ponepaste/login.php

<?php
define('IN_PONEPASTE', 1);
require_once('includes/common.php');
require_once('includes/functions.php');
require_once('includes/passwords.php');

// Current Date & User IP
$date = date('jS F Y');
$ip = $_SERVER['REMOTE_ADDR'];


// Check if already logged in
if ($current_user !== null) {
    header("Location: ./");
    die();
}

updatePageViews($conn);

if (isset($_POST['forgot'])) {
    if (!empty($_POST['username']) && !empty($_POST['recovery_code'])) {
        $username = trim($_POST['username']);
        $recovery_code = trim($_POST['recovery_code']);

        $query = $conn->query("SELECT id, recovery_code_hash FROM users WHERE username = ?", [$username]);
        $row = $query->fetch();

        if ($row && pp_password_verify($_POST['recovery_code'], $row['recovery_code_hash'])) {
            $new_password = pp_random_password();
            $new_password_hash = pp_password_hash($new_password);

            $recovery_code = pp_random_token();
            $new_recovery_code_hash = pp_password_hash($recovery_code);

            $conn->prepare('UPDATE users SET password = ?, recovery_code_hash = ? WHERE id = ?')
                ->execute([$new_password_hash, $new_recovery_code_hash, $row['id']]);

            $success = 'Your password has been changed. A new recovery code has also been generated. Please note the recovery code and then sign in with the new password.';
        } else {
            $error = 'Incorrect username or password.';
        }
    } else {
        $error = 'All fields must be filled out.';
    }
} elseif (isset($_POST['signin'])) { // Login process
    if (!empty($_POST['username']) && !empty($_POST['password'])) {
        $remember_me = (bool) $_POST['remember_me'];
        $username = trim($_POST['username']);
        $row = $conn->query("SELECT id, password, banned FROM users WHERE username = ?", [$username])
            ->fetch();

        $needs_rehash = false;

        /* This is designed to be a constant time lookup, hence the warning suppression operator so that
         * we always call pp_password_verify, even if row is null.
         */
        if (pp_password_verify($_POST['password'], @$row['password'], $needs_rehash)) {
            $user_id = $row['id'];

            if ($needs_rehash) {
                $new_password_hash = pp_password_hash($_POST['password']);

                $conn->query('UPDATE users SET password = ? WHERE id = ?',
                    [$new_password_hash, $user_id]);
            }

            if ($row['banned']) {
                // User is banned
                $error = 'You are banned.';
            } else {
                // Login successful
                $_SESSION['user_id'] = (string) $user_id;

                if ($remember_me) {
                    $remember_token = pp_random_token();
                    $expire_at = (new DateTime())->add(new DateInterval('P1Y'));

                    $conn->query('INSERT INTO user_sessions (user_id, token, expire_at) VALUES (?, ?, FROM_UNIXTIME(?))', [$user_id, $remember_token, $expire_at->format('U')]);

                    setcookie(User::REMEMBER_TOKEN_COOKIE, $remember_token, [
                        'expires' => (int) $expire_at->format('U'),
                        'secure' => !empty($_SERVER['HTTPS']), /* Local dev environment is non-HTTPS */
                        'httponly' => true,
                        'samesite' => 'Lax'
                    ]);
                }

                header('Location: ' . $_SERVER['HTTP_REFERER']);
                exit();
            }
        } else {
            // Username not found or password incorrect.
            $error = 'Incorrect username or password.';
        }
    } else {
        $error = 'All fields must be filled out.';
    }
} elseif (isset($_POST['signup'])) { // Registration process
    $username = htmlentities(trim($_POST['username'], ENT_QUOTES));
    $password = pp_password_hash($_POST['password']);

    if (empty($_POST['password']) || empty($_POST['username'])) {
        $error = 'All fields must be filled out.';
    } elseif (strlen($username) > 25) {
        $error = 'Username too long.'; // "Username already taken.";
    } elseif (preg_match('/[^A-Za-z0-9._\\-$]/', $username)) {
        $error = 'Username is invalid - please use A-Za-z0-9, periods, hyphens, and underscores only.';
    } else {
        if ($conn->querySelectOne('SELECT 1 FROM users WHERE username = ?', [$username])) {
            $error = 'That username has already been taken.';
        } else {
            $recovery_code = pp_random_token();
            $recovery_code_hash = pp_password_hash($recovery_code);
            $conn->query(
                "INSERT INTO users (username, password, recovery_code_hash, picture, date, ip, badge) VALUES (?, ?, ?, 'NONE', ?, ?, '0')",
                [$username, $password, $recovery_code_hash, $date, $ip]
            );

