Require authorization for logins from new locations

classes/users.class.php

@@ -670,4 +670,27 @@ class Users {
 
     Misc::send_email($Email, 'Password reset information for ' . SITE_NAME, $TPL->get(), 'noreply');
   }
+
+
+  /*
+   * Authorize a new location
+   *
+   * @param int $UserID The user ID
+   * @param string $Username The username
+   * @param string $Email The email address
+   */
+  public static function authLocation($UserID, $Username, $ASN, $Email) {
+    $AuthKey = Users::make_secret();
+    G::$Cache->cache_value('new_location_'.$AuthKey, array('UserID'=>$UserID, 'ASN'=>$ASN), 3600*2);
+    require(SERVER_ROOT . '/classes/templates.class.php');
+    $TPL = NEW TEMPLATE;
+    $TPL->open(SERVER_ROOT . '/templates/new_location.tpl');
+    $TPL->set('Username', $Username);
+    $TPL->set('AuthKey', $AuthKey);
+    $TPL->set('IP', $_SERVER['REMOTE_ADDR']);
+    $TPL->set('SITE_NAME', SITE_NAME);
+    $TPL->set('SITE_DOMAIN', SITE_DOMAIN);
+
+    Misc::send_email($Email, 'Login from new location for '.SITE_NAME, $TPL->get(), 'noreply');
+  }
 }

sections/login/index.php

@@ -184,6 +184,20 @@ if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
 
 } // End password recovery
 
+else if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'newlocation') {
+  if (isset($_REQUEST['key'])) {
+    if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {
+      $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);
+      require('newlocation.php');
+      die();
+    } else {
+      error(403);
+    }
+  } else {
+    error(403);
+  }
+} // End new location
+
 // Normal login
 else {
   $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username.', array('regex' => USERNAME_REGEX));
@@ -235,6 +249,46 @@ else {
               WHERE Username = '".db_string($_POST['username'])."'");
           }
           if ($Enabled == 1) {
+
+            // Check if the current login attempt is from a location previously logged in from
+            if (apc_exists('DBKEY')) {
+              $DB->query("
+                SELECT IP
+                FROM users_history_ips
+                WHERE UserID = $UserID");
+              $IPs = $DB->to_array(false, MYSQLI_NUM);
+              $QueryParts = array();
+              foreach ($IPs as $i => $IP) {
+                $IPs[$i] = DBCrypt::decrypt($IP[0]);
+              }
+              $IPs = array_unique($IPs);
+              if (count($IPs) > 0) { // Always allow first login
+                foreach ($IPs as $IP) {
+                  $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";
+                }
+                $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));
+                $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);
+                $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET_ATON('$_SERVER[REMOTE_ADDR]')");
+                list($CurrentASN) = $DB->next_record();
+
+                if (!in_array($CurrentASN, $PastASNs)) {
+                  // Never logged in from this location before
+                  if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {
+                    $DB->query("
+                      SELECT
+                        UserName,
+                        Email
+                      FROM users_main
+                      WHERE ID = $UserID");
+                    list($Username, $Email) = $DB->next_record();
+                    Users::authLocation($UserID, $Username, $CurrentASN, DBCrypt::decrypt($Email));
+                    require('newlocation.php');
+                    die();
+                  }
+                }
+              }
+            }
+
             $SessionID = Users::make_secret(64);
             $KeepLogged = ($_POST['keeplogged'] ?? false) ? 1 : 0;
             setcookie('session', $SessionID, (time()+60*60*24*365)*$KeepLogged, '/', '', true, true);

sections/login/newlocation.php

@@ -0,0 +1,25 @@
+<?
+if (!empty($LoggedUser['ID'])) {
+  header('Location: login.php');
+  die();
+}
+
+View::show_header('Authorize Location');
+
+if (isset($_REQUEST['act'])) {
+?>
+
+Your location is now authorized to access this account.<br /><br />
+Click <a href="login.php">here</a> to login again.
+
+<? } else { ?>
+
+This appears to be the first time you've logged in from this location.<br /><br />
+
+As a security measure to ensure that you are really the owner of this account,<br />
+an email has been sent to the address in your profile settings. Please<br />
+click the link contained in that email to allow access from<br />
+your location, and then log in again.
+
+<? }
+View::show_footer(); ?>

templates/new_location.tpl

@@ -0,0 +1,10 @@
+A login from a new location was detected for the user {{Username}} from the IP address {{IP}}.
+
+To allow logins from this location, click the link below (you have 2 hours)
+
+https://{{SITE_DOMAIN}}/login.php?act=newlocation&key={{AuthKey}}
+
+If this login attempt was not you, change your password and contact staff immediately.
+
+Thank you,
+{{SITE_NAME}} Staff