path: root/web/html/passreset.php
Age | Commit message | Author | Files | Lines
2020-02-02 | Add support for backup email addresses | Lukas Fleischer | 1 | -3/+3
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02 | Add option to send reset key for a given user name | Lukas Fleischer | 1 | -13/+12
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27 | Call check_sid() from a central location | Lukas Fleischer | 1 | -3/+0
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-24 | Use bcrypt to hash passwords | Lukas Fleischer | 1 | -4/+1
Replace the default hash function used for storing passwords by password_hash() which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in. Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting.
Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 | Port notification routines to Python | Lukas Fleischer | 1 | -8/+1
Use a Python script for sending notification emails. The notification action and additional parameters are passed via command line arguments. For comment and package request notifications, the text is passed via stdin.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-05-22 | Include user name in password reset emails | Lukas Fleischer | 1 | -4/+6
Fixes FS#44320.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-05-21 | Fix email body of password reset emails | Lukas Fleischer | 1 | -1/+1
When the password reset function was factored out in 5d31bb2 (Move reset key submission to a separate function, 2013-03-19), a semicolon was accidentally replaced by a concatenation operator. As a result of this, all password reset emails sent since mid-2013 only contained a password reset link without any description. Fix this by terminating the assignment with a semicolon again.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-02-04 | Rename the AUR software to aurweb | Lukas Fleischer | 1 | -1/+1
Rename the project to help differentiate between the software providing access to the Arch User Repository and the collection of source packages itself.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-11-21 | Check password length on the password reset form | Lukas Fleischer | 1 | -0/+4
We already check for a minimum password length on the account edit page. Add the same check to the password reset form (which is also used to set an initial password).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-05 | Do not return "None" in user functions | Lukas Fleischer | 1 | -1/+1
Return null instead of the string "None" in username_from_id(), uid_from_email() and uid_from_username().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-22 | Be friendly to newly registered users | Lukas Fleischer | 1 | -1/+2
Use "Welcome to the Arch User Repository" instead of "AUR Password Reset" as subject for the initial password reset email.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-02-10 | passreset.php: Make error messages translatable | Lukas Fleischer | 1 | -2/+2
This fixes a regression introduced in commit 48b7407 (passreset.php: Refactor HTML, 2014-01-08).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-11 | passreset.php: Error out if e-mail is empty | Lukas Fleischer | 1 | -7/+12
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-11 | passreset.php: Refactor HTML | Lukas Fleischer | 1 | -13/+12
* Use the "errorlist" class for errors.
* Refactor some code.
* Properly display error messages when requesting a key.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-03-19 | Move reset key submission to a separate function | Lukas Fleischer | 1 | -17/+5
This allows for reusing reset key submission for other things, such as sending an initial password reset code during account registration.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22 | Use HTTPS links everywhere for Arch sites | Dan McGee | 1 | -1/+1
The main site, wiki, and BBS are using HTTPS exclusively, so link directly to the correct protocol rather than forcing a redirect.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11 | Remove character limit on password length | canyonknight | 1 | -2/+2
As all new passwords are hashed and therefore stored in the database at the same length, this limitation is no longer needed.
Fixes FS#31855
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24 | Use echo shortcut syntax | Lukas Fleischer | 1 | -9/+9
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to reduce noise in templates. Note that as of PHP 5.4.0, "<?=" is always available and no longer requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15 | Use virtual path feature for links | Lukas Fleischer | 1 | -3/+3
Use virtual paths in links (e.g. link to "/packages/" instead of "/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06 | passreset.php: Pull out DB code | canyonknight | 1 | -22/+3
* Move DB code in passreset.php to new functions in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06 | passreset.php: Overhaul to match archweb | canyonknight | 1 | -45/+42
* Switch to CSS used by archweb
* General fixups in XHTML
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06 | Remove all traces of "pgboxtitle" | Lukas Fleischer | 1 | -3/+1
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-03-08 | Always set the "To:" header when sending mail | Lukas Fleischer | 1 | -2/+2
Use "undisclosed-recipients: ;" when sending mass notifications (such as comment notifications and the like). Addresses FS#28229.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02 | Add a new AUR_LOCATION setting | Dan McGee | 1 | -1/+1
This should be set to something like 'http://localhost' for development or 'https://aur.archlinux.org' in production. It ensures all links in the site stay in the development site and there is no sudden jump from development to production environments.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24 | Wrap mysql_real_escape_string() in a function | Lukas Fleischer | 1 | -2/+2
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20 | Use "%s" instead of "%h" in format strings | Lukas Fleischer | 1 | -1/+1
Use the standard string type specifier instead of "%h" in format strings. Both specifiers are treated equally in __() so we shouldn't break anything here. This also allows us to replace the hacky substitution algorithm in __() by vsprintf().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22 | rename *.inc files to *.inc.php and adjust imports and references | elij | 1 | -1/+1
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27 | SQL: treat all UID/ID values as numbers, not strings | Dan McGee | 1 | -2/+2
Ensure we are not quoting these values in any of our SQL queries.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-19 | Use HTTPs for links in password reset confirmation mails. | Lukas Fleischer | 1 | -1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2010-10-08 | Modify some strings for translation. | Loui Chang | 1 | -4/+3
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2010-04-17 | Support for storing salted passwords | Denis | 1 | -1/+4
To upgrade existing databases:
    ALTER TABLE Users ADD Salt CHAR(32) NOT NULL DEFAULT '';
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-11-13 | Implement 'Password Reset' facility (FS#3061) | Evangelos Foutras | 1 | -0/+137
This works by adding a new field to the 'Users' table called 'ResetKey', which is a 32 characters long, random string. When the user requests a password reset, a new 'reset key' is generated and sent to the user's e-mail address in the form of a link in the following format:
    http://aur.archlinux.org/passreset.php?resetkey=<reset key>
When the above link is followed, the user is presented with a form to verify his/her e-mail address and specify the new desired password. If the e-mail address matches the reset key in the database, the new password is assigned to the account. If there is an error, a relevant message is displayed and the user is prompted to re-enter the required information.
Upon successful completion of this procedure, the ResetKey field in the database is blanked and the specific key cannot be reused.
One SQL query is needed to add the ResetKey field to the 'Users' table:
    ALTER TABLE `Users` ADD `ResetKey` CHAR(32) NOT NULL DEFAULT '';
Signed-off-by: Loui Chang <louipc.ist@gmail.com>