misuzu/public/auth.php

<?php
use Carbon\Carbon;
use Misuzu\Database;
use Misuzu\Net\IPAddress;
use Misuzu\Users\Session;

require_once __DIR__ . '/../misuzu.php';

$config = $app->getConfig();
$templating = $app->getTemplating();

$usernameValidationErrors = [
    'trim' => 'Your username may not start or end with spaces!',
    'short' => sprintf('Your username is too short, it has to be at least %d characters!', MSZ_USERNAME_MIN_LENGTH),
    'long' => sprintf("Your username is too long, it can't be longer than %d characters!", MSZ_USERNAME_MAX_LENGTH),
    'double-spaces' => "Your username can't contain double spaces.",
    'invalid' => 'Your username contains invalid characters.',
    'spacing' => 'Please use either underscores or spaces, not both!',
    'in-use' => 'This username is already taken!',
];

$authMode = $_GET['m'] ?? 'login';
$preventRegistration = $config->get('Auth', 'prevent_registration', 'bool', false);
$templating->addPath('auth', __DIR__ . '/../views/auth');

$templating->vars([
    'prevent_registration' => $preventRegistration,
    'auth_mode' => $authMode,
    'auth_username' => $_REQUEST['username'] ?? '',
    'auth_email' => $_REQUEST['email'] ?? '',
]);

switch ($authMode) {
    case 'logout':
        if (!$app->hasActiveSession()) {
            header('Location: /');
            return;
        }

        if (isset($_GET['s']) && tmp_csrf_verify($_GET['s'])) {
            set_cookie_m('uid', '', -3600);
            set_cookie_m('sid', '', -3600);
            user_session_delete($app->getSessionId());
            header('Location: /');
            return;
        }

        echo $templating->render('@auth.logout');
        break;

    case 'login':
        if ($app->hasActiveSession()) {
            header('Location: /');
            break;
        }

        $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
        $authLoginError = '';

        while ($_SERVER['REQUEST_METHOD'] === 'POST') {
            $ipAddress = IPAddress::remote()->getString();

            if (!isset($_POST['username'], $_POST['password'])) {
                $authLoginError = "You didn't fill all the forms!";
                break;
            }

            $remainingAttempts = user_login_attempts_remaining($ipAddress);

            if ($remainingAttempts < 1) {
                $authLoginError = 'Too many failed login attempts, try again later.';
                break;
            }

            $username = $_POST['username'] ?? '';
            $password = $_POST['password'] ?? '';

            $getUser = Database::prepare('
                SELECT `user_id`, `password`
                FROM `msz_users`
                WHERE LOWER(`email`) = LOWER(:email)
                OR LOWER(`username`) = LOWER(:username)
            ');
            $getUser->bindValue('email', $username);
            $getUser->bindValue('username', $username);
            $userData = $getUser->execute() ? $getUser->fetch() : [];
            $userId = (int)($userData['user_id'] ?? 0);

            $loginFailedError = sprintf(
                "Invalid username or password, %d attempt%s remaining.",
                $remainingAttempts - 1,
                $remainingAttempts === 2 ? '' : 's'
            );

            if ($userId < 1) {
                user_login_attempt_record(false, null, $ipAddress, $userAgent);
                $authLoginError = $loginFailedError;
                break;
            }

            if (!password_verify($password, $userData['password'])) {
                user_login_attempt_record(false, $userId, $ipAddress, $userAgent);
                $authLoginError = $loginFailedError;
                break;
            }

            user_login_attempt_record(true, $userId, $ipAddress, $userAgent);
            $sessionKey = user_session_create($userId, $ipAddress, $userAgent);

            if ($sessionKey === '') {
                $authLoginError = 'Unable to create new session, contact an administrator ASAP.';
                break;
            }

            $app->startSession($userId, $sessionKey);
            $cookieLife = Carbon::now()->addMonth()->timestamp;
            set_cookie_m('uid', $userId, $cookieLife);
            set_cookie_m('sid', $sessionKey, $cookieLife);

            header('Location: /');
            return;
        }

        if (!empty($authLoginError)) {
            $templating->var('auth_login_error', $authLoginError);
        }

        echo $templating->render('auth');
        break;

    case 'register':
        if ($app->hasActiveSession()) {
            header('Location: /');
        }

        $authRegistrationError = '';

        while ($_SERVER['REQUEST_METHOD'] === 'POST') {
            if ($preventRegistration) {
                $authRegistrationError = 'Registration is not allowed on this instance.';
                break;
            }

            if (!isset($_POST['username'], $_POST['password'], $_POST['email'])) {
                $authRegistrationError = "You didn't fill all the forms!";
                break;
            }

            $username = $_POST['username'] ?? '';
            $password = $_POST['password'] ?? '';
            $email = $_POST['email'] ?? '';

            $usernameValidation = user_validate_username($username, true);
            if ($usernameValidation !== '') {
                $authRegistrationError = $usernameValidationErrors[$usernameValidation];
                break;
            }

