misuzu/public/auth/password.php

<?php
namespace Misuzu;

use UnexpectedValueException;
use Misuzu\Net\IPAddress;

require_once '../../misuzu.php';

if(user_session_active()) {
    url_redirect('settings-account');
    return;
}

$reset = !empty($_POST['reset']) && is_array($_POST['reset']) ? $_POST['reset'] : [];
$forgot = !empty($_POST['forgot']) && is_array($_POST['forgot']) ? $_POST['forgot'] : [];
$userId = !empty($reset['user']) ? (int)$reset['user'] : (
    !empty($_GET['user']) ? (int)$_GET['user'] : 0
);
$username = $userId > 0 ? user_username_from_id($userId) : '';

if($userId > 0 && empty($username)) {
    url_redirect('auth-forgot');
    return;
}

$notices = [];
$siteIsPrivate = Config::get('private.enable', Config::TYPE_BOOL);
$canResetPassword = $siteIsPrivate ? Config::get('private.allow_password_reset', Config::TYPE_BOOL, true) : true;
$ipAddress = IPAddress::remote();
$remainingAttempts = user_login_attempts_remaining($ipAddress);

while($canResetPassword) {
    if(!empty($reset) && $userId > 0) {
        if(!CSRF::validateRequest()) {
            $notices[] = 'Was unable to verify the request, please try again!';
            break;
        }

        $verificationCode = !empty($reset['verification']) && is_string($reset['verification']) ? $reset['verification'] : '';

        if(!user_recovery_token_validate($userId, $verificationCode)) {
            $notices[] = 'Invalid verification code!';
            break;
        }

        $password = !empty($reset['password']) && is_array($reset['password']) ? $reset['password'] : [];
        $passwordNew = !empty($password['new']) && is_string($password['new']) ? $password['new'] : '';
        $passwordConfirm = !empty($password['confirm']) && is_string($password['confirm']) ? $password['confirm'] : '';

        if(empty($passwordNew) || empty($passwordConfirm)
            || $passwordNew !== $passwordConfirm) {
            $notices[] = "Password confirmation failed!";
            break;
        }

        if(user_validate_password($passwordNew) !== '') {
            $notices[] = 'Your password is too weak!';
            break;
        }

        if(user_password_set($userId, $passwordNew)) {
            audit_log(MSZ_AUDIT_PASSWORD_RESET, $userId);
        } else {
            throw new UnexpectedValueException('Password reset failed.');
        }

        // disable two factor auth to prevent getting locked out of account entirely
        user_totp_update($userId, null);

        user_recovery_token_invalidate($userId, $verificationCode);

        url_redirect('auth-login', ['redirect' => '/']);
        return;
    }

    if(!empty($forgot)) {
        if(!CSRF::validateRequest()) {
            $notices[] = 'Was unable to verify the request, please try again!';
            break;
        }

        if(empty($forgot['email']) || !is_string($forgot['email'])) {
            $notices[] = "You didn't supply an e-mail address.";
            break;
        }

        if($remainingAttempts < 1) {
            $notices[] = "There are too many failed login attempts from your IP address, please try again later.";
            break;
        }

        $forgotUser = user_find_for_reset($forgot['email']);

        if(empty($forgotUser)) {
            $notices[] = "This e-mail address is not registered with us.";
            break;
        }

        if(!user_recovery_token_sent($forgotUser['user_id'], $ipAddress)) {
            $verificationCode = user_recovery_token_create($forgotUser['user_id'], $ipAddress);

            if(empty($verificationCode)) {
                throw new UnexpectedValueException('A verification code failed to insert.');
            }

            $recoveryMessage = Mailer::template('password-recovery', [
                'username' => $forgotUser['username'],
                'token' => $verificationCode,
            ]);

