fixed missing login and billing pages
This commit is contained in:
parent
28533be24d
commit
dbecad8606
755 changed files with 1205 additions and 106715 deletions
|
|
@ -38,10 +38,11 @@ public node status
|
|||
-> Panel/status_api.php
|
||||
-> direct remote host probe + optional agent stats
|
||||
|
||||
website checkout/webhook
|
||||
-> Website/api/* or Website/webhook.php
|
||||
-> billing runtime
|
||||
-> DB and payment gateway APIs
|
||||
website account/order entry
|
||||
-> Panel/modules/website/login.php
|
||||
-> Panel/modules/website/sso.php and Panel/sso.php
|
||||
-> Panel/modules/website/order.php
|
||||
-> shared users table and one-time SSO token table
|
||||
```
|
||||
|
||||
## Panel -> Agent XML-RPC
|
||||
|
|
@ -167,15 +168,16 @@ Return shape:
|
|||
- `mem_percent`
|
||||
- `disk_percent`
|
||||
|
||||
## Website API And Webhooks
|
||||
## Website Account, SSO, And Order Entry
|
||||
|
||||
| Endpoint | Purpose | Auth / Verification |
|
||||
|---|---|---|
|
||||
| `Website/api/create_order.php` | create PayPal order | storefront checkout/session context |
|
||||
| `Website/api/capture_order.php` | capture PayPal order | storefront checkout/session context |
|
||||
| `Website/api/log_error.php` | client-side error logging | open endpoint, writes log |
|
||||
| `Website/webhook.php` | verified PayPal webhook processing | OAuth + webhook signature verification |
|
||||
| `Website/paypal/webhook.php` | compatibility wrapper to active webhook runtime | same |
|
||||
| `Panel/modules/website/login.php` | create website session from shared Panel user database | username/password checked against Panel hash format |
|
||||
| `Panel/modules/website/sso.php` | website SSO endpoint | website session or one-time SSO token |
|
||||
| `Panel/sso.php` | Panel SSO endpoint | Panel session or one-time SSO token |
|
||||
| `Panel/modules/website/order.php` | validate `service_id` and start order intent | website session for continuation |
|
||||
|
||||
The old `Website/api/*` and `Website/webhook.php` checkout compatibility files are not present in this checkout. Payment processing must be reconnected and documented before public checkout is enabled.
|
||||
|
||||
## Internal Module Endpoints
|
||||
|
||||
|
|
@ -291,5 +293,5 @@ This means `ogp_api.php` is part of the scheduler runtime and must stay backward
|
|||
- `sed -n '1,240p' Panel/ogp_api.php`
|
||||
- `rg -n "^function api_" Panel/ogp_api.php`
|
||||
- `sed -n '1,240p' Panel/status_api.php`
|
||||
- `find Website/api -maxdepth 1 -type f`
|
||||
- `sed -n '1,220p' Website/webhook.php`
|
||||
- `sed -n '1,220p' Panel/sso.php`
|
||||
- `sed -n '1,220p' Panel/modules/website/sso.php`
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ AJAX / external API
|
|||
| `administration` | Indirectly, for update and logger views | `panel_update.php`, backup/log helpers | `functions.php`, DB layer, `lib_remote.php` | settings, remote server metadata | `watch_logger.php` | Git / Forgejo, filesystem |
|
||||
| `addonsmanager` | Yes | `workshop_action.php`, `server_content_actions.php`, `server_content_helpers.php`, `config_games` | `lib_remote.php`, XML parser | `addons`, `server_content_manifest`, `server_content_workshop` | `workshop_action.php` | SteamCMD, Workshop, archive installers |
|
||||
| `backup-restore` | Limited / indirect | local helper function file | DB layer, filesystem helpers | backup metadata if present | module pages | zip/tar filesystem work |
|
||||
| `billing` | Yes for server provisioning/expiry actions | embeds storefront runtime; shares logic with `Website/` | DB layer, `lib_remote.php`, payment helpers | orders, invoices, coupons, server provisioning state | webhook and checkout entrypoints under module and website | PayPal, Stripe/manual gateways, email |
|
||||
| `billing` | Historical / partial | legacy billing references remain, but the module directory is absent in this checkout | DB layer, `lib_remote.php` | billing tables may remain for catalog/order records | current website order entry is `Panel/modules/website/order.php` | payment runtime must be reconnected before public checkout |
|
||||
| `circular` | No | own helper file | DB layer | announcement/content records | `show_circular.php` | none |
|
||||
| `config_games` | No direct agent use in main UI | `server_config_parser.php`, `cli-params.php`, `set_mods.php`, `set_params.php` | XML parser, DB layer | `config_homes`, `config_mods` | XML editor-like pages | GameQ, LGSL references |
|
||||
| `cron` | Yes | `shared_cron_functions.php`, uses `ogp_api.php` URLs as scheduled payloads | `lib_remote.php`, XML parser, DB layer | Panel-side scheduler intent; agent-owned cron entries | `events.php`, `thetime.php`, `user_cron.php` | agent scheduler, `wget`, panel API |
|
||||
|
|
@ -137,7 +137,7 @@ This is not a full schema map. It identifies ownership boundaries.
