<?php 
    //from : https://api.wordpress.org/secret-key/1.1/salt
    define('AUTH_KEY', '2(QMu)jt|2!(9t]V!4SB/y,+T]LcvGZ8-sV@vS6RUgR!_]&S}{6/RZjAmLeW28On');

    function get_client_ip()
    {
      $ip = null;
      if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
      } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
        $ip = $_SERVER['REMOTE_ADDR'];
      } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
      }
      return($ip);
    }

    $keyring = array(
        '28__u`AAs51n2KqX?hk27/=|mQI-Sv;]nP%Sd:27+pd#eb{KUK+Vui&a_|$m{+8x',
        '{KoCg/!0?7_|&pjyh!D%+IHpaB]rj|NA<^}mU|un= =}|`le[~f)&h-%Qpr>mYLA',
        '0{-f_Z/)J?Dr-=B2G=+U-+&ZTvN2m[+){7nO&rd{t6+|8BW!(+&Lx!U{gF&t.m(8',
        'TY@V>x3x6= |?K|.dBEt2U;9su-h4kS_-4~+AuDvV4<0.:}^o:l;*&WC6P:<58?t',
        '?GOHK0|EpH`X1.1DZ,-r*`?(7+<4rbG?;W*ReX+<#CUuGiQ,G^c[SJh!Q#@aHB #',
        'JdF?Zl=7tE{|+VDh%SzDVj[$nV$Emkt!T9&lhUM7Ty/yRadrv,T(S7CEk rIsx,$',
        'y:XeG#<+>Jb+cqB*^doW[2|N]ju8l<4?$ek?M?0aFaY>W&TJw rNCz+L7+ZN;#f=',
        'E|ngUL<N+f)Qfgs$ggG5ejS${9NN7-)qlH]iB;R]xvy%e3G`C+Lb $?K(5F-Rb%u',
        '!|MuVONHh33|l|`|RqQ|r%sZgCUo?FIXlPBQ`4J/Ajc$fvyS>],O).^DqOWo~Jzy',
        'i2El=I~}<o.qv;A8~ {i/3]j*XghY8K+}|M]mc-Q ~m$#bJY8NdA-jOUF=|+VLyg',
        '}#]wSs]%9,I0SF7A5~|5,3S_,/-(#z+L@oxJ<PM|Jro~p=P.c^EMqDgDf-F4o?Xw',
        'o6h{,vP2CQ&-)gc|Z2^U^{Y^htKH}[IS|&GUtY`E`a)D@kaJr$8,dKSSm@c2D7y+'
    );

    function is_valid_api_key2($key) {
      global $keyring;
      // la clef envoyé es de la forme un md5 : un sel
      // on coupe la clef en deux
      $keyset = explode(':',$key);
      //la premiere partie est un md5
      @ $coded_key = $keyset[0];
      // la deuxième est un sel => en rélité la case de tableau à utiliser
      @ $salt = (int) $keyset[1];
      // on utiulise l'heure comme référence
      $time = strftime('%Y%m%d%H');

      // connection BDD
      $dbhost = 'localhost';
      $dbuser = 'root';
      $dbpass = '';
      $dbname = 'apib3';
      @ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
      // on protège les cractères sensible de la clef interne
      $mysql_safe_salt = $mysqli->real_escape_string($keyring[$salt]);
      // on protège les cractères sensible de la clef fournie
      $mysql_safe_key = $mysqli->real_escape_string($coded_key);
      //on fait le md5 + la comparaison dans le SQL directement
      $sql = "SELECT * FROM `apikey` WHERE MD5(CONCAT(`api_key`,'".$mysql_safe_salt."','".$time."')) = '".$mysql_safe_key."'";
      //die($sql);
      $result = $mysqli->query($sql);
      if ($result->num_rows > 0) {
        $mysqli->close();
        return true;
      }
      $mysqli->close();
      return false;
    }

    function is_valid_api_key($key) {
      $dbhost = 'localhost';
      $dbuser = 'root';
      $dbpass = '';
      $dbname = 'apib3';
      @ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
      $sql = "SELECT * FROM `apikey` WHERE `api_key` LIKE '".$key."'";
      $result = $mysqli->query($sql);
      if ($result->num_rows > 0) {
        $mysqli->close();
        return true;
      }
      $mysqli->close();
      return false;
    }

