From c1f5f4d4515f4939d27522ebf31763b64f7de9ce Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Sat, 10 Feb 2018 18:01:42 +0100
Subject: [PATCH 01/19] first WIP implementation

---
 .gitignore           |   1 +
 MatrixConnection.php |  77 +++++++++++++++++
 config.sample.php    |   6 ++
 functions.php        |  52 +++++++++++
 lang.de.php          |  13 +++
 language.php         |   7 ++
 register.php         | 200 +++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 356 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 MatrixConnection.php
 create mode 100644 config.sample.php
 create mode 100644 functions.php
 create mode 100644 lang.de.php
 create mode 100644 language.php
 create mode 100644 register.php

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4f4773f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+config.php
diff --git a/MatrixConnection.php b/MatrixConnection.php
new file mode 100644
index 0000000..55c2ee3
--- /dev/null
+++ b/MatrixConnection.php
@@ -0,0 +1,77 @@
+<?php
+class MatrixConnection
+{
+	private $hs;
+	private $at;
+
+	function __construct($homeserver, $access_token) {
+		$this->hs = $homeserver;
+		$this->at = $access_token;
+	}
+
+	function send($room_id, $message) {
+		$send_message = NULL;
+		if (!$message) {
+			error_log("no message to send");
+		} elseif(is_array($message)) {
+			$send_message = $message;
+		} elseif ($message instanceof MatrixMessage) {
+			$sendmessage = $message->get_object();
+		} else {
+			error_log("message is of not valid type\n");
+			return false;
+		}
+
+		$url="https://".$this->hs."/_matrix/client/r0/rooms/"
+			. urlencode($room_id) ."/send/m.room.message?access_token=".$this->at;
+		$handle = curl_init($url);
+		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
+		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
+		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($message));
+		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
+
+		return exec_curl_request($handle);
+	}
+
+	function send_msg($room_id, $message) {
+		return $this->send($room_id, array(
+					"msgtype" => "m.notice",
+					"body" => $message
+					)
+				);
+	}
+}
+
+class MatrixMessage
+{
+	private $message;
+
+	function __construct() {
+		$this->message = array(
+				"msgtype" => "m.notice",
+				);
+	}
+
+	function set_type($msgtype) {
+		$this->$message["msgtype"] = $msgtype;
+	}
+
+	function set_format($format) {
+		$this->message["format"] = $format;
+	}
+
+	function set_body($body) {
+		$this->message["body"] = $body;
+	}
+
+	function set_formatted_body($fbody, $format="org.matrix.custom.html") {
+		$this->message["formatted_body"] = $fbody;
+		$this->message["format"] = $format;
+	}
+
+	function get_object() {
+		return $this->message;
+	}
+}
+?>
diff --git a/config.sample.php b/config.sample.php
new file mode 100644
index 0000000..e998fdb
--- /dev/null
+++ b/config.sample.php
@@ -0,0 +1,6 @@
+<?php
+$homeserver = "example.com";
+$access_token = "To be used for sending the registration notification";
+$register_room = "$registerRoomID:example.com";
+$registration_shared_secret = "To be used for actually register the user";
+?>
diff --git a/functions.php b/functions.php
new file mode 100644
index 0000000..949df06
--- /dev/null
+++ b/functions.php
@@ -0,0 +1,52 @@
+<?php
+function abort($msg="Unknown")
+{
+	header("403 Forbidden");
+	$response = array(
+			"success" => false,
+			"message" => $msg
+			);
+	echo json_encode($response);
+	print("\n");
+	exit();
+}
+
+function exec_curl_request($handle)
+{
+	$response = curl_exec($handle);
+
+	if ($response === false) {
+		$errno = curl_errno($handle);
+		$error = curl_error($handle);
+		error_log("Curl returned error $errno: $error\n");
+		curl_close($handle);
+		return false;
+	}
+
+	$http_code = intval(curl_getinfo($handle, CURLINFO_HTTP_CODE));
+	curl_close($handle);
+
+	if ($http_code >= 500) {
+		// do not want to DDOS server if something goes wrong
+		sleep(10);
+		return false;
+	} else if ($http_code != 200) {
+		$response = json_decode($response, true);
+		error_log("Request has failed with error {$response['error']}\n");
+		if ($http_code == 401) {
+			throw new Exception('Invalid access token provided');
+		}
+		return false;
+	} else {
