Ihor_Zhekov/Websites
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc4bfa5dbe76db14c9ae6d12d98cf66e4e8d5fff
Websites/Profice WebSite/scripts/add/send.php

642 lines
18 KiB
PHP
Raw Blame History

<?php
/**
* Profice Web API Handler
* Centralized API endpoint for all form submissions, webhooks, and tracking
* ALL SENSITIVE DATA IS STORED HERE - NOT VISIBLE TO CLIENT
*
* @author Profice Development Team
* @version 2.0.0
*/
// ==========================================
// SECURITY HEADERS
// ==========================================
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');
// CORS - Restrict to your domain in production
$allowedOrigins = [
'https://profice.de',
'https://www.profice.de',
'http://localhost',
'http://127.0.0.1'
];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins)) {
header("Access-Control-Allow-Origin: $origin");
} else {
header('Access-Control-Allow-Origin: *'); // Development fallback
}
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type');
header('Access-Control-Max-Age: 86400');
// Handle preflight OPTIONS request
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
http_response_code(200);
exit();
}
// ==========================================
// SENSITIVE CONFIGURATION - HIDDEN FROM CLIENT
// ==========================================
// Environment
define('USE_PRODUCTION', true);
define('DEBUG_MODE', false);
// N8N Webhooks
define('WEBHOOK_TEST', 'https://n8n.profice.de/webhook-test/d94ef798-3f43-46dd-8207-1e335e64518f');
define('WEBHOOK_PROD', 'https://n8n.profice.de/webhook/d94ef798-3f43-46dd-8207-1e335e64518f');
define('WEBHOOK_URL', USE_PRODUCTION ? WEBHOOK_PROD : WEBHOOK_TEST);
// Google Analytics
define('GA_MEASUREMENT_ID', 'G-XXXXXXXXXX'); // Replace with your actual ID
define('GA_API_SECRET', ''); // For server-side tracking
// Google Tag Manager
define('GTM_CONTAINER_ID', 'GTM-XXXXXXX'); // Replace with your actual ID
// Facebook Pixel
define('FB_PIXEL_ID', ''); // Replace with your actual ID
define('FB_ACCESS_TOKEN', ''); // For Conversions API
// Google Ads
define('GADS_CONVERSION_ID', 'AW-XXXXXXXXXX');
define('GADS_CONVERSION_LABEL', '');
// LinkedIn Insight
define('LINKEDIN_PARTNER_ID', '');
// API Keys
define('API_SECRET_KEY', 'your-secret-key-here'); // For API authentication
// Rate Limiting
define('RATE_LIMIT_REQUESTS', 100);
define('RATE_LIMIT_WINDOW', 3600); // 1 hour
// ==========================================
// HELPER FUNCTIONS
// ==========================================
function sendResponse($success, $message, $data = null, $statusCode = 200) {
http_response_code($statusCode);
$response = [
'success' => $success,
'message' => $message,
'timestamp' => date('c')
];
// Only include data if not null and not in production (security)
if ($data !== null && (!USE_PRODUCTION || DEBUG_MODE)) {
$response['data'] = $data;
} elseif ($data !== null && $success) {
// In production, only return safe data
$response['data'] = filterSafeData($data);
}
echo json_encode($response);
exit();
}
function filterSafeData($data) {
// Remove sensitive fields from response
$sensitiveFields = ['webhook_url', 'ip_address', 'user_agent', 'http_code', 'error'];
if (is_array($data)) {
foreach ($sensitiveFields as $field) {
unset($data[$field]);
}
}
return $data;
}
function getClientIP() {
$ipKeys = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR'];
foreach ($ipKeys as $key) {
if (array_key_exists($key, $_SERVER)) {
foreach (explode(',', $_SERVER[$key]) as $ip) {
$ip = trim($ip);
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
return $ip;
}
}
}
}
return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
}
function sanitizeInput($input) {
if (is_array($input)) {
return array_map('sanitizeInput', $input);
}
return htmlspecialchars(trim($input), ENT_QUOTES, 'UTF-8');
}
function validateCSRFToken($token) {
// Implement CSRF validation if needed
return true;
}
function checkRateLimit($ip) {
