Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1105 Commits
2 Branches
Tree: 443a75e6db
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '443a75e6db'
${ noResults }
Gazelle/sections/login/index.php

index.php 22KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476 
  1. <?php

  2. #declare(strict_types=1);

  3. 

  4. $ENV = ENV::go();

  5. 

  6. /*-- todo ---------------------------//

  7. Add the JavaScript validation into the display page using the class

  8. //-----------------------------------*/

  9. 

  10. // Allow users to reset their password while logged in

  11. if (!empty($LoggedUser['ID']) && $_REQUEST['act'] !== 'recover') {

  12.     header('Location: index.php');

  13.     error();

  14. }

  15. 

  16. if ($ENV->BLOCK_OPERA_MINI && isset($_SERVER['HTTP_X_OPERAMINI_PHONE'])) {

  17.     error('Opera Mini is banned. Please use another browser.');

  18. }

  19. 

  20. // Check if IP is banned

  21. if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {

  22.     error('Your IP address has been banned.');

  23. }

  24. 

  25. # Initialize

  26. require_once SERVER_ROOT.'/classes/twofa.class.php';

  27. require_once SERVER_ROOT.'/classes/u2f.class.php';

  28. require_once SERVER_ROOT.'/classes/validate.class.php';

  29. 

  30. $Validate = new Validate;

  31. $TwoFA = new TwoFactorAuth($ENV->SITE_NAME);

  32. $U2F = new u2f\U2F('https://'.SITE_DOMAIN);

  33. 

  34. if (array_key_exists('action', $_GET) && $_GET['action'] === 'disabled') {

  35.     require('disabled.php');

  36.     error();

  37. }

  38. 

  39. if (isset($_REQUEST['act']) && $_REQUEST['act'] === 'recover') {

  40.     // Recover password

  41.     if (!empty($_REQUEST['key'])) {

  42.         // User has entered a new password, use step 2

  43.         $DB->query("

  44.         SELECT

  45.           m.`ID`,

  46.           m.`Email`,

  47.           i.`ResetExpires`

  48.         FROM `users_main` AS m

  49.           INNER JOIN `users_info` AS i ON i.`UserID` = m.`ID`

  50.           WHERE i.`ResetKey` = ?

  51.           AND i.`ResetKey` != ''", $_REQUEST['key']);

  52.         list($UserID, $Email, $Country, $Expires) = $DB->next_record();

  53. 

  54.         if (!apcu_exists('DBKEY')) {

  55.             error('Database not fully decrypted. Please wait for staff to fix this and try again later.');

  56.         }

  57. 

  58.         $Email = Crypto::decrypt($Email);

  59. 

  60.         if ($UserID && strtotime($Expires) > time()) {

  61.             // If the user has requested a password change, and his key has not expired

  62.             $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. Any password at least 15 characters long is accepted, but a strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, contains at least a number or symbol', array('regex' => '/(?=^.{6,}$).*$/'));

  63.             $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password'));

  64. 

  65.             if (!empty($_REQUEST['password'])) {

  66.                 // If the user entered a password.

  67.                 // If not, $PassWasReset !== 1, success message hidden.

  68.                 $Err = $Validate->ValidateForm($_REQUEST);

  69.                 if ($Err == '') {

  70.                     // Form validates without error, set new secret and password.

  71.                     $DB->query(

  72.                         "

  73.                     UPDATE

  74.                       `users_main` AS m,

  75.                       `users_info` AS i

  76.                     SET

  77.                       m.`PassHash` = ?,

  78.                       i.`ResetKey` = '',

  79.                       m.`LastLogin` = NOW(),

  80.                       i.`ResetExpires` = NULL

  81.                       WHERE m.`ID` = ?

  82.                       AND i.`UserID` = m.`ID`",

  83.                         Users::make_sec_hash($_REQUEST['password']),

  84.                         $UserID

  85.                     );

  86. 

