2019-03-08 00:35:53 +00:00
|
|
|
<?php
|
2019-09-28 22:43:51 +00:00
|
|
|
namespace Misuzu;
|
|
|
|
|
|
2019-03-08 00:35:53 +00:00
|
|
|
require_once '../../misuzu.php';
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(user_session_active()) {
|
2019-06-08 21:46:24 +00:00
|
|
|
url_redirect('settings-account');
|
2019-03-08 00:35:53 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-18 21:30:19 +00:00
|
|
|
$reset = !empty($_POST['reset']) && is_array($_POST['reset']) ? $_POST['reset'] : [];
|
|
|
|
|
$forgot = !empty($_POST['forgot']) && is_array($_POST['forgot']) ? $_POST['forgot'] : [];
|
|
|
|
|
$userId = !empty($reset['user']) ? (int)$reset['user'] : (
|
|
|
|
|
!empty($_GET['user']) ? (int)$_GET['user'] : 0
|
|
|
|
|
);
|
2019-03-08 00:35:53 +00:00
|
|
|
$username = $userId > 0 ? user_username_from_id($userId) : '';
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if($userId > 0 && empty($username)) {
|
2019-06-08 21:46:24 +00:00
|
|
|
url_redirect('auth-forgot');
|
2019-03-08 00:35:53 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$notices = [];
|
2019-08-14 19:40:36 +00:00
|
|
|
$siteIsPrivate = config_get('private.enable', MSZ_CFG_BOOL);
|
|
|
|
|
$canResetPassword = $siteIsPrivate ? config_get('private.allow_password_reset', MSZ_CFG_BOOL, true) : true;
|
2019-03-08 00:35:53 +00:00
|
|
|
$ipAddress = ip_remote_address();
|
|
|
|
|
$remainingAttempts = user_login_attempts_remaining($ipAddress);
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
while($canResetPassword) {
|
|
|
|
|
if(!empty($reset) && $userId > 0) {
|
|
|
|
|
if(!csrf_verify_request()) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = 'Was unable to verify the request, please try again!';
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-18 21:30:19 +00:00
|
|
|
$verificationCode = !empty($reset['verification']) && is_string($reset['verification']) ? $reset['verification'] : '';
|
2019-03-08 00:35:53 +00:00
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(!user_recovery_token_validate($userId, $verificationCode)) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = 'Invalid verification code!';
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-18 21:30:19 +00:00
|
|
|
$password = !empty($reset['password']) && is_array($reset['password']) ? $reset['password'] : [];
|
|
|
|
|
$passwordNew = !empty($password['new']) && is_string($password['new']) ? $password['new'] : '';
|
|
|
|
|
$passwordConfirm = !empty($password['confirm']) && is_string($password['confirm']) ? $password['confirm'] : '';
|
2019-03-08 00:35:53 +00:00
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(empty($passwordNew) || empty($passwordConfirm)
|
2019-03-08 00:35:53 +00:00
|
|
|
|| $passwordNew !== $passwordConfirm) {
|
|
|
|
|
$notices[] = "Password confirmation failed!";
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(user_validate_password($passwordNew) !== '') {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = 'Your password is too weak!';
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(user_password_set($userId, $passwordNew)) {
|
2019-03-08 00:35:53 +00:00
|
|
|
audit_log(MSZ_AUDIT_PASSWORD_RESET, $userId);
|
|
|
|
|
} else {
|
|
|
|
|
throw new UnexpectedValueException('Password reset failed.');
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-10 16:01:45 +00:00
|
|
|
// disable two factor auth to prevent getting locked out of account entirely
|
|
|
|
|
user_totp_update($userId, null);
|
|
|
|
|
|
2019-03-08 00:35:53 +00:00
|
|
|
user_recovery_token_invalidate($userId, $verificationCode);
|
|
|
|
|
|
2019-06-08 21:46:24 +00:00
|
|
|
url_redirect('auth-login', ['redirect' => '/']);
|
2019-03-08 00:35:53 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(!empty($forgot)) {
|
|
|
|
|
if(!csrf_verify_request()) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = 'Was unable to verify the request, please try again!';
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(empty($forgot['email']) || !is_string($forgot['email'])) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = "You didn't supply an e-mail address.";
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if($remainingAttempts < 1) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = "There are too many failed login attempts from your IP address, please try again later.";
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-18 21:30:19 +00:00
|
|
|
$forgotUser = user_find_for_reset($forgot['email']);
|
2019-03-08 00:35:53 +00:00
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(empty($forgotUser)) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = "This e-mail address is not registered with us.";
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(!user_recovery_token_sent($forgotUser['user_id'], $ipAddress)) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$verificationCode = user_recovery_token_create($forgotUser['user_id'], $ipAddress);
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(empty($verificationCode)) {
|
2019-03-08 00:35:53 +00:00
|
|
|
throw new UnexpectedValueException('A verification code failed to insert.');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$messageBody = <<<MSG
|
|
|
|
|
Hey {$forgotUser['username']},
|
|
|
|
|
|
|
|
|
|
You, or someone pretending to be you, has requested a password reset for your account.
|
|
|
|
|
|
|
|
|
|
Your verification code is: {$verificationCode}
|
|
|
|
|
|
|
|
|
|
If you weren't the person who requested this reset, please send a reply to this e-mail.
|
|
|
|
|
MSG;
|
|
|
|
|
|
|
|
|
|
$message = mail_compose(
|
|
|
|
|
[$forgotUser['email'] => $forgotUser['username']],
|
|
|
|
|
'Flashii Password Reset',
|
|
|
|
|
$messageBody
|
|
|
|
|
);
|
|
|
|
|
|
2019-06-10 17:04:53 +00:00
|
|
|
if(!mail_send($message)) {
|
2019-03-08 00:35:53 +00:00
|
|
|
$notices[] = "Failed to send reset email, please contact the administrator.";
|
|
|
|
|
user_recovery_token_invalidate($forgotUser['user_id'], $verificationCode);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-08 21:46:24 +00:00
|
|
|
url_redirect('auth-reset', ['user' => $forgotUser['user_id']]);
|
2019-03-08 00:35:53 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
echo tpl_render($userId > 0 ? 'auth.password_reset' : 'auth.password_forgot', [
|
|
|
|
|
'password_notices' => $notices,
|
2019-03-18 21:30:19 +00:00
|
|
|
'password_email' => !empty($forget['email']) && is_string($forget['email']) ? $forget['email'] : '',
|
2019-03-08 00:35:53 +00:00
|
|
|
'password_attempts_remaining' => $remainingAttempts,
|
|
|
|
|
'password_user_id' => $userId,
|
|
|
|
|
'password_username' => $username,
|
|
|
|
|
'password_verification' => $verificationCode ?? '',
|
|
|
|
|
]);
|