$rateLimitFile = __DIR__ . '/rate_limits.json';
$limits = [];
if (file_exists($rateLimitFile)) {
$limits = json_decode(file_get_contents($rateLimitFile), true) ?: [];
}
$now = time();
$windowStart = $now - RATE_LIMIT_WINDOW;
// Clean old entries
$limits = array_filter($limits, function($entry) use ($windowStart) {
return $entry['time'] > $windowStart;
});
// Count requests from this IP
$ipRequests = array_filter($limits, function($entry) use ($ip) {
return $entry['ip'] === $ip;
});
if (count($ipRequests) >= RATE_LIMIT_REQUESTS) {
return false;
}
// Add new request
$limits[] = ['ip' => $ip, 'time' => $now];
file_put_contents($rateLimitFile, json_encode($limits));
return true;
}
// ==========================================
// WEBHOOK FUNCTIONS
// ==========================================
function sendToWebhook($data, $webhookUrl = null) {
$url = $webhookUrl ?? WEBHOOK_URL;
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => json_encode($data),
CURLOPT_HTTPHEADER => [
'Content-Type: application/json',
'User-Agent: Profice-Web-API/2.0'
],
CURLOPT_TIMEOUT => 30,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_FOLLOWLOCATION => true
]);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);
if ($error) {
error_log("Webhook Error: " . $error);
return ['success' => false, 'error' => $error];
}
return [
'success' => $httpCode >= 200 && $httpCode < 300,
'http_code' => $httpCode
];
}
// ==========================================
// TRACKING FUNCTIONS - SERVER SIDE
// ==========================================
function getTrackingConfig() {
// Return tracking configuration for client
// IDs are loaded from server, not exposed in JS
return [
'analytics_enabled' => !empty(GA_MEASUREMENT_ID) && GA_MEASUREMENT_ID !== 'G-XXXXXXXXXX',
'gtm_enabled' => !empty(GTM_CONTAINER_ID) && GTM_CONTAINER_ID !== 'GTM-XXXXXXX',
'fb_enabled' => !empty(FB_PIXEL_ID),
'gads_enabled' => !empty(GADS_CONVERSION_ID) && GADS_CONVERSION_ID !== 'AW-XXXXXXXXXX',
'linkedin_enabled' => !empty(LINKEDIN_PARTNER_ID)
];
}
function loadTrackingScripts($preferences) {
$scripts = [];
// Google Analytics
if ($preferences['analytics'] && !empty(GA_MEASUREMENT_ID) && GA_MEASUREMENT_ID !== 'G-XXXXXXXXXX') {
$scripts['ga'] = [
'type' => 'analytics',
'src' => 'https://www.googletagmanager.com/gtag/js?id=' . GA_MEASUREMENT_ID,
'config' => [
'id' => GA_MEASUREMENT_ID
]
];
}
// Google Tag Manager
if ($preferences['analytics'] && !empty(GTM_CONTAINER_ID) && GTM_CONTAINER_ID !== 'GTM-XXXXXXX') {
$scripts['gtm'] = [
'type' => 'analytics',
'id' => GTM_CONTAINER_ID
];
}
// Facebook Pixel
if ($preferences['marketing'] && !empty(FB_PIXEL_ID)) {
$scripts['fb'] = [
'type' => 'marketing',
'id' => FB_PIXEL_ID
];
}
// Google Ads
if ($preferences['marketing'] && !empty(GADS_CONVERSION_ID) && GADS_CONVERSION_ID !== 'AW-XXXXXXXXXX') {
$scripts['gads'] = [
'type' => 'marketing',
'id' => GADS_CONVERSION_ID
];
}
// LinkedIn
if ($preferences['marketing'] && !empty(LINKEDIN_PARTNER_ID)) {
$scripts['linkedin'] = [
'type' => 'marketing',
'id' => LINKEDIN_PARTNER_ID
];
}
return $scripts;
}
function trackEvent($eventName, $eventData, $preferences) {
$results = [];
// Server-side Google Analytics tracking
if ($preferences['analytics'] && !empty(GA_MEASUREMENT_ID) && !empty(GA_API_SECRET)) {
$results['ga'] = sendGAEvent($eventName, $eventData);
}
// Server-side Facebook Conversions API
if ($preferences['marketing'] && !empty(FB_PIXEL_ID) && !empty(FB_ACCESS_TOKEN)) {
$results['fb'] = sendFBEvent($eventName, $eventData);
}
return $results;
}
function sendGAEvent($eventName, $eventData) {
if (empty(GA_API_SECRET)) return ['success' => false, 'error' => 'No API secret'];
$url = 'https://www.google-analytics.com/mp/collect?measurement_id=' . GA_MEASUREMENT_ID . '&api_secret=' . GA_API_SECRET;
$payload = [
'client_id' => $eventData['client_id'] ?? uniqid(),
'events' => [[
'name' => $eventName,
'params' => $eventData
]]
];
return sendToWebhook($payload, $url);