    //header('Content-type: text/plain;charset=utf-8');
    header('Content-type: application/json;charset=utf-8');
    $vars=array();
    foreach(array('REQUEST_METHOD',
    'REDIRECT_URL',
    'QUERY_STRING',
    'REQUEST_URI',
    'REQUEST_TIME_FLOAT',
    'REQUEST_TIME') as $key)
    {
      if(isset($_SERVER[$key]))
      {
        $vars[$key] = $_SERVER[$key];
      }
      else
      {
        $vars[$key] = "";
      }
    }
    //echo json_encode($vars);
    $query = preg_replace("/^\/api/","",$vars['REDIRECT_URL']);
    //echo $query;

    switch($query) 
    {
      case "/toto/" :
      case "/test/" :
        header('HTTP/1.1 200 OK');
        echo json_encode( (object) array('status'=>'active') );
      break;

      case '/checksaltedkey/' :
        if($vars['REQUEST_METHOD'] == "GET") 
        {
          if(isset($_GET['key']))
          {
            header('HTTP/1.1 200 OK');
            echo json_encode( (object) array(
                'valid'=>is_valid_api_key2($_GET['key']),
                'ip'=>get_client_ip() ));         
          }
          else
          {
            header('HTTP/1.1 403 Forbidden');
            echo json_encode( (object) array('error'=>'Please provide a valid key') );
          }
        }
        else 
        {
          header('HTTP/1.1 405 Method Not Allowed');
          echo json_encode( (object) array('error'=>'/checksaltedkey/ requires GET method') );
        }          
      break;

      case '/users/' :
        if($vars['REQUEST_METHOD'] == "GET") 
        {
          if(isset($_GET['key']) && is_valid_api_key($_GET['key']))
          {
            $dbhost = 'localhost';
            $dbuser = 'root';
            $dbpass = '';
            $dbname = 'apib3';
            //si je préfixe avec @je n'aurais pas le message d'erreur.
            @ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);            
            $sql = "SELECT COUNT(*) AS nbusers FROM `user`";
            $result = $mysqli->query($sql);
            if ($result->num_rows > 0) {
                $row = $result->fetch_array(MYSQLI_ASSOC);
                header('HTTP/1.1 200 OK');
                echo json_encode( (object) array('users'=>$row['nbusers']));                
                $result->free_result();
                $mysqli->close();
            }
          }
          else
          {
            header('HTTP/1.1 403 Forbidden');
            echo json_encode( (object) array('error'=>'Please provide a valid key') );
          }
        }
        else 
        {
          header('HTTP/1.1 405 Method Not Allowed');
          echo json_encode( (object) array('error'=>'/users/ requires GET method') );
        }
      break;

      case "/key/" :
      case "/key" :
        if($vars['REQUEST_METHOD'] == "POST") 
        {
          if(!empty($_POST['user']) && !empty($_POST['password']))
          {
            $uid = null;
            $user = $_POST['user'];
            $password = md5($_POST['password'].AUTH_KEY);
            $response = array('user'=>$user,'md5'=>$password);

            //essayer de se connecter à ùysql (nb sur un xampp/wammp souvent l'utilisateur  root avec mot de passe vide)
            //https://www.tutorialspoint.com/mysqli/mysqli_connection.htm
            // na pas oublier de convertir les → en ->
            $dbhost = 'localhost';
            $dbuser = 'root';
            $dbpass = '';
            $dbname = 'apib3';
            //si je préfixe avec @je n'aurais pas le message d'erreur.
            @ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
            
            if($mysqli->connect_errno ) {
               header('HTTP/1.1 500 Internal Server Error');
               echo json_encode( (object) array('error'=>"Connect failed: ".$mysqli->connect_error ));
               exit();
            }
            else {
              $response['connection'] = 'successful';
              // vérifier si l'utilisateur existe 
              $sql = "SELECT * FROM `user` WHERE `user` LIKE '".$user."' AND `password` ='".$password."'";
              $result = $mysqli->query($sql);
              if ($result->num_rows > 0) {
                  $row = $result->fetch_array(MYSQLI_ASSOC);
                  $response['uid'] = $row['id'];
                  $result->free_result();
              }
              else {
                $sql ="INSERT INTO `user` VALUES (NULL,'".$user."','".$password."')";
                $result = $mysqli->query($sql);
                if($mysqli->connect_errno ) {
                  header('HTTP/1.1 500 Internal Server Error');
                  echo json_encode( (object) array('error'=>"Insert failed: ".$mysqli->connect_error ));
                  exit();
                }
                else {
                  $uid = $mysqli->insert_id;
                  $response['insert'] = 'successful user id is '.$uid;
                  $response['uid'] = $uid;
                }
              }
              $apikey = md5(array_rand($keyring).$response['uid'].microtime(true));
              $sql ="INSERT INTO `apikey` VALUES ('".$response['uid']."','".$apikey."')";
              $result = $mysqli->query($sql);
              $response = array('key'=>$apikey);
            }
            $mysqli->close();
            header('HTTP/1.1 200 OK');
            echo json_encode( (object) $response );
          }
          else 
          {
            header('HTTP/1.1 403 Forbidden');
            echo json_encode( (object) array('error'=>'PLease provide a valid user and matching password') );
          }
        }
        else 
        {
          header('HTTP/1.1 405 Method Not Allowed');
          echo json_encode( (object) array('error'=>'/key/ requires POST method') );
        }
      break;

      default :
       // header('HTTP/1.1 404 Not Found');
        header('HTTP/1.1 501 Not Implemented');
        echo json_encode( (object) array('error'=>'This path has not been implemented') );
      break;
    }