diff options
| author | ilotterytea <iltsu@alright.party> | 2025-12-08 21:53:36 +0500 |
|---|---|---|
| committer | ilotterytea <iltsu@alright.party> | 2025-12-08 21:53:36 +0500 |
| commit | 57472eab3c7b035392c6a5aa240593ecaa7d1ccf (patch) | |
| tree | 9da30829290f225be2dab3d383549cbfda82ed19 /account | |
| parent | 6541d0f3888862ab049055fd418b700f73eed367 (diff) | |
upd: moved all /public/ files to the root folder
Diffstat (limited to 'account')
| -rw-r--r-- | account/change_emoteset.php | 36 | ||||
| -rw-r--r-- | account/delete.php | 50 | ||||
| -rw-r--r-- | account/index.php | 306 | ||||
| -rw-r--r-- | account/login/index.php | 99 | ||||
| -rw-r--r-- | account/login/twitch.php | 175 | ||||
| -rw-r--r-- | account/register.php | 111 | ||||
| -rw-r--r-- | account/security.php | 52 | ||||
| -rw-r--r-- | account/signout.php | 16 |
8 files changed, 845 insertions, 0 deletions
diff --git a/account/change_emoteset.php b/account/change_emoteset.php new file mode 100644 index 0000000..c2fc209 --- /dev/null +++ b/account/change_emoteset.php @@ -0,0 +1,36 @@ +<?php +include_once "../../src/config.php"; +include_once "../../src/alert.php"; +include_once "../../src/accounts.php"; + +if (!authorize_user(true)) { + generate_alert("/404.php", "Unauthorized", 401); + exit; +} + +if ($_SERVER["REQUEST_METHOD"] != "POST") { + generate_alert("/404.php", "Method not allowed", 405); + exit; +} + +if (!isset($_POST["id"])) { + generate_alert("/404.php", "Emote set ID is not provided"); + exit; +} + +$emote_set_id = $_POST["id"]; +$user_id = $_SESSION["user_id"]; + +$db = new PDO(DB_URL, DB_USER, DB_PASS); + +$stmt = $db->prepare("SELECT id FROM acquired_emote_sets WHERE emote_set_id = ? AND user_id = ?"); +$stmt->execute([$emote_set_id, $user_id]); + +if ($stmt->rowCount() == 0) { + generate_alert("/404.php", "You don't own emote set ID $emote_set_id", 403); + exit; +} + +$_SESSION["user_active_emote_set_id"] = $emote_set_id; + +header("Location: " . $_POST["redirect"] ?? "/");
\ No newline at end of file diff --git a/account/delete.php b/account/delete.php new file mode 100644 index 0000000..ec8c040 --- /dev/null +++ b/account/delete.php @@ -0,0 +1,50 @@ +<?php +include "../../src/utils.php"; +include_once "../../src/config.php"; + +session_start(); + +if (!isset($_SESSION["user_id"])) { + header("Location: /account"); + exit; +} + +$db = new PDO(DB_URL, DB_USER, DB_PASS); + +$id = $_SESSION["user_id"]; + +$profile = ($_GET["profile"] ?? "false") == "true"; +$pfp = ($_GET["pfp"] ?? "false") == "true"; +$banner = ($_GET["banner"] ?? "false") == "true"; +$badge = ($_GET["badge"] ?? "false") == "true"; + +if ($pfp || $profile) { + $path = "../static/userdata/avatars/$id"; + if (is_dir($path)) { + array_map("unlink", glob("$path/*.*")); + rmdir($path); + } +} + +if ($banner || $profile) { + $path = "../static/userdata/banners/$id"; + if (is_dir($path)) { + array_map("unlink", glob("$path/*.*")); + rmdir($path); + } +} + +if ($badge || $profile) { + $db->prepare("DELETE FROM user_badges WHERE user_id = ?")->execute([$id]); +} + +if ($profile) { + $db->prepare("DELETE FROM users WHERE id = ?")->execute([$id]); + + session_unset(); + session_destroy(); + + setcookie("secret_key", "", time() - 1000); +} + +header("Location: /account");
