<?php
// FORCE_HTTPS=true: 301-Weiterleitung HTTP→HTTPS + HSTS (1 Jahr, inkl. Subdomains)
define('FORCE_HTTPS', true);
if (FORCE_HTTPS && (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on')) header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'],1,301)&&exit;
if (FORCE_HTTPS) header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

// Session-Sicherheit & Konfiguration
define('CMS_ACCESS', true); // Schutz für inkludierte config/user Dateien
define('TFA_TIMEOUT_SEC', 300); // 5 Minuten Limit für den 2FA Code
define('COOKIE_LIFETIME_MIN', 20160); // 14 Tage in Minuten
define('SESSION_TIMEOUT_MIN', 30);	// (Sliding Expiration)
define('WEBCRYPTO_TIMEOUT_MIN', 15);  // Dauer der RAM-Speicherung für WebCrypto-Keys (Minuten)
define('WC_ITER_DEFAULT', 6); // Standard: 600.000 Iterationen für WebCrypto
define('WC_ITER_MAX', 20);	// Max: 2.000.000 Iterationen für WebCrypto
define('LOGIN_DELAY_SECONDS', [0, 0, 0, 30, 120, 300, 900]);

//  OPTIONAL: Einstellungen
define('LOG_ERRORS', false);  
define('SEND_SECURITY_HEADERS', true); 

ini_set('display_errors', 0);
if (LOG_ERRORS) { ini_set('log_errors', 1); $logDir = __DIR__.'/data/temp/log'; if (!is_dir($logDir)) mkdir($logDir, 0755, true); ini_set('error_log', $logDir.'/php_errors.log'); } else { ini_set('log_errors', 0); }
error_reporting(E_ALL);

$lifetime = COOKIE_LIFETIME_MIN * 60;
session_set_cookie_params(['lifetime'=>$lifetime,'path'=>'/','secure'=>isset($_SERVER['HTTPS']),'httponly'=>true,'samesite'=>'Strict']);
session_start();

// Security Headers
if (SEND_SECURITY_HEADERS) { header("X-Content-Type-Options: nosniff"); header("X-Frame-Options: SAMEORIGIN"); header("Referrer-Policy: strict-origin-when-cross-origin"); header("Permissions-Policy: camera=(), microphone=(), geolocation=()"); header("Content-Security-Policy: default-src 'self'; script-src 'self' https://ctaas.de 'unsafe-inline'; style-src 'self' https://ctaas.de 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"); }

// Session Handling & Timeout
if (isset($_SESSION['user'])) { if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $lifetime)) { session_destroy(); header('Location: ?'); exit; } $_SESSION['last_activity'] = time(); setcookie(session_name(), session_id(), time() + $lifetime, '/', '', isset($_SERVER['HTTPS']), true); }
if (!isset($_SESSION['created'])) $_SESSION['created'] = time();
if (isset($_SESSION['created']) && (time() - $_SESSION['created'] > SESSION_TIMEOUT_MIN * 60)) { session_regenerate_id(true); $_SESSION['created'] = time(); }
if (empty($_SESSION['token'])) $_SESSION['token'] = bin2hex(random_bytes(32));

// HTMLPurifier Integration
require_once __DIR__ . '/data/htmlpurifier/HTMLPurifier.standalone.php';
$purifierConfig = HTMLPurifier_Config::createDefault();
$purifierConfig->set('HTML.Allowed', 'a[href|title|target],b,i,strong,em,span[style],br,p[style],ul,ol,li[style],h1[style],h2[style],h3[style],h4[style],h5[style],h6[style],hr,img[src|alt],div[style],table[style],thead,tbody,tr,th[style],td[style],style,u,pre,code');
$purifierConfig->set('CSS.AllowedProperties', 'color,background-color,font-family,font-size,text-align');
$cacheDir = __DIR__ . '/data/temp/purifier_cache';
if (!is_dir($cacheDir)) mkdir($cacheDir, 0755, true);
$purifierConfig->set('Cache.SerializerPath', $cacheDir);
$purifierConfig->set('HTML.TargetBlank', true);
$purifier = new HTMLPurifier($purifierConfig);

// Pfade & Helfer
define('PAGE_DIR', __DIR__ . '/data/pages/');
define('INDEX_FILE', __DIR__ . '/data/index.json');
define('DUMMY_HASH', '$2y$10$dummyhashdummyhashdummyhashdummyhashdummyha');
define('COMPRESS_LEVEL', 9);

// User-Array aus PHP-Datei laden
$USERS = [];
$u_file = __DIR__ . '/data/my_users.php';
if (is_file($u_file)) { 
	require $u_file; 
	$tmp = []; foreach ($USERS as $k => $v) $tmp[strtolower($k)] = $v; $USERS = $tmp; 
}

function user() { return $_SESSION['user'] ?? null; }
function role() { return $_SESSION['role'] ?? null; }
function is_admin() { return strtolower(role() ?? '') === 'admin'; }
function is_logged() { return user() !== null; }
function h($s) { return htmlspecialchars($s ?? '', ENT_QUOTES, 'UTF-8'); }

