roundcube-password_recovery/password_recovery.php

534 lines
21 KiB
PHP

<?php
/**
* Password recovery
*
* Plugin to reset an account password
*
* @version 1.0
* @original_author Alexander Alferov
*
* @url https://github.com/AlfnRU/roundcube-password_recovery
*/
class password_recovery extends rcube_plugin {
public $task = 'login|logout|settings|mail';
public $rc;
public $db;
public $user;
public $use_password;
public $pwd_conf;
private $pwd;
private $fields;
private $send;
function init() {
$this->rc = rcmail::get_instance();
$this->load_config();
if (!$this->rc->config->get('pr_use_confirm_code') && !$this->rc->config->get('pr_use_question'))
return;
$this->init_ui();
$this->add_texts('localization/');
if ($this->rc->task == 'login' || $this->rc->task == 'logout') {
$this->add_hook('render_page', [$this, 'add_labels_to_login_page']);
$this->add_hook('startup', [$this, 'startup']);
$this->register_action('plugin.get_confirm_code_count', [$this, 'get_confirm_code_count']);
} else if ($this->rc->task == 'mail') {
$this->add_hook('render_page', [$this, 'add_labels_to_mail_page']);
$this->add_hook('messages_list', [$this, 'check_identities']);
} else if ($this->rc->task == 'settings') {
$this->add_hook('identity_form', [$this, 'identity_form']);
$this->add_hook('identity_update', [$this, 'identity_update']);
}
$this->include_script('password_recovery.js');
}
/*******************
* STARTUP
*******************/
function init_ui() {
if (!$this->fields) $this->fields = $this->rc->config->get('pr_fields');
if (!$this->db) $this->get_dbh();
if (!$this->user) $this->get_user_props();
$this->use_password = ($this->rc->config->get('pr_use_password_plugin') && $this->rc->plugins->load_plugin('password', true));
$new_fields = [
'token' => ['type' => 'VARCHAR(255)', 'default' => '\'\''],
'token_validity' => ['type' => 'DATETIME' , 'default' => '\'2000-01-01 00:00:00\'']
];
foreach($this->fields as $field => $field_name){
$new_fields[$field_name] = ['type' => ($field == 'phone' ? 'VARCHAR(30)' : 'VARCHAR(255)'), 'default' => '\'\''];
}
foreach($new_fields as $field_name => $field_props){
$query = "SELECT " . $field_name . " FROM " . $this->rc->config->get('pr_users_table');
$result = $this->db->query($query);
if (!$result) {
$query = "ALTER TABLE " . $this->rc->config->get('pr_users_table') . " ADD " . $field_name . " " . $field_props['type'] . " DEFAULT " . $field_props['default'];
$result = $this->db->query($query);
}
}
require_once $this->home . '/lib/send.php';
$this->send = new password_recovery_send($this);
require_once $this->home . '/lib/password.php';
$this->pwd = new password_recovery_pwd($this);
}
function startup($p) {
if ($this->rc->action != 'plugin.password_recovery' || !isset($_SESSION['temp']))
return $p;
switch ($this->get_action()) {
case 'init':
$this->recovery_password_form();
break;
case 'renew':
$this->renew_confirm_code();
break;
case 'new':
$this->new_password_form();
break;
case 'reset':
$this->reset_password();
break;
case 'save':
$this->save_password();
break;
case 'cancel':
$this->rc->kill_session();
$this->rc->output->command('redirect', './');
break;
}
return $p;
}
function add_labels_to_login_page($p) {
if ($p['template'] == 'login') {
$this->rc->output->add_label('password_recovery.forgot_password');
}
return $p;
}
function add_labels_to_mail_page($p) {
$this->rc->output->add_label('password_recovery.no_identities');
$this->rc->output->add_script('rcmail.message_time = 10000;');
return $p;
}
/*******************
* PASSWORD
*******************/
// Creating form for reset password
private function recovery_password_form() {
$this->rc->output->add_label(
'password_recovery.recovery_password',
'password_recovery.no_username'
);
$this->rc->output->set_pagetitle($this->gettext('recovery_password'));
$this->rc->output->add_gui_object('recoverypasswordform', 'recovery-password-form');
$this->rc->output->send('password_recovery.recovery_password_form');
}
// Creating form for new password
private function new_password_form() {
$this->rc->output->add_label(
'password_recovery.newpassword',
'password_recovery.newpassword_confirm',
'password_recovery.question',
'password_recovery.answer',
'password_recovery.code',
'password_recovery.recovery_password',
'password_recovery.renew_code',
'password_recovery.count_send_code_maximum',
