CWops Award Tools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

188 lines
5.3 KiB

<?
session_start();
include_once('db.php');
if (array_key_exists('f', $_GET)) {
switch ($_GET['f']) {
case 'logout':
logout();
break;
case 'lostpassword':
lostpassword();
break;
case 'recover':
recover();
break;
default:
echo "Invalid";
return;
}
}
else {
login();
}
return;
function logout () {
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$redis->hset("cwops_sessions", $_SESSION['id'], "logout");
setcookie("cwops_id", "", 1);
setcookie("cwops_hash", "", 1);
session_destroy();
header("Location: https://cwops.telegraphy.de/");
return;
}
function lostpassword () {
global $db;
$call = $_POST['recover'];
if (!valid_call($call)) {
echo "Callsign can only contain A-Z, 0-9 and /.<br>";
echo "<a href='/'>Return to home page</a>";
return;
}
$q = mysqli_query($db, "SELECT * from cwops_users where `callsign`='$call'");
$r = mysqli_fetch_object($q);
if ($r->email) {
echo "Sending recovery email to the saved email address. If you don't receive it, check your spam folder or get in touch with Fabian, DJ1YFK (fabian@fkurz.net) to request a new password.<br>";
$link = "https://cwops.telegraphy.de/recovery/".sha1($r->password)."/".$r->callsign;
$subject = "Account recovery for CWops Award Tools";
$mailtext = "Hello,\n
someone, probably you requested an account recovery mail for https://cwops.telegraphy.de/.
You can immediately log in to the site with the following link, and then set a new password in your 'Account' tab:
$link
If you didn't request this mail yourself, please disregard this message.
73,
Fabian, DJ1YFK (Administrator of CWops Award Tools)
";
mail($r->email, $subject, $mailtext, "From: CWops Award Tools <help@cwops.telegraphy.de>\r\nBcc: fabian@fkurz.net", "-fhelp@cwops.telegraphy.de");
echo "<a href='/'>Return to home page</a>";
}
else {
echo "No email address in the database. Please get in touch with Fabian, DJ1YFK (fabian@fkurz.net) to request a new password.<br>";
echo "<a href='/'>Return to home page</a>";
}
return;
} # lostpassword
function recover () {
global $db;
$call = $_GET['u'];
$hash = $_GET['h'];
error_log("recovery: $call - $hash");
if (valid_call($call) and valid_call($hash)) {
$q = mysqli_query($db, "SELECT * from cwops_users where callsign='$call'");
$user = mysqli_fetch_object($q);
if ($user->callsign == $call and sha1($user->password) == $hash) {
header("Location: https://cwops.telegraphy.de/");
$_SESSION['id'] = $user->id;
$_SESSION['callsign'] = $user->callsign;
$_SESSION['email'] = $user->email;
$_SESSION['manual'] = $user->manual;
echo "Login successful! Forwarding...";
error_log("successful recovery of ".$user->callsign);
}
else {
echo "Invalid data";
}
}
else {
echo "Invalid data";
}
return;
}
function login () {
$call = strtoupper($_POST['callsign']);
$password = $_POST['password'];
# check validity
if (!valid_call($call)) {
echo "Callsign can only contain A-Z, 0-9 and /.<br>";
echo "<a href='/'>Return to home page</a>";
return;
}
if (!strlen($password)) {
echo "Password must not be empty.<br>";
echo "<a href='/'>Return to home page</a>";
return;
}
log_in_or_create($call, $password, true);
}
function log_in_or_create ($call, $password, $recursive) {
global $db;
$q = mysqli_query($db, "SELECT * from cwops_users where callsign='$call'");
$user = mysqli_fetch_object($q);
if ($user) {
if (password_verify($password, $user->password)) {
header("Location: https://cwops.telegraphy.de/");
$_SESSION['id'] = $user->id;
$_SESSION['callsign'] = $user->callsign;
$_SESSION['email'] = $user->email;
$_SESSION['manual'] = $user->manual;
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$token = sha1(random_bytes(64));
$redis->hset("cwops_sessions", $user->id, $token);
setcookie("cwops_hash", $token, time() + (60 * 60 * 24 * 365));
setcookie("cwops_id", $user->id, time() + (60 * 60 * 24 * 365));
echo "Login successful! Forwarding...";
error_log("successful login of ".$user->callsign);
return;
}
else {
?>
Password incorrect. <br>
<a href='/'>Return to home page</a> or<br>
<form action='/lostpassword' method="POST">
<input type="hidden" name="recover" value="<?=$call;?>">
<input type="submit" value="Request account recovery email for <?=$call;?>">
</form>
<?
return;
}
}
else { # create account
$hash = password_hash($password, PASSWORD_DEFAULT);
$q = mysqli_query($db, "INSERT into cwops_users (`callsign`, `password`) VALUES ('$call', '$hash');");
# now log in
if ($recursive) {
log_in_or_create($call, $password, false);
}
}
}
function valid_call($call)
{
return preg_match('/^[a-z0-9\/]+$/i', $call);
}
?>