<?php
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#
include("defs.php3");

#
# Verify page arguments.
#
$optargs = OptionalPageArguments("simple", PAGEARG_BOOLEAN,
				 "reset",  PAGEARG_STRING,
				 "email",  PAGEARG_STRING,
				 "phone",  PAGEARG_STRING);

# "simple" selects the reduced version of this page; absent means full page.
$simple = isset($simple) ? $simple : 0;

#
# The simple view drops the banner, copyright and sidebar. $view is handed to
# PAGEHEADER/PAGEFOOTER here and inside SPITFORM.
#
$view = $simple
      ? array('hide_banner' => 1, 'hide_copyright' => 1, 'hide_sidebar' => 1)
      : array();

#
# Must use https! This relies on the web server exporting SSL_PROTOCOL for
# TLS requests (mod_ssl does). The script does not return after USERERROR,
# so presumably USERERROR terminates the page -- confirm in defs.php3.
#
if (!isset($_SERVER["SSL_PROTOCOL"])) {
    PAGEHEADER("Forgot Your Password?", $view);
    USERERROR("Must use https:// to access this page!", 1);
}

#
# Must not be logged in: a logged-in user already knows the password, and
# the reset path is only meant for anonymous visitors.
#
if (CheckLogin($check_status)) {
    PAGEHEADER("Forgot Your Password?", $view);
    echo "<h3>
              You are logged in. You must already know your password!
          </h3>\n";
    PAGEFOOTER($view);
    die("");
}

#
# Spit out the form.
# 
#
# Emit the "forgot password" form.
#
# $email, $phone  values to pre-fill the two fields with (raw, cleaned here).
# $failed         failure text to show above the form, or 0/"" for none.
# $simple         when true a hidden "simple" field is added so the post-back
#                 keeps the reduced decoration level.
# $view           decoration flags passed through to PAGEHEADER.
#
function SPITFORM($email, $phone, $failed, $simple, $view)
{
    global	$TBBASE, $WIKIDOCURL;

    # Everything interpolated into the markup below goes through CleanString
    # first (XSS prevention); $failed is only cleaned when it is non-empty.
    $phone  = CleanString($phone);
    $email  = CleanString($email);

    PAGEHEADER("Forgot Your Password?", $view);

    # Banner above the form: the failure reason when one was supplied,
    # otherwise the plain instructions.
    if ($failed) {
	$failed = CleanString($failed);
	$banner = "<center>
              <font size=+1 color=red>
              $failed
	      Please try again.
              </font>
              </center><br>\n";
    }
    else {
	$banner = "<center>
              <font size=+1>
              Please provide your email address and phone number.<br><br>
              </font>
              </center>\n";
    }
    echo $banner;

    # The hidden field only exists in the simple view.
    $hidden = $simple ? "<input type=hidden name=simple value=$simple>\n" : "";

    echo "<table align=center border=1>
          <form action={$TBBASE}/password.php3 method=post>
          <tr>
              <td>Email Address:</td>
              <td><input type=text
                         value=\"$email\"
                         name=email size=30></td>
          </tr>
          <tr>
              <td>Phone Number:</td>
              <td><input type=text
                         value=\"$phone\"
                         name=phone size=20></td>
          </tr>
          <tr>
             <td align=center colspan=2>
                 <b><input type=submit value=\"Reset Password\"
                           name=reset></b>
             </td>
          </tr>\n" .
	 $hidden .
	 "</form>
          </table>\n";

    # Instructions and the pointer to the knowledge base entry.
    echo "<br><blockquote>
          Please provide your phone number in standard dashed notation;
          no extensions or room numbers, etc. We will do our best to match it up
          against our user records.
          <br><br>
          If the email address and phone number you give us matches
          our user records, we will email a URL that will allow you to change
          your password.

          <br><br>
          <b>Please read this <a href='$WIKIDOCURL/kb69'>
          Knowledge Base Entry</a> if you get an error
          when trying to use the link we email to you!</b>
          </blockquote>\n";
}

#
# If not clicked, then put up a form.
#
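#
# Both optional fields are normalized to strings first, so every path below
# (including the error re-display of the form) has a defined value. Before
# this, a submit with only one field set re-displayed the form with an
# undefined variable.
#
if (!isset($email)) {
    $email = "";
}
if (!isset($phone)) {
    $phone = "";
}

#
# If not clicked, then put up a form.
#
if (!isset($reset)) {
    SPITFORM($email, $phone, 0, $simple, $view);
    return;
}

#
# Reset clicked. See if we find a user with the given email/phone. If not,
# send the user back to the form.
#
if ($phone === "" || !TBvalid_phone($phone) ||
    $email === "" || !TBvalid_email($email)) {
    SPITFORM($email, $phone,
	     "The email or phone contains invalid characters.",
	     $simple, $view);
    return;
}

# The same message is used for an unknown email and for a phone mismatch so
# the form does not reveal which addresses belong to existing accounts.
if (! ($user = User::LookupByEmail($email))) {
    SPITFORM($email, $phone,
	     "The email or phone does not match an existing user.",
	     $simple, $view);
    return;
}
$uid       = $user->uid();
$usr_phone = $user->phone();
$uid_name  = $user->name();
$uid_email = $user->email();

#
# Compare phone numbers by stripping out anything but the digits. The
# comparison is strict: with != two digit-only strings are compared as
# numbers, so e.g. a leading zero would be ignored. A preg_replace failure
# (null) now also counts as a mismatch instead of matching an empty string.
#
$given_digits = preg_replace("/[^0-9]/", "", $phone);
$known_digits = preg_replace("/[^0-9]/", "", $usr_phone);
if ($given_digits !== $known_digits) {
    SPITFORM($email, $phone,
	     "The email or phone does not match an existing user.",
	     $simple, $view);
    return;
}

#
# A matched user, but if frozen do not go further. Confuses users.
#
if ($user->weblogin_frozen()) {
    PAGEHEADER("Forgot Your Password?", $view);
    echo "<center>
	     The password cannot be changed; please contact $TBMAILADDR.<br>
             <br>
          <font size=+1 color=red>
            Please do not attempt to change your password again;
                it will not work!
          </font>
          </center><br>\n";
    return;
}

#
# Yep. Generate a random key and send the user an email message with a URL
# that will allow them to change their password.
#
# The key is the only secret protecting the reset, so it has to come from a
# CSPRNG: md5(uniqid(rand(),1)) is derived from a predictable seed and the
# clock. 16 random bytes give the same 32-hex-character shape as the md5
# hex digest, so the 16/16 split below and the stored key format are unchanged.
#
$key  = bin2hex(random_bytes(16));
$keyA = substr($key, 0, 16);
$keyB = substr($key, 16);

# Send half of the key to the browser and half in the email message
# (presumably so that neither the mailbox nor the browser alone is enough
# to complete the reset -- see chpasswd.php3).
# NOTE(review): the cookie is not marked httponly; if chpasswd.php3 reads it
# only server-side, pass true as the seventh setcookie() argument.
setcookie($TBAUTHCOOKIE, $keyA, 0, "/",
	  $WWWHOST, $TBSECURECOOKIES);

# It is okay to spit this now that we have sent the cookie.
PAGEHEADER("Forgot Your Password?", $view);

# The second argument is an SQL expression for the expiry (30 minutes).
$user->SetChangePassword($key, "UNIX_TIMESTAMP(now())+(60*30)");

TBMAIL("$uid_name <$uid_email>",
       "Password Reset requested by '$uid'",
       "\n".
       "Here is your password reset authorization URL. Click on this link\n".
       "within the next 30 minutes, and you will be allowed to reset your\n".
       "password. If the link expires, you can request a new one from the\n".
       "web interface.\n".
       "\n".
       "    {$TBBASE}/chpasswd.php3?user=$uid&key=$keyB&simple=$simple\n".
       "\n".
       "The request originated from IP: " . $_SERVER['REMOTE_ADDR'] . "\n".
       "\n".
       "Thanks,\n".
       "Testbed Operations\n",
       "From: $TBMAIL_OPS\n".
       "Bcc: $TBMAIL_AUDIT\n".
       "Errors-To: $TBMAIL_WWW");

echo "<br>
      An email message has been sent to your account. In it you will find a
      URL that will allow you to change your password. The link will <b>expire 
      in 30 minutes</b>. If the link does expire before you have a chance to
      use it, simply come back and request a <a href='password.php3'>new one</a>.
      \n";

#
# Standard Testbed Footer. $view is passed so the simple view stays
# consistent with the other PAGEFOOTER call on this page.
#
PAGEFOOTER($view);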
?>