|
|||
| Git / Forgejo | `update`, `administration/panel_update.php`, agent `component_update` |
|
||||
| FTP / Pure-FTPd / net2ftp | `ftp`, provisioning |
|
||||
| Discord webhooks | `settings`, `support`, shared `functions.php::discordmsg` |
|
||||
| PayPal / Stripe / manual payments | `billing`, `Website/api/*`, `Website/webhook.php` |
|
||||
| PayPal / Stripe / manual payments | historical `billing` runtime; current website order entry is `Panel/modules/website/order.php` until checkout is reconnected |
|
||||
| TeamSpeak | `teamspeak3`, `TS3Admin` |
|
||||
| TShock | `tshock` |
|
||||
|
||||
|
|
|
|||
|
|
@ -10,11 +10,10 @@ Primary files:
|
|||
|
||||
- `Panel/ogp_api.php`
|
||||
- `Panel/status_api.php`
|
||||
- `Website/api/create_order.php`
|
||||
- `Website/api/capture_order.php`
|
||||
- `Website/api/log_error.php`
|
||||
- `Website/webhook.php`
|
||||
- `Website/paypal/webhook.php`
|
||||
- `Panel/sso.php`
|
||||
- `Panel/modules/website/login.php`
|
||||
- `Panel/modules/website/sso.php`
|
||||
- `Panel/modules/website/order.php`
|
||||
|
||||
## Panel Automation API
|
||||
|
||||
|
|
@ -121,39 +120,27 @@ The scheduler does not call agents directly at runtime. It stores cron lines on
|
|||
|
||||
This makes `ogp_api.php` part of the internal scheduler runtime contract.
|
||||
|
||||
## Website API Endpoints
|
||||
|
||||
### Payment Creation And Capture
|
||||
## Website Account, SSO, And Order Entry
|
||||
|
||||
| Endpoint | Auth | Purpose | Parameters | Returns |
|
||||
|---|---|---|---|---|
|
||||
| `Website/api/create_order.php` | storefront session / checkout context | create PayPal order | checkout/cart payload | JSON PayPal order response |
|
||||
| `Website/api/capture_order.php` | storefront session / checkout context | capture approved PayPal order | order/capture payload | JSON capture result |
|
||||
| `Panel/modules/website/login.php` | Panel user credentials | create a website session against the shared Panel user table | username/password form | website session and redirect |
|
||||
| `Panel/modules/website/logout.php` | website session | destroy website session | none | redirect to website home |
|
||||
| `Panel/modules/website/sso.php?destination=panel` | website session | create a one-time token for Panel login | optional trusted return path | redirect to `Panel/sso.php` |
|
||||
| `Panel/sso.php?token=...` | one-time SSO token | create normal Panel session | token | redirect to Panel page |
|
||||
| `Panel/sso.php?destination=website` | Panel session | create a one-time token for website login | optional trusted return path | redirect to website SSO endpoint |
|
||||
| `Panel/modules/website/sso.php?token=...` | one-time SSO token | create website session | token | redirect to website page |
|
||||
| `Panel/modules/website/order.php` | website session for checkout continuation | validate catalog service and start order intent | `service_id` | order page or login redirect |
|
||||
|
||||
These are thin compatibility wrappers that dispatch into the current billing runtime selected by:
|
||||
SSO tokens are stored in `OGP_DB_PREFIXsso_tokens` as SHA-256 hashes, expire in 30-60 seconds, and are marked used after successful validation. Tokens never contain passwords, password hashes, permanent API keys, or PHP session IDs.