+		$response = json_decode($response, true);
+		if (isset($response["event_id"])) {
+			$response = true;
+		} else {
+			$response = false;
+		}
+	}
+
+	return $response;
+
+}
+?>
diff --git a/lang.de.php b/lang.de.php
new file mode 100644
index 0000000..c1f4489
--- /dev/null
+++ b/lang.de.php
@@ -0,0 +1,13 @@
+<?php
+$language = array(
+"UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
+"UNKNOWN_USER_OR_PASSWORD" => "Nutzername und/oder Passwort(-Wiederholung) fehlen",
+"USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
+"USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
+"PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
+"NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
+"EMAIL_INVALID_FORMAT" => "Keine valide E-Mail-Adresse angegeben",
+"FIRSTNAME_INVALID_FORMAT" => "Vorname hat ungültiges Format",
+"SIRNAME_INVALID_FORMAT" => "Nachname hat ungültiges Format",
+);
+?>
diff --git a/language.php b/language.php
new file mode 100644
index 0000000..17c3004
--- /dev/null
+++ b/language.php
@@ -0,0 +1,7 @@
+<?php
+$lang = "en";
+if(isset($_GET['lang'])){
+	$lang = $_GET['lang'];
+}
+require_once("lang.".$lang.".php");
+?>
diff --git a/register.php b/register.php
new file mode 100644
index 0000000..92683dd
--- /dev/null
+++ b/register.php
@@ -0,0 +1,200 @@
+<html>
+	<head>
+<?php
+include config.php;
+include language.php;
+
+// enforce admin via https
+if (!isset($_SERVER['HTTPS'])) {
+	header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true, 301);
+	exit();
+}
+
+session_start();
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+	$success = false;
+	if (!isset($_SESSION["token"]) || !isset($_POST["token"]) || $_SESSION["token"] != $_POST["token"]) {
+		// token not present or invalid
+		$message = $language["UNKNOWN_SESSION"];
+	}
+	elseif (!isset($_POST["username"], $_POST["password"], $_POST["password_confirm"])) {
+		$message = $language["UNKNOWN_USER_OR_PASSWORD"];
+	}
+	elseif (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
+		$message = $language["USERNAME_LENGTH_INVALID"];
+	}
+	elseif (ctype_alnum($_POST['username']) != true) {
+		$message = $language["USERNAME_NOT_ALNUM"];
+	}
+	elseif ($_POST["password"] != $_POST["password_confirm"]) {
+		$message = $language["PASSWORD_NOT_MATCH"];
+	}
+	elseif (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
+		$message = $language["NOTE_LENGTH_EXEEDED"];
+	}
+	elseif (!isset($_POST["email"]) || !filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
+		$message = $language["EMAIL_INVALID_FORMAT"];
+	}
+	elseif (isset($_POST["first_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
+		$message = $language["FIRSTNAME_INVALID_FORMAT"];
+	}
+	elseif (isset($_POST["last_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
+		$message = $language["SIRNAME_INVALID_FORMAT"];
+	}
+	else {
+	// check valid password
+
+		$first = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
+		$last  = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
+		$user  = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
+		$pass  = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
+		$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
+		$note  = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
+
+
+		$success = true;
+	}
+	if ($success) {
+		print("<title>Erfolgreich</title>");
+		print("</head><body>");
+		print("<h1>Erfolgreich</h1>");
+		print("<p>Bitte überprüfe deine E-Mails um deine E-Mail-Adresse zu bestätigen.</p>");
+		print("<a href=\"" . "/register.php" . "\">Zur Registrierungsseite</a>");
+	} else {
+		print("<title>".$message."</title>");
+		print("</head><body>");
+		print("<h1>" . $message . "</h1>");
+		print("<a href=\"" . "/register.php" . "\">Zur Registrierungsseite</a>");
+	}
+} else {
+	$_SESSION["token"] = bin2hex(random_bytes(16));
+?>
+		<title>Registriere dich für cg-s.tk</title>
+		<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
+		<style>
+body{
+	background-color: #525252;
+}
+.centered-form{
+	margin-top: 60px;
+}
+
+.centered-form .panel{
+	background: rgba(255, 255, 255, 0.8);
+	box-shadow: rgba(0, 0, 0, 0.3) 20px 20px 20px;
+}
+		</style>
+		<script type="text/javascript" src="//code.jquery.com/jquery-1.11.1.min.js"></script>
