Initial commit

core/controllers/Password.php

@@ -0,0 +1,105 @@
+<?php
+
+namespace Controllers;
+
+class Password
+{
+    public function getReset()
+    {
+        return view('password.reset');
+    }
+
+    public function getCreate()
+    {
+        if ($this->hasToken() && $this->tokenValid()) {
+            return view('password.create');
+        }
+        header('HTTP/1.0 403 Forbidden');
+        die();
+        return false;
+    }
+
+    public function reset()
+    {
+        if ($id = $this->getUserId()) {
+            $db = db();
+            $forget_token = \Illuminate\Support\Str::random(40);
+            $sql = 'INSERT INTO forget_tokens VALUES (:id, :token)';
+            $query = $db->prepare($sql);
+            $query->bindValue(':id', $id, \PDO::PARAM_INT);
+            $query->bindValue(':token', $forget_token);
+            $query->execute();
+            send_mail([
+                'email' => $_POST['email'],
+                'title' => '[Blog App] A Password Reset Requested!',
+                'body' => 'Click <a href="http://localhost' . port() . '/user/password/create?id=' . $id .
+                          '&forget_token=' . $forget_token . '">here</a> to confirm that ' .
+                          'you really want to reset your password.'
+            ]);
+            $sql = 'SET global event_scheduler = 1;' .
+                   'DROP EVENT IF EXISTS clear_forget_token_:id;' .
+                   'CREATE EVENT clear_forget_token_:id ' .
+                   'ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL 1 HOUR ' .
+                   'DO DELETE FROM forget_tokens WHERE id=:id';
+            $query = $db->prepare($sql);
+            $query->bindValue(':id', $id, \PDO::PARAM_INT);
+            $query->execute();
+            $message = 'Check your email inbox. We have sent you a confirmation mail.';
+            return view('redirect', ['message' => $message]);
+        }
+        $_SESSION['errors'] = ['This E-mail is not registered or is already requested.'];
+        header('Location: /user/password/reset');
+        return false;
+    }
+
+    public function create()
+    {
+        if (! valid_password($_POST['password'], $_POST['confirm-password'])) {
+            $_SESSION['errors'] = ['Invalid password.'];
+            header("Location: /user/password/create?id={$_POST['id']}&forget_token={$_POST['forget_token']}");
+            return false;
+        }
+        $sql = 'UPDATE users SET password=? WHERE id=?';
+        $db = db();
+        $query = $db->prepare($sql);
+        $query->execute([
+            password_hash($_POST['password'], PASSWORD_DEFAULT),
+            $_POST['id']
+        ]);
+        $sql = 'DELETE FROM forget_tokens WHERE id=?';
+        $db = db();
+        $query = $db->prepare($sql);
+        $query->execute([$_POST['id']]);
+        header('Location: /user/login');
+        return false;
+    }
+
+    private function hasToken()
+    {
+        return (isset($_GET['id']) &&
+                isset($_GET['forget_token']));
+    }
+
+    private function tokenValid()
+    {
+        $sql = 'SELECT * FROM (users AS u JOIN ' .
+               'forget_tokens AS t ON u.id=t.id) WHERE u.id=? AND token=?';
+        $query = db()->prepare($sql);
+        $query->execute([$_GET['id'], $_GET['forget_token']]);
+        $user = $query->fetchAll(\PDO::FETCH_CLASS, 'Core\\Record');
+        return (count($user) != 0);
+    }
+
+    private function getUserId()
+    {
+        $sql = 'SELECT u.id FROM users AS u WHERE email=? AND NOT EXISTS (' .
+               'SELECT * FROM forget_tokens AS t WHERE u.id=t.id)';
+        $query = db()->prepare($sql);
+        $query->execute([$_POST['email']]);
+        $user = $query->fetchAll(\PDO::FETCH_CLASS, 'Core\\Record');
+        if (count($user) != 0) {
+            return $user[0]->id;
+        }
+        return null;
+    }
+}