// --- TOTP Verifikation & E-Mail Helfer ---
function verify_totp($secret, $code, $window = 2) {
	$code = preg_replace('/\D/', '', $code);
	if (strlen($code) !== 6) return false;
	$base32chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$secret = strtoupper(preg_replace('/[^A-Z2-7]/', '', $secret));
	$secret_bin = ''; $buffer = 0; $bitsLeft = 0;
	for ($i = 0; $i < strlen($secret); $i++) {
		$buffer = ($buffer << 5) | strpos($base32chars, $secret[$i]);
		$bitsLeft += 5;
		if ($bitsLeft >= 8) { $bitsLeft -= 8; $secret_bin .= chr($buffer >> $bitsLeft); }
	}
	if (empty($secret_bin)) return false;
	$time = floor(time() / 30);
	for ($offset = -$window; $offset <= $window; $offset++) {
		$time_bytes = pack('N', 0) . pack('N', $time + $offset);
		$hmac = hash_hmac('sha1', $time_bytes, $secret_bin, true);
		$offset_val = ord($hmac[19]) & 0x0F;
		$otp_int = (((ord($hmac[$offset_val]) & 0x7F) << 24) | (ord($hmac[$offset_val+1]) << 16) | (ord($hmac[$offset_val+2]) << 8) | ord($hmac[$offset_val+3])) % 1000000;
		if (hash_equals(str_pad($otp_int, 6, '0', STR_PAD_LEFT), $code)) return true;
	}
	return false;
}

function send_tfa_mail($u, $c) { if(!is_file(__DIR__.'/data/PHPMailer/PHPMailer.php')) die('Systemfehler: 2FA-Modul fehlt.'); require __DIR__.'/data/PHPMailer/my_PHPMailer_config.php'; require_once __DIR__.'/data/PHPMailer/Exception.php'; require_once __DIR__.'/data/PHPMailer/PHPMailer.php'; require_once __DIR__.'/data/PHPMailer/SMTP.php'; $m = new PHPMailer\PHPMailer\PHPMailer(true); try { $m->isSMTP(); $m->Host = $MAIL_CONF['host']; $m->SMTPAuth = $MAIL_CONF['auth']; $m->Username = $MAIL_CONF['user']; $m->Password = $MAIL_CONF['pass']; $m->SMTPSecure = $MAIL_CONF['smtpsure']; $m->Port = $MAIL_CONF['port']; $m->setFrom($MAIL_CONF['from'], $MAIL_CONF['fromName']); foreach(explode(';', $u['emails']) as $em) $m->addAddress(trim($em)); $m->Subject = 'Dein CMS Login-Code'; $m->Body = "Dein Sicherheitscode lautet: $c\nDieser Code ist ".(TFA_TIMEOUT_SEC/60)." Minuten gueltig."; $m->send(); } catch (Exception $e) { die('Fehler beim Mailversand!'); } }

function update_index() { $idx = []; if (!is_dir(PAGE_DIR)) return; foreach (new DirectoryIterator(PAGE_DIR) as $f) { if ($f->isFile() && $f->getExtension() === 'txt') { [$m] = load_page($f->getPathname()); if ($m) $idx[] = ['path' => $f->getBasename('.txt'), 'title' => $m['title'] ?? $f->getBasename('.txt'), 'pinned' => (int)($m['pinned'] ?? 0), 'reader' => (int)($m['reader'] ?? 0)]; } } $tmp = INDEX_FILE . '.tmp'; if (file_put_contents($tmp, json_encode($idx, JSON_PRETTY_PRINT))) rename($tmp, INDEX_FILE); }

function navigation() { $p = is_file(INDEX_FILE) ? json_decode(file_get_contents(INDEX_FILE), true) : null; if (!is_array($p) || (!empty($p) && !is_file(PAGE_DIR . $p[0]['path'] . '.txt'))) { update_index(); $p = json_decode(file_get_contents(INDEX_FILE), true) ?: []; } if (!is_logged()) $p = array_filter($p, fn($i) => (int)($i['reader'] ?? 0) === 0); usort($p, function($a, $b) { if ($a['path'] === '_start') return -1; if ($b['path'] === '_start') return 1; return ($b['pinned'] ?? 0) <=> ($a['pinned'] ?? 0) ?: strnatcasecmp($a['title'], $b['title']); }); return $p; }

function slug_from_title($title) { $map = ['ä'=>'ae','ö'=>'oe','ü'=>'ue','Ä'=>'Ae','Ö'=>'Oe','Ü'=>'Ue','ß'=>'ss']; return trim(preg_replace('/_+/', '_', preg_replace('/[^a-zA-Z0-9]/', '_', strtr($title, $map))), '_'); }

function generate_filename($title) { $ts = date('ymdHis') . sprintf('%03d', floor(microtime(true) * 1000) % 1000); $slug = slug_from_title($title); $f = $ts . ($slug !== '' ? '_' . $slug : '') . '.txt'; return (strlen($f) <= 64) ? $f : $ts . '_' . substr(str_replace('_', '', $slug), 0, 43) . '.txt'; }

// Logik & Routing
$page = preg_replace('/[^a-zA-Z0-9_]/', '', $_GET['page'] ?? '_start') ?: '_start';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
	if (!isset($_POST['token']) || $_POST['token'] !== $_SESSION['token']) die('Token ungültig!');

	// Manueller 2FA-E-Mail Versand (Resend-Button)
	if (isset($_POST['resend_email']) && isset($_SESSION['tfa_pending']['email_code'])) {
		send_tfa_mail($_SESSION['tfa_pending']['user'], $_SESSION['tfa_pending']['email_code']);
		$_SESSION['tfa_pending']['ts'] = time();
		header('Location: ?login&2fa&sent=1'); exit;
	}

	// 2FA Überprüfungs-Event
	if (isset($_POST['tfa_check'])) {
		$tmp = __DIR__ . '/data/temp/';
		if (!is_dir($tmp)) mkdir($tmp, 0755, true);
		$ipf = $tmp . 'limit_tfa_' . hash('sha256', $_SERVER['REMOTE_ADDR'] ?? 'unknown') . '.json';
		$ld = is_file($ipf) ? json_decode(file_get_contents($ipf), true) : ['c' => 0, 'l' => 0];
		$dly = LOGIN_DELAY_SECONDS[min($ld['c'], count(LOGIN_DELAY_SECONDS) - 1)];
		if ($dly > 0 && (time() - $ld['l'] < $dly)) die("Warten!");
		
