Merge branch 'develop' into phoenix

Author: carlbennett

etc/config.sample.json

@@ -41,12 +41,18 @@
     }
   },
   "email": {
-    "recipient_from": "",
-    "recipient_reply_to": "",
-    "smtp_host": "smtp.example.com",
+    "recipient_from": [
+      "root@localhost",
+      "BNETDocs"
+    ],
+    "recipient_reply_to": [
+      "root@localhost",
+      "root"
+    ],
+    "smtp_host": "localhost",
     "smtp_password": "",
-    "smtp_port": 587,
-    "smtp_tls": true,
+    "smtp_port": 25,
+    "smtp_tls": false,
     "smtp_user": ""
   },
   "memcache": {

src/controllers/User/Activate.php

@@ -41,14 +41,16 @@ public function &run( Router &$router, View &$view, array &$args ) {
     }
 
     if ( $model->user ) {
-      $model->user->invalidateVerificationToken();
       $user_token = $model->user->getVerificationToken();
 
       if ( $user_token === $model->token ) {
+        $model->user->invalidateVerificationToken();
+
         if (!$model->user->setVerified()) {
           $model->error = 'INTERNAL_ERROR';
         } else {
           $model->error = false;
+
           Logger::logEvent(
             EventTypes::USER_VERIFIED,
             $model->user_id,

src/controllers/User/Register.php

@@ -172,7 +172,25 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) {
 
     }
 
-    if ($success) {
+    if (!$success) {
+      $model->error = 'INTERNAL_ERROR';
+    } else {
+      $model->error = false;
+
+      Logger::logEvent(
+        EventTypes::USER_CREATED,
+        $user_id,
+        getenv("REMOTE_ADDR"),
+        json_encode([
+          "error"           => $model->error,
+          "requirements"    => $req,
+          "email"           => $email,
+          "username"        => $username,
+          "display_name"    => null,
+          "options_bitmask" => 0,
+        ])
+      );
+
       $state = new StdClass();
 
       $mail = new PHPMailer( true ); // true enables exceptions
@@ -195,14 +213,20 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) {
         $mail->Port       = $mail_config->smtp_port;
 
         //Recipients
-        if (!empty($mail_config->recipient_from)) {
-          $mail->setFrom($mail_config->recipient_from, 'BNETDocs');
+        if (isset($mail_config->recipient_from[0])) {
+          $mail->setFrom(
+            $mail_config->recipient_from[0],
+            $mail_config->recipient_from[1]
+          );
         }
 
         $mail->addAddress($email, $username);
 
-        if (!empty($mail_config->recipient_reply_to)) {
-          $mail->addReplyTo($mail_config->recipient_reply_to);
+        if (isset($mail_config->recipient_reply_to[0])) {
+          $mail->addReplyTo(
+            $mail_config->recipient_reply_to[0],
+            $mail_config->recipient_reply_to[1]
+          );
         }
 
         // Content
@@ -239,25 +263,6 @@ protected function tryRegister(Router &$router, UserRegisterModel &$model) {
         $model->error = "EMAIL_FAILURE";
       }
     }
-
-    if (!$success) {
-      $model->error = "INTERNAL_ERROR";
-    } else {
-      $model->error = false;
-    }
-    Logger::logEvent(
-      EventTypes::USER_CREATED,
-      $user_id,
-      getenv("REMOTE_ADDR"),
-      json_encode([
-        "error"           => $model->error,
-        "requirements"    => $req,
-        "email"           => $email,
-        "username"        => $username,
-        "display_name"    => null,
-        "options_bitmask" => 0,
-      ])
-    );
   }
 
 }

src/controllers/User/ResetPassword.php

@@ -2,26 +2,239 @@
 
 namespace BNETDocs\Controllers\User;
 
-use \BNETDocs\Models\User\ResetPassword as UserResetPasswordModel;
 use \CarlBennett\MVC\Libraries\Common;
 use \CarlBennett\MVC\Libraries\Controller;
 use \CarlBennett\MVC\Libraries\Router;
+use \CarlBennett\MVC\Libraries\Template;
 use \CarlBennett\MVC\Libraries\View;
 
+use \BNETDocs\Libraries\CSRF;
+use \BNETDocs\Libraries\EventTypes;
+use \BNETDocs\Libraries\Exceptions\UserNotFoundException;
+use \BNETDocs\Libraries\Logger;
+use \BNETDocs\Libraries\User;
+
+use \BNETDocs\Models\User\ResetPassword as UserResetPasswordModel;
+
+use \PHPMailer\PHPMailer\Exception;
+use \PHPMailer\PHPMailer\PHPMailer;
+
+use \InvalidArgumentException;
+use \StdClass;
+
 class ResetPassword extends Controller {
+  const RET_FAILURE = 0;
+  const RET_SUCCESS = 1;
+  const RET_EMAIL   = 2;
 
