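function auth_sign_in($next_page = "/")
{
    // Sign a user in from the POSTed username/password, issue the signed "auth"
    // cookie and redirect to $next_page. Every path terminates the request (die).
    //
    // $next_page: path the browser is sent to after a successful sign-in.
    global $AUTH_EXP;
    global $AUTH_KEY;
    // http_post_string() restricts the character set via "valid", so the username
    // echoed in the failure messages below has already been filtered by it.
    $username = http_post_string("username", array("len" => 50, "valid" => "[a-z][0-9]"));
    $password = http_post_string("password", array("len" => 50));
    if (!string_uses(substr($username, 0, 1), "[a-z]")) {
        die("invalid username [{$username}]");
    }
    $row = run_sql("select user_id, password, salt from auth.user_list where username = ?", array($username));
    if (count($row) == 0) {
        // NOTE(review): this message differs from the wrong-password one, so the
        // response tells an outsider which usernames exist; a single generic
        // failure message for both cases would avoid that.
        die("no such user [{$username}]");
    }
    // Constant-time, strict digest comparison. The loose "!=" used before compares
    // two digests of the form "0e<digits>" as numerically equal.
    $computed = (string) crypt_sha256($password . $row[0]["salt"]);
    if (!hash_equals((string) $row[0]["password"], $computed)) {
        die("wrong password");
    }
    $expire = time() + $AUTH_EXP;
    // Cookie body, then a keyed hash over it so the receiver can recompute and
    // compare. (The listing shows the "&user=" segment redacted; it is rebuilt
    // from the user_id column selected above.)
    $cookie = "exp=" . date("YmdHis", $expire) . "&user=" . $row[0]["user_id"];
    $cookie .= "&hash=" . crypt_sha256($AUTH_KEY . $cookie);
    // httponly keeps the session cookie out of reach of page scripts. Path and
    // domain stay at their defaults ("" is the default for both); "secure" is not
    // forced because this function does not know whether the site uses HTTPS.
    setcookie("auth", $cookie, $expire, "", "", false, true);
    header("Location: {$next_page}");
    die;
}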
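function check_auth()
{
    // Validate the signed "auth" cookie and, on success, populate the globals
    // $auth_zid, $auth_user and $javascript_enabled. No cookie (no zid) simply
    // returns, leaving the request anonymous; a malformed, expired or forged
    // cookie is cleared with expire_auth() and the request is terminated.
    global $auth_key;
    global $auth_zid;
    global $auth_user;
    global $request_script;   // declared for callers' benefit; not read here
    global $javascript_enabled;
    $auth_zid = "";
    $javascript_enabled = false;
    // Explicit isset() instead of "@" suppression, which would also hide any
    // unrelated error raised while the cookie is read and parsed.
    $auth = isset($_COOKIE["auth"]) ? $_COOKIE["auth"] : null;
    $map = map_from_url_string($auth);
    if (!is_array($map)) {
        $map = array();
    }
    $expire = isset($map["expire"]) ? $map["expire"] : null;
    $zid = isset($map["zid"]) ? $map["zid"] : "";
    $hash = isset($map["hash"]) ? $map["hash"] : "";
    if ($zid === "") {
        return;
    }
    // expire must be digits only; the numeric comparison below relies on that.
    if (!string_uses($expire, "[0-9]")) {
        expire_auth();
        die("invalid expire");
    }
    if (time() > $expire) {
        expire_auth();
        die("auth expired");
    }
    if (!string_uses($zid, "[a-z][0-9]@.-")) {
        expire_auth();
        die("invalid zid [{$zid}]");
    }
    // Recompute the signature from the parsed fields rather than over the raw
    // cookie text; the zid character set above excludes "&" and "=", so the
    // canonical string cannot be reassembled ambiguously.
    $test = crypt_sha256($auth_key . "expire={$expire}&zid={$zid}");
    // Constant-time, strict comparison; the loose "!=" used before treats two
    // "0e<digits>" digests as numerically equal.
    if (!hash_equals((string) $test, (string) $hash)) {
        expire_auth();
        die("wrong auth hash");
    }
    $auth_zid = $zid;
    $auth_user = db_get_conf("user_conf", $auth_zid);
    // Missing setting falls back to the default set at the top of the function.
    $javascript_enabled = isset($auth_user["javascript_enabled"]) ? $auth_user["javascript_enabled"] : false;
}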
function generate_message_id()
{
    // Build a Message-ID of the form "<unix time>.<8 chars of a hash>@<server name>".
    // NOTE(review): rand() is not a cryptographic source. That is acceptable for
    // an identifier that only needs to be unique, but this value must not be
    // reused for anything that has to stay unguessable.
    global $server_name;
    $stamp = time();
    $token = substr(crypt_sha256(rand()), 0, 8);
    return "{$stamp}.{$token}@{$server_name}";
}
    $s .= "\n";
    $s .= "date_default_timezone_set(\"UTC\");\n";
    $s .= "\$https_enabled = true;\n";
    $s .= "\$story_image_enabled = false;\n";
    $sql_server = "mysql:host={$sql_server}";
    $sql_open = false;
    open_database();
    fs_slap("{$top_root}/conf.php", $s);
    if (!db_has_database($sql_database)) {
        run_sql("create database {$sql_database}");
        run_sql("use {$sql_database}");
        run_sql_file("{$top_root}/schema.sql");
        run_sql_file("{$top_root}/default.sql");
        $zid = "{$admin_username}@{$server_name}";
        $salt = random_hash();
        $pass = crypt_sha256("{$admin_password}{$salt}");
        run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "admin", "1"));
        run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "editor", "1"));
        run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "password", $pass));
        run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "salt", $salt));
    }
    header("Location: /");
    die;
}
// Static HTML head of the setup page, emitted one line at a time through writeln().
foreach (array(
    '<!DOCTYPE html>',
    '<html>',
    '<head>',
    '<title>Pipecode Setup</title>',
    '<meta http-equiv="Content-type" content="text/html;charset=UTF-8">',
    '<link rel="stylesheet" href="/style.css" type="text/css"/>',
    '</head>',
) as $line) {
    writeln($line);
}
     $user_conf["salt"] = $salt;
     db_set_conf("user_conf", $user_conf, $zid);
     db_del_rec("email_challenge", $verify);
     print_header("Password Reset");
     writeln('<h1>Password Reset</h1>');
     writeln('<p>Don\'t forget it this time!</p>');
     print_footer();
     die;
 }
 // "Forgot password" request: look the local user up, store a fresh e-mail
 // challenge for them and start composing the reset mail.
 $username = http_post_string("username", array("len" => 20, "valid" => "[a-z][A-Z][0-9]"));
 $zid = strtolower($username) . "@{$site_name}";
 if (!is_local_user($zid)) {
     die("no such user [{$zid}]");
 }
 $user_conf = db_get_conf("user_conf", $zid);
 // NOTE(review): the reset token is derived from rand(), which is not a
 // cryptographic source, so the token is far more guessable than it should be
 // for something that completes a password reset. A CSPRNG-backed value
 // belongs here.
 $hash = crypt_sha256(rand());
 // Any outstanding challenge for this username is replaced by the new one.
 if (db_has_rec("email_challenge", array("username" => $username))) {
     db_del_rec("email_challenge", array("username" => $username));
 }
 // NOTE(review): $user is not assigned anywhere in this listing, while
 // $user_conf (loaded above) is never read; this looks like it should be
 // $user_conf["email"] — confirm against the rest of the file.
 $email_challenge = array(
     "challenge" => $hash,
     "username" => $username,
     "email" => $user["email"],
     "expires" => time() + 86400 * 3,   // three days
 );
 db_set_rec("email_challenge", $email_challenge);
 $subject = "Forgot Password";
 $body = "Did you forget your password for \"{$username}\" on {$server_name}?\n"
     . "\n"
     . "In order to reset your password, you must visit the following link:\n"
     . "\n";
 if ($https_enabled) {
//
// You should have received a copy of the GNU General Public License
// along with Pipecode.  If not, see <http://www.gnu.org/licenses/>.
//
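// POST: verify the credentials, issue the signed "auth" cookie and redirect.
if (http_post()) {
    $username = http_post_string("username", array("len" => 20, "valid" => "[a-z][A-Z][0-9]"));
    $password = http_post_string("password", array("len" => 64, "valid" => "[KEYBOARD]"));
    $referer = http_get_string("referer", array("required" => false, "len" => 200, "valid" => "[a-z][A-Z][0-9].+-_/?&#=;~"));
    $zid = strtolower($username) . "@{$server_name}";
    $user_conf = db_get_conf("user_conf", $zid);
    // An unknown user has no stored digest and fails the same way as a wrong
    // password, so the response does not reveal which usernames exist.
    $stored = isset($user_conf["password"]) ? (string) $user_conf["password"] : "";
    $salt = isset($user_conf["salt"]) ? (string) $user_conf["salt"] : "";
    // Constant-time, strict comparison; the loose "!=" used before treats two
    // "0e<digits>" digests as numerically equal.
    if (!hash_equals($stored, (string) crypt_sha256($password . $salt))) {
        die("wrong password");
    }
    $expire = time() + $auth_expire;
    // The cookie carries its own expiry and zid, followed by a keyed hash over
    // that text so the receiver can recompute and compare it.
    $cookie = "expire={$expire}&zid={$zid}";
    $cookie .= "&hash=" . crypt_sha256($auth_key . $cookie);
    // httponly keeps the session cookie away from page scripts. "secure" is set
    // when the site uses HTTPS and this sign-in itself arrived over it, so the
    // cookie is never sent in clear text afterwards.
    $secure = (bool) ($https_enabled && $protocol == "https");
    setcookie("auth", $cookie, $expire, "/", ".{$server_name}", $secure, true);
    // The referer character set does not allow ":", so an absolute URL cannot
    // get through, but a protocol-relative "//host/..." value can. Only send
    // the browser to a same-site location.
    if ($referer != "" && substr($referer, 0, 2) != "//") {
        header("Location: {$referer}");
    } else {
        header("Location: ./");
    }
    // Stop here: otherwise the HTTPS redirect below can overwrite this Location
    // header and the sign-in form is rendered into the redirect response.
    die;
}
// Plain-HTTP visits are sent to the HTTPS sign-in page when HTTPS is enabled.
if ($protocol != "https" && $https_enabled) {
    header("Location: https://{$server_name}/sign_in");
    die;
}
print_header("Sign In");
writeln('<hr/>');
writeln('<h1>Sign In</h1>');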
if ($https_enabled) {