public function post($data)
{
// check present, token ok, password and password confirm ok
if (!isset($data["token"], $data["passwords"]["password"], $data["passwords"]["repeat_password"])) {
$this->response("Bad data", null, 400);
}
if (empty($data["token"]) || strlen($data["token"]) < 20) {
$this->response("Bad data", null, 400);
}
if (empty($data["passwords"]["password"]) || empty($data["passwords"]["repeat_password"]) || $data["passwords"]["password"] !== $data["passwords"]["repeat_password"]) {
$this->response("Bad data", null, 400);
}
$token_data = explode("_", $data["token"]);
if (count($token_data) != 2 || empty($token_data[0]) || empty($token_data[1])) {
$this->response("Bad data", null, 400);
}
/* data present and pre check good, lets do a user search and check */
// try find user
$user = $this->razor_db->get_first('user', '*', array('id' => (int) $token_data[1]));
// no valid user found
if (empty($user)) {
$this->response("Bad data", null, 400);
}
// check token
if (empty($user["reminder_token"]) || $token_data[0] != $user["reminder_token"] || $user["reminder_time"] + 3600 < time()) {
$this->response("Bad data", null, 400);
}
/* user ok, token ok, lets change password */
$password = RazorAPI::create_hash($data["passwords"]["password"]);
// set new reminder
$row = array("password" => $password, "reminder_token" => "");
$this->razor_db->edit_data('user', $row, array('id' => $user['id']));
$this->response("success", "json");
}
public function post($data)
{
// check present, token ok, password and password confirm ok
if (!isset($data["token"], $data["passwords"]["password"], $data["passwords"]["repeat_password"])) {
$this->response("Bad data", null, 400);
}
if (empty($data["token"]) || strlen($data["token"]) < 20) {
$this->response("Bad data", null, 400);
}
if (empty($data["passwords"]["password"]) || empty($data["passwords"]["repeat_password"]) || $data["passwords"]["password"] !== $data["passwords"]["repeat_password"]) {
$this->response("Bad data", null, 400);
}
$token_data = explode("_", $data["token"]);
if (count($token_data) != 2 || empty($token_data[0]) || empty($token_data[1])) {
$this->response("Bad data", null, 400);
}
/* data present and pre check good, lets do a user search and check */
// try find user
$db = new RazorDB();
$db->connect("user");
$search = array("column" => "id", "value" => (int) $token_data[1]);
$user = $db->get_rows($search);
$db->disconnect();
// no valid user found
if ($user["count"] != 1) {
$this->response("Bad data", null, 400);
}
$user = $user["result"][0];
// check token
if (empty($user["reminder_token"]) || $token_data[0] != $user["reminder_token"] || $user["reminder_time"] + 3600 < time()) {
$this->response("Bad data", null, 400);
}
/* user ok, token ok, lets change password */
$password = RazorAPI::create_hash($data["passwords"]["password"]);
// set new reminder
$db->connect("user");
$search = array("column" => "id", "value" => $user["id"]);
$row = array("password" => $password, "reminder_token" => "");
$db->edit_rows($search, $row);
$db->disconnect();
$this->response("success", "json");
}
public function login($data)
{
// check if email set
if (!isset($data["username"])) {
throw new Exception("No Login username");
}
if (!isset($data["password"])) {
throw new Exception("No Login password");
}
$ip_address = preg_replace("/[^0-9.]/", '', substr($_SERVER["REMOTE_ADDR"], 0, 50));
$user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($_SERVER["HTTP_USER_AGENT"], 0, 250));
// check ban list if active before doing anything else
if (RARS_ACCESS_BAN_ATTEMPS > 0) {
// find banned rows
$banned = $this->razor_db->get_first('banned', '*', array('ip_address' => $ip_address, 'user_agent' => $user_agent));
if (!empty($banned)) {
return RazorAPI::response(array("message" => "Login failed: ip banned", "login_error_code" => 104), "json");
}
}
/* carry on with login */
// find user
$user = $this->razor_db->get_first('user', '*', array('email_address' => $data['username']));
// check user found
if (empty($user)) {
return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
}
// check if user is locked out here
if (!empty($user["lock_until"]) && $user["lock_until"] > time()) {
return RazorAPI::response(array("message" => "Login failed: user locked out please try later", "login_error_code" => 102, "time_left" => $user["lock_until"] - time()), "json");
}
// check active user
if (!$user["active"]) {
return RazorAPI::response(array("message" => "Login failed: user not active", "login_error_code" => 103), "json");
}
// now check if password ok (we need password first to get salt from it before we can check it), if not then send response
if (RazorAPI::create_hash($data["password"], substr($user["password"], 0, strlen($user["password"]) / 2), 'sha1') !== $user["password"]) {
// data to update
$update_data = array('failed_attempts' => $user['failed_attempts']++);
if ($user["failed_attempts"] > 0 && $user["failed_attempts"] % RARS_ACCESS_ATTEMPTS == 0) {
$update_data['lock_until'] = time() + RARS_ACCESS_LOCKOUT;
}