            $emailValidation = user_validate_email($email, true);
            if ($emailValidation !== '') {
                $authRegistrationError = $emailValidation === 'in-use'
                    ? 'This e-mail address has already been used!'
                    : 'The e-mail address you entered is invalid!';
                break;
            }

            if (user_validate_password($password) !== '') {
                $authRegistrationError = 'Your password is too weak!';
                break;
            }

            $createUser = user_create(
                $username,
                $password,
                $email,
                IPAddress::remote()->getString()
            );

            if ($createUser < 1) {
                $authRegistrationError = 'Something happened?';
                break;
            }

            user_role_add($createUser, MSZ_ROLE_MAIN);

            $templating->var('auth_register_message', 'Welcome to Flashii! You may now log in.');
            break;
        }

        if (!empty($authRegistrationError)) {
            $templating->var('auth_register_error', $authRegistrationError);
        }

        echo $templating->render('@auth.auth');
        break;
}
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00			`<?php`
Use custom session system. 2018-02-11 00:18:49 +01:00			`use Carbon\Carbon;`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`use Misuzu\Database;`
Rework IP address handling. 2018-03-16 03:01:24 +01:00			`use Misuzu\Net\IPAddress;`
Use custom session system. 2018-02-11 00:18:49 +01:00			`use Misuzu\Users\Session;`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`require_once __DIR__ . '/../misuzu.php';`

Smol optimisations and fixes a few things, mainly auth.php. 2018-04-26 17:01:59 +02:00			`$config = $app->getConfig();`
			`$templating = $app->getTemplating();`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$usernameValidationErrors = [`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`'trim' => 'Your username may not start or end with spaces!',`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`'short' => sprintf('Your username is too short, it has to be at least %d characters!', MSZ_USERNAME_MIN_LENGTH),`
			`'long' => sprintf("Your username is too long, it can't be longer than %d characters!", MSZ_USERNAME_MAX_LENGTH),`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`'double-spaces' => "Your username can't contain double spaces.",`
			`'invalid' => 'Your username contains invalid characters.',`
			`'spacing' => 'Please use either underscores or spaces, not both!',`
Add profile fields to database and add changing logic. 2018-03-23 01:01:42 +01:00			`'in-use' => 'This username is already taken!',`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`];`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$authMode = $_GET['m'] ?? 'login';`
			`$preventRegistration = $config->get('Auth', 'prevent_registration', 'bool', false);`
Smol optimisations and fixes a few things, mainly auth.php. 2018-04-26 17:01:59 +02:00			`$templating->addPath('auth', __DIR__ . '/../views/auth');`
Welcome back, mio! 2018-03-22 02:56:41 +00:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$templating->vars([`
			`'prevent_registration' => $preventRegistration,`
			`'auth_mode' => $authMode,`
			`'auth_username' => $_REQUEST['username'] ?? '',`
			`'auth_email' => $_REQUEST['email'] ?? '',`
			`]);`
Prevent users from being able to register while logged in. 2018-02-22 17:37:10 +01:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`switch ($authMode) {`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`case 'logout':`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`if (!$app->hasActiveSession()) {`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`header('Location: /');`
			`return;`
			`}`

Add temp CSRF functions, for reusage. 2018-03-22 19:07:02 +01:00			`if (isset($_GET['s']) && tmp_csrf_verify($_GET['s'])) {`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`set_cookie_m('uid', '', -3600);`
			`set_cookie_m('sid', '', -3600);`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`user_session_delete($app->getSessionId());`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`header('Location: /');`
			`return;`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`}`

Smol optimisations and fixes a few things, mainly auth.php. 2018-04-26 17:01:59 +02:00			`echo $templating->render('@auth.logout');`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`

			`case 'login':`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`if ($app->hasActiveSession()) {`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`header('Location: /');`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`
Prevent users from being able to register while logged in. 2018-02-22 17:37:10 +01:00			`}`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';`
			`$authLoginError = '';`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`while ($_SERVER['REQUEST_METHOD'] === 'POST') {`
VERY basic topic viewer exist now yeet 2018-05-20 22:12:45 +02:00			`$ipAddress = IPAddress::remote()->getString();`
Add login rate limiting. 2018-03-22 04:45:59 +01:00
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`if (!isset($_POST['username'], $_POST['password'])) {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$authLoginError = "You didn't fill all the forms!";`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`break;`
			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$remainingAttempts = user_login_attempts_remaining($ipAddress);`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00
			`if ($remainingAttempts < 1) {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$authLoginError = 'Too many failed login attempts, try again later.';`
Add login rate limiting. 2018-03-22 04:45:59 +01:00			`break;`
			`}`

