- elseif ($utils->verifyTimeCode(@$_POST['tcode'], $session)) {
- $result = $db->prepare('SELECT `id`, `pwdhash`, `email`, `status`, `verify_hash` FROM `auth_users` WHERE `email` = :email;');
- $result->execute(array(':email' => $_POST['email']));
- $user = $result->fetch(PDO::FETCH_ASSOC);
- if ($user['id'] && array_key_exists('pwd', $_POST)) {
- // existing user, check password
- if (($user['status'] == 'ok') && $utils->pwdVerify(@$_POST['pwd'], $user)) {
- // Check if a newer hashing algorithm is available
- // or the cost has changed
- if ($utils->pwdNeedsRehash($user)) {
- // If so, create a new hash, and replace the old one
- $newHash = $utils->pwdHash($_POST['pwd']);
- $result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash WHERE `id` = :userid;');
- if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $user['id']))) {
- $utils->log('user_hash_save_failure', 'user: '.$user['id']);
- }
- else {
- $utils->log('pwd_rehash_success', 'user: '.$user['id']);
- }
- }
-
- // Log user in - update session key for that, see https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Login
- $utils->log('login', 'user: '.$user['id']);
- $sesskey = $utils->createSessionKey();
- setcookie('sessionkey', $sesskey, 0, "", "", !$running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost.
- // If the session has a user set, create a new one - otherwise take existing session entry.
- if (intval($session['user'])) {
- $result = $db->prepare('INSERT INTO `auth_sessions` (`sesskey`, `time_expire`, `user`, `logged_in`) VALUES (:sesskey, :expire, :userid, TRUE);');
- $result->execute(array(':sesskey' => $sesskey, ':userid' => $user['id'], ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day'))));
- // After insert, actually fetch the session row from the DB so we have all values.
- $result = $db->prepare('SELECT * FROM auth_sessions WHERE `sesskey` = :sesskey AND `time_expire` > :expire;');
- $result->execute(array(':sesskey' => $sesskey, ':expire' => gmdate('Y-m-d H:i:s')));
- $row = $result->fetch(PDO::FETCH_ASSOC);
- if ($row) {
- $session = $row;
- }
- else {
- $utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$user['id']);
- $errors[] = _('The session system is not working. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
- }
- }
- else {
- $result = $db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
- if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $user['id'], ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
- $utils->log('login_failure', 'session: '.$session['id'].', user: '.$user['id']);
- $errors[] = _('Login failed unexpectedly. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
- }
- }
- // If a verify_hash if set on a verified user, a password reset had been requested. As a login works right now, cancel that reset request by deleting the hash.
- if (strlen(@$user['verify_hash'])) {
- $result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\' WHERE `id` = :userid;');
- if (!$result->execute(array(':userid' => $user['id']))) {
- $utils->log('empty_vhash_failure', 'user: '.$user['id']);
- }
- else {
- $user['verify_hash'] = '';
- }
- }
+ if (!count($errors)) {
+ // Put user into the DB
+ if (!$user['id']) {
+ $newHash = $utils->pwdHash($_POST['pwd']);
+ $vcode = $utils->createVerificationCode();
+ $result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, \'unverified\', :vcode);');
+ if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':vcode' => $vcode))) {
+ $utils->log('user_insert_failure', 'email: '.$_POST['email'].' - '.$result->errorInfo()[2]);
+ $errors[] = _('Could not add user. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ }
+ $user = array('id' => $db->lastInsertId(),
+ 'email' => $_POST['email'],
+ 'pwdhash' => $newHash,
+ 'status' => 'unverified',
+ 'verify_hash' => $vcode);
+ $utils->log('new_user', 'user: '.$user['id'].', email: '.$user['email']);
+ }
+ if ($user['status'] == 'unverified') {
+ // Send email for verification and show message to point to it.
+ $mail = new email();
+ $mail->setCharset('utf-8');
+ $mail->addHeader('X-KAIRO-AUTH', 'email_verification');
+ $mail->addRecipient($user['email']);
+ $mail->setSender('noreply@auth.kairo.at', _('KaiRo.at Authentication Service'));
+ $mail->setSubject('Email Verification for KaiRo.at Authentication');
+ $mail->addMailText(_('Welcome!')."\n\n");
+ $mail->addMailText(sprintf(_('This email address, %s, has been used for registration on "%s".'),
+ $user['email'], _('KaiRo.at Authentication Service'))."\n\n");
+ $mail->addMailText(_('Please confirm that registration by clicking the following link (or calling it up in your browser):')."\n");
+ $mail->addMailText($utils->getDomainBaseURL().strstr($_SERVER['REQUEST_URI'], '?', true)
+ .'?email='.rawurlencode($user['email']).'&verification_code='.rawurlencode($user['verify_hash'])."\n\n");
+ $mail->addMailText(_('With this confirmation, you accept that we handle your data for the purpose of logging you into other websites when you request that.')."\n");
+ $mail->addMailText(_('Those websites will get to know your email address but not your password, which we store securely.')."\n");
+ $mail->addMailText(_('If you do not call this confirmation link within 72 hours, your data will be deleted from our database.')."\n\n");
+ $mail->addMailText(sprintf(_('The %s team'), 'KaiRo.at'));
+ //$mail->setDebugAddress("robert@localhost");
+ $mailsent = $mail->send();
+ if ($mailsent) {
+ $pagetype = 'verification_sent';