<?php
/*
* MIT Licence
* Copyright (c) 2023 Simon Frankenberger
*
* Please see LICENCE.md for complete licence text.
*/
require_once __DIR__ . '/../include/functions.inc.php';
require_once __DIR__ . '/../include/database.class.php';
require_once __DIR__ . '/../include/captcha.class.php';
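// Buffer output from here on — presumably so the redirects issued further down can
// still send headers even if an include emitted something before them.
ob_start();

// E-mail address of the player asking for a reset (only the a=1 form posts it).
// The explicit '' default keeps trim() away from null, which PHP 8.1+ reports as
// deprecated; the resulting value is '' in both cases, as before.
$email = trim(getOrDefault($_POST, 'email', ''));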
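/**
 * Sends the "Passwort vergessen" mail that carries the reset link for action a=2.
 *
 * @param string $email     recipient address, taken from the player record
 * @param string $name      player name; escaped here because the template renders it
 * @param string $resetLink absolute URL back to this script (a=2, id, token)
 * @return bool result of sendMail()
 */
function sendRecoveryMail(string $email, string $name, string $resetLink): bool
{
    $subject = Config::get(Config::SECTION_BASE, 'game_title') . ': Passwort vergessen';

    // NOTE(review): unlike $name, $resetLink goes into the template unescaped. That is
    // only safe while the link is made of URL-safe characters (base_url, numeric id,
    // token) — callers should urlencode() the token if createRandomCode() can emit
    // anything outside that set; confirm against the template.
    return sendMail($email, $subject, 'password_recovery', [
        '{{USERNAME}}'   => escapeForOutput($name),
        '{{RESET_LINK}}' => $resetLink,
    ]);
}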
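/**
 * Sends the "Dein neues Passwort" mail after a successful reset (action a=2).
 *
 * The freshly generated password is placed into the mail body in clear text, so the
 * confidentiality of the new credential rests entirely on the mail transport and the
 * recipient's mailbox.
 *
 * @param string $email    recipient address, taken from the player record
 * @param string $name     player name; escaped here because the template renders it
 * @param string $password the new plaintext password (the database only gets its hash)
 * @return bool result of sendMail()
 */
function sendPasswordMail(string $email, string $name, string $password): bool
{
    $subject = Config::get(Config::SECTION_BASE, 'game_title') . ': Dein neues Passwort';

    return sendMail($email, $subject, 'password_reset', [
        '{{USERNAME}}' => escapeForOutput($name),
        '{{PASSWORD}}' => $password,
    ]);
}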
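/**
 * Builds the absolute link a player follows to complete the reset (action a=2).
 *
 * The token is urlencode()d so the link stays intact even if createRandomCode() ever
 * produces characters that are reserved in a query string; for a URL-safe token the
 * call is a no-op and the link is byte-identical to the previous format.
 *
 * @param int    $userId player id (rendered with %d, as before)
 * @param string $token  the stored reset token
 */
function buildResetLink(int $userId, string $token): string
{
    return sprintf(
        '%s/actions/pwd_reset.php?a=2&id=%d&token=%s',
        Config::get(Config::SECTION_BASE, 'base_url'),
        $userId,
        urlencode($token)
    );
}

// Dispatch on the action parameter. Kept as a switch on purpose: the request value is
// a string and the cases rely on PHP's loose comparison ('1' == 1); a match() would
// compare strictly and silently fall into the default branch.
switch (getOrDefault($_REQUEST, 'a')) {
    // --- a=1: request a reset token (form on ?p=passwort_vergessen) ---
    case 1:
        $captcha_code = getOrDefault($_POST, 'captcha_code');
        $captcha_id   = getOrDefault($_POST, 'captcha_id', 0);
        $back_link    = sprintf('/?p=passwort_vergessen&email=%s', urlencode($email));

        // The captcha is the only brake on automated reset requests; the 'testing'
        // flag switches it off entirely, so that flag must stay false outside test setups.
        if (!Config::getBoolean(Config::SECTION_BASE, 'testing') && !Captcha::verifyCode($captcha_code, $captcha_id)) {
            redirectTo($back_link, 130, __LINE__);
        }

        $data = Database::getInstance()->getPlayerIdAndNameByEmail($email);
        // Unknown address: redirect with the same message code (244) as the success
        // path so the response text does not reveal whether the address is registered.
        // (The timing still differs, since no mail is sent — TODO confirm that is acceptable.)
        requireEntryFound($data, '/?p=anmelden', 244);
        $userId = (int) $data['ID'];

        $request = Database::getInstance()->getPasswordRequestByUserId($data['ID']);
        if ($request !== null) {
            // A token already exists for this player. Re-send it (refreshing 'created')
            // only if the last mail went out more than 4h ago; otherwise ignore the request.
            if (strtotime($request['created']) < time() - (3600 * 4)) {
                Database::getInstance()->begin();
                if (Database::getInstance()->updateTableEntry(Database::TABLE_PASSWORD_RESET, $request['ID'],
                        ['created' => date('Y-m-d H:i:s')]) !== 1) {
                    Database::getInstance()->rollBack();
                    redirectTo($back_link, 142, __LINE__);
                }
                // NOTE(review): the existing token is re-used rather than rotated, and
                // action a=2 performs no age check, so a token remains valid for as long
                // as its row exists.
                if (!sendRecoveryMail($email, $data['Name'], buildResetLink($userId, $request['token']))) {
                    Database::getInstance()->rollBack();
                    redirectTo($back_link, 172, __LINE__);
                }
                Database::getInstance()->commit();
            } else {
                // Rate-limited branch: a random delay so that "request pending" does not
                // answer noticeably faster than the branch that actually sends a mail.
                usleep(random_int(300000, 800000));
            }
            redirectTo('/?p=anmelden', 244);
        }

        // No pending request: create a fresh token and mail the link.
        $token = createRandomCode();
        Database::getInstance()->begin();
        if (Database::getInstance()->createTableEntry(Database::TABLE_PASSWORD_RESET, [
                'user_id' => $data['ID'],
                'token'   => $token,
            ]) !== 1) {
            Database::getInstance()->rollBack();
            redirectTo($back_link, 141, __LINE__);
        }
        if (!sendRecoveryMail($email, $data['Name'], buildResetLink($userId, $token))) {
            Database::getInstance()->rollBack();
            redirectTo($back_link, 172, __LINE__);
        }
        Database::getInstance()->commit();
        redirectTo('/?p=anmelden', 244);
        break;

    // --- a=2: consume the mailed token, store and mail a new password ---
    case 2:
        $id    = getOrDefault($_GET, 'id', 0);
        $token = getOrDefault($_GET, 'token', '');

        // Refuse a missing, empty or non-scalar token before involving the database:
        // how deleteTableEntryWhere() renders such a value is not visible from here.
        if (!is_string($token) || $token === '') {
            redirectTo('/?p=passwort_vergessen', 154);
        }

        Database::getInstance()->begin();
        // The delete is the token check: exactly one row with this (user_id, token) pair
        // must disappear, otherwise the link is unknown or has already been used.
        // NOTE(review): there is no age check here — see the comment in a=1.
        if (Database::getInstance()->deleteTableEntryWhere(Database::TABLE_PASSWORD_RESET, ['user_id' => $id, 'token' => $token]) !== 1) {
            Database::getInstance()->rollBack();
            redirectTo('/?p=passwort_vergessen', 154);
        }

        $data = Database::getInstance()->getPlayerNameAndEmailById($id);
        // Token row existed but the player lookup came back empty (null/false/[] — the
        // not-found convention of the lookup is not visible here). Previously this fell
        // through and read ['EMail'] off a non-array further down.
        if (!$data) {
            Database::getInstance()->rollBack();
            redirectTo('/?p=passwort_vergessen', 154);
        }

        // Only the hash is stored; the plaintext goes out by mail (see sendPasswordMail).
        $pwd = createRandomPassword();
        if (Database::getInstance()->updateTableEntry(Database::TABLE_USERS, $id, ['Passwort' => hashPassword($pwd)]) !== 1) {
            Database::getInstance()->rollBack();
            redirectTo('/?p=passwort_vergessen', 142, __LINE__);
        }
        if (!sendPasswordMail($data['EMail'], $data['Name'], $pwd)) {
            Database::getInstance()->rollBack();
            redirectTo('/?p=passwort_vergessen', 172, __LINE__);
        }
        Database::getInstance()->commit();
        redirectTo('/?p=anmelden', 245);
        break;

    default:
        redirectTo('/?p=anmelden', 112, __LINE__);
}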