+		<script type="text/javascript" src="//netdna.bootstrapcdn.com/bootstrap/3.1.0/js/bootstrap.min.js"></script>
+	</head>
+	<body>
+		<div class="container">
+			<div class="row centered-form">
+				<div class="col-xs-12 col-sm-8 col-md-4 col-sm-offset-2 col-md-offset-4">
+					<div class="panel panel-default">
+						<div class="panel-heading">
+							<h3 class="panel-title">Bitte für <?php echo $homeserver; ?> registrieren<small>2-Schritt-Registrierung</small></h3>
+						</div>
+						<div class="panel-body">
+							<form name="regForm" role="form" action="register.php" method="post">
+								<div class="row">
+									<div class="col-xs-6 col-sm-6 col-md-6">
+										<div class="form-group">
+											<input type="text" name="first_name" id="first_name" class="form-control input-sm"
+								placeholder="Vorname" pattern="[A-Z][a-z]+">
+										</div>
+									</div>
+									<div class="col-xs-6 col-sm-6 col-md-6">
+										<div class="form-group">
+											<input type="text" name="last_name" id="last_name" class="form-control input-sm"
+							      placeholder="Nachname" pattern="[A-Z][a-z]+">
+										</div>
+									</div>
+								</div>
+
+								<div class="form-group">
+									<input type="email" name="email" id="email" class="form-control input-sm" placeholder="E-Mail-Adresse" required>
+								</div>
+
+								<div class="form-group">
+									<input type="text" name="note" id="note" class="form-control input-sm" placeholder="Notiz zu dir (max. 50 Zeichen)">
+								</div>
+
+								<div class="form-group">
+									<input type="text" name="username" id="username" class="form-control input-sm"
+							  placeholder="Nutzername (für den Login)"
+	 pattern="[a-z1-9]{3,20}"
+  required>
+								</div>
+<?php /**
+								<div class="row">
+									<div class="col-xs-6 col-sm-6 col-md-6">
+										<div class="form-group">
+											<input type="password" name="password" id="password" class="form-control input-sm" placeholder="Passwort" required>
+										</div>
+									</div>
+									<div class="col-xs-6 col-sm-6 col-md-6">
+										<div class="form-group">
+											<input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="Passwort bestätigen" required>
+										</div>
+									</div>
+								</div>
+ */ ?>
+								<input type="hidden" name="token" id="token" value="<?php echo $_SESSION["token"]; ?>">
+								<input type="submit" value="Registrieren" class="btn btn-info btn-block">
+
+							</form>
+							<p>Hinweis: <br />
+							cg-s.tk is ein geschlossenes Chat-Netzwerk in dem jeder Nutzer bestätigt werden muss.<br />
+							Du bekommst eine E-Mail wenn jemand deine Mitgliedschaft bestätigt hat. An diese wird auch dein initiales Passwort gesendet.
+							Hinterlasse also bitte einen Hinweis zu dir (der nur den entsprechenden Personen gezeigt wird).<br />
+							Liebe Grüße vom Team von cg-s.tk
+							</p>
+						</div>
+					</div>
+				</div>
+			</div>
+		</div>
+		<script type="text/javascript">
+var first_name = document.getElementById("first_name");
+first_name.oninvalid = function(event) {
+	event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+}
+first_name.onkeyup = function(event) {
+	event.target.setCustomValidity("");
+}
+var last_name = document.getElementById("last_name");
+last_name.oninvalid = function(event) {
+	event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+}
+last_name.onkeyup = function(event) {
+	event.target.setCustomValidity("");
+}
+var user_name = document.getElementById("username");
+user_name.oninvalid = function(event) {
+	event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
+}
+user_name.onkeyup = function (event) {
+	event.target.setCustomValidity("");
+}
+<?php
+/** var password = document.getElementById("password")
+, confirm_password = document.getElementById("password_confirm");
+
+function validatePassword(){
+	if(password.value != confirm_password.value) {
+		confirm_password.setCustomValidity("Passwörter stimmen nicht überein");
+	} else {
+		confirm_password.setCustomValidity('');
+	}
+}
+
+password.onchange = validatePassword;
+confirm_password.onkeyup = validatePassword;
+*/
+} /* close METHOD != POST */
+?>
+		</script>
+	</body>
+</html>

