func (this *WHMCS) handleToken(w http.ResponseWriter, r *http.Request, db *lobster.Database, session *lobster.Session) {
if session.IsLoggedIn() {
lobster.RedirectMessage(w, r, "/panel/dashboard", lobster.L.Info("already_logged_in"))
return
}
r.ParseForm()
token := r.Form.Get("token")
if len(token) != TOKEN_LENGTH {
http.Error(w, "bad token", 403)
}
rows := db.Query("SELECT id, user_id FROM whmcs_tokens WHERE token = ? AND time > DATE_SUB(NOW(), INTERVAL 1 MINUTE)", token)
if !rows.Next() {
http.Error(w, "invalid token", 403)
}
var rowId, userId int
rows.Scan(&rowId, &userId)
rows.Close()
db.Exec("DELETE FROM whmcs_tokens WHERE id = ?", rowId)
session.UserId = userId // we do not grant admin privileges on the session for WHMCS login
log.Printf("Authentication via WHMCS for user_id=%d (%s)", userId, r.RemoteAddr)
lobster.LogAction(db, userId, lobster.ExtractIP(r.RemoteAddr), "Logged in via WHMCS", "")
http.Redirect(w, r, "/panel/dashboard", 303)
}