\ No newline at end of file diff --git a/account/index.php b/account/index.php new file mode 100644 index 0000000..2b9e790 --- /dev/null +++ b/account/index.php @@ -0,0 +1,306 @@ +<?php +include_once "../../src/alert.php"; +include "../../src/accounts.php"; +include "../../src/partials.php"; +include_once "../../src/config.php"; +include_once "../../src/utils.php"; +include_once "../../src/images.php"; + +authorize_user(); + +if (!isset($_SESSION["user_id"], $_SESSION["user_name"])) { + header("Location: /account/login"); + exit; +} + +$db = new PDO(DB_URL, DB_USER, DB_PASS); + +if ($_SERVER['REQUEST_METHOD'] == "POST") { + $username = str_safe($_POST["username"] ?? "", ACCOUNT_USERNAME_LENGTH[1]); + + if (!empty($username) && $username != $_SESSION["user_name"]) { + if (!preg_match(ACCOUNT_USERNAME_REGEX, $username)) { + generate_alert("/account", "Bad username"); + exit; + } + + $stmt = $db->prepare("SELECT id FROM users WHERE username = ?"); + $stmt->execute([$username]); + + if ($stmt->rowCount() == 0) { + $stmt = $db->prepare("UPDATE users SET username = ? WHERE id = ?"); + $stmt->execute([$username, $_SESSION["user_id"]]); + } else { + generate_alert("/account", "The username has already taken"); + exit; + } + } + + if (isset($_FILES["pfp"]) && !empty($_FILES["pfp"]["tmp_name"])) { + $pfp = $_FILES["pfp"]; + + if ( + $err = create_image_bundle( + $pfp["tmp_name"], + $_SERVER["DOCUMENT_ROOT"] . "/static/userdata/avatars/" . $_SESSION["user_id"], + ACCOUNT_PFP_MAX_SIZE[0], + ACCOUNT_PFP_MAX_SIZE[1], + true, + true + ) + ) { + generate_alert("/account", sprintf("Error occurred while processing the profile picture (%d)", $err)); + exit; + } + } + + if (isset($_FILES["banner"]) && !empty($_FILES["banner"]["tmp_name"])) { + $banner = $_FILES["banner"]; + + if ( + $err = create_image_bundle( + $banner["tmp_name"], + $_SERVER["DOCUMENT_ROOT"] . "/static/userdata/banners/" . $_SESSION["user_id"], + ACCOUNT_BANNER_MAX_SIZE[0], + ACCOUNT_BANNER_MAX_SIZE[1], + true, + true + ) + ) { + generate_alert("/account", sprintf("Error occurred while processing the profile banner (%d)", $err)); + exit; + } + } + + if (isset($_FILES["badge"]) && !empty($_FILES["badge"]["tmp_name"])) { + $badge = $_FILES["badge"]; + $badge_id = bin2hex(random_bytes(16)); + if ( + $err = create_image_bundle( + $badge["tmp_name"], + $_SERVER["DOCUMENT_ROOT"] . "/static/userdata/badges/" . $badge_id, + ACCOUNT_BADGE_MAX_SIZE[0], + ACCOUNT_BADGE_MAX_SIZE[1], + true, + true + ) + ) { + generate_alert("/account", sprintf("Error occurred while processing the personal badge (%d)", $err)); + exit; + } + + $db->prepare("DELETE FROM user_badges WHERE badge_id != ? AND user_id = ?")->execute([$badge_id, $_SESSION["user_id"]]); + $db->prepare("INSERT INTO badges(id, uploaded_by) VALUES (?, ?)")->execute([$badge_id, $_SESSION["user_id"]]); + $db->prepare("INSERT INTO user_badges(badge_id, user_id) VALUES (?, ?)")->execute([$badge_id, $_SESSION["user_id"]]); + } + + $db = null; + generate_alert("/account", "Your changes have been applied!", 200); + exit; +} + +?> + +<html> + +<head> + <title>Account management - <?php echo INSTANCE_NAME ?></title> + <link rel="stylesheet" href="/static/style.css"> + <link rel="shortcut icon" href="/static/favicon.ico" type="image/x-icon"> +</head> + +<body> + <div class="container"> + <div class="wrapper"> + <?php html_navigation_bar() ?> + + <section class="content"> + <?php display_alert() ?> + <section class="box accman"> + <h1>Account management</h1> + + <form action="/account/" method="POST" enctype="multipart/form-data"> + <h2>Profile</h2> + <h3>Profile picture</h3> + <?php + $has_pfp = is_dir("../static/userdata/avatars/" . $_SESSION["user_id"]); + if ($has_pfp) { + echo '<img src="/static/userdata/avatars/' . $_SESSION["user_id"] . '/2x.webp" id="pfp" width="64" height="64">'; + } else { + echo "<p>You don't have profile picture</p>"; + } + ?> + <div> + <input type="file" name="pfp"> + <?php if ($has_pfp): ?> + <a href="/account/delete.php?pfp=true"> + <img src="/static/img/icons/bin.png" alt="Remove profile picture" + title="Remove profile picture"> + </a> + <?php endif; ?