<?php
/* 
A domain Class to demonstrate RESTful web services
*/
// Pulls in the shared ext/mysql connection used by the mysql_* calls below
// (assumption: database.php is not visible here — confirm it opens the link).
require_once 'database.php';
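Class Access_token {
	
	/*
		you should hookup the DAO here

		NOTE(review): this class talks to the database through ext/mysql
		(mysql_query/mysql_fetch_array), which was removed in PHP 7.0, while the
		random_bytes() branch in generateToken() only exists from PHP 7.0 — on a
		stock build at most one of the two can be live.  Moving to PDO/mysqli with
		bound parameters is the real fix; until then every request value is
		escaped before it is interpolated into SQL.
	*/
	
		/**
		 * Authenticate a user and mint a fresh API token for that user.
		 *
		 * @param string $username  value the client supplied as user_id (untrusted)
		 * @param string $password  plaintext password from the login request (untrusted)
		 * @return array  on success: token, login_type, sales_person_id, full_name,
		 *                email, user_id, show_all_deliveries;
		 *                on failure (no match, query error, or token not persisted):
		 *                array('token' => 0)
		 */
		public function getTokenDetails($username,$password)
		{
			// Legacy scheme: 0_users.password holds an unsalted md5 digest, so the
			// lookup must hash the same way.  NOTE(review): this is not a safe
			// password store; migrate to password_hash()/password_verify() once the
			// column can be rewritten.
			$password=md5($password);

			// ext/mysql has no bound parameters, so escape both request-derived
			// values with the connection's charset before building the statement.
			// Previously $username was concatenated raw (SQL injection).
			$safe_user=mysql_real_escape_string($username);
			$safe_pass=mysql_real_escape_string($password);
				
		$sql= "SELECT token,login_type,sales_person_id,real_name,email,user_id,show_all_deliveries FROM 0_users WHERE user_id='".$safe_user."' and password='".$safe_pass."'";
		

		$query=mysql_query($sql);
		
		// Always return an array; the original left $token_det undefined on the
		// failure path until it was assigned.
		$token_det=array();
		// A failed query returns false; guard so mysql_fetch_array is not handed it.
	    if($query && ($row=mysql_fetch_array($query)))
		{
		  // Issue a fresh, unique per-user token on every successful login so the
		  // API can identify the actual user from the Authorization header.
		  // Previously every row stored the same static token ('12345'), which made
		  // getTokenDetails(...LIMIT 1) always resolve to the first user (admin) and
		  // defeated all server-side salesperson scoping.
		  $new_token = $this->generateToken();
		  $updated = mysql_query("UPDATE 0_users SET token='".mysql_real_escape_string($new_token)."' WHERE user_id='".$safe_user."' and password='".$safe_pass."'");

		  if(!$updated)
		  {
		    // The token handed back must be the one stored, otherwise every
		    // subsequent request would fail authentication; treat as a failed login.
		    $token_det['token']=0;
		    return $token_det;
		  }

		  $token_det['token']=$new_token;
		  $token_det['login_type']=$row['login_type'];
		  $token_det['sales_person_id']=$row['sales_person_id'];
		  $token_det['full_name']=$row['real_name'];
		  $token_det['email']=$row['email'];
		  $token_det['user_id']=$row['user_id'];
		  $token_det['show_all_deliveries']=$row['show_all_deliveries'];
		}
		else
		{
			$token_det['token']=0;
		}
		
		return $token_det;
		}

		/**
		 * Produce a 64-character hex token (32 random bytes) from the strongest
		 * source the runtime offers.
		 *
		 * @return string
		 */
		private function generateToken()
		{
			if (function_exists('random_bytes')) {
				return bin2hex(random_bytes(32));
			}
			if (function_exists('openssl_random_pseudo_bytes')) {
				// openssl_random_pseudo_bytes reports via its second argument whether
				// the bytes came from a cryptographically strong source; the original
				// ignored that flag and could return weak output unnoticed.
				$strong = false;
				$bytes = openssl_random_pseudo_bytes(32, $strong);
				if ($bytes !== false && $strong) {
					return bin2hex($bytes);
				}
			}
			// Last resort for builds with no CSPRNG at all: mt_rand()/uniqid() are
			// not cryptographically strong. Kept only to preserve the original
			// fallback; the output still has the 64-hex-char shape of the other paths.
			return md5(uniqid(mt_rand(), true)).md5(uniqid(mt_rand(), true));
		}
		
}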
?>