From b56798dc35a68f409bd5ea857c089fadf9e526eb Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Sun, 11 Feb 2018 19:47:35 +0100
Subject: [PATCH 02/19] move language to lang-directory

---
 lang.de.php => lang/lang.de.php | 0
 language.php                    | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename lang.de.php => lang/lang.de.php (100%)

diff --git a/lang.de.php b/lang/lang.de.php
similarity index 100%
rename from lang.de.php
rename to lang/lang.de.php
diff --git a/language.php b/language.php
index 17c3004..d44568c 100644
--- a/language.php
+++ b/language.php
@@ -3,5 +3,5 @@ $lang = "en";
 if(isset($_GET['lang'])){
 	$lang = $_GET['lang'];
 }
-require_once("lang.".$lang.".php");
+require_once("lang/lang.".$lang.".php");
 ?>

From f306dda4f91d32e4c24adc6d022604854e5a7028 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Sun, 11 Feb 2018 19:48:38 +0100
Subject: [PATCH 03/19] do not request password on register request

the aim is that the initial password is
generated and send on register approval
---
 lang/lang.de.php |  2 +-
 register.php     | 24 ++----------------------
 2 files changed, 3 insertions(+), 23 deletions(-)

diff --git a/lang/lang.de.php b/lang/lang.de.php
index c1f4489..4ba80f9 100644
--- a/lang/lang.de.php
+++ b/lang/lang.de.php
@@ -1,7 +1,7 @@
 <?php
 $language = array(
 "UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
-"UNKNOWN_USER_OR_PASSWORD" => "Nutzername und/oder Passwort(-Wiederholung) fehlen",
+"UNKNOWN_USERNAME" => "Nutzername fehlt",
 "USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
 "USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
 "PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
diff --git a/register.php b/register.php
index 92683dd..eb177b4 100644
--- a/register.php
+++ b/register.php
@@ -18,8 +18,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 		// token not present or invalid
 		$message = $language["UNKNOWN_SESSION"];
 	}
-	elseif (!isset($_POST["username"], $_POST["password"], $_POST["password_confirm"])) {
-		$message = $language["UNKNOWN_USER_OR_PASSWORD"];
+	elseif (!isset($_POST["username"])) {
+		$message = $language["UNKNOWN_USERNAME"];
 	}
 	elseif (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
 		$message = $language["USERNAME_LENGTH_INVALID"];
@@ -27,9 +27,6 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 	elseif (ctype_alnum($_POST['username']) != true) {
 		$message = $language["USERNAME_NOT_ALNUM"];
 	}
-	elseif ($_POST["password"] != $_POST["password_confirm"]) {
-		$message = $language["PASSWORD_NOT_MATCH"];
-	}
 	elseif (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
 		$message = $language["NOTE_LENGTH_EXEEDED"];
 	}
@@ -178,23 +175,6 @@ user_name.oninvalid = function(event) {
 user_name.onkeyup = function (event) {
 	event.target.setCustomValidity("");
 }
-<?php
-/** var password = document.getElementById("password")
-, confirm_password = document.getElementById("password_confirm");
-
-function validatePassword(){
-	if(password.value != confirm_password.value) {
-		confirm_password.setCustomValidity("Passwörter stimmen nicht überein");
-	} else {
-		confirm_password.setCustomValidity('');
-	}
-}
-
-password.onchange = validatePassword;
-confirm_password.onkeyup = validatePassword;
-*/
-} /* close METHOD != POST */
-?>
 		</script>
 	</body>
 </html>

From bd06342ccf295e370febdf44203f4ad2098987d3 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Sun, 11 Feb 2018 20:22:40 +0100
Subject: [PATCH 04/19] add saving registrations to sqlite

---
 config.sample.php |  2 +-
 database.php      | 29 +++++++++++++++++++++++++++++
 register.php      | 15 +++++++++++----
 3 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 database.php