}
function sendFBEvent($eventName, $eventData) {
if (empty(FB_ACCESS_TOKEN)) return ['success' => false, 'error' => 'No access token'];
$url = 'https://graph.facebook.com/v18.0/' . FB_PIXEL_ID . '/events?access_token=' . FB_ACCESS_TOKEN;
$payload = [
'data' => [[
'event_name' => $eventName,
'event_time' => time(),
'action_source' => 'website',
'user_data' => [
'client_ip_address' => getClientIP(),
'client_user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? ''
],
'custom_data' => $eventData
]]
];
return sendToWebhook($payload, $url);
}
// ==========================================
// STORAGE FUNCTIONS
// ==========================================
function storeLead($formData) {
$leadFile = __DIR__ . '/data/leads.json';
$dir = dirname($leadFile);
if (!is_dir($dir)) {
mkdir($dir, 0755, true);
}
$leads = [];
if (file_exists($leadFile)) {
$leads = json_decode(file_get_contents($leadFile), true) ?: [];
}
$lead = [
'id' => uniqid('lead_'),
'datum' => date('d.m.Y'),
'dienstleistung' => $formData['service'] ?? 'Allgemein',
'status' => 'open',
'statusText' => 'Offen',
'description' => $formData['description'] ?? '',
'name' => $formData['name'] ?? '',
'contact' => $formData['contact'] ?? '',
'organisation' => $formData['organisation'] ?? '',
'timestamp' => date('c')
];
array_unshift($leads, $lead);
$leads = array_slice($leads, 0, 100);
file_put_contents($leadFile, json_encode($leads, JSON_PRETTY_PRINT));
return $lead['id'];
}
function storeCookieConsent($consentData) {
$consentFile = __DIR__ . '/data/cookie_consents.json';
$dir = dirname($consentFile);
if (!is_dir($dir)) {
mkdir($dir, 0755, true);
}
$consents = [];
if (file_exists($consentFile)) {
$consents = json_decode(file_get_contents($consentFile), true) ?: [];
}
// Remove existing consent for this IP
$ip = getClientIP();
$consents = array_filter($consents, function($c) use ($ip) {
return ($c['ip_address'] ?? '') !== $ip;
});
$consentData['id'] = uniqid('consent_');
$consentData['ip_address'] = $ip;
$consentData['timestamp'] = date('c');
array_unshift($consents, $consentData);
$consents = array_slice($consents, 0, 1000);
file_put_contents($consentFile, json_encode($consents, JSON_PRETTY_PRINT));
}
function getCookieConsentByIP() {
$consentFile = __DIR__ . '/data/cookie_consents.json';
if (!file_exists($consentFile)) {
return null;
}
$consents = json_decode(file_get_contents($consentFile), true) ?: [];
$ip = getClientIP();
foreach ($consents as $consent) {
if (($consent['ip_address'] ?? '') === $ip) {
return $consent;
}
}
return null;
}
// ==========================================
// REQUEST HANDLERS
// ==========================================
function handleContactForm($data) {
$required = ['name', 'contact'];
foreach ($required as $field) {
if (empty($data[$field])) {
sendResponse(false, "Pflichtfeld fehlt: {$field}", null, 400);
}
}
$formData = [
'name' => sanitizeInput($data['name']),
'organisation' => sanitizeInput($data['organisation'] ?? ''),
'contact' => sanitizeInput($data['contact']),
'service' => sanitizeInput($data['service'] ?? ''),
'budget' => sanitizeInput($data['budget'] ?? ''),
'description' => sanitizeInput($data['description'] ?? ''),
'timestamp' => date('c'),
'source' => 'contact_form',
'ip_address' => getClientIP()
];
$webhookResult = sendToWebhook($formData);
if ($webhookResult['success']) {
storeLead($formData);
}
sendResponse(true, 'Formular erfolgreich gesendet');
}
function handleLoginForm($data) {
$required = ['email', 'password'];
foreach ($required as $field) {
if (empty($data[$field])) {
sendResponse(false, "Pflichtfeld fehlt: {$field}", null, 400);
}
}
$formData = [
'email' => sanitizeInput($data['email']),
'password' => $data['password'], // Don't sanitize password
'remember' => $data['remember'] ?? false,
'timestamp' => date('c'),
'source' => 'login_form',
'ip_address' => getClientIP()
];
$webhookResult = sendToWebhook($formData);
sendResponse(true, 'Anmeldung verarbeitet');
