Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1088 Commits
2 Branches
Tree: fd1641228e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fd1641228e'
${ noResults }
Gazelle/sections/login/index.php

index.php 22KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479 
  1. <?php

  2. #declare(strict_types=1);

  3. 

  4. # Unsure if require_once is needed here

  5. require_once 'classes/env.class.php';

  6. $ENV = ENV::go();

  7. 

  8. /*-- todo ---------------------------//

  9. Add the JavaScript validation into the display page using the class

  10. //-----------------------------------*/

  11. 

  12. // Allow users to reset their password while logged in

  13. if (!empty($LoggedUser['ID']) && $_REQUEST['act'] !== 'recover') {

  14.     header('Location: index.php');

  15.     error();

  16. }

  17. 

  18. if ($ENV->BLOCK_OPERA_MINI && isset($_SERVER['HTTP_X_OPERAMINI_PHONE'])) {

  19.     error('Opera Mini is banned. Please use another browser.');

  20. }

  21. 

  22. // Check if IP is banned

  23. if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {

  24.     error('Your IP address has been banned.');

  25. }

  26. 

  27. # Initialize

  28. require_once SERVER_ROOT.'/classes/twofa.class.php';

  29. require_once SERVER_ROOT.'/classes/u2f.class.php';

  30. require_once SERVER_ROOT.'/classes/validate.class.php';

  31. 

  32. $Validate = new Validate;

  33. $TwoFA = new TwoFactorAuth($ENV->SITE_NAME);

  34. $U2F = new u2f\U2F('https://'.SITE_DOMAIN);

  35. 

  36. # todo: Test strict equality very gently here

  37. if (array_key_exists('action', $_GET) && $_GET['action'] === 'disabled') {

  38.     require('disabled.php');

  39.     error();

  40. }

  41. 

  42. if (isset($_REQUEST['act']) && $_REQUEST['act'] === 'recover') {

  43.     // Recover password

  44.     if (!empty($_REQUEST['key'])) {

  45.         // User has entered a new password, use step 2

  46.         $DB->query("

  47.         SELECT

  48.           m.`ID`,

  49.           m.`Email`,

  50.           i.`ResetExpires`

  51.         FROM `users_main` AS m

  52.           INNER JOIN `users_info` AS i ON i.`UserID` = m.`ID`

  53.           WHERE i.`ResetKey` = ?

  54.           AND i.`ResetKey` != ''", $_REQUEST['key']);

  55.         list($UserID, $Email, $Country, $Expires) = $DB->next_record();

  56. 

  57.         if (!apcu_exists('DBKEY')) {

  58.             error('Database not fully decrypted. Please wait for staff to fix this and try again later.');

  59.         }

  60. 

  61.         $Email = Crypto::decrypt($Email);

  62. 

  63.         if ($UserID && strtotime($Expires) > time()) {

  64.             // If the user has requested a password change, and his key has not expired

  65.             $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. Any password at least 15 characters long is accepted, but a strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, contains at least a number or symbol', array('regex' => '/(?=^.{6,}$).*$/'));

  66.             $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password'));

  67. 

  68.             if (!empty($_REQUEST['password'])) {

  69.                 // If the user entered a password.

  70.                 // If not, $PassWasReset !== 1, success message hidden.

  71.                 $Err = $Validate->ValidateForm($_REQUEST);

  72.                 if ($Err == '') {

  73.                     // Form validates without error, set new secret and password.

  74.                     $DB->query(

  75.                         "

  76.                     UPDATE

  77.                       `users_main` AS m,

  78.                       `users_info` AS i

  79.                     SET

  80.                       m.`PassHash` = ?,

  81.                       i.`ResetKey` = '',

  82.                       m.`LastLogin` = NOW(),

  83.                       i.`ResetExpires` = NULL

  84.                       WHERE m.`ID` = ?

  85.                       AND i.`UserID` = m.`ID`",

  86.                         Users::make_sec_hash($_REQUEST['password']),

  87.                         $UserID

  88.                     );

  89. 