diff --git a/config.sample.php b/config.sample.php
index e998fdb..72f7162 100644
--- a/config.sample.php
+++ b/config.sample.php
@@ -1,6 +1,6 @@
 <?php
 $homeserver = "example.com";
 $access_token = "To be used for sending the registration notification";
-$register_room = "$registerRoomID:example.com";
+$register_room = '"$registerRoomID:example.com';
 $registration_shared_secret = "To be used for actually register the user";
 ?>
diff --git a/database.php b/database.php
new file mode 100644
index 0000000..3bd1b81
--- /dev/null
+++ b/database.php
@@ -0,0 +1,29 @@
+<?php  
+$db_file = "db_file.sqlite"; 
+
+// create database file when not existent yet
+if (!file_exists($db_file)) { 
+ $db = new PDO('sqlite:' . $db_file); 
+ $db->exec("CREATE TABLE registrations(
+  id INTEGER PRIMARY KEY AUTOINCREMENT, 
+  first_name TEXT,
+  last_name TEXT,
+  username TEXT,
+  note TEXT,
+  email TEXT,
+  verify_token TEXT,
+  request_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP)"); 
+} 
+else { 
+ // establish connection 
+ $db = new PDO('sqlite:' . $db_file);
+ $ins_stmt = $db->prepare("INSERT INTO registrations
+    (first_name, last_name, note, email, username, verify_token)
+    VALUES (:first_name, :last_name, :note, :email, :username, :verify_token);
+} 
+
+// set writeable when not set already
+if (!is_writable($db_file)) {
+ chmod($db_file, 0777); 
+} 
+?>
\ No newline at end of file
diff --git a/register.php b/register.php
index eb177b4..02ccca9 100644
--- a/register.php
+++ b/register.php
@@ -41,15 +41,22 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 	}
 	else {
 	// check valid password
+		require_once("../database.php");
+		$ins_stmt->bindParam(':first_name', $first);
+		$ins_stmt->bindParam(':last_name', $last);
+		$ins_stmt->bindParam(':username', $user);
+		$ins_stmt->bindParam(':note', $note);
+		$ins_stmt->bindParam(':email', $email);
+		$ins_stmt->bindParam(':verify_token ', $vToken);
 
 		$first = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
 		$last  = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
 		$user  = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
-		$pass  = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
-		$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
 		$note  = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
+		$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
+		$vToken= bin2hex(random_bytes(16));
 
-
+		$ins_stmt->execute();
 		$success = true;
 	}
 	if ($success) {
@@ -67,7 +74,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 } else {
 	$_SESSION["token"] = bin2hex(random_bytes(16));
 ?>
-		<title>Registriere dich für cg-s.tk</title>
+		<title>Registriere dich für <?php echo $homeserver; ?></title>
 		<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
 		<style>
 body{

From b8f8fc1f6982fa71a20bd09631514f79a32d167f Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Sun, 11 Feb 2018 21:29:24 +0100
Subject: [PATCH 05/19] fix compilation errors; add public folder

---
 config.sample.php                   |  2 +-
 database.php                        | 10 +++---
 lang/lang.de.php                    | 19 ++++++-----
 language.php                        |  2 +-
 register.php => public/register.php | 51 ++++++++++++++++-------------
 5 files changed, 45 insertions(+), 39 deletions(-)
 rename register.php => public/register.php (85%)

diff --git a/config.sample.php b/config.sample.php
index 72f7162..57399d6 100644
--- a/config.sample.php
+++ b/config.sample.php
@@ -3,4 +3,4 @@ $homeserver = "example.com";
 $access_token = "To be used for sending the registration notification";
 $register_room = '"$registerRoomID:example.com';
 $registration_shared_secret = "To be used for actually register the user";
-?>
+?>
\ No newline at end of file
diff --git a/database.php b/database.php
index 3bd1b81..1d9d41b 100644
--- a/database.php
+++ b/database.php
@@ -2,8 +2,8 @@
 $db_file = "db_file.sqlite"; 
 
 // create database file when not existent yet
-if (!file_exists($db_file)) { 
- $db = new PDO('sqlite:' . $db_file); 
+if (!file_exists($db_file)) {
+ $db = new PDO('sqlite:' . $db_file);
  $db->exec("CREATE TABLE registrations(
   id INTEGER PRIMARY KEY AUTOINCREMENT, 
   first_name TEXT,
@@ -14,16 +14,16 @@ if (!file_exists($db_file)) {
   verify_token TEXT,
   request_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP)"); 
 } 
-else { 
+else {
  // establish connection 
  $db = new PDO('sqlite:' . $db_file);
  $ins_stmt = $db->prepare("INSERT INTO registrations
     (first_name, last_name, note, email, username, verify_token)
-    VALUES (:first_name, :last_name, :note, :email, :username, :verify_token);
+    VALUES (:first_name, :last_name, :note, :email, :username, :verify_token)");
 } 
 
