blog-app/core/controllers/Password.php

106 lines
3.6 KiB
PHP
Raw Permalink Normal View History

2021-09-16 20:27:51 +08:00
<?php
namespace Controllers;
class Password
{
public function getReset()
{
return view('password.reset');
}
public function getCreate()
{
if ($this->hasToken() && $this->tokenValid()) {
return view('password.create');
}
header('HTTP/1.0 403 Forbidden');
die();
return false;
}
public function reset()
{
if ($id = $this->getUserId()) {
$db = db();
$forget_token = \Illuminate\Support\Str::random(40);
$sql = 'INSERT INTO forget_tokens VALUES (:id, :token)';
$query = $db->prepare($sql);
$query->bindValue(':id', $id, \PDO::PARAM_INT);
$query->bindValue(':token', $forget_token);
$query->execute();
send_mail([
'email' => $_POST['email'],
'title' => '[Blog App] A Password Reset Requested!',
'body' => 'Click <a href="http://localhost' . port() . '/user/password/create?id=' . $id .
'&forget_token=' . $forget_token . '">here</a> to confirm that ' .
'you really want to reset your password.'
]);
$sql = 'SET global event_scheduler = 1;' .
'DROP EVENT IF EXISTS clear_forget_token_:id;' .
'CREATE EVENT clear_forget_token_:id ' .
'ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL 1 HOUR ' .
'DO DELETE FROM forget_tokens WHERE id=:id';
$query = $db->prepare($sql);
$query->bindValue(':id', $id, \PDO::PARAM_INT);
$query->execute();
$message = 'Check your email inbox. We have sent you a confirmation mail.';
return view('redirect', ['message' => $message]);
}
$_SESSION['errors'] = ['This E-mail is not registered or is already requested.'];
header('Location: /user/password/reset');
return false;
}
public function create()
{
if (! valid_password($_POST['password'], $_POST['confirm-password'])) {
$_SESSION['errors'] = ['Invalid password.'];
header("Location: /user/password/create?id={$_POST['id']}&forget_token={$_POST['forget_token']}");
return false;
}
$sql = 'UPDATE users SET password=? WHERE id=?';
$db = db();
$query = $db->prepare($sql);
$query->execute([
password_hash($_POST['password'], PASSWORD_DEFAULT),
$_POST['id']
]);
$sql = 'DELETE FROM forget_tokens WHERE id=?';
$db = db();
$query = $db->prepare($sql);
$query->execute([$_POST['id']]);
header('Location: /user/login');
return false;
}
private function hasToken()
{
return (isset($_GET['id']) &&
isset($_GET['forget_token']));
}
private function tokenValid()
{
$sql = 'SELECT * FROM (users AS u JOIN ' .
'forget_tokens AS t ON u.id=t.id) WHERE u.id=? AND token=?';
$query = db()->prepare($sql);
$query->execute([$_GET['id'], $_GET['forget_token']]);
$user = $query->fetchAll(\PDO::FETCH_CLASS, 'Core\\Record');
return (count($user) != 0);
}
private function getUserId()
{
$sql = 'SELECT u.id FROM users AS u WHERE email=? AND NOT EXISTS (' .
'SELECT * FROM forget_tokens AS t WHERE u.id=t.id)';
$query = db()->prepare($sql);
$query->execute([$_POST['email']]);
$user = $query->fetchAll(\PDO::FETCH_CLASS, 'Core\\Record');
if (count($user) != 0) {
return $user[0]->id;
}
return null;
}
}