// update
$this->razor_db->edit_data('user', $update_data, array('id' => $user['id']));
// add to banned list if banned active and too many attempts
if (RARS_ACCESS_BAN_ATTEMPS > 0 && $user["failed_attempts"] + 1 >= RARS_ACCESS_BAN_ATTEMPS) {
// add ip and agent to banned
$this->razor_db->add_data('banned', array('ip_address' => $ip_address, 'user_agent' => $user_agent));
}
return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
}
/* we are now authenticated, respond and send token back */
// need to create a token and last logged stamp and save it in the db
$last_logged = time();
$pass_hash = $user["password"];
$token = sha1($last_logged . $user_agent . $ip_address . $pass_hash) . "_" . $user["id"];
// update data
$update_data = array('id' => $user['id'], 'last_logged_in' => $last_logged, 'last_accessed' => $last_logged, 'ip_address' => $ip_address);
$user = $this->razor_db->edit_data('user', $update_data, array('id' => $user['id']), '*');
$user = $user[0];
// collect user data
$user = array("id" => $user["id"], "name" => $user["name"], "email_address" => $user["email_address"], "last_logged_in" => $user["last_logged_in"], "access_level" => $user["access_level"]);
// setup response
return RazorAPI::response(array("token" => $token, "user" => $user), "json");
}
public function login($data)
{
// check if email set
if (!isset($data["username"])) {
throw new Exception("No Login username");
}
if (!isset($data["password"])) {
throw new Exception("No Login password");
}
$ip_address = preg_replace("/[^0-9.]/", '', substr($_SERVER["REMOTE_ADDR"], 0, 50));
$user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($_SERVER["HTTP_USER_AGENT"], 0, 250));
// check ban list if active before doing anything else
if (RARS_ACCESS_BAN_ATTEMPS > 0) {
// find banned rows
$db = new RazorDB();
$db->connect("banned");
$search = array(array("column" => "ip_address", "value" => $ip_address), array("column" => "user_agent", "value" => $user_agent, "and" => true));
$count = $db->get_rows($search);
$count = $count["count"];
$db->disconnect();
if ($count > 0) {
return RazorAPI::response(array("message" => "Login failed: ip banned", "login_error_code" => 104), "json");
}
}
/* carry on with login */
// find user
$db = new RazorDB();
$db->connect("user");
$search = array("column" => "email_address", "value" => $data["username"]);
$options = array("amount" => 1);
$res = $db->get_rows($search, $options);
$db->disconnect();
// check user found
if ($res["count"] != 1) {
return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
}
// grab user details
$user = $res["result"][0];
// check if user is locked out here
if (!empty($user["lock_until"]) && $user["lock_until"] > time()) {
return RazorAPI::response(array("message" => "Login failed: user locked out please try later", "login_error_code" => 102, "time_left" => $user["lock_until"] - time()), "json");
}
// check active user
if (!$user["active"]) {
return RazorAPI::response(array("message" => "Login failed: user not active", "login_error_code" => 103), "json");
}
// now check if password ok (we need password first to get salt from it before we can check it), if not then send response
if (RazorAPI::create_hash($data["password"], substr($user["password"], 0, strlen($user["password"]) / 2), 'sha1') !== $user["password"]) {
// update failed attempts and lockout
$db = new RazorDB();
$db->connect("user");
$search = array("column" => "id", "value" => $user["id"]);
$changes = array("failed_attempts" => $user["failed_attempts"] + 1);
if ($user["failed_attempts"] > 0 && $user["failed_attempts"] % RARS_ACCESS_ATTEMPTS == 0) {
$changes["lock_until"] = time() + RARS_ACCESS_LOCKOUT;
}
$db->edit_rows($search, $changes);
$db->disconnect();
// add to banned list if banned active and too many attempts
if (RARS_ACCESS_BAN_ATTEMPS > 0 && $user["failed_attempts"] + 1 >= RARS_ACCESS_BAN_ATTEMPS) {
$db = new RazorDB();
$db->connect("banned");
$row = array("ip_address" => $ip_address, "user_agent" => $user_agent);
$db->add_rows($row);
$db->disconnect();
}
return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
}
/* we are now authenticated, respond and send token back */
// need to create a token and last logged stamp and save it in the db
$last_logged = time();
$pass_hash = $user["password"];
$token = sha1($last_logged . $user_agent . $ip_address . $pass_hash) . "_" . $user["id"];
// store last logged and reset lockout/attempts
$db = new RazorDB();
$db->connect("user");
$search = array("column" => "id", "value" => $user["id"]);
$changes = array("last_logged_in" => $last_logged, "last_accessed" => $last_logged, "failed_attempts" => 0, "lock_until" => null, "ip_address" => $ip_address);
$db->edit_rows($search, $changes);
$db->disconnect();
// collect user data
$user = array("id" => $user["id"], "name" => $user["name"], "email_address" => $user["email_address"], "last_logged_in" => $user["last_logged_in"], "access_level" => $user["access_level"]);
// setup response
return RazorAPI::response(array("token" => $token, "user" => $user), "json");
}