  87.                     $DB->query("

  88.                     INSERT INTO `users_history_passwords`

  89.                       (`UserID`, `ChangerIP`, `ChangeTime`)

  90.                     VALUES

  91.                       (?, ?, NOW())", $UserID, Crypto::encrypt($_SERVER['REMOTE_ADDR']));

  92. 

  93.                     $PassWasReset = true;

  94.                     $LoggedUser['ID'] = $UserID; // Set $LoggedUser['ID'] for logout_all_sessions() to work

  95.                     logout_all_sessions();

  96.                 }

  97.             }

  98. 

  99.             // Either a form asking for them to enter the password

  100.             // Or a success message if $PassWasReset is 1

  101.             require('recover_step2.php');

  102.         } else {

  103.             // Either his key has expired, or he hasn't requested a pass change at all

  104.             if (strtotime($Expires) < time() && $UserID) {

  105.                 // If his key has expired, clear all the reset information

  106.                 $DB->query("

  107.                 UPDATE users_info

  108.                 SET ResetKey = '',

  109.                   ResetExpires = NULL

  110.                   WHERE UserID = ?", $UserID);

  111.                 $_SESSION['reseterr'] = 'The link you were given has expired.'; // Error message to display on form

  112.             }

  113.             // Show him the first form (enter email address)

  114.             header('Location: login.php?act=recover');

  115.         }

  116.     } // End step 2

  117. 

  118.     // User has not clicked the link in his email, use step 1

  119.     else {

  120.         # Check for DBKEY before handling user inputs

  121.         if (!apcu_exists('DBKEY')) {

  122.             $Err = 'Database not fully decrypted. Please wait for staff to fix this and try again';

  123.         }

  124. 

  125.         if (!empty($_REQUEST['email'])) {

  126.             // User has entered email and submitted form

  127.             $Validate->SetFields('email', '1', 'email', 'You entered an invalid email address');

  128.             $Err = $Validate->ValidateForm($_REQUEST);

  129. 

  130.             if (!$Err) {

  131.                 // Form validates correctly

  132.                 $DB->query("

  133.                 SELECT

  134.                   `Email`

  135.                 FROM

  136.                   `users_main`

  137.                 ");

  138. 

  139.                 /**

  140.                  * Note that if any user has a blank email field,

  141.                  * the comparison will fail and the script will 500!

  142.                  */

  143.                 while (list($EncEmail) = $DB->next_record()) {

  144.                     if (trim(

  145.                         strtolower($_REQUEST['email'])

  146.                     ) === strtolower(Crypto::decrypt($EncEmail))) {

  147.                         break; // $EncEmail is now the encrypted form of the given email from the database

  148.                     }

  149.                 }

  150. 

  151.                 $DB->query("

  152.                 SELECT

  153.                   `ID`,

  154.                   `Username`,

  155.                   `Email`

  156.                 FROM

  157.                   `users_main`

  158.                 WHERE

  159.                   `Email` = '$EncEmail'

  160.                 ");

  161. 

  162.                 list($UserID, $Username, $Email) = $DB->next_record();

  163.                 $Email = Crypto::decrypt($Email);

  164. 

  165.                 if ($UserID) {

  166.                     // Email exists in the database

  167.                     // Set ResetKey, send out email, and set $Sent to 1 to show success page

  168.                     Users::reset_password($UserID, $Username, $Email);

  169.                     $Sent = 1; // If $Sent is 1, recover_step1.php displays a success message

  170. 

  171.                     //Log out all of the users current sessions

  172.                     $Cache->delete_value("user_info_$UserID");

  173.                     $Cache->delete_value("user_info_heavy_$UserID");

  174.                     $Cache->delete_value("user_stats_$UserID");

  175.                     $Cache->delete_value("enabled_$UserID");

  176. 

  177.                     $DB->query("

  178.                     SELECT

  179.                       `SessionID`

  180.                     FROM

  181.                       `users_sessions`

  182.                     WHERE

  183.                       `UserID` = '$UserID'

  184.                     ");

  185. 

