actions/recoverpassword.php

   1 <?php
   2 /*
   3  * Laconica - a distributed open-source microblogging tool
   4  * Copyright (C) 2008, Controlez-Vous, Inc.
   5  *
   6  * This program is free software: you can redistribute it and/or modify
   7  * it under the terms of the GNU Affero General Public License as published by
   8  * the Free Software Foundation, either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU Affero General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Affero General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20 if (!defined('LACONICA')) { exit(1); }
  21
  22 # You have 24 hours to claim your password
  23
  24 define(MAX_RECOVERY_TIME, 24 * 60 * 60);
  25
  26 class RecoverpasswordAction extends Action {
  27
  28     function handle($args)
  29     {
  30         parent::handle($args);
  31         if (common_logged_in()) {
  32             $this->client_error(_('You are already logged in!'));
  33             return;
  34         } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  35             if ($this->arg('recover')) {
  36                 $this->recover_password();
  37             } else if ($this->arg('reset')) {
  38                 $this->reset_password();
  39             } else {
  40                 $this->client_error(_('Unexpected form submission.'));
  41             }
  42         } else {
  43             if ($this->trimmed('code')) {
  44                 $this->check_code();
  45             } else {
  46                 $this->show_form();
  47             }
  48         }
  49     }
  50
  51     function check_code()
  52     {
  53
  54         $code = $this->trimmed('code');
  55         $confirm = Confirm_address::staticGet('code', $code);
  56
  57         if (!$confirm) {
  58             $this->client_error(_('No such recovery code.'));
  59             return;
  60         }
  61         if ($confirm->address_type != 'recover') {
  62             $this->client_error(_('Not a recovery code.'));
  63             return;
  64         }
  65
  66         $user = User::staticGet($confirm->user_id);
  67
  68         if (!$user) {
  69             $this->server_error(_('Recovery code for unknown user.'));
  70             return;
  71         }
  72
  73         $touched = strtotime($confirm->modified);
  74         $email = $confirm->address;
  75
  76         # Burn this code
  77
  78         $result = $confirm->delete();
  79
  80         if (!$result) {
  81             common_log_db_error($confirm, 'DELETE', __FILE__);
  82             common_server_error(_('Error with confirmation code.'));
  83             return;
  84         }
  85
  86         # These should be reaped, but for now we just check mod time
  87         # Note: it's still deleted; let's avoid a second attempt!
  88
  89         if ((time() - $touched) > MAX_RECOVERY_TIME) {
  90             common_log(LOG_WARNING,
  91                        'Attempted redemption on recovery code ' .
  92                        'that is ' . $touched . ' seconds old. ');
  93             $this->client_error(_('This confirmation code is too old. ' .
  94                                    'Please start again.'));
  95             return;
  96         }
  97
  98         # If we used an outstanding confirmation to send the email,
  99         # it's been confirmed at this point.
 100
 101         if (!$user->email) {
 102             $orig = clone($user);
 103             $user->email = $email;
 104             $result = $user->updateKeys($orig);
 105             if (!$result) {
 106                 common_log_db_error($user, 'UPDATE', __FILE__);
 107                 $this->server_error(_('Could not update user with confirmed email address.'));
 108                 return;
 109             }
 110         }
 111
 112         # Success!
 113
 114         $this->set_temp_user($user);
 115         $this->show_password_form();
 116     }
 117
 118     function set_temp_user(&$user)
 119     {
 120         common_ensure_session();
 121         $_SESSION['tempuser'] = $user->id;
 122     }
 123
 124     function get_temp_user()
 125     {
 126         common_ensure_session();
 127         $user_id = $_SESSION['tempuser'];
 128         if ($user_id) {
 129             $user = User::staticGet($user_id);
 130         }
 131         return $user;
 132     }
 133
 134     function clear_temp_user()
 135     {
 136         common_ensure_session();
 137         unset($_SESSION['tempuser']);
 138     }
 139
 140     function show_top($msg=null)
 141     {
 142         if ($msg) {
 143             common_element('div', 'error', $msg);
 144         } else {
 145             common_element_start('div', 'instructions');
 146             common_element('p', null,
 147                            _('If you\'ve forgotten or lost your' .
 148                               ' password, you can get a new one sent to' .
 149                               ' the email address you have stored ' .
 150                               ' in your account.'));
 151             common_element_end('div');
 152         }
 153     }
 154
 155     function show_password_top($msg=null)
 156     {
 157         if ($msg) {
 158             common_element('div', 'error', $msg);
 159         } else {
 160             common_element('div', 'instructions',
 161                            _('You\'ve been identified. Enter a ' .
 162                               ' new password below. '));
 163         }
 164     }
 165
 166     function show_form($msg=null)
 167     {
 168
 169         common_show_header(_('Recover password'), null,
 170         $msg, array($this, 'show_top'));
 171
 172         common_element_start('form', array('method' => 'post',
 173                                            'id' => 'recoverpassword',
 174                                            'action' => common_local_url('recoverpassword')));
 175         common_input('nicknameoremail', _('Nickname or email'),
 176                      $this->trimmed('nicknameoremail'),
 177                      _('Your nickname on this server, ' .