-  public function &run(Router &$router, View &$view, array &$args) {
+  public function &run( Router &$router, View &$view, array &$args ) {
+
+    if ( $router->getRequestMethod() == 'GET' ) {
+      $data = $router->getRequestQueryArray();
+    } else {
+      $data = $router->getRequestBodyArray();
+    }
 
     $model = new UserResetPasswordModel();
 
-    $view->render($model);
+    $model->error = null;
+    $model->csrf_id = mt_rand();
+    $model->csrf_token = CSRF::generate( $model->csrf_id );
+    $model->pw1 = isset( $data[ 'pw1' ]) ? $data[ 'pw1' ] : null;
+    $model->pw2 = isset( $data[ 'pw2' ]) ? $data[ 'pw2' ] : null;
+    $model->token = isset( $data[ 't' ]) ? $data[ 't' ] : null;
+    $model->user = null;
+    $model->username = isset( $data[ 'username' ]) ? $data[ 'username' ] : null;
+
+    if ( $router->getRequestMethod() == 'POST' ) {
+      $ret = $this->doPasswordReset( $model, $data );
+      if ( $ret !== self::RET_EMAIL ) {
+        Logger::logEvent(
+          EventTypes::USER_PASSWORD_RESET,
+          ( $model->user ? $model->user->getId() : null ),
+          getenv( 'REMOTE_ADDR' ),
+          json_encode([
+            'error' => $model->error,
+            'user' => ( $model->user ? true : false ),
+            'username' => $model->username,
+          ])
+        );
+      }
+    }
+
+    $view->render( $model );
 
     $model->_responseCode = 200;
-    $model->_responseHeaders["Content-Type"] = $view->getMimeType();
+    $model->_responseHeaders[ 'Content-Type' ] = $view->getMimeType();
     $model->_responseTTL = 0;
 
     return $model;
 