 // set writeable when not set already
 if (!is_writable($db_file)) {
  chmod($db_file, 0777); 
-} 
+}
 ?>
\ No newline at end of file
diff --git a/lang/lang.de.php b/lang/lang.de.php
index 4ba80f9..98ef520 100644
--- a/lang/lang.de.php
+++ b/lang/lang.de.php
@@ -1,13 +1,14 @@
 <?php
 $language = array(
-"UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
-"UNKNOWN_USERNAME" => "Nutzername fehlt",
-"USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
-"USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
-"PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
-"NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
-"EMAIL_INVALID_FORMAT" => "Keine valide E-Mail-Adresse angegeben",
-"FIRSTNAME_INVALID_FORMAT" => "Vorname hat ungültiges Format",
-"SIRNAME_INVALID_FORMAT" => "Nachname hat ungültiges Format",
+    "NO_CONFIGURATION" => "Es konnte keine Konfiguration gefunden werden.",
+    "UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
+    "UNKNOWN_USERNAME" => "Nutzername fehlt",
+    "USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
+    "USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
+    "PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
+    "NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
+    "EMAIL_INVALID_FORMAT" => "Keine valide E-Mail-Adresse angegeben",
+    "FIRSTNAME_INVALID_FORMAT" => "Vorname hat ungültiges Format",
+    "SIRNAME_INVALID_FORMAT" => "Nachname hat ungültiges Format",
 );
 ?>
diff --git a/language.php b/language.php
index d44568c..68cdde1 100644
--- a/language.php
+++ b/language.php
@@ -1,5 +1,5 @@
 <?php
-$lang = "en";
+$lang = "de";
 if(isset($_GET['lang'])){
 	$lang = $_GET['lang'];
 }
diff --git a/register.php b/public/register.php
similarity index 85%
rename from register.php
rename to public/register.php
index 02ccca9..e4362d1 100644
--- a/register.php
+++ b/public/register.php
@@ -1,8 +1,12 @@
 <html>
 	<head>
 <?php
-include config.php;
-include language.php;
+require_once "../language.php";
+if (!file_exists("../config.php")) {
+	print($language["NO_CONFIGURATION"]);
+	exit();
+}
+require_once "../config.php";
 
 // enforce admin via https
 if (!isset($_SERVER['HTTPS'])) {
@@ -161,27 +165,28 @@ body{
 			</div>
 		</div>
 		<script type="text/javascript">
-var first_name = document.getElementById("first_name");
-first_name.oninvalid = function(event) {
-	event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
-}
-first_name.onkeyup = function(event) {
-	event.target.setCustomValidity("");
-}
-var last_name = document.getElementById("last_name");
-last_name.oninvalid = function(event) {
-	event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
-}
-last_name.onkeyup = function(event) {
-	event.target.setCustomValidity("");
-}
-var user_name = document.getElementById("username");
-user_name.oninvalid = function(event) {
-	event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
-}
-user_name.onkeyup = function (event) {
-	event.target.setCustomValidity("");
-}
+			var first_name = document.getElementById("first_name");
+			first_name.oninvalid = function(event) {
+				event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+			}
+			first_name.onkeyup = function(event) {
+				event.target.setCustomValidity("");
+			}
+			var last_name = document.getElementById("last_name");
+			last_name.oninvalid = function(event) {
+				event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+			}
+			last_name.onkeyup = function(event) {
+				event.target.setCustomValidity("");
+			}
+			var user_name = document.getElementById("username");
+			user_name.oninvalid = function(event) {
+				event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
+			}
+			user_name.onkeyup = function (event) {
+				event.target.setCustomValidity("");
+			}
 		</script>
 	</body>
 </html>
+		<?php } ?>
\ No newline at end of file

From c62bd216467e12992c5fa4eb2bac97fb63c404ae Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Tue, 20 Feb 2018 20:10:44 +0100
Subject: [PATCH 06/19] add
 MatrixConnection->register(username,passwort,registration_secret);

---
 MatrixConnection.php | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/MatrixConnection.php b/MatrixConnection.php
index 55c2ee3..36b6d4d 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -4,12 +4,20 @@ class MatrixConnection
 	private $hs;
 	private $at;
 
