162 lines
No EOL
6.8 KiB
PHP
162 lines
No EOL
6.8 KiB
PHP
<?php
|
|
if (!defined('SVRJS_MOD_DIRECTORY')) die;
|
|
|
|
$errorMessage = null;
|
|
$emailExists = false;
|
|
$passwordChanged = false;
|
|
$passwordRequestID = null;
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
|
if (!isset($_POST['_csrf']) || $_POST['_csrf'] != $_SESSION['csrf']) {
|
|
$errorMessage = "Potential CSRF attack detected.";
|
|
} else {
|
|
if (!isset($_POST['email']) || !$_POST['email']) {
|
|
$errorMessage = "You need to input fields.";
|
|
} elseif (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
|
|
$errorMessage = "Invalid email address.";
|
|
} else {
|
|
$statement = $connection->prepare('SELECT id, username, email, is_suspended, is_verified FROM users WHERE email = ?;');
|
|
if (!$statement) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$statement->bind_param('s', $_POST['email']);
|
|
$statement->execute();
|
|
$result = $statement->get_result();
|
|
if (!$result) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
$statement->close();
|
|
} else {
|
|
$userData = $result->fetch_assoc();
|
|
$statement->close();
|
|
$emailExists = boolval($userData);
|
|
if ($emailExists) {
|
|
if ($userData['is_suspended']) {
|
|
$errorMessage = "Your account is suspended.";
|
|
} elseif (!$userData['is_verified']) {
|
|
$errorMessage = "Your account is not activated yet.";
|
|
} else {
|
|
$passwordRequestIDError = false;
|
|
|
|
while (!$passwordRequestID) {
|
|
$tempPasswordRequestID = "";
|
|
if (function_exists('random_bytes')) {
|
|
$tempPasswordRequestID = bin2hex(random_bytes(32));
|
|
} else {
|
|
$tempPasswordRequestID = '';
|
|
for ($i = 0; $i < 32; $i++) {
|
|
$tempPasswordRequestID = $tempPasswordRequestID . bin2hex(rand(0, 255));
|
|
}
|
|
}
|
|
|
|
$statement = $connection->prepare("SELECT id FROM requests_password WHERE id = ?");
|
|
if (!$statement) {
|
|
$passwordRequestIDError = true;
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
break;
|
|
} else {
|
|
$statement->bind_param('s', $tempPasswordRequestID);
|
|
$statement->execute();
|
|
$passwordRequestIDExistsResult = $statement->get_result();
|
|
if (!$passwordRequestIDExistsResult) {
|
|
$passwordRequestIDError = true;
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
$statement->close();
|
|
break;
|
|
} else {
|
|
$passwordRequestIDExists = boolval($passwordRequestIDExistsResult->fetch_assoc());
|
|
$statement->close();
|
|
if (!$passwordRequestIDExists) {
|
|
$passwordRequestID = $tempPasswordRequestID;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!$passwordRequestIDError) {
|
|
$statement = $connection->prepare("REPLACE INTO requests_password (
|
|
id,
|
|
user,
|
|
request_date
|
|
) VALUES (
|
|
?,
|
|
?,
|
|
NOW()
|
|
)");
|
|
if (!$statement) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$statement->bind_param('si', $passwordRequestID, $userData['id']);
|
|
if (!$statement->execute()) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$passwordRequestToSend = true;
|
|
}
|
|
$statement->close();
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
$passwordRequestToSend = true;
|
|
}
|
|
if ($passwordRequestToSend) {
|
|
$sent = false;
|
|
if ($emailExists) {
|
|
$sent = sendEmail(
|
|
[[
|
|
"name" => $userData['username'],
|
|
"address" => $_POST['email']
|
|
]],
|
|
'Password change request',
|
|
"You have requested the change of your password on SVR.JS Mods directory. Copy and paste the link below to change the password. The link will expire after one day.\n\n" . str_replace(["\r\n", "\n", "\r"], "", (isset($_SERVER['HTTPS']) ? 'https://' : 'http://') . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : (isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : 'localhost')) . (URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'confirm-password?id=' . urlencode($passwordRequestID))
|
|
);
|
|
} else {
|
|
$sent = sendEmail(
|
|
[[
|
|
"address" => $_POST['email']
|
|
]],
|
|
'Email address not associated with an account - password change request failed',
|
|
"Someone attempted to change the password of an account which is not associated with your email address. No action is required."
|
|
);
|
|
}
|
|
if (!$sent) {
|
|
$errorMessage = "Can't send password change request email message.";
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($passwordRequestToSend) {
|
|
$pageTitle = "Password change request sent";
|
|
$pageDescription = "Check your inbox for the request.";
|
|
} else {
|
|
$pageTitle = "Forgot password?";
|
|
$pageDescription = "Change your user data in SVR.JS Mods directory.";
|
|
}
|
|
include 'header.php';
|
|
?>
|
|
<main class="content">
|
|
<?php if ($passwordRequestToSend) { ?>
|
|
<h1>Password change request sent</h1>
|
|
<p>Check your inbox for the request.</p>
|
|
<?php } else { ?>
|
|
<h1>Forgot password?</h1>
|
|
<p>If you forgot your password, you can change it - just input your email address associated with your account.</p>
|
|
<form action="<?php echo htmlspecialchars((URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'forgot-password') ?>" method="post" class="form" enctype="multipart/form-data">
|
|
<div class="form-block">
|
|
<label for="email">Email address:</label>
|
|
<input type="email" name="email" id="email" maxlength="255" placeholder="<?php echo htmlspecialchars($userData['email']) ?>" required>
|
|
</div>
|
|
<?php if ($errorMessage) echo '<p class="form-error">' . htmlspecialchars($errorMessage) . '</p>'; ?>
|
|
<div class="form-block">
|
|
<input type="submit" value="Send password change request">
|
|
</div>
|
|
<input type="hidden" name="_csrf" value="<?php echo htmlspecialchars($_SESSION['csrf']) ?>">
|
|
</form>
|
|
<?php } ?>
|
|
</main>
|
|
<?php
|
|
include 'footer.php';
|
|
?>
|