            $success = 'Your account was successfully registered.';
        }
    }
}
// Theme
$page_template = 'login';
$page_title = 'Login / Register';
require_once('theme/' . $default_theme . '/common.php');
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`<?php`
Signup and login should now work. 2021-07-12 10:44:39 -04:00			`define('IN_PONEPASTE', 1);`
More cleanup, mostly surrounding ads 2021-07-10 18:21:03 -04:00			`require_once('includes/common.php');`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`require_once('includes/functions.php');`
Implement password peppering. 2021-07-17 12:33:08 -04:00			`require_once('includes/passwords.php');`
Rework registration & login page a little bit. 2021-07-15 12:40:12 -04:00
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`// Current Date & User IP`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00			`$date = date('jS F Y');`
			`$ip = $_SERVER['REMOTE_ADDR'];`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00
Rework registration & login page a little bit. 2021-07-15 12:40:12 -04:00
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`// Check if already logged in`
Introduce User and DatabaseHandle class 2021-07-17 18:17:29 -04:00			`if ($current_user !== null) {`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00			`header("Location: ./");`
Introduce User and DatabaseHandle class 2021-07-17 18:17:29 -04:00			`die();`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`}`

More cleanup, mostly surrounding ads 2021-07-10 18:21:03 -04:00			`updatePageViews($conn);`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`if (isset($_POST['forgot'])) {`
			`if (!empty($_POST['username']) && !empty($_POST['recovery_code'])) {`
			`$username = trim($_POST['username']);`
			`$recovery_code = trim($_POST['recovery_code']);`

Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`$query = $conn->query("SELECT id, recovery_code_hash FROM users WHERE username = ?", [$username]);`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`$row = $query->fetch();`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00
Implement password peppering. 2021-07-17 12:33:08 -04:00			`if ($row && pp_password_verify($_POST['recovery_code'], $row['recovery_code_hash'])) {`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`$new_password = pp_random_password();`
Implement password peppering. 2021-07-17 12:33:08 -04:00			`$new_password_hash = pp_password_hash($new_password);`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`$recovery_code = pp_random_token();`
Implement password peppering. 2021-07-17 12:33:08 -04:00			`$new_recovery_code_hash = pp_password_hash($recovery_code);`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00
			`$conn->prepare('UPDATE users SET password = ?, recovery_code_hash = ? WHERE id = ?')`
			`->execute([$new_password_hash, $new_recovery_code_hash, $row['id']]);`

			`$success = 'Your password has been changed. A new recovery code has also been generated. Please note the recovery code and then sign in with the new password.';`
			`} else {`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'Incorrect username or password.';`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`}`
			`} else {`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'All fields must be filled out.';`
Rework registration & login page a little bit. 2021-07-15 12:40:12 -04:00			`}`
Code format. 2021-07-26 17:42:43 -04:00			`} elseif (isset($_POST['signin'])) { // Login process`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`if (!empty($_POST['username']) && !empty($_POST['password'])) {`
Reformat code. 2021-08-22 22:05:26 -04:00			`$remember_me = (bool) $_POST['remember_me'];`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`$username = trim($_POST['username']);`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`$row = $conn->query("SELECT id, password, banned FROM users WHERE username = ?", [$username])`
Code format. 2021-07-26 17:42:43 -04:00			`->fetch();`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00
Implement password peppering. 2021-07-17 12:33:08 -04:00			`$needs_rehash = false;`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00
			`/* This is designed to be a constant time lookup, hence the warning suppression operator so that`
			`* we always call pp_password_verify, even if row is null.`
			`*/`
			`if (pp_password_verify($_POST['password'], @$row['password'], $needs_rehash)) {`
			`$user_id = $row['id'];`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00
Implement password peppering. 2021-07-17 12:33:08 -04:00			`if ($needs_rehash) {`
			`$new_password_hash = pp_password_hash($_POST['password']);`

Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`$conn->query('UPDATE users SET password = ? WHERE id = ?',`
Code format. 2021-07-26 17:42:43 -04:00			`[$new_password_hash, $user_id]);`
Implement password peppering. 2021-07-17 12:33:08 -04:00			`}`

Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`if ($row['banned']) {`
			`// User is banned`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'You are banned.';`
Remove verified check 2021-07-17 12:36:21 -04:00			`} else {`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`// Login successful`
Reformat code. 2021-08-22 22:05:26 -04:00			`$_SESSION['user_id'] = (string) $user_id;`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00
			`if ($remember_me) {`
			`$remember_token = pp_random_token();`
Improve logout and remember me 2021-07-24 15:12:19 -04:00			`$expire_at = (new DateTime())->add(new DateInterval('P1Y'));`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00
Improve logout and remember me 2021-07-24 15:12:19 -04:00			`$conn->query('INSERT INTO user_sessions (user_id, token, expire_at) VALUES (?, ?, FROM_UNIXTIME(?))', [$user_id, $remember_token, $expire_at->format('U')]);`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00
			`setcookie(User::REMEMBER_TOKEN_COOKIE, $remember_token, [`
Reformat code. 2021-08-22 22:05:26 -04:00			`'expires' => (int) $expire_at->format('U'),`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`'secure' => !empty($_SERVER['HTTPS']), /* Local dev environment is non-HTTPS */`
			`'httponly' => true,`
			`'samesite' => 'Lax'`
			`]);`
			`}`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00
			`header('Location: ' . $_SERVER['HTTP_REFERER']);`
			`exit();`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`}`
Rework registration & login page a little bit. 2021-07-15 12:40:12 -04:00			`} else {`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`// Username not found or password incorrect.`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'Incorrect username or password.';`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`}`
Begin work on recovery code system 2021-07-16 10:32:25 -04:00			`} else {`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'All fields must be filled out.';`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`}`
Code format. 2021-07-26 17:42:43 -04:00			`} elseif (isset($_POST['signup'])) { // Registration process`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00			`$username = htmlentities(trim($_POST['username'], ENT_QUOTES));`
Implement password peppering. 2021-07-17 12:33:08 -04:00			`$password = pp_password_hash($_POST['password']);`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00
Remove most email stuff. 2021-07-16 10:08:21 -04:00			`if (empty($_POST['password']) \|\| empty($_POST['username'])) {`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'All fields must be filled out.';`
			`} elseif (strlen($username) > 25) {`
			`$error = 'Username too long.'; // "Username already taken.";`
Fix broken username verification. 2021-08-20 16:41:49 -04:00			`} elseif (preg_match('/[^A-Za-z0-9._\\-$]/', $username)) {`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'Username is invalid - please use A-Za-z0-9, periods, hyphens, and underscores only.';`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00			`} else {`
Some admin page fixes. 2021-08-09 04:21:39 -04:00			`if ($conn->querySelectOne('SELECT 1 FROM users WHERE username = ?', [$username])) {`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$error = 'That username has already been taken.';`
Reformat login.php so I can read it 2021-07-11 12:50:24 -04:00			`} else {`
Various fixes and improvements, implement remember me (I think) 2021-07-24 14:45:46 -04:00			`$recovery_code = pp_random_token();`
Implement password peppering. 2021-07-17 12:33:08 -04:00			`$recovery_code_hash = pp_password_hash($recovery_code);`
Some admin page fixes. 2021-08-09 04:21:39 -04:00			`$conn->query(`
			`"INSERT INTO users (username, password, recovery_code_hash, picture, date, ip, badge) VALUES (?, ?, ?, 'NONE', ?, ?, '0')",`
			`[$username, $password, $recovery_code_hash, $date, $ip]`
Remove most email stuff. 2021-07-16 10:08:21 -04:00			`);`
Rework registration & login page a little bit. 2021-07-15 12:40:12 -04:00
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$success = 'Your account was successfully registered.';`
Initial commit Initial commit 2021-07-10 19:18:17 +01:00			`}`
			`}`
			`}`
			`// Theme`
New page template system kinda. 2021-08-22 21:45:26 -04:00			`$page_template = 'login';`
Get rid of lang files 2021-08-26 05:35:21 -04:00			`$page_title = 'Login / Register';`
New page template system kinda. 2021-08-22 21:45:26 -04:00			`require_once('theme/' . $default_theme . '/common.php');`