> + </div> + + <h3>Profile banner</h3> + <?php + $has_banner = is_dir("../static/userdata/banners/" . $_SESSION["user_id"]); + if ($has_banner) { + echo '<img src="/static/userdata/banners/' . $_SESSION["user_id"] . '/2x.webp" id="banner" width="256">'; + } else { + echo "<p>You don't have profile banner</p>"; + } + ?> + <div> + <input type="file" name="banner"> + <?php if ($has_banner): ?> + <a href="/account/delete.php?banner=true"> + <img src="/static/img/icons/bin.png" alt="Remove banner" title="Remove banner"> + </a> + <?php endif; ?> + </div> + + <h3>Personal badge</h3> + <?php + $stmt = $db->prepare("SELECT badge_id FROM user_badges WHERE user_id = ?"); + $stmt->execute([$_SESSION["user_id"]]); + + $has_badge = false; + + if ($row = $stmt->fetch()) { + echo '<div class="box row items-center justify-between">'; + echo '<img src="/static/userdata/badges/' . $row["badge_id"] . '/1x.webp" id="badge">'; + echo '<img src="/static/userdata/badges/' . $row["badge_id"] . '/2x.webp" id="badge">'; + echo '<img src="/static/userdata/badges/' . $row["badge_id"] . '/3x.webp" id="badge">'; + echo '</div>'; + $has_badge = true; + } else { + echo "<p>You don't have personal badge</p>"; + } + ?> + <div> + <input type="file" name="badge"> + <?php if ($has_badge): ?> + <a href="/account/delete.php?badge=true"> + <img src="/static/img/icons/bin.png" alt="Remove badge" title="Remove badge"> + </a> + <?php endif; ?> + </div> + + <h3>Username</h3> + <input type="text" name="username" id="username" value="<?php echo $_SESSION["user_name"] ?>"> + + <button type="submit">Save</button> + </form> + + <hr> + + <div> + <h2>Connections</h2> + <div> + <?php + $stmt = $db->prepare("SELECT * FROM connections WHERE user_id = ?"); + $stmt->execute([$_SESSION["user_id"]]); + $connections = $stmt->fetchAll(); + $platforms = ["twitch"]; + + foreach ($platforms as $platform) { + $connection = null; + $key = array_search($platform, array_column($connections, "platform")); + + if (!is_bool($key)) { + $connection = $connections[$key]; + } + + echo "<div class='box $platform row small-gap items-center'>"; + echo "<div><img src='/static/img/icons/connections/$platform.webp' alt='' width='52' height='52' /></div>"; + + echo "<div class='column grow'>"; + echo "<b>" . ucfirst($platform) . "</b>"; + + // TODO: check if connection is still alive + if ($connection == null) { + echo "<i>Not connected</i>"; + } else { + echo "<i>" . $connection["alias_id"] . "</i>"; + } + + echo "</div>"; + + echo "<div class='column'>"; + + if ($connection == null) { + echo "<a href='/account/login/$platform.php'>"; + echo '<img src="/static/img/icons/disconnect.png" alt="Connect" title="Connect" />'; + echo "</a>"; + } else { + echo "<a href='/account/login/$platform.php?disconnect'>"; + echo '<img src="/static/img/icons/connect.png" alt="Disconnect" title="Disconnect" />'; + echo "</a>"; + } + + echo "</div></div>"; + } + ?> + </div> + </div> + + <hr> + + <form action="/account/security.php" method="post"> + <h2>Security & Privacy</h2> + <div> + <?php + $stmt = $db->prepare("SELECT CASE WHEN password IS NOT NULL THEN 1 ELSE 0 END as set_password FROM users WHERE id = ?"); + $stmt->execute([$_SESSION["user_id"]]); + $set_password = $stmt->fetch()[0]; + if ($set_password): ?> + <label for="password-current">Current password:</label> + <input type="password" name="password-current" id="form-password-current" required> + <?php endif; ?> + <label for="password-new">New password:</label> + <input type="password" name="password-new" id="form-password-new"> + </div> + <div> + <input type="checkbox" name="make-private" value="1" id="form-make-private" <?php + $stmt = $db->prepare("SELECT private_profile FROM user_preferences WHERE id = ?"); + $stmt->execute([$_SESSION["user_id"]]); + if (intval($stmt->fetch()[0]) == 1) { + echo 'checked'; + } + ?