  186.                     while (list($SessionID) = $DB->next_record()) {

  187.                         $Cache->delete_value("session_$UserID"."_$SessionID");

  188.                     }

  189. 

  190.                     $DB->query("

  191.                     UPDATE

  192.                       `users_sessions`

  193.                     SET

  194.                       `Active` = 0

  195.                     WHERE

  196.                       `UserID` = '$UserID'

  197.                       AND `Active` = 1

  198.                     ");

  199.                 } else {

  200.                     $Err = 'There is no user with that email address.';

  201.                 }

  202.             }

  203.         } elseif (!empty($_SESSION['reseterr'])) {

  204.             // User has not entered email address, and there is an error set in session data

  205.             // This is typically because their key has expired.

  206.             // Stick the error into $Err so recover_step1.php can take care of it

  207.             $Err = $_SESSION['reseterr'];

  208.             unset($_SESSION['reseterr']);

  209.         }

  210. 

  211.         // Either a form for the user's email address, or a success message

  212.         require('recover_step1.php');

  213.     }

  214. } // End password recovery

  215. 

  216. elseif (isset($_REQUEST['act']) && $_REQUEST['act'] === 'newlocation') {

  217.     if (isset($_REQUEST['key'])) {

  218.         if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {

  219.             $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);

  220.             require('newlocation.php');

  221.             error();

  222.         } else {

  223.             error(403);

  224.         }

  225.     } else {

  226.         error(403);

  227.     }

  228. } // End new location

  229. 

  230. // Normal login

  231. else {

  232.     $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username', array('regex' => USERNAME_REGEX));

  233.     $Validate->SetFields('password', '1', 'string', 'You entered an invalid password', array('minlength' => '15', 'maxlength' => '307200'));

  234. 

  235.     list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));

  236. 

  237.     // Function to log a user's login attempt

  238.     function log_attempt()

  239.     {

  240.         global $Cache, $Attempts;

  241.         $Attempts = ($Attempts ?? 0) + 1;

  242.         $Cache->cache_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']), array($Attempts, ($Attempts > 5)), 60*60*$Attempts);

  243.         $AllAttempts = $Cache->get_value('login_attempts');

  244.         $AllAttempts[$_SERVER['REMOTE_ADDR']] = time()+(60*60*$Attempts);

  245.         foreach ($AllAttempts as $IP => $Time) {

  246.             if ($Time < time()) {

  247.                 unset($AllAttempts[$IP]);

  248.             }

  249.         }

  250.         $Cache->cache_value('login_attempts', $AllAttempts, 0);

  251.     }

  252. 

  253.     // If user has submitted form

  254.     if (isset($_POST['username']) && !empty($_POST['username']) && isset($_POST['password']) && !empty($_POST['password'])) {

  255.         if ($Banned) {

  256.             header("Location: login.php");

  257.             error();

  258.         }

  259.         $Err = $Validate->ValidateForm($_POST);

  260. 

  261.         if (!$Err) {

  262.             // Passes preliminary validation (username and password "look right")

  263.             $DB->query("

  264.             SELECT

  265.               ID,

  266.               PermissionID,

  267.               CustomPermissions,

  268.               PassHash,

  269.               TwoFactor,

  270.               Enabled

  271.             FROM users_main

  272.               WHERE Username = ?

  273.               AND Username != ''", $_POST['username']);

  274.             list($UserID, $PermissionID, $CustomPermissions, $PassHash, $TwoFactor, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));

  275.             if (!$Banned) {

  276.                 if ($UserID && Users::check_password($_POST['password'], $PassHash)) {

  277.                     // Update hash if better algorithm available

  278.                     if (password_needs_rehash($PassHash, PASSWORD_DEFAULT)) {

  279.                         $DB->query("

  280.                         UPDATE users_main

  281.                         SET PassHash = ?

  282.                           WHERE Username = ?", make_sec_hash($_POST['password']), $_POST['username']);

  283.                     }

  284. 

