<?php

// This function will check a username and token returned by the bzflag
// weblogin page at http://my.bzflag.org/weblogin?action=weblogin. You can use
// this URL to ask a user for his bzflag global login. Your page needs to pass
// in an URL paramater to the weblogin that contains your URL to be called with
// the username and token. This allows your site to use the same usernames and
// passwords as the forums with out having to worry about being accused of
// stealing passwords. The URL paramater can have the keys %TOKEN% and
// %USERNAME% that will be replaced with the real username and token when the
// URL is called. For example:
//
// http://my.bzflag.org/weblogin?action=weblogin&url=http://www.mysite.com/mydir/login.php?token=%TOKEN%&callsign=%USERNAME%
//
// This would call mysite.com with the token and username passed in as
// paramaters after the user has given the page a valid username and password.

// This function should be used after you get the info from the login callback,
// to verify that it is a valid token, and the user belongs to any groups you
// care about.

function validate_token($token, $callsign, $groups=array()){
	//Some config options
	$list_server='http://my.bzflag.org/db/';

	//The program
	//$key => $group
	$group_list='&groups=';
	foreach($groups as $group){
		$group_list.="$group%0D%0A";
	}
	//Trim the last 6 characters, wich are "%0D%0A", off of the last group
	$group_list=substr($group_list, 0, strlen($group_list)-6);

	$reply=file_get_contents(''.$list_server.'?action=CHECKTOKENS&checktokens='.$callsign.'%3D'.$token.''.$group_list.'');

	//If we got a TOKBAD, return false, because the token can't be right
	if(strpos($reply, 'TOKBAD: ')) return false;

	//Here's where it gets tricky: making sure the user is in all groups specified
	$group_list='';
	foreach($groups as $group){
		$group_list.=":$group";
	}
	if(strpos($reply, "TOKGOOD: $callsign$group_list")){
		return true;
	}else{
		return false;
	}
}
?>