
account recovery via email link

master
Fabian Kurz 4 years ago
parent
commit
f97e67cc47
  1. 2
      .htaccess
  2. 87
      login.php

2
.htaccess

@ -4,3 +4,5 @@ RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteRule ^logout(/)?$ /login.php?f=logout [L]
RewriteRule ^lostpassword(/)?$ /login.php?f=lostpassword [L]
RewriteRule ^recovery/([a-z0-9]+)/([a-zA-Z0-9]+) /login.php?f=recover&h=$1&u=$2 [L]
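Review bot: The callsign group in the new `recovery` rule, `([a-zA-Z0-9]+)`, does not admit `/`, while `valid_call` in login.php (same commit) accepts `/` in callsigns, so a recovery link generated for a callsign containing a slash (constructed example: `DJ1YFK/P`) never reaches `login.php?f=recover` through this rule and the user cannot recover. The rule also has no trailing `$`, unlike the other rules in the hunk, so any further path after the callsign still matches and is silently dropped. The smaller change is `RewriteRule ^recovery/([a-z0-9]+)/([a-zA-Z0-9\/]+)$ /login.php?f=recover&h=$1&u=$2 [L]`, which keeps the first group free of slashes so the split stays unambiguous; the alternative is to reject `/` consistently in `valid_call`, which would change what callsigns the whole site accepts.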

87
login.php

@ -2,19 +2,91 @@
session_start();
include_once('db.php');
# Logout
if (array_key_exists('f', $_GET) && $_GET['f'] == 'logout') {
session_destroy();
header("Location: http://cwops.telegraphy.de/");
header("Location: https://cwops.telegraphy.de/");
return;
}
# Lost password, send mail (if possible)
if (array_key_exists('f', $_GET) && $_GET['f'] == 'lostpassword') {
$call = $_POST['recover'];
if (!valid_call($call)) {
echo "Callsign can only contain A-Z, 0-9 and /.<br>";
echo "<a href='/'>Return to home page</a>";
return;
}
$q = mysqli_query($db, "SELECT * from cwops_users where `callsign`='$call'");
$r = mysqli_fetch_object($q);
if ($r->email) {
echo "Sending recovery email to the saved email address. If you don't receive it, check your spam folder or get in touch with Fabian, DJ1YFK (fabian@fkurz.net) to request a new password.<br>";
$link = "https://cwops.telegraphy.de/recovery/".sha1($r->password)."/".$r->callsign;
$subject = "Account recovery for CWops Award Tools";
$mailtext = "Hello,\n
someone, probably you requested an account recovery mail for https://cwops.telegraphy.de/.
You can immediately log in to the site with the following link, and then set a new password in your 'Account' tab:
$link
If you didn't request this mail yourself, please disregard this message.
73,
Fabian, DJ1YFK (Administrator of CWops Award Tools)
";
mail($r->email, $subject, $mailtext, "From: CWops Award Tools <help@cwops.telegraphy.de>\r\nBcc: fabian@fkurz.net", "-fhelp@cwops.telegraphy.de");
echo "<a href='/'>Return to home page</a>";
}
else {
echo "No email address in the database. Please get in touch with Fabian, DJ1YFK (fabian@fkurz.net) to request a new password.<br>";
echo "<a href='/'>Return to home page</a>";
}
return;
}
# recovery / instant login link
if (array_key_exists('f', $_GET) && $_GET['f'] == 'recover') {
$call = $_GET['u'];
$hash = $_GET['h'];
error_log("recovery: $call - $hash");
if (valid_call($call) and valid_call($hash)) {
$q = mysqli_query($db, "SELECT * from cwops_users where callsign='$call'");
$user = mysqli_fetch_object($q);
if ($user->callsign == $call and sha1($user->password) == $hash) {
header("Location: https://cwops.telegraphy.de/");
$_SESSION['id'] = $user->id;
$_SESSION['callsign'] = $user->callsign;
$_SESSION['email'] = $user->email;
echo "Login successful! Forwarding...";
error_log("successful recovery of ".$user->callsign);
}
else {
echo "Invalid data";
}
}
else {
echo "Invalid data";
}
return;
}
$call = strtoupper($_POST['callsign']);
$password = $_POST['password'];
# check validity
if (!preg_match('/^[a-z0-9\/]+$/i', $call)) {
if (!valid_call($call)) {
echo "Callsign can only contain A-Z, 0-9 and /.<br>";
echo "<a href='/'>Return to home page</a>";
return;
@ -48,7 +120,11 @@ function log_in_or_create ($call, $password, $recursive) {
else {
?>
Password incorrect. <br>
<a href='/'>Return to home page</a><br>
<a href='/'>Return to home page</a> or<br>
<form action='/lostpassword' method="POST">
<input type="hidden" name="recover" value="<?=$call;?>">
<input type="submit" value="Request account recovery email for <?=$call;?>">
</form>
<?
return;
}
@ -64,8 +140,13 @@ function log_in_or_create ($call, $password, $recursive) {
}
}
}
function valid_call($call)
{
return preg_match('/^[a-z0-9\/]+$/i', $call);
}
?>
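Review bot: The recovery token built on L49 and checked on L76 is `sha1($r->password)`, a fixed value that never expires and is not invalidated after use, so anyone holding the link can log in as that user until the password is changed; the link is also Bcc'd to a second mailbox on L59, presumably lands in the web-server access log since it travels in the URL, and `error_log("recovery: $call - $hash")` on L72 writes the credential into the error log in clear. Replace it with a per-request random token (`bin2hex(random_bytes(32))`, stored hashed together with an expiry and cleared once used), compare it with `hash_equals(sha1($user->password), $hash)` rather than `==` — which becomes a numeric comparison when both operands look numeric — and drop or redact the token from the log line. After a successful check, add `session_regenerate_id(true);` before the `$_SESSION` assignments on L78–L80 so the pre-login session id is not carried over. The queries on L45 and L74 interpolate `$call` and are only kept safe by `valid_call`'s character whitelist; a `mysqli_prepare`/`mysqli_stmt_bind_param` statement would not depend on that, and the same applies to the hidden `<?=$call;?>` values on L108–L109, which should go through `htmlspecialchars`. `log_in_or_create` begins and ends outside the hunks at L101 and L114, and the rest of the file continues past this view.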
