File: /home/mmickelson/view-once.com/handlers/reveal.php
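<?php
/**
 * Handler for /s/{token}.
 *
 *  GET  — confirmation page. Shows no secret material, only wording tailored to
 *         text vs. file notes plus the CSRF token for the reveal form.
 *  POST — reveals the note exactly once. The row is deleted and the deletion is
 *         committed BEFORE any content is rendered, and the reveal only proceeds
 *         when this request is the one that actually removed the row (affected
 *         row count of the DELETE), so two concurrent POSTs cannot both see it.
 *
 * Assumptions carried over from the surrounding code: show_error() ends the
 * request (the flow after every expiry/not-found check depends on that), and
 * $db / $t may be pre-set by the router before this file is included.
 */
require_once __DIR__ . '/../src/config.php';
require_once __DIR__ . '/../src/helpers.php';
require_once __DIR__ . '/../src/db.php';

$db = $db ?? get_db();
$t = $t ?? null; // allow router to set

if (!$t) {
    // Extract from URI if not provided
    $uri = strtok((string) ($_SERVER['REQUEST_URI'] ?? ''), '?');
    if ($uri !== false && preg_match('#^/s/([a-f0-9]{32})$#', $uri, $m)) {
        $t = $m[1];
    }
}

// The token is used as a DB parameter, a session key and a path segment under
// FILES_DIR, so insist on the same 32-hex shape the route above accepts no
// matter how it arrived (router or URI). Anything else is simply "not found".
if (!is_string($t) || !preg_match('/^[a-f0-9]{32}$/', $t)) {
    show_error('Not Found', 'This link is invalid or the note was already viewed and deleted.', '404');
}

// Both responses are single-use, per-visitor content (secret body or CSRF
// token): keep them out of shared/browser caches and search indexes.
header('Cache-Control: no-store');
header('X-Robots-Tag: noindex, nofollow, noarchive');

/**
 * Renders the shared "burn" animation: a <video> when the webm/mp4 assets
 * exist, otherwise the GIF fallback. Used by both reveal pages.
 */
$render_burn = static function (): void {
    $has_webm = file_exists(__DIR__ . '/../assets/burn.webm');
    $has_mp4 = file_exists(__DIR__ . '/../assets/burn.mp4');
    ?>
<div class="burn">
<?php if ($has_webm || $has_mp4): ?>
<video class="burn-visual" autoplay muted playsinline>
<?php if ($has_webm): ?>
<source src="<?php echo h(base_url()) ?>/assets/burn.webm" type="video/webm">
<?php endif; ?>
<?php if ($has_mp4): ?>
<source src="<?php echo h(base_url()) ?>/assets/burn.mp4" type="video/mp4">
<?php endif; ?>
</video>
<?php else: ?>
<img src="<?php echo h(base_url()) ?>/assets/burn.gif" alt="Note burns away" class="burn-visual once">
<?php endif; ?>
</div>
<?php
};

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (invalid_csrf()) {
        show_error('Invalid Request', 'Security token mismatch. Please try again.');
    }

    $row = null;
    try {
        // beginTransaction() can itself throw; keep it inside the try so a
        // driver failure here becomes the same 500 as any other DB error.
        $db->beginTransaction();

        $stmt = $db->prepare('SELECT id, body, expires_at, is_file, filename, mime_type, file_size FROM secrets WHERE token = :t');
        $stmt->execute([':t' => $t]);
        $row = $stmt->fetch();

        if (!$row) {
            $db->rollBack();
            show_error('Not Found', 'This link is invalid or the note was already viewed and deleted.', '404');
        }

        // The DELETE is the "claim": only the request whose DELETE actually
        // removes the row may reveal it. A concurrent request that read the same
        // row but deletes 0 rows is treated as "already viewed".
        $del = $db->prepare('DELETE FROM secrets WHERE id = :id');
        $del->execute([':id' => $row['id']]);
        $claimed = $del->rowCount() === 1;
        $db->commit();

        if (!$claimed) {
            show_error('Not Found', 'This link is invalid or the note was already viewed and deleted.', '404');
        }
        // Expired rows are deleted just like viewed ones, then reported as expired.
        if ((int) $row['expires_at'] < time()) {
            show_error('Link Expired', 'This note has expired and been automatically deleted.', '410');
        }
    } catch (PDOException $e) {
        // rollBack() on a committed/absent transaction throws, so guard it.
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        show_error('Database Error', 'Unable to retrieve the note. Please try again.', '500');
    }

    if (!empty($row['is_file'])) {
        // $t is validated as 32 hex chars above, so this cannot leave FILES_DIR.
        $file_path = FILES_DIR . '/' . $t;
        if (!file_exists($file_path)) {
            show_error('File Not Found', 'The file associated with this note could not be found.', '404');
        }
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // The DB row is gone; the /f/{token} handler is expected to serve the
        // file from this session entry (not verified here — see that handler).
        $_SESSION['dl'][$t] = [
            'filename' => $row['filename'] ?? 'download',
            'mime' => $row['mime_type'] ?? 'application/octet-stream',
            'size' => $row['file_size'] ?? null,
        ];
        $download_url = base_url() . '/f/' . $t;
        $status_url = base_url() . '/f-status/' . $t;
        ?>
<!doctype html><meta charset="utf-8">
<title>Downloading…</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="<?php echo h(base_url()) ?>/assets/style.css">
<link rel="icon" href="<?php echo h(base_url()) ?>/assets/favicon.svg" type="image/svg+xml">
<script src="<?php echo h(base_url()) ?>/assets/app.js" defer></script>
<h1>Your download will start</h1>
<div class="card">
<p class="muted">This file is being delivered now. After the download begins, it will be permanently deleted from the server.</p>
<div id="st" class="status">Preparing…</div>
</div>
<p><a href="<?php echo h(base_url()) ?>">Create another</a></p>
<?php $render_burn(); ?>
<script>
(function(){
  // Kick off the download in a hidden iframe, then poll until the server
  // reports the file is gone (or give up after a bounded number of tries).
  var iframe = document.createElement('iframe');
  iframe.style.display = 'none';
  iframe.src = <?php echo json_encode($download_url, JSON_HEX_TAG) ?>;
  document.body.appendChild(iframe);
  var tries = 0;
  function poll(){
    fetch(<?php echo json_encode($status_url, JSON_HEX_TAG) ?>, {cache:'no-store'})
      .then(function(r){ return r.json(); })
      .then(function(j){
        if (j && j.exists === false){
          document.getElementById('st').textContent = 'File downloaded and deleted from the server.';
        } else if (tries < 15) {
          tries++; setTimeout(poll, 800);
        } else {
          document.getElementById('st').textContent = 'If your download did not start, check your browser\'s downloads. This link cannot be used again.';
        }
      }).catch(function(){ if (tries < 15){ tries++; setTimeout(poll, 1000); } });
  }
  setTimeout(poll, 700);
})();
</script>
<?php
        exit;
    }

    // Text note reveal
    $body = $row['body'];
    ?>
<!doctype html><meta charset="utf-8">
<title>Your secret</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="<?php echo h(base_url()) ?>/assets/style.css">
<link rel="icon" href="<?php echo h(base_url()) ?>/assets/favicon.svg" type="image/svg+xml">
<script src="<?php echo h(base_url()) ?>/assets/app.js" defer></script>
<h1>Revealed (now deleted)</h1>
<pre id="revealed"><?php echo h($body) ?></pre>
<p><button type="button" data-copy-target="#revealed">Copy to clipboard</button></p>
<p class="note">This note has been permanently deleted from the server.</p>
<p><a href="<?php echo h(base_url()) ?>">Create a new note</a></p>
<?php $render_burn(); ?>
<?php
    exit;
}

// GET: preview page with tailored wording for files
$is_file = false;
try {
    $stmt = $db->prepare('SELECT id, is_file, expires_at FROM secrets WHERE token = :t');
    $stmt->execute([':t' => $t]);
    $meta = $stmt->fetch();

    if (!$meta) {
        show_error('Not Found', 'This link is invalid or the note was already viewed and deleted.', '404');
    }
    if ((int) $meta['expires_at'] < time()) {
        $db->prepare('DELETE FROM secrets WHERE id = :id')->execute([':id' => $meta['id']]);
        show_error('Link Expired', 'This note has expired and been automatically deleted.', '410');
    }
    $is_file = !empty($meta['is_file']);
} catch (PDOException $e) {
    show_error('Database Error', 'Unable to load the link. Please try again.', '500');
}

$csrf_reveal = get_csrf();
$title = $is_file ? 'Download file' : 'Reveal note';
$button = $is_file ? 'Download now' : 'Reveal now';
?>
<!doctype html><meta charset="utf-8">
<title><?php echo h($title) ?></title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="<?php echo h(base_url()) ?>/assets/style.css">
<link rel="icon" href="<?php echo h(base_url()) ?>/assets/favicon.svg" type="image/svg+xml">
<script src="<?php echo h(base_url()) ?>/assets/app.js" defer></script>
<h1><?php echo h($title) ?></h1>
<div class="card">
<?php if ($is_file): ?>
<p class="muted">This link will download a file and then permanently delete it from the server as soon as the download begins. For a smooth download:</p>
<ul>
<li>Keep this page open until the download starts.</li>
<li>Allow downloads for this site (disable strict download/pop‑up blockers if prompted).</li>
<li>This link can only be used once.</li>
</ul>
<?php else: ?>
<p class="muted">For your privacy, this content is only revealed on request. Revealing will permanently delete it from the server.</p>
<?php endif; ?>
<form method="post" action="<?php echo h(base_url() . '/s/' . $t) ?>" class="mt-1">
<input type="hidden" name="_csrf" value="<?php echo h($csrf_reveal) ?>">
<button type="submit"><?php echo h($button) ?></button>
</form>
</div>
<p><a href="<?php echo h(base_url()) ?>">Create your own</a></p>
<?php
exit;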