		$pending = $_SESSION['tfa_pending'] ?? null;
		if ($pending && (time() - $pending['ts'] < TFA_TIMEOUT_SEC)) {
			$input_code = trim($_POST['code'] ?? '');
			$verified = false;
			
			if (!empty($pending['totp_secret']) && verify_totp($pending['totp_secret'], $input_code)) {
				$verified = true;
			} elseif (!empty($pending['email_code']) && hash_equals($pending['email_code'], $input_code)) {
				$verified = true;
			}
			
			if ($verified) {
				if (is_file($ipf)) @unlink($ipf);
				$u = $pending['user'];
				unset($_SESSION['tfa_pending']);
				session_regenerate_id(true);
				$_SESSION['user'] = $u['name'];
				$_SESSION['role'] = $u['role'];
				$_SESSION['last_activity'] = time();
				header('Location: ?page=' . $page);
				exit;
			}
		}
		$ld['c']++; $ld['l'] = time(); file_put_contents($ipf, json_encode($ld));
		sleep(2); die('Code falsch oder abgelaufen! <a href="?login">Zurück zum Login</a>');
	}

	if (isset($_POST['login'])) {
		$tmp = __DIR__ . '/data/temp/'; if (!is_dir($tmp)) mkdir($tmp, 0755, true);
		$ipf = $tmp . 'limit_' . hash('sha256', $_SERVER['REMOTE_ADDR'] ?? 'unknown') . '.json';
		$ld = is_file($ipf) ? json_decode(file_get_contents($ipf), true) : ['c' => 0, 'l' => 0];
		$dly = LOGIN_DELAY_SECONDS[min($ld['c'], count(LOGIN_DELAY_SECONDS) - 1)];
		if ($dly > 0 && (time() - $ld['l'] < $dly)) die("Warten!");
		$u_input = trim($_POST['user'] ?? ''); $u_lower = strtolower($u_input); $p = $_POST['pass'] ?? ''; $hash = $USERS[$u_lower]['hash'] ?? DUMMY_HASH;
		
		if (password_verify($p, $hash) && isset($USERS[$u_lower])) { 
			if (is_file($ipf)) @unlink($ipf); 
			$user_data = $USERS[$u_lower];
			$has_totp = !empty($user_data['totp_secret']);
			$has_email = !empty($user_data['emails']);
			
			if ($has_totp || $has_email) {
				$email_code = '';
				if ($has_email) {
					$email_code = (string)random_int(100000, 999999);
					if (!$has_totp) send_tfa_mail($user_data, $email_code);
				}
				$_SESSION['tfa_pending'] = ['user' => $user_data, 'ts' => time(), 'totp_secret' => $has_totp ? $user_data['totp_secret'] : '', 'email_code' => $email_code];
				header('Location: ?login&2fa'); exit;
			}
			session_regenerate_id(true); $_SESSION['user'] = $user_data['name']; $_SESSION['role'] = $user_data['role']; $_SESSION['last_activity'] = time(); header('Location: ?page=' . $page); exit; 
		}
		$ld['c']++; $ld['l'] = time(); file_put_contents($ipf, json_encode($ld)); usleep(500000); header('Location: ?login&error=1'); exit;
	}

	if (isset($_POST['delete']) && is_admin() && $page !== '_start') { @unlink(PAGE_DIR . $page . '.txt'); update_index(); header('Location: ?'); exit; }

	if (isset($_POST['save']) && is_admin()) {
		$title = trim($_POST['title'] ?? ''); $old_n = preg_replace('/[^a-zA-Z0-9_ -]/', '', $_POST['old_page_name'] ?? '');
		$new_f = ($old_n === '_start') ? '_start.txt' : generate_filename($title);
		if ($old_n !== '_new' && $old_n !== '_start' && $old_n . '.txt' !== $new_f && is_file(PAGE_DIR . $old_n . '.txt')) rename(PAGE_DIR . $old_n . '.txt', PAGE_DIR . $new_f);
		$m = ['title' => $title ?: basename($new_f, '.txt'), 'reader' => isset($_POST['reader']) ? 1 : 0, 'gzbase64' => isset($_POST['gzbase64']) ? 1 : 0, 'pinned' => isset($_POST['pinned']) ? 1 : 0, 'webcrypto' => isset($_POST['webcrypto']) ? 1 : 0, 'crypto_meta' => $_POST['crypto_meta'] ?? '', 'lastedit' => date('Y-m-d H:i') . '/' . user()];
		if (empty($m['webcrypto'])) $m['crypto_meta'] = '';
		if (basename($new_f, '.txt') === '_start') { $m['reader'] = 0; $m['pinned'] = 0; $m['webcrypto'] = 0; }
		if ($m['webcrypto'] && $m['gzbase64']) $m['gzbase64'] = 0;
		$cleanContent = $purifier->purify($_POST['content']); save_page(PAGE_DIR . $new_f, $m, $cleanContent); update_index(); header("Location: ?page=" . basename($new_f, '.txt') . "&edit"); exit;
	}
}

if (isset($_GET['logout'])) { session_destroy(); setcookie(session_name(), '', time() - 3600, '/'); header('Location: ?'); exit; }

function load_page($f) { if (!is_file($f)) return [null, null]; $fp = fopen($f, 'rb'); flock($fp, LOCK_SH); $r = stream_get_contents($fp); flock($fp, LOCK_UN); fclose($fp); preg_match('/---META---(.*?)---DATA---/s', $r, $m); $meta = []; foreach (explode("\n", trim($m[1] ?? '')) as $l) if (str_contains($l, '=')) { [$k, $v] = explode('=', $l, 2); $meta[trim($k)] = trim($v); } $d = substr($r, strpos($r, '---DATA---') + 10); if (($meta['gzbase64'] ?? 0) == 1) $d = @gzuncompress(base64_decode($d)); return [$meta, $d]; }

function save_page($f, $m, $d) { if (($m['gzbase64'] ?? 0) == 1) $d = base64_encode(gzcompress($d, COMPRESS_LEVEL)); $content = "---META---\n"; foreach ($m as $k => $v) $content .= "$k=$v\n"; $content .= "---DATA---\n" . $d; $fp = fopen($f, 'wb'); flock($fp, LOCK_EX); fwrite($fp, $content); flock($fp, LOCK_UN); fclose($fp); return true; }

