Begin work on recovery code system
This commit is contained in:
parent
bc017af020
commit
a4b03295ad
2 changed files with 82 additions and 45 deletions
96
login.php
96
login.php
@ -34,52 +34,66 @@ $p_title = $lang['login/register']; // "Login/Register";
|
|||
|
||||
updatePageViews($conn);
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
// Check if logged in
|
||||
if (isset($_SESSION['token'])) {
|
||||
header("Location: ./");
|
||||
exit;
|
||||
if (isset($_POST['forgot'])) {
|
||||
if (!empty($_POST['username']) && !empty($_POST['recovery_code'])) {
|
||||
$username = trim($_POST['username']);
|
||||
$recovery_code = trim($_POST['recovery_code']);
|
||||
|
||||
$query = $conn->prepare("SELECT id, recovery_code_hash FROM users WHERE username = ?");
|
||||
$query->execute([$username]);
|
||||
$row = $query->fetch();
|
||||
if ($row && password_verify($_POST['recovery_code'], $row['recovery_code_hash'])) {
|
||||
$new_password = md5(random_bytes(64));
|
||||
$new_password_hash = password_hash($new_password, PASSWORD_DEFAULT);
|
||||
|
||||
$recovery_code = hash('SHA512', random_bytes(64));
|
||||
$new_recovery_code_hash = password_hash($recovery_code, PASSWORD_BCRYPT);
|
||||
|
||||
$conn->prepare('UPDATE users SET password = ?, recovery_code_hash = ? WHERE id = ?')
|
||||
->execute([$new_password_hash, $new_recovery_code_hash, $row['id']]);
|
||||
|
||||
$success = 'Your password has been changed. A new recovery code has also been generated. Please note the recovery code and then sign in with the new password.';
|
||||
} else {
|
||||
$error = $lang['incorrect'];
|
||||
}
|
||||
} else {
|
||||
$error = $lang['missingfields']; // "All fields must be filled out";
|
||||
}
|
||||
} else if (isset($_POST['signin'])) { // Login process
|
||||
if (!empty($_POST['username']) && !empty($_POST['password'])) {
|
||||
$username = trim($_POST['username']);
|
||||
$query = $conn->prepare("SELECT id, password, banned, verified FROM users WHERE username = ?");
|
||||
$query->execute([$username]);
|
||||
$row = $query->fetch();
|
||||
if ($row && password_verify($_POST['password'], $row['password'])) {
|
||||
// Username found
|
||||
$db_oauth_uid = $row['oauth_uid'];
|
||||
$db_ip = $row['ip'];
|
||||
$db_id = $row['id'];
|
||||
|
||||
// Login process
|
||||
if (isset($_POST['signin'])) {
|
||||
if (!empty($_POST['username']) && !empty($_POST['password'])) {
|
||||
$username = trim($_POST['username']);
|
||||
$query = $conn->prepare("SELECT id, password, banned, verified FROM users WHERE username = ?");
|
||||
$query->execute([$username]);
|
||||
$row = $query->fetch();
|
||||
if ($row && password_verify($_POST['password'], $row['password'])) {
|
||||
// Username found
|
||||
$db_oauth_uid = $row['oauth_uid'];
|
||||
$db_ip = $row['ip'];
|
||||
$db_id = $row['id'];
|
||||
if ($row['banned']) {
|
||||
// User is banned
|
||||
$error = $lang['banned'];
|
||||
} if ($row['verified']) {
|
||||
// Login successful
|
||||
$_SESSION['token'] = md5($db_id . $username);
|
||||
$_SESSION['oauth_uid'] = $db_oauth_uid;
|
||||
$_SESSION['username'] = $username;
|
||||
|
||||
if ($row['banned']) {
|
||||
// User is banned
|
||||
$error = $lang['banned'];
|
||||
} if ($row['verified']) {
|
||||
// Login successful
|
||||
$_SESSION['token'] = md5($db_id . $username);
|
||||
$_SESSION['oauth_uid'] = $db_oauth_uid;
|
||||
$_SESSION['username'] = $username;
|
||||
|
||||
header('Location: ' . $_SERVER['HTTP_REFERER']);
|
||||
exit();
|
||||
} else {
|
||||
// Account not verified
|
||||
$error = $lang['notverified'];
|
||||
}
|
||||
header('Location: ' . $_SERVER['HTTP_REFERER']);
|
||||
exit();
|
||||
} else {
|
||||
// Username not found or password incorrect.
|
||||
$error = $lang['incorrect'];
|
||||
// Account not verified
|
||||
$error = $lang['notverified'];
|
||||
}
|
||||
} else {
|
||||
$error = $lang['missingfields']; // "All fields must be filled out.";
|
||||
// Username not found or password incorrect.
|
||||
$error = $lang['incorrect'];
|
||||
}
|
||||
} else {
|
||||
$error = $lang['missingfields']; // "All fields must be filled out.";
|
||||
}
|
||||
}
|
||||
// Register process
|
||||
if (isset($_POST['signup'])) {
|
||||
} else if (isset($_POST['signup'])) { // Registration process
|
||||
$username = htmlentities(trim($_POST['username'], ENT_QUOTES));
|
||||
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
|
||||
$chara_max = 25; //characters for max input
|
||||
|
@ -97,10 +111,12 @@ if (isset($_POST['signup'])) {
|
|||
if ($query->fetch()) {
|
||||
$error = $lang['userexists']; // "Username already taken.";
|
||||
} else {
|
||||
$recovery_code = hash('SHA512', random_bytes('64'));
|
||||
$recovery_code_hash = password_hash($recovery_code, PASSWORD_BCRYPT);
|
||||
$query = $conn->prepare(
|
||||
"INSERT INTO users (username, password, picture, date, ip, badge) VALUES (?, ?, 'NONE', ?, ?, '0')"
|
||||
"INSERT INTO users (username, password, recovery_code_hash, picture, date, ip, badge) VALUES (?, ?, ?, 'NONE', ?, ?, '0')"
|
||||
);
|
||||
$query->execute([$username, $password, $date, $ip]);
|
||||
$query->execute([$username, $password, $recovery_code_hash, $date, $ip]);
|
||||
|
||||
$success = $lang['registered']; // "Your account was successfully registered.";
|
||||
}
|
||||
|
|
|
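Review bot: The `password_verify` call in the recovery branch hashes the raw `$_POST['recovery_code']` even though the line just above trimmed it into `$recovery_code`, so a code pasted with a trailing newline or space is rejected while the trimmed variable goes unused; use `password_verify($recovery_code, $row['recovery_code_hash'])`. Separately, bcrypt only consumes the first 72 bytes of its input, so `password_hash(hash('SHA512', random_bytes(64)), PASSWORD_BCRYPT)` verifies only the first 72 of the 128 hex characters the user is told to store — still ample entropy, but a 64-character code from `bin2hex(random_bytes(32))` would be fully covered by the hash and shorter to transcribe, and the same applies to the signup hunk, which additionally passes the string `'64'` rather than the integer `64` to `random_bytes`. Note also that the reset rotates the password and recovery code but does not touch any session, so a session already logged in as that user (its `token` is a deterministic `md5($db_id . $username)`) stays valid afterwards; if that is intended it deserves a comment, otherwise it is a follow-up. The `if ($_SERVER['REQUEST_METHOD'] === 'POST')` block that encloses this code continues past the end of the hunk.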
@ -24,6 +24,17 @@
|
|||
// Logged in
|
||||
if (isset($success)) {
|
||||
echo '<p class="help is-success subtitle is-6">' . $success . '</p>';
|
||||
if (isset($new_password)) {
|
||||
echo '<p>Your new password is as follows:</p>';
|
||||
echo "<code>${new_password}</code>";
|
||||
}
|
||||
|
||||
if (isset($recovery_code)) {
|
||||
echo '<h2>IMPORTANT!</h2>';
|
||||
echo '<p><b>If you wish to recover your account later, you will need the following code. Store it in a safe place!</b></p>';
|
||||
echo "<code>${recovery_code}</code>";
|
||||
echo '<p>If you do not save this code and you forget your password, there is no way to get your account back!</p>';
|
||||
}
|
||||
} // Errors
|
||||
elseif (isset($error)) {
|
||||
echo '<p class="help is-danger subtitle is-6">' . $error . '</p>';
|
||||
|
@ -209,19 +220,29 @@
|
|||
<div class="columns">
|
||||
<div class="column">
|
||||
<h1 class="title is-4">Forgot Password</h1>
|
||||
<p>You <i>did</i> save your recovery code, right?</p>
|
||||
<div class="field">
|
||||
<label class="label">Email</label>
|
||||
<label class="label">Username</label>
|
||||
<div class="control has-icons-left has-icons-right">
|
||||
<input type="text" class="input" name="email"
|
||||
placeholder="Enter your email address">
|
||||
<input type="text" class="input" name="username"
|
||||
placeholder="Enter your account username">
|
||||
<span class="icon is-small is-left">
|
||||
<i class="fas fa-envelope"></i>
|
||||
</span>
|
||||
</div>
|
||||
</div>
|
||||
<div class="field">
|
||||
<input class="button" type="submit" name="forgot" value="Submit"
|
||||
value="<?php echo md5($date . $ip); ?>"/>
|
||||
<label class="label">Recovery Code</label>
|
||||
<div class="control has-icons-left has-icons-right">
|
||||
<input type="password" class="input" name="recovery_code"
|
||||
placeholder="Recovery code">
|
||||
<span class="icon is-small is-left">
|
||||
<i class="fas fa-key"></i>
|
||||
</span>
|
||||
</div>
|
||||
</div>
|
||||
<div class="field">
|
||||
<input class="button" type="submit" name="forgot" />
|
||||
</div>
|
||||
</div>
|
||||
<div class="column">
|
||||
|
|
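Review bot: The new `echo "<code>${new_password}</code>";` and `echo "<code>${recovery_code}</code>";` lines use `${var}` string interpolation, which PHP 8.2 deprecates, and print the values without escaping; `echo '<code>' . htmlspecialchars($new_password, ENT_QUOTES, 'UTF-8') . '</code>';` (and the same for `$recovery_code`) removes the deprecation and stops the template from relying on the generator in login.php only ever producing hex. Because this response now carries a freshly minted password and recovery code, it should not be stored by the browser or an intermediary — a `Cache-Control: no-store` header on the recovery success path is the usual guard, unless one is already sent before this template is included. In the form hunk the relabelled Username field still carries the `fa-envelope` icon from the old email input; `fa-user` would match the new label. The surrounding markup of this template starts and ends outside the hunks.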