Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1077 Commits
2 Branches
Tree: 45c60ee4e0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '45c60ee4e0'
${ noResults }
Gazelle/sections/login/index.php

index.php 22KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461 
  1. <?php

  2. #declare(strict_types=1);

  3. 

  4. # Unsure if require_once is needed here

  5. require_once 'classes/env.class.php';

  6. $ENV = ENV::go();

  7. 

  8. /*-- todo ---------------------------//

  9. Add the JavaScript validation into the display page using the class

  10. //-----------------------------------*/

  11. 

  12. // Allow users to reset their password while logged in

  13. if (!empty($LoggedUser['ID']) && $_REQUEST['act'] != 'recover') {

  14.     header('Location: index.php');

  15.     error();

  16. }

  17. 

  18. if ($ENV->BLOCK_OPERA_MINI && isset($_SERVER['HTTP_X_OPERAMINI_PHONE'])) {

  19.     error('Opera Mini is banned. Please use another browser.');

  20. }

  21. 

  22. // Check if IP is banned

  23. if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {

  24.     error('Your IP address has been banned.');

  25. }

  26. 

  27. require_once SERVER_ROOT.'/classes/twofa.class.php';

  28. require_once SERVER_ROOT.'/classes/u2f.class.php';

  29. require_once SERVER_ROOT.'/classes/validate.class.php';

  30. 

  31. $Validate = new Validate;

  32. $TwoFA = new TwoFactorAuth($ENV->SITE_NAME);

  33. $U2F = new u2f\U2F('https://'.SITE_DOMAIN);

  34. 

  35. # todo: Test strict equality very gently here

  36. if (array_key_exists('action', $_GET) && $_GET['action'] == 'disabled') {

  37.     require('disabled.php');

  38.     error();

  39. }

  40. 

  41. if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {

  42.     // Recover password

  43.     if (!empty($_REQUEST['key'])) {

  44.         // User has entered a new password, use step 2

  45.         $DB->query("

  46.         SELECT

  47.           m.ID,

  48.           m.Email,

  49.           m.ipcc,

  50.           i.ResetExpires

  51.         FROM users_main AS m

  52.           INNER JOIN users_info AS i ON i.UserID = m.ID

  53.           WHERE i.ResetKey = ?

  54.           AND i.ResetKey != ''", $_REQUEST['key']);

  55.         list($UserID, $Email, $Country, $Expires) = $DB->next_record();

  56. 

  57.         if (!apcu_exists('DBKEY')) {

  58.             error('Database not fully decrypted. Please wait for staff to fix this and try again later');

  59.         }

  60. 

  61.         $Email = Crypto::decrypt($Email);

  62. 

  63.         if ($UserID && strtotime($Expires) > time()) {

  64.             // If the user has requested a password change, and his key has not expired

  65.             $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. Any password at least 15 characters long is accepted, but a strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, contains at least a number or symbol', array('regex' => '/(?=^.{6,}$).*$/'));

  66.             $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password'));

  67. 

  68.             if (!empty($_REQUEST['password'])) {

  69.                 // If the user has entered a password.

  70.                 // If the user has not entered a password, $PassWasReset is not set to 1, and the success message is not shown

  71.                 $Err = $Validate->ValidateForm($_REQUEST);

  72.                 if ($Err == '') {

  73.                     // Form validates without error, set new secret and password.

  74.                     $DB->query("

  75.                     UPDATE

  76.                       users_main AS m,

  77.                       users_info AS i

  78.                     SET

  79.                       m.PassHash = ?,

  80.                       i.ResetKey = '',

  81.                       m.LastLogin = NOW(),

  82.                       i.ResetExpires = NULL

  83.                       WHERE m.ID = ?

  84.                       AND i.UserID = m.ID", Users::make_sec_hash($_REQUEST['password']), $UserID);

  85.                     $DB->query("

  86.                     INSERT INTO users_history_passwords

  87.                       (UserID, ChangerIP, ChangeTime)

  88.                     VALUES

  89.                       (?, ?, NOW())", $UserID, Crypto::encrypt($_SERVER['REMOTE_ADDR']));

  90.                     $PassWasReset = true;

  91.                     $LoggedUser['ID'] = $UserID; // Set $LoggedUser['ID'] for logout_all_sessions() to work

  92.                     logout_all_sessions();

  93.                 }

  94.             }

  95. 