'password_recovery.no_code',
'password_recovery.no_answer',
'password_recovery.no_password',
'password_recovery.no_password_confirm',
'password_recovery.password_inconsistency',
'password_recovery.password_too_short'
);
$this->rc->output->set_pagetitle($this->gettext('recovery_password'));
$this->rc->output->add_gui_object('newpasswordform', 'new-password-form');
$password_minimum_length = ($this->use_password ? $this->rc->config->get('password_minimum_length',8) : $this->rc->config->get('pr_password_minimum_length',8));
$this->rc->output->set_env('pr_username', $this->user['username']);
$this->rc->output->set_env('pr_question', $this->user['question']);
$this->rc->output->set_env('pr_use_question', (bool) ($this->rc->config->get('pr_use_question') && $this->user['have_answer']));
$this->rc->output->set_env('pr_use_confirm_code', (bool) ($this->rc->config->get('pr_use_confirm_code') && $this->user['have_code']));
$this->rc->output->set_env('pr_password_minimum_length', (int) $password_minimum_length);
$this->rc->output->send('password_recovery.new_password_form');
}
// Renew and send confirmation code to user (to alternative email and phone)
private function renew_confirm_code() {
if ($this->get_confirm_code_count() < $this->rc->config->get('pr_confirm_code_count_max')) {
$result = $this->send->send_confirm_code_to_user();
if ($result['send']) {
$this->update_confirm_code_count(1);
$message = $result['message'];
$type = 'confirmation';
} else {
$message = $this->gettext('send_failed') . "\n" . $result['message'];
$type = 'error';
}
} else {
$message = $this->gettext('count_send_code_maximum');
$type = 'error';
}
$this->rc->output->command('display_message', $message, $type);
$this->rc->output->send('plugin');
}
// Creating and send confirmation code to user (to alternative email and phone) or send message to administrator
private function reset_password() {
// kill remember_me cookies
setcookie ('rememberme_user', '', time()-3600);
setcookie ('rememberme_pass', '', time()-3600);
$allow_answer = ($this->rc->config->get('pr_use_question') && $this->user['have_answer']);
$allow_code = ($this->rc->config->get('pr_use_confirm_code') && $this->user['have_code']);
if (!$this->user['username']) {
$message = $this->gettext('user_not_found');
$type = 'error';
} else if (!$allow_answer && !$allow_code) {
$this->send->send_alert_to_admin($this->user['username']);
$message = $this->gettext('sent_to_admin');
$type = 'error';
} else if ($allow_code) {
$result['send'] = false;
if ($this->user['token_validity'] && !$this->user['token_expired']) {
$this->update_confirm_code_count(1);
$result['send'] = true;
$message = $this->gettext('check_account_notice');
$type = 'notice';
} else {
$result = $this->send->send_confirm_code_to_user();
if ($result['send']) {
$this->update_confirm_code_count(1);
$message = $result['message'];
$type = 'confirmation';
} else {
$message = $this->gettext('send_failed') . "\n" . $result['message'];
$type = 'error';
}
}
}
$this->logging("Password recovery request for '" . $this->user['username'] . "' (IP: " . rcube_utils::remote_addr() . ")");
if ($message) {
$this->rc->output->command('display_message', $message, $type);
}
if ($type == 'error') {
$this->recovery_password_form();
} else {
$this->new_password_form();
}
}
// Save new password to DB
private function save_password() {
$params = rcube_utils::request2param(rcube_utils::INPUT_POST);
$this->debug("Save new password: " . print_r($params, true));
if ($this->rc->config->get('pr_use_question') && $this->user['have_answer'] && $this->user['answer'] != $params['answer']) {
$message = $this->gettext('answer_failed');
$type = 'error';
} else if ($this->rc->config->get('pr_use_confirm_code') && $this->user['token_expired']) {
$message = $this->gettext('code_expired');
$type = 'error';
} else if ($this->rc->config->get('pr_use_confirm_code') && $this->user['token'] != $params['code']) {
$message = $this->gettext('code_failed');
$type = 'error';
} else {
// props to save
$save = ['token'=>'', 'token_validity'=>''];
// check allowed characters according to the configured 'password_charset' option
// by converting the password entered by the user to this charset and back to UTF-8
$rc_charset = strtoupper($this->rc->output->get_charset());
$orig_pwd = $params['newpassword'];
