<?php
// ====================================================================
// player.php — Single-file, header-aware video player (HTML+CSS+JS+PHP)
// Plays HLS (.m3u8), MP4, TS. Injects headers (Referer/Origin/UA/custom)
// via the built-in PHP proxy (?proxy=1).
// Requirements: PHP 7.4+ with cURL enabled.
// ====================================================================

// ------------------ CONFIG ------------------
const ALLOW_ALL = true;     // set to false to restrict to $ALLOWLIST
const SECRET    = '';       // optional HMAC secret for signed links
const TIMEOUT   = 25;       // cURL timeout (seconds)
$ALLOWLIST = [
  // 'example.com', 'cdn.example.org'
];

// ------------------ HELPERS ------------------
function bad($code, $msg){
  http_response_code($code);
  header('Content-Type: text/plain; charset=utf-8');
  header('Access-Control-Allow-Origin: *');
  echo $msg; exit;
}
function must($cond, $code, $msg){ if(!$cond) bad($code, $msg); }
function sw($s,$n){ return substr($s,0,strlen($n))===$n; }                   // starts_with
function ew($s,$n){ return $n==='' ? true : substr($s,-strlen($n))===$n; }   // ends_with
function abs_url($base, $rel){
  if (preg_match('~^https?://~i',$rel)) return $rel;
  $p = parse_url($base);
  if ($rel === '') return $base;
  if (sw($rel,'//')) return ($p['scheme'] ?? 'http').':'.$rel;
  $scheme = $p['scheme'] ?? 'http';
  $host   = $p['host']   ?? '';
  $port   = isset($p['port']) ? (':'.$p['port']) : '';
  $basePath = $p['path'] ?? '/';
  if (!ew($basePath,'/')) $basePath = preg_replace('~[^/]+$~','',$basePath);
  $path = sw($rel,'/') ? $rel : $basePath.$rel;
  $parts = [];
  foreach (explode('/',$path) as $seg){
    if ($seg==='' || $seg==='.') continue;
    if ($seg==='..') array_pop($parts); else $parts[]=$seg;
  }
  return $scheme.'://'.$host.$port.'/'.implode('/',$parts);
}

// ====================================================================
// PROXY MODE (same file): ?proxy=1&url=... (&referer=&origin=&ua=&x=&sig=)
// JS below constructs these URLs automatically when needed.
// ====================================================================
if (isset($_GET['proxy'])) {
  $url   = $_GET['url']     ?? '';
  $ref   = $_GET['referer'] ?? '';
  $org   = $_GET['origin']  ?? '';
  $ua    = $_GET['ua']      ?? '';
  $extra = isset($_GET['x']) ? (string)$_GET['x'] : '';
  $token = $_GET['sig']     ?? '';

  must($url !== '', 400, 'Missing url');
  must(preg_match('~^https?://~i',$url), 400, 'Only http/https allowed');

  $host = parse_url($url, PHP_URL_HOST);
  if (!ALLOW_ALL) { must(in_array($host, $ALLOWLIST, true), 403, 'Host not allowed'); }

  if (SECRET !== '') {
    $expected = hash_hmac('sha256', $url.$ref.$org.$ua.$extra, SECRET);
    if (!hash_equals($expected, $token)) bad(403,'Invalid signature');
  }

  $range = $_SERVER['HTTP_RANGE'] ?? null;

  $ch = curl_init($url);
  $headers = [ 'Accept: */*' ];
  if ($ref !== '') $headers[] = 'Referer: '.$ref;
  if ($org !== '') $headers[] = 'Origin: '.$org;
  if ($range)     $headers[] = 'Range: '.$range;

  if ($extra !== ''){
    $decoded = base64_decode($extra, true);
    if ($decoded === false) $decoded = '';
    foreach (preg_split("~\r?\n~", $decoded) as $line){
      if (trim($line)!=='') $headers[] = $line;
    }
  }

  curl_setopt_array($ch, [
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_MAXREDIRS      => 5,
    CURLOPT_CONNECTTIMEOUT => TIMEOUT,
    CURLOPT_TIMEOUT        => TIMEOUT,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER         => true,
    CURLOPT_HTTPHEADER     => $headers,
    CURLOPT_ENCODING       => "", // enable gzip/deflate and auto-decode
  ]);
  if ($ua !== '') curl_setopt($ch, CURLOPT_USERAGENT, $ua);

