Fixes theme helper

.github/workflows/tests.yml

@@ -0,0 +1,112 @@
+name: PHP Tests
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    services:
+      mariadb:
+        image: mariadb:10.6
+        env:
+          MARIADB_ROOT_PASSWORD: root
+          MARIADB_DATABASE: jilo_test
+          MARIADB_USER: test_jilo
+          MARIADB_PASSWORD: test_password
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd="mysqladmin ping -h127.0.0.1 -P3306 -uroot -proot"
+          --health-interval=10s
+          --health-timeout=10s
+          --health-retries=5
+          --health-start-period=30s
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.2'
+        extensions: pdo, pdo_mysql, xdebug
+        coverage: xdebug
+
+    - name: Wait for MariaDB
+      run: |
+        sudo apt-get install -y mariadb-client
+        while ! mysqladmin ping -h"127.0.0.1" -P"3306" -uroot -proot --silent; do
+          echo "Waiting for database connection..."
+          sleep 2
+        done
+
+    - name: Install dependencies
+      run: |
+        cd tests
+        composer install
+
+    - name: Test database connection
+      run: |
+        mysql -h127.0.0.1 -P3306 -uroot -proot -e "SHOW DATABASES;"
+        mysql -h127.0.0.1 -P3306 -uroot -proot -e "SELECT User,Host FROM mysql.user;"
+        mysql -h127.0.0.1 -P3306 -uroot -proot -e "GRANT ALL PRIVILEGES ON jilo_test.* TO 'test_jilo'@'%';"
+        mysql -h127.0.0.1 -P3306 -uroot -proot -e "FLUSH PRIVILEGES;"
+
+    - name: Update database config for CI
+      run: |
+        # Create temporary test config
+        mkdir -p tests/config
+        cat > tests/config/ci-config.php << 'EOF'
+        <?php
+        define('CI_DB_PASSWORD', 'test_password');
+        define('CI_DB_HOST', '127.0.0.1');
+        EOF
+
+        # Verify config file was created
+        echo "Config file contents:"
+        cat tests/config/ci-config.php
+        echo "\nConfig file location:"
+        ls -la tests/config/ci-config.php
+
+        # Grant access from Docker network
+        mysql -h127.0.0.1 -P3306 -uroot -proot -e "
+          DROP USER IF EXISTS 'test_jilo'@'%';
+          CREATE USER 'test_jilo'@'%' IDENTIFIED BY 'test_password';
+          GRANT ALL PRIVILEGES ON jilo_test.* TO 'test_jilo'@'%';
+          CREATE DATABASE IF NOT EXISTS jilo_test;
+          FLUSH PRIVILEGES;
+        "
+
+        # Update test files to require the config (using absolute path)
+        CONFIG_PATH=$(realpath tests/config/ci-config.php)
+        echo "\nConfig path: $CONFIG_PATH"
+
+        # Add require statement at the very start
+        for file in tests/Unit/Classes/{DatabaseTest,UserTest}.php; do
+          echo "<?php" > "$file.tmp"
+          echo "require_once '$CONFIG_PATH';" >> "$file.tmp"
+          tail -n +2 "$file" >> "$file.tmp"
+          mv "$file.tmp" "$file"
+          echo "\nFirst 5 lines of $file:"
+          head -n 5 "$file"
+        done
+
+        # Test database connection directly
+        echo "\nTesting database connection:"
+        mysql -h127.0.0.1 -P3306 -utest_jilo -ptest_password -e "SELECT 'Database connection successful!'" || echo "Database connection failed"
+
+    - name: Run test suite
+      run: |
+        cd tests
+        ./vendor/bin/phpunit
+# FIXME
+#       XDEBUG_MODE=coverage ./vendor/bin/phpunit --coverage-html coverage
+#      env:
+#        COMPOSER_PROCESS_TIMEOUT: 0
+#        COMPOSER_NO_INTERACTION: 1
+#        COMPOSER_NO_AUDIT: 1

CHANGELOG.md

@@ -7,10 +7,123 @@ All notable changes to this project will be documented in this file.
 ## Unreleased
 
 #### Links
-- upstream: https://code.lindeas.com/lindeas/jilo-web/compare/v0.2...HEAD
-- codeberg: https://codeberg.org/lindeas/jilo-web/compare/v0.2...HEAD
-- github: https://github.com/lindeas/jilo-web/compare/v0.2...HEAD
-- gitlab: https://gitlab.com/lindeas/jilo-web/-/compare/v0.2...HEAD
+- upstream: https://code.lindeas.com/lindeas/jilo-web/compare/v0.4...HEAD
+- codeberg: https://codeberg.org/lindeas/jilo-web/compare/v0.4...HEAD
+- github: https://github.com/lindeas/jilo-web/compare/v0.4...HEAD
+- gitlab: https://gitlab.com/lindeas/jilo-web/-/compare/v0.4...HEAD
+
+### Added
+- Added CSS and JS to the default theme
+- Added change theme menu entry
+
+### Changed
+
+### Fixed
+
+---
+
+## 0.4 - 2025-04-12
+
+#### Links
+- upstream: https://code.lindeas.com/lindeas/jilo-web/compare/v0.3...v0.4
+- codeberg: https://codeberg.org/lindeas/jilo-web/compare/v0.3...v0.4
+- github: https://github.com/lindeas/jilo-web/compare/v0.3...v0.4
+- gitlab: https://gitlab.com/lindeas/jilo-web/-/compare/v0.3...v0.4
+
+### Added
+- Added top-right menu with profile, admin, and docs sections
+- Added two-factor authentication
+- Added resetting of forgotten password
+- Added login credentials management
+- Added proper pagination
+- Added agents managemet pages
+- Added javascript-based feedback messages
+- Added description to each page
+- Added CSRF checks
+- Added validator class for all forms
+- Added rate limiting to all pages
+- Added authentication rate limiting to login and registration
+- Added unit tests
+- Added integration/feature tests
+- Added testing workflow for github
+
+### Changed
+- Increased session to 2 hours w/out "remember me", 30 days with
+- Made the config editing in-place with AJAX
+- Redesigned the help page
+- Moved graphs and latest data to their own pages
+- Moved live config.js to its own page
+- Redesigned the messages system and renamed them to feedback messages
+
+### Fixed
+- Bugfixes
+- Fixed config editing
+- Fixed logs search
+- Removed hardcoded messages, changed to feedback messages
+
+---
+
+## 0.3 - 2025-01-15
+
+#### Links
+- upstream: https://code.lindeas.com/lindeas/jilo-web/compare/v0.2.1...v0.3
+- codeberg: https://codeberg.org/lindeas/jilo-web/compare/v0.2.1...v0.3
+- github: https://github.com/lindeas/jilo-web/compare/v0.2.1...v0.3
+- gitlab: https://gitlab.com/lindeas/jilo-web/-/compare/v0.2.1...v0.3
+
+### Added
+- Added status page
+- Added latest data page
+- Added graphs page
+- Added Jilo agents status checks
+- Added periodic Jilo agents checks
+- Added Jilo Server check and notice on error
+- Added "jitsi platforms config" section in the sidebar
+- Added editing for platforms
+- Added editing for hosts
+- Added editing for the Jilo configuration file
+- Added phpdoc comments
+- Added rate limiting for login with blacklist and whitelist
+- Added a page for configuring the rate limiting
+
+### Changed
+- Implemented a new messaging and notifications system
+- Moved all live checks pages to the "live data" sidebar section
+- Separated the config page to multiple pages
+- Moved the config pages to "jitsi platforms config" section
+
+### Fixed
+- Fixed bugs in config editing pages and cleaned up the HTML
+
+---
+
+## 0.2.1 - 2024-10-17
+
+#### Links
+- upstream: https://code.lindeas.com/lindeas/jilo-web/compare/v0.2...v0.2.1
+- codeberg: https://codeberg.org/lindeas/jilo-web/compare/v0.2...v0.2.1
+- github: https://github.com/lindeas/jilo-web/compare/v0.2...v0.2.1
+- gitlab: https://gitlab.com/lindeas/jilo-web/-/compare/v0.2...v0.2.1
+
+### Added
+- Added support for managing Jilo Agents
+- Authenticating to Jilo Agents with JWT tokens with a shared secret key
+- Added Jilo Agent functionality to fetch data, cache it and manage the cache
+- Added more fields and avatar image to user profile
+- Added pagination (with ellipses) for the longer listings
+- Added initial support for application logs
+- Added help page
+- Added support for graphs by Chart.js
+- Added "graphs" section in sidebar with graphs and latest data pages
+
+### Changed
+- Jitsi platforms config moved from file to SQLite database
+- Left sidebar menu items reordered
+
+### Fixed
+- All output HTML sanitized
+- Sanitized input forms data
+- Fixed error in calculation of monthly total conferences on front page
 
 ---
 

README.md

@@ -26,7 +26,7 @@ To see a demo install, go to https://work.lindeas.com/jilo-web-demo/
 
 ## version
 
-Current version: **0.2** released on **2024-08-31**
+Current version: **0.3** released on **2025-01-15**
 
 ## license
 
@@ -36,11 +36,14 @@ Bootstrap is used in this project and is licensed under the MIT License. See lic
 
 JQuery is used in this project and is licensed under the MIT License. See license-jquery file.
 
+Chart.js is used in this project and is licensed under the MIT License. See license-chartjs file.
+
 ## requirements
 
 - web server (deb: apache | nginx)
 - php support in the web server (deb: php-fpm | libapache2-mod-php)
 - pdo and pdo_sqlite support in php (deb: php-db, php-sqlite3) uncomment in php.ini: ;extension=pdo_sqlite
+- php-curl module
 
 ## installation
 

TODO.md

@@ -1,27 +0,0 @@
-# Jilo Web
-
-## TODO
-
-- ~~jilo-web.db outside web root~~
-
-- ~~jilo-web.db writable by web server user~~
-
-- major refactoring after v0.1
-
-- - ~~add bootstrap template~~
-
-- - ~~clean up the code to follow model-view--controller style~~
-
-- - ~~no HTML inside PHP code~~
-
-- - put all additional functions in files in a separate folder
-
-- - ~~reduce try/catch usage, use it only for critical errors~~
-
-- - move all SQL code in the model classes, one query per method
-
-- - add 'limit' to SQL and make pagination
-
-- - pretty URLs routing (no htaccess, it needs to be in PHP code so that it can be used with all servers)
-
-- add mysql/mariadb option

app/classes/agent.php

@@ -0,0 +1,647 @@
+<?php
+
+/**
+ * class Agent
+ *
+ * Provides methods to interact with Jilo agents, including retrieving details, managing agents, generating JWT tokens,
+ * and fetching data from agent APIs.
+ */
+class Agent {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
+    private $db;
+
+    /**
+     * Agent constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
+    public function __construct($database) {
+        $this->db = $database->getConnection();
+    }
+
+
+    /**
+     * Retrieves details of agents for a specified host.
+     *
+     * @param int $host_id The host ID to filter agents by.
+     * @param int $agent_id Optional agent ID to filter by.
+     *
+     * @return array The list of agent details.
+     */
+    public function getAgentDetails($host_id, $agent_id = '') {
+        $sql = 'SELECT
+                    ja.id,
+                    ja.host_id,
+                    ja.agent_type_id,
+                    ja.url,
+                    ja.secret_key,
+                    ja.check_period,
+                    jat.description AS agent_description,
+                    jat.endpoint AS agent_endpoint,
+                    h.platform_id
+                FROM
+                    jilo_agent ja
+                JOIN
+                    jilo_agent_type jat ON ja.agent_type_id = jat.id
+                JOIN
+                    host h ON ja.host_id = h.id
+                WHERE
+                    ja.host_id = :host_id';
+
+        if ($agent_id !== '') {
+            $sql .= ' AND ja.id = :agent_id';
+        }
+
+        $query = $this->db->prepare($sql);
+
+        $query->bindParam(':host_id', $host_id);
+        if ($agent_id !== '') {
+            $query->bindParam(':agent_id', $agent_id);
+        }
+
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+
+    /**
+     * Retrieves details of a specified agent by its agent ID.
+     *
+     * @param int $agent_id The agent ID to filter by.
+     *
+     * @return array The agent details.
+     */
+    public function getAgentIDDetails($agent_id) {
+        $sql = 'SELECT
+                    ja.id,
+                    ja.host_id,
+                    ja.agent_type_id,
+                    ja.url,
+                    ja.secret_key,
+                    ja.check_period,
+                    jat.description AS agent_description,
+                    jat.endpoint AS agent_endpoint,
+                    h.platform_id
+                FROM
+                    jilo_agent ja
+                JOIN
+                    jilo_agent_type jat ON ja.agent_type_id = jat.id
+                JOIN
+                    host h ON ja.host_id = h.id
+                WHERE
+                    ja.id = :agent_id';
+
+        $query = $this->db->prepare($sql);
+        $query->bindParam(':agent_id', $agent_id);
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+
+    /**
+     * Retrieves all agent types.
+     *
+     * @return array List of all agent types.
+     */
+    public function getAgentTypes() {
+        $sql = 'SELECT *
+                    FROM jilo_agent_type
+                    ORDER BY id';
+        $query = $this->db->prepare($sql);
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+
+    /**
+     * Retrieves agent types already configured for a specific host.
+     *
+     * @param int $host_id The host ID to filter agents by.
+     *
+     * @return array List of agent types configured for the host.
+     */
+    public function getHostAgentTypes($host_id) {
+        $sql = 'SELECT
+                    id,
+                    agent_type_id
+                FROM
+                    jilo_agent
+                WHERE
+                    host_id = :host_id';
+        $query = $this->db->prepare($sql);
+        $query->bindParam(':host_id', $host_id);
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+
+    /**
+     * Add a new agent to the database.
+     *
+     * @param int $host_id The host ID to add the agent to.
+     * @param array $newAgent An associative array containing the details of the agent to be added.
+     *
+     * @return bool|string True if the agent was added successfully, otherwise error message.
+     */
+    public function addAgent($host_id, $newAgent) {
+        try {
+            $sql = 'INSERT INTO jilo_agent
+                    (host_id, agent_type_id, url, secret_key, check_period)
+                    VALUES
+                    (:host_id, :agent_type_id, :url, :secret_key, :check_period)';
+
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':host_id'       => $host_id,
+                ':agent_type_id' => $newAgent['type_id'],
+                ':url'          => $newAgent['url'],
+                ':secret_key'   => $newAgent['secret_key'],
+                ':check_period' => $newAgent['check_period'],
+            ]);
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Edit an existing agent in the database.
+     *
+     * @param int $agent_id The ID of the agent to edit.
+     * @param array $updatedAgent An associative array containing the updated details of the agent.
+     *
+     * @return bool|string True if the agent was updated successfully, otherwise error message.
+     */
+    public function editAgent($agent_id, $updatedAgent) {
+        try {
+            $sql = 'UPDATE jilo_agent
+                    SET
+                        agent_type_id = :agent_type_id,
+                        url = :url,
+                        secret_key = :secret_key,
+                        check_period = :check_period
+                    WHERE
+                        id = :agent_id';
+
+            // Convert empty secret key to NULL
+            $secretKey = !empty($updatedAgent['secret_key']) ? $updatedAgent['secret_key'] : null;
+
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':agent_id'      => $agent_id,
+                ':agent_type_id' => $updatedAgent['agent_type_id'],
+                ':url'           => $updatedAgent['url'],
+                ':secret_key'    => $secretKey,
+                ':check_period'  => $updatedAgent['check_period'],
+            ]);
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Deletes an agent from the database.
+     *
+     * @param int $agent_id The agent ID to delete.
+     *
+     * @return bool|string Returns true on success or an error message on failure.
+     */
+    public function deleteAgent($agent_id) {
+        try {
+            $sql = 'DELETE FROM jilo_agent
+                    WHERE
+                    id = :agent_id';
+
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':agent_id', $agent_id);
+
+            $query->execute();
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Checks if the agent cache is still valid.
+     *
+     * @param int $agent_id The agent ID to check.
+     *
+     * @return bool Returns true if cache is valid, false otherwise.
+     */
+    public function checkAgentCache($agent_id) {
+        $agent_cache_name = 'agent' . $agent_id . '_cache';
+        $agent_cache_time = 'agent' . $agent_id . '_time';
+        return isset($_SESSION[$agent_cache_name]) && isset($_SESSION[$agent_cache_time]) && (time() - $_SESSION[$agent_cache_time] < 600);
+    }
+
+
+    /**
+     * Base64 URL encodes the input data. Used for encoding JWT tokens
+     *
+     * @param string $data The data to encode.
+     *
+     * @return string The base64 URL encoded string.
+     */
+    private function base64UrlEncode($data) {
+        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+    }
+
+
+    /**
+     * Generates a JWT token for a Jilo agent.
+     *
+     * @param array $payload The payload data to include in the token.
+     * @param string $secret_key The secret key used to sign the token.
+     *
+     * @return string The generated JWT token.
+     */
+    public function generateAgentToken($payload, $secret_key) {
+
+        // header
+        $header = json_encode([
+            'typ' => 'JWT',
+            'alg' => 'HS256'
+        ]);
+        $base64Url_header = $this->base64UrlEncode($header);
+
+        // payload
+        $payload = json_encode($payload);
+        $base64Url_payload = $this->base64UrlEncode($payload);
+
+        // signature
+        $signature = hash_hmac('sha256', $base64Url_header . "." . $base64Url_payload, $secret_key ?? '', true);
+        $base64Url_signature = $this->base64UrlEncode($signature);
+
+        // build the JWT
+        $jwt = $base64Url_header . "." . $base64Url_payload . "." . $base64Url_signature;
+
+        return $jwt;
+    }
+
+
+    /**
+     * Fetches data from a Jilo agent's API, optionally forcing a refresh of the cache.
+     *
+     * @param int $agent_id The agent ID to fetch data for.
+     * @param bool $force Whether to force-refresh the cache (default: false).
+     *
+     * @return string The API response, or an error message in JSON format.
+     */
+    public function fetchAgent($agent_id, $force = false) {
+
+        // we need agent details for URL and JWT token
+        $agentDetails = $this->getAgentIDDetails($agent_id);
+
+        // Safe exit in case the agent is not found
+        if (empty($agentDetails)) {
+            return json_encode(['error' => 'Agent not found']);
+        }
+
+        $agent = $agentDetails[0];
+        $agent_cache_name = 'agent' . $agent_id . '_cache';
+        $agent_cache_time = 'agent' . $agent_id . '_time';
+
+        // check if the cache is still valid, unless force-refresh is requested
+        if (!$force && $this->checkAgentCache($agent_id)) {
+            return $_SESSION[$agent_cache_name];
+        }
+
+        // generate the JWT token
+        $payload = [
+            'agent_id'      => $agent_id,
+            'timestamp'     => time()
+        ];
+        $jwt = $this->generateAgentToken($payload, $agent['secret_key']);
+
+        // Make the API request
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $agent['url'] . $agent['agent_endpoint']);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 10); // timeout 10 seconds
+        curl_setopt($ch, CURLOPT_HTTPHEADER, [
+            'Authorization: Bearer ' . $jwt,
+            'Content-Type: application/json'
+        ]);
+
+        $response = curl_exec($ch);
+        $curl_error = curl_error($ch);
+        $curl_errno = curl_errno($ch);
+        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+        curl_close($ch);
+
+        // curl error
+        if ($curl_errno) {
+            return json_encode(['error' => 'curl error: ' . $curl_error]);
+        }
+
+        // response is not 200 OK
+        if ($http_code !== 200) {
+            return json_encode(['error' => 'HTTP error: ' . $http_code]);
+        }
+
+        // other custom error(s)
+        if (strpos($response, 'Auth header not received') !== false) {
+            return json_encode(['error' => 'Auth header not received']);
+        }
+
+        // Cache the result and the timestamp if the response is successful
+        // We decode it so that it's pure JSON and not escaped
+        $_SESSION[$agent_cache_name] = json_decode($response, true);
+        $_SESSION[$agent_cache_time] = time();
+
+        return $response;
+    }
+
+
+    /**
+     * Clears the cached data for a specific agent.
+     *
+     * @param int $agent_id The agent ID for which the cache should be cleared.
+     */
+    public function clearAgentCache($agent_id) {
+        $_SESSION["agent{$agent_id}_cache"] = '';
+        $_SESSION["agent{$agent_id}_cache_time"] = '';
+    }
+
+
+    /**
+     * Gets a value from a nested array using dot notation
+     * e.g. "bridge_selector.bridge_count" will get $array['bridge_selector']['bridge_count']
+     *
+     * @param array $array The array to search in
+     * @param string $path The path in dot notation
+     * @return mixed|null The value if found, null otherwise
+     */
+    private function getNestedValue($array, $path) {
+        $keys = explode('.', $path);
+        $value = $array;
+
+        foreach ($keys as $key) {
+            if (!isset($value[$key])) {
+                return null;
+            }
+            $value = $value[$key];
+        }
+
+        return $value;
+    }
+
+    /**
+     * Retrieves the latest stored data for a specific host, agent type, and metric type.
+     *
+     * @param int $host_id The host ID.
+     * @param string $agent_type The agent type.
+     * @param string $metric_type The metric type to filter by.
+     *
+     * @return mixed The latest stored data.
+     */
+    public function getLatestData($host_id, $agent_type, $metric_type) {
+        $sql = 'SELECT
+                    jac.timestamp,
+                    jac.response_content,
+                    jac.agent_id,
+                    jat.description
+                FROM
+                    jilo_agent_check jac
+                JOIN
+                    jilo_agent ja ON jac.agent_id = ja.id
+                JOIN
+                    jilo_agent_type jat ON ja.agent_type_id = jat.id
+                JOIN
+                    host h ON ja.host_id = h.id
+                WHERE
+                    h.id = :host_id
+                    AND jat.description = :agent_type
+                    AND jac.status_code = 200
+                ORDER BY
+                    jac.timestamp DESC
+                LIMIT 1';
+
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':host_id' => $host_id,
+            ':agent_type' => $agent_type
+        ]);
+
+        $result = $query->fetch(PDO::FETCH_ASSOC);
+
+        if ($result) {
+            // Parse the JSON response content
+            $data = json_decode($result['response_content'], true);
+            if (json_last_error() !== JSON_ERROR_NONE) {
+                return null;
+            }
+
+            // Extract the specific metric value from the response based on agent type
+            if ($agent_type === 'jvb') {
+                $value = $this->getNestedValue($data['jvb_api_data'], $metric_type);
+                if ($value !== null) {
+                    return [
+                        'value' => $value,
+                        'timestamp' => $result['timestamp']
+                    ];
+                }
+
+            } elseif ($agent_type === 'jicofo') {
+                $value = $this->getNestedValue($data['jicofo_api_data'], $metric_type);
+                if ($value !== null) {
+                    return [
+                        'value' => $value,
+                        'timestamp' => $result['timestamp']
+                    ];
+                }
+
+            } elseif ($agent_type === 'jigasi') {
+                $value = $this->getNestedValue($data['jigasi_api_data'], $metric_type);
+                if ($value !== null) {
+                    return [
+                        'value' => $value,
+                        'timestamp' => $result['timestamp']
+                    ];
+                }
+
+            } elseif ($agent_type === 'prosody') {
+                $value = $this->getNestedValue($data['prosody_api_data'], $metric_type);
+                if ($value !== null) {
+                    return [
+                        'value' => $value,
+                        'timestamp' => $result['timestamp']
+                    ];
+                }
+
+            } elseif ($agent_type === 'nginx') {
+                $value = $this->getNestedValue($data['nginx_api_data'], $metric_type);
+                if ($value !== null) {
+                    return [
+                        'value' => $value,
+                        'timestamp' => $result['timestamp']
+                    ];
+                }
+            }
+
+
+        }
+
+        return null;
+    }
+
+    /**
+     * Gets historical data for a specific metric from agent checks
+     *
+     * @param int $host_id The host ID
+     * @param string $agent_type The type of agent (e.g., 'jvb', 'jicofo')
+     * @param string $metric_type The type of metric to retrieve
+     * @param string $from_time Start time in Y-m-d format
+     * @param string $until_time End time in Y-m-d format
+     * @return array Array with the dataset from agent checks
+     */
+    public function getHistoricalData($host_id, $agent_type, $metric_type, $from_time, $until_time) {
+        // Get data from agent checks
+        $sql = 'SELECT
+                    DATE(jac.timestamp) as date,
+                    jac.response_content,
+                    COUNT(*) as checks_count
+                FROM
+                    jilo_agent_check jac
+                JOIN
+                    jilo_agent ja ON jac.agent_id = ja.id
+                JOIN
+                    jilo_agent_type jat ON ja.agent_type_id = jat.id
+                JOIN
+                    host h ON ja.host_id = h.id
+                WHERE
+                    h.id = :host_id
+                    AND jat.description = :agent_type
+                    AND jac.status_code = 200
+                    AND DATE(jac.timestamp) BETWEEN :from_time AND :until_time
+                GROUP BY
+                    DATE(jac.timestamp)
+                ORDER BY
+                    DATE(jac.timestamp)';
+
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':host_id' => $host_id,
+            ':agent_type' => $agent_type,
+            ':from_time' => $from_time,
+            ':until_time' => $until_time
+        ]);
+
+        $results = $query->fetchAll(PDO::FETCH_ASSOC);
+
+        $data = [];
+        foreach ($results as $row) {
+            $json_data = json_decode($row['response_content'], true);
+            if (json_last_error() === JSON_ERROR_NONE) {
+                $api_data = [];
+                if ($agent_type === 'jvb') {
+                    $api_data = $json_data['jvb_api_data'] ?? [];
+                } elseif ($agent_type === 'jicofo') {
+                    $api_data = $json_data['jicofo_api_data'] ?? [];
+                } elseif ($agent_type === 'jigasi') {
+                    $api_data = $json_data['jigasi_api_data'] ?? [];
+                } elseif ($agent_type === 'prosody') {
+                    $api_data = $json_data['prosody_api_data'] ?? [];
+                } elseif ($agent_type === 'nginx') {
+                    $api_data = $json_data['nginx_api_data'] ?? [];
+                }
+
+                $value = $this->getNestedValue($api_data, $metric_type);
+                if ($value !== null) {
+                    $data[] = [
+                        'date' => $row['date'],
+                        'value' => $value
+                    ];
+                }
+            }
+        }
+
+        return $data;
+    }
+
+    /**
+     * Gets the previous record for a specific metric
+     *
+     * @param int $host_id The host ID
+     * @param string $agent_type The type of agent (e.g., 'jvb', 'jicofo')
+     * @param string $metric_type The type of metric to retrieve
+     * @param string $current_timestamp Current record's timestamp to get data before this
+     * @return array|null Previous record data or null if not found
+     */
+    public function getPreviousRecord($host_id, $agent_type, $metric_type, $current_timestamp) {
+        $sql = 'SELECT
+                    jac.timestamp,
+                    jac.response_content
+                FROM
+                    jilo_agent_check jac
+                JOIN
+                    jilo_agent ja ON jac.agent_id = ja.id
+                JOIN
+                    jilo_agent_type jat ON ja.agent_type_id = jat.id
+                JOIN
+                    host h ON ja.host_id = h.id
+                WHERE
+                    h.id = :host_id
+                    AND jat.description = :agent_type
+                    AND jac.status_code = 200
+                    AND jac.timestamp < :current_timestamp
+                ORDER BY
+                    jac.timestamp DESC
+                LIMIT 1';
+
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':host_id' => $host_id,
+            ':agent_type' => $agent_type,
+            ':current_timestamp' => $current_timestamp
+        ]);
+
+        $result = $query->fetch(PDO::FETCH_ASSOC);
+
+        if ($result) {
+            $json_data = json_decode($result['response_content'], true);
+            if (json_last_error() === JSON_ERROR_NONE) {
+                $api_data = [];
+                if ($agent_type === 'jvb') {
+                    $api_data = $json_data['jvb_api_data'] ?? [];
+                } elseif ($agent_type === 'jicofo') {
+                    $api_data = $json_data['jicofo_api_data'] ?? [];
+                } elseif ($agent_type === 'jigasi') {
+                    $api_data = $json_data['jigasi_api_data'] ?? [];
+                } elseif ($agent_type === 'prosody') {
+                    $api_data = $json_data['prosody_api_data'] ?? [];
+                } elseif ($agent_type === 'nginx') {
+                    $api_data = $json_data['nginx_api_data'] ?? [];
+                }
+
+                $value = $this->getNestedValue($api_data, $metric_type);
+                if ($value !== null) {
+                    return [
+                        'value' => $value,
+                        'timestamp' => $result['timestamp']
+                    ];
+                }
+            }
+        }
+
+        return null;
+    }
+}

app/classes/api_response.php

@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * API Response Handler
+ * Provides a consistent way to send JSON responses from controllers
+ */
+class ApiResponse {
+    /**
+     * Send a success response
+     * @param mixed $data Optional data to include in response
+     * @param string $message Optional success message
+     * @param int $status HTTP status code
+     */
+    public static function success($data = null, $message = '', $status = 200) {
+        self::send([
+            'success' => true,
+            'data' => $data,
+            'message' => $message
+        ], $status);
+    }
+
+    /**
+     * Send an error response
+     * @param string $message Error message
+     * @param mixed $errors Optional error details
+     * @param int $status HTTP status code
+     */
+    public static function error($message, $errors = null, $status = 400) {
+        self::send([
+            'success' => false,
+            'error' => $message,
+            'errors' => $errors
+        ], $status);
+    }
+
+    /**
+     * Send the actual JSON response
+     * @param array $data Response data
+     * @param int $status HTTP status code
+     */
+    private static function send($data, $status) {
+        http_response_code($status);
+        header('Content-Type: application/json');
+        echo json_encode($data);
+        exit;
+    }
+}

app/classes/component.php

@@ -1,51 +1,169 @@
 <?php
 
+/**
+ * class Component
+ *
+ * Provides methods to interact with Jitsi component events in the database.
+ */
 class Component {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
     private $db;
 
+    /**
+     * Component constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
     public function __construct($database) {
         $this->db = $database->getConnection();
     }
 
 
-    // list of component events
-    public function jitsiComponents($jitsi_component, $component_id, $from_time, $until_time) {
-
-        // time period drill-down
-        // FIXME make it similar to the bash version
-        if (empty($from_time)) {
-            $from_time = '0000-01-01';
+    /**
+     * Retrieves Jitsi component events based on various filters.
+     *
+     * @param string $jitsi_component The Jitsi component name.
+     * @param int $component_id The component ID.
+     * @param string $event_type The type of event to filter by.
+     * @param string $from_time The start date in 'YYYY-MM-DD' format.
+     * @param string $until_time The end date in 'YYYY-MM-DD' format.
+     * @param int $offset The offset for pagination.
+     * @param int $items_per_page The number of items to retrieve per page.
+     *
+     * @return array The list of Jitsi component events or an empty array if no results.
+     */
+    public function jitsiComponents($jitsi_component, $component_id, $event_type, $from_time, $until_time, $offset=0, $items_per_page='') {
+        global $logObject;
+        try {
+            // Add time part to dates if not present
+            if (strlen($from_time) <= 10) {
+                $from_time .= ' 00:00:00';
             }
-        if (empty($until_time)) {
-            $until_time = '9999-12-31';
+            if (strlen($until_time) <= 10) {
+                $until_time .= ' 23:59:59';
             }
-        $from_time = htmlspecialchars(strip_tags($from_time));
-        $until_time = htmlspecialchars(strip_tags($until_time));
 
             // list of jitsi component events
-        $sql = "
-SELECT
-    jitsi_component, loglevel, time, component_id, event_type, event_param
-FROM
-    jitsi_components
-WHERE
-    jitsi_component = %s
-AND
-    component_id = %s
-AND
-    (time >= '%s 00:00:00' AND time <= '%s 23:59:59')
-ORDER BY
-    time";
+            $sql = "SELECT jitsi_component, loglevel, time, component_id, event_type, event_param
+                    FROM jitsi_components
+                    WHERE time >= :from_time 
+                    AND time <= :until_time";
 
-        $sql = sprintf($sql, $jitsi_component, $component_id, $from_time, $until_time);
-
-        $query = $this->db->prepare($sql);
-        $query->execute();
-
-        return $query->fetchAll(PDO::FETCH_ASSOC);
+            // Only add component and event filters if they're not the default values
+            if ($jitsi_component !== 'jitsi_component') {
+                $sql .= " AND LOWER(jitsi_component) = LOWER(:jitsi_component)";
+            }
+            if ($component_id !== 'component_id') {
+                $sql .= " AND component_id = :component_id";
+            }
+            if ($event_type !== 'event_type') {
+                $sql .= " AND event_type LIKE :event_type";
             }
 
+            $sql .= " ORDER BY time";
 
+            if ($items_per_page) {
+                $sql .= ' LIMIT :offset, :items_per_page';
             }
 
-?>
+            $stmt = $this->db->prepare($sql);
+
+            // Bind parameters only if they're not default values
+            if ($jitsi_component !== 'jitsi_component') {
+                $stmt->bindValue(':jitsi_component', trim($jitsi_component, "'"));
+            }
+            if ($component_id !== 'component_id') {
+                $stmt->bindValue(':component_id', trim($component_id, "'"));
+            }
+            if ($event_type !== 'event_type') {
+                $stmt->bindValue(':event_type', '%' . trim($event_type, "'") . '%');
+            }
+
+            $stmt->bindParam(':from_time', $from_time);
+            $stmt->bindParam(':until_time', $until_time);
+
+            if ($items_per_page) {
+                $stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
+                $stmt->bindParam(':items_per_page', $items_per_page, PDO::PARAM_INT);
+            }
+
+            $stmt->execute();
+            $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+            if (!empty($result)) {
+                $logObject->log('info', "Retrieved " . count($result) . " Jitsi component events", ['user_id' => $userId, 'scope' => 'system']);
+            }
+            return $result;
+        } catch (PDOException $e) {
+            $logObject->log('error', "Failed to retrieve Jitsi component events: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+            return [];
+        }
+    }
+
+    /**
+     * Gets the total count of components events matching the filter criteria
+     * 
+     * @param string $jitsi_component The Jitsi component name.
+     * @param int $component_id The component ID.
+     * @param string $event_type The type of event to filter by.
+     * @param string $from_time The start date in 'YYYY-MM-DD' format.
+     * @param string $until_time The end date in 'YYYY-MM-DD' format.
+     * 
+     * @return int The total count of matching components
+     */
+    public function getComponentEventsCount($jitsi_component, $component_id, $event_type, $from_time, $until_time) {
+        global $logObject;
+        try {
+            // Add time part to dates if not present
+            if (strlen($from_time) <= 10) {
+                $from_time .= ' 00:00:00';
+            }
+            if (strlen($until_time) <= 10) {
+                $until_time .= ' 23:59:59';
+            }
+
+            // Build the query
+            $sql = "SELECT COUNT(*) as total
+                    FROM jitsi_components
+                    WHERE time >= :from_time
+                    AND time <= :until_time";
+
+            // Only add component and event filters if they're not the default values
+            if ($jitsi_component !== 'jitsi_component') {
+                $sql .= " AND LOWER(jitsi_component) = LOWER(:jitsi_component)";
+            }
+            if ($component_id !== 'component_id') {
+                $sql .= " AND component_id = :component_id";
+            }
+            if ($event_type !== 'event_type') {
+                $sql .= " AND event_type LIKE :event_type";
+            }
+
+            $stmt = $this->db->prepare($sql);
+
+            // Bind parameters only if they're not default values
+            if ($jitsi_component !== 'jitsi_component') {
+                $stmt->bindValue(':jitsi_component', trim($jitsi_component, "'"));
+            }
+            if ($component_id !== 'component_id') {
+                $stmt->bindValue(':component_id', trim($component_id, "'"));
+            }
+            if ($event_type !== 'event_type') {
+                $stmt->bindValue(':event_type', '%' . trim($event_type, "'") . '%');
+            }
+
+            $stmt->bindParam(':from_time', $from_time);
+            $stmt->bindParam(':until_time', $until_time);
+
+            $stmt->execute();
+            $result = $stmt->fetch(PDO::FETCH_ASSOC);
+            return (int)$result['total'];
+        } catch (PDOException $e) {
+            $logObject->log('error', "Failed to retrieve component events count: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+            return 0;
+        }
+    }
+}

app/classes/conference.php

@@ -1,15 +1,39 @@
 <?php
 
+/**
+ * class Conference
+ *
+ * Provides methods for querying conference-related data from the database.
+ */
 class Conference {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
     private $db;
 
+    /**
+     * Conference constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
     public function __construct($database) {
         $this->db = $database->getConnection();
     }
 
 
-    // search/list specific conference ID
-    public function conferenceById($conference_id, $from_time, $until_time) {
+    /**
+     * Retrieves conference data by conference ID within a specific time range.
+     *
+     * @param string $conference_id The conference ID.
+     * @param string $from_time The start date in 'YYYY-MM-DD' format.
+     * @param string $until_time The end date in 'YYYY-MM-DD' format.
+     * @param int $offset The offset for pagination.
+     * @param int $items_per_page The number of items to retrieve per page.
+     *
+     * @return array The list of conference events or an empty array if no results.
+     */
+    public function conferenceById($conference_id, $from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -69,6 +93,11 @@ AND (event_time >= '%s 00:00:00' AND event_time <= '%s 23:59:59')
 ORDER BY
     pe.time";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $conference_id, $from_time, $until_time, $conference_id, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -78,8 +107,18 @@ ORDER BY
     }
 
 
-    // search/list specific conference name
-    public function conferenceByName($conference_name, $from_time, $until_time) {
+    /**
+     * Retrieves conference data by conference name within a specific time range.
+     *
+     * @param string $conference_name The conference name.
+     * @param string $from_time The start date in 'YYYY-MM-DD' format.
+     * @param string $until_time The end date in 'YYYY-MM-DD' format.
+     * @param int $offset The offset for pagination.
+     * @param int $items_per_page The number of items to retrieve per page.
+     *
+     * @return array The list of conference events or an empty array if no results.
+     */
+    public function conferenceByName($conference_name, $from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -139,6 +178,11 @@ AND (event_time >= '%s 00:00:00' AND event_time <= '%s 23:59:59')
 ORDER BY
     pe.time";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $conference_name, $from_time, $until_time, $conference_name, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -148,8 +192,17 @@ ORDER BY
     }
 
 
-    // list of all conferences
-    public function conferencesAllFormatted($from_time, $until_time) {
+    /**
+     * Retrieves all conferences within a specific time range, formatted.
+     *
+     * @param string $from_time The start date in 'YYYY-MM-DD' format.
+     * @param string $until_time The end date in 'YYYY-MM-DD' format.
+     * @param int $offset The offset for pagination.
+     * @param int $items_per_page The number of items to retrieve per page.
+     *
+     * @return array The list of formatted conference data or an empty array if no results.
+     */
+    public function conferencesAllFormatted($from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -234,6 +287,11 @@ WHERE (ce.time >= '%s 00:00:00' AND ce.time <= '%s 23:59:59')
 ORDER BY
     c.id";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -242,7 +300,15 @@ ORDER BY
         return $query->fetchAll(PDO::FETCH_ASSOC);
     }
 
-    // number of conferences
+
+    /**
+     * Retrieves the number of conferences within a specific time range.
+     *
+     * @param string $from_time The start date in 'YYYY-MM-DD' format.
+     * @param string $until_time The end date in 'YYYY-MM-DD' format.
+     *
+     * @return int The number of conferences found.
+     */
     public function conferenceNumber($from_time, $until_time) {
 
         // time period drill-down
@@ -259,25 +325,52 @@ ORDER BY
         $until_time = htmlspecialchars(strip_tags($until_time));
 
         // number of conferences for time period (if given)
-        // NB we need to cross check with first occurrence of "bridge selected"
-        // as in Jicofo logs there is no way to get the time for conference ID creation
+        // FIXME sometimes there is no start/end time, find a way around this
         $sql = "
-SELECT COUNT(c.conference_id) as conferences
-FROM
-    conferences c
-LEFT JOIN (
-    SELECT ce.conference_id, MIN(ce.time) as first_event_time
+SELECT COUNT(*) AS conferences
+    FROM (
+    SELECT DISTINCT
+        (SELECT COALESCE
+            (
+                (SELECT ce.time
                     FROM conference_events ce
-    WHERE ce.conference_event = 'bridge selected'
-    GROUP BY ce.conference_id
-) AS first_event ON c.conference_id = first_event.conference_id
-LEFT JOIN
-    conference_events ce ON c.conference_id = ce.conference_id
                     WHERE
-    (ce.time >= '%s 00:00:00' AND ce.time <= '%s 23:59:59')
-AND (ce.conference_event = 'conference created'
-    OR (ce.conference_event = 'bridge selected' AND ce.time = first_event.first_event_time)
-)";
+                        ce.conference_id = c.conference_id
+                        AND
+                        ce.conference_event = 'conference created'
+                ),
+                (SELECT ce.time
+                    FROM conference_events ce
+                    WHERE
+                        ce.conference_id = c.conference_id
+                        AND
+                        ce.conference_event = 'bridge selected'
+                )
+            )
+        ) AS start,
+        (SELECT COALESCE
+            (
+                (SELECT ce.time
+                    FROM conference_events ce
+                    WHERE
+                        ce.conference_id = c.conference_id
+                        AND
+                        (ce.conference_event = 'conference expired' OR ce.conference_event = 'conference stopped')
+                ),
+                (SELECT pe.time
+                    FROM participant_events pe
+                    WHERE
+                        pe.event_param = c.conference_id
+                        ORDER BY pe.time DESC
+                        LIMIT 1
+                )
+            )
+        ) AS end
+        FROM conferences c
+        JOIN
+            conference_events ce ON c.conference_id = ce.conference_id
+        WHERE (start >= '%s 00:00:00' AND end <= '%s 23:59:59')
+    ) AS subquery";
 
         $sql = sprintf($sql, $from_time, $until_time);
 
@@ -289,5 +382,3 @@ AND (ce.conference_event = 'conference created'
 
 
 }
-
-?>

app/classes/config.php

@@ -1,96 +1,158 @@
 <?php
 
+/**
+ * class Config
+ *
+ * Handles editing and fetching of the config files.
+ */
 class Config {
 
-    public function getPlatformDetails($config, $platform_id) {
-        $platformDetails = $config['platforms'][$platform_id];
-        return $platformDetails;
+    /**
+     * Edits a config file by updating specified options.
+     *
+     * @param array $updatedConfig Key-value pairs of config options to update.
+     * @param string $config_file Path to the config file.
+     *
+     * @return array Returns an array with 'success' and 'updated' keys on success, or 'success' and 'error' keys on failure.
+     */
+    public function editConfigFile($updatedConfig, $config_file) {
+        global $logObject, $userId;
+        $allLogs = [];
+        $updated = [];
+
+        try {
+            if (!is_array($updatedConfig)) {
+                throw new Exception("Invalid config data: expected array");
             }
 
-    // loading the config.js
-    public function getPlatformConfigjs($platformDetails, $raw = false) {
-        // constructing the URL
-        $configjsFile = $platformDetails['jitsi_url'] . '/config.js';
+            if (!file_exists($config_file) || !is_writable($config_file)) {
+                throw new Exception("Config file does not exist or is not writable: $config_file");
+            }
 
-        // default content, if we can't get the file contents
-        $platformConfigjs = "The file $configjsFile can't be loaded.";
+            // First we get a fresh config file contents as text
+            $config_contents = file_get_contents($config_file);
+            if ($config_contents === false) {
+                throw new Exception("Failed to read the config file: $config_file");
+            }
 
-        // ssl options
-        $contextOptions = [
-            'ssl' => [
-                'verify_peer'		=> true,
-                'verify_peer_name'	=> true,
-            ],
-        ];
-        $context = stream_context_create($contextOptions);
+            $lines = explode("\n", $config_contents);
 
-        // get the file
-        $fileContent = @file_get_contents($configjsFile, false, $context);
+            // We loop through the variables and update them
+            foreach ($updatedConfig as $key => $newValue) {
+                if (strpos($key, '[') !== false) {
+                    preg_match_all('/([^\[\]]+)/', $key, $matches);
+                    if (empty($matches[1])) continue;
 
-        if ($fileContent !== false) {
+                    $parts = $matches[1];
+                    $currentPath = [];
+                    $found = false;
+                    $inTargetArray = false;
 
-            // when we need only uncommented values
-            if ($raw === false) {
-                // remove block comments
-                $platformConfigjs = preg_replace('!/\*.*?\*/!s', '', $fileContent);
-                // remove single-line comments
-                $platformConfigjs = preg_replace('/\/\/[^\n]*/', '', $platformConfigjs);
-                // remove empty lines
-                $platformConfigjs = preg_replace('/^\s*[\r\n]/m', '', $platformConfigjs);
+                    foreach ($lines as $i => $line) {
+                        $line = rtrim($line);
 
-            // when we need the full file as it is
+                        if (preg_match("/^\\s*\\]/", $line)) {
+                            if (!empty($currentPath)) {
+                                if ($inTargetArray && end($currentPath) === $parts[0]) {
+                                    $inTargetArray = false;
+                                }
+                                array_pop($currentPath);
+                            }
+                            continue;
+                        }
+
+                        if (preg_match("/^\\s*['\"]([^'\"]+)['\"]\\s*=>/", $line, $matches)) {
+                            $key = $matches[1];
+
+                            if (strpos($line, '[') !== false) {
+                                $currentPath[] = $key;
+                                if ($key === $parts[0]) {
+                                    $inTargetArray = true;
+                                }
+                            } else if ($key === end($parts) && $inTargetArray) {
+                                $pathMatches = true;
+                                $expectedPath = array_slice($parts, 0, -1);
+
+                                if (count($currentPath) === count($expectedPath)) {
+                                    for ($j = 0; $j < count($expectedPath); $j++) {
+                                        if ($currentPath[$j] !== $expectedPath[$j]) {
+                                            $pathMatches = false;
+                                            break;
+                                        }
+                                    }
+
+                                    if ($pathMatches) {
+                                        if ($newValue === 'true' || $newValue === '1') {
+                                            $replacementValue = 'true';
+                                        } elseif ($newValue === 'false' || $newValue === '0') {
+                                            $replacementValue = 'false';
                                         } else {
-                $platformConfigjs = $fileContent;
+                                            $replacementValue = var_export($newValue, true);
+                                        }
+
+                                        if (preg_match("/^(\\s*['\"]" . preg_quote($key, '/') . "['\"]\\s*=>\\s*).*?(,?)\\s*$/", $line, $matches)) {
+                                            $lines[$i] = $matches[1] . $replacementValue . $matches[2];
+                                            $updated[] = implode('.', array_merge($currentPath, [$key]));
+                                            $found = true;
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
 