$new = isset($_GET['new']) && is_admin();
$edit = isset($_GET['edit']) && is_admin();

if ($new) { $meta = ['title' => '', 'reader' => 0, 'pinned' => 0, 'gzbase64' => 0, 'webcrypto' => 0, 'crypto_meta' => '']; $content = ''; } 
else {
	[$meta, $content] = load_page(PAGE_DIR . $page . '.txt');
	if (!$meta && !isset($_GET['login']) && !isset($_GET['search'])) { http_response_code(404); echo '<!DOCTYPE html><html><head><meta charset="utf-8"><title>404</title></head><body style="text-align:center;padding:2rem;"><b>404 Error</b> – Seite nicht gefunden!<br><a href="?">zurück</a></body></html>'; exit; }
	if (isset($meta['title']) && $meta['title'] === $page) $meta['title'] = '';
}

$searchData = [];
if (isset($_GET['search'])) { $pages = navigation(); foreach ($pages as $p) { $file = PAGE_DIR . $p['path'] . '.txt'; if (!is_file($file)) continue; [$m, $d] = load_page($file); if (!$m) continue; $item = ['path' => $p['path'], 'title' => $m['title'] ?? $p['title'] ?? $p['path'], 'lastedit' => $m['lastedit'] ?? '', 'gzbase64' => isset($m['gzbase64']) ? (int)$m['gzbase64'] : 0, 'webcrypto' => isset($m['webcrypto']) ? (int)$m['webcrypto'] : 0, 'crypto_meta' => $m['crypto_meta'] ?? '']; $item['data'] = $d; $searchData[] = $item; } }
?>
<!doctype html>
<html>
<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title><?= h($meta['title'] ?? 'CMS') ?></title>
	<?php if (isset($meta['webcrypto']) && $meta['webcrypto'] == 1): ?><meta name="robots" content="noindex, nofollow"><?php endif; ?>
	<link rel="stylesheet" href="cms.css">
	<script src="jodit/beautify/beautify.min.js"></script>
	<script src="jodit/ace/src-min-noconflict/ace.js"></script>
	<script src="jodit/jodit.fat.min.js"></script><link rel="stylesheet" href="jodit/jodit.fat.min.css">
	<script src="jodit/_my_jodit_config.js"></script>
</head>
<body>
<div id="crypto-overlay">
	<h3>🛡️ WebCrypto Schutz</h3>
	<p>Passwort festlegen:</p>
	<input type="password" id="crypto-pw1" class="crypto-input"><br>
	<input type="password" id="crypto-pw2" class="crypto-input"><br>
	<label><input type="checkbox" id="crypto-remember"> RAM-Speicherung</label><br>
	<div style="margin:0.5rem 0;"><span id="iter-label">🛡️ Schutz-Stufe: <?= WC_ITER_DEFAULT ?> (&gt; <?= WC_ITER_DEFAULT * 100 ?>k)</span><br><input type="range" id="iter-slider" min="2" max="<?= WC_ITER_MAX ?>" value="<?= WC_ITER_DEFAULT ?>" style="width:100%" oninput="document.getElementById('iter-label').innerText='🛡️ Schutz-Stufe: '+this.value+' (> '+this.value*100+'k)'"></div>
	<div><button id="crypto-confirm" class="btn-green">Verschlüsseln & Speichern</button><button type="button" onclick="document.getElementById('crypto-overlay').style.display='none'" class="btn-red">Abbrechen</button></div>
</div>

<div id="mob-bar"><button onclick="document.body.classList.toggle('nav-open')" style="margin:0">☰ Menü</button> <b class="mob-bar-title"><?= h($meta['title'] ?? 'CMS') ?> <span class="sess-timer"></span></b></div>

<nav>
	<div class="nav-auth">
		<?php if (!is_logged()): ?><button class="btn-green" onclick="location.href='?login'">Login</button>
		<?php else: ?><span style="display:inline-block"><b><?= h(ucfirst(role())) ?></b>: <?= h(user()) ?></span> <span class="sess-timer"></span><button class="nav-auth-logout" onclick="sessionStorage.clear(); location.href='?logout'">Logout</button><?php endif ?>
		<div id="wc-info" class="wc-info-area">WebCryptoPW im RAM <span class="wc-timer sess-timer"></span><button onclick="sessionStorage.removeItem('webcrypto_pw'); sessionStorage.removeItem('webcrypto_ts'); sessionStorage.removeItem('webcrypto_hash'); location.reload();" style="margin-left:0;">Key löschen</button></div>
		<button class="nav-auth-search" onclick="location.href='?search'">🔍 Suche</button>
	</div>
	<?php $lg = 'start'; $pi = 0; $ni = 0; foreach (navigation() as $n):
	$is_s = ($n['path'] === '_start'); $is_p = ($n['pinned'] ?? 0);
	$is_c = false; if(is_file(PAGE_DIR.$n['path'].'.txt')){ [$nm]=load_page(PAGE_DIR.$n['path'].'.txt'); if(($nm['webcrypto']??0)==1)$is_c=true; }
	$cg = $is_s ? 'start' : ($is_p ? 'pinned' : 'normal');
	if ($cg !== $lg) { echo '<div class="nav-spacer"></div>'; $lg = $cg; }
	$active_cls = ($page === $n['path'] && !isset($_GET['search'])) ? 'active' : '';
	$cls = $is_s ? 'start-page' : ($is_p ? 'pinned-page ' . ($pi++ % 2 ? 'alt' : '') : 'normal-page ' . ($ni++ % 2 ? 'alt' : '')); ?>
	<a href="?page=<?= $n['path'] ?>" <?= $is_c ? 'rel="nofollow"' : '' ?> class="nav-item <?= $cls ?> <?= $active_cls ?>" style="display:block; text-decoration:none; color:inherit; cursor:pointer;"><?= h((empty($n['title']) || $n['title'] === $n['path']) ? '-' : $n['title']) ?></a>
	<?php endforeach ?>
	<?php if (is_admin()): ?><p><button class="btn-green" onclick="location.href='?new'">neue Seite</button><?php endif ?>
</nav>

