diff --git a/database.php b/database.php
index 558ed7f..81ee122 100644
--- a/database.php
+++ b/database.php
@@ -4,9 +4,9 @@
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -304,6 +304,24 @@ class mxDatabase
 return NULL;
 }
+ function updatePassword($localpart, $old_password, $new_password) {
+ $user = $this->getUserForLogin($localpart, $old_password);
+ if ($user != NULL) {
+ throw new Exception ("user with that credentials not found");
+ }
+
+ // The credentials were fine. So now set the new password
+ $password_hash = password_hash($new_password, PASSWORD_BCRYPT, ["cost"=>12]);
+
+ $sql = "UPDATE logins SET password_hash = '" . $password_hash . "'"
+ . "WHERE localpart = '" . $localpart . "'";
+
+ if ($this->db->exec($sql)) {
+ return true;
+ }
+ return false;
+ }
+
 function searchUserByName($search_term) {
 $term = filter_var($search_term, FILTER_SANITIZE_STRING);
 $result = array();
diff --git a/helpers.php b/helpers.php
new file mode 100644
index 0000000..b77d512
--- /dev/null
+++ b/helpers.php
@@ -0,0 +1,18 @@
+
diff --git a/internal/intercept_change_password.php b/internal/intercept_change_password.php
new file mode 100644
index 0000000..36d1b9e
--- /dev/null
+++ b/internal/intercept_change_password.php
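Review bot: The credential check in `updatePassword` is inverted: `if ($user != NULL)` throws when `getUserForLogin` returns a user and falls through to the UPDATE when it returns NULL, so, assuming NULL means a failed login as the exception text suggests, a wrong old password is accepted and a correct one is rejected; it should read `if ($user === NULL)`. The UPDATE statement is also built by concatenating `$localpart`, which the new endpoint fills from the request body, so it needs a prepared statement; that also removes the missing space before `WHERE`. The type of `$this->db` is not visible in this hunk, so the sketch below assumes a handle with `prepare()`/`bindValue()`/`execute()` such as PDO or SQLite3 and should be adjusted to the class actually used.

```php
function updatePassword($localpart, $old_password, $new_password) {
    $user = $this->getUserForLogin($localpart, $old_password);
    if ($user === NULL) {
        // … unchanged: throw for unknown credentials …
    }
    // … unchanged: password_hash() of $new_password …
    $stmt = $this->db->prepare(
        "UPDATE logins SET password_hash = :hash WHERE localpart = :localpart"
    );
    $stmt->bindValue(":hash", $password_hash);
    $stmt->bindValue(":localpart", $localpart);
    return $stmt->execute() !== false;
}
```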
@@ -0,0 +1,73 @@
+ "M_UNKNOWN",
+ "error" => "Unknown error while handling password changing",
+];
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Methods: POST, OPTIONS');
+header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization');
+if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+ $response = [];
+ // return with success
+ exit();
+}
+try {
+ $inputJSON = file_get_contents('php://input');
+ $input = json_decode($inputJSON, TRUE);
+ if (empty($input)) {
+ throw new Exception('no valid json as input present');
+ }
+ if (!isset($input["auth"])) {
+ throw new Exception('"auth" is not defined');
+ }
+ if (!isset($input["auth"]["user"]) || !isset($input["auth"]["password"])) {
+ throw new Exception('"auth.user" or "auth.password" is not defined');
+ }
+ if (!isset($input["auth"]["type"]) || $input["auth"]["type"] !== "m.login.password") {
+ throw new Exception('no or unknown auth.type');
+ }
+ if (!isset($input["new_password"])) {
+ throw new Exception('"new_password" is not defined');
+ }
+
+ require_once("../helpers.php");
+ $localpart = stripLocalpart($input["auth"]["user"]);
+
+ if (empty($localpart)) {
+ throw new Exception ("localpart cannot be identified");
+ }
+
+ require_once("../database.php");
+ if ($mx_db->updatePassword(
+ $localpart,
+ $input["auth"]["password"],
+ $input["new_password"]
+ )) {
+ $response=[];
+ } else {
+ throw new Exception("invalid credentials or another error while updating");
+ }
+
+} catch (Exception $e) {
+ header("HTTP/1.0 500 Internal Error");
+ error_log("failed with error: " . $e->getMessage());
+ $response["error"] = $e->getMessage();
+}
+print (json_encode($response, JSON_PRETTY_PRINT) . "\n");
+?>
diff --git a/internal/login.php b/internal/login.php
index 9bd92e2..7aae7c9 100644
--- a/internal/login.php
+++ b/internal/login.php
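Review bot: The catch block at the end of this script copies `$e->getMessage()` into the JSON response and answers every failure with HTTP 500, so any internal detail in an exception raised inside database.php reaches an unauthenticated caller and a wrong password looks like a server fault. Keep the detail in `error_log` only and return a fixed message, e.g. `$response["error"] = "password change failed";`, with a 4xx status for validation and credential failures. `new_password` is checked only with `isset`, so an empty string or a non-string JSON value is passed on to `updatePassword`; a guard such as `if (!is_string($input["new_password"]) || $input["new_password"] === "")` before the call would reject those. The opening lines of the file are not visible on this page.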
@@ -4,9 +4,9 @@
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -49,22 +49,15 @@ try {
 // prefer the localpart attribute of mxisd. But in case of matrix-synapse-rest-auth
 // we have to parse it on our own
- if (empty($localpart) && !empty($mxid)) {
- // A mxid would start with an @ so we start at the 2. position
- $sepPos = strpos($mxid,':', 1);
- if ($sepPos === false) {
- // : not found. Assume mxid is localpart
- // TODO: further checks
- $localpart = $mxid;
- } else {
- $localpart = substr($mxid, 1, strpos($mxid,':') - 1 );
- }
+ if (empty($localpart))
+ require_once("../helpers.php");
+ $localpart = stripLocalpart($input["auth"]["user"]);
 }
-
+
 if (empty($localpart)) {
 throw new Exception ("localpart cannot be identified");
 }
-
+
 $password = NULL;
 if (isset($input["user"]) && isset($input["user"]["password"])) {
 $password = $input["user"]["password"];
@@ -103,7 +96,7 @@ try {
 // we do not know how the data shall be transmitted so we do nothing with it
 $response["auth"]["success"] = false;
 break;
- }
+ }
 } catch (Exception $e) {
 error_log("Auth failed with error: " . $e->getMessage());
 $response["auth"]["error"] = $e->getMessage();
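Review bot: The added `if (empty($localpart))` in the second hunk has no opening brace, while the closing `}` of the removed block is kept as context, so the braces no longer balance: only `require_once` is conditional, `$localpart` is always overwritten, and the stray `}` most likely ends the enclosing `try {` early so that login.php fails to parse. The line should be `if (empty($localpart)) {`. The replacement also reads `$input["auth"]["user"]` where the removed code parsed `$mxid`, and later context in the same hunk reads `$input["user"]["password"]`; if login requests carry no `auth` key, `stripLocalpart` receives an undefined value, so passing `$mxid` would keep the previous behaviour. The `try` block starts and ends outside the hunk.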