-        return $platformConfigjs;
-
+                    if (!$found) {
+                        $allLogs[] = "Failed to update: $key";
                     }
-
-
-    // loading the interface_config.js
-    public function getPlatformInterfaceConfigjs($platformDetails, $raw = false) {
-        // constructing the URL
-        $interfaceConfigjsFile = $platformDetails['jitsi_url'] . '/interface_config.js';
-
-        // default content, if we can't get the file contents
-        $platformInterfaceConfigjs = "The file $interfaceConfigjsFile can't be loaded.";
-
-        // ssl options
-        $contextOptions = [
-            'ssl' => [
-                'verify_peer'		=> true,
-                'verify_peer_name'	=> true,
-            ],
-        ];
-        $context = stream_context_create($contextOptions);
-
-        // get the file
-        $fileContent = @file_get_contents($interfaceConfigjsFile, false, $context);
-
-        if ($fileContent !== false) {
-
-            // when we need only uncommented values
-            if ($raw === false) {
-                // remove block comments
-                $platformInterfaceConfigjs = preg_replace('!/\*.*?\*/!s', '', $fileContent);
-                // remove single-line comments
-                $platformInterfaceConfigjs = preg_replace('/\/\/[^\n]*/', '', $platformInterfaceConfigjs);
-                // remove empty lines
-                $platformInterfaceConfigjs = preg_replace('/^\s*[\r\n]/m', '', $platformInterfaceConfigjs);
-
-            // when we need the full file as it is
                 } else {
-                $platformInterfaceConfigjs = $fileContent;
+                    if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $key)) {
+                        throw new Exception("Invalid config key format: $key");
+                    }
+
+                    if ($newValue === 'true' || $newValue === '1') {
+                        $replacementValue = 'true';
+                    } elseif ($newValue === 'false' || $newValue === '0') {
+                        $replacementValue = 'false';
+                    } else {
+                        $replacementValue = var_export($newValue, true);
+                    }
+
+                    $found = false;
+                    foreach ($lines as $i => $line) {
+                        if (preg_match("/^(\\s*['\"]" . preg_quote($key, '/') . "['\"]\\s*=>\\s*).*?(,?)\\s*$/", $line, $matches)) {
+                            $lines[$i] = $matches[1] . $replacementValue . $matches[2];
+                            $updated[] = $key;
+                            $found = true;
+                            break;
                         }
                     }
 
-        return $platformInterfaceConfigjs;
-
+                    if (!$found) {
+                        $allLogs[] = "Failed to update: $key";
+                    }
+                }
             }
 
-
+            // We write the new config file
+            $new_contents = implode("\n", $lines);
+            if (file_put_contents($config_file, $new_contents) === false) {
+                throw new Exception("Failed to write the config file: $config_file");
             }
 
-?>
+            if (!empty($allLogs)) {
+                $logObject->log('info', implode("\n", $allLogs), ['user_id' => $userId, 'scope' => 'system']);
+            }
+
+            return [
+                'success' => true,
+                'updated' => $updated
+            ];
+        } catch (Exception $e) {
+            $logObject->log('error', "Config update error: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+            return [
+                'success' => false,
+                'error' => $e->getMessage()
+            ];
+        }
+    }
+}

app/classes/database.php

@@ -1,79 +1,223 @@
 <?php
 
-require '../app/helpers/errors.php';
-
+/**
+ * class Database
+ *
+ * Manages database connections for SQLite and MySQL (or MariaDB).
+ */
 class Database {
+    /**
+     * @var PDO|null $pdo The database connection instance.
+     */
     private $pdo;
 
+    /**
+     * Database constructor.
+     * Initializes the database connection based on provided options.
+     *
+     * @param array $options An associative array with database connection options:
+     *                       - type: The database type ('sqlite', 'mysql', or 'mariadb').
+     *                       - dbFile: The path to the SQLite database file (required for SQLite).
+     *                       - host: The database host (required for MySQL).
+     *                       - port: The port for MySQL (optional, default: 3306).
+     *                       - dbname: The name of the MySQL database (required for MySQL).
+     *                       - user: The username for MySQL (required for MySQL).
+     *                       - password: The password for MySQL (optional).
+     *
+     * @throws Exception If required extensions are not loaded or options are invalid.
+     */
     public function __construct($options) {
-        // pdo needed
+        // check if PDO extension is loaded
         if (!extension_loaded('pdo')) {
-            $error = getError('PDO extension not loaded.');
+            throw new Exception('PDO extension not loaded.');
         }
 
         // options check
         if (empty($options['type'])) {
-            $error = getError('Database type is not set.');
+            throw new Exception('Database type is not set.');
         }
 
-        // database type
+        // connect based on database type
         switch ($options['type']) {
             case 'sqlite':
                 $this->connectSqlite($options);
                 break;
-            case 'mysql' || 'mariadb':
+            case 'mysql':
+            case 'mariadb':
                 $this->connectMysql($options);
                 break;
             default:
-                $error = getError("Database type \"{$options['type']}\" is not supported.");
+                $this->pdo = null;
         }
     }
 
+    /**
+     * Establishes a connection to a SQLite database.
+     *
+     * @param array $options An associative array with SQLite connection options:
+     *                       - dbFile: The path to the SQLite database file.
+     *
+     * @throws Exception If the SQLite PDO extension is not loaded or the database file is missing.
+     */
     private function connectSqlite($options) {
         // pdo_sqlite extension is needed
         if (!extension_loaded('pdo_sqlite')) {
-            $error = getError('PDO extension for SQLite not loaded.');
+            throw new Exception('PDO extension for SQLite not loaded.');
         }
 
         // SQLite options
-        if (empty($options['dbFile']) || !file_exists($options['dbFile'])) {
-            $error = getError("SQLite database file \"{$dbFile}\" not found.");
+        if (empty($options['dbFile'])) {
+            throw new Exception('SQLite database file path is missing.');
+        }
+
+        // For in-memory database (especially for the tests), skip file check
+        if ($options['dbFile'] !== ':memory:' && !file_exists($options['dbFile'])) {
+            throw new Exception("SQLite database file \"{$options['dbFile']}\" not found.");
         }
 
         // connect to SQLite
         try {
             $this->pdo = new PDO("sqlite:" . $options['dbFile']);
             $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+            // enable foreign key constraints (not ON by default in SQLite3)
+            $this->pdo->exec('PRAGMA foreign_keys = ON;');
         } catch (PDOException $e) {
-            $error = getError('SQLite connection failed: ', $e->getMessage());
+            throw new Exception('SQLite connection failed: ' . $e->getMessage());
         }
     }
 
+    /**
+     * Establishes a connection to a MySQL (or MariaDB) database.
+     *
+     * @param array $options An associative array with MySQL connection options:
+     *                       - host: The database host.
+     *                       - port: The database port (default: 3306).
+     *                       - dbname: The name of the database.
+     *                       - user: The database username.
+     *                       - password: The database password (optional).
+     *
+     * @throws Exception If the MySQL PDO extension is not loaded or required options are missing.
+     */
     private function connectMysql($options) {
         // pdo_mysql extension is needed
         if (!extension_loaded('pdo_mysql')) {
-            $error = getError('PDO extension for MySQL not loaded.');
+            throw new Exception('PDO extension for MySQL not loaded.');
         }
 
         // MySQL options
         if (empty($options['host']) || empty($options['dbname']) || empty($options['user'])) {
-            $error = getError('MySQL connection data is missing.');
+            throw new Exception('MySQL connection data is missing.');
         }
 
         // Connect to MySQL
         try {
-            $dsn = "mysql:host={$options['host']};port={$options['port']};dbname={$options['dbname']};charset=utf8";
+            $port = $options['port'] ?? 3306;
+            $dsn = "mysql:host={$options['host']};port={$port};dbname={$options['dbname']};charset=utf8";
             $this->pdo = new PDO($dsn, $options['user'], $options['password'] ?? '');
             $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
         } catch (PDOException $e) {
-            $error = getError('MySQL connection failed: ', $config['environment'], $e->getMessage());
+            $this->pdo = null;
         }
     }
 
+    /**
+     * Retrieves the current PDO connection instance.
+     *
+     * @return PDO|null The PDO instance or null if no connection is established.
+     */
     public function getConnection() {
         return $this->pdo;
     }
 
+    /**
+     * Executes an SQL query with optional parameters.
+     *
+     * @param string $query The SQL query to execute
+     * @param array $params Optional parameters for the query
+     * @return PDOStatement|false The result of the query execution
+     * @throws Exception If the query fails
+     */
+    public function execute($query, $params = []) {
+        if (!$this->pdo) {
+            throw new Exception('No database connection.');
         }
 
-?>
+        try {
+            $stmt = $this->pdo->prepare($query);
+            $stmt->execute($params);
+            return $stmt;
+        } catch (PDOException $e) {
+            throw new Exception('Query execution failed: ' . $e->getMessage());
+        }
+    }
+
+    /**
+     * Prepares an SQL statement for execution.
+     *
+     * @param string $query The SQL query to prepare
+     * @return PDOStatement The prepared statement
+     * @throws Exception If the preparation fails
+     */
+    public function prepare($query) {
+        if (!$this->pdo) {
+            throw new Exception('No database connection.');
+        }
+
+        try {
+            return $this->pdo->prepare($query);
+        } catch (PDOException $e) {
+            throw new Exception('Statement preparation failed: ' . $e->getMessage());
+        }
+    }
+
+    /**
+     * Begins a database transaction.
+     *
+     * @throws Exception If starting the transaction fails
+     */
+    public function beginTransaction() {
+        if (!$this->pdo) {
+            throw new Exception('No database connection.');
+        }
+
+        try {
+            return $this->pdo->beginTransaction();
+        } catch (PDOException $e) {
+            throw new Exception('Failed to start transaction: ' . $e->getMessage());
+        }
+    }
+
+    /**
+     * Commits the current database transaction.
+     *
+     * @throws Exception If committing the transaction fails
+     */
+    public function commit() {
+        if (!$this->pdo) {
+            throw new Exception('No database connection.');
+        }
+
+        try {
+            return $this->pdo->commit();
+        } catch (PDOException $e) {
+            throw new Exception('Failed to commit transaction: ' . $e->getMessage());
+        }
+    }
+
+    /**
+     * Rolls back the current database transaction.
+     *
+     * @throws Exception If rolling back the transaction fails
+     */
+    public function rollBack() {
+        if (!$this->pdo) {
+            throw new Exception('No database connection.');
+        }
+
+        try {
+            return $this->pdo->rollBack();
+        } catch (PDOException $e) {
+            throw new Exception('Failed to rollback transaction: ' . $e->getMessage());
+        }
+    }
+}

app/classes/feedback.php

@@ -0,0 +1,238 @@
+<?php
+
+class Feedback {
+    // Feedback types
+    const TYPE_SUCCESS = 'success';
+    const TYPE_ERROR = 'danger';
+    const TYPE_INFO = 'info';
+    const TYPE_WARNING = 'warning';
+
+    // Default feedback message configurations
+    const NOTICE = [
+        'DEFAULT' => [
+            'type' => self::TYPE_INFO,
+            'dismissible' => true
+        ]
+    ];
+
+    const ERROR = [
+        'DEFAULT' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ]
+    ];
+
+    const LOGIN = [
+        'LOGIN_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'LOGIN_FAILED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+        'LOGOUT_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'SESSION_TIMEOUT' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ],
+        'IP_BLACKLISTED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+        'IP_NOT_WHITELISTED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+        'TOO_MANY_ATTEMPTS' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ]
+    ];
+
+    const REGISTER = [
+        'SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'FAILED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ],
+        'DISABLED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+    ];
+
+    const SECURITY = [
+        'WHITELIST_ADD_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'WHITELIST_ADD_ERROR' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ],
+        'WHITELIST_REMOVE_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'WHITELIST_REMOVE_ERROR' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ],
+        'BLACKLIST_ADD_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'BLACKLIST_ADD_ERROR' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ],
+        'BLACKLIST_REMOVE_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'BLACKLIST_REMOVE_ERROR' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ],
+        'RATE_LIMIT_INFO' => [
+            'type' => self::TYPE_INFO,
+            'dismissible' => false
+        ],
+        'PERMISSION_DENIED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+        'IP_REQUIRED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ]
+    ];
+
+    const THEME = [
+        'THEME_CHANGE_SUCCESS' => [
+            'type' => self::TYPE_SUCCESS,
+            'dismissible' => true
+        ],
+        'THEME_CHANGE_FAILED' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => true
+        ]
+    ];
+
+    const SYSTEM = [
+        'DB_ERROR' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+        'DB_CONNECT_ERROR' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+        'DB_UNKNOWN_TYPE' => [
+            'type' => self::TYPE_ERROR,
+            'dismissible' => false
+        ],
+    ];
+
+    private static $strings = null;
+
+    /**
+     * Get feedback message strings
+     */
+    private static function getStrings() {
+        if (self::$strings === null) {
+            self::$strings = require __DIR__ . '/../includes/strings.php';
+        }
+        return self::$strings;
+    }
+
+    /**
+     * Get feedback message configuration by key
+     */
+    public static function get($category, $key) {
+        $config = constant("self::$category")[$key] ?? null;
+        if (!$config) return null;
+
+        $strings = self::getStrings();
+        $message = $strings[$category][$key] ?? '';
+
+        return array_merge($config, ['message' => $message]);
+    }
+
+    /**
+     * Render feedback message HTML
+     */
+    // Usage: echo Feedback::render('LOGIN', 'LOGIN_SUCCESS', 'custom message [or null]', true [for dismissible; or null], true [for small; or omit]);
+    public static function render($category, $key, $customMessage = null, $dismissible = null, $small = false, $sanitize = true) {
+        $config = self::get($category, $key);
+        if (!$config) return '';
+
+        $message = $customMessage ?? $config['message'];
+        $isDismissible = $dismissible ?? $config['dismissible'] ?? false;
+        $dismissClass = $isDismissible ? ' alert-dismissible fade show' : '';
+        $dismissButton = $isDismissible ? '<button type="button" class="btn-close' . ($small ? ' btn-close-sm' : '') . '" data-bs-dismiss="alert" aria-label="Close"></button>' : '';
+        $smallClass = $small ? ' alert-sm' : '';
+
+        return sprintf(
+            '<div class="alert alert-%s%s%s" role="alert">%s%s</div>',
+            $config['type'],
+            $dismissClass,
+            $smallClass,
+            $sanitize ? htmlspecialchars($message) : $message,
+            $dismissButton
+        );
+    }
+
+    /**
+     * Get feedback message data for JavaScript
+     */
+    public static function getMessageData($category, $key, $customMessage = null, $dismissible = null, $small = false) {
+        $config = self::get($category, $key);
+        if (!$config) return null;
+
+        return [
+            'type' => $config['type'],
+            'message' => $customMessage ?? $config['message'],
+            'dismissible' => $dismissible ?? $config['dismissible'] ?? false,
+            'small' => $small
+        ];
+    }
+
+    /**
+     * Store feedback message in session for display after redirect
+     */
+    // Usage: Feedback::flash('LOGIN', 'LOGIN_SUCCESS', 'custom message [or null]', true [for dismissible; or null], true [for small; or omit]);
+    public static function flash($category, $key, $customMessage = null, $dismissible = null, $small = false) {
+        if (!isset($_SESSION['flash_messages'])) {
+            $_SESSION['flash_messages'] = [];
+        }
+
+        // Get the feedback message configuration
+        $config = self::get($category, $key);
+        $isDismissible = $dismissible ?? $config['dismissible'] ?? false;
+
+        $_SESSION['flash_messages'][] = [
+            'category' => $category,
+            'key' => $key,
+            'custom_message' => $customMessage,
+            'dismissible' => $isDismissible,
+            'small' => $small
+        ];
+    }
+
+    /**
+     * Get and clear all flash feedback messages
+     */
+    public static function getFlash() {
+        $system_messages = $_SESSION['flash_messages'] ?? [];
+        unset($_SESSION['flash_messages']);
+        return $system_messages;
+    }
+}

app/classes/host.php

@@ -0,0 +1,165 @@
+<?php
+
+/**
+ * class Host
+ *
+ * Manages the hosts in the database, providing methods to retrieve, add, edit, and delete host entries.
+ */
+class Host {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
+    private $db;
+
+    /**
+     * Host constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
+    public function __construct($database) {
+        $this->db = $database->getConnection();
+    }
+
+
+    /**
+     * Get details of a specified host ID (or all hosts) in a specified platform ID.
+     *
+     * @param string $platform_id The platform ID to filter the hosts by (optional).
+     * @param string $host_id The host ID to filter the details (optional).
+     *
+     * @return array The details of the host(s) in the form of an associative array.
+     */
+    public function getHostDetails($platform_id = '', $host_id = '') {
+        $sql = 'SELECT
+                    id,
+                    address,
+                    platform_id,
+                    name
+                FROM
+                    host';
+
+        if ($platform_id !== '' && $host_id !== '') {
+            $sql .= ' WHERE platform_id = :platform_id AND id = :host_id';
+        } elseif ($platform_id !== '') {
+            $sql .= ' WHERE platform_id = :platform_id';
+        } elseif ($host_id !== '') {
+            $sql .= ' WHERE id = :host_id';
+        }
+
+        $query = $this->db->prepare($sql);
+
+        if ($platform_id !== '') {
+            $query->bindParam(':platform_id', $platform_id);
+        }
+        if ($host_id !== '') {
+            $query->bindParam(':host_id', $host_id);
+        }
+
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+
+    /**
+     * Add a new host to the database.
+     *
+     * @param array $newHost An associative array containing the details of the host to be added.
+     *
+     * @return bool True if the host was added successfully, otherwise false.
+     */
+    public function addHost($newHost) {
+        try {
+            $sql = 'INSERT INTO host
+                    (address, platform_id, name)
+                    VALUES
+                    (:address, :platform_id, :name)';
+
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':address'          => $newHost['address'],
+                ':platform_id'		=> $newHost['platform_id'],
+                ':name'             => $newHost['name'],
+            ]);
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Edit an existing host in the database.
+     *
+     * @param string $platform_id The platform ID to which the host belongs.
+     * @param array $updatedHost An associative array containing the updated details of the host.
+     *
+     * @return bool|string True if the host was updated successfully, otherwise error message.
+     */
+    public function editHost($platform_id, $updatedHost) {
+        try {
+            $sql = 'UPDATE host SET
+                        address = :address,
+                        name = :name
+                    WHERE
+                        id = :id AND platform_id = :platform_id';
+
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':id'           => $updatedHost['id'],
+                ':platform_id'  => $platform_id,
+                ':address'      => $updatedHost['address'],
+                ':name'         => $updatedHost['name']
+            ]);
+
+            if ($query->rowCount() === 0) {
+                return "No host found with ID {$updatedHost['id']} in platform $platform_id";
+            }
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Delete a host from the database.
+     *
+     * @param int $host_id The ID of the host to be deleted.
+     *
+     * @return bool True if the host was deleted successfully, otherwise false.
+     */
+    public function deleteHost($host_id) {
+        try {
+            // Start transaction
+            $this->db->beginTransaction();
+
+            // First delete all agents associated with this host
+            $sql = 'DELETE FROM jilo_agent WHERE host_id = :host_id';
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':host_id', $host_id);
+            $query->execute();
+
+            // Then delete the host
+            $sql = 'DELETE FROM host WHERE id = :host_id';
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':host_id', $host_id);
+            $query->execute();
+
+            // Commit transaction
+            $this->db->commit();
+            return true;
+
+        } catch (Exception $e) {
+            // Rollback transaction on error
+            $this->db->rollBack();
+            return $e->getMessage();
+        }
+    }
+
+}

app/classes/log.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * Log wrapper that delegates to plugin Log or NullLogger fallback.
+ * Used when code does require_once '../app/classes/log.php'.
+ */
+
+// If there is already a Log plugin loaded
+if (class_exists('Log')) {
+    return;
+}
+
+// Load fallback NullLogger
+require_once __DIR__ . '/../core/NullLogger.php';
+
+class Log {
+    private $logger;
+
+    /**
+     * @param mixed $database Database or DatabaseConnector instance
+     */
+    public function __construct($database) {
+        global $logObject;
+        if (isset($logObject) && method_exists($logObject, 'insertLog')) {
+            $this->logger = $logObject;
+        } else {
+            $this->logger = new \App\Core\NullLogger();
+        }
+    }
+
+    /**
+     * PSR-3 compatible log method
+     * @param string $level
+     * @param string $message
+     * @param array $context
+     */
+    public function log(string $level, string $message, array $context = []): void {
+        $this->logger->log($level, $message, $context);
+    }
+}

app/classes/participant.php

@@ -1,15 +1,40 @@
 <?php
 
+/**
+ * class Participant
+ *
+ * This class provides methods to retrieve information about participants and their related conference data.
+ * It supports querying participant details by ID, name, or IP, as well as listing all participants and counting them within a specific time frame.
+ */
 class Participant {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
     private $db;
 
+    /**
+     * Constructor
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
     public function __construct($database) {
         $this->db = $database->getConnection();
     }
 
 
-    // search/list specific participant ID
-    public function conferenceByParticipantId($participant_id, $from_time, $until_time) {
+    /**
+     * Retrieve conferences by participant ID within a specified time period.
+     *
+     * @param string $participant_id  The participant's ID (endpoint_id).
+     * @param string $from_time       The start date (format: 'YYYY-MM-DD'). Defaults to '0000-01-01' if empty.
+     * @param string $until_time      The end date (format: 'YYYY-MM-DD'). Defaults to '9999-12-31' if empty.
+     * @param int    $offset          The offset for pagination.
+     * @param int    $items_per_page  The number of items per page for pagination.
+     *
+     * @return array List of conferences involving the specified participant ID.
+     */
+    public function conferenceByParticipantId($participant_id, $from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -69,6 +94,11 @@ AND (event_time >= '%s 00:00:00' AND event_time <= '%s 23:59:59')
 ORDER BY
     pe.time";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $participant_id, $from_time, $until_time, $participant_id, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -78,8 +108,18 @@ ORDER BY
     }
 
 
-    // search/list specific participant name (stats_id)
-    public function conferenceByParticipantName($participant_name, $from_time, $until_time) {
+    /**
+     * Retrieve conferences by participant name within a specified time period.
+     *
+     * @param string $participant_name The participant's name (stats_id).
+     * @param string $from_time        The start date (format: 'YYYY-MM-DD'). Defaults to '0000-01-01' if empty.
+     * @param string $until_time       The end date (format: 'YYYY-MM-DD'). Defaults to '9999-12-31' if empty.
+     * @param int    $offset           The offset for pagination.
+     * @param int    $items_per_page   The number of items per page for pagination.
+     *
+     * @return array List of conferences involving the specified participant name.
+     */
+    public function conferenceByParticipantName($participant_name, $from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -139,6 +179,11 @@ AND (event_time >= '%s 00:00:00' AND event_time <= '%s 23:59:59')
 ORDER BY
     pe.time";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $participant_name, $from_time, $until_time, $participant_name, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -148,8 +193,18 @@ ORDER BY
     }
 
 
-    // search/list specific participant IP
-    public function conferenceByParticipantIP($participant_ip, $from_time, $until_time) {
+    /**
+     * Retrieve conferences by participant IP within a specified time period.
+     *
+     * @param string $participant_ip   The participant's IP address.
+     * @param string $from_time        The start date (format: 'YYYY-MM-DD'). Defaults to '0000-01-01' if empty.
+     * @param string $until_time       The end date (format: 'YYYY-MM-DD'). Defaults to '9999-12-31' if empty.
+     * @param int    $offset           The offset for pagination.
+     * @param int    $items_per_page   The number of items per page for pagination.
+     *
+     * @return array List of conferences involving the specified participant IP.
+     */
+    public function conferenceByParticipantIP($participant_ip, $from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -209,6 +264,11 @@ AND (event_time >= '%s 00:00:00' AND event_time <= '%s 23:59:59')
 ORDER BY
     pe.time";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $participant_ip, $from_time, $until_time, $participant_ip, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -218,8 +278,17 @@ ORDER BY
     }
 
 
-    // list of all participants
-    public function participantsAll($from_time, $until_time) {
+    /**
+     * Retrieve a list of all participants within a specified time period.
+     *
+     * @param string $from_time       The start date (format: 'YYYY-MM-DD'). Defaults to '0000-01-01' if empty.
+     * @param string $until_time      The end date (format: 'YYYY-MM-DD'). Defaults to '9999-12-31' if empty.
+     * @param int    $offset          The offset for pagination.
+     * @param int    $items_per_page  The number of items per page for pagination.
+     *
+     * @return array List of all participants.
+     */
+    public function participantsAll($from_time, $until_time, $offset=0, $items_per_page='') {
 
         // time period drill-down
         // FIXME make it similar to the bash version
@@ -246,6 +315,11 @@ WHERE
     pe.time >= '%s 00:00:00' AND pe.time <= '%s 23:59:59'
 ORDER BY p.id";
 
+        if ($items_per_page) {
+            $items_per_page = (int)$items_per_page;
+            $sql .= ' LIMIT ' . $offset . ',' . $items_per_page;
+        }
+
         $sql = sprintf($sql, $from_time, $until_time);
 
         $query = $this->db->prepare($sql);
@@ -254,7 +328,15 @@ ORDER BY p.id";
         return $query->fetchAll(PDO::FETCH_ASSOC);
     }
 
-    // number of participants
+
+    /**
+     * Count the number of participants within a specified time period.
+     *
+     * @param string $from_time  The start date (format: 'YYYY-MM-DD'). Defaults to '0000-01-01' if empty.
+     * @param string $until_time The end date (format: 'YYYY-MM-DD'). Defaults to '9999-12-31' if empty.
+     *
+     * @return int The number of participants.
+     */
     public function participantNumber($from_time, $until_time) {
 
         // time period drill-down
@@ -289,7 +371,4 @@ AND pe.event_type = 'participant joining'";
         return $query->fetchAll(PDO::FETCH_ASSOC);
     }
 
-
 }
-
-?>

app/classes/passwordReset.php

@@ -0,0 +1,172 @@
+<?php
+
+/**
+ * Handles password reset functionality including token generation and validation
+ */
+class PasswordReset {
+    private $db;
+    private const TOKEN_LENGTH = 32;
+    private const TOKEN_EXPIRY = 3600; // 1 hour
+
+    public function __construct($database) {
+        if ($database instanceof PDO) {
+            $this->db = $database;
+        } else {
+            $this->db = $database->getConnection();
+        }
+    }
+
+    /**
+     * Creates a password reset request and sends email to user
+     *
+     * @param string $email User's email address
+     * @return array Status of the reset request
+     */
+    public function requestReset($email) {
+        // Check if email exists
+        $query = $this->db->prepare("
+            SELECT u.id, um.email
+            FROM user u
+            JOIN user_meta um ON u.id = um.user_id
+            WHERE um.email = :email"
+        );
+        $query->bindParam(':email', $email);
+        $query->execute();
+
+        $user = $query->fetch(PDO::FETCH_ASSOC);
+        if (!$user) {
+            return ['success' => false, 'message' => 'If this email exists in our system, you will receive reset instructions.'];
+        }
+
+        // Generate unique token
+        $token = bin2hex(random_bytes(self::TOKEN_LENGTH / 2));
+        $expires = time() + self::TOKEN_EXPIRY;
+
+        // Store token in database
+        $query = $this->db->prepare("
+            INSERT INTO user_password_reset (user_id, token, expires)
+            VALUES (:user_id, :token, :expires)"
+        );
+        $query->bindParam(':user_id', $user['id']);
+        $query->bindParam(':token', $token);
+        $query->bindParam(':expires', $expires);
+
+        if (!$query->execute()) {
+            return ['success' => false, 'message' => 'Failed to process reset request'];
+        }
+
+        // We need the config for the email details
+        global $config;
+
+        // Prepare the reset link
+        $scheme = $_SERVER['REQUEST_SCHEME'];
+        $domain = trim($config['domain'], '/');
+        $folder = trim($config['folder'], '/');
+        $folderPath = $folder !== '' ? "/$folder" : '';
+        $resetLink = "{$scheme}://{$domain}{$folderPath}/index.php?page=login&action=reset&token=" . urlencode($token);
+
+        // Send email with reset link
+        $to = $user['email'];
+        $subject = "{$config['site_name']} - Password reset request";
+        $message = "Dear user,\n\n";
+        $message .= "We received a request to reset your password for your {$config['site_name']} account.\n\n";
+        $message .= "To set a new password, please click the link below:\n\n";
+        $message .= $resetLink . "\n\n";
+        $message .= "This link will expire in 1 hour for security reasons.\n\n";
+        $message .= "If you did not request this password reset, please ignore this email. Your account remains secure.\n\n";
+        if (!empty($config['site_name'])) {
+            $message .= "Best regards,\n";
+            $message .= "The {$config['site_name']} team\n";
+            if (!empty($config['site_slogan'])) {
+                $message .= ":: {$config['site_slogan']} ::";
+            }
+        }
+
+        $headers = [
+            'From' => "noreply@{$config['domain']}",
+            'Reply-To' => "noreply@{$config['domain']}",
+            'X-Mailer' => 'PHP/' . phpversion()
+        ];
+
+        if (!mail($to, $subject, $message, $headers)) {
+            return ['success' => false, 'message' => 'Failed to send reset email'];
+        }
+
+        return ['success' => true, 'message' => 'If this email exists in our system, you will receive reset instructions.'];
+    }
+
+    /**
+     * Validates a reset token and returns associated user ID if valid
+     *
+     * @param string $token Reset token
+     * @return array Validation result with user ID if successful
+     */
+    public function validateToken($token) {
+        $now = time();
+
+        $query = $this->db->prepare("
+            SELECT user_id
+            FROM user_password_reset
+            WHERE token = :token
+            AND expires > :now
+            AND used = 0
+        ");
+
+        $query->bindParam(':token', $token);
+        $query->bindParam(':now', $now);
+        $query->execute();
+
+        $result = $query->fetch(PDO::FETCH_ASSOC);
+
+        if (!$result) {
+            return ['valid' => false];
+        }
+
+        return ['valid' => true, 'user_id' => $result['user_id']];
+    }
+
+    /**
+     * Completes the password reset process
+     *
+     * @param string $token Reset token
+     * @param string $newPassword New password
+     * @return bool Whether reset was successful
+     */
+    public function resetPassword($token, $newPassword) {
+        $validation = $this->validateToken($token);
+        if (!$validation['valid']) {
+            return false;
+        }
+
+        // Start transaction
+        $this->db->beginTransaction();
+
+        try {
+            // Update password
+            $hashedPassword = password_hash($newPassword, PASSWORD_DEFAULT);
+            $query = $this->db->prepare(
+                "UPDATE user
+                SET password = :password
+                WHERE id = :user_id"
+            );
+            $query->bindParam(':password', $hashedPassword);
+            $query->bindParam(':user_id', $validation['user_id']);
+            $query->execute();
+
+            // Mark token as used
+            $query = $this->db->prepare(
+                "UPDATE user_password_reset
+                SET used = 1
+                WHERE token = :token"
+            );
+            $query->bindParam(':token', $token);
+            $query->execute();
+
+            $this->db->commit();
+            return true;
+        } catch (Exception $e) {
+            $this->db->rollBack();
+            return false;
+        }
+    }
+}

app/classes/platform.php

@@ -0,0 +1,163 @@
+<?php
+
+/**
+ * class Platform
+ *
+ * Handles platform management in the database, including retrieving, adding, editing, and deleting platforms.
+ */
+class Platform {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
+    private $db;
+
+    /**
+     * Platform constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
+    public function __construct($database) {
+        $this->db = $database->getConnection();
+    }
+
+
+    /**
+     * Retrieve details of a specific platform or all platforms.
+     *
+     * @param string $platform_id The ID of the platform to retrieve details for (optional).
+     *
+     * @return array An associative array containing platform details.
+     */
+    public function getPlatformDetails($platform_id = '') {
+        $sql = 'SELECT * FROM platform';
+        if ($platform_id !== '') {
+            $sql .= ' WHERE id = :platform_id';
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':platform_id', $platform_id);
+        } else {
+            $query = $this->db->prepare($sql);
+        }
+
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+
+    /**
+     * Add a new platform to the database.
+     *
+     * @param array $newPlatform An associative array containing the details of the new platform:
+     *                           - `name` (string): The name of the platform.
+     *                           - `jitsi_url` (string): The URL for the Jitsi integration.
+     *                           - `jilo_database` (string): The database name for Jilo integration.
+     *
+     * @return bool|string True if the platform was added successfully, or an error message on failure.
+     */
+    public function addPlatform($newPlatform) {
+        try {
+            $sql = 'INSERT INTO platform
+                    (name, jitsi_url, jilo_database)
+                    VALUES
+                    (:name, :jitsi_url, :jilo_database)';
+
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':name'			=> $newPlatform['name'],
+                ':jitsi_url'		=> $newPlatform['jitsi_url'],
+                ':jilo_database'	=> $newPlatform['jilo_database'],
+            ]);
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Edit an existing platform in the database.
+     *
+     * @param int $platform_id The ID of the platform to update.
+     * @param array $updatedPlatform An associative array containing the updated platform details:
+     *                               - `name` (string): The updated name of the platform.
+     *                               - `jitsi_url` (string): The updated Jitsi URL.
+     *                               - `jilo_database` (string): The updated Jilo database name.
+     *
+     * @return bool|string True if the platform was updated successfully, or an error message on failure.
+     */
+    public function editPlatform($platform_id, $updatedPlatform) {
+        try {
+            $sql = 'UPDATE platform SET
+                        name = :name,
+                        jitsi_url = :jitsi_url,
+                        jilo_database = :jilo_database
+                    WHERE
+                        id = :platform_id';
+
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':name'			=> $updatedPlatform['name'],
+                ':jitsi_url'		=> $updatedPlatform['jitsi_url'],
+                ':jilo_database'	=> $updatedPlatform['jilo_database'],
+                ':platform_id'		=> $platform_id,
+            ]);
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+
+    /**
+     * Delete a platform from the database.
+     *
+     * @param int $platform_id The ID of the platform to delete.
+     *
+     * @return bool|string True if the platform was deleted successfully, or an error message on failure.
+     */
+    public function deletePlatform($platform_id) {
+        try {
+            $this->db->beginTransaction();
+
+            // First, get all hosts in this platform
+            $sql = 'SELECT id FROM host WHERE platform_id = :platform_id';
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':platform_id', $platform_id);
+            $query->execute();
+            $hosts = $query->fetchAll(PDO::FETCH_ASSOC);
+
+            // Delete all agents for each host
+            foreach ($hosts as $host) {
+                $sql = 'DELETE FROM jilo_agent WHERE host_id = :host_id';
+                $query = $this->db->prepare($sql);
+                $query->bindParam(':host_id', $host['id']);
+                $query->execute();
+            }
+
+            // Delete all hosts in this platform
+            $sql = 'DELETE FROM host WHERE platform_id = :platform_id';
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':platform_id', $platform_id);
+            $query->execute();
+
+            // Finally, delete the platform
+            $sql = 'DELETE FROM platform WHERE id = :platform_id';
+            $query = $this->db->prepare($sql);
+            $query->bindParam(':platform_id', $platform_id);
+            $query->execute();
+
+            $this->db->commit();
+            return true;
+
+        } catch (Exception $e) {
+            $this->db->rollBack();
+            return $e->getMessage();
+        }
+    }
+
+}