<main>
	<?php if (isset($_GET['login']) && !is_logged()): ?>
		<form method="post" class="box" style="max-width:21.4rem">
			<?php if (isset($_GET['2fa'])): 
				$pending = $_SESSION['tfa_pending'] ?? null;
				$has_totp = !empty($pending['totp_secret']);
				$has_email = !empty($pending['email_code']);
				$label = 'Gib deinen Sicherheitscode ein:';
				if ($has_totp && $has_email) $label = 'Gib deinen E-Mail oder Authenticator Sicherheitscode ein:';
				elseif ($has_email) $label = 'Gib deinen E-Mail Sicherheitscode ein:';
				elseif ($has_totp) $label = 'Gib deinen Authenticator Sicherheitscode ein:';
			?>
				<h3>2FA Bestätigung</h3>
				<?php if (isset($_GET['sent'])) echo '<p style="color:#28a745;font-weight:bold;margin:0 0 0.5rem 0;">E-Mail wurde gesendet!</p>'; ?>
				<p><?= h($label) ?></p>
				<input name="code" placeholder="123456" style="width:100%" autofocus maxlength="6" inputmode="numeric"><br><br>
				<input type="hidden" name="token" value="<?= $_SESSION['token'] ?>">
				<button name="tfa_check" class="btn-green" style="margin-left:0">Bestätigen</button>
				<?php if ($has_totp && $has_email): ?><button name="resend_email" class="btn-yellow" formnovalidate>Code per E-Mail senden</button><?php endif; ?>
				<p><a href="?login" style="font-size:0.9em"><u>zurück zum Passwortlogin</u></a></p>
			<?php else: ?>
				<h3>Login</h3>
				<input name="user" placeholder="Name" style="width:100%" autofocus><br><br>
				<input type="password" name="pass" placeholder="Passwort" style="width:100%"><br><br>
				<input type="hidden" name="token" value="<?= $_SESSION['token'] ?>">
				<button name="login" class="btn-green" style="margin-left:0">Anmelden</button>
			<?php endif ?>
		</form>
	<?php elseif (($new || $edit) && is_admin()): $is_start = (!$new && $page === '_start'); $is_enc = ($edit && ($meta['webcrypto'] ?? 0) == 1); ?>
		<form method="post" id="editForm">
			<input type="hidden" name="old_page_name" value="<?= h($new ? '_new' : $page) ?>"><input type="hidden" name="token" value="<?= $_SESSION['token'] ?>"><input type="hidden" name="crypto_meta" id="crypto_meta" value="<?= h($meta['crypto_meta'] ?? '') ?>">
			<div style="margin-bottom:0.35rem;"><span id="edit-controls-top" style="<?= $is_enc ? 'display:none;' : '' ?>"><input name="title" id="edit-title" value="<?= h($meta['title'] ?? '') ?>" placeholder="Titel..." autofocus><button type="button" id="customSaveBtn" class="btn-green"><?= $new ? 'Erstellen' : 'Speichern' ?></button></span><?php if (!$new && $page !== '_start'): ?><button type="submit" name="delete" value="1" class="btn-red" onclick="return confirm('Seite: \'<?= addslashes(h($meta['title'] ?: $page)) ?>\' wirklich löschen?')">Löschen</button><?php endif ?></div>
			<div id="edit-controls-bottom" style="margin-bottom:0.7rem; <?= $is_enc ? 'display:none;' : '' ?>"><?php if (!$is_start): ?><label><input type="checkbox" name="pinned" <?= ($meta['pinned'] ?? 0) ? 'checked' : '' ?>> 📌 Oben</label> <label><input type="checkbox" name="reader" <?= ($meta['reader'] ?? 0) ? 'checked' : '' ?>> 🔒 Privat</label><?php endif ?> <label><input type="checkbox" name="gzbase64" id="gzbase64_check" <?= ($meta['gzbase64'] ?? 0) ? 'checked' : '' ?>> ⚙️ Gzip</label> <?php if (!$is_start): ?><label><input type="checkbox" name="webcrypto" id="webcrypto_check" <?= ($meta['webcrypto'] ?? 0) ? 'checked' : '' ?>> 🛡️ WebCrypto</label><?php endif ?></div>
			<div id="editor-container">
				<?php if ($is_enc): ?><div id="edit-unlock-area" class="box edit-unlock-area"><h4>🛡️ WebCrypto-verschlüsselt</h4><input type="password" id="edit-unlock-pw" class="edit-unlock-pw" placeholder="Passwort..."><label><input type="checkbox" id="edit-unlock-remember"> RAM-Speicherung</label><br><button type="button" id="btn-edit-unlock" class="btn-green">Editor laden</button><div id="edit-unlock-error" class="edit-unlock-error">Falsch!</div></div><textarea id="editor" name="content" style="display:none;"><?= h($content ?? '') ?></textarea>
				<?php else: ?><textarea id="editor" name="content"><?= h($content ?? '') ?></textarea><?php endif ?>
			</div><input type="hidden" name="save" value="1">
		</form>
	<?php elseif (isset($_GET['search'])): ?>
		<div class="box"><h2 style="margin-top:0">Volltextsuche</h2><form method="get" action="" style="margin-bottom:1.4rem;"><input type="text" name="search" value="<?= h($_GET['search'] ?? '') ?>" placeholder="Suchbegriff..." class="search-input" autofocus><button type="submit" class="btn-green">Suchen</button></form>
		<?php if (isset($_GET['search']) && $_GET['search'] !== ''): ?>
		<div id="searchStatus" class="search-status"></div>
		<div id="searchPrompt" class="search-prompt"><b>Verschlüsselte Datei gefunden: <span id="searchPromptTitle"></span></b><p><input type="password" id="searchPromptPw" class="search-prompt-pw" placeholder="Passwort..."><br><label><input type="checkbox" id="searchPromptRemember"> RAM-Speicherung</label><br><button id="searchPromptUnlock" class="btn-green">Entsperren</button><button id="searchPromptSkip" class="btn-yellow">Überspringen</button><button id="searchPromptSkipAll" class="btn-red">Alle überspringen</button></div>
		<table id="searchResultsTable" class="search-results-table"><thead><tr><th onclick="sortSearch(0)">Seitentitel ↕</th><th onclick="sortSearch(1)">Letzte Änderung ↕</th> </thead><tbody id="searchResultsBody"></tbody></table>
		<?php else: ?><p>Gib einen Suchbegriff ein, um Seiten zu durchsuchen.</p><?php endif; ?>
		</div>
	<?php else: ?>
		<?php if (($meta['reader'] ?? 0) == 1 && !is_logged()): ?><div class="box">🔒 Privat.</div>
		<?php else: ?>
			<?php if (is_admin()): ?><button class="btn-yellow" onclick="location.href='?page=<?= $page ?>&edit'" style="margin:0 0 0.7rem 0">Bearbeiten</button>
			<div class="meta-info"><?= ($meta['reader'] ?? 0) ? '✓ privat ' : '' ?><?= ($meta['pinned'] ?? 0) ? '✓ Oben ' : '' ?><?= ($meta['gzbase64'] ?? 0) ? '✓ Gzip ' : '' ?><?= ($meta['webcrypto'] ?? 0) ? '✓ 🛡️ WebCrypto ' : '' ?><?php if (!empty($meta['lastedit'])): ?> - <?= h($meta['lastedit']) ?><?php endif ?></div>
			<?php endif ?>
			<div class="box"><h2 style="margin-top:0"><?= h($meta['title'] ?: '-') ?></h2><div class="content-body" id="content-body" data-webcrypto="<?= ($meta['webcrypto'] ?? 0) ?>" data-meta="<?= h($meta['crypto_meta'] ?? '') ?>"><?= $content ?></div></div>
		<?php endif ?>
	<?php endif ?>
</main>