  90.                     $DB->query("

  91.                     INSERT INTO `users_history_passwords`

  92.                       (`UserID`, `ChangerIP`, `ChangeTime`)

  93.                     VALUES

  94.                       (?, ?, NOW())", $UserID, Crypto::encrypt($_SERVER['REMOTE_ADDR']));

  95. 

  96.                     $PassWasReset = true;

  97.                     $LoggedUser['ID'] = $UserID; // Set $LoggedUser['ID'] for logout_all_sessions() to work

  98.                     logout_all_sessions();

  99.                 }

  100.             }

  101. 

  102.             // Either a form asking for them to enter the password

  103.             // Or a success message if $PassWasReset is 1

  104.             require('recover_step2.php');

  105.         } else {

  106.             // Either his key has expired, or he hasn't requested a pass change at all

  107.             if (strtotime($Expires) < time() && $UserID) {

  108.                 // If his key has expired, clear all the reset information

  109.                 $DB->query("

  110.                 UPDATE users_info

  111.                 SET ResetKey = '',

  112.                   ResetExpires = NULL

  113.                   WHERE UserID = ?", $UserID);

  114.                 $_SESSION['reseterr'] = 'The link you were given has expired.'; // Error message to display on form

  115.             }

  116.             // Show him the first form (enter email address)

  117.             header('Location: login.php?act=recover');

  118.         }

  119.     } // End step 2

  120. 

  121.     // User has not clicked the link in his email, use step 1

  122.     else {

  123.         # Check for DBKEY before handling user inputs

  124.         if (!apcu_exists('DBKEY')) {

  125.             $Err = 'Database not fully decrypted. Please wait for staff to fix this and try again';

  126.         }

  127. 

  128.         if (!empty($_REQUEST['email'])) {

  129.             // User has entered email and submitted form

  130.             $Validate->SetFields('email', '1', 'email', 'You entered an invalid email address');

  131.             $Err = $Validate->ValidateForm($_REQUEST);

  132. 

  133.             if (!$Err) {

  134.                 // Form validates correctly

  135.                 $DB->query("

  136.                 SELECT

  137.                   `Email`

  138.                 FROM

  139.                   `users_main`

  140.                 ");

  141. 

  142.                 /**

  143.                  * Note that if any user has a blank email field,

  144.                  * the comparison will fail and the script will 500!

  145.                  */

  146.                 while (list($EncEmail) = $DB->next_record()) {

  147.                     if (trim(

  148.                         strtolower($_REQUEST['email'])

  149.                     ) === strtolower(Crypto::decrypt($EncEmail))) {

  150.                         break; // $EncEmail is now the encrypted form of the given email from the database

  151.                     }

  152.                 }

  153. 

  154.                 $DB->query("

  155.                 SELECT

  156.                   `ID`,

  157.                   `Username`,

  158.                   `Email`

  159.                 FROM

  160.                   `users_main`

  161.                 WHERE

  162.                   `Email` = '$EncEmail'

  163.                 ");

  164. 

  165.                 list($UserID, $Username, $Email) = $DB->next_record();

  166.                 $Email = Crypto::decrypt($Email);

  167. 

  168.                 if ($UserID) {

  169.                     // Email exists in the database

  170.                     // Set ResetKey, send out email, and set $Sent to 1 to show success page

  171.                     Users::reset_password($UserID, $Username, $Email);

  172.                     $Sent = 1; // If $Sent is 1, recover_step1.php displays a success message

  173. 

  174.                     //Log out all of the users current sessions

  175.                     $Cache->delete_value("user_info_$UserID");

  176.                     $Cache->delete_value("user_info_heavy_$UserID");

  177.                     $Cache->delete_value("user_stats_$UserID");

  178.                     $Cache->delete_value("enabled_$UserID");

  179. 

  180.                     $DB->query("

  181.                     SELECT

  182.                       `SessionID`

  183.                     FROM

  184.                       `users_sessions`

  185.                     WHERE

  186.                       `UserID` = '$UserID'

  187.                     ");

  188. 