  96.             // Either a form asking for them to enter the password

  97.             // Or a success message if $PassWasReset is 1

  98.             require('recover_step2.php');

  99.         } else {

  100.             // Either his key has expired, or he hasn't requested a pass change at all

  101.             if (strtotime($Expires) < time() && $UserID) {

  102.                 // If his key has expired, clear all the reset information

  103.                 $DB->query("

  104.                 UPDATE users_info

  105.                 SET ResetKey = '',

  106.                   ResetExpires = NULL

  107.                   WHERE UserID = ?", $UserID);

  108.                 $_SESSION['reseterr'] = 'The link you were given has expired.'; // Error message to display on form

  109.             }

  110.             // Show him the first form (enter email address)

  111.             header('Location: login.php?act=recover');

  112.         }

  113.     } // End step 2

  114. 

  115.     // User has not clicked the link in his email, use step 1

  116.     else {

  117.         # Check for DBKEY before handling user inputs

  118.         if (!apcu_exists('DBKEY')) {

  119.             $Err = 'Database not fully decrypted. Please wait for staff to fix this and try again';

  120.         }

  121. 

  122.         if (!empty($_REQUEST['email'])) {

  123.             // User has entered email and submitted form

  124.             $Validate->SetFields('email', '1', 'email', 'You entered an invalid email address');

  125.             $Err = $Validate->ValidateForm($_REQUEST);

  126. 

  127.             if (!$Err) {

  128.                 // Form validates correctly

  129.                 $DB->query("

  130.                 SELECT

  131.                   `Email`

  132.                 FROM

  133.                   `users_main`

  134.                 ");

  135. 

  136.                 /**

  137.                  * Note that if any user has a blank email field,

  138.                  * the comparison will fail and the script will 500!

  139.                  */

  140.                 while (list($EncEmail) = $DB->next_record()) {

  141.                     if (trim(

  142.                         strtolower($_REQUEST['email'])

  143.                     ) === strtolower(Crypto::decrypt($EncEmail))) {

  144.                         break; // $EncEmail is now the encrypted form of the given email from the database

  145.                     }

  146.                 }

  147. 

  148.                 $DB->query("

  149.                 SELECT

  150.                   `ID`,

  151.                   `Username`,

  152.                   `Email`

  153.                 FROM

  154.                   `users_main`

  155.                 WHERE

  156.                   `Email` = '$EncEmail'

  157.                 ");

  158. 

  159.                 list($UserID, $Username, $Email) = $DB->next_record();

  160.                 $Email = Crypto::decrypt($Email);

  161. 

  162.                 if ($UserID) {

  163.                     // Email exists in the database

  164.                     // Set ResetKey, send out email, and set $Sent to 1 to show success page

  165.                     Users::reset_password($UserID, $Username, $Email);

  166.                     $Sent = 1; // If $Sent is 1, recover_step1.php displays a success message

  167. 

  168.                     //Log out all of the users current sessions

  169.                     $Cache->delete_value("user_info_$UserID");

  170.                     $Cache->delete_value("user_info_heavy_$UserID");

  171.                     $Cache->delete_value("user_stats_$UserID");

  172.                     $Cache->delete_value("enabled_$UserID");

  173. 

  174.                     $DB->query("

  175.                     SELECT

  176.                       `SessionID`

  177.                     FROM

  178.                       `users_sessions`

  179.                     WHERE

  180.                       `UserID` = '$UserID'

  181.                     ");

  182. 