<script>
function fmtT(sRem) { let d=Math.floor(sRem/86400),h=Math.floor((sRem%86400)/3600),m=Math.floor((sRem%3600)/60),s=sRem%60; return sRem>300?(d>0?d+(d===1?' Tag ':' Tage '):'')+(h<10?'0':'')+h+':'+(m<10?'0':'')+m:(h<10?'0':'')+h+':'+(m<10?'0':'')+m+':'+(s<10?'0':'')+s; }
let sRem = <?= is_logged() ? $lifetime : 0 ?>;
const wcLimit = <?= WEBCRYPTO_TIMEOUT_MIN * 60 * 1000 ?>;
function updateTimers() { if (sRem > 0) document.querySelectorAll('.sess-timer:not(.wc-timer)').forEach(el => el.textContent = fmtT(sRem)); let wcTs = sessionStorage.getItem('webcrypto_ts'), wcInfo = document.getElementById('wc-info'); if (wcTs && sessionStorage.getItem('webcrypto_pw')) { let wcRem = Math.floor((wcLimit - (Date.now() - parseInt(wcTs))) / 1000); if (wcRem > 0) { if (wcInfo) { wcInfo.style.display = 'block'; document.querySelector('.wc-timer').textContent = fmtT(wcRem); } } else { sessionStorage.removeItem('webcrypto_pw'); sessionStorage.removeItem('webcrypto_ts'); sessionStorage.removeItem('webcrypto_hash'); location.reload(); } } else if (wcInfo) wcInfo.style.display = 'none'; }
updateTimers(); setInterval(() => { if (sRem > 0) { sRem--; if (sRem <= 0) { sessionStorage.clear(); location.href = '?logout'; } } updateTimers(); }, 1000);
async function sha256(s) { const b = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(s)); return Array.from(new Uint8Array(b)).map(x => x.toString(16).padStart(2, '0')).join(''); }
async function deriveKey(pw, salt, iter) { const enc = new TextEncoder(), keyMat = await crypto.subtle.importKey("raw", enc.encode(pw), {name: "PBKDF2"}, false, ["deriveKey"]); return crypto.subtle.deriveKey({name: "PBKDF2", salt, iterations: iter, hash: "SHA-256"}, keyMat, {name: "AES-GCM", length: 256}, false, ["encrypt", "decrypt"]); }
async function encryptContent(text, pw, iter) {
	const enc = new TextEncoder(), salt = crypto.getRandomValues(new Uint8Array(16)), iv = crypto.getRandomValues(new Uint8Array(12)), key = await deriveKey(pw, salt, iter);
	const cs = new CompressionStream('gzip'), writer = cs.writable.getWriter(); writer.write(enc.encode(text)); writer.close();
	const compressedData = await new Response(cs.readable).arrayBuffer();
	const cipher = await crypto.subtle.encrypt({name: "AES-GCM", iv}, key, compressedData);
	return { cipher: btoa(new Uint8Array(cipher).reduce((data, byte) => data + String.fromCharCode(byte), '')), salt: btoa(String.fromCharCode(...salt)), iv: btoa(String.fromCharCode(...iv)) };
}
async function decryptContent(cipher, pw, sB64, iB64, iter) {
	const salt = Uint8Array.from(atob(sB64), c => c.charCodeAt(0)), iv = Uint8Array.from(atob(iB64), c => c.charCodeAt(0)), data = Uint8Array.from(atob(cipher), c => c.charCodeAt(0)), key = await deriveKey(pw, salt, iter || 200000);
	const decryptedBuffer = await crypto.subtle.decrypt({name: "AES-GCM", iv}, key, data);
	const ds = new DecompressionStream('gzip'), writer = ds.writable.getWriter(); writer.write(decryptedBuffer); writer.close();
	const plainBuffer = await new Response(ds.readable).arrayBuffer();
	return new TextDecoder().decode(plainBuffer);
}
const checkField = async (f) => { const h = sessionStorage.getItem('webcrypto_hash'); if (!h || !f.value.trim()) { f.style.backgroundColor = ''; return; } f.style.backgroundColor = (await sha256(f.value.trim()) === h) ? '#d4edda' : ''; };
function getStoredPw() { let p = sessionStorage.getItem('webcrypto_pw'), t = sessionStorage.getItem('webcrypto_ts'); if (p && t) { if (Date.now() - t > wcLimit) { sessionStorage.removeItem('webcrypto_pw'); sessionStorage.removeItem('webcrypto_ts'); return null; } else { sessionStorage.setItem('webcrypto_ts', Date.now()); return p; } } return null; }
async function decryptWithStoredOrPrompt(cipher, meta, container, isEd = false) {
	let pw = getStoredPw();
	if (pw) { try { const info = JSON.parse(meta), dec = await decryptContent(cipher, pw, info.salt, info.iv, info.iter); if (isEd) { const ta = document.getElementById('editor'); ta.value = dec; container.remove(); ta.style.display = 'block'; initJodit(); } else container.innerHTML = dec; return true; } catch (e) { pw = null; } }
	container.innerHTML = `<p>🛡️ WebCrypto-geschützt</p><input type="password" id="unlock-pw" placeholder="Passwort..." style="padding:0.6rem;"><br><label><input type="checkbox" id="unlock-remember"> RAM-Speicherung</label><br><button type="button" id="btn-unlock" class="btn-green">Entsperren</button><div id="unlock-error" style="color:red; display:none">Falsch!</div>`;
	const inp = document.getElementById('unlock-pw'); if (inp) { inp.addEventListener('input', () => checkField(inp)); setTimeout(() => inp.focus(), 50); }
