svrjs-mods-directory/includes/page_confirmpassword.php

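<?php
if (!defined('SVRJS_MOD_DIRECTORY')) die;

// Second step of the password-reset flow. The visitor arrives with a
// requests_password.id in the URL (presumably linked from the reset e-mail;
// the template below copies it from $_GET into a hidden field) and submits a
// new password. On success the request row is consumed, the new bcrypt hash
// is stored and the current browser session is logged in as that user.
//
// SECURITY NOTE(review): the request id is the only secret in this flow --
// there is no separate token. It must therefore be a high-entropy random value,
// never an auto-increment key; otherwise ids can simply be iterated to reset
// arbitrary accounts. That is decided where the row is created, which is not
// visible in this file -- confirm it there.
$errorMessage = null;
$passwordChanged = false;
$userData = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Every input is checked with is_string() before use: a "field[]=..."
    // submission arrives as an array and would make hash_equals() /
    // password_hash() / bind_param() throw a TypeError instead of failing cleanly.
    $sessionCsrf = $_SESSION['csrf'] ?? null;
    $postedCsrf = $_POST['_csrf'] ?? null;
    $newPassword = $_POST['password'] ?? null;
    $newPasswordRepeat = $_POST['password2'] ?? null;
    $postedId = $_POST['id'] ?? null;

    // hash_equals() is constant-time. It needs two strings and returns true for
    // two empty strings, so an absent/empty session token is rejected first
    // (the old loose "!=" would have accepted "_csrf=" against a missing token).
    if (!is_string($sessionCsrf) || $sessionCsrf === ''
        || !is_string($postedCsrf)
        || !hash_equals($sessionCsrf, $postedCsrf)) {
        $errorMessage = "Potential CSRF attack detected.";
    } elseif (!is_string($newPassword) || !is_string($newPasswordRepeat)
        || $newPassword === '' || $newPasswordRepeat === '') {
        $errorMessage = "You need to input passwords.";
    } elseif ($newPassword !== $newPasswordRepeat) {
        $errorMessage = "Passwords don't match.";
    } elseif (strlen($newPassword) < 8) {
        // Server-side minimum length; the strength meter in the form is
        // client-side and advisory only.
        $errorMessage = "Password must be at least 8 characters long.";
    } elseif (!is_string($postedId) || $postedId === '') {
        $errorMessage = "Password change request ID is not specified.";
    } elseif (filter_var($postedId, FILTER_VALIDATE_INT) === false) {
        // The id is bound as an integer below; reject anything that is not one
        // up front instead of letting an (int) cast map "12abc" onto request 12.
        $errorMessage = "Invalid request ID.";
    } else {
        $requestId = (int) $postedId;
        // Set once the request row was actually queried; only then is the row
        // consumed at the end, regardless of how the steps in between went.
        $requestLookedUp = false;

        // do/while(false) lets each failing step `break` to the cleanup
        // instead of nesting a level deeper per check.
        do {
            $statement = $connection->prepare("SELECT user, (NOW() > request_date + INTERVAL 1 DAY) AS expired FROM requests_password WHERE id = ?");
            if (!$statement) {
                $errorMessage = "An unexpected error occurred while changing the password.";
                break;
            }
            $statement->bind_param('i', $requestId);
            $statement->execute();
            $result = $statement->get_result();
            $request = $result ? $result->fetch_assoc() : null;
            $statement->close();
            if (!$result) {
                $errorMessage = "An unexpected error occurred while changing the password.";
                break;
            }
            $requestLookedUp = true;

            // Requests older than one day (computed in the query) are treated
            // exactly like unknown ids: same message, and the row is removed.
            if (!$request || $request['expired']) {
                $errorMessage = "Invalid request ID.";
                break;
            }

            $statement = $connection->prepare("SELECT id, username, email, is_suspended, is_verified FROM users WHERE id = ? AND is_deleted = 0");
            if (!$statement) {
                $errorMessage = "An unexpected error occurred while changing the password.";
                break;
            }
            $statement->bind_param('i', $request['user']);
            $statement->execute();
            $result = $statement->get_result();
            // $userData is also read by the notification e-mail after the footer.
            $userData = $result ? $result->fetch_assoc() : null;
            $statement->close();
            if (!$result) {
                $errorMessage = "An unexpected error occurred while changing the password.";
                break;
            }
            if (!$userData) {
                $errorMessage = "Your account doesn't exist.";
                break;
            }
            if ($userData['is_suspended']) {
                $errorMessage = "Your account is suspended.";
                break;
            }
            if (!$userData['is_verified']) {
                $errorMessage = "Your account is not activated yet.";
                break;
            }

            $statement = $connection->prepare("UPDATE users SET password = ? WHERE id = ?");
            if (!$statement) {
                $errorMessage = "An unexpected error occurred while changing the password.";
                break;
            }
            // PASSWORD_DEFAULT is bcrypt, which only uses the first 72 bytes of
            // the password; anything longer is silently truncated by the hash.
            $hashedPassword = password_hash($newPassword, PASSWORD_DEFAULT);
            $statement->bind_param('si', $hashedPassword, $request['user']);
            $updated = $statement->execute();
            $statement->close();
            if (!$updated) {
                $errorMessage = "An unexpected error occurred while changing the password.";
                break;
            }

            $passwordChanged = true;
            // Log this browser in as the user. The session id is regenerated so
            // a session fixated before the reset does not inherit the login.
            // NOTE(review): nothing here invalidates the user's *other* active
            // sessions; if the reset is a response to a compromise, those stay
            // valid unless the login code checks something not visible here.
            session_regenerate_id(true);
            $_SESSION['user'] = $request['user'];
        } while (false);

        // Consume the request (one attempt per link) whenever it was looked up,
        // whether or not the change succeeded -- including unknown/expired ids.
        // A failure here overwrites $errorMessage but leaves $passwordChanged.
        if ($requestLookedUp) {
            $statement = $connection->prepare("DELETE FROM requests_password WHERE id = ?");
            if (!$statement) {
                $errorMessage = "An unexpected error occurred while changing the password.";
            } else {
                // Bound as an integer like the SELECT above (it used to be 's').
                $statement->bind_param('i', $requestId);
                if (!$statement->execute()) {
                    $errorMessage = "An unexpected error occurred while changing the password.";
                }
                $statement->close();
            }
        }
    }
}

// Page metadata consumed by header.php: the success view gets its own title.
if ($passwordChanged) {
    $pageTitle = "Password changed";
    $pageDescription = "Your password has been changed.";
} else {
    $pageTitle = "Change password";
    $pageDescription = "Change your password in SVR.JS Mods directory.";
}
include 'header.php';
?>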
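<main class="content">
<?php
// Base URL of the app, with or without URL rewriting; used for both links below.
$baseUrl = URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/';

// The request id arrives in the URL on first view and is echoed back as a
// hidden field for the POST (a failed POST keeps its own id). Only a non-empty
// string is reused: an "id[]=" array would make htmlspecialchars() throw.
$requestIdField = '';
if (isset($_POST['id']) && is_string($_POST['id']) && $_POST['id'] !== '') {
    $requestIdField = $_POST['id'];
} elseif (isset($_GET['id']) && is_string($_GET['id']) && $_GET['id'] !== '') {
    $requestIdField = $_GET['id'];
}

// Explicit flags: before PHP 8.1 htmlspecialchars() left single quotes alone,
// and ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
$escapeFlags = ENT_QUOTES | ENT_SUBSTITUTE;
?>
<?php if ($passwordChanged) { ?>
    <h1>Password changed</h1>
    <p>Your password has been changed.</p>
    <p><a href="<?php echo htmlspecialchars($baseUrl, $escapeFlags, 'UTF-8') ?>" class="btn">Return to home</a></p>
<?php } else { ?>
    <h1>Change password</h1>
    <form action="<?php echo htmlspecialchars($baseUrl . 'confirm-password', $escapeFlags, 'UTF-8') ?>" method="post" class="form" enctype="multipart/form-data">
        <div class="form-block">
            <label for="password">New password:</label>
            <!-- autocomplete="new-password" keeps browsers/password managers from
                 autofilling the *current* password into the reset form. minlength
                 is a client-side hint only; the server must enforce its own minimum. -->
            <input type="password" name="password" id="password" required minlength="8" autocomplete="new-password">
            <p>Password strength: <span id="password-strength"></span></p>
        </div>
        <div class="form-block">
            <label for="password2">Confirm password:</label>
            <input type="password" name="password2" id="password2" required minlength="8" autocomplete="new-password">
        </div>
        <?php if ($errorMessage) { ?>
        <p class="form-error"><?php echo htmlspecialchars($errorMessage, $escapeFlags, 'UTF-8') ?></p>
        <?php } ?>
        <div class="form-block">
            <input type="submit" value="Change password">
        </div>
        <input type="hidden" name="_csrf" value="<?php echo htmlspecialchars((string) ($_SESSION['csrf'] ?? ''), $escapeFlags, 'UTF-8') ?>">
        <input type="hidden" name="id" value="<?php echo htmlspecialchars($requestIdField, $escapeFlags, 'UTF-8') ?>">
    </form>
<?php } ?>
</main>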
<?php
// footer.php presumably reads $passwordStrengthMeter to decide whether to
// ship the strength-meter script; only the form view needs it.
$passwordStrengthMeter = !$passwordChanged;
include 'footer.php';

// Notify the account owner that the password changed. This runs after the
// footer has been emitted (presumably so mail latency does not delay the
// page) and only when a change actually happened and the user row is known.
if ($passwordChanged && $userData) {
    $recipient = [
        "name" => $userData['username'],
        "address" => $userData['email'],
    ];
    $notificationBody = "Your password has been changed. If you did it, you are safe - you can ignore the message. If not, contact the administrator of SVR.JS Mods directory immediately, as your account might be compromised.";
    sendEmail([$recipient], 'Your password has been changed.', $notificationBody);
}
?>