  183.                     while (list($SessionID) = $DB->next_record()) {

  184.                         $Cache->delete_value("session_$UserID"."_$SessionID");

  185.                     }

  186. 

  187.                     $DB->query("

  188.                     UPDATE

  189.                       `users_sessions`

  190.                     SET

  191.                       `Active` = 0

  192.                     WHERE

  193.                       `UserID` = '$UserID'

  194.                       AND `Active` = 1

  195.                     ");

  196.                 } else {

  197.                     $Err = 'There is no user with that email address';

  198.                 }

  199.             }

  200.         } elseif (!empty($_SESSION['reseterr'])) {

  201.             // User has not entered email address, and there is an error set in session data

  202.             // This is typically because their key has expired.

  203.             // Stick the error into $Err so recover_step1.php can take care of it

  204.             $Err = $_SESSION['reseterr'];

  205.             unset($_SESSION['reseterr']);

  206.         }

  207. 

  208.         // Either a form for the user's email address, or a success message

  209.         require('recover_step1.php');

  210.     }

  211. } // End password recovery

  212. 

  213. elseif (isset($_REQUEST['act']) && $_REQUEST['act'] == 'newlocation') {

  214.     if (isset($_REQUEST['key'])) {

  215.         if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {

  216.             $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);

  217.             require('newlocation.php');

  218.             error();

  219.         } else {

  220.             error(403);

  221.         }

  222.     } else {

  223.         error(403);

  224.     }

  225. } // End new location

  226. 

  227. // Normal login

  228. else {

  229.     $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username', array('regex' => USERNAME_REGEX));

  230.     $Validate->SetFields('password', '1', 'string', 'You entered an invalid password', array('minlength' => '6', 'maxlength' => '307200'));

  231. 

  232.     list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));

  233. 

  234.     // Function to log a user's login attempt

  235.     function log_attempt()

  236.     {

  237.         global $Cache, $Attempts;

  238.         $Attempts = ($Attempts ?? 0) + 1;

  239.         $Cache->cache_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']), array($Attempts, ($Attempts > 5)), 60*60*$Attempts);

  240.         $AllAttempts = $Cache->get_value('login_attempts');

  241.         $AllAttempts[$_SERVER['REMOTE_ADDR']] = time()+(60*60*$Attempts);

  242.         foreach ($AllAttempts as $IP => $Time) {

  243.             if ($Time < time()) {

  244.                 unset($AllAttempts[$IP]);

  245.             }

  246.         }

  247.         $Cache->cache_value('login_attempts', $AllAttempts, 0);

  248.     }

  249. 

  250.     // If user has submitted form

  251.     if (isset($_POST['username']) && !empty($_POST['username']) && isset($_POST['password']) && !empty($_POST['password'])) {

  252.         if ($Banned) {

  253.             header("Location: login.php");

  254.             error();

  255.         }

  256.         $Err = $Validate->ValidateForm($_POST);

  257. 

  258.         if (!$Err) {

  259.             // Passes preliminary validation (username and password "look right")

  260.             $DB->query("

  261.             SELECT

  262.               ID,

  263.               PermissionID,

  264.               CustomPermissions,

  265.               PassHash,

  266.               TwoFactor,

  267.               Enabled

  268.             FROM users_main

  269.               WHERE Username = ?

  270.               AND Username != ''", $_POST['username']);

  271.             list($UserID, $PermissionID, $CustomPermissions, $PassHash, $TwoFactor, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));

  272.             if (!$Banned) {

  273.                 if ($UserID && Users::check_password($_POST['password'], $PassHash)) {

  274.                     // Update hash if better algorithm available

  275.                     if (password_needs_rehash($PassHash, PASSWORD_DEFAULT)) {

  276.                         $DB->query("

  277.                         UPDATE users_main

  278.                         SET PassHash = ?

  279.                           WHERE Username = ?", make_sec_hash($_POST['password']), $_POST['username']);

  280.                     }

  281. 

