feat: reset_password

web/app/controllers/forgot_pw.php

@@ -1,59 +1,115 @@
 <?php
-	requirePHPLib('form');
+requirePHPLib('form');
-	
+
-	$forgot_form = new UOJBs4Form('forgot');
+use Gregwar\Captcha\PhraseBuilder;
-	$forgot_form->addInput('username', 'text', '用户名', '',
+
-		function($username, &$vdata) {
+$forgot_form = new UOJBs4Form('forgot');
-			if (!validateUsername($username)) {
+$forgot_form->addInput(
-				return '用户名不合法';
+	'username',
-			}
+	'text',
-			$vdata['user'] = UOJUser::query($username);
+	'用户名',
-			if (!$vdata['user']) {
+	'',
-				return '该用户不存在';
+	function ($username, &$vdata) {
-			}
+		if (!validateUsername($username)) {
-			return '';
+			return '用户名不合法';
-		},
+		}
-		null
+		$vdata['user'] = UOJUser::query($username);
-	);
+		if (!$vdata['user']) {
-	$forgot_form->handle = function(&$vdata) {
+			return '该用户不存在';
-		$user = $vdata['user'];
+		}
-		$password = $user["password"];
+		return '';
-		
+	},
-		$oj_name = UOJConfig::$data['profile']['oj-name'];
+	null
-		$oj_name_short = UOJConfig::$data['profile']['oj-name-short'];
+);
-		$sufs = base64url_encode($user['username'] . "." . md5($user['username'] . "+" . $password));
+$forgot_form->appendHTML(<<<EOD
-		$url = HTML::url("/reset-password", array('params' => array('p' => $sufs)));
+<div id="div-captcha" class="form-group">
-		$html = <<<EOD
+	<label for="input-captcha" class="col-sm-2 control-label">验证码</label>
+	<div class="col-sm-3" style="max-width: 60%">
+		<input type="text" class="form-control" id="input-captcha" name="captcha" placeholder="请输入验证码" maxlength="20" style="display: inline-block; width: 12em;" />
+		<div style="display: inline-block; margin-left: 8px; position: relative; top: -2px; cursor: pointer;">
+			<img id="captcha" src="" />
+		</div>
+		<span class="help-block" id="help-captcha" style="display: block"></span>
+	</div>
+</div>
+EOD);
+$forgot_form->handle = function (&$vdata) {
+	$user = $vdata['user'];
+	$password = $user["password"];
+
+	if (!isset($_SESSION['phrase']) || !PhraseBuilder::comparePhrases($_SESSION['phrase'], $_POST['captcha'])) {
+		becomeMsgPage('验证码错误！');
+	}
+
+	if (!$user['email']) {
+		becomeMsgPage('用户未填写邮件地址，请联系管理员重置！');
+	}
+
+	$oj_name = UOJConfig::$data['profile']['oj-name'];
+	$oj_name_short = UOJConfig::$data['profile']['oj-name-short'];
+	$check_code = md5($user['username'] . "+" . $password . '+' . UOJTime::$time_now_str);
+	$sufs = base64url_encode($user['username'] . "." . $check_code);
+	$url = HTML::url("/reset-password", ['params' => ['p' => $sufs]]);
+	$oj_url = HTML::url('/');
+	$name = $user['username'];
+
+	if ($user['realname']) {
+		$name .= ' (' . $user['realname'] . ')';
+	}
+
+	$html = <<<EOD
 <base target="_blank" />
 
-<p>{$user['username']}您好，</p>
+<p>{$name} 您好，</p>
-<p>您刚刚启用了{$oj_name_short}密码找回功能，请进入下面的链接重设您的密码：</p>
-<p><a href="$url">$url</a></p>
-<p>{$oj_name}</p>
 