 178                         'or your registered email address.'));
 179         common_submit('recover', _('Recover'));
 180         common_element_end('form');
 181         common_show_footer();
 182     }
 183
 184     function show_password_form($msg=null)
 185     {
 186
 187         common_show_header(_('Reset password'), null,
 188         $msg, array($this, 'show_password_top'));
 189
 190         common_element_start('form', array('method' => 'post',
 191                                            'id' => 'recoverpassword',
 192                                            'action' => common_local_url('recoverpassword')));
 193         common_hidden('token', common_session_token());
 194         common_password('newpassword', _('New password'),
 195                         _('6 or more characters, and don\'t forget it!'));
 196         common_password('confirm', _('Confirm'),
 197                         _('Same as password above'));
 198         common_submit('reset', _('Reset'));
 199         common_element_end('form');
 200         common_show_footer();
 201     }
 202
 203     function recover_password()
 204     {
 205         $nore = $this->trimmed('nicknameoremail');
 206         if (!$nore) {
 207             $this->show_form(_('Enter a nickname or email address.'));
 208             return;
 209         }
 210
 211         $user = User::staticGet('email', common_canonical_email($nore));
 212
 213         if (!$user) {
 214             $user = User::staticGet('nickname', common_canonical_nickname($nore));
 215         }
 216
 217         # See if it's an unconfirmed email address
 218
 219         if (!$user) {
 220             $confirm_email = Confirm_address::staticGet('address', common_canonical_email($nore));
 221             if ($confirm_email && $confirm_email->address_type == 'email') {
 222                 $user = User::staticGet($confirm_email->user_id);
 223             }
 224         }
 225
 226         if (!$user) {
 227             $this->show_form(_('No user with that email address or username.'));
 228             return;
 229         }
 230
 231         # Try to get an unconfirmed email address if they used a user name
 232
 233         if (!$user->email && !$confirm_email) {
 234             $confirm_email = Confirm_address::staticGet('user_id', $user->id);
 235             if ($confirm_email && $confirm_email->address_type != 'email') {
 236                 # Skip non-email confirmations
 237                 $confirm_email = null;
 238             }
 239         }
 240
 241         if (!$user->email && !$confirm_email) {
 242             $this->client_error(_('No registered email address for that user.'));
 243             return;
 244         }
 245
 246         # Success! We have a valid user and a confirmed or unconfirmed email address
 247
 248         $confirm = new Confirm_address();
 249         $confirm->code = common_confirmation_code(128);
 250         $confirm->address_type = 'recover';
 251         $confirm->user_id = $user->id;
 252         $confirm->address = (isset($user->email)) ? $user->email : $confirm_email->address;
 253
 254         if (!$confirm->insert()) {
 255             common_log_db_error($confirm, 'INSERT', __FILE__);
 256             $this->server_error(_('Error saving address confirmation.'));
 257             return;
 258         }
 259
 260         $body = "Hey, $user->nickname.";
 261         $body .= "\n\n";
 262         $body .= 'Someone just asked for a new password ' .
 263                  'for this account on ' . common_config('site', 'name') . '.';
 264         $body .= "\n\n";
 265         $body .= 'If it was you, and you want to confirm, use the URL below:';
 266         $body .= "\n\n";
 267         $body .= "\t".common_local_url('recoverpassword',
 268                                    array('code' => $confirm->code));
 269         $body .= "\n\n";
 270         $body .= 'If not, just ignore this message.';
 271         $body .= "\n\n";
 272         $body .= 'Thanks for your time, ';
 273         $body .= "\n";
 274         $body .= common_config('site', 'name');
 275         $body .= "\n";
 276
 277         mail_to_user($user, _('Password recovery requested'), $body, $confirm->address);
 278
 279         common_show_header(_('Password recovery requested'));
 280         common_element('p', null,
 281                        _('Instructions for recovering your password ' .
 282                           'have been sent to the email address registered to your ' .
 283                           'account.'));
 284         common_show_footer();
 285     }
 286
 287     function reset_password()
 288     {
 289
 290         # CSRF protection
 291         $token = $this->trimmed('token');
 292         if (!$token || $token != common_session_token()) {
 293             $this->show_form(_('There was a problem with your session token. Try again, please.'));
 294             return;
 295         }
 296
 297         $user = $this->get_temp_user();
 298
 299         if (!$user) {
 300             $this->client_error(_('Unexpected password reset.'));
 301             return;
 302         }
 303
 304         $newpassword = $this->trimmed('newpassword');
 305         $confirm = $this->trimmed('confirm');
 306
 307         if (!$newpassword || strlen($newpassword) < 6) {
 308             $this->show_password_form(_('Password must be 6 chars or more.'));
 309             return;
 310         }
 311         if ($newpassword != $confirm) {
 312             $this->show_password_form(_('Password and confirmation do not match.'));
 313             return;
 314         }
 315
 316         # OK, we're ready to go
 317
 318         $original = clone($user);
 319
 320         $user->password = common_munge_password($newpassword, $user->id);
 321
 322         if (!$user->update($original)) {
 323             common_log_db_error($user, 'UPDATE', __FILE__);
 324             common_server_error(_('Can\'t save new password.'));
 325             return;
 326         }
 327
 328         $this->clear_temp_user();
 329
 330         if (!common_set_user($user->nickname)) {
 331             common_server_error(_('Error setting user.'));
 332             return;
 333         }
 334
 335         common_real_login(true);
 336
 337         common_show_header(_('Password saved.'));
 338         common_element('p', null, _('New password successfully saved. ' .
 339                                      'You are now logged in.'));
 340         common_show_footer();
 341     }
 342 }