}
function handleRegisterForm($data) {
$required = ['name', 'email', 'password'];
foreach ($required as $field) {
if (empty($data[$field])) {
sendResponse(false, "Pflichtfeld fehlt: {$field}", null, 400);
}
}
$formData = [
'name' => sanitizeInput($data['name']),
'email' => sanitizeInput($data['email']),
'password' => $data['password'],
'company' => sanitizeInput($data['company'] ?? ''),
'phone' => sanitizeInput($data['phone'] ?? ''),
'timestamp' => date('c'),
'source' => 'register_form',
'ip_address' => getClientIP()
];
$webhookResult = sendToWebhook($formData);
sendResponse(true, 'Registrierung erfolgreich');
}
function handleLeadForm($data) {
$formData = [
'lead_data' => $data,
'timestamp' => date('c'),
'source' => 'lead_form',
'ip_address' => getClientIP()
];
$webhookResult = sendToWebhook($formData);
sendResponse(true, 'Lead erfolgreich gesendet');
}
function handleCookieConsent($data) {
if (empty($data['preferences'])) {
sendResponse(false, 'Preferences fehlen', null, 400);
}
$consentData = [
'hasConsented' => true,
'preferences' => $data['preferences'],
'source' => 'cookie_consent'
];
storeCookieConsent($consentData);
// Get tracking scripts based on consent
$scripts = loadTrackingScripts($data['preferences']);
// Send consent event to webhook
$webhookData = [
'event_type' => 'cookie_consent_update',
'preferences' => $data['preferences'],
'timestamp' => date('c'),
'ip_address' => getClientIP()
];
sendToWebhook($webhookData);
sendResponse(true, 'Cookie-Einstellungen gespeichert', ['scripts' => $scripts]);
}
function handleGetCookieConsent($data) {
$consent = getCookieConsentByIP();
if ($consent) {
// Get tracking scripts based on saved consent
$scripts = [];
if (!empty($consent['preferences'])) {
$scripts = loadTrackingScripts($consent['preferences']);
}
sendResponse(true, 'Consent gefunden', [
'hasConsented' => $consent['hasConsented'] ?? false,
'preferences' => $consent['preferences'] ?? [],
'scripts' => $scripts
]);
} else {
sendResponse(false, 'Kein Consent gefunden', null, 404);
}
}
function handleGetTrackingConfig($data) {
$config = getTrackingConfig();
sendResponse(true, 'Tracking-Konfiguration', $config);
}
function handleTrackEvent($data) {
if (empty($data['event_name'])) {
sendResponse(false, 'Event name fehlt', null, 400);
}
$preferences = $data['preferences'] ?? ['analytics' => false, 'marketing' => false];
$results = trackEvent($data['event_name'], $data['event_data'] ?? [], $preferences);
sendResponse(true, 'Event getrackt', $results);
}
// ==========================================
// MAIN REQUEST HANDLER
// ==========================================
// Validate request method
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
sendResponse(false, 'Nur POST-Anfragen erlaubt', null, 405);
}
// Rate limiting
$clientIP = getClientIP();
if (!checkRateLimit($clientIP)) {
sendResponse(false, 'Zu viele Anfragen. Bitte später erneut versuchen.', null, 429);
}
// Get JSON input
$jsonInput = file_get_contents('php://input');
$data = json_decode($jsonInput, true);
if (!$data) {
$data = $_POST;
}
if (!$data || empty($data)) {
sendResponse(false, 'Keine Daten empfangen', null, 400);
}
$requestType = $data['type'] ?? 'contact';
try {
switch ($requestType) {
case 'contact':
handleContactForm($data);
break;
case 'login':
handleLoginForm($data);
break;
case 'register':
handleRegisterForm($data);
break;
case 'lead':
handleLeadForm($data);
break;
case 'cookie_consent':
handleCookieConsent($data);
break;
case 'get_cookie_consent':
handleGetCookieConsent($data);
break;
case 'get_tracking_config':
handleGetTrackingConfig($data);
break;
case 'track_event':
handleTrackEvent($data);
break;
default:
sendResponse(false, 'Ungültiger Anfragetyp', null, 400);
}
} catch (Exception $e) {
error_log('API Error: ' . $e->getMessage());
sendResponse(false, 'Interner Serverfehler', null, 500);
}
?>
Reference in New Issue View Git Blame Copy Permalink