-<style type="text/css">
+<p>您最近告知我们需要重置您在 {$oj_name_short} 上账号的密码。请访问以下链接：<a href="{$url}">{$url}</a> (如果无法点击链接，请试着复制链接并粘贴至浏览器中打开。)</p>
-body{font-size:14px;font-family:arial,verdana,sans-serif;line-height:1.666;padding:0;margin:0;overflow:auto;white-space:normal;word-wrap:break-word;min-height:100px}
+<p>如果您没有请求重置密码，则忽略此信息。该链接将在 72 小时后自动过期失效。</p>
-pre {white-space:pre-wrap;white-space:-moz-pre-wrap;white-space:-pre-wrap;white-space:-o-pre-wrap;word-wrap:break-word}
+
-</style>
+<p>{$oj_name}</p>
+<p><a href="{$oj_url}">{$oj_url}</a></p>
 EOD;
-		
+
-		$mailer = UOJMail::noreply();
+	$mailer = UOJMail::noreply();
-		$mailer->addAddress($user['email'], $user['username']);
+	$mailer->addAddress($user['email'], $user['username']);
-		$mailer->Subject = $oj_name_short."密码找回";
+	$mailer->Subject = $oj_name_short . " 密码找回";
-		$mailer->msgHTML($html);
+	$mailer->msgHTML($html);
-		if (!$mailer->send()) {
+	if (!$mailer->send()) {
-			error_log($mailer->ErrorInfo);
+		error_log($mailer->ErrorInfo);
-			becomeMsgPage('<div class="text-center"><h2>邮件发送失败，请重试 <span class="glyphicon glyphicon-remove"></span></h2></div>');
+		becomeMsgPage('<div class="text-center"><h2>邮件发送失败，请重试！</h2></div>');
-		} else {
+	} else {
-			becomeMsgPage('<div class="text-center"><h2>邮件发送成功 <span class="glyphicon glyphicon-ok"></span></h2></div>');
+		DB::update([
-		}
+			"update user_info",
-	};
+			"set", [
-	$forgot_form->submit_button_config['align'] = 'offset';
+				'extra' => DB::json_set('extra', '$.reset_password_check_code', $check_code, '$.reset_password_time', UOJTime::$time_now_str),
-	
+			],
-	$forgot_form->runAtServer();
+			"where", [
-	?>
+				"username" => $user['username'],
+			],
+		]);
+
+		becomeMsgPage('<div class="text-center"><h2>邮件发送成功，请检查收件箱！</h2><span>如果邮件未出现在收件箱中，请检查垃圾箱。</span></div>');
+	}
+};
+$forgot_form->submit_button_config['align'] = 'offset';
+
+$forgot_form->runAtServer();
+?>
 <?php echoUOJPageHeader('找回密码') ?>
 <h2 class="page-header">找回密码</h2>
 <h4>请输入需要找回密码的用户名：</h4>
 <?php $forgot_form->printHTML(); ?>
+<script>
+	function refreshCaptcha() {
+		var timestamp = new Date().getTime();
+		$("#captcha").attr("src", "/captcha" + '?' + timestamp);
+	}
+
+	$(document).ready(function() {
+		refreshCaptcha();
+
+		$("#captcha").click(function(e) {
+			refreshCaptcha();
+		});
+	});
+</script>
 <?php echoUOJPageFooter() ?>