>> + <label for="make-private" class="inline">Make profile private</label> + <p class="font-small">Enabling this feature will hide your authorship of uploaded emotes and + actions.</p> + + </div> + <div> + <input type="checkbox" name="signout-everywhere" value="1" id="form-signout-everywhere"> + <label for="signout-everywhere" class="inline">Sign out everywhere</label> + </div> + + <button type="submit">Apply</button> + </form> + + <a href="/account/delete.php?profile=true" class="red button" style="text-align: center;">Delete + me</a> + </section> + </section> + </div> + </div> +</body> + +<script> + const username = document.getElementById("username"); + let validUsername = ""; + + username.addEventListener("input", (e) => { + const regex = <?php echo ACCOUNT_USERNAME_REGEX ?>; + + if (regex.test(e.target.value) && e.target.value.length <= <?php echo ACCOUNT_USERNAME_LENGTH[1] ?>) { + validUsername = e.target.value; + } else { + e.target.value = validUsername; + } + }); +</script> + +</html>
\ No newline at end of file diff --git a/account/login/index.php b/account/login/index.php new file mode 100644 index 0000000..ace116d --- /dev/null +++ b/account/login/index.php @@ -0,0 +1,99 @@ +<?php +include "../../../src/accounts.php"; + +if (authorize_user()) { + header("Location: /account"); + exit; +} + +include "../../../src/partials.php"; +include_once "../../../src/config.php"; +include_once "../../../src/alert.php"; +include_once "../../../src/utils.php"; + +if ($_SERVER["REQUEST_METHOD"] == "POST") { + if (!isset($_POST["username"], $_POST["password"])) { + generate_alert("/account/login", "Not enough POST fields"); + exit; + } + + $username = $_POST["username"]; + $password = $_POST["password"]; + $remember = intval($_POST["remember"] ?? "0") != 0; + + $db = new PDO(DB_URL, DB_USER, DB_PASS); + $stmt = $db->prepare("SELECT secret_key, password FROM users WHERE username = ? AND password IS NOT NULL"); + $stmt->execute([$username]); + + if ($row = $stmt->fetch()) { + if (password_verify($password, $row["password"])) { + setcookie("secret_key", $row["secret_key"], $remember ? (time() + ACCOUNT_COOKIE_MAX_LIFETIME) : 0, "/"); + header("Location: /account"); + exit; + } else { + generate_alert("/account/login", "Passwords do not match!", 403); + exit; + } + } else { + generate_alert("/account/login", "User not found or is not accessable", 404); + exit; + } +} +?> + +<html> + +<head> + <title>Login - <?php echo INSTANCE_NAME ?></title> + <link rel="stylesheet" href="/static/style.css"> + <link rel="shortcut icon" href="/static/favicon.ico" type="image/x-icon"> +</head> + +<body> + <div class="container"> + <div class="wrapper"> + <?php html_navigation_bar(); ?> + <section class="content" style="width: 400px;"> + <?php display_alert() ?> + <section class="box"> + <div class="box navtab"> + <p>Log in to <?php echo INSTANCE_NAME ?></p> + </div> + <div class="box content"> + <form action="/account/login/" method="post"> + <div> + <label for="username">Username</label> + <input type="text" name="username" id="form-username" required> + </div> + <div> + <label for="password">Password</label> + <input type="password" name="password" id="form-password" required> + </div> + <div> + <input type="checkbox" name="remember" value="1" id="form-remember"> + <label for="remember" class="inline">Remember me</label> + </div> + <div> + <button type="submit">Log in</button> + <?php if (ACCOUNT_REGISTRATION_ENABLE): ?> + <a href="/account/register.php">Register</a> + <?php endif; ?> + </div> + </form> + </div> + </section> + + <?php if (TWITCH_REGISTRATION_ENABLE): ?> + <section class="box column"> + <a href="/account/login/twitch.php" class="button purple big">Login with Twitch</a> + <p style="font-size: 12px;">Logging in via Twitch gives you the ability to use + <?php echo INSTANCE_NAME ?> emotes in your Twitch chat. + </p> + </section> + <?php endif; ?> + </section> + </div> + </div> +</body> + +</html>
