Merge branch 'friendica:2023.09-rc' into Leftovers-from-PR-#13339

[friendica.git] / mod / lostpass.php

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 34daeffd7d30809c15dd11d4b152e0df8de42255..5eb53ae2f393d0022c365d398f2aa3523dd59dee 100644 (file)
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -1,7 +1,22 @@
 <?php
-
 /**
- * @file mod/lostpass.php
+ * @copyright Copyright (C) 2010-2023, the Friendica project
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
  */
 
 use Friendica\App;
@@ -14,27 +29,27 @@ use Friendica\Util\Strings;
 
 function lostpass_post(App $a)
 {
-       $loginame = Strings::escapeTags(trim($_POST['login-name']));
+       $loginame = trim($_POST['login-name']);
        if (!$loginame) {
                DI::baseUrl()->redirect();
        }
 
-       $condition = ['(`email` = ? OR `nickname` = ?) AND `verified` = 1 AND `blocked` = 0', $loginame, $loginame];
+       $condition = ['(`email` = ? OR `nickname` = ?) AND `verified` AND NOT `blocked` AND NOT `account_removed` AND NOT `account_expired`', $loginame, $loginame];
        $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'language'], $condition);
        if (!DBA::isResult($user)) {
-               notice(DI::l10n()->t('No valid account found.') . EOL);
+               DI::sysmsg()->addNotice(DI::l10n()->t('No valid account found.'));
                DI::baseUrl()->redirect();
        }
 
-       $pwdreset_token = Strings::getRandomName(12) . random_int(1000, 9999);
+       $pwdreset_token = Strings::getRandomHex(32);
 
        $fields = [
-               'pwdreset' => $pwdreset_token,
+               'pwdreset' => hash('sha256', $pwdreset_token),
                'pwdreset_time' => DateTimeFormat::utcNow()
        ];
        $result = DBA::update('user', $fields, ['uid' => $user['uid']]);
        if ($result) {
-               info(DI::l10n()->t('Password reset request issued. Check your email.') . EOL);
+               DI::sysmsg()->addInfo(DI::l10n()->t('Password reset request issued. Check your email.'));
        }
 
        $sitename = DI::config()->get('config', 'sitename');
@@ -65,9 +80,9 @@ function lostpass_post(App $a)
                Login Name:     %3$s', $resetlink, DI::baseUrl(), $user['nickname']));
 
        $email = DI::emailer()
-               ->newSystemMail((!empty($user['language'])) ? DI::l10n()->withLang($user['language']) : DI::l10n())
+               ->newSystemMail()
                ->withMessage(DI::l10n()->t('Password reset requested at %s', $sitename), $preamble, $body)
-               ->forUser($user['uid'] ?? 0)
+               ->forUser($user)
                ->withRecipient($user['email'])
                ->build();
 
@@ -77,12 +92,12 @@ function lostpass_post(App $a)
 
 function lostpass_content(App $a)
 {
-       if ($a->argc > 1) {
-               $pwdreset_token = $a->argv[1];
+       if (DI::args()->getArgc() > 1) {
+               $pwdreset_token = DI::args()->getArgv()[1];
 
-               $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => $pwdreset_token]);
+               $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => hash('sha256', $pwdreset_token)]);
                if (!DBA::isResult($user)) {
-                       notice(DI::l10n()->t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."));
+                       DI::sysmsg()->addNotice(DI::l10n()->t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."));
 
                        return lostpass_form();
                }
@@ -95,7 +110,7 @@ function lostpass_content(App $a)
                        ];
                        DBA::update('user', $fields, ['uid' => $user['uid']]);
 
-                       notice(DI::l10n()->t('Request has expired, please make a new one.'));
+                       DI::sysmsg()->addNotice(DI::l10n()->t('Request has expired, please make a new one.'));
 
                        return lostpass_form();
                }
@@ -137,7 +152,7 @@ function lostpass_generate_password($user)
                        '$newpass' => $new_password,
                ]);
 
-               info("Your password has been reset." . EOL);
+               DI::sysmsg()->addInfo(DI::l10n()->t("Your password has been reset."));
 
                $sitename = DI::config()->get('config', 'sitename');
                $preamble = Strings::deindent(DI::l10n()->t('
@@ -157,9 +172,9 @@ function lostpass_generate_password($user)
                ', DI::baseUrl(), $user['nickname'], $new_password));
 
                $email = DI::emailer()
-                       ->newSystemMail((!empty($user['language'])) ? DI::l10n()->withLang($user['language']) : DI::l10n())
+                       ->newSystemMail()
                        ->withMessage(DI::l10n()->t('Your password has been changed at %s', $sitename), $preamble, $body)
-                       ->forUser($user['uid'] ?? 0)
+                       ->forUser($user)
                        ->withRecipient($user['email'])
                        ->build();
                DI::emailer()->send($email);