public function post($data) { // check present, token ok, password and password confirm ok if (!isset($data["token"], $data["passwords"]["password"], $data["passwords"]["repeat_password"])) { $this->response("Bad data", null, 400); } if (empty($data["token"]) || strlen($data["token"]) < 20) { $this->response("Bad data", null, 400); } if (empty($data["passwords"]["password"]) || empty($data["passwords"]["repeat_password"]) || $data["passwords"]["password"] !== $data["passwords"]["repeat_password"]) { $this->response("Bad data", null, 400); } $token_data = explode("_", $data["token"]); if (count($token_data) != 2 || empty($token_data[0]) || empty($token_data[1])) { $this->response("Bad data", null, 400); } /* data present and pre check good, lets do a user search and check */ // try find user $user = $this->razor_db->get_first('user', '*', array('id' => (int) $token_data[1])); // no valid user found if (empty($user)) { $this->response("Bad data", null, 400); } // check token if (empty($user["reminder_token"]) || $token_data[0] != $user["reminder_token"] || $user["reminder_time"] + 3600 < time()) { $this->response("Bad data", null, 400); } /* user ok, token ok, lets change password */ $password = RazorAPI::create_hash($data["passwords"]["password"]); // set new reminder $row = array("password" => $password, "reminder_token" => ""); $this->razor_db->edit_data('user', $row, array('id' => $user['id'])); $this->response("success", "json"); }
public function post($data) { // check present, token ok, password and password confirm ok if (!isset($data["token"], $data["passwords"]["password"], $data["passwords"]["repeat_password"])) { $this->response("Bad data", null, 400); } if (empty($data["token"]) || strlen($data["token"]) < 20) { $this->response("Bad data", null, 400); } if (empty($data["passwords"]["password"]) || empty($data["passwords"]["repeat_password"]) || $data["passwords"]["password"] !== $data["passwords"]["repeat_password"]) { $this->response("Bad data", null, 400); } $token_data = explode("_", $data["token"]); if (count($token_data) != 2 || empty($token_data[0]) || empty($token_data[1])) { $this->response("Bad data", null, 400); } /* data present and pre check good, lets do a user search and check */ // try find user $db = new RazorDB(); $db->connect("user"); $search = array("column" => "id", "value" => (int) $token_data[1]); $user = $db->get_rows($search); $db->disconnect(); // no valid user found if ($user["count"] != 1) { $this->response("Bad data", null, 400); } $user = $user["result"][0]; // check token if (empty($user["reminder_token"]) || $token_data[0] != $user["reminder_token"] || $user["reminder_time"] + 3600 < time()) { $this->response("Bad data", null, 400); } /* user ok, token ok, lets change password */ $password = RazorAPI::create_hash($data["passwords"]["password"]); // set new reminder $db->connect("user"); $search = array("column" => "id", "value" => $user["id"]); $row = array("password" => $password, "reminder_token" => ""); $db->edit_rows($search, $row); $db->disconnect(); $this->response("success", "json"); }
public function login($data) { // check if email set if (!isset($data["username"])) { throw new Exception("No Login username"); } if (!isset($data["password"])) { throw new Exception("No Login password"); } $ip_address = preg_replace("/[^0-9.]/", '', substr($_SERVER["REMOTE_ADDR"], 0, 50)); $user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($_SERVER["HTTP_USER_AGENT"], 0, 250)); // check ban list if active before doing anything else if (RARS_ACCESS_BAN_ATTEMPS > 0) { // find banned rows $banned = $this->razor_db->get_first('banned', '*', array('ip_address' => $ip_address, 'user_agent' => $user_agent)); if (!empty($banned)) { return RazorAPI::response(array("message" => "Login failed: ip banned", "login_error_code" => 104), "json"); } } /* carry on with login */ // find user $user = $this->razor_db->get_first('user', '*', array('email_address' => $data['username'])); // check user found if (empty($user)) { return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json"); } // check if user is locked out here if (!empty($user["lock_until"]) && $user["lock_until"] > time()) { return RazorAPI::response(array("message" => "Login failed: user locked out please try later", "login_error_code" => 102, "time_left" => $user["lock_until"] - time()), "json"); } // check active user if (!$user["active"]) { return RazorAPI::response(array("message" => "Login failed: user not active", "login_error_code" => 103), "json"); } // now check if password ok (we need password first to get salt from it before we can check it), if not then send response if (RazorAPI::create_hash($data["password"], substr($user["password"], 0, strlen($user["password"]) / 2), 'sha1') !