app/classes/ratelimiter.php

@@ -0,0 +1,668 @@
+<?php
+
+use App\Core\NullLogger;
+
+class RateLimiter {
+    public $db;
+    private $database;
+    /** @var mixed NullLogger (or PSR-3 logger) or plugin Log */
+    private $logger;
+    public $maxAttempts = 5;           // Maximum login attempts
+    public $decayMinutes = 15;         // Time window in minutes
+    public $autoBlacklistThreshold = 10; // Attempts before auto-blacklist
+    public $autoBlacklistDuration = 24;  // Hours to blacklist for
+    public $authRatelimitTable = 'security_rate_auth';  // For rate limiting username/password attempts
+    public $pagesRatelimitTable = 'security_rate_page';  // For rate limiting page requests
+    public $whitelistTable = 'security_ip_whitelist';  // For whitelisting IPs and network ranges
+    public $blacklistTable = 'security_ip_blacklist';  // For blacklisting IPs and network ranges
+    private $pageLimits = [
+        // Default rate limits per minute
+        'default' => 60,
+        'admin' => 120,
+        'message' => 20,
+        'contact' => 30,
+        'call' => 30,
+        'register' => 5,
+        'config' => 10
+    ];
+
+    /**
+     * @param mixed $database Database object
+     * @param mixed $logger Optional NullLogger (or PSR-3 logger) or plugin Log
+     */
+    public function __construct($database, $logger = null) {
+        $this->database = $database;
+        $this->db = $database->getConnection();
+        // Initialize logger (plugin Log if present or NullLogger otherwise)
+        if ($logger !== null) {
+            $this->logger = $logger;
+        } else {
+            global $logObject;
+            $this->logger = isset($logObject) && is_object($logObject) && method_exists($logObject, 'info')
+                ? $logObject
+                : new NullLogger();
+        }
+        // Initialize database tables
+        $this->createTablesIfNotExist();
+    }
+
+    // Database preparation
+    private function createTablesIfNotExist() {
+        // Authentication attempts table
+        $sql = "CREATE TABLE IF NOT EXISTS {$this->authRatelimitTable} (
+            id int(11) PRIMARY KEY AUTO_INCREMENT,
+            ip_address VARCHAR(45) NOT NULL,
+            username VARCHAR(255) NOT NULL,
+            attempted_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            INDEX idx_ip_username (ip_address, username)
+        )";
+        $this->db->exec($sql);
+
+        // Pages rate limits table
+        $sql = "CREATE TABLE IF NOT EXISTS {$this->pagesRatelimitTable} (
+            id int(11) PRIMARY KEY AUTO_INCREMENT,
+            ip_address VARCHAR(45) NOT NULL,
+            endpoint VARCHAR(255) NOT NULL,
+            request_time DATETIME DEFAULT CURRENT_TIMESTAMP,
+            INDEX idx_ip_endpoint (ip_address, endpoint),
+            INDEX idx_request_time (request_time)
+        )";
+        $this->db->exec($sql);
+
+        // IP whitelist table
+        $sql = "CREATE TABLE IF NOT EXISTS {$this->whitelistTable} (
+            id int(11) PRIMARY KEY AUTO_INCREMENT,
+            ip_address VARCHAR(45) NOT NULL,
+            is_network BOOLEAN DEFAULT FALSE,
+            description VARCHAR(255),
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            created_by VARCHAR(255),
+            UNIQUE KEY unique_ip (ip_address)
+        )";
+        $this->db->exec($sql);
+
+        // IP blacklist table
+        $sql = "CREATE TABLE IF NOT EXISTS {$this->blacklistTable} (
+            id int(11) PRIMARY KEY AUTO_INCREMENT,
+            ip_address VARCHAR(45) NOT NULL,
+            is_network BOOLEAN DEFAULT FALSE,
+            reason VARCHAR(255),
+            expiry_time TIMESTAMP NULL,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            created_by VARCHAR(255),
+            UNIQUE KEY unique_ip (ip_address)
+        )";
+        $this->db->exec($sql);
+
+        // Default IPs to whitelist (local interface and private networks IPs)
+        $defaultIps = [
+            ['127.0.0.1', false, 'localhost IPv4'],
+            ['::1', false, 'localhost IPv6'],
+            ['10.0.0.0/8', true, 'Private network (Class A)'],
+            ['172.16.0.0/12', true, 'Private network (Class B)'],
+            ['192.168.0.0/16', true, 'Private network (Class C)']
+        ];
+
+        // Insert default whitelisted IPs if they don't exist
+        $stmt = $this->db->prepare("INSERT IGNORE INTO {$this->whitelistTable}
+            (ip_address, is_network, description, created_by)
+            VALUES (?, ?, ?, 'system')");
+        foreach ($defaultIps as $ip) {
+            $stmt->execute([$ip[0], $ip[1], $ip[2]]);
+        }
+
+        // Insert known malicious networks
+        $defaultBlacklist = [
+            ['0.0.0.0/8', true, 'Reserved address space - RFC 1122'],
+            ['100.64.0.0/10', true, 'Carrier-grade NAT space - RFC 6598'],
+            ['192.0.2.0/24', true, 'TEST-NET-1 Documentation space - RFC 5737'],
+            ['198.51.100.0/24', true, 'TEST-NET-2 Documentation space - RFC 5737'],
+            ['203.0.113.0/24', true, 'TEST-NET-3 Documentation space - RFC 5737']
+        ];
+
+        $stmt = $this->db->prepare("INSERT IGNORE INTO {$this->blacklistTable}
+            (ip_address, is_network, reason, created_by)
+            VALUES (?, ?, ?, 'system')");
+
+        foreach ($defaultBlacklist as $ip) {
+            $stmt->execute([$ip[0], $ip[1], $ip[2]]);
+        }
+
+    }
+
+    /**
+     * Get number of recent login attempts for an IP
+     */
+    public function getRecentAttempts($ip) {
+        $stmt = $this->db->prepare("SELECT COUNT(*) as attempts FROM {$this->authRatelimitTable}
+            WHERE ip_address = ? AND attempted_at > DATE_SUB(NOW(), INTERVAL ? MINUTE)");
+        $stmt->execute([$ip, $this->decayMinutes]);
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+        return intval($result['attempts']);
+    }
+
+    /**
+     * Check if an IP is blacklisted
+     */
+    public function isIpBlacklisted($ip) {
+        // First check if IP is explicitly blacklisted or in a blacklisted range
+        $stmt = $this->db->prepare("SELECT ip_address, is_network, expiry_time FROM {$this->blacklistTable} WHERE ip_address = ?");
+        $stmt->execute([$ip]);
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+        if ($row) {
+            // Skip expired entries
+            if ($row['expiry_time'] !== null && strtotime($row['expiry_time']) < time()) {
+                return false;
+            }
+            return true;
+        }
+
+        // Check network ranges
+        $stmt = $this->db->prepare("SELECT ip_address, expiry_time FROM {$this->blacklistTable} WHERE is_network = 1");
+        $stmt->execute();
+
+        while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
+            // Skip expired entries
+            if ($row['expiry_time'] !== null && strtotime($row['expiry_time']) < time()) {
+                continue;
+            }
+
+            if ($this->ipInRange($ip, $row['ip_address'])) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if an IP is whitelisted
+     */
+    public function isIpWhitelisted($ip) {
+        // Check exact IP match first
+        $stmt = $this->db->prepare("SELECT ip_address FROM {$this->whitelistTable} WHERE ip_address = ?");
+        $stmt->execute([$ip]);
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if ($row) {
+            return true;
+        }
+
+        // Only check ranges for IPv4 addresses
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            // Check network ranges
+            $stmt = $this->db->prepare("SELECT ip_address FROM {$this->whitelistTable} WHERE is_network = 1");
+            $stmt->execute();
+
+            while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
+                if ($this->ipInRange($ip, $row['ip_address'])) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    private function ipInRange($ip, $cidr) {
+        // Only work with IPv4 addresses
+        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return false;
+        }
+
+        list($subnet, $bits) = explode('/', $cidr);
+
+        // Make sure subnet is IPv4
+        if (!filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return false;
+        }
+
+        $ip = ip2long($ip);
+        $subnet = ip2long($subnet);
+        $mask = -1 << (32 - $bits);
+        $subnet &= $mask;
+
+        return ($ip & $mask) == $subnet;
+    }
+
+    // Add to whitelist
+    public function addToWhitelist($ip, $isNetwork = false, $description = '', $createdBy = 'system', $userId = null) {
+        try {
+            // Check if IP is blacklisted first
+            if ($this->isIpBlacklisted($ip)) {
+                $message = "Cannot whitelist {$ip} - IP is currently blacklisted";
+                if ($userId) {
+                    $this->logger->log('info', "IP Whitelist: {$message}", ['user_id' => $userId, 'scope' => 'system']);
+                    Feedback::flash('ERROR', 'DEFAULT', $message);
+                }
+                return false;
+            }
+
+            $stmt = $this->db->prepare("INSERT INTO {$this->whitelistTable}
+                (ip_address, is_network, description, created_by)
+                VALUES (?, ?, ?, ?)
+                ON DUPLICATE KEY UPDATE
+                is_network = VALUES(is_network),
+                description = VALUES(description),
+                created_by = VALUES(created_by)");
+
+                $result = $stmt->execute([$ip, $isNetwork, $description, $createdBy]);
+
+                if ($result) {
+                    $logMessage = sprintf(
+                        'IP Whitelist: Added %s "%s" by %s. Description: %s',
+                        $isNetwork ? 'network' : 'IP',
+                        $ip,
+                        $createdBy,
+                        $description
+                    );
+                    $this->logger->log('info', $logMessage, ['user_id' => $userId ?? null, 'scope' => 'system']);
+                }
+
+            return $result;
+
+        } catch (Exception $e) {
+            if ($userId) {
+                $this->logger->log('error', "IP Whitelist: Failed to add {$ip}: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+                Feedback::flash('ERROR', 'DEFAULT', "IP Whitelist: Failed to add {$ip}: " . $e->getMessage());
+            }
+            return false;
+        }
+    }
+
+    // Remove from whitelist
+    public function removeFromWhitelist($ip, $removedBy = 'system', $userId = null) {
+        try {
+            // Get IP details before removal for logging
+            $stmt = $this->db->prepare("SELECT * FROM {$this->whitelistTable} WHERE ip_address = ?");
+            $stmt->execute([$ip]);
+            $ipDetails = $stmt->fetch(PDO::FETCH_ASSOC);
+
+            // Remove the IP
+            $stmt = $this->db->prepare("DELETE FROM {$this->whitelistTable} WHERE ip_address = ?");
+
+            $result = $stmt->execute([$ip]);
+
+            if ($result && $ipDetails) {
+                $logMessage = sprintf(
+                    'IP Whitelist: Removed %s "%s" by %s. Was added by: %s',
+                    $ipDetails['is_network'] ? 'network' : 'IP',
+                    $ip,
+                    $removedBy,
+                    $ipDetails['created_by']
+                );
+                $this->logger->log('info', $logMessage, ['user_id' => $userId ?? null, 'scope' => 'system']);
+            }
+
+            return $result;
+
+        } catch (Exception $e) {
+            if ($userId) {
+                $this->logger->log('error', "IP Whitelist: Failed to remove {$ip}: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+                Feedback::flash('ERROR', 'DEFAULT', "IP Whitelist: Failed to remove {$ip}: " . $e->getMessage());
+            }
+            return false;
+        }
+    }
+
+    public function addToBlacklist($ip, $isNetwork = false, $reason = '', $createdBy = 'system', $userId = null, $expiryHours = null) {
+        try {
+            // Check if IP is whitelisted first
+            if ($this->isIpWhitelisted($ip)) {
+                $message = "Cannot blacklist {$ip} - IP is currently whitelisted";
+                if ($userId) {
+                    $this->logger->log('info', "IP Blacklist: {$message}", ['user_id' => $userId, 'scope' => 'system']);
+                    Feedback::flash('ERROR', 'DEFAULT', $message);
+                }
+                return false;
+            }
+
+            $expiryTime = $expiryHours ? date('Y-m-d H:i:s', strtotime("+{$expiryHours} hours")) : null;
+
+            $stmt = $this->db->prepare("INSERT INTO {$this->blacklistTable}
+                (ip_address, is_network, reason, expiry_time, created_by)
+                VALUES (?, ?, ?, ?, ?)
+                ON DUPLICATE KEY UPDATE
+                is_network = VALUES(is_network),
+                reason = VALUES(reason),
+                expiry_time = VALUES(expiry_time),
+                created_by = VALUES(created_by)");
+
+            $result = $stmt->execute([$ip, $isNetwork, $reason, $expiryTime, $createdBy]);
+
+            if ($result) {
+                $logMessage = sprintf(
+                    'IP Blacklist: Added %s "%s" by %s. Reason: %s. Expires: %s',
+                    $isNetwork ? 'network' : 'IP',
+                    $ip,
+                    $createdBy,
+                    $reason,
+                    $expiryTime ?? 'never'
+                );
+                $this->logger->log('info', $logMessage, ['user_id' => $userId ?? null, 'scope' => 'system']);
+            }
+
+            return $result;
+        } catch (Exception $e) {
+            if ($userId) {
+                $this->logger->log('error', "IP Blacklist: Failed to add {$ip}: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+                Feedback::flash('ERROR', 'DEFAULT', "IP Blacklist: Failed to add {$ip}: " . $e->getMessage());
+            }
+            return false;
+        }
+    }
+
+    public function removeFromBlacklist($ip, $removedBy = 'system', $userId = null) {
+        try {
+            // Get IP details before removal for logging
+            $stmt = $this->db->prepare("SELECT * FROM {$this->blacklistTable} WHERE ip_address = ?");
+            $stmt->execute([$ip]);
+            $ipDetails = $stmt->fetch(PDO::FETCH_ASSOC);
+
+            // Remove the IP
+            $stmt = $this->db->prepare("DELETE FROM {$this->blacklistTable} WHERE ip_address = ?");
+
+            $result = $stmt->execute([$ip]);
+
+            if ($result && $ipDetails) {
+                $logMessage = sprintf(
+                    'IP Blacklist: Removed %s "%s" by %s. Was added by: %s. Reason was: %s',
+                    $ipDetails['is_network'] ? 'network' : 'IP',
+                    $ip,
+                    $removedBy,
+                    $ipDetails['created_by'],
+                    $ipDetails['reason']
+                );
+                $this->logger->log('info', $logMessage, ['user_id' => $userId ?? null, 'scope' => 'system']);
+            }
+
+            return $result;
+        } catch (Exception $e) {
+            if ($userId) {
+                $this->logger->log('error', "IP Blacklist: Failed to remove {$ip}: " . $e->getMessage(), ['user_id' => $userId, 'scope' => 'system']);
+                Feedback::flash('ERROR', 'DEFAULT', "IP Blacklist: Failed to remove {$ip}: " . $e->getMessage());
+            }
+            return false;
+        }
+    }
+
+    public function getWhitelistedIps() {
+        $stmt = $this->db->prepare("SELECT * FROM {$this->whitelistTable} ORDER BY created_at DESC");
+        $stmt->execute();
+
+        return $stmt->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+    public function getBlacklistedIps() {
+        $stmt = $this->db->prepare("SELECT * FROM {$this->blacklistTable} ORDER BY created_at DESC");
+        $stmt->execute();
+
+        return $stmt->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+    public function cleanupExpiredEntries() {
+        try {
+            // Remove expired blacklist entries
+            $stmt = $this->db->prepare("DELETE FROM {$this->blacklistTable}
+                WHERE expiry_time IS NOT NULL AND expiry_time < NOW()");
+            $stmt->execute();
+
+            // Clean old login attempts
+            $stmt = $this->db->prepare("DELETE FROM {$this->authRatelimitTable}
+                WHERE attempted_at < DATE_SUB(NOW(), INTERVAL :minutes MINUTE)");
+            $stmt->execute([':minutes' => $this->decayMinutes]);
+
+            return true;
+        } catch (Exception $e) {
+            $this->logger->log('error', "Failed to cleanup expired entries: " . $e->getMessage(), ['user_id' => $userId ?? null, 'scope' => 'system']);
+            Feedback::flash('ERROR', 'DEFAULT', "Failed to cleanup expired entries: " . $e->getMessage());
+            return false;
+        }
+    }
+
+    public function isAllowed($username, $ipAddress) {
+        // First check if IP is blacklisted
+        if ($this->isIpBlacklisted($ipAddress)) {
+            return false;
+        }
+
+        // Then check if IP is whitelisted
+        if ($this->isIpWhitelisted($ipAddress)) {
+            return true;
+        }
+
+        // Clean old attempts
+        $this->clearOldAttempts();
+
+        // Check if we've hit the rate limit
+        if ($this->tooManyAttempts($username, $ipAddress)) {
+            return false;
+        }
+
+        // Check total attempts across all usernames from this IP
+        $sql = "SELECT COUNT(*) as total_attempts
+                FROM {$this->authRatelimitTable}
+                WHERE ip_address = :ip
+                AND attempted_at > DATE_SUB(NOW(), INTERVAL :minutes MINUTE)";
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip'      => $ipAddress,
+            ':minutes' => $this->decayMinutes
+        ]);
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+        // Check if we would hit auto-blacklist threshold
+        return $result['total_attempts'] < $this->autoBlacklistThreshold;
+    }
+
+    public function attempt($username, $ipAddress, $failed = true) {
+        // Only record failed attempts
+        if (!$failed) {
+            return true;
+        }
+
+        // Record this attempt
+        $sql = "INSERT INTO {$this->authRatelimitTable} (ip_address, username) VALUES (:ip, :username)";
+        $stmt = $this->db->prepare($sql);
+        try {
+            $stmt->execute([
+                ':ip'           => $ipAddress,
+                ':username'     => $username
+            ]);
+        } catch (PDOException $e) {
+            return false;
+        }
+
+        return true;
+    }
+
+    public function tooManyAttempts($username, $ipAddress) {
+        $sql = "SELECT COUNT(*) as attempts
+                FROM {$this->authRatelimitTable}
+                WHERE ip_address = :ip
+                AND username = :username
+                AND attempted_at > DATE_SUB(NOW(), INTERVAL :minutes MINUTE)";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip'           => $ipAddress,
+            ':username'     => $username,
+            ':minutes'      => $this->decayMinutes
+        ]);
+
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+        // Also check what's in the table
+        $sql = "SELECT * FROM {$this->authRatelimitTable} WHERE ip_address = :ip";
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([':ip' => $ipAddress]);
+        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+        $tooMany = $result['attempts'] >= $this->maxAttempts;
+
+        // Auto-blacklist if too many attempts
+        if ($tooMany) {
+            $this->addToBlacklist(
+                $ipAddress,
+                false,
+                'Auto-blacklisted due to excessive login attempts',
+                'system',
+                null,
+                $this->autoBlacklistDuration
+            );
+        }
+
+        return $tooMany;
+    }
+
+    public function clearOldAttempts() {
+        $sql = "DELETE FROM {$this->authRatelimitTable}
+                WHERE attempted_at < DATE_SUB(NOW(), INTERVAL :minutes MINUTE)";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':minutes'      => $this->decayMinutes
+        ]);
+    }
+
+    public function getRemainingAttempts($username, $ipAddress) {
+        $sql = "SELECT COUNT(*) as attempts
+                FROM {$this->authRatelimitTable}
+                WHERE ip_address = :ip
+                AND username = :username
+                AND attempted_at > DATE_SUB(NOW(), INTERVAL :minutes MINUTE)";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip'           => $ipAddress,
+            ':username'     => $username,
+            ':minutes'      => $this->decayMinutes
+        ]);
+
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+        return max(0, $this->maxAttempts - $result['attempts']);
+    }
+
+    public function getDecayMinutes() {
+        return $this->decayMinutes;
+    }
+
+    /**
+     * Check if a page request is allowed
+     */
+    public function isPageRequestAllowed($ipAddress, $endpoint, $userId = null) {
+        // First check if IP is blacklisted
+        if ($this->isIpBlacklisted($ipAddress)) {
+            return false;
+        }
+
+        // Then check if IP is whitelisted
+        if ($this->isIpWhitelisted($ipAddress)) {
+            return true;
+        }
+
+        // Clean old requests
+        $this->cleanOldPageRequests();
+
+        // Get limit based on endpoint type and user role
+        $limit = $this->getPageLimitForEndpoint($endpoint, $userId);
+
+        // Count recent requests, including this one
+        $sql = "SELECT COUNT(*) as request_count
+                FROM {$this->pagesRatelimitTable}
+                WHERE ip_address = :ip
+                AND endpoint = :endpoint
+                AND request_time >= DATE_SUB(NOW(), INTERVAL 1 MINUTE)";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip' => $ipAddress,
+            ':endpoint' => $endpoint
+        ]);
+
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+        return $result['request_count'] < $limit;
+    }
+
+    /**
+     * Record a page request
+     */
+    public function recordPageRequest($ipAddress, $endpoint) {
+        $sql = "INSERT INTO {$this->pagesRatelimitTable} (ip_address, endpoint)
+                VALUES (:ip, :endpoint)";
+
+        $stmt = $this->db->prepare($sql);
+        return $stmt->execute([
+            ':ip' => $ipAddress,
+            ':endpoint' => $endpoint
+        ]);
+    }
+
+    /**
+     * Clean old page requests
+     */
+    private function cleanOldPageRequests() {
+        $sql = "DELETE FROM {$this->pagesRatelimitTable}
+                WHERE request_time < DATE_SUB(NOW(), INTERVAL 1 MINUTE)";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute();
+    }
+
+    /**
+     * Get page rate limit for endpoint
+     */
+    private function getPageLimitForEndpoint($endpoint, $userId = null) {
+        // Admin users get higher limits
+        if ($userId) {
+            // Check admin rights directly from database
+            $stmt = $this->db->prepare('SELECT COUNT(*) FROM `user_right` ur JOIN `right` r ON ur.right_id = r.id WHERE ur.user_id = ? AND r.name = ?');
+            $stmt->execute([$userId, 'superuser']);
+            if ($stmt->fetchColumn() > 0) {
+                return $this->pageLimits['admin'];
+            }
+        }
+
+        // Get endpoint type from the endpoint path
+        $endpointType = $this->getEndpointType($endpoint);
+
+        // Return specific limit if exists, otherwise default
+        return isset($this->pageLimits[$endpointType])
+            ? $this->pageLimits[$endpointType]
+            : $this->pageLimits['default'];
+    }
+
+    /**
+     * Get endpoint type from path
+     */
+    private function getEndpointType($endpoint) {
+        if (strpos($endpoint, 'message') !== false) return 'message';
+        if (strpos($endpoint, 'contact') !== false) return 'contact';
+        if (strpos($endpoint, 'call') !== false) return 'call';
+        if (strpos($endpoint, 'register') !== false) return 'register';
+        if (strpos($endpoint, 'config') !== false) return 'config';
+        return 'default';
+    }
+
+    /**
+     * Get remaining page requests
+     */
+    public function getRemainingPageRequests($ipAddress, $endpoint, $userId = null) {
+        $limit = $this->getPageLimitForEndpoint($endpoint, $userId);
+
+        $sql = "SELECT COUNT(*) as request_count
+                FROM {$this->pagesRatelimitTable}
+                WHERE ip_address = :ip
+                AND endpoint = :endpoint
+                AND request_time > DATE_SUB(NOW(), INTERVAL 1 MINUTE)";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip' => $ipAddress,
+            ':endpoint' => $endpoint
+        ]);
+
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+        return max(0, $limit - $result['request_count']);
+    }
+}

app/classes/router.php

@@ -1,20 +1,46 @@
 <?php
 
+/**
+ * class Router
+ *
+ * A simple Router class to manage URL-to-callback mapping and dispatch requests to the appropriate controllers and methods.
+ * The class supports defining routes, matching URLs against patterns, and invoking callbacks for matched routes.
+ */
 class Router {
-
+    /**
+     * @var array $routes Associative array of route patterns and their corresponding callbacks.
+     */
     private $routes = [];
 
-    public function add() {
+
+    /**
+     * Adds a new route to the router.
+     *
+     * @param string $pattern  The URL pattern to match (regular expression).
+     * @param string $callback The callback for the route in the format "Controller@Method".
+     *
+     * @return void
+     */
+    public function add($pattern, $callback) {
         $this->routes[$pattern] = $callback;
     }
 
+
+    /**
+     * Dispatches a request to the appropriate route callback.
+     *
+     * @param string $url The URL to match against the defined routes.
+     *
+     * @return void Outputs the result of the invoked callback or a 404 error if no route matches.
+     */
     public function dispatch($url) {
-        // remove variables from url
+        // remove query string variables from url
         $url = strtok($url, '?');
 
         foreach ($this->routes as $pattern => $callback) {
+            // check if the URL matches the current route pattern
             if (preg_match('#^' . $pattern . '$#', $url, $matches)) {
-                // move any exact match
+                // remove the exact match to extrat parameters
                 array_shift($matches);
                 return $this->invoke($callback, $matches);
             }
@@ -25,14 +51,35 @@ class Router {
         echo '404 page not found';
     }
 
+
+    /**
+     * Invokes the callback for a matched route.
+     *
+     * @param string $callback The callback for the route in the format "Controller@Method".
+     * @param array  $params   Parameters extracted from the route pattern.
+     *
+     * @return void Executes the specified method on the specified controller with the provided parameters.
+     *
+     * @throws Exception If the controller class or method does not exist.
+     */
     private function invoke($callback, $params) {
         list($controllerName, $methodName) = explode('@', $callback);
-//        $controllerClass = "\\App\\Controllers\\$controllerName";
-        $controllerClass = "../pages/$pageName";
+        $controllerClass = "../pages/$controllerName";
+
+        // ensure the controller class exists
+        if (!class_exists($controllerClass)) {
+            throw new Exception("Controller '$controllerClass' not found.");
+        }
+
         $controller = new $controllerClass();
+
+        // ensure the method exists on the controller
+        if (!method_exists($controller, $methodName)) {
+            throw new Exception("Method '$methodName' not found in controller '$controllerClass'.");
+        }
+
+        // call the controller's method with the parameters
         call_user_func_array([$controller, $methodName], $params);
     }
 
 }
-
-?>

app/classes/server.php

@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * class Server
+ *
+ * Handles server-related operations, including retrieving server status.
+ */
+class Server {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
+    private $db;
+
+    /**
+     * Server constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
+    public function __construct($database) {
+        $this->db = $database->getConnection();
+    }
+
+
+    /**
+     * Checks the status of a Jilo server by sending a GET request to its health endpoint.
+     *
+     * @param string $host The server hostname or IP address (default: '127.0.0.1').
+     * @param int $port The port on which the server is running (default: 8080).
+     * @param string $endpoint The health check endpoint path (default: '/health').
+     *
+     * @return bool True if the server returns a 200 OK status, otherwise false.
+     */
+    public function getServerStatus($host = '127.0.0.1', $port = 8080, $endpoint = '/health') {
+        $url = "http://$host:$port$endpoint";
+        $options = [
+            'http' => [
+                'method'    => 'GET',
+                'timeout'   => 3,
+            ],
+        ];
+        $context = stream_context_create($options);
+        $response = @file_get_contents($url, false, $context);
+
+        // We check the response if it's 200 OK
+        if ($response !== false && isset($http_response_header) && strpos($http_response_header[0], '200 OK') !== false) {
+            return true;
+        }
+
+        // If it's not 200 OK
+        return false;
+    }
+
+}

app/classes/session.php

@@ -0,0 +1,265 @@
+<?php
+
+/**
+ * Session Class
+ *
+ * Core session management functionality for the application
+ */
+class Session {
+    private static $initialized = false;
+    private static $sessionName = ''; // Will be set from config, if not we'll have a random session name
+
+    /**
+     * Generate a random session name
+     */
+    private static function generateRandomSessionName(): string {
+        return 'sess_' . bin2hex(random_bytes(8)); // 16-character random string
+    }
+    private static $sessionOptions = [
+        'cookie_httponly' => 1,
+        'cookie_secure' => 1,
+        'cookie_samesite' => 'Strict',
+        'gc_maxlifetime' => 7200 // 2 hours
+    ];
+
+    /**
+     * Initialize session configuration
+     */
+    private static function initialize() {
+        if (self::$initialized) {
+            return;
+        }
+
+        global $config;
+
+        // Get session name from config or generate a random one
+        self::$sessionName = $config['session']['name'] ?? self::generateRandomSessionName();
+
+        // Set session name before starting the session
+        session_name(self::$sessionName);
+
+        // Set session cookie parameters
+        $thisPath = $config['folder'] ?? '/';
+        $thisDomain = $config['domain'] ?? '';
+        $isSecure = isset($_SERVER['HTTPS']);
+
+        session_set_cookie_params([
+            'lifetime' => 0, // Session cookie (browser session)
+            'path' => $thisPath,
+            'domain' => $thisDomain,
+            'secure' => $isSecure,
+            'httponly' => true,
+            'samesite' => 'Strict'
+        ]);
+
+        self::$initialized = true;
+    }
+
+    /**
+     * Get session name from config or generate a random one
+     */
+    private static function getSessionNameFromConfig($config) {
+        if (isset($config['session']['name']) && !empty($config['session']['name'])) {
+            return $config['session']['name'];
+        }
+        return self::generateRandomSessionName();
+    }
+
+    /**
+     * Start or resume a session with secure options
+     */
+    public static function startSession() {
+        self::initialize();
+
+        if (session_status() === PHP_SESSION_NONE) {
+            if (!headers_sent()) {
+                session_start(self::$sessionOptions);
+            }
+        }
+    }
+
+    /**
+     * Destroy current session and clean up
+     */
+    public static function destroySession() {
+        if (session_status() === PHP_SESSION_ACTIVE) {
+            session_unset();
+            session_destroy();
+        }
+    }
+
+    /**
+     * Get current username if set
+     */
+    public static function getUsername() {
+        return isset($_SESSION['username']) ? htmlspecialchars($_SESSION['username']) : null;
+    }
+
+    /**
+     * Get current user ID if set
+     */
+    public static function getUserId() {
+        return isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
+    }
+
+    /**
+     * Check if current session is valid
+     *
+     * @param bool $strict If true, will return false for new/unauthenticated sessions
+     * @return bool True if session is valid, false otherwise
+     */
+    public static function isValidSession($strict = true) {
+        // If session is not started or empty, it's not valid
+        if (session_status() !== PHP_SESSION_ACTIVE || empty($_SESSION)) {
+            return false;
+        }
+
+        // In non-strict mode, consider empty session as valid (for login/logout)
+        if (!$strict && !isset($_SESSION['user_id']) && !isset($_SESSION['username'])) {
+            return true;
+        }
+
+        // In strict mode, require user_id and username
+        if ($strict && (!isset($_SESSION['user_id']) || !isset($_SESSION['username']))) {
+            return false;
+        }
+
+        // Check session timeout
+        $session_timeout = isset($_SESSION['REMEMBER_ME']) ? (30 * 24 * 60 * 60) : 7200; // 30 days or 2 hours
+        if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $session_timeout)) {
+            return false;
+        }
+
+        // Update last activity time
+        $_SESSION['LAST_ACTIVITY'] = time();
+
+        // Regenerate session ID periodically (every 30 minutes)
+        if (!isset($_SESSION['CREATED'])) {
+            $_SESSION['CREATED'] = time();
+        } else if (time() - $_SESSION['CREATED'] > 1800) {
+            // Regenerate session ID and update creation time
+            if (!headers_sent() && session_status() === PHP_SESSION_ACTIVE) {
+                $oldData = $_SESSION;
+                session_regenerate_id(true);
+                $_SESSION = $oldData;
+                $_SESSION['CREATED'] = time();
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Set remember me option for extended session
+     */
+    public static function setRememberMe($value = true) {
+        $_SESSION['REMEMBER_ME'] = $value;
+    }
+
+    /**
+     * Clear session data and cookies
+     */
+    public static function cleanup($config) {
+        self::destroySession();
+
+        // Clear cookies if headers not sent
+        if (!headers_sent()) {
+            setcookie('username', '', [
+                'expires' => time() - 3600,
+                'path' => $config['folder'],
+                'domain' => $config['domain'],
+                'secure' => isset($_SERVER['HTTPS']),
+                'httponly' => true,
+                'samesite' => 'Strict'
+            ]);
+        }
+
+        // Start fresh session
+        self::startSession();
+
+        // Reset session timeout flag
+        unset($_SESSION['session_timeout_shown']);
+    }
+
+    /**
+     * Create a new authenticated session for a user
+     */
+    public static function createAuthSession($userId, $username, $rememberMe, $config) {
+        // Ensure session is started
+        self::startSession();
+
+        // Set session variables
+        $_SESSION['user_id'] = $userId;
+        $_SESSION['username'] = $username;
+        $_SESSION['LAST_ACTIVITY'] = time();
+        $_SESSION['REMEMBER_ME'] = $rememberMe;
+
+        // Set cookie lifetime based on remember me
+        $cookieLifetime = $rememberMe ? time() + (30 * 24 * 60 * 60) : 0;
+
+        // Update session cookie with remember me setting
+        if (!headers_sent()) {
+            setcookie(
+                session_name(),
+                session_id(),
+                [
+                    'expires' => $cookieLifetime,
+                    'path' => $config['folder'] ?? '/',
+                    'domain' => $config['domain'] ?? '',
+                    'secure' => isset($_SERVER['HTTPS']),
+                    'httponly' => true,
+                    'samesite' => 'Strict'
+                ]
+            );
+
+            // Set username cookie
+            setcookie('username', $username, [
+                'expires' => $cookieLifetime,
+                'path' => $config['folder'] ?? '/',
+                'domain' => $config['domain'] ?? '',
+                'secure' => isset($_SERVER['HTTPS']),
+                'httponly' => true,
+                'samesite' => 'Strict'
+            ]);
+        }
+
+        if ($rememberMe) {
+            self::setRememberMe(true);
+        }
+    }
+
+    /**
+     * Store 2FA pending information in session
+     */
+    public static function store2FAPending($userId, $username, $rememberMe = false) {
+        $_SESSION['2fa_pending_user_id'] = $userId;
+        $_SESSION['2fa_pending_username'] = $username;
+        if ($rememberMe) {
+            $_SESSION['2fa_pending_remember'] = true;
+        }
+    }
+
+    /**
+     * Clear 2FA pending information from session
+     */
+    public static function clear2FAPending() {
+        unset($_SESSION['2fa_pending_user_id']);
+        unset($_SESSION['2fa_pending_username']);
+        unset($_SESSION['2fa_pending_remember']);
+    }
+
+    /**
+     * Get 2FA pending information
+     */
+    public static function get2FAPending() {
+        if (!isset($_SESSION['2fa_pending_user_id']) || !isset($_SESSION['2fa_pending_username'])) {
+            return null;
+        }
+
+        return [
+            'user_id' => $_SESSION['2fa_pending_user_id'],
+            'username' => $_SESSION['2fa_pending_username'],
+            'remember_me' => isset($_SESSION['2fa_pending_remember'])
+        ];
+    }
+}

app/classes/settings.php

@@ -0,0 +1,97 @@
+<?php
+
+/**
+ * class Settings
+ *
+ * Handles editing and fetching jilo configuration.
+ */
+class Settings {
+
+    /**
+     * Loads javascript file the Jitsi server.
+     *
+     * @param string $jitsiUrl The base URL of the Jitsi server.
+     * @param string $livejsFile The name of the remote js file to load.
+     * @param bool $raw Whether to return the full file (true) or only uncommented values (false).
+     *
+     * @return string The content of the interface_config.js file or an error message.
+     */
+    public function getPlatformJsFile($jitsiUrl, $livejsFile, $raw = false) {
+        // constructing the URL
+        $jsFile = $jitsiUrl . '/' . $livejsFile;
+
+        // default content, if we can't get the file contents
+        $jsFileContent = "The file $livejsFile can't be loaded.";
+
+        // Check if URL is valid
+        if (!filter_var($jsFile, FILTER_VALIDATE_URL)) {
+            return "Invalid URL: $jsFile";
+        }
+
+        // ssl options
+        $contextOptions = [
+            'ssl' => [
+                'verify_peer'		=> true,
+                'verify_peer_name'	=> true,
+            ],
+        ];
+        $context = stream_context_create($contextOptions);
+
+        // Try to get headers first to check if file exists and wasn't redirected
+        $headers = @get_headers($jsFile, 1);  // 1 to get headers as array
+        if ($headers === false) {
+            return "The file $livejsFile can't be loaded (connection error).";
+        }
+
+        // Check for redirects
+        $statusLine = $headers[0];
+        if (strpos($statusLine, '301') !== false || strpos($statusLine, '302') !== false) {
+            return "The file $livejsFile was redirected - this might indicate the file doesn't exist.";
+        }
+
+        // Check if we got 200 OK
+        if (strpos($statusLine, '200') === false) {
+            return "The file $livejsFile can't be loaded (HTTP error: $statusLine).";
+        }
+
+        // Check content type
+        $contentType = isset($headers['Content-Type']) ? $headers['Content-Type'] : '';
+        if (is_array($contentType)) {
+            $contentType = end($contentType); // get last content-type in case of redirects
+        }
+        if (stripos($contentType, 'javascript') === false && stripos($contentType, 'text/plain') === false) {
+            return "The file $livejsFile doesn't appear to be a JavaScript file (got $contentType).";
+        }
+
+        // get the file
+        $fileContent = @file_get_contents($jsFile, false, $context);
+
+        if ($fileContent !== false) {
+            // Quick validation of content
+            $firstLine = strtolower(trim(substr($fileContent, 0, 100)));
+            if (strpos($firstLine, '<!doctype html>') !== false || 
+                strpos($firstLine, '<html') !== false || 
+                strpos($firstLine, '<?xml') !== false) {
+                return "The file $livejsFile appears to be HTML/XML content instead of JavaScript.";
+            }
+
+            // when we need only uncommented values
+            if ($raw === false) {
+                // remove block comments
+                $jsFileContent = preg_replace('!/\*.*?\*/!s', '', $fileContent);
+                // remove single-line comments
+                $jsFileContent = preg_replace('/\/\/[^\n]*/', '', $jsFileContent);
+                // remove empty lines
+                $jsFileContent = preg_replace('/^\s*[\r\n]/m', '', $jsFileContent);
+
+            // when we need the full file as it is
+            } else {
+                $jsFileContent = $fileContent;
+            }
+        }
+
+        return $jsFileContent;
+
+    }
+
+}

app/classes/twoFactorAuth.php

@@ -0,0 +1,420 @@
+<?php
+
+/**
+ * Class TwoFactorAuthentication
+ *
+ * Handles two-factor authentication functionality using TOTP (Time-based One-Time Password).
+ * Internal implementation without external dependencies.
+ */
+class TwoFactorAuthentication {
+    private $db;
+    private $secretLength = 20; // 160 bits for SHA1
+    private $period = 30;       // Time step in seconds (T0)
+    private $digits = 6;        // Number of digits in TOTP code
+    private $algorithm = 'sha1'; // HMAC algorithm
+    private $issuer = 'TotalMeet';
+    private $window = 1;        // Time window of 1 step before/after
+
+    /**
+     * Constructor
+     *
+     * @param PDO $database Database connection
+     */
+    public function __construct($database) {
+        if ($database instanceof PDO) {
+            $this->db = $database;
+        } else {
+            $this->db = $database->getConnection();
+        }
+    }
+
+    /**
+     * Enable 2FA for a user
+     *
+     * @param int $userId User ID
+     * @param string $secret Secret key (base32 encoded)
+     * @param string $code Verification code
+     * @return bool True if enabled successfully
+     */
+    public function enable($userId, $secret = null, $code = null) {
+        try {
+            // Check if 2FA is already enabled
+            $stmt = $this->db->prepare('SELECT enabled FROM user_2fa WHERE user_id = ?');
+            $stmt->execute([$userId]);
+            $existing = $stmt->fetch(PDO::FETCH_ASSOC);
+
+            if ($existing && $existing['enabled']) {
+                return false;
+            }
+
+            // If no secret provided, generate one and return setup data
+            if ($secret === null) {
+                // Generate secret key
+                $secret = $this->generateSecret();
+
+                // Get user's username for the QR code
+                $stmt = $this->db->prepare('SELECT username FROM user WHERE id = ?');
+                $stmt->execute([$userId]);
+                $user = $stmt->fetch(PDO::FETCH_ASSOC);
+
+                // Generate backup codes
+                $backupCodes = $this->generateBackupCodes();
+
+                // Store in database without enabling yet
+                $this->db->beginTransaction();
+
+                $stmt = $this->db->prepare('
+                    INSERT INTO user_2fa (user_id, secret_key, backup_codes, enabled, created_at)
+                    VALUES (?, ?, ?, 0, NOW())
+                    ON DUPLICATE KEY UPDATE
+                        secret_key = VALUES(secret_key),
+                        backup_codes = VALUES(backup_codes),
+                        enabled = VALUES(enabled),
+                        created_at = VALUES(created_at)
+                ');
+
+                $stmt->execute([
+                    $userId,
+                    $secret,
+                    json_encode($backupCodes)
+                ]);
+
+                $this->db->commit();
+
+                // Generate otpauth URL for QR code
+                $otpauthUrl = $this->generateOtpauthUrl($user['username'], $secret);
+
+                return [
+                    'success' => true,
+                    'data' => [
+                        'secret' => $secret,
+                        'otpauthUrl' => $otpauthUrl,
+                        'backupCodes' => $backupCodes
+                    ]
+                ];
+            }
+
+            // If secret and code provided, verify the code and enable 2FA
+            if ($code !== null) {
+                // Verify the setup code
+                if (!$this->verify($userId, $code)) {
+                    error_log("Code verification failed");
+                    return false;
+                }
+
+                // Enable 2FA
+                $stmt = $this->db->prepare('
+                    UPDATE user_2fa
+                    SET enabled = 1
+                    WHERE user_id = ? AND secret_key = ?
+                ');
+                return $stmt->execute([$userId, $secret]);
+            }
+
+            return false;
+
+        } catch (Exception $e) {
+            if ($this->db->inTransaction()) {
+                $this->db->rollBack();
+            }
+            error_log('2FA enable error: ' . $e->getMessage());
+            return false;
+        }
+    }
+
+    /**
+     * Verify a 2FA code
+     *
+     * @param int $userId User ID
+     * @param string $code The verification code
+     * @return bool True if verified, false otherwise
+     */
+    public function verify($userId, $code) {
+        try {
+            // Get user's 2FA settings
+            $settings = $this->getUserSettings($userId);
+            if (!$settings) {
+                return false;
+            }
+
+            // Check if code matches a backup code
+            if ($this->verifyBackupCode($userId, $code)) {
+                return true;
+            }
+
+            // Get current Unix timestamp
+            $currentTime = time();
+
+            // Check time window
+            for ($timeSlot = -$this->window; $timeSlot <= $this->window; $timeSlot++) {
+                $checkTime = $currentTime + ($timeSlot * $this->period);
+                $generatedCode = $this->generateCode($settings['secret_key'], $checkTime);
+                if (hash_equals($generatedCode, $code)) {
+                    return true;
+                }
+            }
+
+            return false;
+
+        } catch (Exception $e) {
+            error_log('2FA verification error: ' . $e->getMessage());
+            return false;
+        }
+    }
+
+    /**
+     * Generate a random secret key
+     *
+     * @return string Base32 encoded secret
+     */
+    private function generateSecret() {
+        // Generate random bytes (160 bits for SHA1)
+        $random = random_bytes($this->secretLength);
+        return $this->base32Encode($random);
+    }
+
+    /**
+     * Base32 encode data
+     *
+     * @param string $data Data to encode
+     * @return string Base32 encoded string
+     */
+    private function base32Encode($data) {
+        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+        $binary = '';
+        $encoded = '';
+
+        // Convert to binary
+        for ($i = 0; $i < strlen($data); $i++) {
+            $binary .= str_pad(decbin(ord($data[$i])), 8, '0', STR_PAD_LEFT);
+        }
+
+        // Process 5 bits at a time
+        for ($i = 0; $i < strlen($binary); $i += 5) {
+            $chunk = substr($binary, $i, 5);
+            if (strlen($chunk) < 5) {
+                $chunk = str_pad($chunk, 5, '0', STR_PAD_RIGHT);
+            }
+            $encoded .= $alphabet[bindec($chunk)];
+        }
+
+        // Add padding
+        $padding = strlen($encoded) % 8;
+        if ($padding > 0) {
+            $encoded .= str_repeat('=', 8 - $padding);
+        }
+
+        return $encoded;
+    }
+
+    /**
+     * Base32 decode data
+     *
+     * @param string $data Base32 encoded string
+     * @return string Decoded data
+     */
+    private function base32Decode($data) {
+        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+        // Remove padding and uppercase
+        $data = rtrim(strtoupper($data), '=');
+
+        $binary = '';
+
+        // Convert to binary
+        for ($i = 0; $i < strlen($data); $i++) {
+            $position = strpos($alphabet, $data[$i]);
+            if ($position === false) {
+                continue;
+            }
+            $binary .= str_pad(decbin($position), 5, '0', STR_PAD_LEFT);
+        }
+
+        $decoded = '';
+        // Process 8 bits at a time
+        for ($i = 0; $i + 7 < strlen($binary); $i += 8) {
+            $chunk = substr($binary, $i, 8);
+            $decoded .= chr(bindec($chunk));
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Generate a TOTP code for a given secret and time
+     * RFC 6238 compliant implementation
+     */
+    private function generateCode($secret, $time) {
+        // Calculate number of time steps since Unix epoch
+        $timeStep = (int)floor($time / $this->period);
+
+        // Pack time into 8 bytes (64-bit big-endian)
+        $timeBin = pack('J', $timeStep);
+
+        // Clean secret of any padding
+        $secret = rtrim($secret, '=');
+
+        // Get binary secret
+        $secretBin = $this->base32Decode($secret);
+
+        // Calculate HMAC
+        $hash = hash_hmac($this->algorithm, $timeBin, $secretBin, true);
+
+        // Get dynamic truncation offset
+        $offset = ord($hash[strlen($hash) - 1]) & 0xF;
+
+        // Generate 31-bit number
+        $code = (
+            ((ord($hash[$offset]) & 0x7F) << 24) |
+            ((ord($hash[$offset + 1]) & 0xFF) << 16) |
+            ((ord($hash[$offset + 2]) & 0xFF) << 8) |
+            (ord($hash[$offset + 3]) & 0xFF)
+        ) % pow(10, $this->digits);
+
+        $code = str_pad($code, $this->digits, '0', STR_PAD_LEFT);
+
+        return $code;
+    }
+
+    /**
+     * Generate otpauth URL for QR codes
+     * Format: otpauth://totp/ISSUER:ACCOUNT?secret=SECRET&issuer=ISSUER&algorithm=ALGORITHM&digits=DIGITS&period=PERIOD
+     */
+    private function generateOtpauthUrl($username, $secret) {
+        $params = [
+            'secret' => $secret,
+            'issuer' => $this->issuer,
+            'algorithm' => strtoupper($this->algorithm),
+            'digits' => $this->digits,
+            'period' => $this->period
+        ];
+
+        return sprintf(
+            'otpauth://totp/%s:%s?%s',
+            rawurlencode($this->issuer),
+            rawurlencode($username),
+            http_build_query($params)
+        );
+    }
+
+    /**
+     * Generate backup codes
+     *
+     * @param int $count Number of backup codes to generate
+     * @return array Array of backup codes
+     */
+    private function generateBackupCodes($count = 8) {
+        $codes = [];
+        for ($i = 0; $i < $count; $i++) {
+            $codes[] = bin2hex(random_bytes(4));
+        }
+        return $codes;
+    }
+
+    /**
+     * Verify a backup code
+     *
+     * @param int $userId User ID
+     * @param string $code The backup code to verify
+     * @return bool True if verified, false otherwise
+     */
+    private function verifyBackupCode($userId, $code) {
+        try {
+            $stmt = $this->db->prepare('SELECT backup_codes FROM user_2fa WHERE user_id = ?');
+            $stmt->execute([$userId]);
+            $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+            if (!$result) {
+                return false;
+            }
+
+            $backupCodes = json_decode($result['backup_codes'], true);
+
+            // Check if the code exists and hasn't been used
+            $codeIndex = array_search($code, $backupCodes);
+            if ($codeIndex !== false) {
+                // Remove the used code
+                unset($backupCodes[$codeIndex]);
+                $backupCodes = array_values($backupCodes);
+
+                // Update backup codes in database
+                $stmt = $this->db->prepare('
+                    UPDATE user_2fa
+                    SET backup_codes = ?
+                    WHERE user_id = ?
+                ');
+                $stmt->execute([json_encode($backupCodes), $userId]);
+
+                return true;
+            }
+
+            return false;
+
+        } catch (Exception $e) {
+            error_log('Backup code verification error: ' . $e->getMessage());
+            return false;
+        }
+    }
+
+    /**
+     * Disable 2FA for a user
+     *
+     * @param int $userId User ID
+     * @return bool True if disabled successfully
+     */
+    public function disable($userId) {
+        try {
+            // First check if user has 2FA settings
+            $settings = $this->getUserSettings($userId);
+            if (!$settings) {
+                return false;
+            }
+
+            // Delete the 2FA settings entirely instead of just disabling
+            $stmt = $this->db->prepare('
+                DELETE FROM user_2fa
+                WHERE user_id = ?
+            ');
+            return $stmt->execute([$userId]);
+
+        } catch (Exception $e) {
+            error_log('2FA disable error: ' . $e->getMessage());
+            return false;
+        }
+    }
+
+    /**
+     * Check if 2FA is enabled for a user
+     *
+     * @param int $userId User ID
+     * @return bool True if enabled
+     */
+    public function isEnabled($userId) {
+        try {
+            $stmt = $this->db->prepare('SELECT enabled FROM user_2fa WHERE user_id = ?');
+            $stmt->execute([$userId]);
+            $result = $stmt->fetch(PDO::FETCH_ASSOC);
+            return $result && $result['enabled'];
+
+        } catch (Exception $e) {
+            error_log('2FA status check error: ' . $e->getMessage());
+            return false;
+        }
+    }
+
+    private function getUserSettings($userId) {
+        try {
+            $stmt = $this->db->prepare('
+                SELECT secret_key, backup_codes, enabled
+                FROM user_2fa
+                WHERE user_id = ?
+            ');
+            $stmt->execute([$userId]);
+            return $stmt->fetch(PDO::FETCH_ASSOC);
+
+        } catch (Exception $e) {
+            error_log('Failed to get user 2FA settings: ' . $e->getMessage());
+            return null;
+        }
+    }
+}

app/classes/user.php

@@ -1,38 +1,526 @@
 <?php
 
+/**
+ * class User
+ *
+ * Handles user-related functionalities such as login, rights management, and profile updates.
+ */
 class User {
+    /**
+     * @var PDO|null $db The database connection instance.
+     */
     private $db;
+    private $rateLimiter;
+    private $twoFactorAuth;
 
+    /**
+     * User constructor.
+     * Initializes the database connection.
+     *
+     * @param object $database The database object to initialize the connection.
+     */
     public function __construct($database) {
+        if ($database instanceof PDO) {
+            $this->db = $database;
+        } else {
             $this->db = $database->getConnection();
         }
+        require_once __DIR__ . '/ratelimiter.php';
+        require_once __DIR__ . '/twoFactorAuth.php';
 
-    // registration
-    public function register($username, $password) {
-        $hashedPassword = password_hash($password, PASSWORD_DEFAULT);
-        $query = $this->db->prepare("INSERT INTO users (username, password) VALUES (:username, :password)");
-        $query->bindParam(':username', $username);
-        $query->bindParam(':password', $hashedPassword);
-
-        return $query->execute();
+        $this->rateLimiter = new RateLimiter($database);
+        $this->twoFactorAuth = new TwoFactorAuthentication($database);
     }
 
-    // login
-    public function login($username, $password) {
-        $query = $this->db->prepare("SELECT * FROM  users WHERE username = :username");
+
+    /**
+     * Logs in a user by verifying credentials.
+     *
+     * @param string $username The username of the user.
+     * @param string $password The password of the user.
+     * @param string $twoFactorCode Optional. The 2FA code if 2FA is enabled.
+     *
+     * @return array Login result with status and any necessary data
+     */
+    public function login($username, $password, $twoFactorCode = null) {
+        // Get user's IP address
+        $ipAddress = getUserIP();
+
+        // Check rate limiting first
+        if (!$this->rateLimiter->isAllowed($username, $ipAddress)) {
+            $remainingTime = $this->rateLimiter->getDecayMinutes();
+            throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
+        }
+
+        // Then check credentials
+        $query = $this->db->prepare("SELECT * FROM user WHERE username = :username");
         $query->bindParam(':username', $username);
         $query->execute();
 
