Commit 415c08bc authored by Benjamin Sonntag's avatar Benjamin Sonntag

lost password is now working properly

parent 38f508db
RewriteEngine On
RewriteRule /recover/([0-9]*)/([0-9a-fA-F]*) lost.php?id=$1&key=$2 [L]
RewriteRule recover/([0-9]*)/([0-9a-fA-F]*) lost.php?id=$1&key=$2 [L]
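Review bot: Neither RewriteRule is anchored and both capture classes accept the empty string, so `recover//` or `recover/12/abcd/anything-else` is still rewritten to lost.php with empty or truncated parameters and only rejected later by the PHP-side regex. The two rules are also redundant: if this is a per-directory `.htaccess` (it presumably is, given `RewriteEngine On`), the leading slash is stripped before matching, so the second rule already covers everything the first does. One anchored rule in the format lost.php checks, `RewriteRule ^recover/([0-9]+)/([0-9a-f]{16})$ lost.php?id=$1&key=$2 [L]`, replaces both; note that lost.php only accepts lowercase hex while this pattern also admits `A-F`.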
<?php
/*
Prosody Account Manager
Copyright (C) 2014 Benjamin Sonntag <benjamin@sonntag.fr>, SKhaen <skhaen@cyphercat.eu>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
You can find the source code of this software at https://github.com/LaQuadratureDuNet/JabberService
*/
require_once("config.php");
require_once("dochangepass.php");
require_once("header.php");
require_once("css.php");
?>
<p>
<b><?php __("Menu:"); ?></b>
<a href="create.php"><?php __("Create an account"); ?></a> -
<?php __("I lost my password"); ?> -
<a href="recover.php"><?php __("My account is disabled"); ?></a>
</p>
<h1><?php __("Change your password"); ?></h1>
<?php
if (count($error)) {
echo "<div class=\"error\">";
foreach($error as $e) echo $e."<br>\n";
echo "</div>";
}
if (count($info)) {
echo "<div class=\"info\">";
foreach($info as $e) echo $e."<br>\n";
echo "</div>";
}
?>
<form method="post" action="/my/changepass.php">
<input type="hidden" name="csrf" value="<?php echo csrf_gen(); ?>" />
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<input type="hidden" name="key" value="<?php echo $key; ?>" />
<table style="width: 700px">
<tr><th style="width: 250px"><?php __("New password"); ?><sup>*</sup></th>
<td style="width: 450px"><input type="password" name="pass1" id="pass1" value="<?php eher("pass1"); ?>" style="width: 200px"/></td></tr>
<tr><th><?php __("New password (again)"); ?><sup>*</sup></th>
<td><input type="password" name="pass2" id="pass2" value="<?php eher("pass2"); ?>" style="width: 200px"/></td></tr>
</table>
<div class="wichtig">
<?php __("Don't put anything in this field"); ?><input type="text" name="url" id="url" value="" style="width: 200px"/>
</div>
<input type="submit" name="go" value="<?php __("Change my password"); ?>" class="btn" id="go"/>
</form>
<p>&nbsp;</p>
<?php
require_once("footer.php");
?>
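Review bot: The form never submits a `cap` field, yet the handler this page includes through `require_once("dochangepass.php")` compares `$_SESSION["captcha"]` against `$_POST["cap"]`, so that check always reads an undefined index and its result depends only on whether a captcha value happens to be in the session. Either add the captcha input here or drop the check in dochangepass.php. Separately, both password inputs are refilled from the previous POST with `eher("pass1")`/`eher("pass2")`, which writes the submitted password back into the page markup on every failed attempt; `<input type="password" name="pass1" id="pass1" style="width: 200px"/>` with no value attribute avoids that. The hidden `key` field is echoed unescaped; it is a computed md5 substring on the paths shown, so it is harmless today, but `htmlspecialchars($key)` keeps it that way if the source of `$key` ever changes.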
<?php
/*
Prosody Account Manager
Copyright (C) 2014 Benjamin Sonntag <benjamin@sonntag.fr>, SKhaen <skhaen@cyphercat.eu>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
You can find the source code of this software at https://github.com/LaQuadratureDuNet/JabberService
*/
require_once("config.php");
$debug=false;
$fields=array("csrf","id","key","pass1","pass2","url");
$found=0;
foreach($fields as $f) if (isset($_POST[$f])) $found++;
$error=array();
$info=array();
if ($found==6 && $_POST["url"]=="") {
$_GET["id"]=$_POST["id"];
$_GET["key"]=$_POST["key"];
if ($_SESSION["captcha"]!=$_POST["cap"]) {
$error[]=_("The captcha is incorrect, please try again");
}
if (!csrf_check($_POST["csrf"])) {
$error[]=_("The captcha is incorrect, please try again (2)");
}
$id=intval($_POST["id"]);
if (!$id || !preg_match('#^[0-9a-f]{16}$#',$_POST["key"])) {
$error[]=_("The url is incorrect. please check your mail or contact us.");
}
if (count($error)==0) {
// Does it exist?
$already=@mysql_fetch_assoc(mysql_query("SELECT * FROM accounts WHERE id='".$id."';"));
if (!$already) {
$error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php");
}
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16);
if ($key!=$_POST["key"]) {
$error[]=_("The provided key is incorrect, please check your mail or contact us.");
}
$pass=fixlogin($_POST["pass1"]);
if ($_POST["pass1"]!=$_POST["pass2"] || $pass!=$_POST["pass1"]) {
$error[]=_("Your passwords are not the same, or contains special characters (unicode and accents authorized though), please try again");
}
if ($already["disabledate"]!="") {
$error[]=sprintf(_("This account have been disabled. <a href=\"%s\">Click here to restore it</a>."),"recover.php");
}
if (count($error)==0) {
// change the password for good (form)
// Connect to the telnet console of prosody.
$f=fsockopen("localhost",5582,$errno,$errstr,5);
if (!$f) {
$error[]=_("Can't connect to jabber server");
} else {
for($i=0;$i<$pass_line_count_telnet;$i++) {
$s=fgets($f,1024);
if ($debug) echo ":".$s.":<br>";
}
fputs($f,'user:password("'.$already["jabberid"].'","'.$pass."\")\n");
$s=fgets($f,1024);
if ($debug) echo ":".$s.":<br>";
if (trim($s)=="| OK: User password changed") {
$info[]=sprintf(_("Your password for account %s has been changed, you can use your new password right now."),$already["jabberid"]);
unset($_POST);
unset($_REQUEST);
require_once("nothing.php");
exit();
} else {
if ($debug) { $s=fgets($f,1024); echo ":".$s.":<br>"; }
$error[]=_("An error occurred trying to change your password, please try again later");
// TODO : send an email to us ;)
}
fclose($f);
}
} // still no error ?
} // no error ?
} // isset ?
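Review bot: When the lookup `$already=@mysql_fetch_assoc(mysql_query(...))` returns false, the error is recorded but execution continues into the key derivation and the `disabledate` test, which index `$already["id"]`, `$already["jabberid"]` and `$already["disabledate"]` on `false`; wrap the remainder of the block in `if ($already) { … }` or bail out right after recording the error (lost.php's recover step 2 has the same shape). The key comparison `if ($key!=$_POST["key"])` is loose and timing-dependent; `if (!hash_equals($key, $_POST["key"]))` is the intended check. The console command `fputs($f,'user:password("'.$already["jabberid"].'","'.$pass."\")\n")` splices the jabberid and the new password into a quoted Lua string, so its safety rests entirely on `fixlogin()` (not shown) never returning a value containing `"` or `\`; an explicit `if (strpbrk($pass, "\"\\") !== false) { $error[]=_("..."); }` before the fsockopen makes that independent of fixlogin's definition. Lastly, the CSRF-failure branch reports "The captcha is incorrect ... (2)", which sends users looking for the wrong problem; a message naming the expired form token would be clearer.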
......@@ -63,7 +63,7 @@ if ($found==5 && $_POST["url"]=="") {
$mail->FromName = $mail_fromname;
$mail->addAddress($_POST["email"]);
$mail->Subject = sprintf(_("Password lost on %s"),$domain);
$mail->Body = sprintf(_("You receive this email because you created an Jabber Chat account on %s and lost your pasword.\n\nPlease click the link below to reset your password.\n\n%s\n\nIf you didn't asked for this password reminder, please ignore this message or contact us.\n\nThanks a lot for your understanding.\nRegards\nThe Jabber Chat Team\n"),$domain,$rooturl."/recover/".$already["id"]."/".$key);
$mail->Body = sprintf(_("You receive this email because you created a Jabber Chat account on %s and lost your pasword.\n\nPlease click the link below to reset your password.\n\n%s\n\nIf you didn't asked for this password reminder, please ignore this message or contact us.\n\nThanks a lot for your understanding.\nRegards\nThe Jabber Chat Team\n"),$domain,$rooturl."/recover/".$already["id"]."/".$key);
if(!$mail->send()) {
$error[]=_("The email has NOT been sent, please try again later or contact us");
} else {
......@@ -73,3 +73,32 @@ if ($found==5 && $_POST["url"]=="") {
} // no error ?
} // isset ?
// Recover step 2
if (isset($_GET["id"]) && isset($_GET["key"])) {
$id=intval($_GET["id"]);
if (!$id || !preg_match('#^[0-9a-f]{16}$#',$_GET["key"])) {
$error[]=_("The url is incorrect. please check your mail or contact us.");
}
if (count($error)==0) {
// Does it exist?
$already=@mysql_fetch_assoc(mysql_query("SELECT * FROM accounts WHERE id='".$id."';"));
if (!$already) {
$error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php");
}
if ($already["disabledate"]!="") {
$error[]=sprintf(_("This account have been disabled. <a href=\"%s\">Click here to restore it</a>."),"recover.php");
}
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16);
if ($key!=$_GET["key"]) {
$error[]=_("The provided key is incorrect, please check your mail or contact us.");
}
if (count($error)==0) {
// change the password (form)
$info[]=sprintf(_("Please enter a new password (twice) for your account %s"),$already["jabberid"]);
require_once("changepass.php");
exit();
} // still no error ?
} // no error ?
} // isset ?
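Review bot: The recovery key in step 2, `substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16)`, is a pure function of values that do not change, so the emailed link never expires and remains valid after the password has been reset; dochangepass.php recomputes the same key, so a successful change does not invalidate it either. Bounding that window means storing a per-request `random_bytes()` token with an expiry next to the account and clearing it on success, which the hunk gives no column for, so it would be a schema change rather than a one-line fix. The comparison `if ($key!=$_GET["key"])` should be `if (!hash_equals($key, $_GET["key"]))`. A failed lookup adds an error but the block still indexes `$already["disabledate"]` and `$already["id"]` on `false`, and the distinct "doesn't exist" message is produced before the key is verified, so the id alone reveals whether an account exists; returning one generic message until the key matches closes that. The first hunk only changes "an Jabber" to "a Jabber" inside the `if ($found==5 ...)` block that starts outside it; "pasword" and "didn't asked" in the same msgid are left as they were.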
<?php
/*
Prosody Account Manager
Copyright (C) 2014 Benjamin Sonntag <benjamin@sonntag.fr>, SKhaen <skhaen@cyphercat.eu>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
You can find the source code of this software at https://github.com/LaQuadratureDuNet/JabberService
*/
require_once("config.php");
require_once("header.php");
require_once("css.php");
?>
<p>
<b><?php __("Menu:"); ?></b>
<a href="create.php"><?php __("Create an account"); ?></a> -
<?php __("I lost my password"); ?> -
<a href="recover.php"><?php __("My account is disabled"); ?></a>
</p>
<h1><?php __("Change your password"); ?></h1>
<?php
if (count($error)) {
echo "<div class=\"error\">";
foreach($error as $e) echo $e."<br>\n";
echo "</div>";
}
if (count($info)) {
echo "<div class=\"info\">";
foreach($info as $e) echo $e."<br>\n";
echo "</div>";
}
?>
<p>&nbsp;</p>
<?php
require_once("footer.php");
?>
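Review bot: `count($error)` and `count($info)` assume the including script has set both variables; this page is only reached from dochangepass.php after a successful change, but opened directly `$error` is undefined and `count(null)` warns on PHP 7 and throws a TypeError on PHP 8. `if (!empty($error))` and `if (!empty($info))` are the robust forms here and in the identical block of changepass.php. The messages are echoed raw because the translated strings carry markup, but the success message built in dochangepass.php interpolates `$already["jabberid"]` from the database; unless fixlogin (not shown) constrains that value to a safe character set at creation, it is reflected unescaped here, and passing it through `htmlspecialchars()` at the sprintf argument settles the question.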