\ No newline at end of file diff --git a/account/login/twitch.php b/account/login/twitch.php new file mode 100644 index 0000000..38fd6cc --- /dev/null +++ b/account/login/twitch.php @@ -0,0 +1,175 @@ +<?php +include_once "../../../src/config.php"; +include_once "../../../src/utils.php"; +include_once "../../../src/alert.php"; + +if (!TWITCH_REGISTRATION_ENABLE) { + generate_alert("/404.php", "Registration via Twitch is disabled", 405); + exit; +} + +session_start(); + +$db = new PDO(DB_URL, DB_USER, DB_PASS); + +if (isset($_GET["disconnect"], $_SESSION["user_id"])) { + $stmt = $db->prepare("SELECT c.id, + CASE WHEN ( + SELECT u.password FROM users u WHERE u.id = c.user_id + ) IS NOT NULL + THEN 1 ELSE 0 + END AS set_password + FROM connections c + WHERE c.user_id = ? + "); + $stmt->execute([$_SESSION["user_id"]]); + + if ($row = $stmt->fetch()) { + if ($row["set_password"]) { + $db->prepare("DELETE FROM connections WHERE user_id = ? AND platform = 'twitch'")->execute([$_SESSION["user_id"]]); + generate_alert("/account", "Successfully disconnected from Twitch!", 200); + } else { + generate_alert("/account", "You must set a password before deleting any connections", 403); + } + } else { + generate_alert("/account", "No Twitch connection found", 404); + } + exit; +} + +$client_id = TWITCH_CLIENT_ID; +$client_secret = TWITCH_SECRET_KEY; +$redirect_uri = TWITCH_REDIRECT_URI; + +if (isset($_GET["error"])) { + header("Location: /account/login"); + exit; +} + +if (!isset($_GET["code"])) { + header("Location: https://id.twitch.tv/oauth2/authorize?client_id=$client_id&redirect_uri=$redirect_uri&response_type=code"); + exit; +} + +$code = $_GET["code"]; + +// obtaining twitch token +$request = curl_init(); +curl_setopt($request, CURLOPT_URL, "https://id.twitch.tv/oauth2/token"); +curl_setopt($request, CURLOPT_POST, 1); +curl_setopt( + $request, + CURLOPT_POSTFIELDS, + "client_id=$client_id&client_secret=$client_secret&code=$code&grant_type=authorization_code&redirect_uri=$redirect_uri" +); +curl_setopt($request, CURLOPT_RETURNTRANSFER, true); + +$response = curl_exec($request); +curl_close($request); + +$response = json_decode($response, true); + +if (array_key_exists("status", $response)) { + header("Location: /account/login"); + exit; +} + +// identifying user +$request = curl_init(); +curl_setopt($request, CURLOPT_URL, "https://api.twitch.tv/helix/users"); +curl_setopt($request, CURLOPT_HTTPHEADER, [ + "Authorization: Bearer " . $response["access_token"], + "Client-Id: $client_id" +]); +curl_setopt($request, CURLOPT_RETURNTRANSFER, true); + +$twitch_user = curl_exec($request); +curl_close($request); + +$twitch_user = json_decode($twitch_user, true); + +if (empty($twitch_user["data"])) { + generate_alert("/account", "Failed to identify Twitch user", 500); + exit; +} + +$twitch_user = $twitch_user["data"][0]; + +// saving it +$twitch_access_token = $response["access_token"]; +$twitch_refresh_token = $response["refresh_token"]; +$twitch_expires_on = time() + intval($response["expires_in"]); + +// creating user if not exists +$stmt = $db->prepare("SELECT * FROM users u + INNER JOIN connections c ON c.alias_id = ? + WHERE c.user_id = u.id AND c.platform = 'twitch' +"); +$stmt->execute([$twitch_user["id"]]); + +$user_id = ""; +$user_secret_key = ""; +$user_name = ""; + +if ($row = $stmt->fetch()) { + if (isset($_SESSION["user_id"]) && $_SESSION["user_id"] != $row["id"]) { + generate_alert("/account", "There is another " . INSTANCE_NAME . " account