         $user = $query->fetch(PDO::FETCH_ASSOC);
         if ($user && password_verify($password, $user['password'])) {
+            // Check if 2FA is enabled
+            if ($this->twoFactorAuth->isEnabled($user['id'])) {
+                if ($twoFactorCode === null) {
+                    return [
+                        'status' => 'requires_2fa',
+                        'user_id' => $user['id'],
+                        'username' => $user['username']
+                    ];
+                }
+
+                // Verify 2FA code
+                if (!$this->twoFactorAuth->verify($user['id'], $twoFactorCode)) {
+                    return [
+                        'status' => 'invalid_2fa',
+                        'message' => 'Invalid 2FA code'
+                    ];
+                }
+            }
+
+            // Login successful
             $_SESSION['user_id'] = $user['id'];
             $_SESSION['username'] = $user['username'];
+            $_SESSION['CREATED'] = time();
+            $_SESSION['LAST_ACTIVITY'] = time();
+            return [
+                'status' => 'success',
+                'user_id' => $user['id'],
+                'username' => $user['username']
+            ];
+        }
+
+        // Get remaining attempts AFTER this failed attempt
+        $remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
+        return [
+            'status' => 'failed',
+            'message' => "Invalid credentials. {$remainingAttempts} attempts remaining."
+        ];
+    }
+
+
+    /**
+     * Retrieves a user ID based on the username.
+     *
+     * @param string $username The username to look up.
+     *
+     * @return array|null User ID details or null if not found.
+     */
+    // FIXME not used now?
+    public function getUserId($username) {
+        $sql = 'SELECT id FROM user WHERE username = :username';
+        $query = $this->db->prepare($sql);
+        $query->bindParam(':username', $username);
+
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+
+    }
+
+
+    /**
+     * Fetches user details by user ID.
+     *
+     * @param int $userId The user ID.
+     *
+     * @return array|null User details or null if not found.
+     */
+    public function getUserDetails($userId) {
+        $sql = 'SELECT
+                    um.*,
+                    u.username
+                FROM
+                    user_meta um
+                LEFT JOIN user u
+                    ON um.user_id = u.id
+                WHERE
+                    u.id = :user_id';
+
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':user_id'		=> $userId,
+        ]);
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+
+    }
+
+
+    /**
+     * Grants a user a specific right.
+     *
+     * @param int $userId    The user ID.
+     * @param int $right_id  The right ID to grant.
+     *
+     * @return void
+     */
+    public function addUserRight($userId, $right_id) {
+        $sql = 'INSERT INTO user_right
+                    (user_id, right_id)
+                VALUES
+                    (:user_id, :right_id)';
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':user_id'		=> $userId,
+            ':right_id'		=> $right_id,
+        ]);
+    }
+
+
+    /**
+     * Revokes a specific right from a user.
+     *
+     * @param int $userId    The user ID.
+     * @param int $right_id  The right ID to revoke.
+     *
+     * @return void
+     */
+    public function removeUserRight($userId, $right_id) {
+        $sql = 'DELETE FROM user_right
+                WHERE
+                    user_id = :user_id
+                AND
+                    right_id = :right_id';
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':user_id'		=> $userId,
+            ':right_id'		=> $right_id,
+        ]);
+    }
+
+
+    /**
+     * Retrieves all rights in the system.
+     *
+     * @return array List of rights.
+     */
+    public function getAllRights() {
+        $sql = 'SELECT
+                    id AS right_id,
+                    name AS right_name
+                FROM `right`
+                ORDER BY id ASC';
+        $query = $this->db->prepare($sql);
+        $query->execute();
+
+        return $query->fetchAll(PDO::FETCH_ASSOC);
+
+    }
+
+
+    /**
+     * Retrieves the rights assigned to a specific user.
+     *
+     * @param int $userId The user ID.
+     *
+     * @return array List of user rights.
+     */
+    public function getUserRights($userId) {
+        $sql = 'SELECT
+                    u.id AS user_id,
+                    r.id AS right_id,
+                    r.name AS right_name
+                FROM
+                    `user` u
+                    LEFT JOIN `user_right` ur
+                        ON u.id = ur.user_id
+                    LEFT JOIN `right` r
+                        ON ur.right_id = r.id
+                WHERE
+                    u.id = :user_id';
+
+        $query = $this->db->prepare($sql);
+        $query->execute([
+            ':user_id'		=> $userId,
+        ]);
+
+        $result = $query->fetchAll(PDO::FETCH_ASSOC);
+
+        // ensure specific entries are included in the result
+        $specialEntries = [];
+
+        // user 1 is always superuser
+        if ($userId == 1) {
+            $specialEntries = [
+                [
+                    'user_id' => 1,
+                    'right_id' => 1,
+                    'right_name' => 'superuser'
+                ]
+            ];
+
+        // user 2 is always demo
+        } elseif ($userId == 2) {
+            $specialEntries = [
+                [
+                    'user_id' => 2,
+                    'right_id' => 100,
+                    'right_name' => 'demo user'
+                ]
+            ];
+        }
+
+        // merge the special entries with the existing results
+        $result = array_merge($specialEntries, $result);
+        // remove duplicates if necessary
+        $result = array_unique($result, SORT_REGULAR);
+
+        // return the modified result
+        return $result;
+
+    }
+
+
+    /**
+     * Check if the user has a specific right.
+     *
+     * @param int    $userId      The user ID.
+     * @param string $right_name  The human-readable name of the user right.
+     *
+     * @return bool True if the user has the right, false otherwise.
+     */
+    function hasRight($userId, $right_name) {
+        $userRights = $this->getUserRights($userId);
+        $userHasRight = false;
+
+        // superuser always has all the rights
+        if ($userId === 1) {
+            $userHasRight = true;
+        }
+
+        foreach ($userRights as $right) {
+            if ($right['right_name'] === $right_name) {
+                $userHasRight = true;
+                break;
+            }
+        }
+
+        return $userHasRight;
+
+    }
+
+
+    /**
+     * Updates a user's metadata in the database.
+     *
+     * @param int   $userId       The ID of the user to update.
+     * @param array $updatedUser  An associative array containing updated user data:
+     *  - 'name' (string): The updated name of the user.
+     *  - 'email' (string): The updated email of the user.
+     *  - 'timezone' (string): The updated timezone of the user.
+     *  - 'bio' (string): The updated biography of the user.
+     *
+     * @return bool|string Returns true if the update is successful, or an error message if an exception occurs.
+     */
+    public function editUser($userId, $updatedUser) {
+        try {
+            $sql = 'UPDATE user_meta SET
+                        name = :name,
+                        email = :email,
+                        timezone = :timezone,
+                        bio = :bio
+                    WHERE user_id = :user_id';
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':user_id'	=> $userId,
+                ':name'		=> $updatedUser['name'],
+                ':email'	=> $updatedUser['email'],
+                ':timezone'	=> $updatedUser['timezone'],
+                ':bio'		=> $updatedUser['bio']
+            ]);
+
             return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+
+    }
+
+
+    /**
+     * Removes a user's avatar from the database and deletes the associated file.
+     *
+     * @param int    $userId      The ID of the user whose avatar is being removed.
+     * @param string $old_avatar  Optional. The file path of the current avatar to delete. Default is an empty string.
+     *
+     * @return bool|string Returns true if the avatar is successfully removed, or an error message if an exception occurs.
+     */
+    public function removeAvatar($userId, $old_avatar = '') {
+        try {
+            // remove from database
+            $sql = 'UPDATE user_meta SET
+                        avatar = NULL
+                    WHERE user_id = :user_id';
+            $query = $this->db->prepare($sql);
+            $query->execute([
+                ':user_id'	=> $userId,
+            ]);
+
+            // delete the old avatar file
+            if ($old_avatar && file_exists($old_avatar)) {
+                unlink($old_avatar);
+            }
+
+            return true;
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+
+    }
+
+
+    /**
+     * Updates a user's avatar by uploading a new file and saving its path in the database.
+     *
+     * @param int    $userId        The ID of the user whose avatar is being updated.
+     * @param array  $avatar_file   The uploaded avatar file from the $_FILES array.
+     *                              Should include 'tmp_name', 'name', 'error', etc.
+     * @param string $avatars_path  The directory path where avatar files should be saved.
+     *
+     * @return bool|string Returns true if the avatar is successfully updated, or an error message if an exception occurs.
+     */
+    public function changeAvatar($userId, $avatar_file, $avatars_path) {
+        try {
+            // check if the file was uploaded
+            if (isset($avatar_file) && $avatar_file['error'] === UPLOAD_ERR_OK) {
+                $fileTmpPath = $avatar_file['tmp_name'];
+                $fileName = $avatar_file['name'];
+                $fileExtension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
+
+                // validate file extension
+                if (in_array($fileExtension, ['jpg', 'png', 'jpeg'])) {
+                    $newFileName = md5(time() . $fileName) . '.' . $fileExtension;
+                    $dest_path = $avatars_path . $newFileName;
+
+                    // move the file to avatars folder
+                    if (move_uploaded_file($fileTmpPath, $dest_path)) {
+                        try {
+                            // update user's avatar path in DB
+                            $sql = 'UPDATE user_meta SET
+                                        avatar = :avatar
+                                    WHERE user_id = :user_id';
+                            $query = $this->db->prepare($sql);
+                            $query->execute([
+                                ':avatar' => $newFileName,
+                                ':user_id' => $userId
+                            ]);
+                            // all went OK
+                            $_SESSION['notice'] .= 'Avatar updated successfully. ';
+                            return true;
+                        } catch (Exception $e) {
+                            return $e->getMessage();
+                        }
                     } else {
+                        $_SESSION['error'] .= 'Error moving the uploaded file. ';
+                    }
+                } else {
+                    $_SESSION['error'] .= 'Invalid avatar file type. ';
+                }
+            } else {
+                $_SESSION['error'] .= 'Error uploading the avatar file. ';
+            }
+
+        } catch (Exception $e) {
+            return $e->getMessage();
+        }
+    }
+
+    /**
+     * Get all users for messaging
+     *
+     * @return array List of users with their IDs and usernames
+     */
+    public function getUsers() {
+        $sql = "SELECT id, username
+                FROM `user`
+                ORDER BY username ASC";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute();
+
+        return $stmt->fetchAll(PDO::FETCH_ASSOC);
+    }
+
+    /**
+     * Enable two-factor authentication for a user
+     *
+     * @param int    $userId  User ID
+     * @param string $secret  Secret key to use
+     * @param string $code    Verification code to validate
+     * @return bool True if enabled successfully
+     */
+    public function enableTwoFactor($userId, $secret = null, $code = null) {
+        return $this->twoFactorAuth->enable($userId, $secret, $code);
+    }
+
+    /**
+     * Disable two-factor authentication for a user
+     *
+     * @param int $userId User ID
+     * @return bool True if disabled successfully
+     */
+    public function disableTwoFactor($userId) {
+        return $this->twoFactorAuth->disable($userId);
+    }
+
+    /**
+     * Verify a two-factor authentication code
+     *
+     * @param int    $userId  User ID
+     * @param string $code    The verification code
+     * @return bool True if verified
+     */
+    public function verifyTwoFactor($userId, $code) {
+        return $this->twoFactorAuth->verify($userId, $code);
+    }
+
+    /**
+     * Check if two-factor authentication is enabled for a user
+     *
+     * @param int $userId User ID
+     * @return bool True if enabled
+     */
+    public function isTwoFactorEnabled($userId) {
+        return $this->twoFactorAuth->isEnabled($userId);
+    }
+
+    /**
+     * Change a user's password
+     *
+     * @param int    $userId           User ID
+     * @param string $currentPassword  Current password for verification
+     * @param string $newPassword      New password to set
+     * @return bool True if password was changed successfully
+     */
+    public function changePassword($userId, $currentPassword, $newPassword) {
+        try {
+            // First verify the current password
+            $sql = "SELECT password FROM user WHERE id = :user_id";
+            $query = $this->db->prepare($sql);
+            $query->execute([':user_id' => $userId]);
+            $user = $query->fetch(PDO::FETCH_ASSOC);
+
+            if (!$user || !password_verify($currentPassword, $user['password'])) {
+                return false;
+            }
+
+            // Hash the new password
+            $hashedPassword = password_hash($newPassword, PASSWORD_DEFAULT);
+
+            // Update the password
+            $sql = "UPDATE user SET password = :password WHERE id = :user_id";
+            $query = $this->db->prepare($sql);
+            return $query->execute([
+                ':password' => $hashedPassword,
+                ':user_id' => $userId
+            ]);
+
+        } catch (Exception $e) {
+            error_log("Error changing password: " . $e->getMessage());
             return false;
         }
     }
-
 }
-
-?>

app/classes/validator.php

@@ -0,0 +1,110 @@
+<?php
+
+class Validator {
+    private $errors = [];
+    private $data = [];
+
+    public function __construct(array $data) {
+        $this->data = $data;
+    }
+
+    public function validate(array $rules) {
+        foreach ($rules as $field => $fieldRules) {
+            foreach ($fieldRules as $rule => $parameter) {
+                $this->applyRule($field, $rule, $parameter);
+            }
+        }
+        return empty($this->errors);
+    }
+
+    private function applyRule($field, $rule, $parameter) {
+        $value = $this->data[$field] ?? null;
+
+        switch ($rule) {
+            case 'required':
+                if ($parameter && empty($value)) {
+                    $this->addError($field, "Field is required");
+                }
+                break;
+            case 'email':
+                if (!empty($value) && !filter_var($value, FILTER_VALIDATE_EMAIL)) {
+                    $this->addError($field, "Invalid email format");
+                }
+                break;
+            case 'min':
+                if (!empty($value) && strlen($value) < $parameter) {
+                    $this->addError($field, "Minimum length is $parameter characters");
+                }
+                break;
+            case 'max':
+                if (!empty($value) && strlen($value) > $parameter) {
+                    $this->addError($field, "Maximum length is $parameter characters");
+                }
+                break;
+            case 'numeric':
+                if (!empty($value) && !is_numeric($value)) {
+                    $this->addError($field, "Must be a number");
+                }
+                break;
+            case 'phone':
+                if (!empty($value) && !preg_match('/^[+]?[\d\s-()]{7,}$/', $value)) {
+                    $this->addError($field, "Invalid phone number format");
+                }
+                break;
+            case 'url':
+                if (!empty($value) && !filter_var($value, FILTER_VALIDATE_URL)) {
+                    $this->addError($field, "Invalid URL format");
+                }
+                break;
+            case 'date':
+                if (!empty($value)) {
+                    $date = date_parse($value);
+                    if ($date['error_count'] > 0) {
+                        $this->addError($field, "Invalid date format");
+                    }
+                }
+                break;
+            case 'in':
+                if (!empty($value) && !in_array($value, $parameter)) {
+                    $this->addError($field, "Invalid option selected");
+                }
+                break;
+            case 'matches':
+                if ($value !== ($this->data[$parameter] ?? null)) {
+                    $this->addError($field, "Does not match $parameter field");
+                }
+                break;
+            case 'ip':
+                if (!empty($value)) {
+                    // Support both IPv4 and IPv6
+                    if (!filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) {
+                        $this->addError($field, "Invalid IP address format");
+                    }
+                }
+                break;
+        }
+    }
+
+    private function addError($field, $message) {
+        if (!isset($this->errors[$field])) {
+            $this->errors[$field] = [];
+        }
+        $this->errors[$field][] = $message;
+    }
+
+    public function getErrors() {
+        return $this->errors;
+    }
+
+    public function hasErrors() {
+        return !empty($this->errors);
+    }
+
+    public function getFirstError() {
+        if (!$this->hasErrors()) {
+            return null;
+        }
+        $firstField = array_key_first($this->errors);
+        return $this->errors[$firstField][0];
+    }
+}

app/config/jilo-web.conf.php

@@ -10,6 +10,17 @@ return [
     'domain'			=> 'localhost',
     // subfolder for the web app, if any
     'folder'			=> '/jilo-web/',
+    // site name used in emails and in the interface
+    'site_name'			=> 'Jilo Web',
+    // session configuration
+    'session' => [
+        // session name, if empty a random one will be generated
+        'name' => 'jilo',
+        // 2 hours (7200) default, when "remember me" is not checked
+        'lifetime' => 7200,
+        // 30 days (2592000) default, when "remember me" is checked
+        'remember_me_lifetime' => 2592000,
+    ],
     // set to false to disable new registrations
     'registration_enabled'	=> true,
     // will be displayed on login screen
@@ -20,38 +31,27 @@ return [
     //*******************************************
 
     // database
-    'db' => [
-        // DB type for the web app, currently only "sqlite" is used
-        'db_type'		=> 'sqlite',
-        // default is ../app/jilo-web.db
+    'db_type'			=> 'mariadb',
+
+    'sqlite' => [
         'sqlite_file'		=> '../app/jilo-web.db',
     ],
+
+    'sql' => [
+        'sql_host'		=> 'localhost',
+        'sql_port'		=> '3306',
+        'sql_database'		=> 'jilo',
+        'sql_username'		=> 'jilouser',
+        'sql_password'		=> 'jilopass',
+    ],
+
+    // avatars path
+    'avatars_path'		=> 'uploads/avatars/',
+    // default avatar
+    'default_avatar'		=> 'static/default_avatar.png',
     // system info
-    'version'			=> '0.2',
+    'version'			=> '0.4',
     // development has verbose error messages, production has not
     'environment'		=> 'development',
 
-    // *************************************
-    // Maintained by the app, edit with care
-    // *************************************
-
-    'platforms' => [
-        '0' => [
-            'name' => 'lindeas',
-            'jitsi_url' => 'https://meet.lindeas.com',
-            'jilo_database' => '../../jilo/jilo-meet.lindeas.db',
-        ],
-        '1' => [
-            'name' => 'meet.example.com',
-            'jitsi_url' => 'https://meet.example.com',
-            'jilo_database' => '../../jilo/jilo.db',
-        ],
-        '2' => [
-            'name' => 'test3',
-            'jitsi_url' => 'https://test3.example.com',
-            'jilo_database' => '../../jilo/jilo2.db',
-        ],
-    ],
 ];
-
-?>

app/config/theme.php

@@ -0,0 +1,35 @@
+<?php
+
+return [
+    // Active theme (can be overridden by user preference)
+    'active_theme' => 'default',
+
+    // Available themes with their display names
+    'available_themes' => [
+        'default' => 'Default built-in theme',
+        'modern' => 'Modern theme',
+        'retro' => 'Alternative retro theme'
+    ],
+
+    // Path configurations
+    'paths' => [
+        // Base directory for all external themes
+        'themes' => __DIR__ . '/../../themes',
+
+        // Default templates location (built-in fallback)
+        'templates' => __DIR__ . '/../templates',
+
+        // Public assets directory (built-in fallback)
+        'public' => __DIR__ . '/../../public_html'
+    ],
+
+    // Theme configuration defaults
+    'default_config' => [
+        'name' => 'Unnamed Theme',
+        'description' => 'A Jilo Web theme',
+        'version' => '1.0.0',
+        'author' => 'Lindeas Inc.',
+        'screenshot' => 'screenshot.png',
+        'options' => []
+    ]
+];

app/core/ConfigLoader.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Core;
+
+class ConfigLoader
+{
+    /**
+     * @var string|null
+     */
+    private static $configPath = null;
+
+    /**
+     * Load configuration array from a set of possible file locations.
+     *
+     * @param string[] $locations
+     * @return array
+     */
+    public static function loadConfig(array $locations): array
+    {
+        $configFile = null;
+        foreach ($locations as $location) {
+            if (file_exists($location)) {
+                $configFile = $location;
+                break;
+            }
+        }
+        if (!$configFile) {
+            die('Config file not found');
+        }
+        self::$configPath = $configFile;
+        return require $configFile;
+    }
+
+    /**
+     * @return string|null
+     */
+    public static function getConfigPath(): ?string
+    {
+        return self::$configPath;
+    }
+}

app/core/DatabaseConnector.php

@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Core;
+
+use Exception;
+use Feedback;
+
+class DatabaseConnector
+{
+    /**
+     * Connect to the database using given configuration and handle errors.
+     *
+     * @param array $config
+     * @return mixed Database connection
+     */
+    public static function connect(array $config)
+    {
+        // Load DB classes
+        require_once __DIR__ . '/../classes/database.php';
+        require_once __DIR__ . '/../includes/database.php';
+
+        try {
+            $db = connectDB($config);
+            if (!$db) {
+                throw new Exception('Could not connect to database');
+            }
+            return $db;
+        } catch (Exception $e) {
+            // Show error and exit
+            Feedback::flash('ERROR', 'DEFAULT', getError('Error connecting to the database.', $e->getMessage()));
+            include __DIR__ . '/../templates/page-header.php';
+            include __DIR__ . '/../helpers/feedback.php';
+            include __DIR__ . '/../templates/page-footer.php';
+            exit();
+        }
+    }
+}

app/core/HookDispatcher.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace App\Core;
+
+class HookDispatcher
+{
+    /**
+     * Stores all registered hooks and their callbacks.
+     * @var array<string, array<callable>>
+     */
+    private static array $hooks = [];
+
+    /**
+     * Register a callback for a given hook.
+     */
+    public static function register(string $hook, callable $callback): void
+    {
+        if (!isset(self::$hooks[$hook])) {
+            self::$hooks[$hook] = [];
+        }
+        self::$hooks[$hook][] = $callback;
+    }
+
+    /**
+     * Dispatch all callbacks for the specified hook.
+     */
+    public static function dispatch(string $hook, array $context = []): void
+    {
+        if (!empty(self::$hooks[$hook])) {
+            foreach (self::$hooks[$hook] as $callback) {
+                call_user_func($callback, $context);
+            }
+        }
+    }
+
+    /**
+     * Apply filters for a hook key, passing a value through all callbacks.
+     * Each callback should accept the value and return a modified value.
+     *
+     * @param string $hook
+     * @param mixed $value
+     * @return mixed
+     */
+    public static function applyFilters(string $hook, $value)
+    {
+        if (!empty(self::$hooks[$hook])) {
+            foreach (self::$hooks[$hook] as $callback) {
+                $value = call_user_func($callback, $value);
+            }
+        }
+        return $value;
+    }
+}

app/core/MiddlewarePipeline.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace App\Core;
+
+class MiddlewarePipeline {
+    /** @var callable[] */
+    private $middlewares = [];
+
+    /**
+     * Add a middleware to the pipeline.
+     * @param callable $middleware Should return false to halt execution.
+     */
+    public function add(callable $middleware): void {
+        $this->middlewares[] = $middleware;
+    }
+
+    /**
+     * Execute all middlewares in sequence.
+     * @return bool False if any middleware returns false, true otherwise.
+     */
+    public function run(): bool {
+        foreach ($this->middlewares as $middleware) {
+            $result = call_user_func($middleware);
+            if ($result === false) {
+                return false;
+            }
+        }
+        return true;
+    }
+}

app/core/NullLogger.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace App\Core;
+
+/**
+ * NullLogger is a fallback for disabling logging when there is no logging plugin enabled.
+ */
+class NullLogger
+{
+    /**
+     * PSR-3 compatible log stub.
+     * @param string $level
+     * @param string $message
+     * @param array $context
+     */
+    public function log(string $level, string $message, array $context = []): void {}
+}

app/core/PluginManager.php

@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Core;
+
+class PluginManager
+{
+    /**
+     * Loads all enabled plugins from the given directory.
+     *
+     * @param string $pluginsDir
+     * @return array<string, array{path: string, meta: array}>
+     */
+    public static function load(string $pluginsDir): array
+    {
+        $enabled = [];
+        foreach (glob($pluginsDir . '*', GLOB_ONLYDIR) as $pluginPath) {
+            $manifest = $pluginPath . '/plugin.json';
+            if (!file_exists($manifest)) {
+                continue;
+            }
+            $meta = json_decode(file_get_contents($manifest), true);
+            if (empty($meta['enabled'])) {
+                continue;
+            }
+            $name = basename($pluginPath);
+            $enabled[$name] = [
+                'path' => $pluginPath,
+                'meta' => $meta,
+            ];
+            $bootstrap = $pluginPath . '/bootstrap.php';
+            if (file_exists($bootstrap)) {
+                include_once $bootstrap;
+            }
+        }
+        return $enabled;
+    }
+}

app/core/Router.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace App\Core;
+
+use Session;
+use Feedback;
+
+class Router {
+    /**
+     * Check session validity and handle redirection for protected pages.
+     * Returns current username if session is valid, null otherwise.
+     */
+    public static function checkAuth(array $config, string $app_root, array $public_pages, string $page): ?string {
+        // Always allow login page to be accessed
+        if ($page === 'login') {
+            return null;
+        }
+
+        // Check if this is a public page
+        $isPublicPage = in_array($page, $public_pages, true);
+
+        // For public pages, don't validate session
+        if ($isPublicPage) {
+            return null;
+        }
+
+        // For protected pages, check if we have a valid session
+        $validSession = Session::isValidSession(true);
+
+        // If session is valid, return the username
+        if ($validSession) {
+            return Session::getUsername();
+        }
+
+        // If we get here, we need to redirect to login
+        // Only show timeout message if we had an active session before
+        if (isset($_SESSION['LAST_ACTIVITY']) && !isset($_SESSION['session_timeout_shown'])) {
+            Feedback::flash('LOGIN', 'SESSION_TIMEOUT');
+            $_SESSION['session_timeout_shown'] = true;
+        }
+
+        // Preserve flash messages
+        $flash_messages = $_SESSION['flash_messages'] ?? [];
+        Session::cleanup($config);
+        $_SESSION['flash_messages'] = $flash_messages;
+
+        // Build login URL with redirect if appropriate
+        $loginUrl = $app_root . '?page=login';
+        $trimmed = trim($page, '/?');
+        if (!empty($trimmed) && !in_array($trimmed, INVALID_REDIRECT_PAGES, true)) {
+            $loginUrl .= '&redirect=' . urlencode($_SERVER['REQUEST_URI']);
+        }
+
+        header('Location: ' . $loginUrl);
+        exit();
+    }
+}

app/helpers/config.php

@@ -1,25 +0,0 @@
-<?php
-
-// Function to format arrays with square brackets
-function formatArray(array $array, $indentLevel = 2) {
-    $indent = str_repeat('    ', $indentLevel); // 4 spaces per indent level
-    $output = "[\n";
-
-    foreach ($array as $key => $value) {
-        $output .= $indent . "'" . $key . "'" . ' => ';
-
-        if (is_array($value)) {
-            $output .= formatArray($value, $indentLevel + 1);
-        } else {
-            $output .= var_export($value, true);
-        }
-
-        $output .= ",\n";
-    }
-
-    $output .= str_repeat('    ', $indentLevel - 1) . ']';
-
-    return $output;
-}
-
-?>

app/helpers/database.php

@@ -1,67 +0,0 @@
-<?php
-
-// connect to database
-function connectDB($config, $database = '', $platform_id = '') {
-
-    // connecting ti a jilo sqlite database
-    if ($database === 'jilo') {
-        try {
-            $dbFile = $config['platforms'][$platform_id]['jilo_database'] ?? null;
-            if (!$dbFile || !file_exists($dbFile)) {
-                throw new Exception(getError("Invalid platform ID \"{$platform_id}\", database file \"{$dbFile}\"not found."));
-            }
-            $db = new Database([
-                'type'		=> 'sqlite',
-                'dbFile'	=> $dbFile,
-            ]);
-        } catch (Exception $e) {
-            $error = getError('Error connecting to DB.', $e->getMessage());
-            include '../app/templates/block-message.php';
-            exit();
-        }
-
-    // connecting to a jilo-web database of the web app
-    } else {
-
-        // sqlite database file
-        if ($config['db']['db_type'] === 'sqlite') {
-            try {
-                $db = new Database([
-                    'type'	=> $config['db']['db_type'],
-                    'dbFile'	=> $config['db']['sqlite_file'],
-                ]);
-                $pdo = $db->getConnection();
-            } catch (Exception $e) {
-                $error = getError('Error connecting to DB.', $e->getMessage());
-                include '../app/templates/block-message.php';
-                exit();
-            }
-        // mysql/mariadb database
-        } elseif ($config['db']['db_type'] === 'mysql' || $config['db']['db_type'] === 'mariadb') {
-            try {
-                $db = new Database([
-                    'type'	=> $config['db']['db_type'],
-                    'host'	=> $config['db']['sql_host'] ?? 'localhost',
-                    'port'	=> $config['db']['sql_port'] ?? '3306',
-                    'dbname'	=> $config['db']['sql_database'],
-                    'user'	=> $config['db']['sql_username'],
-                    'password'	=> $config['db']['sql_password'],
-                ]);
-                $pdo = $db->getConnection();
-            } catch (Exception $e) {
-                $error = getError('Error connecting to DB.', $e->getMessage());
-                include '../app/templates/block-message.php';
-                exit();
-            }
-        // unknown database
-        } else {
-            $error = "Error: unknow database type \"{$config['db']['db_type']}\"";
-            include '../app/templates/block-message.php';
-            exit();
-        }
-
-    }
-
-    return $db;
-}
-?>

app/helpers/errors.php

@@ -1,14 +0,0 @@
-<?php
-
-function getError($message, $error = '', $environment = null) {
-    global $config;
-    $environment = $config['environment'] ?? 'production';
-
-    if ($environment === 'production') {
-        return 'There was an unexpected error. Please try again.';
-    } else {
-        return $error ?: $message;
-    }
-}
-
-?>

app/helpers/feedback.php

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Feedback Helper
+ *
+ * Combines functionality to handle retrieving and displaying feedback messages.
+ */
+
+// Get any flash messages from previous request
+$flash_messages = Feedback::getFlash();
+if (!empty($flash_messages)) {
+    $system_messages = array_merge($system_messages ?? [], array_map(function($flash) {
+        return [
+            'category' => $flash['category'],
+            'key' => $flash['key'],
+            'custom_message' => $flash['custom_message'] ?? null,
+            'dismissible' => $flash['dismissible'] ?? false,
+            'small' => $flash['small'] ?? false
+        ];
+    }, $flash_messages));
+}
+
+// Show feedback messages
+if (isset($system_messages) && is_array($system_messages)) {
+    foreach ($system_messages as $msg) {
+        echo Feedback::render(
+            $msg['category'],
+            $msg['key'],
+            $msg['custom_message'] ?? null,
+            $msg['dismissible'] ?? false,
+            $msg['small'] ?? false
+        );
+    }
+}

app/helpers/graph.php

@@ -0,0 +1,112 @@
+<div style="position: relative; width: 800px; height: 400px;">
+    <div id="current-period-<?= $data['graph_name'] ?>" style="text-align: center; position: absolute; top: 0; left: 0; right: 0; z-index: 10; font-size: 14px; background-color: rgba(255, 255, 255, 0.7);"></div>
+    <canvas id="graph_<?= $data['graph_name'] ?>" style="margin-top: 20px; margin-bottom: 50px;"></canvas>
+</div>
+
+<script>
+var ctx = document.getElementById('graph_<?= $data['graph_name'] ?>').getContext('2d');
+var timeRangeName = '';
+
+// Prepare datasets
+var datasets = [];
+<?php foreach ($data['datasets'] as $dataset): ?>
+    var chartData = <?php echo json_encode($dataset['data']); ?>;
+    datasets.push({
+        label: '<?= $dataset['label'] ?>',
+        data: chartData.map(function(item) {
+            return {
+                x: item.date,
+                y: item.value
+            };
+        }),
+        borderColor: '<?= $dataset['color'] ?>',
+        borderWidth: 1,
+        fill: false
+    });
+<?php endforeach; ?>
+
+var graph_<?= $data['graph_name'] ?> = new Chart(ctx, {
+    type: 'line',
+    data: {
+        datasets: datasets
+    },
+    options: {
+        layout: {
+            padding: {
+                top: 30
+            }
+        },
+        scales: {
+            x: {
+                type: 'time',
+                time: {
+                    unit: 'day'
+                }
+            },
+            y: {
+                beginAtZero: true
+            }
+        },
+        plugins: {
+            zoom: {
+                pan: {
+                    enabled: true,
+                    mode: 'x'
+                },
+                zoom: {
+                    mode: 'x',
+                    drag: {
+                        enabled: true,  // Enable drag to select range
+                        borderColor: 'rgba(255, 99, 132, 0.3)',
+                        borderWidth: 1
+                    },
+                    onZoom: function({ chart }) {
+                        propagateZoom(chart); // Propagate the zoom to all graphs
+                        setActive(document.getElementById('custom_range'));
+                    }
+                }
+            },
+            legend: {
+                position: 'bottom',
+                labels: {
+                    boxWidth: 20,
+                    padding: 10
+                }
+            },
+            title: {
+                display: true,
+                text: '<?= $data['graph_title'] ?>',
+                font: {
+                    size: 16,
+                    weight: 'bold'
+                },
+                padding: {
+                    bottom: 10
+                }
+            }
+        }
+    }
+});
+
+// Store graph instance and title for later reference
+graphs.push({
+    graph: graph_<?= $data['graph_name'] ?>,
+    label: '<?= $data['graph_title'] ?>'
+});
+
+// Function to update the period label
+function updatePeriodLabel(chart, label) {
+    var startDate = new Date(chart.scales.x.min);
+    var endDate = new Date(chart.scales.x.max);
+    var periodLabel = document.getElementById('current-period-<?= $data['graph_name'] ?>');
+
+    if (timeRangeName) {
+        periodLabel.textContent = label + ' (' + timeRangeName + ')';
+    } else {
+        periodLabel.textContent = label + ' (from ' + startDate.toLocaleDateString() + ' to ' + endDate.toLocaleDateString() + ')';
+    }
+}
+
+// Initial label update
+updatePeriodLabel(graph_<?= $data['graph_name'] ?>, '<?= $data['graph_title'] ?>');
+</script>

app/helpers/ip_helper.php

@@ -0,0 +1,24 @@
+<?php
+
+/**
+ * Returns the user's IP address.
+ * Uses global $user_IP set by Logger plugin if available, else falls back to server variables.
+ *
+ * @return string
+ */
+function getUserIP() {
+    global $user_IP;
+    if (!empty($user_IP)) {
+        return $user_IP;
+    }
+    // Fallback to HTTP headers or REMOTE_ADDR
+    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
+        return $_SERVER['HTTP_CLIENT_IP'];
+    }
+    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        // May contain multiple IPs
+        $parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+        return trim($parts[0]);
+    }
+    return $_SERVER['REMOTE_ADDR'] ?? '';
+}

app/helpers/logger_loader.php

@@ -0,0 +1,15 @@
+<?php
+
+/**
+ * Returns a logger instance: plugin Log if available, otherwise NullLogger.
+ *
+ * @param mixed $database Database or DatabaseConnector instance.
+ * @return mixed Logger instance with PSR-3 log() compatible method.
+ */
+function getLoggerInstance($database) {
+    if (class_exists('Log')) {
+        return new Log($database);
+    }
+    require_once __DIR__ . '/../core/NullLogger.php';
+    return new \App\Core\NullLogger();
+}

app/helpers/pagination.php

@@ -0,0 +1,81 @@
+
+                        <div class="text-center">
+                            <div class="pagination">
+<?php
+    $param = '';
+    if (isset($_REQUEST['id'])) {
+        $param .= '&id=' . htmlspecialchars($_REQUEST['id']);
+    }
+    if (isset($_REQUEST['name'])) {
+        $param .= '&name=' . htmlspecialchars($_REQUEST['name']);
+    }
+    if (isset($_REQUEST['ip'])) {
+        $param .= '&ip=' . htmlspecialchars($_REQUEST['ip']);
+    }
+    if (isset($_REQUEST['event'])) {
+        $param .= '&event=' . htmlspecialchars($_REQUEST['event']);
+    }
+    if (isset($_REQUEST['from_time'])) {
+        $param .= '&from_time=' . htmlspecialchars($from_time);
+    }
+    if (isset($_REQUEST['until_time'])) {
+        $param .= '&until_time=' . htmlspecialchars($until_time);
+    }
+
+    $max_visible_pages = 10;
+    $step_pages = 10;
+
+    if ($browse_page > 1) {
+        echo '<span><a href="' . htmlspecialchars($url) . '&p=1">first</a></span>';
+    } else {
+        echo '<span>first</span>';
+    }
+
+    for ($i = 1; $i <= $page_count; $i++) {
+        // always show the first, last, step pages (10, 20, 30, etc.),
+        // and the pages close to the current one
+        if (
+            $i === 1 || // first page
+            $i === $page_count || // last page
+            $i === $browse_page || // current page
+            $i === $browse_page -1 ||
+            $i === $browse_page +1 ||
+            $i === $browse_page -2 ||
+            $i === $browse_page +2 ||
+            ($i % $step_pages === 0 && $i > $max_visible_pages) // the step pages - 10, 20, etc.
+        ) {
+            if ($i === $browse_page) {
+                // current page, no link
+                if ($browse_page > 1) {
+                    echo '<span><a href="' . htmlspecialchars($app_root) . '?platform=' . htmlspecialchars($platform_id) . '&page=' . htmlspecialchars($page) . $param . '&p=' . (htmlspecialchars($browse_page) -1) . '"><<</a></span>';
+                } else {
+                    echo '<span><<</span>';
+                }
+                echo '[' . htmlspecialchars($i) . ']';
+
+                if ($browse_page < $page_count) {
+                    echo '<span><a href="' . htmlspecialchars($app_root) . '?platform=' . htmlspecialchars($platform_id) . '&page=' . htmlspecialchars($page) . $param . '&p=' . (htmlspecialchars($browse_page) +1) . '">>></a></span>';
+                } else {
+                    echo '<span>>></span>';
+                }
+            } else {
+                // other pages
+                echo '<span><a href="' . htmlspecialchars($app_root) . '?platform=' . htmlspecialchars($platform_id) . '&page=' . htmlspecialchars($page) . $param . '&p=' . htmlspecialchars($i) . '">[' . htmlspecialchars($i) . ']</a></span>';
+            }
+        // show ellipses between distant pages
+        } elseif (
+            $i === $browse_page -3 ||
+            $i === $browse_page +3
+        ) {
+            echo '<span>...</span>';
+        }
+    }
+
+    if ($browse_page < $page_count) {
+        echo '<span><a href="' . htmlspecialchars($app_root) . '?platform=' . htmlspecialchars($platform_id) . '&page=' . htmlspecialchars($page) . $param . '&p=' . (htmlspecialchars($page_count)) . '">last</a></span>';
+    } else {
+        echo '<span>last</span>';
+    }
+?>
+                            </div>
+                        </div>

app/helpers/profile.php

@@ -0,0 +1,46 @@
+<?php
+
+// get the UTC offset of a specified timezone
+function getUTCOffset($timezone) {
+    $formattedOffset = '';
+    if (isset($timezone)) {
+
+        $datetime = new DateTime("now", new DateTimeZone($timezone));
+        $offsetInSeconds = $datetime->getOffset();
+
+        $hours = intdiv($offsetInSeconds, 3600);
+        $minutes = ($offsetInSeconds % 3600) / 60;
+        $formattedOffset = sprintf("UTC%+03d:%02d", $hours, $minutes); // Format UTC+01:00
+    }
+
+    return $formattedOffset;
+
+}
+
+// switch platforms
+function switchPlatform($platform_id) {
+    // get the current URL and parse it
+    $scheme = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
+    $current_url = "$scheme://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
+    $url_components = parse_url($current_url);
+
+    // parse query parameters if they exist
+    parse_str($url_components['query'] ?? '', $query_params);
+
+    // check if the 'platform' parameter is set
+    if (isset($query_params['platform'])) {
+        // change the platform to the new platform_id
+        $query_params['platform'] = $platform_id;
+        $new_query_string = http_build_query($query_params);
+
+    // there is no 'platform', we redirect to front page of the new platform_id
+    } else {
+        $new_query_string = 'platform=' . $platform_id;
+    }
+
+    // rebuild the query and the URL
+    $new_url = $scheme . '://' . $url_components['host'] . $url_components['path'] . '?' . $new_query_string;
+
+    // return the new URL with the new platform_id
+    return $new_url;
+}

app/helpers/render.php

@@ -1,69 +1,81 @@
 <?php
 
 // render config variables array
-function renderConfig($configPart, $indent, $platform=false, $parent='') {
-    global $app_root;
-    global $config;
-        if ($parent === 'platforms') {
-?>
-                        <div class="col-md-8 text-start">
-                            <a class="btn btn-secondary" style="padding: 0px;" href="<?= $app_root ?>?page=config&action=add">add</a>
-                        </div>
-                        <div class="border bg-light" style="padding-left: <?= $indent ?>px; padding-bottom: 20px; padding-top: 20px;">
-<?php   } else {
+function renderConfig($configPart, $indent) {
 ?>
                         <div style="padding-left: <?= $indent ?>px; padding-bottom: 20px;">
-<?php
-        }
-        foreach ($configPart as $config_item => $config_value) {
-            if ($parent === 'platforms') {
-                $indent = 0;
-            }
-?>
+<?php foreach ($configPart as $config_item => $config_value) { ?>
                             <div class="row mb-1" style="padding-left: <?= $indent ?>px;">
                                 <div class="col-md-4 text-end">
                                     <?= htmlspecialchars($config_item) ?>:
                                 </div>
 <?php
-            if ($parent === 'platforms') { ?>
-                                <div class="col-md-8 text-start">
-                                    <a class="btn btn-secondary" style="padding: 2px;" href="<?= $app_root ?>?platform=<?= htmlspecialchars($config_item) ?>&page=config&action=edit">edit</a>
-<?php
-            // we don't delete the last platform
-            if (count($configPart) <= 1) { ?>
-                                    <span class="btn btn-light" style="padding: 2px;" href="#" data-toggle="tooltip" data-placement="right" data-offset="30.0" title="can't delete the last platform">delete</span>
-<?php           } else { ?>
-                                    <a class="btn btn-danger" style="padding: 2px;" href="<?= $app_root ?>?platform=<?= htmlspecialchars($config_item) ?>&page=config&action=delete">delete</a>
-<?php           } ?>
-                                </div>
-<?php       }
-
             if (is_array($config_value)) {
                 // here we render recursively nested arrays
                 $indent = $indent + 50;
-                if ($parent === 'platforms') {
-                    $indent = 100;
-                }
-                if ($config_item === 'platforms') {
-                    renderConfig($config_value, $indent, $platform, 'platforms');
+                renderConfig($config_value, $indent);
+                $indent = 0;
             } else {
-                    renderConfig($config_value, $indent, $platform);
+                // if it's not array, just display it
+                if ($config_item === 'registration_enabled') { ?>
+                                <div class="border col-md-8 text-start">
+                                    <?= ($config_value === 1 || $config_value === true) ? 'true' : 'false' ?>
+                                </div>
+<?php           } else { ?>
+                                <div class="border col-md-8 text-start">
+                                    <?= htmlspecialchars($config_value ?? '')?>
+                                </div>
+<?php           } ?>
+<?php       } ?>
+                            </div>
+<?php } ?>
+                        </div>
+<?php
 }
+
+
+// render config variables array
+function editConfig($configPart, $indent) {
+?>
+                        <div style="padding-left: <?= $indent ?>px; padding-bottom: 20px;">
+<?php foreach ($configPart as $config_item => $config_value) { ?>
+                            <div class="row mb-1" style="padding-left: <?= $indent ?>px;">
+                                <div class="col-md-4 text-end">
+                                    <label for="<?= htmlspecialchars($config_item) ?>" class="form-label"><?= htmlspecialchars($config_item) ?></label>
+                                </div>
+
+<?php
+            if (is_array($config_value)) {
+                // here we render recursively nested arrays
+                $indent = $indent + 50;
+                editConfig($config_value, $indent);
                 $indent = 0;
             } else {
                 // if it's not array, just display it
 ?>
-                                <div class="border col-md-8 text-start">
-                                    <?= htmlspecialchars($config_value ?? '')?>
-<?= $platform ?>
+                                <div class="col-md-8 text-start">
+<?php if ($config_item === 'registration_enabled') { ?>
+                                    <input type="hidden" name="<?= htmlspecialchars($config_item) ?>" value="false" />
+                                    <input class="form-check-input" type="checkbox" role="switch" name="<?= htmlspecialchars($config_item) ?>" value="true" <?= ($config_value === 1 || $config_value === true) ? 'checked' : '' ?> />
+<?php } elseif ($config_item === 'environment') { ?>
+                                    <select class="form-control" type="text" name="<?= htmlspecialchars($config_item) ?>">
+                                        <option value="development"<?= ($config_value === 'development') ? ' selected' : '' ?>>development</option>
+                                        <option value="production"<?= ($config_value === 'production') ? ' selected' : '' ?>>production</option>
+                                    </select>
+<?php } elseif ($config_item === 'version') {?>
+                                    <input class="form-control" type="text" name="<?= htmlspecialchars($config_item) ?>" value="<?= htmlspecialchars($config_value ?? '') ?>" disabled />
+<?php } elseif ($config_item === 'db_type') {?>
+                                    <input class="form-control" type="text" name="<?= htmlspecialchars($config_item) ?>" value="<?= htmlspecialchars($config_value ?? '') ?>" disabled />
+<?php } else { ?>
+                                    <input class="form-control" type="text" name="<?= htmlspecialchars($config_item) ?>" value="<?= htmlspecialchars($config_value ?? '') ?>" />
+<?php } ?>
+                                </div>
+<?php       } ?>
+                            </div>
+<?php } ?>
                         </div>
 <?php
 }
-?>
-                            </div>
-<?php
-        }
-    echo '</div>';
-}
+
 
