From bec02fa2979878be7521d06f48671d853215ebd7 Mon Sep 17 00:00:00 2001
From: Thies Mueller <git@td00.de>
Date: Fri, 8 Jan 2021 21:09:12 +0100
Subject: [PATCH] maybe sometime else

---
 passwordchange.php | 79 --------------------------------------------
 secondauth.php     | 81 ----------------------------------------------
 2 files changed, 160 deletions(-)
 delete mode 100644 passwordchange.php
 delete mode 100644 secondauth.php

diff --git a/passwordchange.php b/passwordchange.php
deleted file mode 100644
index 2ff0423..0000000
--- a/passwordchange.php
+++ /dev/null
@@ -1,79 +0,0 @@
-<!DOCTYPE html> 
-<html> 
-<head>
-<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
-   
-  <title>Change Password</title>    
-</head> 
-<body>
-<?php
-$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
- 
-if(!isset($_GET['userid']) || !isset($_GET['code'])) {
- die('No code delivered. nothing to do here.<meta http-equiv="refresh" content="1; URL=secondauth.php">');
-}
- 
-$userid = $_GET['userid'];
-$code = $_GET['code'];
- 
-
-$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
-$result = $statement->execute(array('userid' => $userid));
-$user = $statement->fetch();
- 
-//check if theres a code for the user delivered
-if($user === null || $user['passwordcode'] === null) {
- die('No User matching your request.<meta http-equiv="refresh" content="1; URL=profile.php">');
-}
- 
-if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
- die('Ooops. This code isnt valid anymore.<meta http-equiv="refresh" content="1; URL=profile.php">');
-}
- 
- 
-
-if(sha1($code) != $user['passwordcode']) {
- die('<meta http-equiv="refresh" content="0; URL=/">');
-}
- 
-
- 
-if(isset($_GET['send'])) {
- $password = $_POST['password'];
- $password_confirm = $_POST['password_confirm'];
-  //regexes for passvalidation:
-    $REuppercase = preg_match('@[A-Z]@', $password);
-    $RElowercase = preg_match('@[a-z]@', $password);
-    $REnumber    = preg_match('@[0-9]@', $password);
-    $REspecialChars = preg_match('@[^\w]@', $password);
- if($password != $password_confirm) {
- echo "password or confirmed password wrong";
- }
- if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
-    echo '<color="red">Password needs to be more complex.</color><br />';
-    echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i><br />';
-    $error = true;
-}  else { 
- $passwordhash = password_hash($password, PASSWORD_DEFAULT);
- $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
- $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
- 
- if($result) {
- die('Changed password. Going to <a href="login.php">login</a> now.<meta http-equiv="refresh" content="1; URL=login.php?userid='.$user['id'].'&code='.$passwordcode">');
- }
- }
-}
-?>
-  <script src="ressources/js/bootstrap.min.js"></script>
-<h1>Set new password</h1>
-<form action="?send=1&amp;userid=<?php echo htmlentities($userid); ?>&amp;code=<?php echo htmlentities($code); ?>" method="post">
-<div class="form-group">
-<label for="password">New Password</label>
-<input type="password" id="password" class="form-control" name="password"><br><br>
- </div>
- <div class=form-group>
- <label for="password_confirm">Confirm new Password</label>
-<input type="password" id="password" class="form-control" name="password_confirm"><br><br>
- </div>
- <button type="submit" class="btn btn-primary">Submit new password</button>
-</form>
\ No newline at end of file
diff --git a/secondauth.php b/secondauth.php
deleted file mode 100644
index 66c5289..0000000
--- a/secondauth.php
+++ /dev/null
@@ -1,81 +0,0 @@
-<?php 
-session_start();
-$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
-
-function random_string() {
-    if(function_exists('random_bytes')) {
-    $bytes = random_bytes(16);
-    $str = bin2hex($bytes); 
-    } else if(function_exists('openssl_random_pseudo_bytes')) {
-    $bytes = openssl_random_pseudo_bytes(16);
-    $str = bin2hex($bytes); 
-    } else if(function_exists('mcrypt_create_iv')) {
-    $bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
-    $str = bin2hex($bytes); 
-    } else {
-   //this should be a unique string. if we use this in prod we should change this.
-    $str = md5(uniqid('thisisnotreallyrandombutthisstringheresomakethislongandmaybewith12345numberskthxbye', true));
-    } 
-    return $str;
-   }
-
-   $passwordcode = random_string();
-   $statement = $pdo->prepare("UPDATE users SET passwordcode = :passwordcode, passwordcode_time = NOW() WHERE id = :userid");
-   $result = $statement->execute(array('passwordcode' => sha1($passwordcode), 'userid' => $user['id']));
-   
-
-if(isset($_GET['login'])) {
-    $username = $_POST['username'];
-    $password = $_POST['password'];
-    
-    $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
-    $result = $statement->execute(array('username' => $username));
-    $user = $statement->fetch();
-        
-    if ($user !== false && password_verify($password, $user['password'])) {
-        $_SESSION['userid'] = $user['id'];
-        $_SESSION['email'] = $user['email'];
-        $_SESSION['username'] = $user['username'];
-        $_SESSION['givenName'] = $user['givenName'];
-        $_SESSION['lastName'] = $user['lastName'];
-        die('successfull. please wait. youll be forwarded! <meta http-equiv="refresh" content="0; URL=passwordchange.php">');
-    } else {
-        $errorMessage = "somethings wrong (maybe wrong password or invalid session)<br>";
-    }
-    
-}
-?>
-<!DOCTYPE html> 
-<html> 
-<head>
-<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
-   
-  <title>2nd Auth</title>    
-</head> 
-<body>
- 
-<?php 
-if(isset($errorMessage)) {
-    echo $errorMessage;
-}
-?>
-
- <script src="ressources/js/bootstrap.min.js"></script>
-<h3 class="display-5">You want to change your password? Please prove that you know your old password first!</h5>
-<form action="?login=1" method="post">
-<div class="form-group">
-<label for="username">Username</label>
-<input type="text" class="form-control" size="40" id="username" placeholder="Username" name="username" ><br><br>
-</div>
- <div class="form-group">
-<label for="password">Password</label>
-<input type="password" class="form-control" size="40" id="password" placeholder="Password" name="password"><br>
- </div>
- <button type="submit" class="btn btn-primary">Login</button>
-</form> 
-<br />
-<br />
-<a href="forgotpass.php"><button class="btn btn-warning">I forgot my password</button></a>
-<br /> <br />
-</body>
-</html>