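<?php
defined($security_key) or exit;
//------------------------------------------
// API v2 authorization endpoint (flat script, included by the router).
//
// Inputs set by the including script (not visible here): $security_key
// (include guard), $input (raw JSON request body) and $dbname.
// Three flows are selected by the keys present in the body:
//   1. Standard login   - username|clientID + password|clientsecret.
//      On success echoes JSON {clientID, token, token_valid, userkey}.
//   2. Reset request    - username|clientID + resetkey == "".
//      Stores a 10-minute reset JWT on the user row and e-mails it.
//   3. Reset completion - resetkey (non-empty JWT) + password, sent
//      WITHOUT a matching username. Replaces the password of the row
//      holding that key; the key is cleared so it cannot be replayed.
// Status codes: 200 + JSON (login), 200 + "1" (account blocked,
// login_count >= 5), 400 (new password too short), 403 otherwise.
//
// NOTE(review): the "1" body and the 200/403 split on flow 2 let an
// unauthenticated caller tell existing usernames from unknown ones, and
// five failed passwords or five reset requests lock an account until a
// successful login (which a blocked account cannot perform). Both are
// API behaviour existing clients may rely on, so they are documented here
// rather than changed.
//------------------------------------------
// Decode the body. json_decode() returns null (or a scalar) for malformed
// input, and array_key_exists() on a non-array is a TypeError on PHP 8;
// normalise to an empty array so the lookups below fail closed (403).
$user_credentials = json_decode($input, true);
if (!is_array($user_credentials)) {
    $user_credentials = [];
}
// Credential fields must be strings: password_verify()/trim() throw a
// TypeError on arrays, and a nested JSON value must never reach the DB.
// A non-string value is treated as absent; $fallback_key is the legacy alias.
$credential_string = function (array $source, $key, $fallback_key) {
    if (isset($source[$key]) && is_string($source[$key])) {
        return $source[$key];
    }
    if (isset($source[$fallback_key]) && is_string($source[$fallback_key])) {
        return $source[$fallback_key];
    }
    return '';
};
//Connect to DB
$pdo = dbConnect($dbname);
//User username or clientID
$username = $credential_string($user_credentials, 'username', 'clientID');
//Define Query
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
//Excute Query
$stmt->execute([$username]);
// PDOStatement::rowCount() is not guaranteed for SELECT on every driver;
// count the fetched rows instead. Exactly one row must match.
$user_rows = $stmt->fetchAll();
//SETUP SQL FOR LOGIN_COUNT
$sql_login = 'UPDATE users SET login_count = ? WHERE id = ?';
// Check if username exists. Verify user exists then verify
if (count($user_rows) === 1) {
    $user_data = $user_rows[0];
    // $permission/$profile are not read below; kept because the included
    // e-mail template or the helpers may use them as globals (unverified).
    $permission = userRights($user_data['view']);
    $profile = getProfile($user_data['settings'], $permission);
    $password = $credential_string($user_credentials, 'password', 'clientsecret');
    if ($user_data['login_count'] < 5) {
        if (array_key_exists('resetkey', $user_credentials)) {
            $reset_key = $user_credentials['resetkey'];
            // An empty (or null) resetkey with a known username requests a
            // reset. A non-empty resetkey together with a matching username
            // is not a flow this endpoint handles: it falls through and
            // answers 200 with an empty body, as before.
            if ($reset_key === '' || $reset_key === null) {
                //Reset procedure
                //STEP 1.A- Create resetkey: HS256 JWT carrying the username,
                // valid for 600 s (generate_jwt() is defined elsewhere).
                $headers = array('alg' => 'HS256', 'typ' => 'JWT');
                $payload = array('username' => $user_data['username'], 'exp' => (time() + 600));
                $resetkey = generate_jwt($headers, $payload);
                //STEP 1.B Store in DB (overwrites any earlier, still-valid key)
                $sql = 'UPDATE users SET resetkey = ? WHERE id = ?';
                $stmt = $pdo->prepare($sql);
                $stmt->execute([$resetkey, $user_data['id']]);
                //STEP 2- Send to user. $subject/$message are set by the template.
                include_once './assets/mail/email_template_reset.php';
                send_mail($user_data['email'], $subject, $message, '', '');
                //STEP 3- Update Login count: a reset request counts as an
                // attempt, so at most five reset mails can be triggered per
                // account before it is blocked.
                $login_attempt = $user_data['login_count'] + 1;
                $stmt_login = $pdo->prepare($sql_login);
                $stmt_login->execute([$login_attempt, $user_data['id']]);
            }
        } else { //STANDARD LOGIN
            if (password_verify($password, $user_data['password'])) {
                //Check valid userkey: keys older than 30 minutes, measured
                // from users.lastlogin (which is not written in this file),
                // are rotated below.
                $valid_key = strtotime('+30 minutes', strtotime($user_data['lastlogin']));
                $valid = ($valid_key <= time()) ? 0 : 1;
                //REFRESH USERKEY (only if one exists and it has expired)
                if ($user_data['userkey'] != '' && $valid == 0) {
                    $user_data['userkey'] = bin2hex(random_bytes(25));
                    $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?';
                    $stmt_userkey = $pdo->prepare($sql_userkey);
                    $stmt_userkey->execute([$user_data['userkey'], $user_data['id']]);
                }
                //REFRESH SERVICE KEY (same rule as the userkey)
                if ($user_data['service'] != '' && $valid == 0) {
                    $user_data['service'] = bin2hex(random_bytes(25));
                    $sql_service = 'UPDATE users SET service = ? WHERE id = ?';
                    $stmt_service = $pdo->prepare($sql_service);
                    $stmt_service->execute([$user_data['service'], $user_data['id']]);
                }
                $token = createCommunicationToken($user_data['userkey']);
                //RETURN JWT AND CLIENTSECRET
                // NOTE(review): the raw userkey is returned on every login
                // alongside the token derived from it; clients must treat it
                // as a credential.
                $user = array(
                    'clientID' => $user_data['username'],
                    'token' => $token,
                    'token_valid' => date('Y-m-d H:i:s', time() + 1800),
                    'userkey' => $user_data['userkey']
                );
                //Reset login count after succesfull attempt
                $login_attempt = 0;
                $stmt_login = $pdo->prepare($sql_login);
                $stmt_login->execute([$login_attempt, $user_data['id']]);
                //Encode results (plain JSON; nothing is encrypted here)
                $messages = json_encode($user, JSON_UNESCAPED_UNICODE);
                //Send results
                echo $messages;
            } else {
                //Update Login count with failed attempt
                $login_attempt = $user_data['login_count'] + 1;
                $stmt_login = $pdo->prepare($sql_login);
                $stmt_login->execute([$login_attempt, $user_data['id']]);
                //Send Response
                http_response_code(403); //Not authorized
            }
        }
    } else {
        //User is blocked & send error (HTTP 200 with body "1")
        $messages = '1';
        //------------------------------------------
        //Send results
        //------------------------------------------
        echo $messages;
    }
} elseif (array_key_exists('resetkey', $user_credentials)) {
    // Reset completion: reached only when no user row matched $username
    // (normally the client sends no username at all).
    $reset_key = $user_credentials['resetkey'];
    if (is_string($reset_key) && $reset_key !== '') {
        //check if resetkey is still valid (signature/expiry are checked by
        // is_jwt_valid(), defined elsewhere)
        $is_resetkey_valid = is_jwt_valid($reset_key);
        if ($is_resetkey_valid) {
            $password = (isset($user_credentials['password']) && is_string($user_credentials['password']))
                ? $user_credentials['password'] : '';
            // Minimum length is checked on the trimmed value; the untrimmed
            // value is what gets hashed (unchanged policy).
            if (strlen(trim($password)) < 6) {
                //Return bad request
                http_response_code(400);
            } else {
                //UPDATE PASSWORD BASED ON RESETKEY and clear the key in the
                // same statement so it cannot be replayed within its 10-minute
                // lifetime. The row match (WHERE resetkey = ?) is what binds
                // the JWT to an account.
                $passwordvalid = password_hash($password, PASSWORD_DEFAULT);
                $stmt = $pdo->prepare('UPDATE users SET password = ?, resetkey = ? WHERE resetkey = ?');
                $stmt->execute([$passwordvalid, '', $reset_key]);
                // A well-formed JWT that matches no row (already used, or
                // superseded by a newer request) must not look like success.
                if ($stmt->rowCount() < 1) {
                    http_response_code(403); //Not authorized
                }
                // NOTE(review): login_count is left untouched here, so an
                // account blocked after this key was issued stays blocked.
            }
        } else {
            http_response_code(403); //Not authorized
        }
    } else {
        http_response_code(403); //Not authorized
    }
} else {
    http_response_code(403); //Not authorized
}
// No closing tag: avoids stray output after the response body.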