  282.                     if (empty($TwoFactor) || $TwoFA->verifyCode($TwoFactor, $_POST['twofa'])) {

  283.                         # todo: Make sure the type is (int)

  284.                         if ($Enabled === '1') {

  285. 

  286.               // Check if the current login attempt is from a location previously logged in from

  287.                             if (apcu_exists('DBKEY')) {

  288.                                 $DB->query("

  289.                                 SELECT IP

  290.                                 FROM users_history_ips

  291.                                   WHERE UserID = ?", $UserID);

  292.                                 $IPs = $DB->to_array(false, MYSQLI_NUM);

  293.                                 $QueryParts = [];

  294.                                 foreach ($IPs as $i => $IP) {

  295.                                     $IPs[$i] = Crypto::decrypt($IP[0]);

  296.                                 }

  297.                                 $IPs = array_unique($IPs);

  298.                                 if (count($IPs) > 0) { // Always allow first login

  299.                                     foreach ($IPs as $IP) {

  300.                                         $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";

  301.                                     }

  302.                                     $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));

  303.                                     $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);

  304.                                     $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");

  305.                                     list($CurrentASN) = $DB->next_record();

  306. 

  307.                                     // If FEATURE_ENFORCE_LOCATIONS is enabled, require users to confirm new logins

  308.                                     if (!in_array($CurrentASN, $PastASNs) && $ENV->FEATURE_ENFORCE_LOCATIONS) {

  309.                                         // Never logged in from this location before

  310.                                         if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {

  311.                                             $DB->query("

  312.                                             SELECT

  313.                                               UserName,

  314.                                               Email

  315.                                             FROM users_main

  316.                                               WHERE ID = ?", $UserID);

  317.                                             list($Username, $Email) = $DB->next_record();

  318.                                             Users::auth_location($UserID, $Username, $CurrentASN, Crypto::decrypt($Email));

  319.                                             require('newlocation.php');

  320.                                             error();

  321.                                         }

  322.                                     }

  323.                                 }

  324.                             }

  325. 

  326.                             $U2FRegs = [];

  327.                             $DB->query("

  328.                             SELECT KeyHandle, PublicKey, Certificate, Counter, Valid

  329.                             FROM u2f

  330.                               WHERE UserID = ?", $UserID);

  331.                             // Needs to be an array of objects, so we can't use to_array()

  332.                             while (list($KeyHandle, $PublicKey, $Certificate, $Counter, $Valid) = $DB->next_record()) {

  333.                                 $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter, 'valid'=>$Valid];

  334.                             }

  335. 

  336.                             if (sizeof($U2FRegs) > 0) {

  337.                                 // U2F is enabled for this account

  338.                                 if (isset($_POST['u2f-request']) && isset($_POST['u2f-response'])) {

  339.                                     // Data from the U2F login page is present. Verify it.

  340.                                     try {

  341.                                         $U2FReg = $U2F->doAuthenticate(json_decode($_POST['u2f-request']), $U2FRegs, json_decode($_POST['u2f-response']));

  342.                                         if ($U2FReg->valid != '1') {

  343.                                             error('Token disabled.');

  344.                                         }

  345.                                         $DB->query(

  346.                                             "UPDATE u2f

  347.                                 SET Counter = ?

  348.                                 WHERE KeyHandle = ?

  349.                                 AND UserID = ?",

  350.                                             $U2FReg->counter,

  351.                                             $U2FReg->keyHandle,

  352.                                             $UserID

  353.                                         );

  354.                                     } catch (Exception $e) {

  355.                                         $U2FErr = 'U2F key invalid. Error: '.($e->getMessage());

  356.                                         if ($e->getMessage() == 'Token disabled.') {

  357.                                             $U2FErr = 'This token was disabled due to suspected cloning. Contact staff for assistance';

  358.                                         }

  359.                                         if ($e->getMessage() == 'Counter too low.') {

