										 |  |  | <?php | 
					
						
							|  |  |  | require_once __DIR__ . "/required.php"; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | require_once __DIR__ . "/lib/login.php"; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  | // If we're logged in, we don't need to be here.
 | 
					
						
							|  |  |  | if ($_SESSION['loggedin'] && !is_empty($_SESSION['password'])) { | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |     header('Location: home.php'); | 
					
						
							| 
									
										
										
										
											2017-05-26 00:04:30 -06:00
										 |  |  |     die(); | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  | // This branch will likely run if the user signed in from a different app.
 | 
					
						
							|  |  |  | } else if ($_SESSION['loggedin'] && is_empty($_SESSION['password'])) { | 
					
						
							|  |  |  |     $alert = lang("sign in again", false); | 
					
						
							|  |  |  |     $alerttype = "info"; | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  | /* Authenticate user */ | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  | $username_ok = false; | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  | $multiauth = false; | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  | $change_password = false; | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  | if ($VARS['progress'] == "1") { | 
					
						
							| 
									
										
										
										
											2017-06-16 18:40:12 -06:00
										 |  |  |     engageRateLimit(); | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |     if (!RECAPTCHA_ENABLED || (RECAPTCHA_ENABLED && verifyReCaptcha($VARS['g-recaptcha-response']))) { | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |         $autherror = ""; | 
					
						
							|  |  |  |         if (user_exists($VARS['username'])) { | 
					
						
							| 
									
										
										
										
											2017-05-07 13:02:18 -06:00
										 |  |  |             $status = get_account_status($VARS['username'], $error); | 
					
						
							|  |  |  |             switch ($status) { | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                 case "LOCKED_OR_DISABLED": | 
					
						
							|  |  |  |                     $alert = lang("account locked", false); | 
					
						
							|  |  |  |                     break; | 
					
						
							|  |  |  |                 case "TERMINATED": | 
					
						
							|  |  |  |                     $alert = lang("account terminated", false); | 
					
						
							|  |  |  |                     break; | 
					
						
							|  |  |  |                 case "CHANGE_PASSWORD": | 
					
						
							|  |  |  |                     $alert = lang("password expired", false); | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                     $alerttype = "info"; | 
					
						
							|  |  |  |                     $_SESSION['username'] = strtolower($VARS['username']); | 
					
						
							|  |  |  |                     $change_password = true; | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |                     break; | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                 case "NORMAL": | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                     $username_ok = true; | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                     break; | 
					
						
							|  |  |  |                 case "ALERT_ON_ACCESS": | 
					
						
							| 
									
										
										
										
											2017-06-21 21:01:02 -06:00
										 |  |  |                     $mail_resp = sendLoginAlertEmail($VARS['username']); | 
					
						
							|  |  |  |                     if (DEBUG) { | 
					
						
							|  |  |  |                         var_dump($mail_resp); | 
					
						
							|  |  |  |                     } | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                     $username_ok = true; | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                     break; | 
					
						
							| 
									
										
										
										
											2017-05-07 13:02:18 -06:00
										 |  |  |                 default: | 
					
						
							|  |  |  |                     if (!is_empty($error)) { | 
					
						
							|  |  |  |                         $alert = $error; | 
					
						
							|  |  |  |                         break; | 
					
						
							|  |  |  |                     } | 
					
						
							|  |  |  |                     $alert = lang("login error", false); | 
					
						
							|  |  |  |                     break; | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |             if ($username_ok) { | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |                 if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) { | 
					
						
							|  |  |  |                     $_SESSION['passok'] = true; // stop logins using only username and authcode
 | 
					
						
							|  |  |  |                     if (userHasTOTP($VARS['username'])) { | 
					
						
							|  |  |  |                         $multiauth = true; | 
					
						
							| 
									
										
										