$chk_pwd = rcube_charset::convert($orig_pwd, $rc_charset, 'UTF-8');
$chk_pwd = rcube_charset::convert($chk_pwd, 'UTF-8', $rc_charset);
// We're doing this for consistence with Roundcube core
$newpassword = rcube_charset::convert($params['newpassword'], $rc_charset, 'UTF-8');
if ($chk_pwd != $orig_pwd || preg_match('/[\x00-\x1F\x7F]/', $newpassword)) {
$message = $this->gettext('password_forbidden');
$type = 'error';
} else if (!$this->use_password && ($chk_strength = $this->pwd->_check_strength($newpassword))) {
$message = $chk_strength;
$type = 'error';
} else {
if ($this->use_password) {
$result = $this->pwd->_save($newpassword, $this->user['username']);
if ($result != 0) {
$message = $this->gettext('write_failed') . ": " . $result;
$type = 'error';
$this->debug($message);
}
} else {
$save['password'] = crypt($newpassword, '$1$' . rcube_utils::random_bytes(9));
//$save['password'] = crypt($newpassword, '$6$' . rcube_utils::random_bytes(16));
}
if ($type != 'error' && $this->set_user_props($save)) {
$this->logging("Save new password for '" . $this->user['username'] . "' (IP: " . rcube_utils::remote_addr() . ")");
$message = $this->gettext('password_changed');
$type = 'confirmation';
} else if (!$this->use_password) {
$message = $this->gettext('password_not_changed');
$type = 'error';
}
}
}
$this->rc->output->command('display_message', $message, $type);
if ($type != 'error') {
$this->rc->kill_session();
$this->rc->output->command('redirect', './', 2);
// $this->rc->output->send('login');
}
}
/*******************
* IDENTITIES
*******************/
// Verifying the user identities needed to recover the password
function check_identities() {
if (!isset($_SESSION['show_notice_identities']) && !$this->user['have_altemail'] && !$this->user['have_phone']) {
$link = "<a href='./?_task=settings&_action=identities'>". $this->gettext('click_here') ."</a>";
$this->rc->output->command('display_message', sprintf($this->gettext('no_identities'), $link), 'notice');
$_SESSION['show_notice_identities'] = true;
}
}
// Handler for 'identity_form' hook (executed on identities form create)
function identity_form($p) {
if (isset($p['form']['addressing']) && !empty($p['record']['identity_id'])) {
$new_fields = [];
foreach ($p['form']['addressing']['content'] as $col => $colprop) {
$new_fields[$col] = $colprop;
if ($col == 'email') {
// add ext fields after 'email'
foreach ($this->fields as $field => $field_name){
$new_fields[$field] = ['type' => 'text', 'size' => 40, 'label' => $this->gettext($field)];
}
}
}
if (!$this->rc->config->get('pr_use_question')) {
unset($new_fields['question']);
unset($new_fields['answer']);
}
$p['form']['addressing']['content'] = $new_fields;
if($this->user['username']){
foreach ($this->fields as $field => $field_name){
$p['record'][$field] = $this->user[$field];
}
}
}
return $p;
}
// Handler for identity_update hook (executed on identities form submit)
function identity_update($p) {
$save = [];
foreach ($this->fields as $field => $field_name) {
$save[$field] = rcube_utils::get_input_value("_".$field,rcube_utils::INPUT_POST);
}
foreach ($save as $par => $val) {
if ((!$this->user['username'] && empty($val)) || ($this->user['username'] && $val == $this->user[$par])) {
unset($save[$par]);
}
}
if ($save['altemail']) {
$save['altemail'] = rcube_utils::idn_to_ascii($save['altemail']);
if (empty($save['altemail'])) {
$this->rc->output->command('display_message', $this->gettext('altemail_cleared'), 'confirmation');
} else if($save['altemail'] == $p['record']['email']) {
unset($save['altemail']);
$p['abort'] = true;
$p['message'] = $this->gettext('altemail_match_primary');
return $p;
} else if(!rcube_utils::check_email($save['altemail'])) {
unset($save['altemail']);
$p['abort'] = true;
$p['message'] = $this->gettext('altemail_invalid');
return $p;
}
}
if (count($save)) {
$this->debug("Save user identities: " . print_r($save, true));
$this->set_user_props($save);
}
return $p;
}
// Return array - user props (username must be user@domain.ltd)
function get_user_props($username = null, $with_alias = true) {
if (!$username) {
$username = ($this->rc->get_user_name() ? $this->rc->get_user_name() : rcube_utils::get_input_value("_username", rcube_utils::INPUT_GPC));
}
$ret = [];
$user = trim(urldecode($username));
if ($user) {
// get user row
$query = "SELECT u.user_id, u.username, i.email" .
