to modules/.
+ // Adjust path so panel includes resolve from the repository root, not modules/.
+ if (is_dir($root . '/modules') && is_dir($root . '/includes')) {
+ // already at repo root
+ } elseif (is_dir(dirname($root) . '/includes')) {
+ $root = dirname($root);
+ }
+
 // Define panel constants if they are not already defined (panel runtime does this for us).
 if (!defined('INCLUDES')) {
 define('INCLUDES', 'includes/');
diff --git a/modules/billing/login.php b/modules/billing/login.php
index 6d64b852..2653a12b 100644
--- a/modules/billing/login.php
+++ b/modules/billing/login.php
@@ -73,7 +73,6 @@ $debug_messages = [];
 
 // Process login form submission: simplified for debugging
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- $debug_messages[] = 'login handler hit; POST keys: ' . implode(', ', array_keys($_POST));
 $username = trim($_POST['ulogin'] ?? '');
 $password = $_POST['upassword'] ?? '';
 if ($username === '' || $password === '') {
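Review bot: The `elseif` in the panel_bridge.php hunk accepts the parent directory as the new `$root` on a weaker test than the first branch uses: it checks only `dirname($root) . '/includes'`, while the "already at repo root" case requires both `/modules` and `/includes`. Because the adjusted `$root` is what the panel includes are resolved from, a parent that merely happens to contain an `includes/` directory would be accepted as the repository root. Requiring both markers keeps the two tests symmetric: `} elseif (is_dir(dirname($root) . '/modules') && is_dir(dirname($root) . '/includes')) {`. The empty first branch could also be dropped by negating its condition. How `$root` is computed and later used lies outside the hunk, so the impact is inferred from the added comment.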
@@ -83,10 +82,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 } else {
 $safe = mysqli_real_escape_string($db, $username);
 $sql = "SELECT * FROM {$table_prefix}users WHERE users_login = '$safe' LIMIT 1";
- $debug_messages[] = 'SQL: ' . $sql;
 $res = mysqli_query($db, $sql);
 if ($res && mysqli_num_rows($res) === 1) {
- $debug_messages[] = 'user row located in panel DB';
 $row = mysqli_fetch_assoc($res);
 $userId = intval($row['user_id']);
 $legacyHash = $row['users_passwd'] ?? '';
@@ -94,11 +91,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 $authOk = false;
 if (!empty($modernHash) && function_exists('password_verify')) {
 $authOk = password_verify($password, $modernHash);
- $debug_messages[] = 'password_verify ' . ($authOk ? 'accepted hash' : 'rejected hash');
 }
 if (!$authOk && !empty($legacyHash)) {
 $authOk = (md5($password) === $legacyHash);
- $debug_messages[] = 'md5 fallback ' . ($authOk ? 'matched legacy' : 'did not match');
 if ($authOk && function_exists('password_hash')) {
 $newHash = password_hash($password, PASSWORD_DEFAULT);
 $escapedHash = mysqli_real_escape_string($db, $newHash);
@@ -106,7 +101,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 }
 }
 if ($authOk) {
- $debug_messages[] = 'authOk true; session variables being set';
 session_regenerate_id(true);
 $_SESSION['user_id'] = $userId;
 $_SESSION['users_login'] = $row['users_login'] ?? $username;
@@ -122,10 +116,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 $panelCtx = billing_panel_bootstrap();
 if ($panelCtx && isset($panelCtx['db']) && $panelCtx['db'] instanceof OGPDatabase) {
 $_SESSION['users_api_key'] = $panelCtx['db']->getApiToken($userId);
- $debug_messages[] = 'panel bridge pulled api token';
 } else {
 $_SESSION['users_api_key'] = $_SESSION['users_api_key'] ?? '';
- $debug_messages[] = 'panel bridge unavailable';
 }
 site_log_info('login_success', ['username'=>$username, 'ip'=>$_SERVER['REMOTE_ADDR'] ?? '']);
 $returnToParam = $_POST['return_to'] ?? '';
@@ -136,11 +128,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 header('Location: ' . $destination);
 exit();
 }
- $debug_messages[] = 'authentication failed for provided password';
 }
 $error_message = 'Invalid username or password.';
 site_log_warn('login_failed_invalid_credentials', ['username'=>$username, 'ip'=>$_SERVER['REMOTE_ADDR'] ?? '']);
- $debug_messages[] = 'no matching user row or auth failure';
 }
 }
 
@@ -315,10 +305,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- -
Debug: -
-