										
											2017-05-26 00:04:30 -06:00
										 |  |  |                         $_SESSION['password'] = $VARS['password']; | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |                     } else { | 
					
						
							|  |  |  |                         doLoginUser($VARS['username'], $VARS['password']); | 
					
						
							|  |  |  |                         insertAuthLog(1, $_SESSION['uid']); | 
					
						
							|  |  |  |                         header('Location: home.php'); | 
					
						
							|  |  |  |                         die("Logged in, go to home.php"); | 
					
						
							|  |  |  |                     } | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                 } else { | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |                     if (!is_empty($autherror)) { | 
					
						
							|  |  |  |                         $alert = $autherror; | 
					
						
							|  |  |  |                         insertAuthLog(2, null, "Username: " . $VARS['username']); | 
					
						
							|  |  |  |                     } else { | 
					
						
							|  |  |  |                         $alert = lang("login incorrect", false); | 
					
						
							|  |  |  |                         insertAuthLog(2, null, "Username: " . $VARS['username']); | 
					
						
							|  |  |  |                     } | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                 } | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |         } else { // User does not exist anywhere
 | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |             $alert = lang("login incorrect", false); | 
					
						
							| 
									
										
										
										
											2017-05-02 19:19:27 -06:00
										 |  |  |             insertAuthLog(2, null, "Username: " . $VARS['username']); | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |         } | 
					
						
							|  |  |  |     } else { | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |         $alert = lang("captcha error", false); | 
					
						
							| 
									
										
										
										
											2017-05-02 19:19:27 -06:00
										 |  |  |         insertAuthLog(8, null, "Username: " . $VARS['username']); | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |     } | 
					
						
							|  |  |  | } else if ($VARS['progress'] == "2") { | 
					
						
							| 
									
										
										
										
											2017-06-16 18:40:12 -06:00
										 |  |  |     engageRateLimit(); | 
					
						
							| 
									
										
										
										
											2017-05-02 19:19:27 -06:00
										 |  |  |     if ($_SESSION['passok'] !== true) { | 
					
						
							|  |  |  |         // stop logins using only username and authcode
 | 
					
						
							|  |  |  |         sendError("Password integrity check failed!"); | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |     if (verifyTOTP($VARS['username'], $VARS['authcode'])) { | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |         doLoginUser($VARS['username'], $VARS['password']); | 
					
						
							|  |  |  |         insertAuthLog(1, $_SESSION['uid']); | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |         header('Location: home.php'); | 
					
						
							|  |  |  |         die("Logged in, go to home.php"); | 
					
						
							|  |  |  |     } else { | 
					
						
							|  |  |  |         $alert = lang("2fa incorrect", false); | 
					
						
							| 
									
										
										
										
											2017-05-02 19:19:27 -06:00
										 |  |  |         insertAuthLog(6, null, "Username: " . $VARS['username']); | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  | } else if ($VARS['progress'] == "chpasswd") { | 
					
						
							| 
									
										
										
										
											2017-06-16 18:40:12 -06:00
										 |  |  |     engageRateLimit(); | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |     if (!is_empty($_SESSION['username'])) { | 
					
						
							|  |  |  |         $error = []; | 
					
						
							|  |  |  |         $result = change_password($VARS['oldpass'], $VARS['newpass'], $VARS['conpass'], $error); | 
					
						
							|  |  |  |         if ($result === TRUE) { | 
					
						
							|  |  |  |             $alert = lang(MESSAGES["password_updated"]["string"], false); | 
					
						
							|  |  |  |             $alerttype = MESSAGES["password_updated"]["type"]; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         switch (count($error)) { | 
					
						
							|  |  |  |             case 1: | 
					
						
							|  |  |  |                 $alert = lang(MESSAGES[$error[0]]["string"], false); | 
					
						
							|  |  |  |                 $alerttype = MESSAGES[$error[0]]["type"]; | 
					
						
							|  |  |  |                 break; | 
					
						
							|  |  |  |             case 2: | 
					
						
							|  |  |  |                 $alert = lang2(MESSAGES[$error[0]]["string"], ["arg" => $error[1]], false); | 
					
						
							|  |  |  |                 $alerttype = MESSAGES[$error[0]]["type"]; | 
					
						
							|  |  |  |                 break; | 
					
						
							|  |  |  |             default: | 
					
						
							|  |  |  |                 $alert = lang(MESSAGES["generic_op_error"]["string"], false); | 
					
						
							|  |  |  |                 $alerttype = MESSAGES["generic_op_error"]["type"]; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } else { | 
					
						
							|  |  |  |         session_destroy(); | 
					
						
							|  |  |  |         header('Location: index.php'); | 
					
						
							|  |  |  |         die(); | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  | } | 
					
						
							|  |  |  | ?>
 | 
					
						
							| 
									
										
										