|
||||
|
||||
- `Website/_compat_include.php`
|
||||
- `website_billing_runtime_file(...)`
|
||||
|
||||
### Client Error Logging
|
||||
|
||||
| Endpoint | Auth | Purpose | Parameters | Returns |
|
||||
|---|---|---|---|---|
|
||||
| `Website/api/log_error.php` | none | receive cart/client JS error payloads | JSON body | JSON `{status: logged}` or error |
|
||||
|
||||
Security note:
|
||||
|
||||
- this endpoint is intentionally open
|
||||
- it writes to `Website/logs/client_errors.log`
|
||||
- rate limiting is not obvious in the current implementation
|
||||
The old `Website/api/create_order.php`, `Website/api/capture_order.php`, `Website/api/log_error.php`, and `Website/webhook.php` compatibility files are not present in this repository checkout. Until an active payment runtime is connected, the website order page validates service intent and sends customers to support rather than claiming checkout is complete.
|
||||
|
||||
### Webhooks
|
||||
|
||||
| Endpoint | Source | Purpose | Auth Model |
|
||||
|---|---|---|---|
|
||||
| `Website/webhook.php` | PayPal | verify and process payment webhook | PayPal OAuth + webhook signature verification |
|
||||
| `Website/paypal/webhook.php` | PayPal | compatibility entrypoint forwarding to `Website/webhook.php` runtime | same |
|
||||
| `Panel/modules/billing/webhook.php` | payment runtime compatibility | billing-side webhook entrypoint | gateway-specific |
|
||||
| none active in this checkout | PayPal | payment processing must be reconnected before public checkout is enabled | document gateway-specific signature verification before use |
|
||||
|
||||
## Security Controls
|
||||
|
||||
|
|
@ -162,12 +149,12 @@ Security note:
|
|||
| token auth | `Panel/ogp_api.php` |
|
||||
| host allowlist | `api_authorized.hosts`, `api_authorized.fwd_hosts`, `settings/api_hosts.php` |
|
||||
| role / ownership checks | inside `api_*` handlers in `ogp_api.php` |
|
||||
| webhook signature verification | `Website/webhook.php` |
|
||||
| one-time SSO token hash storage | `OGP_DB_PREFIXsso_tokens` |
|
||||
|
||||
## Search Coverage Used For This Document
|
||||
|
||||
- `rg -n "^function api_" Panel/ogp_api.php`
|
||||
- `sed -n '1,240p' Panel/ogp_api.php`
|
||||
- `sed -n '1,240p' Panel/status_api.php`
|
||||
- `find Website/api -maxdepth 1 -type f`
|
||||
- `sed -n '1,220p' Website/webhook.php`
|
||||
- `sed -n '1,220p' Panel/sso.php`
|
||||
- `sed -n '1,220p' Panel/modules/website/sso.php`
|
||||
|
|
|
|||
|
|
@ -40,6 +40,14 @@ Commercial billing, provisioning, invoices, orders, transactions, coupons, and p
|
|||
- renewals
|
||||
- account/service status
|
||||
|
||||
## Website Ordering Boundary
|
||||
|
||||
The active Gameservers.World website no longer links customers to `billing/order.php`. The public catalog uses `Panel/modules/website/order.php?service_id=...` as the order entry point. That page validates the enabled service server-side and sends logged-out users through website login before returning them to the intended service.
|
||||
|
||||
Payment approval and final provisioning remain server-side responsibilities. The browser must not call private provisioning methods directly, and prices must be read from server-side catalog data rather than query parameters.