  $response = curl_exec($ch);
  if ($response === false) bad(502, 'cURL error: '.curl_error($ch));

  $code        = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
  $ctype       = curl_getinfo($ch, CURLINFO_CONTENT_TYPE) ?: '';
  $resp_headers_raw = substr($response, 0, $header_size);
  $body            = substr($response, $header_size);

  // Filter upstream headers
  $resp_headers = [];
  $content_length = null;
  $content_range  = null;
  foreach (preg_split("~\r?\n~", $resp_headers_raw) as $line){
    if (strpos($line, ':') !== false){
      [$k,$v] = array_map('trim', explode(':', $line, 2));
      $kl = strtolower($k);
      if (in_array($kl, ['connection','keep-alive','proxy-authenticate','proxy-authorization','te','trailer','upgrade'])) continue;
      if ($kl === 'transfer-encoding') continue;
      if ($kl === 'content-encoding') continue;  // already decoded by CURLOPT_ENCODING
      if ($kl === 'content-length') { $content_length = $v; continue; }
      if ($kl === 'content-range')  { $content_range  = $v; continue; }
      $resp_headers[$k] = $v;
    }
  }

  header('Access-Control-Allow-Origin: *');
  header('Accept-Ranges: bytes');

  // HLS playlist rewrite: route segments/keys/MAP through this same file
  $is_m3u8 = preg_match('~(application/(vnd\.apple\.mpegurl|x-mpegURL))|\.m3u8(\b|\?)~i', ($ctype.' '.$url));
  if ($is_m3u8){
    header('Content-Type: application/vnd.apple.mpegurl; charset=utf-8');
    $lines = preg_split("~\r?\n~", $body);
    $out = [];
    foreach ($lines as $ln){
      if ($ln === '' || $ln[0] === '#'){
        // Rewrite EXT-X-KEY URI
        if (sw($ln, '#EXT-X-KEY:')){
          $ln = preg_replace_callback('~URI="([^"]+)"~', function($m) use($url,$ref,$org,$ua,$extra){
            $abs = abs_url($url, $m[1]);
            $p = $_SERVER['PHP_SELF'].'?proxy=1&url='.rawurlencode($abs);
            if($ref!=='')   $p.='&referer='.rawurlencode($ref);
            if($org!=='')   $p.='&origin='.rawurlencode($org);
            if($ua!=='')    $p.='&ua='.rawurlencode($ua);
            if($extra!=='') $p.='&x='.rawurlencode($extra);
            if(SECRET!=='') $p.='&sig='.hash_hmac('sha256', $abs.$ref.$org.$ua.$extra, SECRET);
            return 'URI="'.$p.'"';
          }, $ln);
        }
        // Rewrite EXT-X-MAP (init segment) URI
        if (sw($ln, '#EXT-X-MAP:')){
          $ln = preg_replace_callback('~URI="([^"]+)"~', function($m) use($url,$ref,$org,$ua,$extra){
            $abs = abs_url($url, $m[1]);
            $p = $_SERVER['PHP_SELF'].'?proxy=1&url='.rawurlencode($abs);
            if($ref!=='')   $p.='&referer='.rawurlencode($ref);
            if($org!=='')   $p.='&origin='.rawurlencode($org);
            if($ua!=='')    $p.='&ua='.rawurlencode($ua);
            if($extra!=='') $p.='&x='.rawurlencode($extra);
            if(SECRET!=='') $p.='&sig='.hash_hmac('sha256', $abs.$ref.$org.$ua.$extra, SECRET);
            return 'URI="'.$p.'"';
          }, $ln);
        }
        $out[] = $ln; continue;
      }
      // Media/variant line (URI)
      $abs = abs_url($url, $ln);
      $prox = $_SERVER['PHP_SELF'].'?proxy=1&url='.rawurlencode($abs);
      if($ref!=='')   $prox.='&referer='.rawurlencode($ref);
      if($org!=='')   $prox.='&origin='.rawurlencode($org);
      if($ua!=='')    $prox.='&ua='.rawurlencode($ua);
      if($extra!=='') $prox.='&x='.rawurlencode($extra);
      if(SECRET!=='') $prox.='&sig='.hash_hmac('sha256', $abs.$ref.$org.$ua.$extra, SECRET);
      $out[] = $prox;
    }
    echo implode("\n", $out);
    exit;
  }