   }
 
+  protected function doPasswordReset( UserResetPasswordModel &$model, &$data ) {
+    $model->error = 'INTERNAL_ERROR';
+
+    $csrf_id = isset( $data[ 'csrf_id' ]) ? $data[ 'csrf_id' ] : null;
+    $csrf_token = (
+      isset( $data[ 'csrf_token' ]) ? $data[ 'csrf_token' ] : null
+    );
+    $csrf_valid = CSRF::validate( $csrf_id, $csrf_token );
+
+    if ( !$csrf_valid ) {
+      $model->error = 'INVALID_CSRF';
+      return self::RET_FAILURE;
+    }
+    CSRF::invalidate( $csrf_id );
+
+    if ( empty( $model->username )) {
+      $model->error = 'EMPTY_USERNAME';
+      return self::RET_FAILURE;
+    }
+
+    try {
+      $model->user = new User( User::findIdByUsername( $model->username ));
+    } catch ( UserNotFoundException $e ) {
+      $model->user = null;
+    } catch ( InvalidArgumentException $e ) {
+      $model->user = null;
+    }
+
+    if ( !$model->user ) {
+      $model->error = 'USER_NOT_FOUND';
+      return self::RET_FAILURE;
+    }
+
+    if ( empty( $model->token )) {
+      $state = new StdClass();
+
+      $mail = new PHPMailer( true ); // true enables exceptions
+      $mail_config = Common::$config->email;
+
+      $state->mail &= $mail;
+      $state->token = $model->user->getVerificationToken();
+      $state->user = $model->user;
+
+      try {
+        //Server settings
+        $mail->Timeout = 10; // default is 300 per RFC2821 $ 4.5.3.2
+        $mail->SMTPDebug = 0;
+        $mail->isSMTP();
+        $mail->Host       = $mail_config->smtp_host;
+        $mail->SMTPAuth   = !empty($mail_config->smtp_user);
+        $mail->Username   = $mail_config->smtp_user;
+        $mail->Password   = $mail_config->smtp_password;
+        $mail->SMTPSecure = $mail_config->smtp_tls ? 'tls' : '';
+        $mail->Port       = $mail_config->smtp_port;
+
+        //Recipients
+        if (isset($mail_config->recipient_from[0])) {
+          $mail->setFrom(
+            $mail_config->recipient_from[0],
+            $mail_config->recipient_from[1]
+          );
+        }
+
+        $mail->addAddress($model->user->getEmail(), $model->user->getName());
+
+        if (isset($mail_config->recipient_reply_to[0])) {
+          $mail->addReplyTo(
+            $mail_config->recipient_reply_to[0],
+            $mail_config->recipient_reply_to[1]
+          );
+        }
+
+        // Content
+        $mail->isHTML(true);
+        $mail->Subject = 'Reset Password';
+        $mail->CharSet = PHPMailer::CHARSET_UTF8;
+
+        ob_start();
+        (new Template($state, 'Email/User/ResetPassword.rich'))->render();
+        $mail->Body = ob_get_clean();
+
+        ob_start();
+        (new Template($state, 'Email/User/ResetPassword.plain'))->render();
+        $mail->AltBody = ob_get_clean();
+
+        $mail->send();
+
+        $model->error = false;
+
+        Logger::logEvent(
+          EventTypes::EMAIL_SENT,
+          $model->user->getId(),
+          getenv( 'REMOTE_ADDR' ),
+          json_encode([
+            'from' => $mail->From,
+            'to' => $mail->getToAddresses(),
+            'reply_to' => $mail->getReplyToAddresses(),
+            'subject' => $mail->Subject,
+            'content_type' => $mail->ContentType,
+            'body' => $mail->Body,
+            'alt_body' => $mail->AltBody,
+          ])
+        );
+
+      } catch (\Exception $e) {
+        $model->error = 'EMAIL_FAILURE';
+      }
+
+      return self::RET_EMAIL;
+    }
+
+    if ( $model->token !== $model->user->getVerificationToken() ) {
+      $model->error = 'INVALID_TOKEN';
+      return self::RET_FAILURE;
+    }
+
+    if ( $model->pw1 !== $model->pw2 ) {
+      $model->error = 'PASSWORD_MISMATCH';
+      return self::RET_FAILURE;
+    }
+
+    $req = Common::$config->bnetdocs->user_register_requirements;
+    $pwlen = strlen( $model->pw1 );
+
+    if ( is_numeric( $req->password_length_max )
+      && $pwlen > $req->password_length_max ) {
+      $model->error = 'PASSWORD_TOO_LONG';
+      return self::RET_FAILURE;
+    }
+
+    if ( is_numeric( $req->password_length_min )
+      && $pwlen < $req->password_length_min ) {
+      $model->error = 'PASSWORD_TOO_SHORT';
+      return self::RET_FAILURE;
+    }
+
+    if ( !$req->password_allow_email
+      && stripos( $model->pw1, $model->user->getEmail() )) {
+      $model->error = 'PASSWORD_CONTAINS_EMAIL';
+      return self::RET_FAILURE;
+    }
+
+    if ( !$req->password_allow_username
+      && stripos( $model->pw1, $model->user->getUsername() )) {
+      $model->error = 'PASSWORD_CONTAINS_USERNAME';
+      return self::RET_FAILURE;
+    }
+
+    // --
+    $model->user->invalidateVerificationToken();
+    // --
+
+    if ( $model->user->getAcl( User::OPTION_DISABLED )) {
+      $model->error = 'USER_DISABLED';
+      return self::RET_FAILURE;
+    }
+
+    if (!$model->user->changePassword( $model->pw1 )) {
+      $model->error = 'INTERNAL_ERROR';
+      return self::RET_FAILURE;
+    }
+
+    $model->error = false;
+    return self::RET_SUCCESS;
+  }
 }

src/models/User/ResetPassword.php

@@ -8,7 +8,9 @@ class ResetPassword extends Model {
 
   public $csrf_id;
   public $csrf_token;
-  public $email;
   public $error;
+  public $token;
+  public $user;
+  public $username;
 
 }

src/templates/Email/User/Register.plain.phtml

@@ -1,7 +1,7 @@
 <?php
 namespace BNETDocs\Templates\Email\User;
 use \CarlBennett\MVC\Libraries\Common;
-require("./Email/header.plain.inc.phtml");
+require('./Email/header.plain.inc.phtml');
 ?>
 Welcome to BNETDocs!
 
@@ -13,4 +13,4 @@ or copy and paste the link below into your browser to activate your account.
 
 Note: This link will only be available for 24 hours after registering. If you
 wait until it expires, you will need to complete a password reset.
-<?php require("./Email/footer.plain.inc.phtml"); ?>
+<?php require('./Email/footer.plain.inc.phtml'); ?>