+ elseif (array_key_exists('verification_code', $_GET)) {
+ $result = $db->prepare('SELECT `id`,`email` FROM `auth_users` WHERE `email` = :email AND `status` = \'unverified\' AND `verify_hash` = :vcode;');
+ $result->execute(array(':email' => @$_GET['email'], ':vcode' => $_GET['verification_code']));
+ $user = $result->fetch(PDO::FETCH_ASSOC);
+ if ($user['id']) {
+ $result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\', `status` = \'ok\' WHERE `id` = :userid;');
+ if (!$result->execute(array(':userid' => $user['id']))) {
+ $utils->log('verification_save_failure', 'user: '.$user['id']);
+ $errors[] = _('Could not save confirmation. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ }
+ $pagetype = 'verification_done';
+ }
+ else {
+ $errors[] = _('The confirmation link you called is not valid. Possibly it has expired and you need to try registering again.');
+ }
+ }
+ elseif (array_key_exists('reset_code', $_GET)) {
+ $reset_fail = true;
+ $result = $db->prepare('SELECT `id`,`email`,`verify_hash` FROM `auth_users` WHERE `email` = :email');
+ $result->execute(array(':email' => @$_GET['email']));
+ $user = $result->fetch(PDO::FETCH_ASSOC);
+ if ($user['id']) {
+ // Deconstruct reset code and verify it.
+ if (preg_match('/^([0-9a-f]{'.strlen($user['verify_hash']).'})([0-9a-f]+)_(\d+\.\d+)$/', $_GET['reset_code'], $regs)) {
+ $tcode_sessid = hexdec($regs[2]) - $user['id'];
+ $result = $db->prepare('SELECT `id`,`sesskey` FROM `auth_sessions` WHERE `id` = :sessid;');
+ $result->execute(array(':sessid' => $tcode_sessid));
+ $row = $result->fetch(PDO::FETCH_ASSOC);
+ if ($row) {
+ $tcode_session = $row;
+ if (($regs[1] == $user['verify_hash']) &&
+ $utils->verifyTimeCode($regs[3], $session, 60)) {
+ // Set a new verify_hash for the actual password reset.
+ $user['verify_hash'] = $utils->createVerificationCode();
+ $result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = :vcode WHERE `id` = :userid;');
+ if (!$result->execute(array(':vcode' => $user['verify_hash'], ':userid' => $user['id']))) {
+ $utils->log('vhash_reset_failure', 'user: '.$user['id']);
+ }
+ $result = $db->prepare('UPDATE `auth_sessions` SET `user` = :userid WHERE `id` = :sessid;');
+ if (!$result->execute(array(':userid' => $user['id'], ':sessid' => $session['id']))) {
+ $utils->log('reset_session_set_user_failure', 'session: '.$session['id']);
+ }
+ $pagetype = 'resetpwd';
+ $reset_fail = false;
+ }
+ }
+ }
+ }
+ if ($reset_fail) {
+ $errors[] = _('The password reset link you called is not valid. Possibly it has expired and you need to call the "Password forgotten?" function again.');
+ }
+ }
+ elseif (array_key_exists('clients', $_GET)) {
+ $result = $db->prepare('SELECT `id`,`email` FROM `auth_users` WHERE `id` = :userid;');
+ $result->execute(array(':userid' => $session['user']));
+ $user = $result->fetch(PDO::FETCH_ASSOC);
+ if ($session['logged_in'] && $user['id']) {
+ if (array_key_exists('client_id', $_POST) && (strlen($_POST['client_id']) >= 5)) {
+ $clientid = $_POST['client_id'];
+ $clientsecret = $utils->createClientSecret();
+ $rediruri = strval(@$_POST['redirect_uri']);
+ $scope = strval(@$_POST['scope']);
+ $result = $db->prepare('INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`, `scope`, `user_id`) VALUES (:clientid, :secret, :rediruri, :scope, :userid);');
+ if (!$result->execute(array(':clientid' => $clientid,
+ ':secret' => $clientsecret,
+ ':rediruri' => $rediruri,
+ ':scope' => $scope,
+ ':userid' => $user['id']))) {
+ $utils->log('client_save_failure', 'client: '.$clientid);
+ $errors[] = 'Unexpectedly failed to save new client information. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.';
+ }
+ }
+ if (!count($errors)) {
+ // List clients
+ $result = $db->prepare('SELECT `client_id`,`client_secret`,`redirect_uri`,`scope` FROM `oauth_clients` WHERE `user_id` = :userid;');
+ $result->execute(array(':userid' => $user['id']));
+ $clients = $result->fetchAll(PDO::FETCH_ASSOC);
+ if (!$clients) { $clients = array(); }
+ $pagetype = 'clientlist';
+ }
+ }
+ else {
+ $errors[] = _('This function is only available if you are logged in.');
+ }
+ }
+ elseif (intval($session['user'])) {
+ $result = $db->prepare('SELECT `id`,`email`,`verify_hash` FROM `auth_users` WHERE `id` = :userid;');
+ $result->execute(array(':userid' => $session['user']));
+ $user = $result->fetch(PDO::FETCH_ASSOC);
+ if (!$user['id']) {
+ $utils->log('user_read_failure', 'user: '.$session['user']);
+ }
+ // Password reset requested.
+ if (array_key_exists('pwd', $_POST) && array_key_exists('reset', $_POST) && array_key_exists('tcode', $_POST)) {
+ // If not logged in, a password reset needs to have the proper vcode set.
+ if (!$session['logged_in'] && (!strlen(@$_POST['vcode']) || ($_POST['vcode'] != $user['verify_hash']))) {
+ $errors[] = _('Password reset failed. The reset form you used was not valid. Possibly it has expired and you need to initiate the password reset again.');
+ }
+ // If not logged in, a password reset also needs to have the proper email set.
+ if (!$session['logged_in'] && !count($errors) && (@$_POST['email_hidden'] != $user['email'])) {
+ $errors[] = _('Password reset failed. The reset form you used was not valid. Possibly it has expired and you need to initiate the password reset again.');
+ }
+ // Check validity of time code.
+ if (!count($errors) && !$utils->verifyTimeCode($_POST['tcode'], $session)) {
+ $errors[] = _('Password reset failed. The reset form you used was not valid. Possibly it has expired and you need to initiate the password reset again.');
+ }
+ $errors += $utils->checkPasswordConstraints(strval($_POST['pwd']), $user['email']);
+ if (!count($errors)) {
+ $newHash = $utils->pwdHash($_POST['pwd']);
+ $result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash, `verify_hash` = \'\' WHERE `id` = :userid;');
+ if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $session['user']))) {
+ $utils->log('pwd_reset_failure', 'user: '.$session['user']);
+ $errors[] = _('Password reset failed. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ }
+ else {
+ $pagetype = 'reset_done';
+ }
+ }