	document.getElementById('btn-unlock').onclick = async () => { const p = inp.value, rem = document.getElementById('unlock-remember').checked; try { const info = JSON.parse(meta), dec = await decryptContent(cipher, p, info.salt, info.iv, info.iter); if (rem) { sessionStorage.setItem('webcrypto_pw', p); sessionStorage.setItem('webcrypto_ts', Date.now()); updateTimers(); } if (isEd) { const ta = document.getElementById('editor'); ta.value = dec; container.remove(); ta.style.display = 'block'; initJodit(); } else container.innerHTML = dec; } catch (e) { document.getElementById('unlock-error').style.display = 'block'; } };
}
function initJodit() { window.joditEditor = new Jodit('#editor', window.joditConfig); if (document.getElementById('edit-controls-top')) document.getElementById('edit-controls-top').style.display = ''; if (document.getElementById('edit-controls-bottom')) document.getElementById('edit-controls-bottom').style.display = ''; setTimeout(() => window.joditEditor.focus(), 100); }
document.addEventListener('DOMContentLoaded', () => {
	const wcCk = document.getElementById('webcrypto_check'), gzCk = document.getElementById('gzbase64_check'), svBtn = document.getElementById('customSaveBtn');
	if (wcCk && gzCk) { wcCk.addEventListener('change', () => { if (wcCk.checked) gzCk.checked = false; }); gzCk.addEventListener('change', () => { if (gzCk.checked) wcCk.checked = false; }); }
	const box = document.getElementById('content-body'); if (box && box.dataset.webcrypto == "1") decryptWithStoredOrPrompt(box.textContent.trim(), box.dataset.meta, box, false);
	const edU = document.getElementById('edit-unlock-area'), edP = document.getElementById('edit-unlock-pw'); if (edP) edP.addEventListener('input', () => checkField(edP));
	if (edU) {
		const ta = document.getElementById('editor'), cipher = ta.value.trim(), meta = document.getElementById('crypto_meta').value, stP = getStoredPw();
		document.getElementById('btn-edit-unlock').onclick = async () => { const p = edP.value, rem = document.getElementById('edit-unlock-remember').checked; try { const info = JSON.parse(meta), dec = await decryptContent(cipher, p, info.salt, info.iv, info.iter); if (rem) { sessionStorage.setItem('webcrypto_pw', p); sessionStorage.setItem('webcrypto_ts', Date.now()); updateTimers(); } else { sessionStorage.setItem('webcrypto_hash', await sha256(p)); } ta.value = dec; edU.remove(); ta.style.display = 'block'; initJodit(); } catch (e) { document.getElementById('edit-unlock-error').style.display = 'block'; } };
		if (stP) (async () => { try { const info = JSON.parse(meta), dec = await decryptContent(cipher, stP, info.salt, info.iv, info.iter); ta.value = dec; edU.remove(); ta.style.display = 'block'; initJodit(); } catch (e) {} })();
	} else if (document.getElementById('editor')) initJodit();
	if (svBtn) {
		svBtn.onclick = () => { if (!(wcCk && wcCk.checked)) { document.getElementById('editForm').submit(); return; } let stP = getStoredPw();
		if (stP) { (async () => { const ta = document.getElementById('editor'), cont = window.joditEditor ? window.joditEditor.value : ta.value; const sV = document.getElementById('iter-slider') ? parseInt(document.getElementById('iter-slider').value) : <?= WC_ITER_DEFAULT ?>; const iV = (sV * 100000) + Math.floor(Math.random() * 100000); const enc = await encryptContent(cont, stP, iV); ta.value = enc.cipher; document.getElementById('crypto_meta').value = JSON.stringify({salt: enc.salt, iv: enc.iv, iter: iV}); document.getElementById('editForm').submit(); })(); }
		else { document.getElementById('crypto-overlay').style.display = 'flex'; setTimeout(() => document.getElementById('crypto-pw1').focus(), 50); } };
		const p1 = document.getElementById('crypto-pw1'), p2 = document.getElementById('crypto-pw2'); if (p1 && p2) { p1.addEventListener('input', () => checkField(p1)); p2.addEventListener('input', () => checkField(p2)); document.getElementById('crypto-confirm').onclick = async () => { const val1 = p1.value.trim(), val2 = p2.value.trim(); if (!val1 || val1 !== val2) return alert("Fehler!"); const curH = await sha256(val1); const ta = document.getElementById('editor'), cont = window.joditEditor ? window.joditEditor.value : ta.value; const sV = document.getElementById('iter-slider') ? parseInt(document.getElementById('iter-slider').value) : <?= WC_ITER_DEFAULT ?>; const iV = (sV * 100000) + Math.floor(Math.random() * 100000); const enc = await encryptContent(cont, val1, iV); ta.value = enc.cipher; document.getElementById('crypto_meta').value = JSON.stringify({salt: enc.salt, iv: enc.iv, iter: iV}); if (document.getElementById('crypto-remember').checked) { sessionStorage.setItem('webcrypto_pw', val1); sessionStorage.setItem('webcrypto_ts', Date.now()); } else { sessionStorage.setItem('webcrypto_hash', curH); } document.getElementById('editForm').submit(); }; }
	}
});