associated with that Twitch account", 409); + exit; + } + + $user_name = $row["username"]; + $user_secret_key = $row["secret_key"]; + $user_id = $row["id"]; +} else { + $user_secret_key = generate_random_string(32); + $user_name = $twitch_user["login"]; + $user_id = bin2hex(random_bytes(16)); + + list($user_secret_key, $user_name, $user_id) = match (isset($_SESSION["user_id"])) { + true => [$_COOKIE["secret_key"], $_SESSION["user_name"], $_SESSION["user_id"]], + default => [generate_random_string(32), $twitch_user["login"], bin2hex(random_bytes(16))] + }; + + if (!isset($_SESSION["user_id"])) { + // checking for duplicates + $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ?"); + $stmt->execute([$user_name]); + $duplicates = intval($stmt->fetch()[0]); + if ($duplicates > 0) { + $i = 1; + while (true) { + $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ?"); + $stmt->execute(["$user_name$i"]); + + if ($stmt->fetch()[0] == 0) { + break; + } + + $i++; + } + $user_name .= $i; + } + + $stmt = $db->prepare("INSERT INTO users(id, username, secret_key) VALUES (?, ?, ?)"); + if (!$stmt->execute([$user_id, $user_name, $user_secret_key])) { + $db = null; + echo "Failed to create a user"; + exit; + } + } + + $stmt = $db->prepare("INSERT INTO connections(user_id, alias_id, platform, data) VALUES (?, ?, 'twitch', ?)"); + $stmt->execute([ + $user_id, + $twitch_user["id"], + sprintf("%s:%s:%s", $twitch_access_token, $twitch_refresh_token, $twitch_expires_on) + ]); +} + +$_SESSION["user_id"] = $user_id; +$_SESSION["user_name"] = $user_name; +setcookie("secret_key", $user_secret_key, time() + ACCOUNT_COOKIE_MAX_LIFETIME, "/"); + +$db = null; + +header("Location: /account");
\ No newline at end of file diff --git a/account/register.php b/account/register.php new file mode 100644 index 0000000..1da89a0 --- /dev/null +++ b/account/register.php @@ -0,0 +1,111 @@ +<?php +include "../../src/accounts.php"; +include_once "../../src/alert.php"; + +if (authorize_user()) { + header("Location: /account"); + exit; +} + +if (!ACCOUNT_REGISTRATION_ENABLE) { + generate_alert("/404.php", "Account registration is disabled", 403); + exit; +} + +include "../../src/partials.php"; +include_once "../../src/config.php"; +include_once "../../src/utils.php"; + +if ($_SERVER["REQUEST_METHOD"] == "POST") { + if (!isset($_POST["username"], $_POST["password"])) { + generate_alert("/account/register.php", "Not enough POST fields"); + exit; + } + + $username = $_POST["username"]; + $username_length = strlen($username); + if (ACCOUNT_USERNAME_LENGTH[0] > $username_length || $username_length > ACCOUNT_USERNAME_LENGTH[1]) { + generate_alert("/account/register.php", sprintf("Username must be between %d-%d characters long", ACCOUNT_USERNAME_LENGTH[0], ACCOUNT_USERNAME_LENGTH[1])); + exit; + } + + if (!preg_match(ACCOUNT_USERNAME_REGEX, $username)) { + generate_alert("/account/register.php", "Bad username"); + exit; + } + + $password = $_POST["password"]; + if (ACCOUNT_PASSWORD_MIN_LENGTH > strlen($password)) { + generate_alert("/account/register.php", "Password must be at least " . ACCOUNT_PASSWORD_MIN_LENGTH . " characters"); + exit; + } + + $db = new PDO(DB_URL, DB_USER, DB_PASS); + + $stmt = $db->prepare("SELECT id FROM users WHERE username = ?"); + $stmt->execute([$username]); + + if ($stmt->rowCount() != 0) { + generate_alert("/account/register.php", "The username has already been taken"); + exit; + } + + $secret_key = generate_random_string(ACCOUNT_SECRET_KEY_LENGTH); + $password = password_hash($password, PASSWORD_DEFAULT); + + $id = bin2hex(random_bytes(16)); + + $stmt = $db->prepare("INSERT INTO users(id, username, password, secret_key) VALUES (?, ?, ?, ?)"); + $stmt->execute([$id, $username, $password, $secret_key]); + + setcookie("secret_key", $secret_key, time() + ACCOUNT_COOKIE_MAX_LIFETIME, "/"); + header("Location: /account"); + exit; +} +?