  // Forward headers for non-m3u8
  if (!headers_sent()){
    if ($ctype) header('Content-Type: '.$ctype);
    if ($content_range)  header('Content-Range: '.$content_range);
    if ($content_length) header('Content-Length: '.$content_length);
    foreach ($resp_headers as $k=>$v){ header($k.': '.$v); }
  }
  http_response_code($code);
  echo $body;
  exit;
}

// ====================================================================
// UI MODE (no ?proxy): serve the player page
// ====================================================================
?>
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Header-Aware Video Player (Single File)</title>
  <style>
    :root { font-family: system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, "Helvetica Neue", Arial; }
    body { margin: 0; background: #0b0f19; color: #e6e9ef; }
    header { padding: 16px 20px; border-bottom: 1px solid #1b2131; display:flex; align-items:center; gap:10px; }
    header h1{ font-size: 18px; margin:0; font-weight:600; }
    .wrap { max-width: 1040px; margin: 24px auto; padding: 0 20px 40px; }
    .grid { display: grid; grid-template-columns: 1.5fr 1fr; gap: 16px; }
    @media (max-width: 900px){ .grid{ grid-template-columns: 1fr; } }
    .card { background: #121829; border: 1px solid #1b2131; border-radius: 16px; box-shadow: 0 10px 30px rgba(0,0,0,.25); }
    .card .hd { padding: 14px 16px; border-bottom: 1px solid #1b2131; font-size: 14px; color:#a8b3cf; }
    .card .bd { padding: 14px 16px; }
    label { font-size: 13px; color: #a8b3cf; margin-bottom: 6px; display:block; }
    input[type="text"], input[type="url"], textarea, select { width:100%; background:#0f1525; border:1px solid #233049; color:#e6e9ef; border-radius:12px; padding:10px 12px; outline:none; }
    textarea { min-height: 72px; resize: vertical; }
    .row{ display:grid; grid-template-columns: 1fr 1fr; gap: 12px; }
    .actions { display:flex; flex-wrap:wrap; gap: 10px; margin-top: 10px; align-items:center; }
    button { background:#2f5aff; color:white; border:0; border-radius: 12px; padding: 10px 14px; font-weight:600; cursor:pointer; }
    button.secondary{ background:#1b2131; color:#c5d0ea; border:1px solid #2a3652; }
    .pill { display:inline-flex; gap:6px; align-items:center; padding:6px 10px; border-radius:999px; background:#0f1525; border:1px solid #233049; color:#a8b3cf; font-size:12px; }
    .badge { background:#0f1525; border:1px solid #233049; border-radius:8px; padding:4px 8px; font-size:12px; color:#a8b3cf; }
    .log{ white-space: pre-wrap; font-family: ui-monospace, SFMono-Regular, Menlo, monospace; background:#0b1020; border:1px dashed #2a3652; border-radius:12px; padding:10px; min-height:56px; }
    video { width: 100%; height: 62vh; background:#000; border-radius: 16px; }
  </style>
</head>
<body>
  <header>
    <h1>Header-Aware Video Player</h1>
    <span class="pill">Single File · HLS (.m3u8), MP4, TS</span>
  </header>

  <div class="wrap">
    <div class="grid">
      <div class="card">
        <div class="hd">Player</div>
        <div class="bd">
          <video id="video" controls playsinline></video>
          <div class="actions">
            <button id="playBtn">Play</button>
            <button id="stopBtn" class="secondary">Stop</button>
            <span id="status" class="badge">idle</span>
          </div>
          <div class="bd" style="padding-left:0; padding-right:0">
            <div class="log" id="log"></div>
          </div>
        </div>
      </div>

      <div class="card">
        <div class="hd">Source & Headers</div>
        <div class="bd">
          <label>Source URL</label>
          <input id="src" type="url" placeholder="https://example.com/video.m3u8 or .mp4 or .ts" />

          <div class="row" style="margin-top:10px;">
            <div>
              <label>Referer (optional)</label>
              <input id="ref" type="text" placeholder="https://example.com" />
            </div>
            <div>
              <label>Origin (optional)</label>
              <input id="org" type="text" placeholder="https://example.com" />
            </div>
          </div>