 ?>

app/helpers/security.php

@@ -0,0 +1,119 @@
+<?php
+
+/**
+ * Security Helper
+ *
+ * Security helper, to be used with all the forms in the app.
+ * Implements singleton pattern for consistent state management.
+ */
+class SecurityHelper {
+    private static $instance = null;
+    private $session;
+
+    private function __construct() {
+        // Don't start a new session, just reference the existing one
+        $this->session = &$_SESSION;
+    }
+
+    public static function getInstance() {
+        if (self::$instance === null) {
+            self::$instance = new SecurityHelper();
+        }
+        return self::$instance;
+    }
+
+    // Generate CSRF token
+    public function generateCsrfToken() {
+        if (empty($this->session['csrf_token'])) {
+            $this->session['csrf_token'] = bin2hex(random_bytes(32));
+        }
+        return $this->session['csrf_token'];
+    }
+
+    // Verify CSRF token
+    public function verifyCsrfToken($token) {
+        if (empty($this->session['csrf_token']) || empty($token)) {
+            return false;
+        }
+        return hash_equals($this->session['csrf_token'], $token);
+    }
+
+    // Sanitize string input
+    public function sanitizeString($input) {
+        if (is_string($input)) {
+            return htmlspecialchars(strip_tags(trim($input)), ENT_QUOTES, 'UTF-8');
+        }
+        return '';
+    }
+
+    // Validate email
+    public function validateEmail($email) {
+        return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
+    }
+
+    // Validate integer
+    public function validateInt($input) {
+        return filter_var($input, FILTER_VALIDATE_INT) !== false;
+    }
+
+    // Validate URL
+    public function validateUrl($url) {
+        return filter_var($url, FILTER_VALIDATE_URL) !== false;
+    }
+
+    // Sanitize array of inputs
+    public function sanitizeArray($array, $allowedKeys = []) {
+        $sanitized = [];
+        foreach ($array as $key => $value) {
+            if (empty($allowedKeys) || in_array($key, $allowedKeys)) {
+                if (is_array($value)) {
+                    $sanitized[$key] = $this->sanitizeArray($value);
+                } else {
+                    $sanitized[$key] = $this->sanitizeString($value);
+                }
+            }
+        }
+        return $sanitized;
+    }
+
+    // Validate form data based on rules
+    public function validateFormData($data, $rules) {
+        $errors = [];
+        foreach ($rules as $field => $rule) {
+            if (!isset($data[$field]) && $rule['required']) {
+                $errors[$field] = "Field is required";
+                continue;
+            }
+
+            if (isset($data[$field])) {
+                $value = $data[$field];
+                switch ($rule['type']) {
+                    case 'email':
+                        if (!$this->validateEmail($value)) {
+                            $errors[$field] = "Invalid email format";
+                        }
+                        break;
+                    case 'integer':
+                        if (!$this->validateInt($value)) {
+                            $errors[$field] = "Must be a valid integer";
+                        }
+                        break;
+                    case 'url':
+                        if (!$this->validateUrl($value)) {
+                            $errors[$field] = "Invalid URL format";
+                        }
+                        break;
+                    case 'string':
+                        if (isset($rule['min']) && strlen($value) < $rule['min']) {
+                            $errors[$field] = "Minimum length is {$rule['min']} characters";
+                        }
+                        if (isset($rule['max']) && strlen($value) > $rule['max']) {
+                            $errors[$field] = "Maximum length is {$rule['max']} characters";
+                        }
+                        break;
+                }
+            }
+        }
+        return $errors;
+    }
+}

app/helpers/theme-asset.php

@@ -0,0 +1,109 @@
+<?php
+/**
+ * Theme Asset handler
+ *
+ * Serves theme assets (images, CSS, JS, etc.) securely by checking if the requested
+ * theme and asset path are valid and accessible.
+ *
+ * This is a standalone handler that doesn't require the full application initialization.
+ */
+
+// Set error reporting
+error_reporting(E_ALL);
+ini_set('display_errors', '1');
+
+// Define base path if not defined
+if (!defined('APP_ROOT')) {
+    define('APP_ROOT', dirname(__DIR__));
+}
+
+// Basic security checks
+if (!isset($_GET['theme']) || !preg_match('/^[a-zA-Z0-9_-]+$/', $_GET['theme'])) {
+    http_response_code(400);
+    exit('Invalid theme specified');
+}
+
+if (!isset($_GET['path']) || empty($_GET['path'])) {
+    http_response_code(400);
+    exit('No asset path specified');
+}
+
+$themeId = $_GET['theme'];
+$assetPath = $_GET['path'];
+
+// Validate asset path (only alphanumeric, hyphen, underscore, dot, and forward slash)
+if (!preg_match('/^[a-zA-Z0-9_\-\.\/]+$/', $assetPath)) {
+    http_response_code(400);
+    exit('Invalid asset path');
+}
+
+// Prevent directory traversal
+if (strpos($assetPath, '..') !== false) {
+    http_response_code(400);
+    exit('Invalid asset path');
+}
+
+// Build full path to the asset
+$themesDir = dirname(dirname(__DIR__)) . '/themes';
+$fullPath = realpath("$themesDir/$themeId/$assetPath");
+
+// Additional security check to ensure the path is within the themes directory
+if ($fullPath === false) {
+    http_response_code(404);
+    header('Content-Type: text/plain');
+    error_log("Asset not found: $themesDir/$themeId/$assetPath");
+    exit("Asset not found: $themesDir/$themeId/$assetPath");
+}
+
+if (strpos($fullPath, realpath($themesDir)) !== 0) {
+    http_response_code(400);
+    header('Content-Type: text/plain');
+    error_log("Security violation: Attempted to access path outside themes directory: $fullPath");
+    exit('Invalid asset path');
+}
+
+// Check if the file exists and is readable
+if (!file_exists($fullPath) || !is_readable($fullPath)) {
+    http_response_code(404);
+    header('Content-Type: text/plain');
+    error_log("File not found or not readable: $fullPath");
+    exit("File not found or not readable: " . basename($fullPath));
+}
+
+// Clear any previous output
+if (ob_get_level()) {
+    ob_clean();
+}
+
+// Determine content type based on file extension
+$extension = strtolower(pathinfo($assetPath, PATHINFO_EXTENSION));
+$contentTypes = [
+    'css'  => 'text/css',
+    'js'   => 'application/javascript',
+    'json' => 'application/json',
+    'png'  => 'image/png',
+    'jpg'  => 'image/jpeg',
+    'jpeg' => 'image/jpeg',
+    'gif'  => 'image/gif',
+    'svg'  => 'image/svg+xml',
+    'webp' => 'image/webp',
+    'woff' => 'font/woff',
+    'woff2' => 'font/woff2',
+    'ttf'  => 'font/ttf',
+    'eot'  => 'application/vnd.ms-fontobject',
+];
+
+$contentType = $contentTypes[$extension] ?? 'application/octet-stream';
+
+// Set proper headers
+header('Content-Type: ' . $contentType);
+header('Content-Length: ' . filesize($fullPath));
+
+// Cache for 24 hours (86400 seconds)
+$expires = 86400;
+header('Cache-Control: public, max-age=' . $expires);
+header('Expires: ' . gmdate('D, d M Y H:i:s', time() + $expires) . ' GMT');
+header('Pragma: cache');
+
+// Output the file
+readfile($fullPath);

app/helpers/theme.php

@@ -0,0 +1,307 @@
+<?php
+
+/**
+ * Theme Helper
+ *
+ * Handles theme management and template/asset loading for the application.
+ * Supports multiple themes with fallback to default theme when needed.
+ * The default theme uses app/templates and public_html/static as fallbacks/
+ */
+
+namespace App\Helpers;
+
+use Exception;
+
+// Include Session class
+require_once __DIR__ . '/../classes/session.php';
+use Session;
+
+class Theme
+{
+    /**
+     * @var array Theme configuration
+     */
+    private static $config;
+
+
+    /**
+     * Get the theme configuration
+     *
+     * @return array
+     */
+    public static function getConfig()
+    {
+        // Always reload the config to get the latest changes
+        self::$config = require __DIR__ . '/../config/theme.php';
+        return self::$config;
+    }
+
+
+    /**
+     * @var string Current theme name
+     */
+    private static $currentTheme;
+
+
+    /**
+     * Initialize the theme system
+     */
+    public static function init()
+    {
+        // Only load config if not already loaded
+        if (self::$config === null) {
+            self::$config = require __DIR__ . '/../config/theme.php';
+        }
+        self::$currentTheme = self::getCurrentThemeName();
+    }
+
+
+    /**
+     * Get the current theme name
+     *
+     * @return string
+     */
+    public static function getCurrentThemeName()
+    {
+        // Ensure session is started
+        if (session_status() === PHP_SESSION_NONE) {
+            Session::startSession();
+        }
+
+        // Check if already determined
+        if (self::$currentTheme !== null) {
+            return self::$currentTheme;
+        }
+
+        // Try to get from session first
+        $sessionTheme = isset($_SESSION['theme']) ? $_SESSION['theme'] : null;
+        if ($sessionTheme && isset(self::$config['available_themes'][$sessionTheme])) {
+            self::$currentTheme = $sessionTheme;
+        } else {
+            // Fall back to default theme
+            self::$currentTheme = self::$config['active_theme'];
+        }
+
+        return self::$currentTheme;
+    }
+
+
+    /**
+     * Get the URL for a theme asset
+     *
+     * @param string $themeId Theme ID
+     * @param string $assetPath Path to the asset relative to theme directory (e.g., 'css/style.css')
+     * @return string|null URL to the asset or null if not found
+     */
+    public static function getAssetUrl($themeId, $assetPath = '')
+    {
+        // Clean and validate the asset path
+        $assetPath = ltrim($assetPath, '/');
+        if (empty($assetPath)) {
+            return null;
+        }
+
+        // Only allow alphanumeric, hyphen, underscore, dot, and forward slash
+        if (!preg_match('/^[a-zA-Z0-9_\-\.\/]+$/', $assetPath)) {
+            return null;
+        }
+
+        // Prevent directory traversal
+        if (strpos($assetPath, '..') !== false) {
+            return null;
+        }
+
+        $fullPath = __DIR__ . "/../../themes/$themeId/$assetPath";
+        if (!file_exists($fullPath) || !is_readable($fullPath)) {
+            return null;
+        }
+
+        // Generate URL that goes through index.php
+        global $app_root;
+        // Remove any trailing slash from app_root to avoid double slashes
+        $baseUrl = rtrim($app_root, '/');
+        return "$baseUrl/?page=theme-asset&theme=" . urlencode($themeId) . "&path=" . urlencode($assetPath);
+    }
+
+
+    /**
+     * Set the current theme for the session
+     *
+     * @param string $themeName
+     * @return bool
+     */
+    public static function setCurrentTheme(string $themeName): bool
+    {
+        if (!self::themeExists($themeName)) {
+            return false;
+        }
+
+        // Update session
+        if (Session::isValidSession()) {
+            $_SESSION['theme'] = $themeName;
+        } else {
+            return false;
+        }
+
+        // Clear the current theme cache
+        self::$currentTheme = null;
+
+        // Update config file
+        $configFile = __DIR__ . '/../config/theme.php';
+        if (file_exists($configFile) && is_writable($configFile)) {
+            $config = file_get_contents($configFile);
+            // Update the active_theme in the config
+            $newConfig = preg_replace(
+                "/'active_theme'\s*=>\s*'[^']*'/",
+                "'active_theme' => '" . addslashes($themeName) . "'",
+                $config
+            );
+
+            if ($newConfig !== $config) {
+                if (file_put_contents($configFile, $newConfig) === false) {
+                    return false;
+                }
+            }
+            self::$currentTheme = $themeName;
+            return true;
+        }
+
+        return false;
+    }
+
+
+    /**
+     * Check if a theme exists
+     *
+     * @param string $themeName
+     * @return bool
+     */
+    public static function themeExists(string $themeName): bool
+    {
+        // Default theme always exists as it uses core templates
+        if ($themeName === 'default') {
+            return true;
+        }
+
+        $themePath = self::getThemePath($themeName);
+        return is_dir($themePath) && file_exists("$themePath/config.php");
+    }
+
+
+    /**
+     * Get the path to a theme
+     *
+     * @param string|null $themeName
+     * @return string
+     */
+    public static function getThemePath(?string $themeName = null): string
+    {
+        $themeName = $themeName ?? self::getCurrentThemeName();
+        $config = self::getConfig();
+        return rtrim($config['paths']['themes'], '/') . "/$themeName";
+    }
+
+
+    /**
+     * Get the URL for a theme asset
+     *
+     * @param string $path
+     * @param bool $includeVersion
+     * @return string
+     */
+    public static function asset($path, $includeVersion = false)
+    {
+        $themeName = self::getCurrentThemeName();
+        $config = self::getConfig();
+        $baseUrl = rtrim($GLOBALS['app_root'] ?? '', '/');
+
+        // For non-default themes, use theme assets
+        if ($themeName !== 'default') {
+            $assetPath = "/themes/{$themeName}/assets/" . ltrim($path, '/');
+
+            // Add version query string for cache busting
+            if ($includeVersion) {
+                $version = self::getThemeVersion($themeName);
+                $assetPath .= (strpos($assetPath, '?') !== false ? '&' : '?') . 'v=' . $version;
+            }
+        } else {
+            // For default theme, use public_html directly
+            $assetPath = '/' . ltrim($path, '/');
+        }
+
+        return $baseUrl . $assetPath;
+    }
+
+
+    /**
+     * Include a theme template file
+     *
+     * @param string $template Template name without .php extension
+     * @return void
+     */
+    public static function include($template)
+    {
+        global $config;
+        $config = $config ?? [];
+
+        $themeConfig = self::getConfig();
+        $themeName = self::getCurrentThemeName();
+
+        // We need this here, otherwise because this helper
+        // between index and the views breaks the session vars
+        extract($GLOBALS, EXTR_SKIP | EXTR_REFS);
+
+        // Ensure config is always available in templates
+        $config = array_merge($config, $themeConfig);
+
+        // For non-default themes, look in the theme directory first
+        if ($themeName !== 'default') {
+            $themePath = $config['paths']['themes'] . '/' . $themeName . '/views/' . $template . '.php';
+            if (file_exists($themePath)) {
+                include $themePath;
+                return;
+            }
+        }
+
+        // Fallback to default template location
+        $defaultPath = $config['paths']['templates'] . '/' . $template . '.php';
+        if (file_exists($defaultPath)) {
+            include $defaultPath;
+            return;
+        }
+
+        // Log error if template not found
+        error_log("Template not found: {$template} in theme: {$themeName}");
+    }
+
+
+    /**
+     * Get all available themes
+     *
+     * @return array
+     */
+    public static function getAvailableThemes(): array
+    {
+        $config = self::getConfig();
+        $availableThemes = $config['available_themes'] ?? [];
+        $themes = [];
+
+        // Add default theme if not already present
+        if (!isset($availableThemes['default'])) {
+            $availableThemes['default'] = 'Default built-in theme';
+        }
+
+        // Verify each theme exists and has a config file
+        $themesDir = $config['paths']['themes'] ?? (__DIR__ . '/../../themes');
+        foreach ($availableThemes as $id => $name) {
+            if ($id === 'default' || (is_dir("$themesDir/$id") && file_exists("$themesDir/$id/config.php"))) {
+                $themes[$id] = $name;
+            }
+        }
+
+        return $themes;
+    }
+}
+
+// Initialize the theme system
+Theme::init();

app/helpers/time_range.php

@@ -1,17 +1,13 @@
 <?php
 
 $time_range_specified = false;
-if (!isset($_REQUEST['from_time']) || (isset($_REQUEST['from_time']) && $_REQUEST['from_time'] == '')) {
+if (!isset($from_time) || (isset($from_time) && $from_time == '')) {
     $from_time = '0000-01-01';
 } else {
-    $from_time = $_REQUEST['from_time'];
     $time_range_specified = true;
 }
-if (!isset($_REQUEST['until_time']) || (isset($_REQUEST['until_time']) && $_REQUEST['until_time'] == '')) {
+if (!isset($until_time) || (isset($until_time) && $until_time == '')) {
     $until_time = '9999-12-31';
 } else {
-    $until_time = $_REQUEST['until_time'];
     $time_range_specified = true;
 }
-
-?>

app/includes/constants.php

@@ -0,0 +1,5 @@
+<?php
+// Pages that should not be used as redirect targets
+const INVALID_REDIRECT_PAGES = [
+    '', 'login', 'logout', 'register', 'dashboard', '/'
+];

app/includes/csrf_middleware.php

@@ -0,0 +1,52 @@
+<?php
+
+require_once __DIR__ . '/../helpers/security.php';
+
+function applyCsrfMiddleware() {
+    global $logObject, $user_IP;
+    $security = SecurityHelper::getInstance();
+
+    // Skip CSRF check for GET requests
+    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+        return true;
+    }
+
+    // Skip CSRF check for initial login, registration, and 2FA verification attempts
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
+        isset($_GET['page']) && isset($_GET['action']) &&
+        $_GET['page'] === 'login' && $_GET['action'] === 'verify' &&
+        isset($_SESSION['2fa_pending_user_id'])) {
+        return true;
+    }
+
+    // Skip CSRF check for initial login and registration attempts
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
+        isset($_GET['page']) &&
+        in_array($_GET['page'], ['login', 'register']) &&
+        !isset($_SESSION['username'])) {
+        return true;
+    }
+
+    // Check CSRF token for all other POST requests
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        // Check for token in POST data or headers
+        $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+        if (!$security->verifyCsrfToken($token)) {
+            // Log CSRF attempt
+            $ipAddress = $user_IP;
+            $logMessage = sprintf(
+                "CSRF attempt detected - IP: %s, Page: %s, User: %s",
+                $ipAddress,
+                $_GET['page'] ?? 'unknown',
+                $_SESSION['username'] ?? 'anonymous'
+            );
+            $logObject->log('error', $logMessage, ['user_id' => null, 'scope' => 'system']);
+
+            // Return error message
+            http_response_code(403);
+            die('Invalid CSRF token. Please try again.');
+        }
+    }
+
+    return true;
+}

app/includes/csrf_token.php

@@ -0,0 +1,4 @@
+<?php
+$token = SecurityHelper::getInstance()->generateCsrfToken();
+?>
+<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token) ?>" />

app/includes/database.php

@@ -0,0 +1,63 @@
+<?php
+
+// connect to database
+function connectDB($config) {
+    // sqlite database file
+    if ($config['db_type'] === 'sqlite') {
+        try {
+            $dbFile = $config['sqlite']['sqlite_file'] ?? null;
+            if (!$dbFile || !file_exists($dbFile)) {
+                throw new Exception(getError("Database file \"{$dbFile}\"not found."));
+            }
+            $db = new Database([
+                'type'		=> $config['db_type'],
+                'dbFile'	=> $dbFile,
+            ]);
+            $pdo = $db->getConnection();
+        } catch (Exception $e) {
+            Feedback::flash('ERROR', 'DEFAULT', getError('Error connecting to DB.', $e->getMessage()));
+            return false;
+        }
+        return $db;
+
+    // mysql/mariadb database
+    } elseif ($config['db_type'] === 'mysql' || $config['db_type'] === 'mariadb') {
+        $db = new Database([
+            'type'		=> $config['db_type'],
+            'host'		=> $config['sql']['sql_host'] ?? 'localhost',
+            'port'		=> $config['sql']['sql_port'] ?? '3306',
+            'dbname'		=> $config['sql']['sql_database'],
+            'user'		=> $config['sql']['sql_username'],
+            'password'		=> $config['sql']['sql_password'],
+        ]);
+        try {
+            $pdo = $db->getConnection();
+        } catch (Exception $e) {
+            Feedback::flash('ERROR', 'DEFAULT', getError('Error connecting to DB.', $e->getMessage()));
+            return false;
+        }
+        return $db;
+
+    // unknown database
+    } else {
+        Feedback::flash('ERROR', 'DEFAULT', getError("Error: unknown database type \"{$config['db_type']}\""));
+        return false;
+    }
+
+}
+
+// connect to Jilo database
+function connectJiloDB($config, $dbFile = '', $platformId = '') {
+    try {
+        if (!$dbFile || !file_exists($dbFile)) {
+            throw new Exception(getError("Invalid platform ID \"{$platformId}\", database file \"{$dbFile}\" not found."));
+        }
+        $db = new Database([
+            'type'		=> 'sqlite',
+            'dbFile'	=> $dbFile,
+        ]);
+        return ['db' => $db, 'error' => null];
+    } catch (Exception $e) {
+        return ['db' => null, 'error' => getError('Error connecting to DB.', $e->getMessage())];
+    }
+}

app/includes/errors.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * Generate an error or notice message based on the environment.
+ *
+ * In a production environment, hides detailed error messages and returns
+ * a generic message. In other environments, returns the provided message.
+ *
+ * @param string $message            A user-friendly message to display.
+ * @param string $error              The detailed error message for debugging (optional).
+ * @param string|null $environment   The environment type ('production', 'development', etc.). If null, defaults to the configured environment.
+ *
+ * @return string                    The appropriate message based on the environment.
+ */
+function getError($message, $error = '', $environment = null) {
+    global $config;
+    $environment = $config['environment'] ?? 'production';
+
+    if ($environment === 'production') {
+        return 'There was an unexpected error. Please try again.';
+    } else {
+        return $error ?: $message;
+    }
+}
+
+/**
+ * Render a message if it exists, and optionally unset it after display.
+ *
+ * @param string $message   The message to display.
+ * @param string $type      The type of message (e.g., 'error', 'notice').
+ * @param bool   $unset     Whether to unset the message after display.
+ */
+function renderMessage(&$message, $type, $unset = false) {
+    if (isset($message)) {
+        echo "\t\t<div class=\"{$type}\">" . $message . "</div>\n";
+        if ($unset) {
+            $message = null;
+        }
+    }
+}

app/includes/rate_limit_middleware.php

@@ -0,0 +1,58 @@
+<?php
+
+require_once __DIR__ . '/../classes/ratelimiter.php';
+
+/**
+ * Rate limit middleware for page requests
+ * 
+ * @param Database $database Database connection
+ * @param string $endpoint The endpoint being accessed
+ * @param int|null $userId Current user ID if authenticated
+ * @param RateLimiter|null $existingRateLimiter Optional existing RateLimiter instance
+ * @return bool True if request is allowed, false if rate limited
+ */
+function checkRateLimit($database, $endpoint, $userId = null, $existingRateLimiter = null) {
+    global $app_root, $user_IP;
+    $isTest = defined('PHPUNIT_RUNNING');
+    $rateLimiter = $existingRateLimiter ?? new RateLimiter($database);
+    $ipAddress = $user_IP;
+
+    // Check if request is allowed
+    if (!$rateLimiter->isPageRequestAllowed($ipAddress, $endpoint, $userId)) {
+        // Get remaining requests for error message
+        $remaining = $rateLimiter->getRemainingPageRequests($ipAddress, $endpoint, $userId);
+
+        if (!$isTest) {
+            // Set rate limit headers
+            header('X-RateLimit-Remaining: ' . $remaining);
+            header('X-RateLimit-Reset: ' . (time() + 60)); // Reset in 1 minute
+
+            // Return 429 Too Many Requests
+            http_response_code(429);
+
+            // If AJAX request, return JSON
+            if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && 
+                strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
+                header('Content-Type: application/json');
+                echo json_encode([
+                    'success' => false,
+                    'message' => 'Too many requests. Please try again in a minute.',
+                    'messageData' => Feedback::getMessageData('ERROR', 'DEFAULT', 'Too many requests. Please try again in a minute.', true)
+                ]);
+            } else {
+                // For regular requests, set flash message and redirect
+                Feedback::flash('ERROR', 'DEFAULT', 'Too many requests. Please try again in a minute.', true);
+                header('Location: ' . htmlspecialchars($app_root));
+            }
+            exit;
+        }
+
+        // In test mode, just set the flash message
+        Feedback::flash('ERROR', 'DEFAULT', 'Too many requests. Please try again in a minute.', true);
+        return false;
+    }
+
+    // Record this request
+    $rateLimiter->recordPageRequest($ipAddress, $endpoint);
+    return true;
+}

app/includes/sanitize.php

@@ -0,0 +1,61 @@
+<?php
+
+// sanitize all input vars that may end up in URLs or forms
+
+$platform_id = htmlspecialchars($_REQUEST['platform'] ?? '');
+if (isset($_REQUEST['page'])) {
+    $page = htmlspecialchars($_REQUEST['page']);
+} else {
+    $page = 'dashboard';
+}
+if (isset($_REQUEST['item'])) {
+    $item = htmlspecialchars($_REQUEST['item']);
+} else {
+    $item = '';
+}
+
+if (isset($_REQUEST['from_time'])) {
+    $from_time = htmlspecialchars($_REQUEST['from_time']);
+}
+if (isset($_REQUEST['until_time'])) {
+    $until_time = htmlspecialchars($_REQUEST['until_time']);
+}
+
+// sanitize session vars
+if (isset($_SESSION)) {
+    foreach ($_SESSION as $key => $value) {
+        if (is_string($value)) {
+            $_SESSION[$key] = htmlspecialchars($value);
+        }
+    }
+}
+
+// hosts
+if (isset($_POST['address'])) {
+    $address = htmlspecialchars($_POST['address']);
+}
+if (isset($_POST['port'])) {
+    $port = htmlspecialchars($_POST['port']);
+}
+if (isset($_POST['name'])) {
+    $name = htmlspecialchars($_POST['name']);
+}
+
+// agents
+if (isset($_POST['type'])) {
+    $type = htmlspecialchars($_POST['type']);
+}
+if (isset($_POST['url'])) {
+    $url = htmlspecialchars($_POST['url']);
+}
+if (isset($_POST['secret_key'])) {
+    $secret_key = htmlspecialchars($_POST['secret_key']);
+}
+if (isset($_POST['check_period'])) {
+    $check_period = htmlspecialchars($_POST['check_period']);
+}
+
+// platforms
+if (isset($_POST['name'])) {
+    $name = htmlspecialchars($_POST['name']);
+}

app/includes/security_headers_middleware.php

@@ -0,0 +1,117 @@
+<?php
+
+/**
+ * Security Headers Middleware
+ *
+ * Sets various security headers to protect against common web vulnerabilities:
+ * - HSTS: Force HTTPS connections
+ * - CSP: Content Security Policy to prevent XSS and other injection attacks
+ * - X-Frame-Options: Prevent clickjacking
+ * - X-Content-Type-Options: Prevent MIME-type sniffing
+ * - Referrer-Policy: Control referrer information
+ * - Permissions-Policy: Control browser features
+ */
+
+function applySecurityHeaders($testMode = false) {
+    $headers = [];
+
+    // Get current page
+    $current_page = $_GET['page'] ?? 'dashboard';
+
+    // Define pages that need media access
+    $media_enabled_pages = [
+        // 'conference' => ['camera', 'microphone'],
+        // 'call' => ['microphone'],
+        // Add more pages and their required permissions as needed
+    ];
+
+    // Strict Transport Security (HSTS)
+    // Only enable if HTTPS is properly configured
+    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
+        $headers[] = 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload';
+    }
+
+    // Content Security Policy (CSP)
+    $csp = [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'", // Required for Bootstrap and jQuery
+        "style-src 'self' 'unsafe-inline' https://use.fontawesome.com", // Allow FontAwesome CSS
+        "img-src 'self' data:", // Allow data: URLs for images
+        "font-src 'self' https://use.fontawesome.com", // Allow FontAwesome fonts
+        "connect-src 'self'",
+        "frame-ancestors 'none'", // Equivalent to X-Frame-Options: DENY
+        "form-action 'self'",
+        "base-uri 'self'",
+        "upgrade-insecure-requests" // Force HTTPS for all requests
+    ];
+    $headers[] = "Content-Security-Policy: " . implode('; ', $csp);
+
+    // X-Frame-Options (legacy support)
+    $headers[] = 'X-Frame-Options: DENY';
+
+    // X-Content-Type-Options
+    $headers[] = 'X-Content-Type-Options: nosniff';
+
+    // X-XSS-Protection
+    $headers[] = 'X-XSS-Protection: 1; mode=block';
+
+    // Referrer-Policy
+    $headers[] = 'Referrer-Policy: strict-origin-when-cross-origin';
+
+    // Permissions-Policy
+    $permissions = [
+        'geolocation=()',
+        'payment=()',
+        'usb=()',
+        'accelerometer=()',
+        'autoplay=()',
+        'document-domain=()',
+        'encrypted-media=()',
+        'fullscreen=(self)',
+        'magnetometer=()',
+        'midi=()',
+        'sync-xhr=(self)',
+        'usb=()'
+    ];
+
+    // Add camera/microphone permissions based on current page
+    $camera_allowed = false;
+    $microphone_allowed = false;
+
+    if (isset($media_enabled_pages[$current_page])) {
+        $allowed_media = $media_enabled_pages[$current_page];
+        if (in_array('camera', $allowed_media)) {
+            $camera_allowed = true;
+        }
+        if (in_array('microphone', $allowed_media)) {
+            $microphone_allowed = true;
+        }
+    }
+
+    // Add media permissions
+    $permissions[] = $camera_allowed ? 'camera=(self)' : 'camera=()';
+    $permissions[] = $microphone_allowed ? 'microphone=(self)' : 'microphone=()';
+
+    $headers[] = 'Permissions-Policy: ' . implode(', ', $permissions);
+
+    // Clear PHP version
+    if (!$testMode) {
+        header_remove('X-Powered-By');
+    }
+
+    // Prevent caching of sensitive pages
+    if (in_array($current_page, ['login', 'register', 'profile', 'security'])) {
+        $headers[] = 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0';
+        $headers[] = 'Pragma: no-cache';
+        $headers[] = 'Expires: ' . gmdate('D, d M Y H:i:s', time() - 3600) . ' GMT';
+    }
+
+    if ($testMode) {
+        return $headers;
+    }
+
+    // Apply headers in production
+    foreach ($headers as $header) {
+        header($header);
+    }
+}

app/includes/strings.php

@@ -0,0 +1,48 @@
+<?php
+
+// Message strings for translation
+return [
+    'ERROR' => [
+        'CSRF_INVALID' => 'Invalid security token. Please try again.',
+        'INVALID_ACTION' => 'Invalid action requested.',
+        'DEFAULT' => 'An error occurred. Please try again.',
+    ],
+    'LOGIN' => [
+        'LOGIN_SUCCESS' => 'Login successful.',
+        'LOGIN_FAILED' => 'Login failed. Please check your credentials.',
+        'LOGOUT_SUCCESS' => 'Logout successful. You can log in again.',
+        'SESSION_TIMEOUT' => 'Your session has expired. Please log in again.',
+        'IP_BLACKLISTED' => 'Access denied. Your IP address is blacklisted.',
+        'IP_NOT_WHITELISTED' => 'Access denied. Your IP address is not whitelisted.',
+        'TOO_MANY_ATTEMPTS' => 'Too many login attempts. Please try again later.',
+    ],
+    'REGISTER' => [
+        'SUCCESS' => 'Registration successful. You can log in now.',
+        'FAILED' => 'Registration failed: %s',
+        'DISABLED' => 'Registration is disabled.',
+    ],
+    'SECURITY' => [
+        'WHITELIST_ADD_SUCCESS' => 'IP address successfully added to whitelist.',
+        'WHITELIST_ADD_FAILED' => 'Failed to add IP to whitelist.',
+        'WHITELIST_ADD_ERROR_IP' => 'Failed to add IP to whitelist. Please check the IP format.',
+        'WHITELIST_REMOVE_SUCCESS' => 'IP address successfully removed from whitelist.',
+        'WHITELIST_REMOVE_FAILED' => 'Failed to remove IP from whitelist.',
+        'BLACKLIST_ADD_SUCCESS' => 'IP address successfully added to blacklist.',
+        'BLACKLIST_ADD_FAILED' => 'Failed to add IP to blacklist.',
+        'BLACKLIST_ADD_ERROR_IP' => 'Failed to add IP to blacklist. Please check the IP format.',
+        'BLACKLIST_REMOVE_SUCCESS' => 'IP address successfully removed from blacklist.',
+        'BLACKLIST_REMOVE_FAILED' => 'Failed to remove IP from blacklist.',
+        'RATE_LIMIT_INFO' => 'Rate limiting is active. This helps protect against brute force attacks.',
+        'PERMISSION_DENIED' => 'Permission denied. You do not have the required rights.',
+        'IP_REQUIRED' => 'IP address is required.',
+    ],
+    'THEME' => [
+        'THEME_CHANGE_SUCCESS' => 'Theme has been changed successfully.',
+        'THEME_CHANGE_FAILED' => 'Failed to change theme. The selected theme may not be available.',
+    ],
+    'SYSTEM' => [
+        'DB_ERROR' => 'Error connecting to the database: %s',
+        'DB_CONNECT_ERROR' => 'Error connecting to DB: %s',
+        'DB_UNKNOWN_TYPE' => 'Error: unknown database type "%s"',
+    ],
+];

app/pages/agents.php

@@ -0,0 +1,174 @@
+<?php
+
+/**
+ * Agent cache management
+ *
+ * This page ("agents") handles caching for agents. It allows storing, clearing, and retrieving
+ * agent-related data in the session using AJAX requests. The cache is stored with a timestamp
+ * to allow time-based invalidation if needed.
+ */
+
+// Constants for session keys and cache settings
+define('SESSION_CACHE_SUFFIX', '_cache');
+define('SESSION_CACHE_TIME_SUFFIX', '_cache_time');
+define('CACHE_EXPIRY_TIME', 3600); // 1 hour in seconds
+
+// Input validation
+$action = isset($_GET['action']) ? htmlspecialchars(trim($_GET['action']), ENT_QUOTES, 'UTF-8') : '';
+$agentId = filter_input(INPUT_GET, 'agent', FILTER_VALIDATE_INT);
+
+require '../app/classes/agent.php';
+require '../app/classes/host.php';
+$agentObject = new Agent($db);
+$hostObject = new Host($db);
+
+/**
+ * Get the cache key for an agent
+ * @param int $agentId The agent ID
+ * @param string $suffix The suffix to append (_cache or _cache_time)
+ * @return string The cache key
+ */
+function getAgentCacheKey($agentId, $suffix) {
+    return "agent{$agentId}{$suffix}";
+}
+
+/**
+ * Check if cache is expired
+ * @param int $agentId The agent ID
+ * @return bool True if cache is expired or doesn't exist
+ */
+function isCacheExpired($agentId) {
+    $timeKey = getAgentCacheKey($agentId, SESSION_CACHE_TIME_SUFFIX);
+    if (!isset($_SESSION[$timeKey])) {
+        return true;
+    }
+    return (time() - $_SESSION[$timeKey]) > CACHE_EXPIRY_TIME;
+}
+
+// Handle POST request (saving to cache)
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+
+    // Apply rate limiting for adding new contacts
+    require '../app/includes/rate_limit_middleware.php';
+    checkRateLimit($db, 'contact', $userId);
+
+    // Validate agent ID for POST operations
+    if ($agentId === false || $agentId === null) {
+        Feedback::flash('ERROR', 'DEFAULT', 'Invalid agent ID format');
+        echo json_encode(['status' => 'error', 'message' => 'Invalid agent ID format']);
+        exit;
+    }
+
+    // Read and validate JSON data
+    $jsonData = file_get_contents("php://input");
+    if ($jsonData === false) {
+        Feedback::flash('ERROR', 'DEFAULT', 'Failed to read input data');
+        echo json_encode(['status' => 'error', 'message' => 'Failed to read input data']);
+        exit;
+    }
+
+    $data = json_decode($jsonData, true);
+
+    // Handle cache clearing
+    if ($data === null && !empty($agentId)) {
+        $cacheKey = getAgentCacheKey($agentId, SESSION_CACHE_SUFFIX);
+        $timeKey = getAgentCacheKey($agentId, SESSION_CACHE_TIME_SUFFIX);
+
+        unset($_SESSION[$cacheKey]);
+        unset($_SESSION[$timeKey]);
+
+        Feedback::flash('SUCCESS', 'DEFAULT', "Cache for agent {$agentId} is cleared.");
+        echo json_encode([
+            'status' => 'success',
+            'message' => "Cache for agent {$agentId} is cleared."
+        ]);
+    }
+    // Handle cache storing
+    elseif ($data) {
+        $cacheKey = getAgentCacheKey($agentId, SESSION_CACHE_SUFFIX);
+        $timeKey = getAgentCacheKey($agentId, SESSION_CACHE_TIME_SUFFIX);
+
+        $_SESSION[$cacheKey] = $data;
+        $_SESSION[$timeKey] = time();
+
+        Feedback::flash('SUCCESS', 'DEFAULT', "Cache for agent {$agentId} is stored.");
+        echo json_encode([
+            'status' => 'success',
+            'message' => "Cache for agent {$agentId} is stored."
+        ]);
+    }
+    else {
+        Feedback::flash('ERROR', 'DEFAULT', 'Invalid data format');
+        echo json_encode(['status' => 'error', 'message' => 'Invalid data format']);
+    }
+
+// Handle AJAX requests
+} elseif (isset($_GET['action'])) {
+    $action = $_GET['action'];
+    $agentId = filter_input(INPUT_GET, 'agent', FILTER_VALIDATE_INT);
+
+    if ($action === 'fetch') {
+        $response = ['status' => 'success', 'data' => $data];
+        echo json_encode($response);
+        exit;
+    }
+
+    if ($action === 'status') {
+        $response = ['status' => 'success', 'data' => $statusData];
+        echo json_encode($response);
+        exit;
+    }
+
+// Handle template display
+} else {
+
+    // Validate platform_id is set
+    if (!isset($platform_id)) {
+        Feedback::flash('ERROR', 'DEFAULT', 'Platform ID is not set');
+    }
+
+    // Get host details for this platform
+    $hostDetails = $hostObject->getHostDetails($platform_id);
+
+    // Group agents by host
+    $agentsByHost = [];
+    foreach ($hostDetails as $host) {
+        $hostId = $host['id'];
+        $agentsByHost[$hostId] = [
+            'host_name' => $host['name'],
+            'agents' => []
+        ];
+
+        // Get agents for this host
+        $hostAgents = $agentObject->getAgentDetails($hostId);
+        if ($hostAgents) {
+            $agentsByHost[$hostId]['agents'] = $hostAgents;
+        }
+
+        // Generate JWT tokens for each agent beforehand
+        $agentTokens = [];
+        foreach ($agentsByHost[$hostId]['agents'] as $agent) {
+            $payload = [
+                'iss' => 'Jilo Web',
+                'aud' => $config['domain'],
+                'iat' => time(),
+                'exp' => time() + 3600,
+                'agent_id' => $agent['id']
+            ];
+            $agentTokens[$agent['id']] = $agentObject->generateAgentToken($payload, $agent['secret_key']);
+        }
+
+        /**
+         * Now we have:
+         * $hostDetails - hosts in this platform
+         * $agentsByHost[$hostId]['agents'] - agents details by hostId
+         * $agentTokens[$agent['id']] - tokens for the agentsIds
+         */
+    }
+
+    // Get any new feedback messages
+    include '../app/helpers/feedback.php';
+
+    // Load the template
+    include '../app/templates/agents.php';
+}

app/pages/components.php

@@ -1,42 +1,78 @@
 <?php
 
-require_once '../app/classes/database.php';
-require '../app/classes/component.php';
+/**
+ * Components information
+ *
+ * This page ("components") retrieves and displays information about Jitsi components events.
+ * Allows filtering by component ID, name, or event name, and listing within a specified time range.
+ * Supports pagination.
+ */
 
 // connect to database
-require '../app/helpers/database.php';
-$db = connectDB($config, 'jilo', $platform_id);
+$response = connectJiloDB($config, $platformDetails[0]['jilo_database'], $platform_id);
+
+// if DB connection has error, display it and stop here
+if ($response['db'] === null) {
+    Feedback::flash('ERROR', 'DEFAULT', $response['error']);
+
+// otherwise if DB connection is OK, go on
+} else {
+    $db = $response['db'];
+
+    // Get current page for pagination
+    $currentPage = $_REQUEST['page_num'] ?? 1;
+    $currentPage = (int)$currentPage;
 
     // specify time range
     include '../app/helpers/time_range.php';
 
+    // Build params for pagination
+    $params = '';
+    if (!empty($_REQUEST['from_time'])) {
+        $params .= '&from_time=' . urlencode($_REQUEST['from_time']);
+    }
+    if (!empty($_REQUEST['until_time'])) {
+        $params .= '&until_time=' . urlencode($_REQUEST['until_time']);
+    }
+    if (!empty($_REQUEST['name'])) {
+        $params .= '&name=' . urlencode($_REQUEST['name']);
+    }
+    if (!empty($_REQUEST['id'])) {
+        $params .= '&id=' . urlencode($_REQUEST['id']);
+    }
+    if (isset($_REQUEST['event'])) {
+        $params .= '&event=' . urlencode($_REQUEST['event']);
+    }
+
+    // pagination variables
+    $items_per_page = 20;
+    $offset = ($currentPage -1) * $items_per_page;
+
     // jitsi component events list
     // we use $_REQUEST, so that both links and forms work
-if (isset($_REQUEST['name']) && $_REQUEST['name'] != '') {
-    $jitsi_component = "'" . $_REQUEST['name'] . "'";
-    $component_id = 'component_id';
-} elseif (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
-    $component_id = "'" . $_REQUEST['id'] . "'";
-    $jitsi_component = 'jitsi_component';
-} else {
-    // we need the variables to use them later in sql for columnname = columnname
-    $jitsi_component = 'jitsi_component';
-    $component_id = 'component_id';
-}
+    // if it's there, but empty, we make it same as the field name; otherwise assign the value
+    $jitsi_component = !empty($_REQUEST['name']) ? "'" . $_REQUEST['name'] . "'" : 'jitsi_component';
+    $component_id = !empty($_REQUEST['id']) ? "'" . $_REQUEST['id'] . "'" : 'component_id';
+    $event_type = !empty($_REQUEST['event']) ? "'" . $_REQUEST['event'] . "'" : 'event_type';
 
 
     //
     // Component events listings
     //
 
+    require '../app/classes/component.php';
+    $componentObject = new Component($db);
 
-// list of all component events (default)
-$component = new Component($db);
 
     // prepare the result
-$search = $component->jitsiComponents($jitsi_component, $component_id, $from_time, $until_time);
+    $search = $componentObject->jitsiComponents($jitsi_component, $component_id, $event_type, $from_time, $until_time, $offset, $items_per_page);
+    $search_all = $componentObject->jitsiComponents($jitsi_component, $component_id, $event_type, $from_time, $until_time);
 
     if (!empty($search)) {
+        // we get total items and number of pages
+        $item_count = count($search_all);
+        $totalPages = ceil($item_count / $items_per_page);
+
         $components = array();
         $components['records'] = array();
 
@@ -56,29 +92,18 @@ if (!empty($search)) {
         }
     }
 
-// prepare the widget
-$widget['full'] = false;
-$widget['name'] = 'AllComponents';
-$widget['collapsible'] = false;
-$widget['collapsed'] = false;
-$widget['filter'] = true;
-
-// widget title
+    // filter message
+    $filterMessage = array();
     if (isset($_REQUEST['name']) && $_REQUEST['name'] != '') {
-    $widget['title'] = 'Jitsi events for component&nbsp;<strong>' . $_REQUEST['name'] . '</strong>';
+        array_push($filterMessage, 'Jitsi events for component&nbsp;"<strong>' . $_REQUEST['name'] . '</strong>"');
     } elseif (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
-    $widget['title'] = 'Jitsi events for component ID&nbsp;<strong>' . $_REQUEST['id'] . '</strong>';
-} else {
-    $widget['title'] = 'Jitsi events for&nbsp;<strong>all components</strong>';
-}
-// widget records
-if (!empty($components['records'])) {
-    $widget['full'] = true;
-    $widget['table_headers'] = array_keys($components['records'][0]);
-    $widget['table_records'] = $components['records'];
+        array_push($filterMessage, 'Jitsi events for component ID&nbsp;"<strong>' . $_REQUEST['id'] . '</strong>"');
     }
 
+    // Get any new feedback messages
+    include '../app/helpers/feedback.php';
+
     // display the widget
-include('../app/templates/widget.php');
+    include '../app/templates/components.php';
 
-?>
+}

app/pages/conferences.php

@@ -1,18 +1,34 @@
 <?php
 
-require_once '../app/classes/database.php';
-require '../app/classes/conference.php';
+/**
+ * Conference information
+ *
+ * This page ("conferences") retrieves and displays information about conferences.
+ * Allows filtering by conference ID or name, and listing within a specified time range.
+ * Supports pagination.
+ */
 
 // connect to database
-require '../app/helpers/database.php';
-$db = connectDB($config, 'jilo', $platform_id);
+$response = connectJiloDB($config, $platformDetails[0]['jilo_database'], $platform_id);
+
+// if DB connection has error, display it and stop here
+if ($response['db'] === null) {
+    Feedback::flash('ERROR', 'DEFAULT', $response['error']);
+
+// otherwise if DB connection is OK, go on
+} else {
+    $db = $response['db'];
 
     // specify time range
     include '../app/helpers/time_range.php';
 
     // conference id/name are specified when searching specific conference(s)
-// either id OR name, id has precedence
     // we use $_REQUEST, so that both links and forms work
+    // if it's there, but empty, we make it same as the field name; otherwise assign the value
+
+    //$conferenceName = !empty($_REQUEST['name']) ? "'" . $_REQUEST['name'] . "'" : 'conference_name';
+    //$conferenceId = !empty($_REQUEST['id']) ? "'" . $_REQUEST['id'] . "'" : 'conference_id';
+
     if (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
         $conferenceId = $_REQUEST['id'];
         unset($_REQUEST['name']);
@@ -30,21 +46,51 @@ if (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
     // Conference listings
     //
 
+    require '../app/classes/conference.php';
+    $conferenceObject = new Conference($db);
 
-$conference = new Conference($db);
+    // get current page for pagination
+    $currentPage = $_REQUEST['page_num'] ?? 1;
+    $currentPage = (int)$currentPage;
+
+    // pagination variables
+    $items_per_page = 20;
+    $offset = ($currentPage -1) * $items_per_page;
+
+    // Build params for pagination
+    $params = '';
+    if (!empty($_REQUEST['from_time'])) {
+        $params .= '&from_time=' . urlencode($_REQUEST['from_time']);
+    }
+    if (!empty($_REQUEST['until_time'])) {
+        $params .= '&until_time=' . urlencode($_REQUEST['until_time']);
+    }
+    if (!empty($_REQUEST['name'])) {
+        $params .= '&name=' . urlencode($_REQUEST['name']);
+    }
+    if (!empty($_REQUEST['id'])) {
+        $params .= '&id=' . urlencode($_REQUEST['id']);
+    }
 
     // search and list specific conference ID
     if (isset($conferenceId)) {
-    $search = $conference->conferenceById($conferenceId, $from_time, $until_time);
+        $search = $conferenceObject->conferenceById($conferenceId, $from_time, $until_time, $offset, $items_per_page);
+        $search_all = $conferenceObject->conferenceById($conferenceId, $from_time, $until_time);
     // search and list specific conference name
     } elseif (isset($conferenceName)) {
-    $search = $conference->conferenceByName($conferenceName, $from_time, $until_time);
+        $search = $conferenceObject->conferenceByName($conferenceName, $from_time, $until_time, $offset, $items_per_page);
+        $search_all = $conferenceObject->conferenceByName($conferenceName, $from_time, $until_time);
     // list of all conferences (default)
     } else {
-    $search = $conference->conferencesAllFormatted($from_time, $until_time);
+        $search = $conferenceObject->conferencesAllFormatted($from_time, $until_time, $offset, $items_per_page);
+        $search_all = $conferenceObject->conferencesAllFormatted($from_time, $until_time);
     }
 
     if (!empty($search)) {
+        // we get total items and number of pages
+        $item_count = count($search_all);
+        $totalPages = ceil($item_count / $items_per_page);
+
         $conferences = array();
         $conferences['records'] = array();
 
@@ -105,29 +151,18 @@ if (!empty($search)) {
         }
     }
 
-// prepare the widget
-$widget['full'] = false;
-$widget['name'] = 'Conferences';
-$widget['collapsible'] = false;
-$widget['collapsed'] = false;
-$widget['filter'] = true;
-
-// widget title
+    // filter message
+    $filterMessage = array();
     if (isset($_REQUEST['name']) && $_REQUEST['name'] != '') {
-    $widget['title'] = 'Conferences with name matching "<strong>' . $_REQUEST['name'] . '"</strong>';
+        array_push($filterMessage, 'Conferences with name matching "<strong>' . $_REQUEST['name'] . '</strong>"');
     } elseif (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
-    $widget['title'] = 'Conference with ID "<strong>' . $_REQUEST['id'] . '"</strong>';
-} else {
-    $widget['title'] = 'All conferences';
-}
-// widget records
-if (!empty($conferences['records'])) {
-    $widget['full'] = true;
-    $widget['table_headers'] = array_keys($conferences['records'][0]);
-    $widget['table_records'] = $conferences['records'];
+        array_push($filterMessage, 'Conference with ID "<strong>' . $_REQUEST['id'] . '</strong>"');
     }
 
+    // Get any new feedback messages
+    include '../app/helpers/feedback.php';
+
     // display the widget
-include('../app/templates/widget.php');
+    include '../app/templates/conferences.php';
 
-?>
+}

app/pages/config.php

@@ -1,140 +1,124 @@
 <?php
 
-$action = $_REQUEST['action'] ?? '';
-require_once '../app/classes/config.php';
-require '../app/helpers/errors.php';
-require '../app/helpers/config.php';
+/**
+ * Config management.
+ *
+ * This page handles the config file.
+ */
 
-$configure = new Config();
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
 
-// if a form is submitted, it's from the edit page
-if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+require '../app/classes/config.php';
+require '../app/classes/api_response.php';
 
-    // load the config file and initialize a copy
-    $content = file_get_contents($config_file);
-    $updatedContent = $content;
+// Initialize required objects
+$userObject = new User($db);
+$configObject = new Config();
 
-    // new platform adding
-    if (isset($_POST['new']) && $_POST['new'] === 'true') {
-        $newPlatform = [
-            'name'		=> $_POST['name'],
-            'jitsi_url'		=> $_POST['jitsi_url'],
-            'jilo_database'	=> $_POST['jilo_database'],
-        ];
+// For AJAX requests
+$isAjax = !empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
+          strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
 