> + +<html> + +<head> + <title>Register an account - <?php echo INSTANCE_NAME ?></title> + <link rel="stylesheet" href="/static/style.css"> + <link rel="shortcut icon" href="/static/favicon.ico" type="image/x-icon"> +</head> + +<body> + <div class="container"> + <div class="wrapper"> + <?php html_navigation_bar(); ?> + + <section class="content" style="width: 400px;"> + <?php display_alert() ?> + <section class="box"> + <div class="box navtab"> + <p>Register an account in <?php echo INSTANCE_NAME ?></p> + </div> + <div class="box content"> + <form action="/account/register.php" method="post"> + <div> + <label for="username">Username</label> + <input type="text" name="username" id="form-username" required> + </div> + <div> + <label for="password">Password</label> + <input type="password" name="password" id="form-password" required> + </div> + <div> + <button type="submit">Register</button> + </div> + </form> + <p style="font-size: 12px;"> + Since <?php echo INSTANCE_NAME ?> doesn't require email and password reset via email is + not supported, please remember your passwords! + </p> + </div> + </section> + </section> + </div> + </div> +</body> + +</html>
\ No newline at end of file diff --git a/account/security.php b/account/security.php new file mode 100644 index 0000000..5545b60 --- /dev/null +++ b/account/security.php @@ -0,0 +1,52 @@ +<?php + +include_once "../../src/accounts.php"; +include_once "../../src/alert.php"; +include_once "../../src/config.php"; +include_once "../../src/utils.php"; + +if ($_SERVER["REQUEST_METHOD"] != "POST" || !authorize_user(true)) { + header("Location: /account"); + exit; +} + +$db = new PDO(DB_URL, DB_USER, DB_PASS); + +$stmt = $db->prepare("SELECT * FROM users WHERE id = ?"); +$stmt->execute([$_SESSION["user_id"]]); + +$user = $stmt->fetch(); +$current_password = $_POST["password-current"] ?? ""; + +if ($user["password"] != null && !password_verify($current_password, $user["password"])) { + generate_alert("/account", "Password is required to apply changes in 'Security' section"); + exit; +} + +if (!empty($_POST["password-new"])) { + $password = $_POST["password-new"]; + if (ACCOUNT_PASSWORD_MIN_LENGTH > strlen($password)) { + generate_alert("/account", "Your password must be at least " . ACCOUNT_PASSWORD_MIN_LENGTH . " characters"); + exit; + } + + $db->prepare("UPDATE users SET password = ? WHERE id = ?") + ->execute([password_hash($password, PASSWORD_DEFAULT), $user["id"]]); +} + +$private_profile = (int) (intval($_POST["make-private"] ?? "0") == 1); + +$db->prepare("UPDATE user_preferences SET private_profile = ? WHERE id = ?") + ->execute([$private_profile, $user["id"]]); + +if (intval($_POST["signout-everywhere"] ?? "0") == 1) { + $db->prepare("UPDATE users SET secret_key = ? WHERE id = ?") + ->execute([generate_random_string(ACCOUNT_SECRET_KEY_LENGTH), $_SESSION["user_id"]]); + + session_unset(); + session_destroy(); + + setcookie("secret_key", "", time() - 1000); +} + +generate_alert("/account", "Your changes have been applied!", 200);
\ No newline at end of file diff --git a/account/signout.php b/account/signout.php new file mode 100644 index 0000000..f971d4a --- /dev/null +++ b/account/signout.php @@ -0,0 +1,16 @@ +<?php +include_once $_SERVER["DOCUMENT_ROOT"] . '/../src/accounts.php'; +include_once $_SERVER["DOCUMENT_ROOT"] . '/../src/alert.php'; + +if (!isset($_GET["local"])) { + header("Location: /"); + exit; +} + +session_start(); + +setcookie("secret_key", "", time() - 1000, "/"); +session_unset(); +session_destroy(); + +generate_alert("/", "Signed out!", 200);
\ No newline at end of file |