+	function __construct($homeserver) {
+		$this->hs = $homeserver;
+	}
 	function __construct($homeserver, $access_token) {
 		$this->hs = $homeserver;
 		$this->at = $access_token;
 	}
 
 	function send($room_id, $message) {
+		if (!$this->at) {
+			error_log("No access token defined");
+			return false;
+		}
+
 		$send_message = NULL;
 		if (!$message) {
 			error_log("no message to send");
@@ -41,6 +49,32 @@ class MatrixConnection
 					)
 				);
 	}
+
+	function register($username, $password, $shared_secret) {
+		if (!$username) {
+			error_log("no username provided")
+		}
+		if (!$password) {
+			error_log("no message to send");
+		}
+
+		$mac = hash_hmac('sha1', $username, $registration_shared_secret);
+
+		$data = array(
+			"username" => $user,
+			"password" => $password,
+			"mac" => $mac,
+		}
+		$url="https://".$this->hs."/_matrix/client/v2_alpha/register";
+		$handle = curl_init($url);
+		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
+		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
+		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
+		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
+
+		return exec_curl_request($handle);
+	}
 }
 
 class MatrixMessage

From 8fff520b2894689f2041d8fa7c8f4246d6e6aba4 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Tue, 20 Feb 2018 20:37:15 +0100
Subject: [PATCH 07/19] first try for a database for pending registrations

---
 database.php        |  9 ++++-----
 public/register.php | 13 ++++++++-----
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/database.php b/database.php
index 1d9d41b..9db93e2 100644
--- a/database.php
+++ b/database.php
@@ -1,9 +1,10 @@
 <?php  
-$db_file = "db_file.sqlite"; 
+$db_file = dirname(__DIR__)."/db_file.sqlite";
 
 // create database file when not existent yet
 if (!file_exists($db_file)) {
  $db = new PDO('sqlite:' . $db_file);
+ $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $db->exec("CREATE TABLE registrations(
   id INTEGER PRIMARY KEY AUTOINCREMENT, 
   first_name TEXT,
@@ -17,13 +18,11 @@ if (!file_exists($db_file)) {
 else {
  // establish connection 
  $db = new PDO('sqlite:' . $db_file);
- $ins_stmt = $db->prepare("INSERT INTO registrations
-    (first_name, last_name, note, email, username, verify_token)
-    VALUES (:first_name, :last_name, :note, :email, :username, :verify_token)");
+ $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
 } 
 
 // set writeable when not set already
 if (!is_writable($db_file)) {
  chmod($db_file, 0777); 
 }
-?>
\ No newline at end of file
+?>
diff --git a/public/register.php b/public/register.php
index e4362d1..4e6f0eb 100644
--- a/public/register.php
+++ b/public/register.php
@@ -44,14 +44,17 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 		$message = $language["SIRNAME_INVALID_FORMAT"];
 	}
 	else {
-	// check valid password
+		// check valid password
 		require_once("../database.php");
-		$ins_stmt->bindParam(':first_name', $first);
-		$ins_stmt->bindParam(':last_name', $last);
-		$ins_stmt->bindParam(':username', $user);
+		$ins_stmt = $db->prepare("INSERT INTO registrations
+			(first_name, last_name, note, email, username, verify_token)
+			VALUES (:first, :last, :note, :email, :username, :token )");
+		$ins_stmt->bindParam(':first', $first);
+		$ins_stmt->bindParam(':last', $last);
 		$ins_stmt->bindParam(':note', $note);
 		$ins_stmt->bindParam(':email', $email);
-		$ins_stmt->bindParam(':verify_token ', $vToken);
+		$ins_stmt->bindParam(':username', $user);
+		$ins_stmt->bindParam(':token ', $vToken);
 
 		$first = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
 		$last  = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);

From e88eb13d9104959af42b9b2460aea003444f4bf5 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 15:28:50 +0100
Subject: [PATCH 08/19] implement hasUser(localpart), RegisterState add
 verify{_admin}.php

- fixes
---
 MatrixConnection.php    |  33 +++++--
 config.sample.php       |   7 +-
 database.php            |  59 ++++++++----
 functions.php           |   1 -
 lang/lang.de.php        |  10 ++
 public/register.php     | 203 +++++++++++++++++++++++-----------------
 public/verify.php       |  86 +++++++++++++++++
 public/verify_admin.php | 164 ++++++++++++++++++++++++++++++++
 8 files changed, 448 insertions(+), 115 deletions(-)
 create mode 100644 public/verify.php
 create mode 100644 public/verify_admin.php

diff --git a/MatrixConnection.php b/MatrixConnection.php
index 36b6d4d..21df64f 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -1,12 +1,10 @@
 <?php
+require_once("functions.php");
 class MatrixConnection
 {
 	private $hs;
 	private $at;
 