            $recoveryMail = Mailer::sendMessage(
                [$forgotUser['email'] => $forgotUser['username']],
                $recoveryMessage['subject'], $recoveryMessage['message']
            );

            if(!$recoveryMail) {
                $notices[] = "Failed to send reset email, please contact the administrator.";
                user_recovery_token_invalidate($forgotUser['user_id'], $verificationCode);
                break;
            }
        }

        url_redirect('auth-reset', ['user' => $forgotUser['user_id']]);
        return;
    }

    break;
}

Template::render($userId > 0 ? 'auth.password_reset' : 'auth.password_forgot', [
    'password_notices' => $notices,
    'password_email' => !empty($forget['email']) && is_string($forget['email']) ? $forget['email'] : '',
    'password_attempts_remaining' => $remainingAttempts,
    'password_user_id' => $userId,
    'password_username' => $username,
    'password_verification' => $verificationCode ?? '',
]);
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`<?php`
Added namespaces to all files in public. 2019-09-28 22:43:51 +00:00			`namespace Misuzu;`

Fixed namespacing issues. 2019-10-02 19:02:22 +00:00			`use UnexpectedValueException;`
Massive overhauls. 2019-12-12 00:42:28 +00:00			`use Misuzu\Net\IPAddress;`
Fixed namespacing issues. 2019-10-02 19:02:22 +00:00
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`require_once '../../misuzu.php';`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(user_session_active()) {`
Split the changelog manage section up into multiple files. 2019-06-08 21:46:24 +00:00			`url_redirect('settings-account');`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`return;`
			`}`

Dropkick RequestVar 2019-03-18 21:30:19 +00:00			`$reset = !empty($_POST['reset']) && is_array($_POST['reset']) ? $_POST['reset'] : [];`
			`$forgot = !empty($_POST['forgot']) && is_array($_POST['forgot']) ? $_POST['forgot'] : [];`
			`$userId = !empty($reset['user']) ? (int)$reset['user'] : (`
			`!empty($_GET['user']) ? (int)$_GET['user'] : 0`
			`);`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$username = $userId > 0 ? user_username_from_id($userId) : '';`

Code style updates. 2019-06-10 17:04:53 +00:00			`if($userId > 0 && empty($username)) {`
Split the changelog manage section up into multiple files. 2019-06-08 21:46:24 +00:00			`url_redirect('auth-forgot');`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`return;`
			`}`

			`$notices = [];`
Made config functions into a static class. 2019-12-03 18:52:20 +00:00			`$siteIsPrivate = Config::get('private.enable', Config::TYPE_BOOL);`
			`$canResetPassword = $siteIsPrivate ? Config::get('private.allow_password_reset', Config::TYPE_BOOL, true) : true;`
Massive overhauls. 2019-12-12 00:42:28 +00:00			`$ipAddress = IPAddress::remote();`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$remainingAttempts = user_login_attempts_remaining($ipAddress);`

Code style updates. 2019-06-10 17:04:53 +00:00			`while($canResetPassword) {`
			`if(!empty($reset) && $userId > 0) {`
CSRF from Hanyuu. 2019-12-11 18:10:54 +00:00			`if(!CSRF::validateRequest()) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = 'Was unable to verify the request, please try again!';`
			`break;`
			`}`

Dropkick RequestVar 2019-03-18 21:30:19 +00:00			`$verificationCode = !empty($reset['verification']) && is_string($reset['verification']) ? $reset['verification'] : '';`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00
Code style updates. 2019-06-10 17:04:53 +00:00			`if(!user_recovery_token_validate($userId, $verificationCode)) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = 'Invalid verification code!';`
			`break;`
			`}`

Dropkick RequestVar 2019-03-18 21:30:19 +00:00			`$password = !empty($reset['password']) && is_array($reset['password']) ? $reset['password'] : [];`
			`$passwordNew = !empty($password['new']) && is_string($password['new']) ? $password['new'] : '';`
			`$passwordConfirm = !empty($password['confirm']) && is_string($password['confirm']) ? $password['confirm'] : '';`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00
Code style updates. 2019-06-10 17:04:53 +00:00			`if(empty($passwordNew) \|\| empty($passwordConfirm)`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`\|\| $passwordNew !== $passwordConfirm) {`
			`$notices[] = "Password confirmation failed!";`
			`break;`
			`}`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(user_validate_password($passwordNew) !== '') {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = 'Your password is too weak!';`
			`break;`
			`}`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(user_password_set($userId, $passwordNew)) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`audit_log(MSZ_AUDIT_PASSWORD_RESET, $userId);`
			`} else {`
			`throw new UnexpectedValueException('Password reset failed.');`
			`}`