          <div class="row" style="margin-top:10px;">
            <div>
              <label>User-Agent (optional)</label>
              <input id="ua" type="text" placeholder="Mozilla/5.0 ..." />
            </div>
            <div>
              <label>Force Proxy</label>
              <select id="useProxy">
                <option value="auto" selected>Auto (use if headers set or CORS blocked)</option>
                <option value="yes">Yes (always proxy)</option>
                <option value="no">No (direct)</option>
              </select>
            </div>
          </div>
          <div style="margin-top:10px;">
            <label>Custom Headers (optional, one per line as &lt;name&gt;: &lt;value&gt;)</label>
            <textarea id="extraHeaders" placeholder="X-Requested-With: XMLHttpRequest
X-Custom: abc"></textarea>
            <p style="font-size:12px;color:#8b97b3">
              Note: Browsers can’t set <em>Referer</em>, <em>Origin</em>, or <em>User-Agent</em> via JS.
              This page injects them server-side through itself.
            </p>
          </div>
        </div>
      </div>
    </div>
  </div>

  <!-- hls.js for HLS playback in non-Safari browsers -->
  <script src="https://cdn.jsdelivr.net/npm/hls.js@1.5.8/dist/hls.min.js"></script>
  <script>
    const logEl = document.getElementById('log');
    const statusEl = document.getElementById('status');
    const video = document.getElementById('video');
    let hls = null;

    function log(msg){
      logEl.textContent += `\n${new Date().toLocaleTimeString()} — ${msg}`.trim();
      logEl.scrollTop = logEl.scrollHeight;
    }
    function setStatus(s){ statusEl.textContent = s; }

    function buildProxyUrl(rawUrl){
      const url = new URL(window.location.href);
      url.search = '';                   // clear current query
      url.searchParams.set('proxy','1'); // route to proxy mode
      url.searchParams.set('url', rawUrl);
      const ref = document.getElementById('ref').value.trim();
      const org = document.getElementById('org').value.trim();
      const ua  = document.getElementById('ua').value.trim();
      if (ref) url.searchParams.set('referer', ref);
      if (org) url.searchParams.set('origin', org);
      if (ua)  url.searchParams.set('ua', ua);
      const extra = document.getElementById('extraHeaders').value.trim();
      if (extra){ url.searchParams.set('x', btoa(unescape(encodeURIComponent(extra)))); }
      return url.toString();
    }

    function isHls(u){ return /(\.m3u8($|\?))|application\/(vnd\.apple\.mpegurl|x-mpegURL)/i.test(u); }

    function stop(){
      setStatus('stopped');
      if (hls){ hls.destroy(); hls = null; }
      video.pause();
      video.removeAttribute('src');
      video.load();
    }

    async function play(){
      stop();
      const src = document.getElementById('src').value.trim();
      if(!src){ alert('Enter a source URL'); return; }
      const useProxySel = document.getElementById('useProxy').value;
      const anyHeader = ['ref','org','ua','extraHeaders'].some(id => document.getElementById(id).value.trim());
      let finalUrl = src;
      if (useProxySel === 'yes' || (useProxySel === 'auto' && anyHeader)){
        finalUrl = buildProxyUrl(src);
      }

      const hlsNeeded = isHls(src) || /m3u8/i.test(finalUrl);
      if (hlsNeeded) {
        if (Hls.isSupported()){
          hls = new Hls({lowLatencyMode: true, enableWorker: true});
          hls.on(Hls.Events.ERROR, (e,data)=>{ log(`[HLS] ${data.type} — ${data.details || ''}`); });
          hls.loadSource(finalUrl);
          hls.attachMedia(video);
          video.play().catch(err=>log('Autoplay blocked: ' + err.message));
          setStatus('playing (HLS)');
        } else if (video.canPlayType('application/vnd.apple.mpegurl')){
          video.src = finalUrl; video.play(); setStatus('playing (native HLS)');
        } else {
          log('HLS not supported by this browser.'); setStatus('error');
        }
      } else {
        video.src = finalUrl;
        video.play().catch(err=>log('Autoplay blocked: ' + err.message));
        setStatus('playing');
      }
      log('Source: ' + finalUrl);
    }

    document.getElementById('playBtn').addEventListener('click', play);
    document.getElementById('stopBtn').addEventListener('click', stop);
  </script>
</body>
</html>