" FROM users u" .
" INNER JOIN identities i ON i.user_id = u.user_id" .
" WHERE username=?";
$result = $this->rc->db->query($query, $user);
if ($result && ($arr = $this->rc->db->fetch_assoc($result))) {
$fields = [];
foreach ($this->fields as $field => $field_name) {
$fields[] = $field_name . " as " . $field;
}
$query = "SELECT " . implode(",",$fields) . ", token, token_validity, token='' OR token_validity < NOW() as token_expired" .
" FROM " . $this->rc->config->get('pr_users_table') .
" WHERE username=?";
$result = $this->db->query($query, $arr['email']);
$ret = array_merge($arr, $this->db->fetch_assoc($result));
} else {
// for alias (with users_alias plugin)
if ($with_alias && $this->rc->plugins->load_plugin('users_alias', true)) {
$users_alias = new users_alias($this->api);
$result = $users_alias->alias2user(['user' => $user]);
if ($result['user']) {
$ret = $this->get_user_props($result['user'], false);
}
}
}
$_SESSION['username'] = $ret['username']; //for password plugin
$ret['have_altemail'] = ($ret['altemail'] && !empty($ret['altemail']));
$ret['have_phone'] = ($ret['phone'] && !empty($ret['phone']));
$ret['have_code'] = ($ret['have_altemail'] || $ret['have_phone']);
$ret['have_answer'] = ($ret['question'] && !empty($ret['question']) && $ret['answer'] && !empty($ret['answer']));
}
$this->user = $ret;
return $ret;
}
// Save user props to DB
function set_user_props($props) {
$fields = [];
foreach ($this->fields as $field => $field_name) {
if (isset($props[$field])) {
$fields[] = $field_name . " = '" . $props[$field] . "'";
}
}
if (isset($props['token'])) {
if (empty($props['token'])) {
$code_validity_time = 0;
} else {
$code_validity_time = (int) $this->rc->config->get('pr_confirm_code_validity_time', 30);
}
$fields[] = "token = '" . $props['token'] . "', token_validity = NOW() + INTERVAL " . $code_validity_time . " MINUTE";
//$fields[] = "token = '" . $props['token'] . "', token_validity = NOW() + '" . $code_validity_time . " MINUTE'";
}
if ($props['password']) {
$fields[] = "password = '" . $props['password'] . "'";
$fields[] = "mdp = '{SHA512-CRYPT}" . $props['password'] . "'";
}
if (count($fields)) {
$query = "UPDATE " . $this->rc->config->get('pr_users_table') . " SET " . implode(",",$fields) . " WHERE username=?";
$this->db->query($query, $this->user['username']);
$this->get_user_props(); //update user props
$this->debug("Update user '" . $this->user['username'] . "' props: " . print_r($fields, true));
return $this->db->affected_rows() == 1;
}
return false;
}
function update_confirm_code_count($plus = 0) {
$count = $this->get_confirm_code_count() + $plus;
$_SESSION['pr_confirm_code_count'] = $count;
}
function get_confirm_code_count() {
if (!isset($_SESSION['pr_confirm_code_count'])) {
$_SESSION['pr_confirm_code_count'] = 0;
}
return $_SESSION['pr_confirm_code_count'];
}
/*******************
* service functions
*******************/
function get_dbh() {
if (!$this->db) {
if ($dsn = $this->rc->config->get('pr_db_dsn')) {
$this->db = rcube_db::factory($dsn);
$this->db->set_debug((bool)$this->rc->config->get('sql_debug'));
}
else {
$this->db = $this->rc->get_dbh();
}
}
return $this->db;
}
function get_action() {
$action = rcube_utils::get_input_value('_a', rcube_utils::INPUT_GPC);
if (!$action || empty($action)) {
$action = 'init';
}
return $action;
}
function logging($text) {
if ($this->rc->config->get('pr_password_log') == true) {
rcube::write_log('password', $text);
}
}
function debug($text) {
if ($this->rc->config->get('pr_debug') == true) {
$msg = (is_array($text) ? print_r($text, true) : $text);
rcube::write_log('console', $msg);
}
}
}
?>