-        // Determine the next available index for the new platform
-        $nextIndex = count($config['platforms']);
+// Set JSON content type for AJAX requests
+if ($isAjax) {
+    header('Content-Type: application/json');
+}
 
-        // Add the new platform to the platforms array
-        $config['platforms'][$nextIndex] = $newPlatform;
-
-        // Rebuild the PHP array syntax for the platforms
-        $platformsArray = formatArray($config['platforms']);
-
-        // Replace the platforms section in the config file
-        $updatedContent = preg_replace(
-            '/\'platforms\'\s*=>\s*\[[\s\S]+?\],/s',
-            "'platforms' => {$platformsArray}",
-            $content
-        );
-        $updatedContent = preg_replace('/\s*\]\n/s', "\n", $updatedContent);
-
-    // deleting a platform
-    } elseif (isset($_POST['delete']) && $_POST['delete'] === 'true') {
-        $platform = $_POST['platform'];
-
-        $config['platforms'][$platform]['name'] = $_POST['name'];
-        $config['platforms'][$platform]['jitsi_url'] = $_POST['jitsi_url'];
-        $config['platforms'][$platform]['jilo_database'] = $_POST['jilo_database'];
-
-        $platformsArray = formatArray($config['platforms'][$platform], 3);
-
-        $updatedContent = preg_replace(
-            "/\s*'$platform'\s*=>\s*\[\s*'name'\s*=>\s*'[^']*',\s*'jitsi_url'\s*=>\s*'[^']*,\s*'jilo_database'\s*=>\s*'[^']*',\s*\],/s",
-            "",
-            $content
-        );
-
-
-    // an update to an existing platform
+// Ensure config file path is set
+if (!isset($config_file) || empty($config_file)) {
+    if ($isAjax) {
+        ApiResponse::error('Config file path not set');
+        exit;
     } else {
-
-        $platform = $_POST['platform'];
-
-        $config['platforms'][$platform]['name'] = $_POST['name'];
-        $config['platforms'][$platform]['jitsi_url'] = $_POST['jitsi_url'];
-        $config['platforms'][$platform]['jilo_database'] = $_POST['jilo_database'];
-
-        $platformsArray = formatArray($config['platforms'][$platform], 3);
-
-        $updatedContent = preg_replace(
-            "/\s*'$platform'\s*=>\s*\[\s*'name'\s*=>\s*'[^']*',\s*'jitsi_url'\s*=>\s*'[^']*',\s*'jilo_database'\s*=>\s*'[^']*',\s*\],/s",
-            "\n        '{$platform}' => {$platformsArray},",
-            $content
-        );
-
+        Feedback::flash('ERROR', 'DEFAULT', 'Config file path not set');
+        header('Location: ' . htmlspecialchars($app_root));
+        exit;
+    }
 }
 
-
-
-    // check if file is writable
-    if (!is_writable($config_file)) {
-        $_SESSION['error'] = getError('Configuration file is not writable.');
-        header("Location: $app_root?platform=$platform_id&page=config");
-        exit();
+// Check if file is writable
+$isWritable = is_writable($config_file);
+$configMessage = '';
+if (!$isWritable) {
+    $configMessage = Feedback::render('ERROR', 'DEFAULT', 'Config file is not writable', false);
+    if ($isAjax) {
+        ApiResponse::error('Config file is not writable', null, 403);
+        exit;
+    }
 }
 
-    // try to update the config file
-    if (file_put_contents($config_file, $updatedContent) !== false) {
-        // update successful
-        $_SESSION['notice'] = "Configuration for {$_POST['name']} is updated.";
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    // Check if user has permission to edit config
+    if (!$userObject->hasRight($userId, 'edit config file')) {
+        $logObject->log('error', "Unauthorized: User \"$currentUser\" tried to edit config file. IP: $user_IP", ['user_id' => $userId, 'scope' => 'system']);
+        if ($isAjax) {
+            ApiResponse::error('Forbidden: You do not have permission to edit the config file', null, 403);
+            exit;
         } else {
-        // unsuccessful
-        $error = error_get_last();
-        $_SESSION['error'] = getError('Error updating the config: ' . ($error['message'] ?? 'unknown error'));
+            include '../app/templates/error-unauthorized.php';
+            exit;
+        }
     }
 
-// FIXME the new file is not loaded on first page load
-    unset($config);
-    header("Location: $app_root?platform=$platform_id&page=config");
-    exit();
+    // Apply rate limiting
+    require '../app/includes/rate_limit_middleware.php';
+    checkRateLimit($db, 'config', $userId);
 
-// no form submitted, show the templates
+    // Ensure no output before this point
+    ob_clean();
+
+    // For AJAX requests, get JSON data
+    if ($isAjax) {
+        // Get raw input
+        $jsonData = file_get_contents('php://input');
+        if ($jsonData === false) {
+            $logObject->log('error', "Failed to read request data for config update", ['user_id' => $userId, 'scope' => 'system']);
+            ApiResponse::error('Failed to read request data');
+            exit;
+        }
+
+        // Try to parse JSON
+        $postData = json_decode($jsonData, true);
+        if (json_last_error() !== JSON_ERROR_NONE) {
+            $error = json_last_error_msg();
+            ApiResponse::error('Invalid JSON data received: ' . $error);
+            exit;
+        }
+
+        // Try to update config file
+        $result = $configObject->editConfigFile($postData, $config_file);
+        if ($result['success']) {
+            ApiResponse::success($result['updated'], 'Config file updated successfully');
         } else {
-
-    // $item - config.js and interface_config.js are special case; remote loaded files
-    switch ($item) {
-        case 'configjs':
-            $mode = $_REQUEST['mode'] ?? '';
-            $raw = ($mode === 'raw');
-            $platformDetails = $configure->getPlatformDetails($config, $platform_id);
-            $platformConfigjs = $configure->getPlatformConfigjs($platformDetails, $raw);
-            include('../app/templates/config-list-configjs.php');
-            break;
-        case 'interfaceconfigjs':
-            $mode = $_REQUEST['mode'] ?? '';
-            $raw = ($mode === 'raw');
-            $platformDetails = $configure->getPlatformDetails($config, $platform_id);
-            $platformInterfaceConfigjs = $configure->getPlatformInterfaceConfigjs($platformDetails, $raw);
-            include('../app/templates/config-list-interfaceconfigjs.php');
-            break;
-
-    // if there is no $item, we work on the local config file
-        default:
-            switch ($action) {
-                case 'add':
-                    include('../app/templates/config-add-platform.php');
-                    break;
-                case 'edit':
-                    include('../app/templates/config-edit-platform.php');
-                    break;
-                case 'delete':
-                    include('../app/templates/config-delete-platform.php');
-                    break;
-                default:
-                    include('../app/templates/config-list.php');
+            ApiResponse::error($result['error']);
         }
+        exit;
+    } else {
+        // Handle non-AJAX POST
+        $result = $configObject->editConfigFile($_POST, $config_file);
+        if ($result['success']) {
+            Feedback::flash('NOTICE', 'DEFAULT', 'Config file updated successfully', true);
+        } else {
+            Feedback::flash('ERROR', 'DEFAULT', "Error updating config file: " . $result['error'], true);
+        }
+
+        header('Location: ' . htmlspecialchars($app_root) . '?page=config');
+        exit;
     }
 }
 
-?>
+// Only include template for non-AJAX requests
+if (!$isAjax) {
+    /**
+     * Handles GET requests to display templates.
+     */
+
+    if ($userObject->hasRight($userId, 'superuser') ||
+      $userObject->hasRight($userId, 'view config file')) {
+        include '../app/templates/config.php';
+    } else {
+        $logObject->log('error', "Unauthorized: User \"$currentUser\" tried to access \"config\" page. IP: $user_IP", ['user_id' => $userId, 'scope' => 'system']);
+        include '../app/templates/error-unauthorized.php';
+    }
+}

app/pages/credentials.php

@@ -0,0 +1,167 @@
+<?php
+
+/**
+ * User credentials management
+ *
+ * This page ("credentials") handles all credential-related actions including:
+ * - Two-factor authentication (2FA) setup, verification, and management
+ * - Password changes and resets
+ *
+ * Actions handled:
+ * - `setup`: Initial 2FA setup and verification
+ * - `verify`: Verify 2FA codes during login
+ * - `disable`: Disable 2FA
+ * - `password`: Change password
+ */
+
+// Initialize user object
+$userObject = new User($db);
+
+// Get action and item from request
+$action = $_REQUEST['action'] ?? '';
+$item = $_REQUEST['item'] ?? '';
+
+// if a form is submitted
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+    // Validate CSRF token
+    $security->verifyCsrfToken($_POST['csrf_token'] ?? '');
+    if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
+        Feedback::flash('ERROR', 'DEFAULT', 'Invalid security token. Please try again.');
+        header("Location: $app_root?page=credentials");
+        exit();
+    }
+
+    // Apply rate limiting
+    require_once '../app/includes/rate_limit_middleware.php';
+    checkRateLimit($db, 'credentials', $userId);
+
+    switch ($item) {
+        case '2fa':
+            switch ($action) {
+                case 'setup':
+                    // Validate the setup code
+                    $code = $_POST['code'] ?? '';
+                    $secret = $_POST['secret'] ?? '';
+
+                    if ($userObject->enableTwoFactor($userId, $secret, $code)) {
+                        Feedback::flash('NOTICE', 'DEFAULT', 'Two-factor authentication has been enabled successfully.');
+                        header("Location: $app_root?page=credentials");
+                        exit();
+                    } else {
+                        // Only show error if code was actually submitted
+                        if ($code !== '') {
+                            Feedback::flash('ERROR', 'DEFAULT', 'Invalid verification code. Please try again.');
+                        }
+                        header("Location: $app_root?page=credentials&action=setup");
+                        exit();
+                    }
+                    break;
+
+                case 'verify':
+                    // This is a user-initiated verification
+                    $code = $_POST['code'] ?? '';
+                    if ($userObject->verifyTwoFactor($userId, $code)) {
+                        $_SESSION['2fa_verified'] = true;
+                        header("Location: $app_root?page=dashboard");
+                        exit();
+                    } else {
+                        Feedback::flash('ERROR', 'DEFAULT', 'Invalid verification code. Please try again.');
+                        header("Location: $app_root?page=credentials&action=verify");
+                        exit();
+                    }
+                    break;
+
+                case 'disable':
+                    if ($userObject->disableTwoFactor($userId)) {
+                        Feedback::flash('NOTICE', 'DEFAULT', 'Two-factor authentication has been disabled.');
+                    } else {
+                        Feedback::flash('ERROR', 'DEFAULT', 'Failed to disable two-factor authentication.');
+                    }
+                    header("Location: $app_root?page=credentials");
+                    exit();
+                    break;
+            }
+            break;
+
+        case 'password':
+            require_once '../app/classes/validator.php';
+
+            $validator = new Validator($_POST);
+            $rules = [
+                'current_password' => [
+                    'required' => true
+                ],
+                'new_password' => [
+                    'required' => true,
+                    'min' => 8
+                ],
+                'confirm_password' => [
+                    'required' => true,
+                    'matches' => 'new_password'
+                ]
+            ];
+
+            if (!$validator->validate($rules)) {
+                Feedback::flash('ERROR', 'DEFAULT', $validator->getFirstError());
+                header("Location: $app_root?page=credentials");
+                exit();
+            }
+
+            if ($userObject->changePassword($userId, $_POST['current_password'], $_POST['new_password'])) {
+                Feedback::flash('NOTICE', 'DEFAULT', 'Password has been changed successfully.');
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', 'Failed to change password. Please verify your current password.');
+            }
+            header("Location: $app_root?page=credentials");
+            exit();
+            break;
+    }
+
+// no form submitted, show the templates
+} else {
+    // Get user timezone for templates
+    $userTimezone = !empty($userDetails[0]['timezone']) ? $userDetails[0]['timezone'] : 'UTC';
+
+    // Generate CSRF token if not exists
+    require_once '../app/helpers/security.php';
+    $security = SecurityHelper::getInstance();
+    $security->generateCsrfToken();
+
+    // Get 2FA status for the template
+    $has2fa = $userObject->isTwoFactorEnabled($userId);
+
+    switch ($action) {
+        case 'setup':
+            if (!$has2fa) {
+                $result = $userObject->enableTwoFactor($userId);
+                if ($result['success']) {
+                    $setupData = $result['data'];
+                } else {
+                    Feedback::flash('ERROR', 'DEFAULT', $result['message'] ?? 'Failed to generate 2FA setup data');
+                    header("Location: $app_root?page=credentials");
+                    exit();
+                }
+            }
+            // Get any new feedback messages
+            include '../app/helpers/feedback.php';
+
+            // Load the 2FA setup template
+            include '../app/templates/credentials-2fa-setup.php';
+            break;
+
+        case 'verify':
+            // Get any new feedback messages
+            include '../app/helpers/feedback.php';
+
+            // Load the 2FA verification template
+            include '../app/templates/credentials-2fa-verify.php';
+            break;
+
+        default:
+            // Get any new feedback messages
+            include '../app/helpers/feedback.php';
+
+            // Load the combined management template
+            include '../app/templates/credentials-manage.php';
+    }
+}

app/pages/dashboard.php

@@ -0,0 +1,229 @@
+<?php
+
+/**
+ * Main dashboard file for displaying conference statistics.
+ *
+ * This page ("dashboard") connects to the database and displays various widgets:
+ * 1. Monthly statistics for the past year.
+ * 2. Conferences from the last 2 days.
+ * 3. The most recent 10 conferences.
+ */
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+require '../app/classes/conference.php';
+require '../app/classes/participant.php';
+
+// connect to database
+$response = connectJiloDB($config, $platformDetails[0]['jilo_database'], $platform_id);
+
+// if DB connection has error, display it and stop here
+if ($response['db'] === null) {
+    Feedback::flash('ERROR', 'DEFAULT', $response['error']);
+
+// otherwise if DB connection is OK, go on
+} else {
+    $db = $response['db'];
+
+    $conferenceObject = new Conference($db);
+    $participantObject = new Participant($db);
+
+
+    /**
+     * Monthly usage statistics for the last year.
+     *
+     * Retrieves conference and participant numbers for each month within the past year.
+     */
+
+    // monthly conferences for the last year
+    $fromMonth = (new DateTime())->sub(new DateInterval('P1Y'));
+    $fromMonth->modify('first day of this month');
+    $thisMonth = new DateTime();
+    $from_time = $fromMonth->format('Y-m-d');
+    $until_time = $thisMonth->format('Y-m-d');
+
+    $widget['records'] = array();
+
+    // loop 1 year in the past
+    $i = 0;
+    while ($fromMonth < $thisMonth) {
+
+        $untilMonth = clone $fromMonth;
+        $untilMonth->modify('last day of this month');
+
+        $from_time = $fromMonth->format('Y-m-d');
+        $until_time = $untilMonth->format('Y-m-d');
+
+        $searchConferenceNumber = $conferenceObject->conferenceNumber($from_time, $until_time);
+        $searchParticipantNumber = $participantObject->participantNumber($from_time, $until_time);
+
+        // pretty format for displaying the month in the widget
+        $month = $fromMonth->format('F Y');
+
+        // populate the records
+        $widget['records'][$i] = array(
+            'from_time'	=> $from_time,
+            'until_time'	=> $until_time,
+            'table_headers'	=> $month,
+            'conferences'	=> $searchConferenceNumber[0]['conferences'],
+            'participants'	=> $searchParticipantNumber[0]['participants'],
+        );
+
+        // move everything one month in future
+        $untilMonth->add(new DateInterval('P1M'));
+        $fromMonth->add(new DateInterval('P1M'));
+        $i++;
+    }
+
+    $time_range_specified = true;
+
+    // prepare the widget
+    $widget['full'] = false;
+    $widget['name'] = 'LastYearMonths';
+    $widget['title'] = 'Conferences monthly stats for the last year';
+    $widget['collapsible'] = true;
+    $widget['collapsed'] = false;
+    $widget['filter'] = false;
+    if (!empty($searchConferenceNumber) && !empty($searchParticipantNumber)) {
+        $widget['full'] = true;
+    }
+    $widget['pagination'] = false;
+
+
+    // display the widget
+    include '../app/templates/widget-monthly.php';
+
+
+    /**
+     * Conferences in the last 2 days.
+     *
+     * Displays a summary of all conferences held in the past 48 hours.
+     */
+
+    // time range limit
+    $from_time = date('Y-m-d', time() - 60 * 60 * 24 * 2);
+    $until_time = date('Y-m-d', time());
+    $time_range_specified = true;
+
+    // prepare the result
+    $search = $conferenceObject->conferencesAllFormatted($from_time, $until_time);
+
+    if (!empty($search)) {
+        $conferences = array();
+        $conferences['records'] = array();
+
+        foreach ($search as $item) {
+            extract($item);
+
+            // we don't have duration field, so we calculate it
+            if (!empty($start) && !empty($end)) {
+                $duration = gmdate("H:i:s", abs(strtotime($end) - strtotime($start)));
+            } else {
+                $duration = '';
+            }
+            $conference_record = array(
+                // assign title to the field in the array record
+                'component'		=> $jitsi_component,
+                'start'			=> $start,
+                'end'			=> $end,
+                'duration'		=> $duration,
+                'conference ID'		=> $conference_id,
+                'conference name'	=> $conference_name,
+                'participants'		=> $participants,
+                'name count'		=> $name_count,
+                'conference host'	=> $conference_host
+            );
+            // populate the result array
+            array_push($conferences['records'], $conference_record);
+        }
+    }
+
+    // prepare the widget
+    $widget['full'] = false;
+    $widget['name'] = 'LastDays';
+    $widget['title'] = 'Conferences for the last 2 days';
+    $widget['collapsible'] = true;
+    $widget['collapsed'] = false;
+    $widget['filter'] = false;
+    if (!empty($conferences['records'])) {
+        $widget['full'] = true;
+        $widget['table_headers'] = array_keys($conferences['records'][0]);
+        $widget['table_records'] = $conferences['records'];
+    }
+    $widget['pagination'] = false;
+
+    // display the widget
+    include '../app/templates/widget.php';
+
+
+    /**
+     * Last 10 conferences.
+     *
+     * Displays the 10 most recent conferences in the database.
+     */
+
+    // all time
+    $from_time = '0000-01-01';
+    $until_time = '9999-12-31';
+    $time_range_specified = false;
+    // number of conferences to show
+    $conference_number = 10;
+
+    // prepare the result
+    $search = $conferenceObject->conferencesAllFormatted($from_time, $until_time);
+
+    if (!empty($search)) {
+        $conferences = array();
+        $conferences['records'] = array();
+
+        $i = 0;
+        foreach ($search as $item) {
+            extract($item);
+
+            // we don't have duration field, so we calculate it
+            if (!empty($start) && !empty($end)) {
+                $duration = gmdate("H:i:s", abs(strtotime($end) - strtotime($start)));
+            } else {
+                $duration = '';
+            }
+            $conference_record = array(
+                // assign title to the field in the array record
+                'component'		=> $jitsi_component,
+                'start'			=> $start,
+                'end'			=> $end,
+                'duration'		=> $duration,
+                'conference ID'		=> $conference_id,
+                'conference name'	=> $conference_name,
+                'participants'		=> $participants,
+                'name count'		=> $name_count,
+                'conference host'	=> $conference_host
+            );
+            // populate the result array
+            array_push($conferences['records'], $conference_record);
+
+            // we only take the first 10 results
+            $i++;
+            if ($i == 10) break;
+        }
+    }
+
+    // prepare the widget
+    $widget['full'] = false;
+    $widget['name'] = 'LastConferences';
+    $widget['title'] = 'The last ' . $conference_number . ' conferences';
+    $widget['collapsible'] = true;
+    $widget['collapsed'] = false;
+    $widget['filter'] = false;
+    $widget['pagination'] = false;
+
+    if (!empty($conferences['records'])) {
+        $widget['full'] = true;
+        $widget['table_headers'] = array_keys($conferences['records'][0]);
+        $widget['table_records'] = $conferences['records'];
+    }
+
+    // display the widget
+    include '../app/templates/widget.php';
+
+}

app/pages/front.php

@@ -1,204 +0,0 @@
-<?php
-
-require_once '../app/classes/database.php';
-require '../app/classes/conference.php';
-require '../app/classes/participant.php';
-
-// connect to database
-require '../app/helpers/database.php';
-$db = connectDB($config, 'jilo', $platform_id);
-
-
-//
-// dashboard widget listings
-//
-
-
-////
-// monthly usage
-$conference = new Conference($db);
-$participant = new Participant($db);
-
-// monthly conferences for the last year
-$fromMonth = (new DateTime())->sub(new DateInterval('P1Y'));
-$fromMonth->modify('first day of this month');
-$thisMonth = new DateTime();
-$from_time = $fromMonth->format('Y-m-d');
-$until_time = $thisMonth->format('Y-m-d');
-
-$widget['records'] = array();
-
-// loop 1 year in the past
-$i = 0;
-while ($fromMonth < $thisMonth) {
-
-    $untilMonth = clone $fromMonth;
-    $untilMonth->modify('last day of this month');
-
-    $from_time = $fromMonth->format('Y-m-d');
-    $until_time = $untilMonth->format('Y-m-d');
-
-    $searchConferenceNumber = $conference->conferenceNumber($from_time, $until_time);
-    $searchParticipantNumber = $participant->participantNumber($from_time, $until_time);
-
-    // pretty format for displaying the month in the widget
-    $month = $fromMonth->format('F Y');
-
-    // populate the records
-    $widget['records'][$i] = array(
-        'from_time'	=> $from_time,
-        'until_time'	=> $until_time,
-        'table_headers'	=> $month,
-        'conferences'	=> $searchConferenceNumber[0]['conferences'],
-        'participants'	=> $searchParticipantNumber[0]['participants'],
-    );
-
-    // move everything one month in future
-    $untilMonth->add(new DateInterval('P1M'));
-    $fromMonth->add(new DateInterval('P1M'));
-    $i++;
-}
-
-$time_range_specified = true;
-
-// prepare the widget
-$widget['full'] = false;
-$widget['name'] = 'LastYearMonths';
-$widget['title'] = 'Conferences monthly stats for the last year';
-$widget['collapsible'] = true;
-$widget['collapsed'] = false;
-$widget['filter'] = false;
-if (!empty($searchConferenceNumber) && !empty($searchParticipantNumber)) {
-    $widget['full'] = true;
-}
-
-// display the widget
-include('../app/templates/widget-monthly.php');
-
-
-////
-// conferences in last 2 days
-$conference = new Conference($db);
-
-// time range limit
-$from_time = date('Y-m-d', time() - 60 * 60 * 24 * 2);
-$until_time = date('Y-m-d', time());
-$time_range_specified = true;
-
-// prepare the result
-$search = $conference->conferencesAllFormatted($from_time, $until_time);
-
-if (!empty($search)) {
-    $conferences = array();
-    $conferences['records'] = array();
-
-    foreach ($search as $item) {
-        extract($item);
-
-        // we don't have duration field, so we calculate it
-        if (!empty($start) && !empty($end)) {
-            $duration = gmdate("H:i:s", abs(strtotime($end) - strtotime($start)));
-        } else {
-            $duration = '';
-        }
-        $conference_record = array(
-            // assign title to the field in the array record
-            'component'		=> $jitsi_component,
-            'start'			=> $start,
-            'end'			=> $end,
-            'duration'		=> $duration,
-            'conference ID'		=> $conference_id,
-            'conference name'	=> $conference_name,
-            'participants'		=> $participants,
-            'name count'		=> $name_count,
-            'conference host'	=> $conference_host
-        );
-        // populate the result array
-        array_push($conferences['records'], $conference_record);
-    }
-}
-
-// prepare the widget
-$widget['full'] = false;
-$widget['name'] = 'LastDays';
-$widget['title'] = 'Conferences for the last 2 days';
-$widget['collapsible'] = true;
-$widget['collapsed'] = false;
-$widget['filter'] = false;
-if (!empty($conferences['records'])) {
-    $widget['full'] = true;
-    $widget['table_headers'] = array_keys($conferences['records'][0]);
-    $widget['table_records'] = $conferences['records'];
-}
-
-// display the widget
-include('../app/templates/widget.php');
-
-
-////
-// last 10 conferences
-$conference = new Conference($db);
-
-// all time
-$from_time = '0000-01-01';
-$until_time = '9999-12-31';
-$time_range_specified = false;
-// number of conferences to show
-$conference_number = 10;
-
-// prepare the result
-$search = $conference->conferencesAllFormatted($from_time, $until_time);
-
-if (!empty($search)) {
-    $conferences = array();
-    $conferences['records'] = array();
-
-    $i = 0;
-    foreach ($search as $item) {
-        extract($item);
-
-        // we don't have duration field, so we calculate it
-        if (!empty($start) && !empty($end)) {
-            $duration = gmdate("H:i:s", abs(strtotime($end) - strtotime($start)));
-        } else {
-            $duration = '';
-        }
-        $conference_record = array(
-            // assign title to the field in the array record
-            'component'		=> $jitsi_component,
-            'start'			=> $start,
-            'end'			=> $end,
-            'duration'		=> $duration,
-            'conference ID'		=> $conference_id,
-            'conference name'	=> $conference_name,
-            'participants'		=> $participants,
-            'name count'		=> $name_count,
-            'conference host'	=> $conference_host
-        );
-        // populate the result array
-        array_push($conferences['records'], $conference_record);
-
-        // we only take the first 10 results
-        $i++;
-        if ($i == 10) break;
-    }
-}
-
-// prepare the widget
-$widget['full'] = false;
-$widget['name'] = 'LastConferences';
-$widget['title'] = 'The last ' . $conference_number . ' conferences';
-$widget['collapsible'] = true;
-$widget['collapsed'] = false;
-$widget['filter'] = false;
-
-if (!empty($conferences['records'])) {
-    $widget['full'] = true;
-    $widget['table_headers'] = array_keys($conferences['records'][0]);
-    $widget['table_records'] = $conferences['records'];
-}
-
-// display the widget
-include('../app/templates/widget.php');
-
-?>

app/pages/graphs.php

@@ -0,0 +1,91 @@
+<?php
+
+$action = $_REQUEST['action'] ?? '';
+$agent = $_REQUEST['agent'] ?? '';
+
+require '../app/classes/agent.php';
+require '../app/classes/conference.php';
+require '../app/classes/host.php';
+
+$agentObject = new Agent($db);
+$hostObject = new Host($db);
+
+// Connect to Jilo database for log data
+$response = connectJiloDB($config, $platformDetails[0]['jilo_database'], $platform_id);
+if ($response['db'] === null) {
+    Feedback::flash('ERROR', 'DEFAULT', $response['error']);
+} else {
+    $db = $response['db'];
+}
+$conferenceObject = new Conference($db);
+
+// Get date range for the last 7 days
+$from_time = date('Y-m-d', strtotime('-7 days'));
+$until_time = date('Y-m-d');
+
+// Define graphs to show
+$graphs = [
+    [
+        'graph_name' => 'conferences',
+        'graph_title' => 'Conferences in "' . htmlspecialchars($platformDetails[0]['name']) . '" over time',
+        'datasets' => []
+    ],
+    [
+        'graph_name' => 'participants',
+        'graph_title' => 'Participants in "' . htmlspecialchars($platformDetails[0]['name']) . '" over time',
+        'datasets' => []
+    ]
+];
+
+// Get Jitsi API data
+$conferences_api = $agentObject->getHistoricalData(
+    $platform_id, 
+    'jicofo',
+    'conferences',
+    $from_time,
+    $until_time
+);
+$graphs[0]['datasets'][] = [
+    'data' => $conferences_api,
+    'label' => 'Conferences from Jitsi API',
+    'color' => 'rgba(75, 192, 192, 1)'
+];
+
+// Get conference data from logs
+$conferences_logs = $conferenceObject->conferenceNumber(
+    $from_time,
+    $until_time
+);
+$graphs[0]['datasets'][] = [
+    'data' => $conferences_logs,
+    'label' => 'Conferences from Logs',
+    'color' => 'rgba(255, 99, 132, 1)'
+];
+
+// Get participants data
+$participants_api = $agentObject->getHistoricalData(
+    $platform_id, 
+    'jicofo',
+    'participants',
+    $from_time,
+    $until_time
+);
+$graphs[1]['datasets'][] = [
+    'data' => $participants_api,
+    'label' => 'Participants from Jitsi API',
+    'color' => 'rgba(75, 192, 192, 1)'
+];
+
+// Prepare data for template
+$graph = $graphs;
+
+// prepare the widget
+$widget['full'] = false;
+$widget['name'] = 'Graphs';
+$widget['title'] = 'Jitsi graphs';
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+// Load the template
+include '../app/templates/graphs.php';

app/pages/help.php

@@ -0,0 +1,6 @@
+<?php
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+include '../app/templates/help.php';

app/pages/latest.php

@@ -0,0 +1,106 @@
+<?php
+
+require '../app/classes/agent.php';
+require '../app/classes/host.php';
+
+$agentObject = new Agent($db);
+$hostObject = new Host($db);
+
+// Define metrics to display
+$metrics = [
+    'Basic stats' => [
+        'conferences' => ['label' => 'Current conferences', 'link' => 'conferences'],
+        'participants' => ['label' => 'Current participants', 'link' => 'participants'],
+        'total_conferences_created' => ['label' => 'Total conferences created'],
+        'total_participants' => ['label' => 'Total participants']
+    ],
+    'Bridge stats' => [
+        'bridge_selector.bridge_count' => ['label' => 'Bridge count'],
+        'bridge_selector.operational_bridge_count' => ['label' => 'Operational bridges'],
+        'bridge_selector.in_shutdown_bridge_count' => ['label' => 'Bridges in shutdown']
+    ],
+    'Jibri stats' => [
+        'jibri_detector.count' => ['label' => 'Jibri count'],
+        'jibri_detector.available' => ['label' => 'Jibri idle'],
+        'jibri.live_streaming_active' => ['label' => 'Jibri active streaming'],
+        'jibri.recording_active' => ['label' => 'Jibri active recording'],
+    ],
+    'System stats' => [
+        'threads' => ['label' => 'Threads'],
+        'stress_level' => ['label' => 'Stress level'],
+        'version' => ['label' => 'Version']
+    ]
+];
+
+// Get all hosts for this platform
+$hosts = $hostObject->getHostDetails($platform_id);
+$hostsData = [];
+
+// For each host, get its agents and their metrics
+foreach ($hosts as $host) {
+    $hostData = [
+        'id' => $host['id'],
+        'name' => $host['name'] ?: $host['address'],
+        'address' => $host['address'],
+        'agents' => []
+    ];
+
+    // Get agents for this host
+    $hostAgents = $agentObject->getAgentDetails($host['id']);
+    foreach ($hostAgents as $agent) {
+        $agentData = [
+            'id' => $agent['id'],
+            'type' => $agent['agent_description'],
+            'name' => strtoupper($agent['agent_description']),
+            'metrics' => [],
+            'timestamp' => null
+        ];
+
+        // Fetch all metrics for this agent
+        foreach ($metrics as $section => $section_metrics) {
+            foreach ($section_metrics as $metric => $metricConfig) {
+                // Get latest data
+                $latestData = $agentObject->getLatestData($host['id'], $agent['agent_description'], $metric);
+
+                if ($latestData !== null) {
+                    // Get the previous record
+                    $previousData = $agentObject->getPreviousRecord(
+                        $host['id'], 
+                        $agent['agent_description'], 
+                        $metric,
+                        $latestData['timestamp']
+                    );
+
+                    $agentData['metrics'][$section][$metric] = [
+                        'latest' => [
+                            'value' => $latestData['value'],
+                            'timestamp' => $latestData['timestamp']
+                        ],
+                        'previous' => $previousData,
+                        'label' => $metricConfig['label'],
+                        'link' => isset($metricConfig['link']) ? $metricConfig['link'] : null
+                    ];
+
+                    // Use the most recent timestamp for the agent
+                    if ($agentData['timestamp'] === null || strtotime($latestData['timestamp']) > strtotime($agentData['timestamp'])) {
+                        $agentData['timestamp'] = $latestData['timestamp'];
+                    }
+                }
+            }
+        }
+
+        if (!empty($agentData['metrics'])) {
+            $hostData['agents'][] = $agentData;
+        }
+    }
+
+    if (!empty($hostData['agents'])) {
+        $hostsData[] = $hostData;
+    }
+}
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+// Load the template
+include '../app/templates/latest.php';

app/pages/livejs.php

@@ -0,0 +1,16 @@
+<?php
+
+$mode = $_REQUEST['mode'] ?? '';
+$raw = ($mode === 'raw');
+$livejsFile = $_REQUEST['item'] ?? '';
+
+require '../app/classes/settings.php';
+$settingsObject = new Settings();
+
+$livejsData = $settingsObject->getPlatformJsFile($platformDetails[0]['jitsi_url'], $item, $raw);
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+// Load the template
+include '../app/templates/livejs.php';

app/pages/login.php

@@ -1,70 +1,305 @@
 <?php
 
-require_once '../app/classes/database.php';
-require '../app/classes/user.php';
+/**
+ * User login
+ *
+ * This page ("login") handles user login, session management, cookie handling, and error logging.
+ * Supports "remember me" functionality to extend session duration and two-factor authentication.
+ *
+ * Actions Performed:
+ * - Validates login credentials
+ * - Handles two-factor authentication if enabled
+ * - Manages session and cookies based on "remember me" option
+ * - Logs successful and failed login attempts
+ * - Displays login form and optional custom messages
+ */
 
 // clear the global error var before login
 unset($error);
 
 try {
-
     // connect to database
-    require '../app/helpers/database.php';
     $db = connectDB($config);
 
-    $user = new User($db);
+    // Initialize RateLimiter
+    require_once '../app/classes/ratelimiter.php';
+    $rateLimiter = new RateLimiter($db);
+    // Get user IP
+    require_once '../app/helpers/ip_helper.php';
+    $user_IP = getUserIP();
 
-    if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
-        $username = $_POST['username'];
-        $password = $_POST['password'];
+    $action = $_REQUEST['action'] ?? '';
 
-        // login successful
-        if ( $user->login($username, $password) ) {
-            // if remember_me is checked, max out the session
-            if (isset($_POST['remember_me'])) {
-                // 30*24*60*60 = 30 days
-                $cookie_lifetime = 30 * 24 * 60 * 60;
-                $setcookie_lifetime = time() + 30 * 24 * 60 * 60;
-                $gc_maxlifetime = 30 * 24 * 60 * 60;
-            } else {
-                // 0 - session end on browser close
-                // 1440 - 24 minutes (default)
-                $cookie_lifetime = 0;
-                $setcookie_lifetime = 0;
-                $gc_maxlifetime = 1440;
+    if ($action === 'verify' && isset($_SESSION['2fa_pending_user_id'])) {
+        // Handle 2FA verification
+        $code = $_POST['code'] ?? '';
+        $pending2FA = Session::get2FAPending();
+
+        if (!$pending2FA) {
+            header('Location: ' . htmlspecialchars($app_root) . '?page=login');
+            exit();
         }
 
-            // set session lifetime and cookies
-            setcookie('username', $username, [
-                'expires'	=> $setcookie_lifetime,
-                'path'		=> $config['folder'],
-                'domain'	=> $config['domain'],
-                'secure'	=> isset($_SERVER['HTTPS']),
-                'httponly'	=> true,
-                'samesite'	=> 'Strict'
-            ]);
+        require_once '../app/classes/twoFactorAuth.php';
+        $twoFactorAuth = new TwoFactorAuthentication($db);
 
-            // redirect to index
-            $_SESSION['notice'] = "Login successful";
-            header('Location: index.php');
+        if ($twoFactorAuth->verify($pending2FA['user_id'], $code)) {
+            // Complete login
+            handleSuccessfulLogin($pending2FA['user_id'], $pending2FA['username'],
+                $pending2FA['remember_me'], $config, $app_root, $logObject, $user_IP);
+
+            // Clean up 2FA session data
+            Session::clear2FAPending();
+
+            exit();
+        }
+
+        // If we get here (and we have code submitted), verification failed
+        if (!empty($code)) {
+            Feedback::flash('ERROR', 'DEFAULT', 'Invalid verification code');
+        }
+
+        // Get any new feedback messages
+        include '../app/helpers/feedback.php';
+
+        // Make userId available to template
+        $userId = $pending2FA['user_id'];
+
+        // Load the 2FA verification template
+        include '../app/templates/credentials-2fa-verify.php';
+        exit();
+    } elseif ($action === 'forgot') {
+        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+            // Handle password reset request
+            try {
+                // Validate CSRF token
+                $security = SecurityHelper::getInstance();
+                if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
+                    throw new Exception('Invalid security token. Please try again.');
+                }
+
+                // Apply rate limiting
+                if (!$rateLimiter->isIpWhitelisted($user_IP)) {
+                    if ($rateLimiter->isIpBlacklisted($user_IP)) {
+                        throw new Exception(Feedback::get('LOGIN', 'IP_BLACKLISTED')['message']);
+                    }
+                    if ($rateLimiter->tooManyAttempts('password_reset', $user_IP)) {
+                        throw new Exception(Feedback::get('LOGIN', 'TOO_MANY_ATTEMPTS')['message']);
+                    }
+                    $rateLimiter->attempt('password_reset', $user_IP);
+                }
+
+                // Validate email
+                $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
+                if (!$email) {
+                    throw new Exception('Please enter a valid email address.');
+                }
+
+                // Process reset request
+                require_once '../app/classes/passwordReset.php';
+                $resetHandler = new PasswordReset($db, $config);
+                $result = $resetHandler->requestReset($email);
+
+                // Always show same message whether email exists or not for security
+                Feedback::flash('NOTICE', 'DEFAULT', $result['message']);
+                header("Location: $app_root?page=login");
                 exit();
 
-        // login failed
-        } else {
-            $_SESSION['error'] = "Login failed.";
-            header('Location: index.php');
+            } catch (Exception $e) {
+                Feedback::flash('ERROR', 'DEFAULT', $e->getMessage());
+            }
+        }
+
+        // Generate CSRF token
+        $security = SecurityHelper::getInstance();
+        $security->generateCsrfToken();
+
+        // Load the forgot password form
+        include '../app/helpers/feedback.php';
+        include '../app/templates/form-password-forgot.php';
         exit();
+
+    } elseif ($action === 'reset' && isset($_GET['token'])) {
+        // Handle password reset
+        try {
+            require_once '../app/classes/passwordReset.php';
+            $resetHandler = new PasswordReset($db, $config);
+            $token = $_GET['token'];
+
+            if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+                // Validate CSRF token
+                $security = SecurityHelper::getInstance();
+                if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
+                    throw new Exception('Invalid security token. Please try again.');
+                }
+
+                // Apply rate limiting
+                if (!$rateLimiter->isIpWhitelisted($user_IP)) {
+                    if ($rateLimiter->tooManyAttempts('password_reset', $user_IP)) {
+                        throw new Exception(Feedback::get('LOGIN', 'TOO_MANY_ATTEMPTS')['message']);
+                    }
+                    $rateLimiter->attempt('password_reset', $user_IP);
+                }
+
+                // Validate password
+                require_once '../app/classes/validator.php';
+                $validator = new Validator($_POST);
+                $rules = [
+                    'new_password' => [
+                        'required' => true,
+                        'min' => 8
+                    ],
+                    'confirm_password' => [
+                        'required' => true,
+                        'matches' => 'new_password'
+                    ]
+                ];
+
+                if (!$validator->validate($rules)) {
+                    throw new Exception($validator->getFirstError());
+                }
+
+                // Reset password
+                if ($resetHandler->resetPassword($token, $_POST['new_password'])) {
+                    Feedback::flash('NOTICE', 'DEFAULT', 'Your password has been reset successfully. You can now log in.');
+                    header("Location: $app_root?page=login");
+                    exit();
+                }
+                throw new Exception('Invalid or expired reset link. Please request a new one.');
+            }
+
+            // Verify token is valid
+            $validation = $resetHandler->validateToken($token);
+            if (!$validation['valid']) {
+                throw new Exception('Invalid or expired reset link. Please request a new one.');
+            }
+
+            // Show reset password form
+            include '../app/helpers/feedback.php';
+            include '../app/templates/form-password-reset.php';
+            exit();
+
+        } catch (Exception $e) {
+            Feedback::flash('ERROR', 'DEFAULT', $e->getMessage());
+            header("Location: $app_root?page=login&action=forgot");
+            exit();
+        }
+    }
+
+    if ( $_SERVER['REQUEST_METHOD'] == 'POST' && $action !== 'verify' ) {
+        try {
+            // Validate form data
+            $security = SecurityHelper::getInstance();
+            $formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']);
+
+            $validationRules = [
+                'username' => [
+                    'type' => 'string',
+                    'required' => true,
+                    'min' => 3,
+                    'max' => 20
+                ],
+                'password' => [
+                    'type' => 'string',
+                    'required' => true
+                ]
+            ];
+
+            $errors = $security->validateFormData($formData, $validationRules);
+            if (!empty($errors)) {
+                throw new Exception("Invalid input: " . implode(", ", $errors));
+            }
+
+            $username = $formData['username'];
+            $password = $formData['password'];
+
+            // Skip all checks if IP is whitelisted
+            if (!$rateLimiter->isIpWhitelisted($user_IP)) {
+                // Check if IP is blacklisted
+                if ($rateLimiter->isIpBlacklisted($user_IP)) {
+                    throw new Exception(Feedback::get('LOGIN', 'IP_BLACKLISTED')['message']);
+                }
+
+                // Check rate limiting before recording attempt
+                if ($rateLimiter->tooManyAttempts($username, $user_IP)) {
+                    throw new Exception(Feedback::get('LOGIN', 'TOO_MANY_ATTEMPTS')['message']);
+                }
+            }
+
+            // Attempt login
+            $loginResult = $userObject->login($username, $password);
+
+            if (is_array($loginResult)) {
+                switch ($loginResult['status']) {
+                    case 'requires_2fa':
+                        // Store pending 2FA info
+                        Session::store2FAPending($loginResult['user_id'], $loginResult['username'],
+                            isset($formData['remember_me']));
+
+                        // Redirect to 2FA verification
+                        header('Location: ?page=login&action=verify');
+                        exit();
+
+                    case 'success':
+                        // Complete login
+                        handleSuccessfulLogin($loginResult['user_id'], $loginResult['username'],
+                            isset($formData['remember_me']), $config, $app_root, $logObject, $user_IP);
+                        exit();
+
+                    default:
+                        throw new Exception($loginResult['message'] ?? 'Login failed');
+                }
+            }
+
+            throw new Exception(Feedback::get('LOGIN', 'LOGIN_FAILED')['message']);
+        } catch (Exception $e) {
+            // Log the failed attempt
+            Feedback::flash('ERROR', 'DEFAULT', $e->getMessage());
+            if (isset($username)) {
+                $userId = $userObject->getUserId($username)[0]['id'] ?? 0;
+                $logObject->log('error', "Login: Failed login attempt for user \"$username\". IP: $user_IP. Reason: {$e->getMessage()}", ['user_id' => $userId, 'scope' => 'user']);
+                $rateLimiter->attempt($username, $user_IP);
+            }
         }
     }
 } catch (Exception $e) {
-    $error = getError('There was an unexpected error. Please try again.', $e->getMessage());
+    Feedback::flash('ERROR', 'DEFAULT');
 }
 
+// Show configured login message if any
 if (!empty($config['login_message'])) {
-    $notice = $config['login_message'];
-    include '../app/templates/block-message.php';
+    echo Feedback::render('NOTICE', 'DEFAULT', $config['login_message'], false, false, false);
 }
 
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+// Load the template
 include '../app/templates/form-login.php';
 
-?>
+/**
+ * Handle successful login by setting up session and cookies
+ */
+function handleSuccessfulLogin($userId, $username, $rememberMe, $config, $app_root, $logObject, $userIP) {
+    // Create authenticated session
+    Session::createAuthSession($userId, $username, $rememberMe, $config);
+
+    // Log successful login
+    $logObject->log('info', "Login: User \"$username\" logged in. IP: $userIP", ['user_id' => $userId, 'scope' => 'user']);
+
+    // Set success message
+    Feedback::flash('LOGIN', 'LOGIN_SUCCESS');
+
+    // After successful login, redirect to original page if provided in URL param or POST
+    $redirect = $app_root;
+    $candidate = $_POST['redirect'] ?? $_GET['redirect'] ?? '';
+    $trimmed = trim($candidate, '/?');
+    if (
+        (strpos($candidate, '/') === 0 || strpos($candidate, '?') === 0)
+        && !in_array($trimmed, INVALID_REDIRECT_PAGES, true)
+    ) {
+        $redirect = $candidate;
+    }
+    header('Location: ' . htmlspecialchars($redirect));
+    exit();
+}

app/pages/participants.php

@@ -1,11 +1,23 @@
 <?php
 
-require_once '../app/classes/database.php';
-require '../app/classes/participant.php';
+/**
+ * Participants information
+ *
+ * This page ("participants") retrieves and displays participant information for conferences.
+ * Allows filtering by participant ID, name, or IP address, and listing within a specified time range.
+ * Supports pagination.
+ */
 
 // connect to database
-require '../app/helpers/database.php';
-$db = connectDB($config, 'jilo', $platform_id);
+$response = connectJiloDB($config, $platformDetails[0]['jilo_database'], $platform_id);
+
+// if DB connection has error, display it and stop here
+if ($response['db'] === null) {
+    Feedback::flash('ERROR', 'DEFAULT', $response['error']);
+
+// otherwise if DB connection is OK, go on
+} else {
+    $db = $response['db'];
 
     // specify time range
     include '../app/helpers/time_range.php';
@@ -34,24 +46,59 @@ if (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
     // Participant listings
     //
 