  360.                                             $BadHandle = json_decode($_POST['u2f-response'], true)['keyHandle'];

  361.                                             $DB->query("UPDATE u2f

  362.                                   SET Valid = '0'

  363.                                   WHERE KeyHandle = ?

  364.                                   AND UserID = ?", $BadHandle, $UserID);

  365.                                             $U2FErr = 'U2F counter too low. This token has been disabled due to suspected cloning. Contact staff for assistance';

  366.                                         }

  367.                                     }

  368.                                 } else {

  369.                                     // Data from the U2F login page is not present. Go there

  370.                                     require('u2f.php');

  371.                                     error();

  372.                                 }

  373.                             }

  374. 

  375.                             if (sizeof($U2FRegs) == 0 || !isset($U2FErr)) {

  376.                                 $SessionID = Users::make_secret(64);

  377.                                 setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);

  378.                                 setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);

  379. 

  380.                                 // Because we <3 our staff

  381.                                 $Permissions = Permissions::get_permissions($PermissionID);

  382.                                 $CustomPermissions = unserialize($CustomPermissions);

  383.                                 if (isset($Permissions['Permissions']['site_disable_ip_history'])

  384.                                  || isset($CustomPermissions['site_disable_ip_history'])

  385.                 ) {

  386.                                     $_SERVER['REMOTE_ADDR'] = '127.0.0.1';

  387.                                 }

  388. 

  389.                                 $DB->query("

  390.                                 INSERT INTO users_sessions

  391.                                   (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)

  392.                                 VALUES

  393.                                   ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', NOW(), '".db_string($_SERVER['HTTP_USER_AGENT'])."')");

  394. 

  395.                                 $Cache->begin_transaction("users_sessions_$UserID");

  396.                                 $Cache->insert_front($SessionID, [

  397.                                   'SessionID' => $SessionID,

  398.                                   'Browser' => $Browser,

  399.                                   'OperatingSystem' => $OperatingSystem,

  400.                                   'IP' => (apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),

  401.                                   'LastUpdate' => sqltime()

  402.                                 ]);

  403.                                 $Cache->commit_transaction(0);

  404. 

  405.                                 $Sql = "

  406.                                 UPDATE users_main

  407.                                 SET

  408.                                   LastLogin = NOW(),

  409.                                   LastAccess = NOW()

  410.                                   WHERE ID = '".db_string($UserID)."'";

  411. 

  412.                                 $DB->query($Sql);

  413. 

  414.                                 if (!empty($_COOKIE['redirect'])) {

  415.                                     $URL = $_COOKIE['redirect'];

  416.                                     setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);

  417.                                     header("Location: $URL");

  418.                                     error();

  419.                                 } else {

  420.                                     header('Location: index.php');

  421.                                     error();

  422.                                 }

  423.                             } else {

  424.                                 log_attempt();

  425.                                 $Err = $U2FErr;

  426.                                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  427.                             }

  428.                         } else {

  429.                             log_attempt();

  430.                             if ($Enabled == 2) {

  431. 

  432.                                 // Save the username in a cookie for the disabled page

  433.                                 setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);

  434.                                 header('Location: login.php?action=disabled');

  435.                             # todo: Make sure the type is (int)

  436.                             } elseif ($Enabled === '0') {

  437.                                 $Err = 'Your account has not been confirmed. Please check your email, including the spam folder';

  438.                             }

  439.                             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  440.                         }

  441.                     } else {

  442.                         log_attempt();

  443.                         $Err = 'Two-factor authentication failed';

  444.                         setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  445.                     }

  446.                 } else {

  447.                     log_attempt();

  448.                     $Err = 'Your username or password was incorrect';

  449.                     setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  450.                 }

  451.             } else {

  452.                 log_attempt();

  453.                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  454.             }

  455.         } else {

  456.             log_attempt();

  457.             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  458.         }

  459.     }

  460.     require('sections/login/login.php');

  461. }