										
											2017-04-14 19:05:58 -06:00
										 |  |  | <!DOCTYPE html> | 
					
						
							|  |  |  | <html> | 
					
						
							|  |  |  |     <head> | 
					
						
							|  |  |  |         <meta charset="UTF-8"> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |         <meta http-equiv="X-UA-Compatible" content="IE=edge"> | 
					
						
							| 
									
										
										
										
											2017-05-05 17:15:00 -06:00
										 |  |  |         <meta name="viewport" content="width=device-width, initial-scale=1"> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |         <title><?php echo SITE_TITLE; ?></title>
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         <link href="static/css/bootstrap.min.css" rel="stylesheet"> | 
					
						
							| 
									
										
										
										
											2017-05-06 23:19:22 -06:00
										 |  |  |         <link href="static/css/font-awesome.min.css" rel="stylesheet"> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |         <link href="static/css/app.css" rel="stylesheet"> | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |         <?php if (RECAPTCHA_ENABLED) { ?>
 | 
					
						
							|  |  |  |             <script src='https://www.google.com/recaptcha/api.js'></script> | 
					
						
							|  |  |  |         <?php } ?>
 | 
					
						
							| 
									
										
										
										
											2017-04-14 19:05:58 -06:00
										 |  |  |     </head> | 
					
						
							|  |  |  |     <body> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |         <div class="container"> | 
					
						
							|  |  |  |             <div class="row"> | 
					
						
							|  |  |  |                 <div class="col-xs-12 col-sm-6 col-md-4 col-lg-4 col-sm-offset-3 col-md-offset-4 col-lg-offset-4"> | 
					
						
							|  |  |  |                     <div> | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                         <img class="img-responsive banner-image" src="static/img/logo.svg" /> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                     </div> | 
					
						
							|  |  |  |                     <div class="panel panel-primary"> | 
					
						
							|  |  |  |                         <div class="panel-heading"> | 
					
						
							|  |  |  |                             <h3 class="panel-title"><?php lang("sign in"); ?></h3>
 | 
					
						
							|  |  |  |                         </div> | 
					
						
							|  |  |  |                         <div class="panel-body"> | 
					
						
							|  |  |  |                             <form action="" method="POST"> | 
					
						
							|  |  |  |                                 <?php | 
					
						
							|  |  |  |                                 if (!is_empty($alert)) { | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                                     $alerttype = isset($alerttype) ? $alerttype : "danger"; | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                     ?>
 | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                                     <div class="alert alert-<?php echo $alerttype ?>"> | 
					
						
							|  |  |  |                                         <?php | 
					
						
							|  |  |  |                                         switch ($alerttype) { | 
					
						
							|  |  |  |                                             case "danger": | 
					
						
							|  |  |  |                                                 $alerticon = "times"; | 
					
						
							|  |  |  |                                                 break; | 
					
						
							|  |  |  |                                             case "warning": | 
					
						
							|  |  |  |                                                 $alerticon = "exclamation-triangle"; | 
					
						
							|  |  |  |                                                 break; | 
					
						
							|  |  |  |                                             case "info": | 
					
						
							|  |  |  |                                                 $alerticon = "info-circle"; | 
					
						
							|  |  |  |                                                 break; | 
					
						
							|  |  |  |                                             case "success": | 
					
						
							|  |  |  |                                                 $alerticon = "check"; | 
					
						
							|  |  |  |                                                 break; | 
					
						
							|  |  |  |                                             default: | 
					
						
							|  |  |  |                                                 $alerticon = "square-o"; | 
					
						
							|  |  |  |                                         } | 
					
						
							|  |  |  |                                         ?>
 | 
					
						
							|  |  |  |                                         <i class="fa fa-fw fa-<?php echo $alerticon ?>"></i> <?php echo $alert ?> 
 | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                     </div> | 
					
						
							|  |  |  |                                     <?php | 
					
						
							|  |  |  |                                 } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                                 if (!$multiauth && !$change_password) { | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                     ?>
 | 
					
						
							| 
									
										
										