  285.                     if (empty($TwoFactor) || $TwoFA->verifyCode($TwoFactor, $_POST['twofa'])) {

  286.                         # todo: Make sure the type is (int)

  287.                         if ($Enabled === '1') {

  288. 

  289.                             // Check if the current login attempt is from a location previously logged in from

  290.                             if (apcu_exists('DBKEY')) {

  291.                                 $DB->query("

  292.                                 SELECT

  293.                                   `IP`

  294.                                 FROM

  295.                                   `users_history_ips`

  296.                                 WHERE

  297.                                   `UserID` = '$UserID'

  298.                                 ");

  299. 

  300.                                 $IPs = $DB->to_array(false, MYSQLI_NUM);

  301.                                 $QueryParts = [];

  302. 

  303.                                 foreach ($IPs as $i => $IP) {

  304.                                     $IPs[$i] = Crypto::decrypt($IP[0]);

  305.                                 }

  306. 

  307.                                 $IPs = array_unique($IPs);

  308.                                 if (count($IPs) > 0) { // Always allow first login

  309.                                     foreach ($IPs as $IP) {

  310.                                         $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";

  311.                                     }

  312. 

  313.                                     $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));

  314.                                     $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);

  315.                                     $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");

  316.                                     list($CurrentASN) = $DB->next_record();

  317. 

  318.                                     // If FEATURE_ENFORCE_LOCATIONS is enabled, require users to confirm new logins

  319.                                     if (!in_array($CurrentASN, $PastASNs) && $ENV->FEATURE_ENFORCE_LOCATIONS) {

  320.                                         // Never logged in from this location before

  321.                                         if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {

  322.                                             $DB->query("

  323.                                             SELECT

  324.                                               `UserName`,

  325.                                               `Email`

  326.                                             FROM

  327.                                               `users_main`

  328.                                             WHERE

  329.                                               `ID` = '$UserID'

  330.                                             ");

  331.                                             

  332.                                             list($Username, $Email) = $DB->next_record();

  333.                                             Users::auth_location($UserID, $Username, $CurrentASN, Crypto::decrypt($Email));

  334.                                             require('newlocation.php');

  335.                                             error();

  336.                                         }

  337.                                     }

  338.                                 }

  339.                             }

  340. 

  341.                             $U2FRegs = [];

  342.                             $DB->query("

  343.                             SELECT KeyHandle, PublicKey, Certificate, Counter, Valid

  344.                             FROM u2f

  345.                               WHERE UserID = ?", $UserID);

  346.                             // Needs to be an array of objects, so we can't use to_array()

  347.                             while (list($KeyHandle, $PublicKey, $Certificate, $Counter, $Valid) = $DB->next_record()) {

  348.                                 $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter, 'valid'=>$Valid];

  349.                             }

  350. 

  351.                             if (sizeof($U2FRegs) > 0) {

  352.                                 // U2F is enabled for this account

  353.                                 if (isset($_POST['u2f-request']) && isset($_POST['u2f-response'])) {

  354.                                     // Data from the U2F login page is present. Verify it.

  355.                                     try {

  356.                                         $U2FReg = $U2F->doAuthenticate(json_decode($_POST['u2f-request']), $U2FRegs, json_decode($_POST['u2f-response']));

  357.                                         if ($U2FReg->valid != '1') {

  358.                                             error('Token disabled.');

  359.                                         }

  360.                                         $DB->query(

  361.                                             "UPDATE u2f

  362.                                 SET Counter = ?

  363.                                 WHERE KeyHandle = ?

  364.                                 AND UserID = ?",

  365.                                             $U2FReg->counter,

  366.                                             $U2FReg->keyHandle,

  367.                                             $UserID

  368.                                         );

  369.                                     } catch (Exception $e) {

  370.                                         $U2FErr = 'U2F key invalid. Error: '.($e->getMessage());

  371.                                         if ($e->getMessage() == 'Token disabled.') {

  372.                                             $U2FErr = 'This token was disabled due to suspected cloning. Contact staff for assistance';