  189.                     while (list($SessionID) = $DB->next_record()) {

  190.                         $Cache->delete_value("session_$UserID"."_$SessionID");

  191.                     }

  192. 

  193.                     $DB->query("

  194.                     UPDATE

  195.                       `users_sessions`

  196.                     SET

  197.                       `Active` = 0

  198.                     WHERE

  199.                       `UserID` = '$UserID'

  200.                       AND `Active` = 1

  201.                     ");

  202.                 } else {

  203.                     $Err = 'There is no user with that email address.';

  204.                 }

  205.             }

  206.         } elseif (!empty($_SESSION['reseterr'])) {

  207.             // User has not entered email address, and there is an error set in session data

  208.             // This is typically because their key has expired.

  209.             // Stick the error into $Err so recover_step1.php can take care of it

  210.             $Err = $_SESSION['reseterr'];

  211.             unset($_SESSION['reseterr']);

  212.         }

  213. 

  214.         // Either a form for the user's email address, or a success message

  215.         require('recover_step1.php');

  216.     }

  217. } // End password recovery

  218. 

  219. elseif (isset($_REQUEST['act']) && $_REQUEST['act'] === 'newlocation') {

  220.     if (isset($_REQUEST['key'])) {

  221.         if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {

  222.             $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);

  223.             require('newlocation.php');

  224.             error();

  225.         } else {

  226.             error(403);

  227.         }

  228.     } else {

  229.         error(403);

  230.     }

  231. } // End new location

  232. 

  233. // Normal login

  234. else {

  235.     $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username', array('regex' => USERNAME_REGEX));

  236.     $Validate->SetFields('password', '1', 'string', 'You entered an invalid password', array('minlength' => '15', 'maxlength' => '307200'));

  237. 

  238.     list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));

  239. 

  240.     // Function to log a user's login attempt

  241.     function log_attempt()

  242.     {

  243.         global $Cache, $Attempts;

  244.         $Attempts = ($Attempts ?? 0) + 1;

  245.         $Cache->cache_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']), array($Attempts, ($Attempts > 5)), 60*60*$Attempts);

  246.         $AllAttempts = $Cache->get_value('login_attempts');

  247.         $AllAttempts[$_SERVER['REMOTE_ADDR']] = time()+(60*60*$Attempts);

  248.         foreach ($AllAttempts as $IP => $Time) {

  249.             if ($Time < time()) {

  250.                 unset($AllAttempts[$IP]);

  251.             }

  252.         }

  253.         $Cache->cache_value('login_attempts', $AllAttempts, 0);

  254.     }

  255. 

  256.     // If user has submitted form

  257.     if (isset($_POST['username']) && !empty($_POST['username']) && isset($_POST['password']) && !empty($_POST['password'])) {

  258.         if ($Banned) {

  259.             header("Location: login.php");

  260.             error();

  261.         }

  262.         $Err = $Validate->ValidateForm($_POST);

  263. 

  264.         if (!$Err) {

  265.             // Passes preliminary validation (username and password "look right")

  266.             $DB->query("

  267.             SELECT

  268.               ID,

  269.               PermissionID,

  270.               CustomPermissions,

  271.               PassHash,

  272.               TwoFactor,

  273.               Enabled

  274.             FROM users_main

  275.               WHERE Username = ?

  276.               AND Username != ''", $_POST['username']);

  277.             list($UserID, $PermissionID, $CustomPermissions, $PassHash, $TwoFactor, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));

  278.             if (!$Banned) {

  279.                 if ($UserID && Users::check_password($_POST['password'], $PassHash)) {

  280.                     // Update hash if better algorithm available

  281.                     if (password_needs_rehash($PassHash, PASSWORD_DEFAULT)) {

  282.                         $DB->query("

  283.                         UPDATE users_main

  284.                         SET PassHash = ?

  285.                           WHERE Username = ?", make_sec_hash($_POST['password']), $_POST['username']);

  286.                     }

  287. 

