Begin work on recovery code system

This commit is contained in:
Floorb 2021-07-16 10:32:25 -04:00
parent bc017af020
commit a4b03295ad
2 changed files with 82 additions and 45 deletions


@ -34,15 +34,32 @@ $p_title = $lang['login/register']; // "Login/Register";
updatePageViews($conn); updatePageViews($conn);
if ($_SERVER['REQUEST_METHOD'] === 'POST') { if (isset($_POST['forgot'])) {
// Check if logged in if (!empty($_POST['username']) && !empty($_POST['recovery_code'])) {
if (isset($_SESSION['token'])) { $username = trim($_POST['username']);
header("Location: ./"); $recovery_code = trim($_POST['recovery_code']);
exit;
}
// Login process $query = $conn->prepare("SELECT id, recovery_code_hash FROM users WHERE username = ?");
if (isset($_POST['signin'])) { $query->execute([$username]);
$row = $query->fetch();
if ($row && password_verify($_POST['recovery_code'], $row['recovery_code_hash'])) {
$new_password = md5(random_bytes(64));
$new_password_hash = password_hash($new_password, PASSWORD_DEFAULT);
$recovery_code = hash('SHA512', random_bytes(64));
$new_recovery_code_hash = password_hash($recovery_code, PASSWORD_BCRYPT);
$conn->prepare('UPDATE users SET password = ?, recovery_code_hash = ? WHERE id = ?')
->execute([$new_password_hash, $new_recovery_code_hash, $row['id']]);
$success = 'Your password has been changed. A new recovery code has also been generated. Please note the recovery code and then sign in with the new password.';
} else {
$error = $lang['incorrect'];
}
} else {
$error = $lang['missingfields']; // "All fields must be filled out";
}
} else if (isset($_POST['signin'])) { // Login process
if (!empty($_POST['username']) && !empty($_POST['password'])) { if (!empty($_POST['username']) && !empty($_POST['password'])) {
$username = trim($_POST['username']); $username = trim($_POST['username']);
$query = $conn->prepare("SELECT id, password, banned, verified FROM users WHERE username = ?"); $query = $conn->prepare("SELECT id, password, banned, verified FROM users WHERE username = ?");
@ -76,10 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
} else { } else {
$error = $lang['missingfields']; // "All fields must be filled out."; $error = $lang['missingfields']; // "All fields must be filled out.";
} }
} } else if (isset($_POST['signup'])) { // Registration process
}
// Register process
if (isset($_POST['signup'])) {
$username = htmlentities(trim($_POST['username'], ENT_QUOTES)); $username = htmlentities(trim($_POST['username'], ENT_QUOTES));
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$chara_max = 25; //characters for max input $chara_max = 25; //characters for max input
@ -97,10 +111,12 @@ if (isset($_POST['signup'])) {
if ($query->fetch()) { if ($query->fetch()) {
$error = $lang['userexists']; // "Username already taken."; $error = $lang['userexists']; // "Username already taken.";
} else { } else {
$recovery_code = hash('SHA512', random_bytes('64'));
$recovery_code_hash = password_hash($recovery_code, PASSWORD_BCRYPT);
$query = $conn->prepare( $query = $conn->prepare(
"INSERT INTO users (username, password, picture, date, ip, badge) VALUES (?, ?, 'NONE', ?, ?, '0')" "INSERT INTO users (username, password, recovery_code_hash, picture, date, ip, badge) VALUES (?, ?, ?, 'NONE', ?, ?, '0')"
); );
$query->execute([$username, $password, $date, $ip]); $query->execute([$username, $password, $recovery_code_hash, $date, $ip]);
$success = $lang['registered']; // "Your account was successfully registered."; $success = $lang['registered']; // "Your account was successfully registered.";
} }
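Review bot: The new `password_verify($_POST['recovery_code'], $row['recovery_code_hash'])` line after `$row = $query->fetch()` checks the raw input, while the `$recovery_code = trim($_POST['recovery_code'])` computed a few lines earlier is never used for the check, so a code pasted with trailing whitespace fails even though the username field is trimmed; use `password_verify($recovery_code, $row['recovery_code_hash'])`. In the registration hunk `random_bytes('64')` passes a string where the recovery hunk passes the int `64`; the string form is a TypeError under `declare(strict_types=1)`, so write `random_bytes(64)` in both places. Both sites also feed a 128-character SHA-512 hex string to `PASSWORD_BCRYPT`, which only uses the first 72 bytes of its input, so roughly half of the code the user is told to store never takes part in verification; the entropy is still ample, but an encoding such as `bin2hex(random_bytes(32))` avoids that silent truncation. The hard-coded English `$success = 'Your password has been changed…'` also breaks with the `$lang[...]` convention every neighbouring message uses. The enclosing POST handler begins before the first hunk and its later branches continue past the last one.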


@ -24,6 +24,17 @@
// Logged in // Logged in
if (isset($success)) { if (isset($success)) {
echo '<p class="help is-success subtitle is-6">' . $success . '</p>'; echo '<p class="help is-success subtitle is-6">' . $success . '</p>';
if (isset($new_password)) {
echo '<p>Your new password is as follows:</p>';
echo "<code>${new_password}</code>";
}
if (isset($recovery_code)) {
echo '<h2>IMPORTANT!</h2>';
echo '<p><b>If you wish to recover your account later, you will need the following code. Store it in a safe place!</b></p>';
echo "<code>${recovery_code}</code>";
echo '<p>If you do not save this code and you forget your password, there is no way to get your account back!</p>';
}
} // Errors } // Errors
elseif (isset($error)) { elseif (isset($error)) {
echo '<p class="help is-danger subtitle is-6">' . $error . '</p>'; echo '<p class="help is-danger subtitle is-6">' . $error . '</p>';
@ -209,19 +220,29 @@
<div class="columns"> <div class="columns">
<div class="column"> <div class="column">
<h1 class="title is-4">Forgot Password</h1> <h1 class="title is-4">Forgot Password</h1>
<p>You <i>did</i> save your recovery code, right?</p>
<div class="field"> <div class="field">
<label class="label">Email</label> <label class="label">Username</label>
<div class="control has-icons-left has-icons-right"> <div class="control has-icons-left has-icons-right">
<input type="text" class="input" name="email" <input type="text" class="input" name="username"
placeholder="Enter your email address"> placeholder="Enter your account username">
<span class="icon is-small is-left"> <span class="icon is-small is-left">
<i class="fas fa-envelope"></i> <i class="fas fa-envelope"></i>
</span> </span>
</div> </div>
</div> </div>
<div class="field"> <div class="field">
<input class="button" type="submit" name="forgot" value="Submit" <label class="label">Recovery Code</label>
value="<?php echo md5($date . $ip); ?>"/> <div class="control has-icons-left has-icons-right">
<input type="password" class="input" name="recovery_code"
placeholder="Recovery code">
<span class="icon is-small is-left">
<i class="fas fa-key"></i>
</span>
</div>
</div>
<div class="field">
<input class="button" type="submit" name="forgot" />
</div> </div>
</div> </div>
<div class="column"> <div class="column">