Disable two factor authentication on password reset. 2019-03-10 16:01:45 +00:00			`// disable two factor auth to prevent getting locked out of account entirely`
			`user_totp_update($userId, null);`

Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`user_recovery_token_invalidate($userId, $verificationCode);`

Split the changelog manage section up into multiple files. 2019-06-08 21:46:24 +00:00			`url_redirect('auth-login', ['redirect' => '/']);`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`return;`
			`}`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(!empty($forgot)) {`
CSRF from Hanyuu. 2019-12-11 18:10:54 +00:00			`if(!CSRF::validateRequest()) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = 'Was unable to verify the request, please try again!';`
			`break;`
			`}`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(empty($forgot['email']) \|\| !is_string($forgot['email'])) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = "You didn't supply an e-mail address.";`
			`break;`
			`}`

Code style updates. 2019-06-10 17:04:53 +00:00			`if($remainingAttempts < 1) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = "There are too many failed login attempts from your IP address, please try again later.";`
			`break;`
			`}`

Dropkick RequestVar 2019-03-18 21:30:19 +00:00			`$forgotUser = user_find_for_reset($forgot['email']);`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00
Code style updates. 2019-06-10 17:04:53 +00:00			`if(empty($forgotUser)) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = "This e-mail address is not registered with us.";`
			`break;`
			`}`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(!user_recovery_token_sent($forgotUser['user_id'], $ipAddress)) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$verificationCode = user_recovery_token_create($forgotUser['user_id'], $ipAddress);`

Code style updates. 2019-06-10 17:04:53 +00:00			`if(empty($verificationCode)) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`throw new UnexpectedValueException('A verification code failed to insert.');`
			`}`

Ported Mailer class from Hanyuu. 2019-12-03 19:09:18 +00:00			`$recoveryMessage = Mailer::template('password-recovery', [`
			`'username' => $forgotUser['username'],`
			`'token' => $verificationCode,`
			`]);`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00
Ported Mailer class from Hanyuu. 2019-12-03 19:09:18 +00:00			`$recoveryMail = Mailer::sendMessage(`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`[$forgotUser['email'] => $forgotUser['username']],`
Ported Mailer class from Hanyuu. 2019-12-03 19:09:18 +00:00			`$recoveryMessage['subject'], $recoveryMessage['message']`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`);`

Ported Mailer class from Hanyuu. 2019-12-03 19:09:18 +00:00			`if(!$recoveryMail) {`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`$notices[] = "Failed to send reset email, please contact the administrator.";`
			`user_recovery_token_invalidate($forgotUser['user_id'], $verificationCode);`
			`break;`
			`}`
			`}`

Split the changelog manage section up into multiple files. 2019-06-08 21:46:24 +00:00			`url_redirect('auth-reset', ['user' => $forgotUser['user_id']]);`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`return;`
			`}`

			`break;`
			`}`

Ported Template class from Hanyuu project. 2019-12-04 18:16:22 +00:00			`Template::render($userId > 0 ? 'auth.password_reset' : 'auth.password_forgot', [`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`'password_notices' => $notices,`
Dropkick RequestVar 2019-03-18 21:30:19 +00:00			`'password_email' => !empty($forget['email']) && is_string($forget['email']) ? $forget['email'] : '',`
Split auth.php up into multiple files. 2019-03-08 00:35:53 +00:00			`'password_attempts_remaining' => $remainingAttempts,`
			`'password_user_id' => $userId,`
			`'password_username' => $username,`
			`'password_verification' => $verificationCode ?? '',`
			`]);`