  288.                     if (empty($TwoFactor) || $TwoFA->verifyCode($TwoFactor, $_POST['twofa'])) {

  289.                         # todo: Make sure the type is (int)

  290.                         if ($Enabled === '1') {

  291. 

  292.                             // Check if the current login attempt is from a location previously logged in from

  293.                             if (apcu_exists('DBKEY')) {

  294.                                 $DB->query("

  295.                                 SELECT

  296.                                   `IP`

  297.                                 FROM

  298.                                   `users_history_ips`

  299.                                 WHERE

  300.                                   `UserID` = '$UserID'

  301.                                 ");

  302. 

  303.                                 $IPs = $DB->to_array(false, MYSQLI_NUM);

  304.                                 $QueryParts = [];

  305. 

  306.                                 foreach ($IPs as $i => $IP) {

  307.                                     $IPs[$i] = Crypto::decrypt($IP[0]);

  308.                                 }

  309. 

  310.                                 $IPs = array_unique($IPs);

  311.                                 if (count($IPs) > 0) { // Always allow first login

  312.                                     foreach ($IPs as $IP) {

  313.                                         $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";

  314.                                     }

  315. 

  316.                                     $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));

  317.                                     $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);

  318.                                     $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");

  319.                                     list($CurrentASN) = $DB->next_record();

  320. 

  321.                                     // If FEATURE_ENFORCE_LOCATIONS is enabled, require users to confirm new logins

  322.                                     if (!in_array($CurrentASN, $PastASNs) && $ENV->FEATURE_ENFORCE_LOCATIONS) {

  323.                                         // Never logged in from this location before

  324.                                         if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {

  325.                                             $DB->query("

  326.                                             SELECT

  327.                                               `UserName`,

  328.                                               `Email`

  329.                                             FROM

  330.                                               `users_main`

  331.                                             WHERE

  332.                                               `ID` = '$UserID'

  333.                                             ");

  334.                                             

  335.                                             list($Username, $Email) = $DB->next_record();

  336.                                             Users::auth_location($UserID, $Username, $CurrentASN, Crypto::decrypt($Email));

  337.                                             require('newlocation.php');

  338.                                             error();

  339.                                         }

  340.                                     }

  341.                                 }

  342.                             }

  343. 

  344.                             $U2FRegs = [];

  345.                             $DB->query("

  346.                             SELECT KeyHandle, PublicKey, Certificate, Counter, Valid

  347.                             FROM u2f

  348.                               WHERE UserID = ?", $UserID);

  349.                             // Needs to be an array of objects, so we can't use to_array()

  350.                             while (list($KeyHandle, $PublicKey, $Certificate, $Counter, $Valid) = $DB->next_record()) {

  351.                                 $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter, 'valid'=>$Valid];

  352.                             }

  353. 

  354.                             if (sizeof($U2FRegs) > 0) {

  355.                                 // U2F is enabled for this account

  356.                                 if (isset($_POST['u2f-request']) && isset($_POST['u2f-response'])) {

  357.                                     // Data from the U2F login page is present. Verify it.

  358.                                     try {

  359.                                         $U2FReg = $U2F->doAuthenticate(json_decode($_POST['u2f-request']), $U2FRegs, json_decode($_POST['u2f-response']));

  360.                                         if ($U2FReg->valid != '1') {

  361.                                             error('Token disabled.');

  362.                                         }

  363.                                         $DB->query(

  364.                                             "UPDATE u2f

  365.                                 SET Counter = ?

  366.                                 WHERE KeyHandle = ?

  367.                                 AND UserID = ?",

  368.                                             $U2FReg->counter,

  369.                                             $U2FReg->keyHandle,

  370.                                             $UserID

  371.                                         );

  372.                                     } catch (Exception $e) {

  373.                                         $U2FErr = 'U2F key invalid. Error: '.($e->getMessage());

  374.                                         if ($e->getMessage() == 'Token disabled.') {

  375.                                             $U2FErr = 'This token was disabled due to suspected cloning. Contact staff for assistance';