										
											2017-04-15 12:59:13 -06:00
										 |  |  |                                     <input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autofocus /><br /> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                     <input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" /><br /> | 
					
						
							| 
									
										
										
										
											2017-04-29 02:35:49 -06:00
										 |  |  |                                     <?php if (RECAPTCHA_ENABLED) { ?>
 | 
					
						
							|  |  |  |                                         <div class="g-recaptcha" data-sitekey="<?php echo RECAPTCHA_SITE_KEY; ?>"></div> | 
					
						
							|  |  |  |                                         <br /> | 
					
						
							|  |  |  |                                     <?php } ?>
 | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                     <input type="hidden" name="progress" value="1" /> | 
					
						
							|  |  |  |                                     <?php | 
					
						
							|  |  |  |                                 } else if ($multiauth) { | 
					
						
							|  |  |  |                                     ?>
 | 
					
						
							|  |  |  |                                     <div class="alert alert-info"> | 
					
						
							|  |  |  |                                         <?php lang("2fa prompt"); ?>
 | 
					
						
							|  |  |  |                                     </div> | 
					
						
							| 
									
										
										
										
											2017-05-03 13:32:31 -06:00
										 |  |  |                                     <input type="text" class="form-control" name="authcode" placeholder="<?php lang("authcode"); ?>" required="required" autocomplete="off" autofocus /><br /> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                     <input type="hidden" name="progress" value="2" /> | 
					
						
							|  |  |  |                                     <input type="hidden" name="username" value="<?php echo $VARS['username']; ?>" /> | 
					
						
							|  |  |  |                                     <?php | 
					
						
							| 
									
										
										
										
											2017-05-13 16:17:58 -06:00
										 |  |  |                                 } else if ($change_password) { | 
					
						
							|  |  |  |                                     ?>
 | 
					
						
							|  |  |  |                                     <input type="password" class="form-control" name="oldpass" placeholder="Current password" required="required" autocomplete="new-password" autofocus /><br /> | 
					
						
							|  |  |  |                                     <input type="password" class="form-control" name="newpass" placeholder="New password" required="required" autocomplete="off" /><br /> | 
					
						
							|  |  |  |                                     <input type="password" class="form-control" name="conpass" placeholder="New password (again)" required="required" autocomplete="off" /><br /> | 
					
						
							|  |  |  |                                     <input type="hidden" name="progress" value="chpasswd" /> | 
					
						
							|  |  |  |                                     <?php | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |                                 } | 
					
						
							|  |  |  |                                 ?>
 | 
					
						
							|  |  |  |                                 <button type="submit" class="btn btn-primary"> | 
					
						
							|  |  |  |                                     <?php lang("continue"); ?>
 | 
					
						
							|  |  |  |                                 </button> | 
					
						
							|  |  |  |                             </form> | 
					
						
							|  |  |  |                         </div> | 
					
						
							|  |  |  |                     </div> | 
					
						
							|  |  |  |                 </div> | 
					
						
							|  |  |  |             </div> | 
					
						
							| 
									
										
										
										
											2017-04-16 02:05:18 -06:00
										 |  |  |             <div class="footer"> | 
					
						
							|  |  |  |                 <?php echo LICENSE_TEXT; ?><br />
 | 
					
						
							|  |  |  |                 Copyright © <?php echo date('Y'); ?> <?php echo COPYRIGHT_NAME; ?>
 | 
					
						
							|  |  |  |             </div> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  |         </div> | 
					
						
							|  |  |  |         <script src="static/js/jquery-3.2.1.min.js"></script> | 
					
						
							|  |  |  |         <script src="static/js/bootstrap.min.js"></script> | 
					
						
							| 
									
										
										
										
											2017-04-14 19:05:58 -06:00
										 |  |  |     </body> | 
					
						
							| 
									
										
										
										
											2017-04-14 21:40:24 -06:00
										 |  |  | </html> |