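<html>
<?php include "header.php"; ?>
<body>
<br>
<?php
/*
 * Password reset page.
 *
 * Flow, as implemented below (only reachable when isSignedIn() is false):
 *   GET  without token/id        -> show the "enter your email" form.
 *   POST with email              -> email a reset link if the account exists; show the same notice either way.
 *   GET  with token and id       -> if validToken() accepts them, show the "new password" form.
 *   POST with id/token/password  -> re-check the token, check the password, then invalidate the token
 *                                   and store the new password.
 *
 * The helper functions and the SECURE / ERROR_FIELDS_EMPTY constants are not defined in this file;
 * presumably they are provided by header.php -- TODO confirm.
 */

// Markup shared by both places that render the "choose a new password" form. The CSRF field, the hidden
// token/id inputs and the closing </form> are appended at each call site.
$resetPasswordFormHtml = "<form class=\"form-horizontal\" action=\"/reset/\" method=\"post\"> <fieldset> <!-- Form Name --> <center><legend>Reset Password</legend></center><!-- Text input--> <div class=\"form-group\"><label class=\"col-md-4 control-label\" for=\"password\">New Password</label> <div class=\"col-md-5\"> <input id=\"password\" name=\"password\" type=\"password\" placeholder=\"Enter a new password...\" class=\"form-control input-md\" required=\"\"> <span class=\"help-block\">Simply enter a new password.</span> </div> </div> <!-- Button --> <div class=\"form-group\"> <label class=\"col-md-4 control-label\" for=\"reset\"></label> <div class=\"col-md-4\"> <button id=\"reset\" name=\"reset\" class=\"btn btn-primary\">Reset password</button> </div> </div> </fieldset> ";

if (!SECURE) {
    echo '<center><div style="color:red;"><b>Warning:</b> Development mode is enabled. Unless you know what you are doing, it may not be safe for you to login.</div></center><br>';
}

if (!isSignedIn()) {
    if ($_SERVER['REQUEST_METHOD'] === "POST") {
        // A missing csrf field is passed on as null (what the unguarded read produced) without raising a notice.
        if (checkCSRFToken(isset($_POST['csrf']) ? $_POST['csrf'] : null)) {
            if (isset($_POST['email'])) { // first time visiting-- send email and stuff
                if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
                    $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
                    $user = getUserByEmail($email);
                    // TODO: Work on preventing timing attacks
                    // (only the branch for an existing account generates a token and sends mail, so the
                    // response time can differ from the "no such account" case).
                    if (!gone($user['username'])) {
                        $id = $user['id'];
                        // The literal 1 is handed to generateToken()/validToken()/invalidateToken() throughout;
                        // presumably it identifies the password-reset token type -- TODO confirm.
                        $token = generateToken($id, 1);
                        $url = toAbsoluteURL('/reset/?token=' . $token . '&id=' . $id);
                        // The username is account data placed inside an HTML mail body, so it is HTML-escaped.
                        $safeUsername = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
                        sendEmail($email, 'teendevops', 'info@teendevops.net', 'Forgotten Password Reset', 'Someone (hopefully you) requested a new password for the teendevops account <b>' . $safeUsername . '</b><br><br>If you own this account and you requested the reset, please click the link below:
<br><a href="' . $url . '">' . $url . '</a><br><br>If you did not request the password reset, you can safely ignore this email. Only someone who has access to your email can reset your password. If you have any questions, please let us know by responding to this email.<br><br>Thanks,<br> the teendevops team');
                    } else if (!SECURE) {
                        // Development mode only: this reveals whether an account exists for the address.
                        echo 'The user does not exist. ';
                    }
                    // Same notice whether or not the account exists, so the page text does not reveal it.
                    echo '<center>If a user with that email exists, an email will be sent containing a link to reset your password.<br>If you don\'t receive the email in the next 20 minutes, try <a href="javascript:window.location.reload(true)">requesting the email again</a></center>';
                } else {
                    echo "<center>Error: Email validation failed.</center>";
                }
            } else { // second time visiting-- reset password
                // is_string() rejects array-valued fields (e.g. password[]=...) before they reach strlen(),
                // validToken() or the HTML output below.
                $haveFields = isset($_POST['id']) && isset($_POST['token']) && isset($_POST['password'])
                    && is_string($_POST['id']) && is_string($_POST['token']) && is_string($_POST['password']);
                if (!$haveFields) {
                    echo ERROR_FIELDS_EMPTY;
                } else {
                    $id = $_POST['id'];
                    $password = $_POST['password'];
                    $token = $_POST['token'];
                    // The token is checked again here; the check done when the form was rendered is not trusted.
                    if (validToken($id, 1, $token)) {
                        $ok = false;
                        $message = 'Password has been changed! Click <a href="/login/">here</a> to login.';
                        if (strlen($password) < 8) {
                            // Wording now matches the check: 8 characters is accepted.
                            $message = 'Please choose a password of at least 8 characters.'; // todo: use strings
                        } else if (!isPasswordSecure($password)) {
                            $message = 'Please choose a stronger password.';
                        } else {
                            $ok = true;
                        }
                        if ($ok) {
                            // Invalidate first so the link cannot be reused once the password is set.
                            invalidateToken($id, 1);
                            setPassword($id, $password);
                            echo '<center style="color:green">' . $message . '</center>';
                        } else {
                            echo '<center style="color:red">' . $message . '</center>';
                            echo $resetPasswordFormHtml . printCSRFToken();
                            // Request-supplied values are escaped before being written into attributes,
                            // as the GET branch below already does.
                            echo '<input type="hidden" id="token" name="token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">' . '<input type="hidden" id="id" name="id" value="' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '">' . " </form>";
                        }
                    } else {
                        echo 'Error: Invalid token or id.';
                    }
                }
            }
        } else {
            error("Error: Invalid CSRF token.");
            // NOTE(review): output has already started above (the <html> line and header.php), so unless
            // output buffering is active this status code may not be applied -- confirm.
            http_response_code(401);
        }
    } else { // HTTP GET
        // NOTE(review): $_REQUEST can also carry POST and cookie values depending on request_order;
        // $_GET would be narrower. Left unchanged to keep behavior.
        if (isset($_REQUEST['token']) && isset($_REQUEST['id'])) { // second visit after clicking the email link
            if (is_string($_REQUEST['token']) && is_string($_REQUEST['id']) && validToken($_REQUEST['id'], 1, $_REQUEST['token'])) {
                echo $resetPasswordFormHtml . printCSRFToken();
                echo '<input type="hidden" id="token" name="token" value="' . htmlspecialchars($_REQUEST['token'], ENT_QUOTES, 'UTF-8') . '">' . '<input type="hidden" id="id" name="id" value="' . htmlspecialchars($_REQUEST['id'], ENT_QUOTES, 'UTF-8') . '">' . " </form>";
            } else {
                echo "Error: Either the password reset link expired, or it never existed.";
            }
        } else { // first visit
            echo "<form class=\"form-horizontal\" action=\"/reset/\" method=\"post\"> <fieldset> <!-- Form Name --> <center><legend>Reset Password</legend></center><!-- Text input--> <div class=\"form-group\"><label class=\"col-md-4 control-label\" for=\"email\">Email</label> <div class=\"col-md-5\"> <input id=\"email\" name=\"email\" type=\"text\" placeholder=\"Enter your email address...\" class=\"form-control input-md\" required=\"\"> <span class=\"help-block\">Simply enter your email address.</span> </div> </div> <!-- Button --> <div class=\"form-group\"> <label class=\"col-md-4 control-label\" for=\"reset\"></label> <div class=\"col-md-4\"> <button id=\"reset\" name=\"reset\" class=\"btn btn-primary\">Send email</button> </div> </div> </fieldset> " . printCSRFToken() . " </form>";
        }
    }
} else {
    echo '<center>You\'re already signed in! <a href="/">Go home</a>.</center>';
}
?>
<?php include "footer.php"; ?>
</body>
</html>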