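<?php
// Login page.
//
// On POST: validates the form, looks the user up by "FirstName LastName",
// checks the password (legacy md5 scheme or password_hash()), migrates a
// legacy hash to Argon2id on the first successful login, fills the session
// and redirects to the requested page. On any request it renders login.html.
//
// Expects the including script to provide the HTML class, $RUNTIME['PDO']
// (a PDO handle) and an already started session.

$HTML = new HTML();
$HTML->setHTMLTitle("Login");
$HTML->importHTML("login.html");

// The requested page name, used for the post-login redirect and the
// %%PAGENAME%% placeholder. Only a string is accepted so that urlencode()
// and preg_match() below are never handed an array.
$page = (isset($_REQUEST['page']) && is_string($_REQUEST['page'])) ? $_REQUEST['page'] : '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    include_once 'app/FormValidator.php';

    // The username is "FirstName LastName". The pattern is anchored (allowing
    // surrounding whitespace, which trim() strips below) so that explode()
    // yields exactly the two bound values the SELECT expects; an unanchored
    // pattern let a third word through, and execute() then fails on the
    // parameter count instead of reporting a login error.
    $validator = new FormValidator([
        'username' => ['required' => true, 'regex' => '/^\s*[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}\s*$/'],
        'password' => ['required' => true, 'regex' => '/.{1,1000}/'],
    ]);

    if (!$validator->isValid($_POST)) {
        $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername und Passwort an.");
    } else {
        $statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");
        $statementUser->execute(explode(" ", trim($_POST['username'])));

        // NOTE(review): this message differs from "Passwort falsch!" below, so
        // the response tells whether a username exists; a single generic
        // message would avoid that.
        $RUNTIME['MESSAGE']['LOGINERROR'] = "Benutzername nicht gefunden!";

        while ($rowUser = $statementUser->fetch()) {
            $statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");
            $statementAuth->execute([$rowUser['PrincipalID']]);
            $RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];

            while ($rowAuth = $statementAuth->fetch()) {
                $passwordCorrect = false;

                if (strlen($rowAuth['passwordHash']) === 32) {
                    // Legacy scheme: md5(md5(password) . ":" . salt), stored as
                    // 32 hex chars. hash_equals() is used instead of == because
                    // PHP compares numeric-looking strings ("0e...") numerically
                    // and because the comparison is constant-time.
                    $legacyHash = md5(md5($_POST['password']) . ":" . $rowAuth['passwordSalt']);
                    if (hash_equals($rowAuth['passwordHash'], $legacyHash)) {
                        $passwordCorrect = true;

                        // Migrate to Argon2id now that the clear-text password is
                        // known; the salt column is cleared because password_hash()
                        // embeds its own salt.
                        $newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);
                        $updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
                        $updateHash->execute([$newHash, '', $rowUser['PrincipalID']]);

                        // Keep the fetched row in step with the database so the
                        // session values set below do not carry the retired md5 hash.
                        $rowAuth['passwordHash'] = $newHash;
                        $rowAuth['passwordSalt'] = '';
                    }
                } else {
                    $passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);
                }

                if ($passwordCorrect) {
                    session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
                    // Issue a fresh session id on the privilege change so a session
                    // id obtained before login is not valid afterwards.
                    session_regenerate_id(true);

                    $_SESSION['USERNAME'] = trim($_POST['username']);
                    $_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
                    $_SESSION['LASTNAME'] = trim($rowUser['LastName']);
                    $_SESSION['EMAIL'] = trim($rowUser['Email']);
                    // NOTE(review): the password hash and salt are kept in the
                    // session; presumably another page compares them against the
                    // database — verify that before removing them.
                    $_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
                    $_SESSION['SALT'] = $rowAuth['passwordSalt'];
                    $_SESSION['UUID'] = $rowUser['PrincipalID'];
                    $_SESSION['LEVEL'] = $rowUser['UserLevel'];
                    $_SESSION['DISPLAYNAME'] = strtoupper(trim($_POST['username']));
                    $_SESSION['LOGIN'] = 'true';

                    // urlencode() keeps the value to a single header line.
                    header("Location: index.php?page=" . urlencode($page));
                    die();
                }
            }
            $RUNTIME['MESSAGE']['LOGINERROR'] = "Passwort falsch!";
        }

        $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);
        $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    }
}

// Echo the page name back only when it is a plain alphanumeric token that
// names an existing file under ./pages/. The pattern is anchored so that
// path separators or ".." can never be part of an accepted value. (The
// earlier quantifier "{1-100}" was not valid PCRE and was matched literally,
// so this branch could never be taken.)
if ($page !== '' && preg_match('/^[0-9a-zA-Z]{1,100}$/', $page) && file_exists("./pages/" . $page . ".php")) {
    $HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($page));
}

// Fallbacks for placeholders that were not filled above (a placeholder that
// has already been replaced is no longer present, so these are no-ops then).
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard");
$HTML->build();
echo $HTML->ausgabe();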