From da57beb574fb9f756a7de036e8003f75ec47432c Mon Sep 17 00:00:00 2001 From: arf20 Date: Sat, 16 Mar 2024 02:51:06 +0100 Subject: Email verification --- README.md | 13 +++++-- config.php.example | 18 +++++++++ dbinit.sql | 1 + login.php | 84 +++++++++++++++++++++--------------------- register.php | 21 ++++++++++- verify.php | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 193 insertions(+), 49 deletions(-) create mode 100644 verify.php diff --git a/README.md b/README.md index b7441af..556781f 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ -# arfnet2-csti -ARFNET2 Client, Service, Ticket and Invoice management system +# arfnet2-cstims +ARFNET2 Client, Service, Ticket and Invoice Management System + +Depends on PHPMailer ``` User types: @@ -23,11 +25,14 @@ FILES: logout.php -> login.php stops session + verify.php -> login.php + from a link, has the base64 code generated at registration sent to email for verification + client.php -> { order.php, openticket.php } shows ordered services and opened tickets helpdesk.php view, self-assign and close tickets - accounting.php + accountant.php view invoices and change status admin.php -> { manageusers.php, manageservices.php, managetickets.php } shows users, services, tickets and invoices @@ -58,7 +63,7 @@ FILES: SQL: Tables: users User logins - id autoincrement, username, password (hash), email, email verification code, user type { client, helpdesk, accountant, admin }, register date + id autoincrement, username, password (hash), email, email verification code, status { verified, unverified }, type { client, helpdesk, accountant, admin }, register date services Available services and management notes etc id autoincrement, name, type, billing, description orders diff --git a/config.php.example b/config.php.example index 5057641..6520aaa 100644 --- a/config.php.example +++ b/config.php.example 
@@ -6,6 +6,12 @@ define('DB_SERVER', 'hostname'); define('DB_USERNAME', 'username'); define('DB_PASSWORD', 'password'); define('DB_NAME', 'dbname'); + +define('MAIL_SERVER', 'mail.example.com'); +define('MAIL_PORT', 587); +define('MAIL_USER', 'user'); +define('MAIL_PASSWORD', 'password'); +define('MAIL_FROM', 'system@example.com'); /* Attempt to connect to MySQL database */ $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME); @@ -14,4 +20,16 @@ $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME); if($link === false){ die("ERROR: Could not connect. " . mysqli_connect_error()); } + +$mailer = new PHPMailer(); +$mailer->isSMTP(); +$mailer->SMTPDebug = SMTP::DEBUG_SERVER; +$mailer->Host = MAIL_SERVER; +$mailer->Port = MAIL_PORT; +$mailer->SMTPAuth = true; +$mailer->Username = MAIL_USER; +$mailer->Password = MAIL_PASSWORD; +$mailer->setFrom(MAIL_FROM); +$mailer->isHTML(false); + ?> diff --git a/dbinit.sql b/dbinit.sql index 95cdf2f..5a989ab 100644 --- a/dbinit.sql +++ b/dbinit.sql @@ -6,6 +6,7 @@ CREATE TABLE `arfnet2`.`users` ( `password` VARCHAR(255) NOT NULL , `email` VARCHAR(127) NOT NULL , `verifycode` VARCHAR(31) NOT NULL , + `status` ENUM('verified','unverified') NOT NULL DEFAULT 'unverified' , `type` ENUM('client','helpdesk','accountant','admin') NOT NULL , `regdate` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP , PRIMARY KEY (`id`) diff --git a/login.php b/login.php index 214eb2e..c7c4115 100755 --- a/login.php +++ b/login.php @@ -3,8 +3,8 @@ session_start(); // Check if the user is already logged in, if yes then redirect him to welcome page -if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){ - header("location: welcome.php"); +if (isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true) { + header("location: /".$_SESSION["type"].".php"); exit; } 
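Review bot: `$mailer->SMTPDebug = SMTP::DEBUG_SERVER;` in the new mailer setup makes PHPMailer print the whole SMTP conversation (connection, AUTH exchange, recipients) into whatever HTTP response triggers a send, and this config is included by register.php, which sends from the registration request; a shipped example should default to `$mailer->SMTPDebug = SMTP::DEBUG_OFF;` and switch to DEBUG_SERVER only while diagnosing delivery. That debug output would also be emitted before the `header("location: login.php")` that register.php issues after sending, so the redirect would fail with "headers already sent". The object is constructed as `new PHPMailer()` without the exceptions flag, so failures are only visible through `ErrorInfo`; `new PHPMailer(true)` would let callers catch `PHPMailer\PHPMailer\Exception` instead. No `use PHPMailer\PHPMailer\PHPMailer;`/`SMTP` import or autoloader require is visible in this hunk — presumably it sits above line 6, but worth confirming now that the README declares the dependency.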
@@ -18,35 +18,29 @@ $username_err = $password_err = ""; // Processing form data when form is submitted if($_SERVER["REQUEST_METHOD"] == "POST"){ // Validate username - if(empty(trim($_POST["username"]))){ - $username_err = "Please enter username."; - } else{ - if (preg_match("[a-zA-Z0-9_]+", $_POST["username"]) == 1) { - $username_err = "Invalid username."; - } - else { - $username = trim($_POST["username"]); - } - } + if (empty($_POST["username"])) + $username_err = "Enter a username."; + else if (preg_match("/[a-zA-Z0-9_]+/", $_POST["username"]) != 1) + $username_err = "Invalid username."; + else + $username = $_POST["username"]; - // Validated password - if(empty(trim($_POST["password"]))){ - $password_err = "Please enter your password."; - } else{ - if (preg_match("[a-zA-Z0-9_]+", $_POST["password"]) == 1) { - $username_err = "Invalid password."; - } - else { - $password = trim($_POST["password"]); - } - } + // Validate password + if (empty($_POST["password"])) + $password_err = "Enter a password."; + else if (strlen($_POST["password"]) < 8) + $password_err = "Password must have at least 8 characters."; + else if (preg_match("/[a-zA-Z0-9!@^*$%&)(=+çñÇ][}{\-.,_:;]+/", $_POST["password"]) != false) + $password_err = "Password must be in the format [a-zA-Z0-9!@^*$%&)(=+çñÇ][}{-.,_:;]."; + else + $password = $_POST["password"]; // Validate credentials - if(empty($username_err) && empty($password_err)){ + if (empty($username_err) && empty($password_err)) { // Prepare a select statement - $sql = "SELECT id, username, password FROM users WHERE username = ?"; + $sql = "SELECT id, username, password, status, type FROM users WHERE username = ?"; - if($stmt = mysqli_prepare($link, $sql)){ + if ($stmt = mysqli_prepare($link, $sql)) { // Bind variables to the prepared statement as parameters mysqli_stmt_bind_param($stmt, "s", $param_username); 
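Review bot: The rewritten validation rejects valid credentials: the username test `preg_match("/[a-zA-Z0-9_]+/", ...)` is unanchored, so it only requires one permitted character somewhere in the string, and the password test has its sense inverted — `preg_match(...) != false` is true exactly when the pattern matches, so any password containing, for example, a letter followed by `.` or `_` is refused with the "must be in the format" error (the intended character class is also split in two by the unescaped `]` after `Ç`). A login form should not enforce a composition or length rule at all; the only check that matters is `password_verify` against the stored hash, and applying a new rule here locks out accounts created before it existed. I would reduce the password branch to `if (empty($_POST["password"])) $password_err = "Enter a password."; else $password = $_POST["password"];` and anchor the username pattern as `'/^[a-zA-Z0-9_]+$/'`. The enclosing POST-handling block starts before and continues past this hunk.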
@@ -54,29 +48,33 @@ if($_SERVER["REQUEST_METHOD"] == "POST"){ $param_username = $username; // Attempt to execute the prepared statement - if(mysqli_stmt_execute($stmt)){ + if (mysqli_stmt_execute($stmt)){ // Store result mysqli_stmt_store_result($stmt); // Check if username exists, if yes then verify password - if(mysqli_stmt_num_rows($stmt) == 1){ + if (mysqli_stmt_num_rows($stmt) == 1) { // Bind result variables - mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password); - if(mysqli_stmt_fetch($stmt)){ - if(password_verify($password, $hashed_password)){ - // Password is correct, so start a new session - session_start(); - - // Store data in session variables - $_SESSION["loggedin"] = true; - $_SESSION["id"] = $id; - $_SESSION["username"] = $username; + mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $status, $type); + if (mysqli_stmt_fetch($stmt)){ + if (password_verify($password, $hashed_password)) { + // Password is correct, check verification + if ($status == "verified") { + session_start(); - // Redirect user to welcome page - header("location: welcome.php"); - } else{ - // Display an error message if password is not valid - $password_err = "The password you entered was not valid."; + // Store data in session variables + $_SESSION["loggedin"] = true; + $_SESSION["id"] = $id; + $_SESSION["username"] = $username; + $_SESSION["type"] = $type; + + // Redirect user to appropiate page + header("location: /".$type.".php"); + } else { + $username_err = "Unverified account, check your email."; + } + } else { + $password_err = "Incorrect password."; } } } else{ diff --git a/register.php b/register.php index 37565c5..3ef957a 100755 --- a/register.php +++ b/register.php 
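Review bot: The `session_start();` kept inside the `$status == "verified"` branch is redundant (the session is already started at the top of the file, as the first hunk's context shows) and, more importantly, the login path never rotates the session id, so an id established before authentication remains valid afterwards; replace that line with `session_regenerate_id(true);` ahead of the `$_SESSION[...]` assignments. `header("location: /".$type.".php");` is still not followed by `exit;`, so the rest of the page renders after the redirect header, as it did before the change. `$status == "verified"` should use `===`; the column is an ENUM and the fetched value is always a string. The surrounding prepared-statement block starts and ends outside this hunk.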
@@ -1,13 +1,28 @@ addAddress($rcpt); + $mailer->Subject = 'ARFNET Email Verification'; + $mailer->Body = "Welcome to ARFNET\n\nUse the following link to verify your email address\n\n" + ."https://".DOMAIN."/verify.php?code=".$code + ."\n\n--\nARFNET Client, Service, Ticket and Invoice Management System\nhttps://arf20.com"; + if (!$mailer->send()) { + echo 'Mailer Error [ask arf20]: ' . $mailer->ErrorInfo; + } +} + // Include config file require_once "config.php"; // Define variables and initialize with empty values $username = $password = $confirm_password = $email = ""; $username_err = $password_err = $confirm_password_err = $email_err = ""; +$verification_mail_sent = false; // Processing form data when form is submitted -if ($_SERVER["REQUEST_METHOD"] == "POST"){ +if ($_SERVER["REQUEST_METHOD"] == "POST") { // Validate username if (empty($_POST["username"])) $username_err = "Enter a username."; @@ -84,7 +99,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST"){ // Attempt to execute the prepared statement if (mysqli_stmt_execute($stmt)) { // Send verification email - + send_verification_email($email, $param_verifycode); + $verification_mail_sent = true; // Redirect to login page header("location: login.php"); } else { @@ -142,6 +158,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST"){
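Review bot: In send_verification_email the code is concatenated into the link as `."https://".DOMAIN."/verify.php?code=".$code` without URL encoding; the README describes the code as base64, whose `+`, `/` and `=` characters are not query-safe (`+` in particular decodes to a space), so such codes would fail to verify — write `."https://".DOMAIN."/verify.php?code=".rawurlencode($code)`. The failure branch `echo 'Mailer Error [ask arf20]: ' . $mailer->ErrorInfo;` both discloses SMTP diagnostics to the registrant and emits output before the `header("location: login.php")` that follows the call in the second hunk, so that redirect then fails; prefer `error_log($mailer->ErrorInfo);` plus a generic message, and have the function return the result of `$mailer->send()` so that `$verification_mail_sent` reflects it instead of being set to `true` unconditionally. The opening lines of send_verification_email, including its signature and the `global $mailer` it presumably relies on, are not legible in this rendering, and `DOMAIN` is not defined by this commit's config.php.example hunk — confirm it is defined in config.php.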

Login.

+ diff --git a/verify.php b/verify.php new file mode 100644 index 0000000..5382f4f --- /dev/null +++ b/verify.php @@ -0,0 +1,105 @@ + + + + + + + CSTIMS Login + + + +
+ ARFNET +
+
+
+
+

CSTIMS Verification

+ +
+
+ + -- cgit v1.2.3
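Review bot: The new page's title text reads `CSTIMS Login` while its visible heading says `CSTIMS Verification`, which looks like a copy-over from login.php; the title should say `CSTIMS Verification` as well. The PHP part of verify.php (how the `code` query parameter is looked up and the `status` column updated) is not legible in this rendering of the diff, so it could not be reviewed here; it is worth confirming that the lookup uses a prepared statement as login.php does and that a code is not accepted again once the row is already `verified`.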