Welcome back, mio! 2018-03-22 02:56:41 +00:00			`$username = $_POST['username'] ?? '';`
			`$password = $_POST['password'] ?? '';`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
Use shorthand database operations everywhere. 2018-07-16 00:59:14 +02:00			`$getUser = Database::prepare('`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			SELECT `user_id`, `password`
			FROM `msz_users`
			WHERE LOWER(`email`) = LOWER(:email)
			OR LOWER(`username`) = LOWER(:username)
			`');`
			`$getUser->bindValue('email', $username);`
			`$getUser->bindValue('username', $username);`
			`$userData = $getUser->execute() ? $getUser->fetch() : [];`
			`$userId = (int)($userData['user_id'] ?? 0);`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$loginFailedError = sprintf(`
			`"Invalid username or password, %d attempt%s remaining.",`
			`$remainingAttempts - 1,`
			`$remainingAttempts === 2 ? '' : 's'`
			`);`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00
			`if ($userId < 1) {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`user_login_attempt_record(false, null, $ipAddress, $userAgent);`
			`$authLoginError = $loginFailedError;`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`break;`
			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`if (!password_verify($password, $userData['password'])) {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`user_login_attempt_record(false, $userId, $ipAddress, $userAgent);`
			`$authLoginError = $loginFailedError;`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`break;`
			`}`
Use custom session system. 2018-02-11 00:18:49 +01:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`user_login_attempt_record(true, $userId, $ipAddress, $userAgent);`
			`$sessionKey = user_session_create($userId, $ipAddress, $userAgent);`

			`if ($sessionKey === '') {`
			`$authLoginError = 'Unable to create new session, contact an administrator ASAP.';`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`break;`
			`}`
Add login rate limiting. 2018-03-22 04:45:59 +01:00
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`$app->startSession($userId, $sessionKey);`
			`$cookieLife = Carbon::now()->addMonth()->timestamp;`
			`set_cookie_m('uid', $userId, $cookieLife);`
			`set_cookie_m('sid', $sessionKey, $cookieLife);`
Welcome back, mio! 2018-03-22 02:56:41 +00:00
			`header('Location: /');`
			`return;`
			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`if (!empty($authLoginError)) {`
			`$templating->var('auth_login_error', $authLoginError);`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
Smol optimisations and fixes a few things, mainly auth.php. 2018-04-26 17:01:59 +02:00			`echo $templating->render('auth');`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`
Add disappointment. 2018-01-28 04:32:28 +01:00
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`case 'register':`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`if ($app->hasActiveSession()) {`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`header('Location: /');`
Prevent users from being able to register while logged in. 2018-02-22 17:37:10 +01:00			`}`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$authRegistrationError = '';`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`while ($_SERVER['REQUEST_METHOD'] === 'POST') {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`if ($preventRegistration) {`
			`$authRegistrationError = 'Registration is not allowed on this instance.';`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`break;`
			`}`
Add means to prevent registration on the testing site. 2018-03-13 23:04:01 +01:00
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`if (!isset($_POST['username'], $_POST['password'], $_POST['email'])) {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$authRegistrationError = "You didn't fill all the forms!";`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`break;`
			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`$username = $_POST['username'] ?? '';`
			`$password = $_POST['password'] ?? '';`
			`$email = $_POST['email'] ?? '';`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$usernameValidation = user_validate_username($username, true);`
			`if ($usernameValidation !== '') {`
			`$authRegistrationError = $usernameValidationErrors[$usernameValidation];`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`break;`
			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$emailValidation = user_validate_email($email, true);`
			`if ($emailValidation !== '') {`
			`$authRegistrationError = $emailValidation === 'in-use'`
Add profile fields to database and add changing logic. 2018-03-23 01:01:42 +01:00			`? 'This e-mail address has already been used!'`
			`: 'The e-mail address you entered is invalid!';`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00			`}`

bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`if (user_validate_password($password) !== '') {`
A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$authRegistrationError = 'Your password is too weak!';`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00			`}`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`$createUser = user_create(`
			`$username,`
			`$password,`
			`$email,`
			`IPAddress::remote()->getString()`
			`);`

			`if ($createUser < 1) {`
			`$authRegistrationError = 'Something happened?';`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00			`break;`
			`}`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`user_role_add($createUser, MSZ_ROLE_MAIN);`
bye bye ORM (successfully this time!) 2018-05-16 04:58:21 +02:00
Smol optimisations and fixes a few things, mainly auth.php. 2018-04-26 17:01:59 +02:00			`$templating->var('auth_register_message', 'Welcome to Flashii! You may now log in.');`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00			`}`

A bunch of housekeeping. 2018-05-27 02:20:35 +02:00			`if (!empty($authRegistrationError)) {`
			`$templating->var('auth_register_error', $authRegistrationError);`
Welcome back, mio! 2018-03-22 02:56:41 +00:00			`}`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00
Smol optimisations and fixes a few things, mainly auth.php. 2018-04-26 17:01:59 +02:00			`echo $templating->render('@auth.auth');`
You say 'a step backwards', I say 'modern web development'. 2018-03-14 02:39:02 +01:00			`break;`
Add very based authentication system + users table. 2018-01-16 08:26:29 +01:00			`}`