-$participant = new Participant($db);
+    require '../app/classes/participant.php';
+    $participantObject = new Participant($db);
+
+    // get current page for pagination
+    $currentPage = $_REQUEST['page_num'] ?? 1;
+    $currentPage = (int)$currentPage;
+
+    // pagination variables
+    $items_per_page = 20;
+    $offset = ($currentPage -1) * $items_per_page;
+
+    // Build params for pagination
+    $params = '';
+    if (!empty($_REQUEST['from_time'])) {
+        $params .= '&from_time=' . urlencode($_REQUEST['from_time']);
+    }
+    if (!empty($_REQUEST['until_time'])) {
+        $params .= '&until_time=' . urlencode($_REQUEST['until_time']);
+    }
+    if (!empty($_REQUEST['name'])) {
+        $params .= '&name=' . urlencode($_REQUEST['name']);
+    }
+    if (!empty($_REQUEST['id'])) {
+        $params .= '&id=' . urlencode($_REQUEST['id']);
+    }
+    if (isset($_REQUEST['event'])) {
+        $params .= '&ip=' . urlencode($_REQUEST['ip']);
+    }
 
     // search and list specific participant ID
     if (isset($participantId)) {
-    $search = $participant->conferenceByParticipantId($participantId, $from_time, $until_time, $participantId, $from_time, $until_time);
+        $search = $participantObject->conferenceByParticipantId($participantId, $from_time, $until_time, $offset, $items_per_page);
+        $search_all = $participantObject->conferenceByParticipantId($participantId, $from_time, $until_time);
     // search and list specific participant name (stats_id)
     } elseif (isset($participantName)) {
-    $search = $participant->conferenceByParticipantName($participantName, $from_time, $until_time);
+        $search = $participantObject->conferenceByParticipantName($participantName, $from_time, $until_time, $offset, $items_per_page);
+        $search_all = $participantObject->conferenceByParticipantName($participantName, $from_time, $until_time);
     // search and list specific participant IP
     } elseif (isset($participantIp)) {
-    $search = $participant->conferenceByParticipantIP($participantIp, $from_time, $until_time);
+        $search = $participantObject->conferenceByParticipantIP($participantIp, $from_time, $until_time, $offset, $items_per_page);
+        $search_all = $participantObject->conferenceByParticipantIP($participantIp, $from_time, $until_time);
     // list of all participants (default)
     } else {
     // prepare the result
-    $search = $participant->participantsAll($from_time, $until_time);
+        $search = $participantObject->participantsAll($from_time, $until_time, $offset, $items_per_page);
+        $search_all = $participantObject->participantsAll($from_time, $until_time);
     }
 
     if (!empty($search)) {
+        // we get total items and number of pages
+        $item_count = count($search_all);
+        $totalPages = ceil($item_count / $items_per_page);
+
         $participants = array();
         $participants['records'] = array();
 
@@ -112,31 +159,20 @@ if (!empty($search)) {
         }
     }
 
-// prepare the widget
-$widget['full'] = false;
-$widget['name'] = 'Participants';
-$widget['collapsible'] = false;
-$widget['collapsed'] = false;
-$widget['filter'] = true;
-
-// widget title
+    // filter message
+    $filterMessage = array();
     if (isset($_REQUEST['name']) && $_REQUEST['name'] != '') {
-    $widget['title'] = 'Conferences with participant name (stats_id) matching "<strong>' . $_REQUEST['name'] . '"</strong>';
+        array_push($filterMessage, 'Conferences with participant name (stats_id) matching "<strong>' . $_REQUEST['name'] . '</strong>"');
     } elseif (isset($_REQUEST['id']) && $_REQUEST['id'] != '') {
-    $widget['title'] = 'Conference with participant ID matching "<strong>' . $_REQUEST['id'] . '"</strong>';
+        array_push($filterMessage, 'Conferences with participant ID matching "<strong>' . $_REQUEST['id'] . '</strong>"');
     } elseif (isset($participantIp)) {
-    $widget['title'] = 'Conference with participant IP matching "<strong>' . $participantIp . '"</strong>';
-} else {
-    $widget['title'] = 'All participants';
-}
-// widget records
-if (!empty($participants['records'])) {
-    $widget['full'] = true;
-    $widget['table_headers'] = array_keys($participants['records'][0]);
-    $widget['table_records'] = $participants['records'];
+        array_push($filterMessage, 'Conferences with participant IP matching "<strong>' . $participantIp . '</strong>"');
     }
 
+    // Get any new feedback messages
+    include '../app/helpers/feedback.php';
+
     // display the widget
-include('../app/templates/widget.php');
+    include '../app/templates/participants.php';
 
-?>
+}

app/pages/profile.php

@@ -1,5 +1,176 @@
 <?php
 
-include('../app/templates/widget-profile.php');
+/**
+ * User profile management
+ *
+ * This page ("profile") handles user profile actions such as updating user details,
+ * avatar management, and assigning or removing user rights.
+ * It supports both form submissions and displaying profile templates.
+ *
+ * Actions handled:
+ * - `remove`: Remove a user's avatar.
+ * - `edit`: Edit user profile details, rights, or avatar.
+ */
 
-?>
+$action = $_REQUEST['action'] ?? '';
+$item = $_REQUEST['item'] ?? '';
+
+// if a form is submitted, it's from the edit page
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+    // Validate CSRF token
+    require_once '../app/helpers/security.php';
+    $security = SecurityHelper::getInstance();
+    if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
+        Feedback::flash('ERROR', 'DEFAULT', 'Invalid security token. Please try again.');
+        header("Location: $app_root?page=profile");
+        exit();
+    }
+
+    require_once '../app/classes/validator.php';
+
+    // Apply rate limiting for profile operations
+    require_once '../app/includes/rate_limit_middleware.php';
+    checkRateLimit($db, 'profile', $userId);
+
+    // avatar removal
+    if ($item === 'avatar' && $action === 'remove') {
+        $validator = new Validator(['user_id' => $userId]);
+        $rules = [
+            'user_id' => [
+                'required' => true,
+                'numeric' => true
+            ]
+        ];
+
+        if (!$validator->validate($rules)) {
+            Feedback::flash('ERROR', 'DEFAULT', $validator->getFirstError());
+            header("Location: $app_root?page=profile");
+            exit();
+        }
+
+        $result = $userObject->removeAvatar($userId, $config['avatars_path'].$userDetails[0]['avatar']);
+        if ($result === true) {
+            Feedback::flash('NOTICE', 'DEFAULT', "Avatar for user \"{$userDetails[0]['username']}\" is removed.");
+        } else {
+            Feedback::flash('ERROR', 'DEFAULT', "Removing the avatar failed. Error: $result");
+        }
+
+        header("Location: $app_root?page=profile");
+        exit();
+    }
+
+    // update the profile
+    $validator = new Validator($_POST);
+    $rules = [
+        'name' => [
+            'max' => 100
+        ],
+        'email' => [
+            'email' => true,
+            'max' => 100
+        ],
+        'timezone' => [
+            'max' => 50
+        ],
+        'bio' => [
+            'max' => 1000
+        ]
+    ];
+
+    if (!$validator->validate($rules)) {
+        Feedback::flash('ERROR', 'DEFAULT', $validator->getFirstError());
+        header("Location: $app_root?page=profile");
+        exit();
+    }
+
+    $updatedUser = [
+        'name' => htmlspecialchars($_POST['name'] ?? ''),
+        'email' => filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL),
+        'timezone' => htmlspecialchars($_POST['timezone'] ?? ''),
+        'bio' => htmlspecialchars($_POST['bio'] ?? ''),
+    ];
+    $result = $userObject->editUser($userId, $updatedUser);
+    if ($result === true) {
+        Feedback::flash('NOTICE', 'DEFAULT', "User details for \"{$userDetails[0]['username']}\" are edited.");
+    } else {
+        Feedback::flash('ERROR', 'DEFAULT', "Editing the user details failed. Error: $result");
+    }
+
+    // update the rights
+    // Get current rights IDs
+    $userRightsIds = array_column($userRights, 'right_id');
+
+    // If no rights are selected, remove all rights
+    if (!isset($_POST['rights'])) {
+        $_POST['rights'] = [];
+    }
+
+    $validator = new Validator(['rights' => $_POST['rights']]);
+    $rules = [
+        'rights' => [
+            'array' => true
+        ]
+    ];
+
+    if (!$validator->validate($rules)) {
+        Feedback::flash('ERROR', 'DEFAULT', $validator->getFirstError());
+        header("Location: $app_root?page=profile");
+        exit();
+    }
+
+    $newRights = $_POST['rights'];
+    // what rights we need to add
+    $rightsToAdd = array_diff($newRights, $userRightsIds);
+    if (!empty($rightsToAdd)) {
+        foreach ($rightsToAdd as $rightId) {
+            $userObject->addUserRight($userId, $rightId);
+        }
+    }
+    // what rights we need to remove
+    $rightsToRemove = array_diff($userRightsIds, $newRights);
+    if (!empty($rightsToRemove)) {
+        foreach ($rightsToRemove as $rightId) {
+            $userObject->removeUserRight($userId, $rightId);
+        }
+    }
+
+    // update the avatar
+    if (!empty($_FILES['avatar_file']['tmp_name'])) {
+        $result = $userObject->changeAvatar($userId, $_FILES['avatar_file'], $config['avatars_path']);
+    }
+
+    header("Location: $app_root?page=profile");
+    exit();
+
+// no form submitted, show the templates
+} else {
+    $avatar = !empty($userDetails[0]['avatar']) ? $config['avatars_path'] . $userDetails[0]['avatar'] : $config['default_avatar'];
+    $default_avatar = empty($userDetails[0]['avatar']) ? true : false;
+
+    // Generate CSRF token if not exists
+    require_once '../app/helpers/security.php';
+    $security = SecurityHelper::getInstance();
+    $security->generateCsrfToken();
+
+    switch ($action) {
+        case 'edit':
+            $allRights = $userObject->getAllRights();
+            $allTimezones = timezone_identifiers_list();
+            // if timezone is already set, we pass a flag for JS to not autodetect browser timezone
+            $isTimezoneSet = !empty($userDetails[0]['timezone']);
+
+            // Get any new feedback messages
+            include '../app/helpers/feedback.php';
+
+            // Load the template
+            include '../app/templates/profile-edit.php';
+            break;
+
+        default:
+            // Get any new feedback messages
+            include '../app/helpers/feedback.php';
+
+            // Load the template
+            include '../app/templates/profile.php';
+    }
+}

app/pages/register.php

@@ -1,47 +0,0 @@
-<?php
-
-// registration is allowed, go on
-if ($config['registration_enabled'] === true) {
-
-    require_once '../app/classes/database.php';
-    require '../app/classes/user.php';
-    unset($error);
-
-    try {
-
-        // connect to database
-        require '../app/helpers/database.php';
-        $db = connectDB($config);
-
-        $user = new User($db);
-
-        if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
-            $username = $_POST['username'];
-            $password = $_POST['password'];
-
-            // redirect to login
-            if ( $user->register($username, $password) ) {
-                $_SESSION['notice'] = "Registration successful.<br />You can log in now.";
-                header('Location: index.php');
-                exit();
-            // registration fail, redirect to login
-            } else {
-                $_SESSION['error'] = "Registration failed.";
-                header('Location: index.php');
-                exit();
-            }
-        }
-    } catch (Exception $e) {
-        $error = getError('There was an unexpected error. Please try again.', $e->getMessage());
-    }
-
-    include '../app/templates/block-message.php';
-    include '../app/templates/form-register.php';
-
-// registration disabled
-} else {
-    $notice = 'Registration is disabled';
-    include '../app/templates/block-message.php';
-}
-
-?>

app/pages/security.php

@@ -0,0 +1,174 @@
+<?php
+
+// Check if user has any of the required rights
+if (!($userObject->hasRight($userId, 'superuser') ||
+      $userObject->hasRight($userId, 'edit whitelist') ||
+      $userObject->hasRight($userId, 'edit blacklist') ||
+      $userObject->hasRight($userId, 'edit ratelimiting'))) {
+    include '../app/templates/error-unauthorized.php';
+    exit;
+}
+
+// Get current section
+$section = isset($_POST['section']) ? $_POST['section'] : (isset($_GET['section']) ? $_GET['section'] : 'whitelist');
+
+// Initialize RateLimiter
+require_once '../app/classes/ratelimiter.php';
+$rateLimiter = new RateLimiter($db);
+
+// Handle form submissions
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
+    require_once '../app/classes/validator.php';
+
+    // Apply rate limiting for security operations
+    require_once '../app/includes/rate_limit_middleware.php';
+    checkRateLimit($db, 'security', $userId);
+
+    $action = $_POST['action'];
+    $validator = new Validator($_POST);
+
+    try {
+        switch ($action) {
+            case 'add_whitelist':
+                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit whitelist')) {
+                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
+                    break;
+                }
+
+                $rules = [
+                    'ip_address' => [
+                        'required' => true,
+                        'max' => 45, // Max length for IPv6
+                        'ip' => true
+                    ],
+                    'description' => [
+                        'required' => true,
+                        'max' => 255
+                    ]
+                ];
+
+                if ($validator->validate($rules)) {
+                    $is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';
+                    if (!$rateLimiter->addToWhitelist($_POST['ip_address'], $is_network, $_POST['description'] ?? '', $currentUser, $userId)) {
+                        Feedback::flash('SECURITY', 'WHITELIST_ADD_FAILED');
+                    } else {
+                        Feedback::flash('SECURITY', 'WHITELIST_ADD_SUCCESS');
+                    }
+                } else {
+                    Feedback::flash('SECURITY', 'WHITELIST_ADD_ERROR_IP', $validator->getFirstError());
+                }
+                break;
+
+            case 'remove_whitelist':
+                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit whitelist')) {
+                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
+                    break;
+                }
+
+                $rules = [
+                    'ip_address' => [
+                        'required' => true,
+                        'max' => 45,
+                        'ip' => true
+                    ]
+                ];
+
+                if ($validator->validate($rules)) {
+                    if (!$rateLimiter->removeFromWhitelist($_POST['ip_address'], $currentUser, $userId)) {
+                        Feedback::flash('SECURITY', 'WHITELIST_REMOVE_FAILED');
+                    } else {
+                        Feedback::flash('SECURITY', 'WHITELIST_REMOVE_SUCCESS');
+                    }
+                } else {
+                    Feedback::flash('SECURITY', 'WHITELIST_REMOVE_FAILED', $validator->getFirstError());
+                }
+                break;
+
+            case 'add_blacklist':
+                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit blacklist')) {
+                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
+                    break;
+                }
+
+                $rules = [
+                    'ip_address' => [
+                        'required' => true,
+                        'max' => 45,
+                        'ip' => true
+                    ],
+                    'reason' => [
+                        'required' => true,
+                        'max' => 255
+                    ],
+                    'expiry_hours' => [
+                        'numeric' => true,
+                        'min' => 0,
+                        'max' => 8760 // 1 year in hours
+                    ]
+                ];
+
+                if ($validator->validate($rules)) {
+                    $is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';
+                    $expiry_hours = !empty($_POST['expiry_hours']) ? (int)$_POST['expiry_hours'] : null;
+
+                    if (!$rateLimiter->addToBlacklist($_POST['ip_address'], $is_network, $_POST['reason'], $currentUser, $userId, $expiry_hours)) {
+                        Feedback::flash('SECURITY', 'BLACKLIST_ADD_FAILED');
+                    } else {
+                        Feedback::flash('SECURITY', 'BLACKLIST_ADD_SUCCESS');
+                    }
+                } else {
+                    Feedback::flash('SECURITY', 'BLACKLIST_ADD_ERROR_IP', $validator->getFirstError());
+                }
+                break;
+
+            case 'remove_blacklist':
+                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit blacklist')) {
+                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
+                    break;
+                }
+
+                $rules = [
+                    'ip_address' => [
+                        'required' => true,
+                        'max' => 45,
+                        'ip' => true
+                    ]
+                ];
+
+                if ($validator->validate($rules)) {
+                    if (!$rateLimiter->removeFromBlacklist($_POST['ip_address'], $currentUser, $userId)) {
+                        Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_FAILED');
+                    } else {
+                        Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_SUCCESS');
+                    }
+                } else {
+                    Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_FAILED', $validator->getFirstError());
+                }
+                break;
+
+            default:
+                Feedback::flash('ERROR', 'INVALID_ACTION');
+        }
+    } catch (Exception $e) {
+        Feedback::flash('ERROR', $e->getMessage());
+    }
+
+    // Redirect back to the appropriate section
+    header("Location: $app_root?page=security&section=" . urlencode($section));
+    exit;
+}
+
+// Always show rate limit info message for rate limiting section
+if ($section === 'ratelimit') {
+    $system_messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO'];
+}
+
+// Get current lists
+$whitelisted = $rateLimiter->getWhitelistedIps();
+$blacklisted = $rateLimiter->getBlacklistedIps();
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+// Load the template
+include '../app/templates/security.php';

app/pages/settings.php

@@ -0,0 +1,179 @@
+<?php
+
+/**
+ * Jilo settings management.
+ *
+ * This page ("settings") handles Jilo settings by
+ * adding, editing, and deleting platforms, hosts, agents.
+ */
+
+// Check if this is an AJAX request
+$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && 
+          strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+$action = $_REQUEST['action'] ?? '';
+$agent = $_REQUEST['agent'] ?? '';
+$host = $_REQUEST['host'] ?? '';
+
+require '../app/classes/host.php';
+require '../app/classes/agent.php';
+
+$hostObject = new Host($db);
+$agentObject = new Agent($db);
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+    /**
+     * Handles form submissions from editing
+     */
+
+    // Apply rate limiting for profile operations
+    require_once '../app/includes/rate_limit_middleware.php';
+    checkRateLimit($db, 'profile', $userId);
+
+    // Get hash from URL if present
+    $hash = parse_url($_SERVER['REQUEST_URI'], PHP_URL_FRAGMENT) ?? '';
+    $redirectUrl = htmlspecialchars($app_root) . '?page=settings';
+    if ($hash) {
+        $redirectUrl .= '#' . $hash;
+    }
+
+    // host operations
+    if (isset($_POST['item']) && $_POST['item'] === 'host') {
+        if (isset($_POST['delete']) && $_POST['delete'] === 'true') { // This is a host delete
+            $host_id = $_POST['host'];
+            $result = $hostObject->deleteHost($host_id);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "Host deleted successfully.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Deleting the host failed. Error: $result", true);
+            }
+        } else if (!isset($_POST['host'])) { // This is a new host
+            $newHost = [
+                'address'       => $_POST['address'],
+                'platform_id'   => $_POST['platform'],
+                'name'          => empty($_POST['name']) ? $_POST['address'] : $_POST['name'],
+            ];
+            $result = $hostObject->addHost($newHost);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "New Jilo host added.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Adding the host failed. Error: $result", true);
+            }
+        } else { // This is an edit of existing host
+            $host_id = $_POST['host'];
+            $platform_id = $_POST['platform'];
+            $updatedHost = [
+                'id'      => $host_id,
+                'address' => $_POST['address'],
+                'name'    => empty($_POST['name']) ? $_POST['address'] : $_POST['name'],
+            ];
+            $result = $hostObject->editHost($platform_id, $updatedHost);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "Host edited.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Editing the host failed. Error: $result", true);
+            }
+        }
+        if (!$isAjax) {
+            header('Location: ' . $redirectUrl);
+            exit;
+        }
+
+    // agent operations
+    } elseif (isset($_POST['item']) && $_POST['item'] === 'agent') {
+        if (isset($_POST['delete']) && $_POST['delete'] === 'true') { // This is an agent delete
+            $agent_id = $_POST['agent'];
+            $result = $agentObject->deleteAgent($agent_id);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "Agent deleted successfully.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Deleting the agent failed. Error: $result", true);
+            }
+        } else if (isset($_POST['new']) && $_POST['new'] === 'true') { // This is a new agent
+            $newAgent = [
+                'type_id'       => $_POST['type'],
+                'url'           => $_POST['url'],
+                'secret_key'    => empty($_POST['secret_key']) ? null : $_POST['secret_key'],
+                'check_period'  => empty($_POST['check_period']) ? 0 : $_POST['check_period'],
+            ];
+            $result = $agentObject->addAgent($_POST['host'], $newAgent);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "New Jilo agent added.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Adding the agent failed. Error: $result", true);
+            }
+        } else { // This is an edit of existing agent
+            $agent_id = $_POST['agent'];
+            $updatedAgent = [
+                'agent_type_id' => $_POST['agent_type_id'],
+                'url'          => $_POST['url'],
+                'secret_key'   => empty($_POST['secret_key']) ? null : $_POST['secret_key'],
+                'check_period' => empty($_POST['check_period']) ? 0 : $_POST['check_period'],
+            ];
+            $result = $agentObject->editAgent($agent_id, $updatedAgent);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "Agent edited.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Editing the agent failed. Error: $result", true);
+            }
+        }
+        if (!$isAjax) {
+            header('Location: ' . $redirectUrl);
+            exit;
+        }
+
+    // platform operations
+    } elseif (isset($_POST['item']) && $_POST['item'] === 'platform') {
+        if (isset($_POST['delete']) && $_POST['delete'] === 'true') { // This is a platform delete
+            $platform_id = $_POST['platform'];
+            $result = $platformObject->deletePlatform($platform_id);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "Platform deleted successfully.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Deleting the platform failed. Error: $result", true);
+            }
+        } else if (!isset($_POST['platform'])) { // This is a new platform
+            $newPlatform = [
+                'name'          => $_POST['name'],
+                'jitsi_url'     => $_POST['jitsi_url'],
+                'jilo_database' => $_POST['jilo_database'],
+            ];
+            $result = $platformObject->addPlatform($newPlatform);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "New Jitsi platform added.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Adding the platform failed. Error: $result", true);
+            }
+        } else { // This is an edit of existing platform
+            $platform_id = $_POST['platform'];
+            $updatedPlatform = [
+                'name'          => $_POST['name'],
+                'jitsi_url'     => $_POST['jitsi_url'],
+                'jilo_database' => $_POST['jilo_database'],
+            ];
+            $result = $platformObject->editPlatform($platform_id, $updatedPlatform);
+            if ($result === true) {
+                Feedback::flash('NOTICE', 'DEFAULT', "Platform edited.", true);
+            } else {
+                Feedback::flash('ERROR', 'DEFAULT', "Editing the platform failed. Error: $result", true);
+            }
+        }
+        header('Location: ' . $redirectUrl);
+        exit;
+    }
+
+} else {
+    /**
+     * Handles GET requests to display templates.
+     */
+
+    if ($userObject->hasRight($userId, 'view settings') || $userObject->hasRight($userId, 'superuser')) {
+        $jilo_agent_types = $agentObject->getAgentTypes();
+        include '../app/templates/settings.php';
+    } else {
+        include '../app/templates/error-unauthorized.php';
+    }
+}

app/pages/status.php

@@ -0,0 +1,81 @@
+<?php
+
+/**
+ * Jilo components status checks
+ *
+ * This page ("status") checks the status of various Jilo platform components
+ * by fetching data from agents and determining their availability.
+ * It generates output for each platform and agent.
+ */
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+require '../app/classes/agent.php';
+require '../app/classes/host.php';
+$agentObject = new Agent($db);
+$hostObject = new Host($db);
+
+include '../app/templates/status-server.php';
+
+// loop through all platforms to check their agents
+foreach ($platformsAll as $platform) {
+
+    // check if we can connect to the jilo database
+    $response = connectJiloDB($config, $platform['jilo_database'], $platform['id']);
+    if ($response['error'] !== null) {
+        $jilo_database_status = $response['error'];
+    } else {
+        $jilo_database_status = 'Connected';
+    }
+
+    include '../app/templates/status-platform.php';
+
+    // fetch hosts for the current platform
+    $hostDetails = $hostObject->getHostDetails($platform['id']);
+    foreach ($hostDetails as $host) {
+        // fetch agent details for the current host
+        $agentDetails = $agentObject->getAgentDetails($host['id']);
+        foreach ($agentDetails as $agent) {
+            // we try to parse the URL to scheme:/host:port
+            $agent_url = parse_url($agent['url']);
+            $agent_protocol = isset($agent_url['scheme']) ? $agent_url['scheme']: '';
+            // on failure we keep the full value for displaying purpose
+            $agent_host = isset($agent_url['host']) ? $agent_url['host']: $agent['url'];
+            $agent_port = isset($agent_url['port']) ? $agent_url['port']: '';
+
+            // we get agent data to check availability
+            $agent_response = $agentObject->fetchAgent($agent['id'], true);
+            $agent_data = json_decode($agent_response);
+
+            // determine agent availability based on response data
+            if (json_last_error() === JSON_ERROR_NONE) {
+                $agent_availability = 'unknown';
+                foreach ($agent_data as $key => $value) {
+                    if ($key === 'error') {
+                        $agent_availability = $value;
+                        break;
+                    }
+                    if (preg_match('/_state$/', $key)) {
+                        if ($value === 'error') {
+                            $agent_availability = 'not running';
+                            break;
+                        }
+                        if ($value === 'running') {
+                            $agent_availability = 'running';
+                            break;
+                        }
+                    }
+                }
+            } else {
+                $agent_availability = 'json error';
+            }
+
+            include '../app/templates/status-agent.php';
+        }
+    }
+    echo "\n\t\t\t\t\t\t\t</div>\n";
+}
+echo "\n\t\t\t\t\t\t</div>";
+echo "\n\t\t\t\t\t</div>";
+echo "\n\t\t\t\t</div>";

app/pages/theme-asset.php

@@ -0,0 +1,10 @@
+<?php
+/**
+ * Theme Asset handler
+ *
+ * Serves theme assets through the main application router.
+ * This provides a secure way to serve theme files that are outside the web root.
+ */
+
+// Include the theme asset handler
+require_once __DIR__ . '/../helpers/theme-asset.php';

app/pages/theme.php

@@ -0,0 +1,71 @@
+<?php
+/**
+ * Theme Management Controller
+ *
+ * Handles theme switching and management functionality.
+ * Allows users to view available themes and change the active theme.
+ *
+ * Actions:
+ * - switch_to: Changes the active theme for the current user
+ */
+
+// Initialize security
+require_once '../app/helpers/security.php';
+$security = SecurityHelper::getInstance();
+
+// Only allow access to logged-in users
+if (!Session::isValidSession()) {
+    header('Location: ' . $app_root . '?page=login');
+    exit;
+}
+
+// Handle theme switching
+if (isset($_GET['switch_to'])) {
+    $themeName = $_GET['switch_to'];
+
+    // Validate CSRF token for state-changing operations
+    if (!$security->verifyCsrfToken($_GET['csrf_token'] ?? '')) {
+        Feedback::flash('SECURITY', 'CSRF_INVALID');
+        header("Location: $app_root?page=theme");
+        exit();
+    }
+
+    if (\App\Helpers\Theme::setCurrentTheme($themeName)) {
+        // Set success message
+        Feedback::flash('THEME', 'THEME_CHANGED');
+    } else {
+        // Set error message
+        Feedback::flash('THEME', 'THEME_CHANGE_FAILED');
+    }
+
+    // Redirect back to prevent form resubmission
+    $redirect = $app_root . '?page=theme';
+    header("Location: $redirect");
+    exit;
+}
+
+// Get available themes and current theme for the view
+$themes = \App\Helpers\Theme::getAvailableThemes();
+$currentTheme = \App\Helpers\Theme::getCurrentThemeName();
+
+// Prepare theme data with screenshot URLs for the view
+$themeData = [];
+foreach ($themes as $id => $name) {
+    $themeData[$id] = [
+        'name' => $name,
+        'screenshotUrl' => \App\Helpers\Theme::getAssetUrl($id, 'screenshot.png'),
+        'isActive' => $id === $currentTheme
+    ];
+}
+
+// Make theme data available to the view
+$themes = $themeData;
+
+// Generate CSRF token for the form
+$csrf_token = $security->generateCsrfToken();
+
+// Get any new feedback messages
+include '../app/helpers/feedback.php';
+
+// Load the template
+include '../app/templates/theme.php';

app/templates/agents.php

@@ -0,0 +1,94 @@
+
+                <!-- agents live data -->
+                <div class="container-fluid mt-2">
+                    <div class="row mb-4">
+                        <div class="col-12 mb-4">
+                            <h2 class="mb-0">Jilo Agents status</h2>
+                            <small>manage and monitor agents on platform <strong><?= htmlspecialchars($platformDetails[0]['name']) ?></strong></small>
+                        </div>
+                    </div>
+
+                    <!-- hosts and their agents -->
+                    <div class="row">
+                        <?php foreach ($agentsByHost as $hostId => $hostData): ?>
+                            <div class="col-12 mb-4">
+                                <div class="card">
+                                    <div class="card-header bg-light">
+                                        <h5 class="mb-0">
+                                            <i class="fas fa-network-wired me-2 text-secondary"></i>
+                                            Host: <?= htmlspecialchars($hostData['host_name']) ?>
+                                            <a href="<?= htmlspecialchars($app_root) ?>?page=settings#platform-<?= htmlspecialchars($platform_id) ?>host-<?= htmlspecialchars($hostId) ?>" class="text-decoration-none">
+                                                <i class="fas fa-edit ms-2"></i>
+                                            </a>
+                                        </h5>
+                                    </div>
+                                    <div class="card-body">
+                                        <?php if (empty($hostData['agents'])): ?>
+                                            <p class="text-muted">No agents on this host.</p>
+                                        <?php else: ?>
+                                            <?php foreach ($hostData['agents'] as $agent): ?>
+                                                <div class="agent-item mb-4 pb-3 border-bottom">
+                                                    <div class="d-flex align-items-center mb-2">
+                                                        <div class="flex-grow-1">
+                                                            <i class="fas fa-robot me-2 text-secondary"></i>
+                                                            <strong>Agent ID:</strong> <?= htmlspecialchars($agent['id']) ?> |
+                                                            <strong>Type:</strong> <?= htmlspecialchars($agent['agent_type_id']) ?> (<?= htmlspecialchars($agent['agent_description']) ?>) |
+                                                            <strong>Endpoint:</strong> <?= htmlspecialchars($agent['url']) ?><?= htmlspecialchars($agent['agent_endpoint']) ?>
+                                                            <a href="<?= htmlspecialchars($app_root) ?>?page=settings#platform-<?= htmlspecialchars($platform_id) ?>agent-<?= htmlspecialchars($agent['id']) ?>" class="text-decoration-none">
+                                                                <i class="fas fa-edit ms-2"></i>
+                                                            </a>
+                                                        </div>
+                                                    </div>
+
+                                                    <div class="btn-group" role="group">
+                                                        <button id="agent<?= htmlspecialchars($agent['id']) ?>-status" 
+                                                                class="btn btn-primary" 
+                                                                data-toggle="tooltip" 
+                                                                data-trigger="hover" 
+                                                                data-placement="bottom" 
+                                                                title="Get the agent status" 
+                                                                onclick="fetchData('<?= htmlspecialchars($agent['id']) ?>', '<?= htmlspecialchars($agent['url']) ?>', '/status', '<?= htmlspecialchars($agentTokens[$agent['id']]) ?>', true)">
+                                                            Get Status
+                                                        </button>
+                                                        <button id="agent<?= htmlspecialchars($agent['id']) ?>-fetch" 
+                                                                class="btn btn-primary" 
+                                                                data-toggle="tooltip" 
+                                                                data-trigger="hover" 
+                                                                data-placement="bottom" 
+                                                                title="Get data from the agent" 
+                                                                onclick="fetchData('<?= htmlspecialchars($agent['id']) ?>', '<?= htmlspecialchars($agent['url']) ?>', '<?= htmlspecialchars($agent['agent_endpoint']) ?>', '<?= htmlspecialchars($agentTokens[$agent['id']]) ?>', <?= isset($_SESSION["agent{$agent['id']}_cache"]) ? 'true' : 'false' ?>)">
+                                                            Fetch Data
+                                                        </button>
+                                                        <button id="agent<?= htmlspecialchars($agent['id']) ?>-cache" 
+                                                                <?= !isset($_SESSION["agent{$agent['id']}_cache"]) ? 'style="display:none;" ' : '' ?>
+                                                                class="btn btn-secondary" 
+                                                                data-toggle="tooltip" 
+                                                                data-trigger="hover" 
+                                                                data-placement="bottom" 
+                                                                title="Load cache" 
+                                                                onclick="loadCache('<?= htmlspecialchars($agent['id']) ?>')">
+                                                            Load Cache
+                                                        </button>
+                                                        <button id="agent<?= htmlspecialchars($agent['id']) ?>-clear" 
+                                                                <?= !isset($_SESSION["agent{$agent['id']}_cache"]) ? 'style="display:none;" ' : '' ?>
+                                                                class="btn btn-danger" 
+                                                                data-toggle="tooltip" 
+                                                                data-trigger="hover" 
+                                                                data-placement="bottom" 
+                                                                title="Clear cache" 
+                                                                onclick="clearCache('<?= htmlspecialchars($agent['id']) ?>')">
+                                                            Clear Cache
+                                                        </button>
+                                                    </div>
+                                                    <span id="cacheInfo<?= htmlspecialchars($agent['id']) ?>" class="ms-2 <?= isset($_SESSION["agent{$agent['id']}_cache"]) ? '' : 'd-none' ?>"></span>
+                                                    <pre class="results mt-3" id="result<?= htmlspecialchars($agent['id']) ?>">Click a button to display data from the agent.</pre>
+                                                </div>
+                                            <?php endforeach; ?>
+                                        <?php endif; ?>
+                                    </div>
+                                </div>
+                            </div>
+                        <?php endforeach; ?>
+                    </div>
+                </div>
+                <!-- agents live data -->

app/templates/block-message.php

@@ -1,7 +0,0 @@
-<?php if (isset($error)) { ?>
-        <div class="error"><?php echo $error; ?></div>
-<?php } ?>
-
-<?php if (isset($notice)) { ?>
-        <div class="notice"><?php echo $notice; ?></div>
-<?php } ?>

app/templates/block-results-filter.php

@@ -1,15 +1,15 @@
 
                     <!-- Results filter -->
                     <div class="card w-auto bg-light border-light card-body text-right" style="text-align: right;">
-                        <form method="POST" id="filter_form" action="?platform=<?= $platform_id?>&page=<?= $page ?>">
+                        <form method="POST" id="filter_form" class="filter-results" action="?platform=<?= htmlspecialchars($platform_id) ?>&page=<?= htmlspecialchars($page) ?>">
                             <label for="from_time">from</label>
-                            <input type="date" id="from_time" name="from_time"<?php if (isset($_REQUEST['from_time'])) echo " value=\"" . $_REQUEST['from_time'] . "\"" ?> />
+                            <input type="date" id="from_time" name="from_time"<?php if (isset($_REQUEST['from_time'])) echo " value=\"" . htmlspecialchars($from_time) . "\"" ?> />
                             <label for="until_time">until</label>
-                            <input type="date" id="until_time" name="until_time"<?php if (isset($_REQUEST['until_time'])) echo " value=\"" . $_REQUEST['until_time'] . "\"" ?> />
-                            <input type="text" name="id" placeholder="ID"<?php if (isset($_REQUEST['id'])) echo " value=\"" . $_REQUEST['id'] . "\"" ?> />
-                            <input type="text" name="name" placeholder="name"<?php if (isset($_REQUEST['name'])) echo " value=\"" . $_REQUEST['name'] . "\"" ?> />
+                            <input type="date" id="until_time" name="until_time"<?php if (isset($_REQUEST['until_time'])) echo " value=\"" . htmlspecialchars($until_time) . "\"" ?> />
+                            <input type="text" name="id" placeholder="ID"<?php if (isset($_REQUEST['id'])) echo " value=\"" . htmlspecialchars($_REQUEST['id']) . "\"" ?> />
+                            <input type="text" name="name" placeholder="name"<?php if (isset($_REQUEST['name'])) echo " value=\"" . htmlspecialchars($_REQUEST['name']) . "\"" ?> />
 <?php if ($page == 'participants') { ?>
-                            <input type="text" name="ip" placeholder="ip address"<?php if (isset($_REQUEST['ip'])) echo " value=\"" . $_REQUEST['ip'] . "\"" ?> maxlength="15" size="15" />
+                            <input type="text" name="ip" placeholder="ip address"<?php if (isset($_REQUEST['ip'])) echo " value=\"" . htmlspecialchars($_REQUEST['ip']) . "\"" ?> maxlength="15" size="15" />
 <?php } ?>
                             <input type="button" onclick="clearFilter()" value="clear" />
                             <input type="submit" value="search" />

app/templates/components.php

@@ -0,0 +1,110 @@
+
+                <!-- jitsi components events -->
+                <div class="container-fluid mt-2">
+                    <div class="row mb-4">
+                        <div class="col-md-6 mb-5">
+                            <h2 class="mb-0">Jitsi components events</h2>
+                            <small>log events related to Jitsi Meet components like Jicofo, Videobridge, Jigasi, etc.</small>
+                        </div>
+                        <div class="row mb-4">
+
+                            <!-- component events filter -->
+                            <div class="card mb-3">
+                                <div class="card-body">
+                                    <form method="get" action="" class="row g-3 align-items-end">
+                                        <input type="hidden" name="page" value="components">
+                                        <div class="col-md-auto">
+                                            <label for="from_time" class="form-label">From date</label>
+                                            <input type="date" class="form-control" id="from_time" name="from_time" value="<?= htmlspecialchars($_REQUEST['from_time'] ?? '') ?>">
+                                        </div>
+                                        <div class="col-md-auto">
+                                            <label for="until_time" class="form-label">Until date</label>
+                                            <input type="date" class="form-control" id="until_time" name="until_time" value="<?= htmlspecialchars($_REQUEST['until_time'] ?? '') ?>">
+                                        </div>
+                                        <div class="col-md-2">
+                                            <label for="name" class="form-label">Component name</label>
+                                            <input type="text" class="form-control" id="name" name="name" value="<?= htmlspecialchars($_REQUEST['name'] ?? '') ?>" placeholder="Component name">
+                                        </div>
+                                        <div class="col-md-4">
+                                            <input type="text" class="form-control" id="id" name="id" value="<?= htmlspecialchars($_REQUEST['id'] ?? '') ?>" placeholder="Search in component IDs">
+                                            <input type="text" class="form-control" id="event" name="event" value="<?= htmlspecialchars($_REQUEST['event'] ?? '') ?>" placeholder="Search in event messages">
+                                        </div>
+                                        <div class="col-md-auto align-middle">
+                                            <button type="submit" class="btn btn-primary me-2">
+                                                <i class="fas fa-search me-2"></i>Search
+                                            </button>
+                                            <a href="?page=components" class="btn btn-outline-secondary">
+                                                <i class="fas fa-times me-2"></i>Clear
+                                            </a>
+                                        </div>
+                                    </form>
+                                </div>
+                            </div>
+                            <!-- /component events filter -->
+
+                            <!-- component events -->
+<?php if ($time_range_specified || count($filterMessage)) { ?>
+                            <div class="alert alert-info m-0 mb-3 small">
+<?php   if ($time_range_specified) { ?>
+                              <p class="mb-0"><i class="fas fa-calendar-alt me-2"></i>Time period:
+                                  <strong>
+                                      <?= $from_time == '0000-01-01' ? 'beginning' : date('d M Y', strtotime($from_time)) ?> - <?= $until_time == '9999-12-31' ? 'now' : date('d M Y', strtotime($until_time)) ?>
+                                  </strong>
+                              </p>
+<?php   } ?>
+<?php   if (count($filterMessage)) {
+          foreach ($filterMessage as $message) { ?>
+                                <p class="mb-0"><i class="fas fa-users me-2"></i><?= $message ?></strong></p>
+<?php     } ?>
+<?php   } ?>
+                            </div>
+<?php } ?>
+
+
+                            <div class="mb-5">
+<?php if (!empty($components['records'])) { ?>
+                                <div class="table-responsive border">
+                                    <table class="table table-results table-hover mb-0">
+                                        <thead class="table-light">
+                                            <tr>
+                                                <th>component</th>
+                                                <th>log level</th>
+                                                <th>time</th>
+                                                <th>component ID</th>
+                                                <th>event</th>
+                                                <th>parameter</th>
+                                            </tr>
+                                        </thead>
+                                        <tbody>
+<?php     foreach ($components['records'] as $row) { ?>
+                                            <tr>
+                                                <td>
+                                                    <a href="<?= htmlspecialchars($app_root) ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=components&name=<?= htmlspecialchars($row['component'] ?? '') ?>">
+                                                        <?= htmlspecialchars($row['component'] ?? '') ?>
+                                                    </a>
+                                                </td>
+                                                <td><?= htmlspecialchars($row['loglevel']) ?></td>
+                                                <td><span class="text-muted"><?= date('d M Y H:i:s', strtotime($row['time'])) ?></span></td>
+                                                <td>
+                                                    <a href="<?= htmlspecialchars($app_root) ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=components&id=<?= htmlspecialchars($row['component ID'] ?? '') ?>">
+                                                        <?= htmlspecialchars($row['component ID'] ?? '') ?>
+                                                    </a>
+                                                </td>
+                                                <td><?= htmlspecialchars($row['event']) ?></td>
+                                                <td><?= htmlspecialchars($row['param']) ?></td>
+                                            </tr>
+<?php     } ?>
+                                        </tbody>
+                                    </table>
+                                </div>
+<?php include '../app/templates/pagination.php'; ?>
+<?php } else { ?>
+                                <div class="alert alert-danger m-0">
+                                    <i class="fas fa-info-circle me-2"></i>No component events found for the specified criteria.
+                                </div>
+<?php } ?>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                <!-- /jitsi components events -->

app/templates/conferences.php

@@ -0,0 +1,145 @@
+
+                <!-- jitsi conferences events -->
+                <div class="container-fluid mt-2">
+                    <div class="row mb-4">
+                        <div class="col-md-6 mb-5">
+                            <h2 class="mb-0">Jitsi conferences events</h2>
+                            <small>log events related to conferences in Jitsi Meet</small>
+                        </div>
+                        <div class="row mb-4">
+
+                            <!-- conference events filter -->
+                            <div class="card mb-3">
+                                <div class="card-body">
+                                    <form method="get" action="" class="row g-3 align-items-end">
+                                        <input type="hidden" name="page" value="conferences">
+                                        <div class="col-md-auto">
+                                            <label for="from_time" class="form-label">From date</label>
+                                            <input type="date" class="form-control" id="from_time" name="from_time" value="<?= htmlspecialchars($_REQUEST['from_time'] ?? '') ?>">
+                                        </div>
+                                        <div class="col-md-auto">
+                                            <label for="until_time" class="form-label">Until date</label>
+                                            <input type="date" class="form-control" id="until_time" name="until_time" value="<?= htmlspecialchars($_REQUEST['until_time'] ?? '') ?>">
+                                        </div>
+                                        <div class="col-md-2">
+                                            <label for="name" class="form-label">Conference ID</label>
+                                            <input type="text" class="form-control" id="id" name="name" value="<?= htmlspecialchars($_REQUEST['id'] ?? '') ?>" placeholder="Conference ID">
+                                        </div>
+                                        <div class="col-md-4">
+                                            <label for="name" class="form-label">Conference name</label>
+                                            <input type="text" class="form-control" id="name" name="name" value="<?= htmlspecialchars($_REQUEST['name'] ?? '') ?>" placeholder="Search in conference names">
+                                        </div>
+                                        <div class="col-md-auto align-middle">
+                                            <button type="submit" class="btn btn-primary me-2">
+                                                <i class="fas fa-search me-2"></i>Search
+                                            </button>
+                                            <a href="?page=conferences" class="btn btn-outline-secondary">
+                                                <i class="fas fa-times me-2"></i>Clear
+                                            </a>
+                                        </div>
+                                    </form>
+                                </div>
+                            </div>
+                            <!-- /conference events filter -->
+
+                            <!-- conference events -->
+<?php if ($time_range_specified || count($filterMessage)) { ?>
+                            <div class="alert alert-info m-0 mb-3 small">
+<?php   if ($time_range_specified) { ?>
+                                <p class="mb-0"><i class="fas fa-calendar-alt me-2"></i>Time period:
+                                    <strong>
+                                        <?= $from_time == '0000-01-01' ? 'beginning' : date('d M Y', strtotime($from_time)) ?> - <?= $until_time == '9999-12-31' ? 'now' : date('d M Y', strtotime($until_time)) ?>
+                                    </strong>
+                                </p>
+<?php   } ?>
+<?php   if (count($filterMessage)) {
+          foreach ($filterMessage as $message) { ?>
+                                <p class="mb-0"><i class="fas fa-users me-2"></i><?= $message ?></strong></p>
+<?php     } ?>
+<?php   } ?>
+                            </div>
+<?php } ?>
+
+                            <div class="mb-5">
+<?php if (!empty($conferences['records'])) { ?>
+                                <div class="table-responsive border">
+                                    <table class="table table-results table-hover">
+                                        <thead class="table-light">
+                                            <tr>
+<?php     foreach (array_keys($conferences['records'][0]) as $header) { ?>
+                                                <th scope="col" class="text-nowrap"><?= htmlspecialchars($header) ?></th>
+<?php     } ?>
+                                            </tr>
+                                        </thead>
+                                        <tbody>
+<?php     foreach ($conferences['records'] as $row) { ?>
+                                            <tr>
+<?php       foreach ($row as $key => $column) {
+                    if ($key === 'conference ID' && isset($conferenceId) && $conferenceId === $column) { ?>
+                                                <td class="text-nowrap">
+                                                    <strong <?= (strlen($column ?? '') > 20) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 20 ? substr($column, 0, 20) . '...' : $column ?? '') ?>
+                                                    </strong>
+                                                </td>
+<?php               } elseif ($key === 'conference ID') { ?>
+                                                <td class="text-nowrap">
+                                                    <a href="<?= htmlspecialchars($app_root) ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=conferences&id=<?= htmlspecialchars($column ?? '') ?>"
+                                                       <?= (strlen($column ?? '') > 16) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 16 ? substr($column, 0, 16) . '...' : $column ?? '') ?>
+                                                    </a>
+                                                </td>
+<?php               } elseif ($key === 'conference name' && isset($conferenceName) && $conferenceName === $column) { ?>
+                                                <td class="text-nowrap">
+                                                    <strong <?= (strlen($column ?? '') > 20) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 20 ? substr($column, 0, 20) . '...' : $column ?? '') ?>
+                                                    </strong>
+                                                </td>
+<?php               } elseif ($key === 'conference name') { ?>
+                                                <td class="text-nowrap">
+                                                    <a href="<?= htmlspecialchars($app_root) ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=conferences&name=<?= htmlspecialchars($column ?? '') ?>"
+                                                       <?= (strlen($column ?? '') > 16) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 16 ? substr($column, 0, 16) . '...' : $column ?? '') ?>
+                                                    </a>
+                                                </td>
+<?php               } elseif ($key === 'conference host') { ?>
+                                                <td class="text-nowrap">
+                                                    <span <?= (strlen($column ?? '') > 30) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 30 ? substr($column, 0, 30) . '...' : $column ?? '') ?>
+                                                    </span>
+                                                </td>
+<?php               } elseif ($key === 'participant ID') { ?>
+                                                <td class="text-nowrap">
+                                                    <a href="<?= htmlspecialchars($app_root) ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=participants&id=<?= htmlspecialchars($column ?? '') ?>"
+                                                       <?= (strlen($column ?? '') > 16) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 16 ? substr($column, 0, 16) . '...' : $column ?? '') ?>
+                                                    </a>
+                                                </td>
+<?php               } elseif ($key === 'component') { ?>
+                                                <td class="text-nowrap">
+                                                    <a href="<?= htmlspecialchars($app_root) ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=components&name=<?= htmlspecialchars($column ?? '') ?>"
+                                                       <?= (strlen($column ?? '') > 16) ? 'data-toggle="tooltip" title="' . htmlspecialchars($column) . '"' : '' ?>>
+                                                        <?= htmlspecialchars(strlen($column ?? '') > 16 ? substr($column, 0, 16) . '...' : $column ?? '') ?>
+                                                    </a>
+                                                </td>
+<?php               } elseif ($key === 'time' || $key === 'start' || $key === 'end') { ?>
+                                                <td class="text-nowrap"><?= !empty($column) ? date('d M Y H:i:s',strtotime($column)) : '<small class="text-muted">n/a</small>' ?></td>
+<?php               } else { ?>
+                                                <td><?= htmlspecialchars($column ?? '') ?></td>
+<?php               }
+            } ?>
+                                            </tr>
+<?php     } ?>
+                                        </tbody>
+                                    </table>
+                                </div>
+<?php include '../app/templates/pagination.php'; ?>
+<?php } else { ?>
+                                <div class="alert alert-danger m-0">
+                                    <i class="fas fa-info-circle me-2"></i>No conference events found for the specified criteria.
+                                </div>
+<?php } ?>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                <!-- /jitsi conferences events -->