== $user["password"]) { // data to update $update_data = array('failed_attempts' => $user['failed_attempts']++); if ($user["failed_attempts"] > 0 && $user["failed_attempts"] % RARS_ACCESS_ATTEMPTS == 0) { $update_data['lock_until'] = time() + RARS_ACCESS_LOCKOUT; } // update $this->razor_db->edit_data('user', $update_data, array('id' => $user['id'])); // add to banned list if banned active and too many attempts if (RARS_ACCESS_BAN_ATTEMPS > 0 && $user["failed_attempts"] + 1 >= RARS_ACCESS_BAN_ATTEMPS) { // add ip and agent to banned $this->razor_db->add_data('banned', array('ip_address' => $ip_address, 'user_agent' => $user_agent)); } return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json"); } /* we are now authenticated, respond and send token back */ // need to create a token and last logged stamp and save it in the db $last_logged = time(); $pass_hash = $user["password"]; $token = sha1($last_logged . $user_agent . $ip_address . $pass_hash) . "_" . $user["id"]; // update data $update_data = array('id' => $user['id'], 'last_logged_in' => $last_logged, 'last_accessed' => $last_logged, 'ip_address' => $ip_address); $user = $this->razor_db->edit_data('user', $update_data, array('id' => $user['id']), '*'); $user = $user[0]; // collect user data $user = array("id" => $user["id"], "name" => $user["name"], "email_address" => $user["email_address"], "last_logged_in" => $user["last_logged_in"], "access_level" => $user["access_level"]); // setup response return RazorAPI::response(array("token" => $token, "user" => $user), "json"); }
public function login($data) { // check if email set if (!isset($data["username"])) { throw new Exception("No Login username"); } if (!isset($data["password"])) { throw new Exception("No Login password"); } $ip_address = preg_replace("/[^0-9.]/", '', substr($_SERVER["REMOTE_ADDR"], 0, 50)); $user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($_SERVER["HTTP_USER_AGENT"], 0, 250)); // check ban list if active before doing anything else if (RARS_ACCESS_BAN_ATTEMPS > 0) { // find banned rows $db = new RazorDB(); $db->connect("banned"); $search = array(array("column" => "ip_address", "value" => $ip_address), array("column" => "user_agent", "value" => $user_agent, "and" => true)); $count = $db->get_rows($search); $count = $count["count"]; $db->disconnect(); if ($count > 0) { return RazorAPI::response(array("message" => "Login failed: ip banned", "login_error_code" => 104), "json"); } } /* carry on with login */ // find user $db = new RazorDB(); $db->connect("user"); $search = array("column" => "email_address", "value" => $data["username"]); $options = array("amount" => 1); $res = $db->get_rows($search, $options); $db->disconnect(); // check user found if ($res["count"] != 1) { return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json"); } // grab user details $user = $res["result"][0]; // check if user is locked out here if (!empty($user["lock_until"]) && $user["lock_until"] > time()) { return RazorAPI::response(array("message" => "Login failed: user locked out please try later", "login_error_code" => 102, "time_left" => $user["lock_until"] - time()), "json"); } // check active user if (!$user["active"]) { return RazorAPI::response(array("message" => "Login failed: user not active", "login_error_code" => 103), "json"); } // now check if password ok (we need password first to get salt from it before we can check it), if not then send response if (RazorAPI::create_hash($data["password"], substr($user["password"], 0, strlen($user["password"]) / 2), 'sha1') !== $user["password"]) { // update failed attempts and lockout $db = new RazorDB(); $db->connect("user"); $search = array("column" => "id", "value" => $user["id"]); $changes = array("failed_attempts" => $user["failed_attempts"] + 1); if ($user["failed_attempts"] > 0 && $user["failed_attempts"] % RARS_ACCESS_ATTEMPTS == 0) { $changes["lock_until"] = time() + RARS_ACCESS_LOCKOUT; } $db->edit_rows($search, $changes); $db->disconnect(); // add to banned list if banned active and too many attempts if (RARS_ACCESS_BAN_ATTEMPS > 0 && $user["failed_attempts"] + 1 >= RARS_ACCESS_BAN_ATTEMPS) { $db = new RazorDB(); $db->connect("banned"); $row = array("ip_address" => $ip_address, "user_agent" => $user_agent); $db->add_rows($row); $db->disconnect(); } return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json"); } /* we are now authenticated, respond and send token back */ // need to create a token and last logged stamp and save it in the db $last_logged = time(); $pass_hash = $user["password"]; $token = sha1($last_logged . $user_agent . $ip_address . $pass_hash) . "_" . $user["id"]; // store last logged and reset lockout/attempts $db = new RazorDB(); $db->connect("user"); $search = array("column" => "id", "value" => $user["id"]); $changes = array("last_logged_in" => $last_logged, "last_accessed" => $last_logged, "failed_attempts" => 0, "lock_until" => null, "ip_address" => $ip_address); $db->edit_rows($search, $changes); $db->disconnect(); // collect user data $user = array("id" => $user["id"], "name" => $user["name"], "email_address" => $user["email_address"], "last_logged_in" => $user["last_logged_in"], "access_level" => $user["access_level"]); // setup response return RazorAPI::response(array("token" => $token, "user" => $user), "json"); }