From a4358a76583551092a42915059869ed629147d25 Mon Sep 17 00:00:00 2001
From: Robbie Antenesse
Date: Tue, 14 May 2019 15:49:54 -0600
Subject: [PATCH] Use cookies for storing tokens
---
 src/php/api/User.php | 8 +++++---
 src/php/api/index.php | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/php/api/User.php b/src/php/api/User.php
index 7acc1fc..21e4f64 100644
--- a/src/php/api/User.php
+++ b/src/php/api/User.php
@@ -24,9 +24,10 @@ class User {
 }
 } else if (password_verify($password, $user['password'])) {
 $this->db->execute('UPDATE users SET last_login=' . time() . ' WHERE id=' . $user['id']);
+ setcookie('token', $this->generateUserToken($user['id'], $user['current_dictionary']));
 return array(
- 'token' => $this->generateUserToken($user['id'], $user['current_dictionary']),
 'user' => $this->getUserData($user['id']),
+ 'dictionary' => $this->token->hash($user['current_dictionary']),
 );
 }
 }
@@ -59,9 +60,10 @@ VALUES (?, ?, ?, ?, ?)';
 if (isset($new_dictionary['error'])) {
 return $new_dictionary;
 } else {
+ setcookie('token', $this->generateUserToken($new_user_id, $new_dictionary));
 return array(
- 'token' => $this->generateUserToken($new_user_id, $new_dictionary),
 'user' => $this->getUserData($new_user_id),
+ 'dictionary' => $this->token->hash($new_dictionary),
 );
 }
 }
@@ -95,7 +97,7 @@ VALUES (?, ?, ?, ?, ?)';
 }
 public function getUserData ($user_id) {
- $query = 'SELECT * FROM users WHERE id=?';
+ $query = 'SELECT email, public_name, allow_emails FROM users WHERE id=?';
 $stmt = $this->db->query($query, array($user_id));
 $user = $stmt->fetch();
 if ($stmt && $user) {
diff --git a/src/php/api/index.php b/src/php/api/index.php
index 4af0c82..40ee1b8 100644
--- a/src/php/api/index.php
+++ b/src/php/api/index.php
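Review bot: The added `setcookie('token', …)` in the `password_verify` branch issues the token with no `httponly`, `secure` or `samesite` attribute, so the credential that now replaces the JSON `token` field is readable from page script and is also transmitted over plain HTTP; the registration hunk below adds the identical call. Set it with the attribute form, e.g. `setcookie('token', $this->generateUserToken($user['id'], $user['current_dictionary']), ['httponly' => true, 'secure' => true, 'samesite' => 'Strict', 'path' => '/']);` (PHP 7.3+; on older runtimes pass the positional `secure` and `httponly` arguments). No `expires` is given, so this becomes a session cookie; if `generateUserToken` embeds its own lifetime the cookie expiry should match it, but that method is not in the hunk. The enclosing method starts and ends outside the hunk.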
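Review bot: The return value of the added `setcookie` call in the `else` branch is discarded; `setcookie` returns `false` (with a warning) when output has already started, in which case this branch still reports a successful registration while the client never receives a token. Guard it with the error convention this branch already checks on `$new_dictionary`, e.g. `if (!setcookie('token', $this->generateUserToken($new_user_id, $new_dictionary))) { return array('error' => 'Could not set token cookie'); }`. The login hunk above has the same unchecked call, and its missing cookie attributes apply here as well. The enclosing method starts and ends outside the hunk.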
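Review bot: The narrowed column list in `getUserData` is a security fix — the old `SELECT *` returned the whole row, which includes the `password` hash that the login branch verifies against — but nothing in the code records that intent, so a later edit could widen the projection again. Add a comment above the query, e.g. `// Client-facing columns only: never SELECT * here, the users row also holds the password hash.`. Separately, `$stmt->fetch()` on the following line runs before `$stmt` is tested in `if ($stmt && $user)`, so a failed query would call a method on `false`; that ordering predates this change. The method body continues outside the hunk.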
@@ -6,7 +6,7 @@ $inputJSON = file_get_contents('php://input');
 $request= json_decode($inputJSON, true);
 $action = isset($request['action']) ? $request['action'] : '';
-$token = isset($request['token']) ? $request['token'] : false;
+$token = isset($_COOKIE['token']) ? $_COOKIE['token'] : false;
 switch ($action) {
 case 'login': {
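Review bot: Reading the token from `$_COOKIE['token']` instead of the request body means the browser now attaches the credential automatically, including on requests initiated by another origin, so the state-changing actions dispatched by `switch ($action)` become reachable through cross-site request forgery unless the cookie is issued with a `SameSite` attribute or the API additionally requires a value that only same-origin script can supply (for example a header-carried token compared with `hash_equals`). PHP also populates `$_COOKIE['token']` with an array when the cookie name arrives in bracket form, so the new line should type-check before the value reaches the token verifier: `$token = isset($_COOKIE['token']) && is_string($_COOKIE['token']) ? $_COOKIE['token'] : false;`. The `switch` that consumes `$token` continues outside the hunk.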