<?php if (isset($_GET['search'])): ?>
const searchData = <?= json_encode($searchData) ?>;
const isAdmin = <?= is_admin() ? 'true' : 'false' ?>;
let currentTerm = "<?= addslashes($_GET['search'] ?? '') ?>", searchResults = [], skipAllEncrypted = false, sortCol = -1, sortAsc = true;
function normalizeRegex(s) { return new RegExp(s.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*"), "gi"); }
function askForPassword(title) {
	return new Promise(resolve => {
		const prompt = document.getElementById('searchPrompt'); document.getElementById('searchPromptTitle').innerText = title; const pwInput = document.getElementById('searchPromptPw'), remInp = document.getElementById('searchPromptRemember');
		pwInput.value = ''; prompt.style.display = 'block'; setTimeout(() => pwInput.focus(), 50);
		const cleanup = () => { document.getElementById('searchPromptUnlock').onclick = null; document.getElementById('searchPromptSkip').onclick = null; document.getElementById('searchPromptSkipAll').onclick = null; prompt.style.display = 'none'; };
		document.getElementById('searchPromptUnlock').onclick = () => { const pw = pwInput.value, rem = remInp.checked; cleanup(); resolve({pw, remember: rem}); };
		document.getElementById('searchPromptSkip').onclick = () => { cleanup(); resolve('skip'); };
		document.getElementById('searchPromptSkipAll').onclick = () => { cleanup(); resolve('skipAll'); };
	});
}
async function getDecryptedContent(item) {
	if (!item.webcrypto) return item.data; let pw = getStoredPw(), decrypted = false, result = null;
	if (pw) { try { const meta = JSON.parse(item.crypto_meta); result = await decryptContent(item.data, pw, meta.salt, meta.iv, meta.iter); decrypted = true; sessionStorage.setItem('webcrypto_ts', Date.now()); } catch (e) {} }
	if (!decrypted && !skipAllEncrypted) {
		const choice = await askForPassword(item.title); if (choice === 'skip') return null; if (choice === 'skipAll') { skipAllEncrypted = true; return null; }
		if (choice.pw) { try { const meta = JSON.parse(item.crypto_meta); result = await decryptContent(item.data, choice.pw, meta.salt, meta.iv, meta.iter); decrypted = true; if (choice.remember) { sessionStorage.setItem('webcrypto_pw', choice.pw); sessionStorage.setItem('webcrypto_ts', Date.now()); } } catch (e) { alert("Passwort falsch!"); return null; } }
	}
	return (decrypted || skipAllEncrypted) ? result : null;
}
async function runSearch() {
	const term = currentTerm, regex = normalizeRegex(term), status = document.getElementById('searchStatus'), table = document.getElementById('searchResultsTable'), tbody = document.getElementById('searchResultsBody');
	tbody.innerHTML = ''; searchResults = []; skipAllEncrypted = false; table.style.display = 'none'; status.innerText = '⏳ Suche läuft...';
	for (const item of searchData) { if (item.title.match(regex)) { searchResults.push({title: item.title, path: item.path, date: item.lastedit}); } else { const content = await getDecryptedContent(item); if (content && content.match(regex)) searchResults.push({title: item.title, path: item.path, date: item.lastedit}); } }
	renderSearchResults(); status.innerText = `✅ Suche abgeschlossen. ${searchResults.length} Treffer gefunden.`; table.style.display = 'table';
}
function renderSearchResults() {
	const tbody = document.getElementById('searchResultsBody'); tbody.innerHTML = '';
	searchResults.forEach(res => { const parts = res.date.split('/'); const tr = document.createElement('tr');
	let dateHtml = escapeHtml(parts[0] || '-'); if (isAdmin && parts[1]) dateHtml += ' <small>' + escapeHtml(parts[1]) + '</small>';
	tr.innerHTML = `<td class="search-result-td"><a href="?page=${res.path}" class="search-result-link">${escapeHtml(res.title)}</a><td class="search-result-td">${dateHtml}`;
	tbody.appendChild(tr); });
}
function escapeHtml(str) { return str ? str.replace(/[&<>]/g, m => (m === '&' ? '&amp;' : m === '<' ? '&lt;' : '&gt;')) : ''; }
function sortSearch(col) { sortCol === col ? (sortAsc = !sortAsc) : (sortCol = col, sortAsc = true); searchResults.sort((a, b) => { let v1 = col === 0 ? a.title.toLowerCase() : (a.date.split('/')[0] || ''), v2 = col === 0 ? b.title.toLowerCase() : (b.date.split('/')[0] || ''); return v1 < v2 ? (sortAsc ? -1 : 1) : v1 > v2 ? (sortAsc ? 1 : -1) : 0; }); renderSearchResults(); }
runSearch();
<?php endif ?>
</script></body></html>