app/templates/config-add-platform.php

@@ -1,50 +0,0 @@
-
-                <!-- widget "config" -->
-                <div class="card text-center w-50 mx-auto">
-                    <p class="h4 card-header">Add new Jitsi platform</p>
-                    <div class="card-body">
-                        <!--p class="card-text">add new platform:</p-->
-                        <form method="POST" action="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config">
-
-                            <div class="row mb-3">
-                                <div class="col-md-4 text-end">
-                                    <label for="name" class="form-label">name</label>
-                                    <span class="text-danger" style="margin-right: -12px;">*</span>
-                                </div>
-                                <div class="col-md-8">
-                                    <input class="form-control" type="text" name="name" value="" required />
-                                    <p class="text-start"><small>descriptive name for the platform</small></p>
-                                </div>
-                            </div>
-
-                            <div class="row mb-3">
-                                <div class="col-md-4 text-end">
-                                    <label for="jitsi_url" class="form-label">Jitsi URL</label>
-                                    <span class="text-danger" style="margin-right: -12px;">*</span>
-                                </div>
-                                <div class="col-md-8">
-                                    <input class="form-control" type="text" name="jitsi_url" value="https://" required />
-                                    <p class="text-start"><small>URL of the Jitsi Meet (used for checks and for loading config.js)</small></p>
-                                </div>
-                            </div>
-
-                            <div class="row mb-3">
-                                <div class="col-md-4 text-end">
-                                    <label for="jilo_database" class="form-label">jilo_database</label>
-                                    <span class="text-danger" style="margin-right: -12px;">*</span>
-                                </div>
-                                <div class="col-md-8">
-                                    <input class="form-control" type="text" name="jilo_database" value="" required />
-                                    <p class="text-start"><small>path to the database file (relative to the app root)</small></p>
-                                </div>
-                            </div>
-
-                            <input type="hidden" name="new" value="true" />
-
-                            <br />
-                            <a class="btn btn-secondary" href="<?= $app_root ?>?page=config" />Cancel</a>
-                            <input type="submit" class="btn btn-primary" value="Save" />
-                        </form>
-                    </div>
-                </div>
-                <!-- /widget "config" -->

app/templates/config-delete-platform.php

@@ -1,29 +0,0 @@
-
-                <!-- widget "config" -->
-                <div class="card text-center w-50 mx-auto">
-                    <p class="h4 card-header">Jilo web configuration for Jitsi platform "<?= htmlspecialchars($platform_id) ?>"</p>
-                    <div class="card-body">
-                        <p class="card-text">delete a platform:</p>
-                        <form method="POST" action="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config">
-<?php foreach ($config['platforms'][$platform_id] as $config_item => $config_value) { ?>
-                            <div class="row mb-3">
-                                <div class="col-md-4 text-end">
-                                    <label for="<?= htmlspecialchars($config_item) ?>" class="form-label"><?= htmlspecialchars($config_item) ?>:</label>
-                                </div>
-                                <div class="col-md-8">
-                                    <div class="text-start"><?= htmlspecialchars($config_value ?? '')?></div>
-                                    <input type="hidden" name="<?= htmlspecialchars($config_item) ?>" value="<?= htmlspecialchars($config_value ?? '')?>" />
-                                </div>
-                            </div>
-<?php } ?>
-                            <br />
-                            <input type="hidden" name="platform" value="<?= htmlspecialchars($platform_id) ?>" />
-                            <input type="hidden" name="delete" value="true" />
-                            <p class="h5 text-danger">Are you sure you want to delete this platform?</p>
-                            <br />
-                            <a class="btn btn-secondary" href="<?= $app_root ?>?page=config" />Cancel</a>
-                            <input type="submit" class="btn btn-danger" value="Delete" />
-                        </form>
-                    </div>
-                </div>
-                <!-- /widget "config" -->

app/templates/config-edit-platform.php

@@ -1,33 +0,0 @@
-
-                <!-- widget "config" -->
-                <div class="card text-center w-50 mx-auto">
-                    <p class="h4 card-header">Jilo web configuration for Jitsi platform "<?= htmlspecialchars($platform_id) ?>"</p>
-                    <div class="card-body">
-                        <p class="card-text">edit the platform details:</p>
-                        <form method="POST" action="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config">
-<?php foreach ($config['platforms'][$platform_id] as $config_item => $config_value) { ?>
-                            <div class="row mb-3">
-                                <div class="col-md-4 text-end">
-                                    <label for="<?= htmlspecialchars($config_item) ?>" class="form-label"><?= htmlspecialchars($config_item) ?></label>
-                                    <span class="text-danger" style="margin-right: -12px;">*</span>
-                                </div>
-                                <div class="col-md-8">
-                                    <input class="form-control" type="text" name="<?= htmlspecialchars($config_item) ?>" value="<?= htmlspecialchars($config_value ?? '')?>" required />
-<?php if ($config_item === 'name') { ?>
-                                    <p class="text-start"><small>descriptive name for the platform</small></p>
-<?php } elseif ($config_item === 'jitsi_url') { ?>
-                                    <p class="text-start"><small>URL of the Jitsi Meet (used for checks and for loading config.js)</small></p>
-<?php } elseif ($config_item === 'jilo_database') { ?>
-                                    <p class="text-start"><small>path to the database file (relative to the app root)</small></p>
-<?php } ?>
-                                </div>
-                            </div>
-<?php } ?>
-                            <br />
-                            <input type="hidden" name="platform" value="<?= htmlspecialchars($platform_id) ?>" />
-                            <a class="btn btn-secondary" href="<?= $app_root ?>?page=config" />Cancel</a>
-                            <input type="submit" class="btn btn-primary" value="Save" />
-                        </form>
-                    </div>
-                </div>
-                <!-- /widget "config" -->

app/templates/config-list-configjs.php

@@ -1,22 +0,0 @@
-
-                <!-- widget "config" -->
-                <div class="card text-center w-75 mx-lef">
-                    <p class="h4 card-header">Configuration of the Jitsi platform <strong><?= htmlspecialchars($platformDetails['name']) ?></strong></p>
-                    <div class="card-body">
-                        <p class="card-text">
-                            <span class="m-3">URL: <?= htmlspecialchars($platformDetails['jitsi_url']) ?></span>
-                            <span class="m-3">FILE: config.js</span>
-<?php if ($mode === 'raw') { ?>
-                            <span class="m-3"><a class="btn btn-light" href="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config&item=configjs">view only active lines</a></span>
-<?php } else { ?>
-                            <span class="m-3"><a class="btn btn-light" href="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config&item=configjs&mode=raw">view raw file contents</a></span>
-<?php } ?>
-                        </p>
-<pre style="text-align: left;">
-<?php
-echo htmlspecialchars($platformConfigjs);
-?>
-</pre>
-                    </div>
-                </div>
-                <!-- /widget "config" -->

app/templates/config-list-interfaceconfigjs.php

@@ -1,22 +0,0 @@
-
-                <!-- widget "config" -->
-                <div class="card text-center w-75 mx-lef">
-                    <p class="h4 card-header">Configuration of the Jitsi platform <strong><?= htmlspecialchars($platformDetails['name']) ?></strong></p>
-                    <div class="card-body">
-                        <p class="card-text">
-                            <span class="m-3">URL: <?= htmlspecialchars($platformDetails['jitsi_url']) ?></span>
-                            <span class="m-3">FILE: interface_config.js</span>
-<?php if ($mode === 'raw') { ?>
-                            <span class="m-3"><a class="btn btn-light" href="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config&item=interfaceconfigjs">view only active lines</a></span>
-<?php } else { ?>
-                            <span class="m-3"><a class="btn btn-light" href="<?= $app_root ?>?platform=<?= htmlspecialchars($platform_id) ?>&page=config&item=interfaceconfigjs&mode=raw">view raw file contents</a></span>
-<?php } ?>
-                        </p>
-<pre style="text-align: left;">
-<?php
-echo htmlspecialchars($platformInterfaceConfigjs);
-?>
-</pre>
-                    </div>
-                </div>
-                <!-- /widget "config" -->

app/templates/config-list.php

@@ -1,14 +0,0 @@
-
-                <!-- widget "config" -->
-                <div class="card text-center w-75 mx-lef">
-                    <p class="h4 card-header">Jilo web configuration</p>
-                    <div class="card-body">
-                        <p class="card-text">platform variables</p>
-<?php
-include '../app/helpers/render.php';
-renderConfig($config, '0');
-echo "\n";
-?>
-                    </div>
-                </div>
-                <!-- /widget "config" -->

app/templates/config.php

@@ -0,0 +1,198 @@
+
+<!-- config file -->
+<div class="container-fluid mt-2">
+    <div class="row mb-4">
+        <div class="col-12 mb-4">
+            <h2>Configuration</h2>
+            <small><?= htmlspecialchars($config['site_name']) ?> configuration file: <em><?= htmlspecialchars($localConfigPath) ?></em></small>
+<?php if ($configMessage) { ?>
+            <?= $configMessage ?>
+<?php } ?>
+        </div>
+    </div>
+
+    <div class="card shadow-sm">
+        <div class="card-header bg-light d-flex justify-content-between align-items-center py-3">
+            <h5 class="card-title mb-0">
+                <i class="fas fa-wrench me-2 text-secondary"></i>
+                <?= htmlspecialchars($config['site_name']) ?> app configuration
+            </h5>
+<?php if ($userObject->hasRight($userId, 'superuser') ||
+          $userObject->hasRight($userId, 'edit config file')) { ?>
+            <div>
+                <button type="button" class="btn btn-outline-primary btn-sm toggle-edit" <?= !$isWritable ? 'disabled' : '' ?>>
+                    <i class="fas fa-edit me-2"></i>Edit
+                </button>
+                <div class="edit-controls d-none">
+                    <button type="button" class="btn btn-danger btn-sm save-config">
+                        <i class="fas fa-save me-2"></i>Save
+                    </button>
+                    <button type="button" class="btn btn-outline-secondary btn-sm ms-2 cancel-edit">
+                        Cancel
+                    </button>
+                </div>
+            </div>
+<?php } ?>
+        </div>
+
+        <div class="card-body p-4">
+            <form id="configForm">
+<?php
+include CSRF_TOKEN_INCLUDE;
+
+function renderConfigItem($key, $value, $path = '') {
+    $fullPath = $path ? $path . '[' . $key . ']' : $key;
+    // Only capitalize first letter, not every word
+    $displayName = ucfirst(str_replace('_', ' ', $key));
+
+    if (is_array($value)) {
+        echo "\t\t\t\t\t\t\t\t<div class=\"config-section mb-4\">";
+        echo "\n\t\t\t\t\t\t\t\t\t<h6 class=\"border-bottom pb-2 mb-3\">" . htmlspecialchars($displayName) . '</h6>';
+        echo "\n\t\t\t\t\t\t\t\t\t<div class=\"ps-4\">\n";
+        foreach ($value as $subKey => $subValue) {
+            renderConfigItem($subKey, $subValue, $fullPath);
+        }
+        echo "\t\t\t\t\t\t\t\t\t</div>\n";
+        echo "\t\t\t\t\t\t\t\t</div>\n";
+    } else {
+?>
+                <div class="config-item row mb-3 align-items-center">
+                    <div class="col-md-4 text-end">
+                        <label class="form-label mb-0"><?= htmlspecialchars($displayName) ?></label>
+                    </div>
+                    <div class="col-md-8">
+                        <div class="view-mode">
+<?php if (is_bool($value) || $key === 'registration_enabled') { ?>
+                            <span class="badge <?= $value ? 'bg-success' : 'bg-secondary' ?>"><?= $value ? 'Enabled' : 'Disabled' ?></span>
+<?php } elseif ($key === 'environment') { ?>
+                            <span class="badge <?= $value === 'production' ? 'bg-danger' : 'bg-info' ?>"><?= htmlspecialchars($value) ?></span>
+<?php } else {
+        if (empty($value) && $value !== '0') { ?>
+                            <span class="text-muted fst-italic">blank</span>
+<?php   } else { ?>
+                            <span class="text-body"><?= htmlspecialchars($value) ?></span>
+<?php   } ?>
+<?php } ?>
+                        </div>
+                        <div class="edit-mode d-none">
+<?php if (is_bool($value) || $key === 'registration_enabled') { ?>
+                            <div class="form-check form-switch">
+                                <input class="form-check-input" type="checkbox" name="<?= htmlspecialchars($fullPath) ?>" <?= $value ? 'checked' : '' ?>>
+                            </div>
+<?php } elseif ($key === 'environment') { ?>
+                            <select class="form-select form-select-sm" name="<?= htmlspecialchars($fullPath) ?>">
+                                <option value="development" <?= $value === 'development' ? 'selected' : '' ?>>development</option>
+                                <option value="production" <?= $value === 'production' ? 'selected' : '' ?>>production</option>
+                            </select>
+<?php } else { ?>
+                            <input type="text" class="form-control form-control-sm" name="<?= htmlspecialchars($fullPath) ?>" value="<?= htmlspecialchars($value) ?>">
+<?php } ?>
+                        </div>
+                    </div>
+                </div>
+<?php
+    }
+}
+
+    foreach ($config as $key => $value) {
+        renderConfigItem($key, $value);
+    } ?>
+            </form>
+        </div>
+    </div>
+</div>
+</div>
+
+<script>
+$(function() {
+    // Toggle edit mode
+    $('.toggle-edit').click(function() {
+        $(this).hide();
+        $('.edit-controls').removeClass('d-none');
+        $('.view-mode').hide();
+        $('.edit-mode').removeClass('d-none');
+    });
+
+    // Cancel edit
+    $('.cancel-edit').click(function() {
+        $('.toggle-edit').show();
+        $('.edit-controls').addClass('d-none');
+        $('.view-mode').show();
+        $('.edit-mode').addClass('d-none');
+    });
+
+    // Save config
+    $('.save-config').click(function() {
+        const $btn = $(this).prop('disabled', true).html('<i class="fas fa-spinner fa-spin me-2"></i>Saving...');
+
+        // Build form data object
+        const data = {};
+
+        // Handle text inputs
+        $('#configForm input[type="text"]').each(function() {
+            data[$(this).attr('name')] = $(this).val();
+        });
+
+        // Handle checkboxes
+        $('#configForm input[type="checkbox"]').each(function() {
+            data[$(this).attr('name')] = $(this).prop('checked') ? '1' : '0';
+        });
+
+        // Handle selects
+        $('#configForm select').each(function() {
+            data[$(this).attr('name')] = $(this).val();
+        });
+
+        $.ajax({
+            url: '<?= htmlspecialchars($app_root) ?>?page=config',
+            method: 'POST',
+            data: JSON.stringify(data),
+            contentType: 'application/json',
+            headers: {
+                'X-Requested-With': 'XMLHttpRequest',
+                'X-CSRF-Token': $('input[name="csrf_token"]').val()
+            },
+            success: function(response) {
+                if (response.success) {
+                    JsMessages.success(response.message || 'Config file updated successfully');
+
+                    $('#configForm input[type="text"], #configForm input[type="checkbox"], #configForm select').each(function() {
+                        const $input = $(this);
+                        const $item = $input.closest('.config-item');
+                        const $viewMode = $item.find('.view-mode');
+
+                        if ($item.length) {
+                            let value;
+                            if ($input.is('[type="checkbox"]')) {
+                                value = $input.prop('checked') ? '1' : '0';
+                                const isEnabled = value === '1';
+                                $viewMode.html(`<span class="badge ${isEnabled ? 'bg-success' : 'bg-secondary'}">${isEnabled ? 'Enabled' : 'Disabled'}</span>`);
+                            } else if ($input.is('select')) {
+                                value = $input.val();
+                                $viewMode.html(`<span class="badge ${value === 'production' ? 'bg-danger' : 'bg-info'}">${value}</span>`);
+                            } else {
+                                value = $input.val();
+                                $viewMode.html(value === '' ? '<span class="text-muted fst-italic">blank</span>' : `<span class="text-body">${value}</span>`);
+                            }
+                        }
+                    });
+                    // Finally, exit edit mode
+                    $('.toggle-edit').show();
+                    $('.edit-controls').addClass('d-none');
+                    $('.view-mode').show();
+                    $('.edit-mode').addClass('d-none');
+                } else {
+                    JsMessages.error(response.error || 'Error saving config');
+                }
+            },
+            error: function(xhr, status, error) {
+                JsMessages.error('Error saving config: ' + error);
+            },
+            complete: function() {
+                $btn.prop('disabled', false).html('<i class="fas fa-save me-2"></i>Save');
+            }
+        });
+    });
+});
+</script>
+<!-- /config file -->

app/templates/credentials-2fa-setup.php

@@ -0,0 +1,108 @@
+<?php
+/**
+ * Two-factor authentication setup template
+ */
+?>
+
+<div class="container mt-4">
+    <div class="row justify-content-center">
+        <div class="col-md-8">
+            <div class="card">
+                <div class="card-header">
+                    <h3>Set up two-factor authentication</h3>
+                </div>
+                <div class="card-body">
+                    <div class="alert alert-info">
+                        <p>Two-factor authentication adds an extra layer of security to your account. Once enabled, you'll need to enter both your password and a code from your authenticator app when signing in.</p>
+                    </div>
+
+                    <?php if (isset($error)): ?>
+                        <div class="alert alert-danger">
+                            <?php echo htmlspecialchars($error); ?>
+                        </div>
+                    <?php endif; ?>
+
+                    <?php if (isset($setupData) && is_array($setupData)): ?>
+                        <div class="setup-steps">
+                            <h4>1. Install an authenticator app</h4>
+                            <p>If you haven't already, install an authenticator app on your mobile device:</p>
+                            <ul>
+                                <li>Google Authenticator</li>
+                                <li>Microsoft Authenticator</li>
+                                <li>Authy</li>
+                            </ul>
+
+                            <h4 class="mt-4">2. Scan the QR code</h4>
+                            <p>Open your authenticator app and scan this QR code:</p>
+
+                            <div class="text-center my-4">
+                                <div id="qrcode"></div>
+                                <div class="mt-2">
+                                    <small class="text-muted">Can't scan? Use this code instead:</small><br>
+                                    <code class="secret-key"><?php echo htmlspecialchars($setupData['secret']); ?></code>
+                                </div>
+                            </div>
+
+                            <h4 class="mt-4">3. Verify setup</h4>
+                            <p>Enter the 6-digit code from your authenticator app to verify the setup:</p>
+
+                            <form method="post" action="?page=credentials&item=2fa&action=setup" class="mt-3">
+                                <div class="form-group">
+                                    <input type="text" 
+                                           name="code" 
+                                           class="form-control" 
+                                           pattern="[0-9]{6}" 
+                                           maxlength="6"
+                                           required
+                                           placeholder="Enter 6-digit code">
+                                </div>
+
+                                <input type="hidden" name="secret" value="<?php echo htmlspecialchars($setupData['secret']); ?>">
+                                <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
+
+                                <button type="submit" class="btn btn-primary mt-3">
+                                    Verify and enable 2FA
+                                </button>
+                            </form>
+
+                            <div class="mt-4">
+                                <h4>Backup codes</h4>
+                                <p class="text-warning">
+                                    <strong>Important:</strong> Save these backup codes in a secure place. 
+                                    If you lose access to your authenticator app, you can use these codes to sign in.
+                                    Each code can only be used once.
+                                </p>
+                                <div class="backup-codes bg-light p-3 rounded">
+                                    <?php foreach ($setupData['backupCodes'] as $code): ?>
+                                        <code class="d-block"><?php echo htmlspecialchars($code); ?></code>
+                                    <?php endforeach; ?>
+                                </div>
+                                <button class="btn btn-secondary mt-2" onclick="window.print()">
+                                    Print backup codes
+                                </button>
+                            </div>
+                        </div>
+                    <?php else: ?>
+                        <div class="alert alert-danger">
+                            Failed to generate 2FA setup data. Please try again.
+                        </div>
+                        <a href="?page=credentials" class="btn btn-primary">Back to credentials</a>
+                    <?php endif; ?>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+<?php if (isset($setupData) && is_array($setupData)): ?>
+<script src="https://cdn.jsdelivr.net/npm/qrcodejs@1.0.0/qrcode.min.js"></script>
+<script>
+document.addEventListener('DOMContentLoaded', function() {
+    new QRCode(document.getElementById("qrcode"), {
+        text: <?php echo json_encode($setupData['otpauthUrl']); ?>,
+        width: 200,
+        height: 200
+    });
+});
+</script>
+<?php endif; ?>

app/templates/credentials-2fa-verify.php

@@ -0,0 +1,86 @@
+<?php
+/**
+ * Two-factor authentication verification template
+ */
+?>
+
+<div class="container mt-4">
+    <div class="row justify-content-center">
+        <div class="col-md-6">
+            <div class="card">
+                <div class="card-header">
+                    <h3>Two-factor authentication</h3>
+                </div>
+                <div class="card-body">
+                    <?php if (isset($error)): ?>
+                        <div class="alert alert-danger">
+                            <?php echo htmlspecialchars($error); ?>
+                        </div>
+                    <?php endif; ?>
+
+                    <p>Enter the 6-digit code from your authenticator app:</p>
+
+                    <form method="post" action="?page=login&action=verify" class="mt-3">
+                        <div class="form-group">
+                            <input type="text" 
+                                   name="code" 
+                                   class="form-control form-control-lg text-center" 
+                                   pattern="[0-9]{6}" 
+                                   maxlength="6"
+                                   inputmode="numeric"
+                                   autocomplete="one-time-code"
+                                   required
+                                   autofocus
+                                   placeholder="000000">
+                        </div>
+
+                        <input type="hidden" name="user_id" value="<?php echo htmlspecialchars($userId); ?>">
+
+                        <button type="submit" class="btn btn-primary btn-block mt-4">
+                            Verify code
+                        </button>
+                    </form>
+
+                    <div class="mt-4">
+                        <p class="text-muted text-center">
+                            Lost access to your authenticator app?<br>
+                            <a href="#" data-toggle="collapse" data-target="#backupCodeForm">
+                                Use a backup code
+                            </a>
+                        </p>
+
+                        <div class="collapse mt-3" id="backupCodeForm">
+                            <form method="post" action="?page=login&action=verify" class="mt-3">
+                                <div class="form-group">
+                                    <label>Enter backup code:</label>
+                                    <input type="text" 
+                                           name="backup_code" 
+                                           class="form-control"
+                                           pattern="[a-f0-9]{8}"
+                                           maxlength="8"
+                                           required
+                                           placeholder="Enter backup code">
+                                </div>
+
+                                <input type="hidden" name="user_id" value="<?php echo htmlspecialchars($userId); ?>">
+
+                                <button type="submit" class="btn btn-secondary btn-block">
+                                    Use backup code
+                                </button>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+<script>
+// Auto-submit when 6 digits are entered
+document.querySelector('input[name="code"]').addEventListener('input', function(e) {
+    if (e.target.value.length === 6 && e.target.checkValidity()) {
+        e.target.form.submit();
+    }
+});
+</script>

app/templates/credentials-manage.php

@@ -0,0 +1,100 @@
+<?php
+/**
+ * Combined credentials management template
+ * Handles both password changes and 2FA management
+ */
+?>
+
+<div class="container mt-4">
+    <div class="row justify-content-center">
+        <div class="col-md-8">
+            <!-- Password Management -->
+            <div class="card mb-4">
+                <div class="card-header">
+                    <h3>change password</h3>
+                </div>
+                <div class="card-body">
+                    <form method="post" action="?page=credentials&item=password">
+                        <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
+
+                        <div class="form-group">
+                            <label for="current_password">current password</label>
+                            <input type="password" 
+                                   class="form-control" 
+                                   id="current_password" 
+                                   name="current_password" 
+                                   required>
+                        </div>
+
+                        <div class="form-group mt-3">
+                            <label for="new_password">new password</label>
+                            <input type="password" 
+                                   class="form-control" 
+                                   id="new_password" 
+                                   name="new_password"
+                                   pattern=".{8,}"
+                                   title="Password must be at least 8 characters long"
+                                   required>
+                            <small class="form-text text-muted">minimum 8 characters</small>
+                        </div>
+
+                        <div class="form-group mt-3">
+                            <label for="confirm_password">confirm new password</label>
+                            <input type="password" 
+                                   class="form-control" 
+                                   id="confirm_password" 
+                                   name="confirm_password"
+                                   pattern=".{8,}"
+                                   required>
+                        </div>
+
+                        <div class="mt-4">
+                            <button type="submit" class="btn btn-primary">change password</button>
+                        </div>
+                    </form>
+                </div>
+            </div>
+
+            <!-- 2FA Management -->
+            <div class="card">
+                <div class="card-header">
+                    <h3>two-factor authentication</h3>
+                </div>
+                <div class="card-body">
+                    <p class="mb-4">Two-factor authentication adds an extra layer of security to your account. Once enabled, you'll need to enter both your password and a code from your authenticator app when signing in.</p>
+
+                    <?php if ($has2fa): ?>
+                        <div class="alert alert-success">
+                            <i class="fas fa-check-circle"></i> two-factor authentication is enabled
+                        </div>
+                        <form method="post" action="?page=credentials&item=2fa&action=disable">
+                            <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
+                            <button type="submit" class="btn btn-danger" onclick="return confirm('Are you sure you want to disable two-factor authentication? This will make your account less secure.')">
+                                disable two-factor authentication
+                            </button>
+                        </form>
+                    <?php else: ?>
+                        <div class="alert alert-warning">
+                            <i class="fas fa-exclamation-triangle"></i> two-factor authentication is not enabled
+                        </div>
+                        <form method="post" action="?page=credentials&item=2fa&action=setup">
+                            <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
+                            <button type="submit" class="btn btn-primary">
+                                set up two-factor authentication
+                            </button>
+                        </form>
+                    <?php endif; ?>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+<script>
+document.getElementById('confirm_password').addEventListener('input', function() {
+    if (this.value !== document.getElementById('new_password').value) {
+        this.setCustomValidity('Passwords do not match');
+    } else {
+        this.setCustomValidity('');
+    }
+});</script>

app/templates/credentials.php

@@ -0,0 +1,51 @@
+
+                <!-- Two-Factor Authentication -->
+                <div class="card mt-4">
+                    <div class="card-header">
+                        <h3>Two-factor authentication</h3>
+                    </div>
+                    <div class="card-body">
+                        <?php if ($has2fa): ?>
+                            <div class="d-flex align-items-center">
+                                <div class="flex-grow-1">
+                                    <p class="mb-0">
+                                        <i class="fas fa-shield-alt text-success"></i>
+                                        Two-factor authentication is enabled
+                                    </p>
+                                    <small class="text-muted">
+                                        Your account is protected with an authenticator app
+                                    </small>
+                                </div>
+                                <form method="post" class="ml-3">
+                                    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
+                                    <input type="hidden" name="item" value="2fa">
+                                    <input type="hidden" name="action" value="disable">
+                                    <button type="submit" class="btn btn-outline-danger" 
+                                            onclick="return confirm('Are you sure you want to disable two-factor authentication? This will make your account less secure.')">
+                                        Disable 2FA
+                                    </button>
+                                </form>
+                            </div>
+                        <?php else: ?>
+                            <div class="d-flex align-items-center">
+                                <div class="flex-grow-1">
+                                    <p class="mb-0">
+                                        <i class="fas fa-shield-alt text-muted"></i>
+                                        Two-factor authentication is not enabled
+                                    </p>
+                                    <small class="text-muted">
+                                        Add an extra layer of security to your account by requiring both your password and an authentication code
+                                    </small>
+                                </div>
+                                <form method="post" class="ml-3">
+                                    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
+                                    <input type="hidden" name="item" value="2fa">
+                                    <input type="hidden" name="action" value="enable">
+                                    <button type="submit" class="btn btn-primary">
+                                        Enable 2FA
+                                    </button>
+                                </form>
+                            </div>
+                        <?php endif; ?>
+                    </div>
+                </div>

app/templates/error-notfound.php

@@ -0,0 +1,8 @@
+
+<div class="text-center">
+    <div class="mt-3 h5">The page is not found.</div>
+    <div>
+        <small>go to <a href="<?= htmlspecialchars($app_root) ?>">front page</a> or to <a href="<?= htmlspecialchars($app_root) ?>?page=profile">your profile</a></small>
+    </div>
+</div>
+

app/templates/error-unauthorized.php

@@ -0,0 +1,8 @@
+
+<div class="text-center">
+    <div class="mt-3 h5">You have no access to this page.</div>
+    <div>
+        <small>go to <a href="<?= htmlspecialchars($app_root) ?>">front page</a> or to <a href="<?= htmlspecialchars($app_root) ?>?page=profile">your profile</a></small>
+    </div>
+</div>
+

app/templates/form-login.php

@@ -2,19 +2,33 @@
         <div class="card text-center w-50 mx-auto">
             <h2 class="card-header">Login</h2>
             <div class="card-body">
-                <p class="card-text"><strong>Welcome to JILO!</strong><br />Please enter login credentials:</p>
-                <form method="POST" action="<?= $app_root ?>?page=login">
-                    <input type="text" name="username" placeholder="Username" required />
-                    <br />
-                    <input type="password" name="password" placeholder="Password" required />
-                    <br />
+                <p class="card-text"><strong>Welcome to <?= htmlspecialchars($config['site_name']); ?>!</strong><br />Please enter login credentials:</p>
+                <form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=login">
+<?php include CSRF_TOKEN_INCLUDE; ?>
+                    <div class="form-group mb-3">
+                        <input type="text" class="form-control w-50 mx-auto" name="username" placeholder="Username" 
+                            pattern="[A-Za-z0-9_\-]{3,20}" title="3-20 characters, letters, numbers, - and _"
+                            required />
+                    </div>
+                    <div class="form-group mb-3">
+                        <input type="password" class="form-control w-50 mx-auto" name="password" placeholder="Password" 
+                            pattern=".{8,}" title="Eight or more characters"
+                            required />
+                    </div>
+                    <div class="form-group mb-3">
                         <label for="remember_me">
                             <input type="checkbox" id="remember_me" name="remember_me" />
                             remember me
                         </label>
-                    <br />&nbsp;<br />
+                    </div>
+<?php if (isset($_GET['redirect'])): ?>
+                    <input type="hidden" name="redirect" value="<?php echo htmlspecialchars($_GET['redirect']); ?>">
+<?php endif; ?>
                     <input type="submit" class="btn btn-primary" value="Login" />
                 </form>
+                <div class="mt-3">
+                    <a href="?page=login&action=forgot">forgot password?</a>
+                </div>
             </div>
         </div>
         <!-- /login form -->

app/templates/form-password-forgot.php

@@ -0,0 +1,32 @@
+
+        <div class="container">
+            <div class="row justify-content-center">
+                <div class="col-md-6">
+                    <div class="card mt-5">
+                        <div class="card-body">
+                            <h3 class="card-title mb-4">Reset password</h3>
+                            <p>Enter your email address and we will send you<br />
+                                instructions to reset your password.</p>
+                            <form method="post" action="?page=login&action=forgot">
+<?php include CSRF_TOKEN_INCLUDE; ?>
+                                <div class="form-group">
+                                    <label for="email">email address:</label>
+                                    <input type="email"
+                                           class="form-control"
+                                           id="email"
+                                           name="email"
+                                           required
+                                           autocomplete="email">
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block mt-4">
+                                    Send reset instructions
+                                </button>
+                            </form>
+                            <div class="mt-3 text-center">
+                                <a href="?page=login">back to login</a>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>

app/templates/form-password-reset.php

@@ -0,0 +1,38 @@
+
+        <div class="container">
+            <div class="row justify-content-center">
+                <div class="col-md-6">
+                    <div class="card mt-5">
+                        <div class="card-body">
+                            <h3 class="card-title mb-4">Set new password</h3>
+                            <form method="post" action="?page=login&action=reset&token=<?= htmlspecialchars(urlencode($token)) ?>">
+<?php include CSRF_TOKEN_INCLUDE; ?>
+                                <div class="form-group">
+                                    <label for="new_password">new password:</label>
+                                    <input type="password"
+                                        class="form-control"
+                                        id="new_password"
+                                        name="new_password"
+                                        required
+                                        minlength="8"
+                                        autocomplete="new-password">
+                                </div>
+                                <div class="form-group mt-3">
+                                    <label for="confirm_password">confirm password:</label>
+                                    <input type="password"
+                                        class="form-control"
+                                        id="confirm_password"
+                                        name="confirm_password"
+                                        required 
+                                        minlength="8"
+                                        autocomplete="new-password">
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block mt-4">
+                                    Set new password
+                                </button>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>

app/templates/form-register.php

@@ -1,15 +0,0 @@
-        <!-- registration form -->
-        <div class="card text-center w-50 mx-auto">
-            <h2 class="card-header">Register</h2>
-            <div class="card-body">
-                <p class="card-text">Enter credentials for registration:</p>
-                <form method="POST" action="<?php= $app_root ?>?page=register">
-                    <input type="text" name="username" placeholder="Username" required />
-                    <br />
-                    <input type="password" name="password" placeholder="Password" required />
-                    <br />&nbsp;<br />
-                    <input type="submit" class="btn btn-primary" value="Register" />
-                </form>
-            </div>
-        </div>
-        <!-- /registration form -->

app/templates/graphs.php

@@ -0,0 +1,144 @@
+
+                <!-- jitsi graphs -->
+                <div class="container-fluid mt-2">
+                    <div class="row mb-4">
+                        <div class="col-12 mb-4">
+                            <h2 class="mb-0">Jitsi graphs</h2>
+                            <small>usage graphs for platform <strong><?= htmlspecialchars($platformDetails[0]['name']) ?></strong></small>
+                        </div>
+                    </div>
+
+                    <div class="row">
+                        <div class="card w-auto bg-light border-light card-body filter-results">
+                            <div class="btn-group" role="group">
+                                <input type="button" class="button" style="margin-right: 3px;" onclick="setTimeRange('today'); setActive(this)" value="today" />
+                                <input type="button" class="button" style="margin-right: 3px;" onclick="setTimeRange('last2days'); setActive(this)" value="last 2 days" />
+                                <input type="button" class="button active" style="margin-right: 3px;" onclick="setTimeRange('last7days'); setActive(this)" value="last 7 days" />
+                                <input type="button" class="button" style="margin-right: 3px;" onclick="setTimeRange('thisMonth'); setActive(this)" value="month" />
+                                <input type="button" class="button" style="margin-right: 18px;" onclick="setTimeRange('thisYear'); setActive(this)" value="year" />
+                                <input type="date" style="margin-right: 3px;" id="start-date">
+                                <input type="date" style="margin-right: 3px;" id="end-date">
+                                <input type="button" id="custom_range" class="button" onclick="setCustomTimeRange(); setActive(this)" value="custom range" />
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+<script>
+// Define an array to store all graph instances
+var graphs = [];
+</script>
+
+<?php foreach ($graph as $data) {
+    include '../app/helpers/graph.php';
+} ?>
+
+<script>
+// Function to update the label and propagate zoom across charts
+function propagateZoom(chart) {
+    var startDate = chart.scales.x.min;
+    var endDate = chart.scales.x.max;
+
+    // Update the datetime input fields
+    document.getElementById('start-date').value = new Date(startDate).toISOString().slice(0, 10);
+    document.getElementById('end-date').value = new Date(endDate).toISOString().slice(0, 10);
+
+    // Update all charts with the new date range
+    graphs.forEach(function(graphObj) {
+        if (graphObj.graph !== chart) {
+            graphObj.graph.options.scales.x.min = startDate;
+            graphObj.graph.options.scales.x.max = endDate;
+            graphObj.graph.update(); // Redraw chart with new range
+        }
+        updatePeriodLabel(graphObj.graph, graphObj.label); // Update period label
+    });
+}
+
+// Predefined time range buttons
+function setTimeRange(range) {
+    var startDate, endDate;
+    var now = new Date();
+
+    switch (range) {
+        case 'today':
+            startDate = new Date(now.setHours(0, 0, 0, 0));
+            endDate = new Date(now.setHours(23, 59, 59, 999));
+            timeRangeName = 'today';
+            break;
+        case 'last2days':
+            startDate = new Date(now.setDate(now.getDate() - 2));
+            endDate = new Date();
+            timeRangeName = 'last 2 days';
+            break;
+        case 'last7days':
+            startDate = new Date(now.setDate(now.getDate() - 7));
+            endDate = new Date();
+            timeRangeName = 'last 7 days';
+            break;
+        case 'thisMonth':
+            startDate = new Date(now.getFullYear(), now.getMonth(), 1);
+            endDate = new Date();
+            timeRangeName = 'this month so far';
+            break;
+        case 'thisYear':
+            startDate = new Date(now.getFullYear(), 0, 1);
+            endDate = new Date();
+            timeRangeName = 'this year so far';
+            break;
+        default:
+            return;
+    }
+
+    // We set the date input fields to match the selected period
+    document.getElementById('start-date').value = startDate.toISOString().slice(0, 10);
+    document.getElementById('end-date').value = endDate.toISOString().slice(0, 10);
+
+    // Loop through all graphs and update their time range and label
+    graphs.forEach(function(graphObj) {
+        graphObj.graph.options.scales.x.min = startDate;
+        graphObj.graph.options.scales.x.max = endDate;
+        graphObj.graph.update();
+        updatePeriodLabel(graphObj.graph, graphObj.label); // Update the period label
+    });
+}
+
+// Custom date range
+function setCustomTimeRange() {
+    var startDate = document.getElementById('start-date').value;
+    var endDate = document.getElementById('end-date').value;
+
+    if (!startDate || !endDate) return;
+
+    // Convert the input dates to JavaScript Date objects
+    startDate = new Date(startDate);
+    endDate = new Date(endDate);
+    timeRangeName = 'custom range';
+
+    // Loop through all graphs and update the custom time range
+    graphs.forEach(function(graphObj) {
+        graphObj.graph.options.scales.x.min = startDate;
+        graphObj.graph.options.scales.x.max = endDate;
+        graphObj.graph.update();
+        updatePeriodLabel(graphObj.graph, graphObj.label); // Update the period label
+    });
+}
+
+// Set the clicked button state to active
+function setActive(element) {
+    // Remove 'active' class from all buttons
+    var buttons = document.querySelectorAll('.button');
+    buttons.forEach(function(btn) {
+        btn.classList.remove('active');
+    });
+
+    // Add 'active' class only to the clicked button
+    element.classList.add('active');
+}
+
+// Call setTimeRange('last7days') on page load to pre-load last 7 days by default
+window.onload = function() {
+    setTimeRange('last7days');
+};
+</script>
+
+                <!-- /jitsi graphs -->

app/templates/help.php

@@ -0,0 +1,128 @@
+
+                <!-- help -->
+                <div class="container-fluid mt-2">
+                    <div class="row mb-4">
+                        <div class="col-12 mb-4">
+                            <h2 class="mb-0">Help</h2>
+                            <small>about this program</small>
+                        </div>
+                    </div>
+
+                    <div class="card shadow-sm">
+                        <div class="card-body p-4">
+                            <!-- Introduction -->
+                            <div class="mb-5">
+                                <p class="lead">
+                                    <a href="https://lindeas.com/jilo" class="text-decoration-none">Jilo</a> is a software tools suite developed by 
+                                    <a href="https://lindeas.com" class="text-decoration-none">Lindeas Ltd.</a> designed to help in maintaining a Jitsi Meet platform.
+                                </p>
+                                <p>It consists of several parts meant to run together, although some of them can be used separately.</p>
+                            </div>
+
+                            <!-- Components -->
+                            <div class="row g-4">
+                                <!-- Jilo CLI -->
+                                <div class="col-12">
+                                    <div class="card border bg-light">
+                                        <div class="card-header bg-light d-flex align-items-center">
+                                            <i class="fas fa-terminal me-2 text-secondary"></i>
+                                            <h5 class="card-title mb-0">JILO</h5>
+                                        </div>
+                                        <div class="card-body">
+                                            <p class="card-text">
+                                                This is the command-line tool for extracting information about important events from the Jitsi Meet log files, 
+                                                storing them in a database and searching through that database.
+                                            </p>
+                                            <p class="card-text">
+                                                Jilo is written in Bash and has very minimal external dependencies. That means that you can run it on almost 
+                                                any Linux system with jitsi log files.
+                                            </p>
+                                            <div class="mt-3">
+                                                <p class="mb-2">It can either:</p>
+                                                <ul class="list-unstyled ps-4">
+                                                    <li><i class="fas fa-check text-success me-2"></i>Show the data directly in the terminal</li>
+                                                    <li><i class="fas fa-check text-success me-2"></i>Provide it to an instance of "Jilo Web" for displaying statistics</li>
+                                                    <li><i class="fas fa-check text-success me-2"></i>Send the data output to a "Jilo Agent"</li>
+                                                </ul>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- Jilo Agent -->
+                                <div class="col-12">
+                                    <div class="card border bg-light">
+                                        <div class="card-header bg-light d-flex align-items-center">
+                                            <i class="fas fa-robot me-2 text-secondary"></i>
+                                            <h5 class="card-title mb-0">Jilo Agent</h5>
+                                        </div>
+                                        <div class="card-body">
+                                            <p class="card-text">
+                                                The Jilo Agent is a small program, written in Go. It runs on remote servers in the Jitsi Meet platform, 
+                                                and provides info about the operation of the different components of the platform.
+                                            </p>
+                                            <div class="mt-3">
+                                                <h6 class="fw-bold mb-2">Key Features:</h6>
+                                                <ul class="list-unstyled ps-4">
+                                                    <li><i class="fas fa-shield-alt text-primary me-2"></i>Secured with JWT tokens authentication</li>
+                                                    <li><i class="fas fa-lock text-primary me-2"></i>HTTPS support</li>
+                                                    <li><i class="fas fa-network-wired text-primary me-2"></i>Single port for all services</li>
+                                                    <li><i class="fas fa-box text-primary me-2"></i>No external dependencies</li>
+                                                </ul>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- Jilo Web -->
+                                <div class="col-12">
+                                    <div class="card border bg-light">
+                                        <div class="card-header bg-light d-flex align-items-center">
+                                            <i class="fas fa-globe me-2 text-secondary"></i>
+                                            <h5 class="card-title mb-0">Jilo Web</h5>
+                                        </div>
+                                        <div class="card-body">
+                                            <p class="card-text">
+                                                Jilo Web is the web app that combines all the information received from Jilo and Jilo Agents and shows 
+                                                statistics and graphs of the usage, the events and the issues.
+                                            </p>
+                                            <p class="card-text">
+                                                It is a multi-user web tool with user levels and access rights integrated into it, making it suitable 
+                                                for the different levels in an enterprise.
+                                            </p>
+                                            <div class="alert alert-info mt-3 mb-0">
+                                                <i class="fas fa-info-circle me-2"></i>
+                                                The current website you are looking at is running a Jilo Web instance.
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- Jilo Server -->
+                                <div class="col-12">
+                                    <div class="card border bg-light">
+                                        <div class="card-header bg-light d-flex align-items-center">
+                                            <i class="fas fa-server me-2 text-secondary"></i>
+                                            <h5 class="card-title mb-0">Jilo Server</h5>
+                                        </div>
+                                        <div class="card-body">
+                                            <p class="card-text">
+                                                Jilo Server is a server component written in Go, meant to work alongside Jilo Web. It is responsible for 
+                                                all automated tasks - health checks, periodic retrieval of data from the remote Jilo Agents, etc.
+                                            </p>
+                                            <p class="card-text">
+                                                It generally works on the same machine as the web interface Jilo Web and shares its database, although 
+                                                if needed it could be deployed on a separate machine.
+                                            </p>
+                                            <div class="alert alert-warning mt-3 mb-0">
+                                                <i class="fas fa-exclamation-triangle me-2"></i>
+                                                Jilo Web checks for the Jilo Server availability and displays a warning if there is a problem with the server.
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                <!-- /help -->