func (this *WHMCS) handleToken(w http.ResponseWriter, r *http.Request, db *lobster.Database, session *lobster.Session) { if session.IsLoggedIn() { lobster.RedirectMessage(w, r, "/panel/dashboard", lobster.L.Info("already_logged_in")) return } r.ParseForm() token := r.Form.Get("token") if len(token) != TOKEN_LENGTH { http.Error(w, "bad token", 403) } rows := db.Query("SELECT id, user_id FROM whmcs_tokens WHERE token = ? AND time > DATE_SUB(NOW(), INTERVAL 1 MINUTE)", token) if !rows.Next() { http.Error(w, "invalid token", 403) } var rowId, userId int rows.Scan(&rowId, &userId) rows.Close() db.Exec("DELETE FROM whmcs_tokens WHERE id = ?", rowId) session.UserId = userId // we do not grant admin privileges on the session for WHMCS login log.Printf("Authentication via WHMCS for user_id=%d (%s)", userId, r.RemoteAddr) lobster.LogAction(db, userId, lobster.ExtractIP(r.RemoteAddr), "Logged in via WHMCS", "") http.Redirect(w, r, "/panel/dashboard", 303) }