CMXX - Changed history to equipment_history

api/v2/authorization.php

@@ -31,7 +31,7 @@ if ($stmt->rowCount() == 1) {
                     //Reset procedure
                     //STEP 1.A- Create resetkey
                     $headers = array('alg'=>'HS256','typ'=>'JWT');
-                    $payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
+                    $payload = array('username'=>$user_data['username'], 'exp'=>(time() + 600));
                     $resetkey = generate_jwt($headers, $payload);
                     //STEP 1.B Store in DB
                     $sql = 'UPDATE users SET resetkey = ? WHERE id = ?';
@@ -108,12 +108,29 @@ if ($stmt->rowCount() == 1) {
         echo $messages; 
     }
 } elseif (array_key_exists('resetkey', $user_credentials)) {
+    
     if ($user_credentials['resetkey'] != ''){
-    //UPDATE PASSWORD BASED ON RESETKEY
-    $password = $user_credentials['password'];
-    $passwordvalid = password_hash($password, PASSWORD_DEFAULT);
-    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE resetkey = ? ');
-    $stmt->execute([$passwordvalid, $user_credentials['resetkey']]);
+
+    //check if resetkey is still valid
+    $is_resetkey_valid = is_jwt_valid($user_credentials['resetkey']);
+
+    if($is_resetkey_valid) {
+        $password = $user_credentials['password'];
+
+        if (strlen(trim($password)) < 6){
+            //Return bad request
+            http_response_code(400);    
+        } 
+        else {
+            //UPDATE PASSWORD BASED ON RESETKEY
+            $passwordvalid = password_hash($password, PASSWORD_DEFAULT);
+            $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE resetkey = ? ');
+            $stmt->execute([$passwordvalid, $user_credentials['resetkey']]);
+        }
+
+    } else {
+        http_response_code(403);//Not authorized
+    }
 
     //
     } else {