CIM67 - Block Users after 5 failed login attempts
This commit is contained in:
“VeLiTi”
@@ -9,9 +9,13 @@ $user_credentials = json_decode(decode_payload($input),true);
|
||||
$pdo = dbConnect($dbname);
|
||||
$username = $user_credentials['username'] ?? '';
|
||||
//Define Query
|
||||
$stmt = $pdo->prepare('SELECT id, username, password, salesID, partnerhierarchy, view, service, settings, lastlogin, userkey, language FROM users WHERE username = ?');
|
||||
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
|
||||
//Excute Query
|
||||
$stmt->execute([$username]);
|
||||
|
||||
//SETUP SQL FOR LOGIN_COUNT
|
||||
$sql_login = 'UPDATE users SET login_count = ? WHERE id = ?';
|
||||
|
||||
// Check if username exists. Verify user exists then verify
|
||||
if ($stmt->rowCount() == 1) {
|
||||
$user_data = $stmt->fetch();
|
||||
@@ -19,47 +23,71 @@ if ($stmt->rowCount() == 1) {
|
||||
$profile = getProfile($user_data['settings'],$permission);
|
||||
$password = $user_credentials['password'];
|
||||
|
||||
if (array_key_exists('resetkey', $user_credentials)){
|
||||
|
||||
if ($user_credentials['resetkey'] == ''){
|
||||
//Reset procedure
|
||||
//STEP 1.A- Create resetkey
|
||||
$headers = array('alg'=>'HS256','typ'=>'JWT');
|
||||
$payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
|
||||
$resetkey = generate_jwt($headers, $payload);
|
||||
//STEP 1.B Store in DB
|
||||
$sql = 'UPDATE users SET resetkey = ? WHERE id = ?';
|
||||
$stmt = $pdo->prepare($sql);
|
||||
$stmt->execute([$resetkey,$user_data['id']]);
|
||||
//STEP 2- Send to user
|
||||
include_once './assets/mail/email_template_reset.php';
|
||||
send_mail($user_data['username'],$subject,$message,'','');
|
||||
}
|
||||
if ($user_data['login_count'] < 5){
|
||||
if (array_key_exists('resetkey', $user_credentials)){
|
||||
|
||||
if ($user_credentials['resetkey'] == ''){
|
||||
//Reset procedure
|
||||
//STEP 1.A- Create resetkey
|
||||
$headers = array('alg'=>'HS256','typ'=>'JWT');
|
||||
$payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
|
||||
$resetkey = generate_jwt($headers, $payload);
|
||||
//STEP 1.B Store in DB
|
||||
$sql = 'UPDATE users SET resetkey = ? WHERE id = ?';
|
||||
$stmt = $pdo->prepare($sql);
|
||||
$stmt->execute([$resetkey,$user_data['id']]);
|
||||
//STEP 2- Send to user
|
||||
include_once './assets/mail/email_template_reset.php';
|
||||
send_mail($user_data['email'],$subject,$message,'','');
|
||||
//STEP 3- Update Login count
|
||||
$login_attempt = $user_data['login_count'] + 1;
|
||||
$stmt_login = $pdo->prepare($sql_login);
|
||||
$stmt_login->execute([$login_attempt, $user_data['id']]);
|
||||
}
|
||||
|
||||
} else { //STANDARD LOGIN
|
||||
if (password_verify($password, $user_data['password'])) {
|
||||
$token = createCommunicationToken($user_data['service']);
|
||||
} else { //STANDARD LOGIN
|
||||
if (password_verify($password, $user_data['password'])) {
|
||||
$token = createCommunicationToken($user_data['service']);
|
||||
|
||||
$user = array(
|
||||
'id' => $user_data['id'],
|
||||
'username' => $user_data['username'],
|
||||
'salesID' => $user_data['salesID'],
|
||||
'partnerhierarchy' => $user_data['partnerhierarchy'],
|
||||
'permission' => $permission,
|
||||
'profile' => $profile,
|
||||
'service' => $user_data['service'],
|
||||
'userkey' => $user_data['userkey'],
|
||||
'language' => $user_data['language'],
|
||||
'token' => $token
|
||||
);
|
||||
//Encrypt results
|
||||
$messages = generate_payload($user);
|
||||
//Send results
|
||||
print_r($messages);
|
||||
} else {
|
||||
http_response_code(403); //Not authorized
|
||||
$user = array(
|
||||
'id' => $user_data['id'],
|
||||
'username' => $user_data['username'],
|
||||
'salesID' => $user_data['salesID'],
|
||||
'partnerhierarchy' => $user_data['partnerhierarchy'],
|
||||
'permission' => $permission,
|
||||
'profile' => $profile,
|
||||
'service' => $user_data['service'],
|
||||
'userkey' => $user_data['userkey'],
|
||||
'language' => $user_data['language'],
|
||||
'token' => $token
|
||||
);
|
||||
|
||||
//Reset login count after succesfull attempt
|
||||
$login_attempt = 0;
|
||||
$stmt_login = $pdo->prepare($sql_login);
|
||||
$stmt_login->execute([$login_attempt, $user_data['id']]);
|
||||
|
||||
//Encrypt results
|
||||
$messages = generate_payload($user);
|
||||
//Send results
|
||||
print_r($messages);
|
||||
} else {
|
||||
//Update Login count with failed attempt
|
||||
$login_attempt = $user_data['login_count'] + 1;
|
||||
$stmt_login = $pdo->prepare($sql_login);
|
||||
$stmt_login->execute([$login_attempt, $user_data['id']]);
|
||||
//Send Response
|
||||
http_response_code(403); //Not authorized
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
//User is blocked & send error
|
||||
$messages = generate_payload('1');
|
||||
//------------------------------------------
|
||||
//Send results
|
||||
//------------------------------------------
|
||||
echo $messages;
|
||||
}
|
||||
} elseif (array_key_exists('resetkey', $user_credentials)) {
|
||||
if ($user_credentials['resetkey'] != ''){
|
||||
//UPDATE PASSWORD BASED ON RESETKEY
|
||||
@@ -67,6 +95,8 @@ if ($stmt->rowCount() == 1) {
|
||||
$passwordvalid = password_hash($password, PASSWORD_DEFAULT);
|
||||
$stmt = $pdo->prepare('UPDATE users SET password = ? WHERE resetkey = ? ');
|
||||
$stmt->execute([$passwordvalid, $user_credentials['resetkey']]);
|
||||
|
||||
//
|
||||
} else {
|
||||
http_response_code(403);//Not authorized
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user