  373.                                         }

  374.                                         if ($e->getMessage() == 'Counter too low.') {

  375.                                             $BadHandle = json_decode($_POST['u2f-response'], true)['keyHandle'];

  376.                                             $DB->query("UPDATE u2f

  377.                                   SET Valid = '0'

  378.                                   WHERE KeyHandle = ?

  379.                                   AND UserID = ?", $BadHandle, $UserID);

  380.                                             $U2FErr = 'U2F counter too low. This token has been disabled due to suspected cloning. Contact staff for assistance';

  381.                                         }

  382.                                     }

  383.                                 } else {

  384.                                     // Data from the U2F login page is not present. Go there

  385.                                     require('u2f.php');

  386.                                     error();

  387.                                 }

  388.                             }

  389. 

  390.                             if (sizeof($U2FRegs) == 0 || !isset($U2FErr)) {

  391.                                 $SessionID = Users::make_secret(64);

  392.                                 setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);

  393.                                 setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);

  394. 

  395.                                 // Because we <3 our staff

  396.                                 $Permissions = Permissions::get_permissions($PermissionID);

  397.                                 $CustomPermissions = unserialize($CustomPermissions);

  398.                                 if (isset($Permissions['Permissions']['site_disable_ip_history'])

  399.                                  || isset($CustomPermissions['site_disable_ip_history'])

  400.                 ) {

  401.                                     $_SERVER['REMOTE_ADDR'] = '127.0.0.1';

  402.                                 }

  403. 

  404.                                 $DB->query("

  405.                                 INSERT INTO users_sessions

  406.                                   (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)

  407.                                 VALUES

  408.                                   ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', NOW(), '".db_string($_SERVER['HTTP_USER_AGENT'])."')");

  409. 

  410.                                 $Cache->begin_transaction("users_sessions_$UserID");

  411.                                 $Cache->insert_front($SessionID, [

  412.                                   'SessionID' => $SessionID,

  413.                                   'Browser' => $Browser,

  414.                                   'OperatingSystem' => $OperatingSystem,

  415.                                   'IP' => (apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),

  416.                                   'LastUpdate' => sqltime()

  417.                                 ]);

  418.                                 $Cache->commit_transaction(0);

  419. 

  420.                                 $Sql = "

  421.                                 UPDATE users_main

  422.                                 SET

  423.                                   LastLogin = NOW(),

  424.                                   LastAccess = NOW()

  425.                                   WHERE ID = '".db_string($UserID)."'";

  426. 

  427.                                 $DB->query($Sql);

  428. 

  429.                                 if (!empty($_COOKIE['redirect'])) {

  430.                                     $URL = $_COOKIE['redirect'];

  431.                                     setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);

  432.                                     header("Location: $URL");

  433.                                     error();

  434.                                 } else {

  435.                                     header('Location: index.php');

  436.                                     error();

  437.                                 }

  438.                             } else {

  439.                                 log_attempt();

  440.                                 $Err = $U2FErr;

  441.                                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  442.                             }

  443.                         } else {

  444.                             log_attempt();

  445.                             if ($Enabled == 2) {

  446. 

  447.                                 // Save the username in a cookie for the disabled page

  448.                                 setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);

  449.                                 header('Location: login.php?action=disabled');

  450.                             # todo: Make sure the type is (int)

  451.                             } elseif ($Enabled === '0') {

  452.                                 $Err = 'Your account has not been confirmed. Please check your email, including the spam folder';

  453.                             }

  454.                             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  455.                         }

  456.                     } else {

  457.                         log_attempt();

  458.                         $Err = 'Two-factor authentication failed';

  459.                         setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  460.                     }

  461.                 } else {

  462.                     log_attempt();

  463.                     $Err = 'Your username or password was incorrect';

  464.                     setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  465.                 }

  466.             } else {

  467.                 log_attempt();

  468.                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  469.             }

  470.         } else {

  471.             log_attempt();

  472.             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  473.         }

  474.     }

  475.     require('sections/login/login.php');

  476. }