web/app/controllers/reset_pw.php

@@ -1,39 +1,55 @@
 <?php
-	if (!isset($_GET['p'])) {
+if (!isset($_GET['p'])) {
-		become404Page();
+	become404Page();
+}
+
+list($username, $check_code) = explode('.', base64url_decode($_GET['p']));
+$user = UOJUser::query($username);
+
+if (!$user) become404Page();
+if (!isset($check_code) || strlen($check_code) != 32) become404Page();
+
+$extra = UOJUser::getExtra($user);
+
+if ($check_code !== $extra['reset_password_check_code']) {
+	become404Page();
+}
+
+if (UOJTime::str2time($extra['reset_password_time'])->add(new DateInterval('P3D')) < UOJTime::$time_now) {
+	becomeMsgPage('链接已过期');
+}
+
+function resetPassword() {
+	global $user;
+
+	if (!isset($_POST['newPW']) || !validatePassword($_POST['newPW'])) {
+		return '操作失败，无效密码';
 	}
-	function resetPassword() {
+
-		list($username, $check_code) = explode('.', base64url_decode($_GET['p']));
+	$newPW = $_POST['newPW'];
-		if (!isset($_POST['newPW']) || !validatePassword($_POST['newPW'])) {
+	$newPW = getPasswordToStore($newPW, $user['username']);
-			return '操作失败，无效密码';
+
-		}
+	DB::update([
-		if (!isset($username) || !validateUsername($username)) {
+		"update user_info",
-			return '不明错误';
+		"set", [
-		}
+			"password" => $newPW,
-		if (!isset($check_code)) {
+			"extra" => DB::json_remove('extra', '$.reset_password_check_code', '$.reset_password_time'),
-			return '不明错误';
+		],
-		}
+		"where", [
-		
+			"username" => $user['username'],
-		$newPW = $_POST['newPW'];
+		],
-		$user = UOJUser::query($username);
+	]);
-		if ($user == null) {
+
-			return '不明错误';
+	return 'ok';
-		}
+}
-		if ($check_code !== md5($user['username'] . '+' . $user['password'])) {
+if (isset($_POST['reset'])) {
-			return '不明错误';
+	die(resetPassword());
-		}
+}
-		$newPW = getPasswordToStore($newPW, $user['username']);
+?>
-		DB::update("update user_info set password = '$newPW' where username = '{$user['username']}'");
-		return 'ok';
-	}
-	if (isset($_POST['reset'])) {
-		die(resetPassword());
-	}
-	?>
 <?php
-	$REQUIRE_LIB['dialog'] = '';
+$REQUIRE_LIB['dialog'] = '';
-	$REQUIRE_LIB['md5'] = '';
+$REQUIRE_LIB['md5'] = '';
-	?>
+?>
 <?php echoUOJPageHeader('更改密码') ?>
 <h2 class="page-header">更改密码</h2>
 <form id="form-reset" class="form-horizontal">
@@ -44,60 +60,60 @@
 			<input type="password" class="form-control top-buffer-sm" id="input-confirm_password" placeholder="再次输入新密码" maxlength="20" />
 			<span class="help-block" id="help-password"></span>
 		</div>
-  </div>
-  <div class="form-group">
-	<div class="col-sm-offset-2 col-sm-3">
-	  <button type="submit" id="button-submit" class="btn btn-secondary">提交</button>
 	</div>
-  </div>
+	<div class="form-group">
+		<div class="col-sm-offset-2 col-sm-3">
+			<button type="submit" id="button-submit" class="btn btn-secondary">提交</button>
+		</div>
+	</div>
 </form>
 
 <script type="text/javascript">
-function validateResetPwPost() {
+	function validateResetPwPost() {
-	var ok = true;
+		var ok = true;
-	ok &= getFormErrorAndShowHelp('password', validateSettingPassword);
+		ok &= getFormErrorAndShowHelp('password', validateSettingPassword);
-	return ok;
+		return ok;
-}
+	}
-$(document).ready(function() {
+	$(document).ready(function() {
-	$('#form-reset').submit(function(e) {
+		$('#form-reset').submit(function(e) {
-		if (!validateResetPwPost()) {
+			if (!validateResetPwPost()) {
-			return false;
+				return false;
-		}
+			}
-		$.post(<?= json_encode($_SERVER['REQUEST_URI']) ?>, {
+			$.post(<?= json_encode($_SERVER['REQUEST_URI']) ?>, {
-			reset : '',
+				reset: '',
-			newPW : md5($('#input-password').val(), "<?= getPasswordClientSalt() ?>")
+				newPW: md5($('#input-password').val(), "<?= getPasswordClientSalt() ?>")
-		}, function(res) {
+			}, function(res) {
-			if (res == 'ok') {
+				if (res == 'ok') {
-				BootstrapDialog.show({
+					BootstrapDialog.show({
-					title   : '提示',
+						title: '提示',
-					message : '密码更改成功',
+						message: '密码更改成功',
-					type    : BootstrapDialog.TYPE_SUCCESS,
+						type: BootstrapDialog.TYPE_SUCCESS,
-					buttons: [{
+						buttons: [{
-						label: '好的',
-						action: function(dialog) {
-							dialog.close();
-						}
-					}],
-					onhidden : function(dialog) {
-						window.location.href = '/login';
-					}
-				});
-			} else {
-				BootstrapDialog.show({
-					title   : '提示',
-					message : res,
-					type	: BootstrapDialog.TYPE_DANGER,
-					buttons: [{
 							label: '好的',
 							action: function(dialog) {
 								dialog.close();
 							}
-					}]
+						}],
-				});
+						onhidden: function(dialog) {
-			}
+							window.location.href = '/login';
+						}
+					});
+				} else {
+					BootstrapDialog.show({
+						title: '提示',
+						message: res,
+						type: BootstrapDialog.TYPE_DANGER,
+						buttons: [{
+							label: '好的',
+							action: function(dialog) {
+								dialog.close();
+							}
+						}]
+					});
+				}
+			});
+			return false;
 		});
-		return false;
 	});
-});
 </script>
 <?php echoUOJPageFooter() ?>