  376.                                         }

  377.                                         if ($e->getMessage() == 'Counter too low.') {

  378.                                             $BadHandle = json_decode($_POST['u2f-response'], true)['keyHandle'];

  379.                                             $DB->query("UPDATE u2f

  380.                                   SET Valid = '0'

  381.                                   WHERE KeyHandle = ?

  382.                                   AND UserID = ?", $BadHandle, $UserID);

  383.                                             $U2FErr = 'U2F counter too low. This token has been disabled due to suspected cloning. Contact staff for assistance';

  384.                                         }

  385.                                     }

  386.                                 } else {

  387.                                     // Data from the U2F login page is not present. Go there

  388.                                     require('u2f.php');

  389.                                     error();

  390.                                 }

  391.                             }

  392. 

  393.                             if (sizeof($U2FRegs) == 0 || !isset($U2FErr)) {

  394.                                 $SessionID = Users::make_secret(64);

  395.                                 setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);

  396.                                 setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);

  397. 

  398.                                 // Because we <3 our staff

  399.                                 $Permissions = Permissions::get_permissions($PermissionID);

  400.                                 $CustomPermissions = unserialize($CustomPermissions);

  401.                                 if (isset($Permissions['Permissions']['site_disable_ip_history'])

  402.                                  || isset($CustomPermissions['site_disable_ip_history'])

  403.                 ) {

  404.                                     $_SERVER['REMOTE_ADDR'] = '127.0.0.1';

  405.                                 }

  406. 

  407.                                 $DB->query("

  408.                                 INSERT INTO users_sessions

  409.                                   (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)

  410.                                 VALUES

  411.                                   ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', NOW(), '".db_string($_SERVER['HTTP_USER_AGENT'])."')");

  412. 

  413.                                 $Cache->begin_transaction("users_sessions_$UserID");

  414.                                 $Cache->insert_front($SessionID, [

  415.                                   'SessionID' => $SessionID,

  416.                                   'Browser' => $Browser,

  417.                                   'OperatingSystem' => $OperatingSystem,

  418.                                   'IP' => (apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),

  419.                                   'LastUpdate' => sqltime()

  420.                                 ]);

  421.                                 $Cache->commit_transaction(0);

  422. 

  423.                                 $Sql = "

  424.                                 UPDATE users_main

  425.                                 SET

  426.                                   LastLogin = NOW(),

  427.                                   LastAccess = NOW()

  428.                                   WHERE ID = '".db_string($UserID)."'";

  429. 

  430.                                 $DB->query($Sql);

  431. 

  432.                                 if (!empty($_COOKIE['redirect'])) {

  433.                                     $URL = $_COOKIE['redirect'];

  434.                                     setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);

  435.                                     header("Location: $URL");

  436.                                     error();

  437.                                 } else {

  438.                                     header('Location: index.php');

  439.                                     error();

  440.                                 }

  441.                             } else {

  442.                                 log_attempt();

  443.                                 $Err = $U2FErr;

  444.                                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  445.                             }

  446.                         } else {

  447.                             log_attempt();

  448.                             if ($Enabled == 2) {

  449. 

  450.                                 // Save the username in a cookie for the disabled page

  451.                                 setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);

  452.                                 header('Location: login.php?action=disabled');

  453.                             # todo: Make sure the type is (int)

  454.                             } elseif ($Enabled === '0') {

  455.                                 $Err = 'Your account has not been confirmed. Please check your email, including the spam folder';

  456.                             }

  457.                             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  458.                         }

  459.                     } else {

  460.                         log_attempt();

  461.                         $Err = 'Two-factor authentication failed';

  462.                         setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  463.                     }

  464.                 } else {

  465.                     log_attempt();

  466.                     $Err = 'Your username or password was incorrect';

  467.                     setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  468.                 }

  469.             } else {

  470.                 log_attempt();

  471.                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  472.             }

  473.         } else {

  474.             log_attempt();

  475.             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);

  476.         }

  477.     }

  478.     require('sections/login/login.php');

  479. }