|
||||
|
||||
In this repository checkout the historical `Panel/modules/billing` runtime is not present, although billing tables and integration references remain. The website order page therefore stops at validated order intent and support handoff until the active checkout/payment runtime is connected.
|
||||
|
||||
## Admin Workflow
|
||||
|
||||
- configure payment gateways
|
||||
|
|
@ -72,4 +80,3 @@ Commercial billing, provisioning, invoices, orders, transactions, coupons, and p
|
|||
## Recommendation
|
||||
|
||||
- Keep / Rewrite
|
||||
|
||||
|
|
|
|||
|
|
@ -35,6 +35,49 @@ The website module centralizes these helpers in `includes/bootstrap.php`:
|
|||
|
||||
The website does not include the billing config loader directly. It reads panel or billing DB values safely, uses them only when needed, and avoids public fatal errors tied to missing config files.
|
||||
|
||||
## Shared Accounts and SSO
|
||||
|
||||
The website uses the Panel `users` table as the account source of truth. A customer has the same `user_id` on Gameservers.World, the GSP Panel, support, billing, and server orders.
|
||||
|
||||
Website login verifies credentials against the existing Panel password hash format. This preserves current Panel login behavior and avoids a second website password database.
|
||||
|
||||
`gameservers.world` and `panel.iaregamer.com` cannot share a normal PHP session cookie because they are unrelated parent domains. The bridge is a one-time SSO token:
|
||||
|
||||
- website to Panel: `Panel/modules/website/sso.php` creates a token and redirects to `Panel/sso.php`
|
||||
- Panel to website: `Panel/sso.php` creates a token and redirects back to `Panel/modules/website/sso.php`
|
||||
- table: `OGP_DB_PREFIXsso_tokens`
|
||||
- lifetime: 30-60 seconds
|
||||
- storage: SHA-256 token hash only
|
||||
- reuse: rejected after `used_at` is set
|
||||
- URL contents: token only, never passwords, password hashes, API keys, or PHP session IDs
|
||||
- HTTPS is required in production
|
||||
|
||||
Expired tokens are cleaned opportunistically when SSO is used. The administration module also creates the table for fresh installs.
|
||||
|
||||
## Ordering
|
||||
|
||||
The current public catalog route is `serverlist.php`. Customer-facing Order buttons must use:
|
||||
|
||||
- `order.php?service_id=...`
|
||||
|
||||
The old `billing/order.php` route is obsolete in this repository layout and must not be used for active Gameservers.World links.
|
||||
|
||||
`order.php` validates the requested `service_id` server-side against enabled catalog records before allowing the customer to continue. Logged-out customers have the intended order path stored in the website session, are sent to `login.php`, and return to the same service after successful login.
|
||||
|
||||
The website owns catalog display, order intent, login-return behavior, checkout entry, and customer confirmation. The Panel owns final provisioning, server assignment to the shared `user_id`, game-home creation, agent handoff, and provisioning state. Public browser requests must not call private provisioning methods directly.
|
||||
|
||||
Checkout/payment handlers are not present in this repository checkout. Until the active payment runtime is connected, `order.php` validates the selected service and sends the customer to support instead of pretending payment or provisioning is available.
|
||||
|
||||
## Navigation
|
||||
|
||||
Website footer account links are state-aware:
|
||||
|
||||
- logged out: `Account Login`, `Order a Server`, `Control Panel`
|
||||
- logged in: `My Account`, `Order a Server`, `Control Panel`, `My Servers`, `Log Out`
|
||||
- staff-only links appear only for Panel admin users and still rely on Panel authorization server-side
|
||||
|
||||
The website Control Panel button sends logged-in users through website-to-Panel SSO. Logged-out users go through website login first. The Panel dashboard `Order Another Server` link sends logged-in Panel users through Panel-to-website SSO.
|
||||
|
||||
## Deployment
|
||||
|
||||
Recommended:
|
||||
|
|
@ -56,6 +99,9 @@ Recommended:
|
|||
- `locations.php`
|
||||
- `support.php`
|
||||
- `login.php`
|
||||
- `account.php`
|
||||
- `order.php`
|
||||
- `sso.php`
|
||||
|
||||
## Pricing and Platform Reference
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue