validation, toast, modal, folder tree

auth.php

@@ -16,27 +16,38 @@ function authenticate($username, $password) {
     foreach ($lines as $line) {
         list($storedUser, $storedPass, $storedRole) = explode(':', trim($line), 3);
         if ($username === $storedUser && password_verify($password, $storedPass)) {
-            return $storedRole; // 
+            return $storedRole; // Return the user's role
         }
     }
-
     return false;
 }
 
 // Get JSON input
 $data = json_decode(file_get_contents("php://input"), true);
-$username = $data["username"] ?? "";
-$password = $data["password"] ?? "";
+$username = trim($data["username"] ?? "");
+$password = trim($data["password"] ?? "");
+
+// Validate input: ensure both fields are provided.
+if (!$username || !$password) {
+    echo json_encode(["error" => "Username and password are required"]);
+    exit;
+}
+
+// Validate username format: allow only letters, numbers, underscores, dashes, and spaces.
+if (!preg_match('/^[A-Za-z0-9_\- ]+$/', $username)) {
+    echo json_encode(["error" => "Invalid username format. Only letters, numbers, underscores, dashes, and spaces are allowed."]);
+    exit;
+}
 
 // Authenticate user
 $userRole = authenticate($username, $password);
 if ($userRole !== false) {
     $_SESSION["authenticated"] = true;
     $_SESSION["username"] = $username;
-    $_SESSION["isAdmin"] = ($userRole === "1"); // correctly recognize admin status
+    $_SESSION["isAdmin"] = ($userRole === "1"); // "1" indicates admin
 
     echo json_encode(["success" => "Login successful", "isAdmin" => $_SESSION["isAdmin"]]);
 } else {
     echo json_encode(["error" => "Invalid credentials"]);
 }
-?>
+?>