-	function __construct($homeserver) {
-		$this->hs = $homeserver;
-	}
 	function __construct($homeserver, $access_token) {
 		$this->hs = $homeserver;
 		$this->at = $access_token;
@@ -24,7 +22,7 @@ class MatrixConnection
 		} elseif(is_array($message)) {
 			$send_message = $message;
 		} elseif ($message instanceof MatrixMessage) {
-			$sendmessage = $message->get_object();
+			$send_message = $message->get_object();
 		} else {
 			error_log("message is of not valid type\n");
 			return false;
@@ -36,7 +34,7 @@ class MatrixConnection
 		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
 		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
 		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
-		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($message));
+		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($send_message));
 		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 
 		return exec_curl_request($handle);
@@ -50,9 +48,26 @@ class MatrixConnection
 				);
 	}
 
+	function hasUser($username) {
+		if (!$username) {
+			throw new Exception ("no user given to lookup");
+		}
+
+		$url = "https://".$this->hs."/_matrix/client/r0/profile/%40" . $username . "%3A" . $this->hs;
+		$handle = curl_init($url);
+		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
+		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
+		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
+		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
+
+		$res = exec_curl_request($handle);
+		return ($res ? true: false);
+	}
+
 	function register($username, $password, $shared_secret) {
 		if (!$username) {
-			error_log("no username provided")
+			error_log("no username provided");
 		}
 		if (!$password) {
 			error_log("no message to send");
@@ -64,8 +79,8 @@ class MatrixConnection
 			"username" => $user,
 			"password" => $password,
 			"mac" => $mac,
-		}
-		$url="https://".$this->hs."/_matrix/client/v2_alpha/register";
+		);
+		$url = "https://".$this->hs."/_matrix/client/v2_alpha/register";
 		$handle = curl_init($url);
 		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
 		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
@@ -88,7 +103,7 @@ class MatrixMessage
 	}
 
 	function set_type($msgtype) {
-		$this->$message["msgtype"] = $msgtype;
+		$this->message["msgtype"] = $msgtype;
 	}
 
 	function set_format($format) {
diff --git a/config.sample.php b/config.sample.php
index 57399d6..419a682 100644
--- a/config.sample.php
+++ b/config.sample.php
@@ -1,6 +1,9 @@
 <?php
 $homeserver = "example.com";
 $access_token = "To be used for sending the registration notification";
-$register_room = '"$registerRoomID:example.com';
+$register_room = '$registerRoomID:example.com';
 $registration_shared_secret = "To be used for actually register the user";
-?>
\ No newline at end of file
+
+$webroot="https://myregisterdomain.net/";
+$howToURL = "https://my-url-for-storing-howTos.net";
+?>
diff --git a/database.php b/database.php
index 9db93e2..eee73a0 100644
--- a/database.php
+++ b/database.php
@@ -1,28 +1,55 @@
 <?php  
 $db_file = dirname(__DIR__)."/db_file.sqlite";
 
+abstract class RegisterState
+{
+	// Sending an E-Mail failed in the first attempt. Will retry later
+	const PendingEmailSend = 0;
+	// User got a mail. We wait for it to verfiy
+	const PendingEmailVerify = 1;
+	// Sending a message to the register room failed on first attempt
+	const PendingAdminSend = 5;
+	// No admin has verified the registration yet
+	const PendingAdminVerify = 6;
+	// Registration failed on first attempt. Will retry
+	const PendingRegistration = 7;
+
+	// in this case we have to reset the password of the user (or should we store it for this case?)
+	const PendingSendRegistrationMail = 8;
+
+	// State to allow persisting in the database although an admin declined it.
+	// Will be removed regularly
+	const RegistrationAccepted = 12;
+	const RegistrationDeclined = 13;
+
+	// User got successfully registered. Will be cleaned up later
+	const AllDone = 100;
+}
+
 // create database file when not existent yet
 if (!file_exists($db_file)) {
- $db = new PDO('sqlite:' . $db_file);
- $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
- $db->exec("CREATE TABLE registrations(
-  id INTEGER PRIMARY KEY AUTOINCREMENT, 
-  first_name TEXT,
-  last_name TEXT,
-  username TEXT,
-  note TEXT,
-  email TEXT,
-  verify_token TEXT,
-  request_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP)"); 
-} 
+	$db = new PDO('sqlite:' . $db_file);
+	$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+	$db->exec("CREATE TABLE registrations(
+		id INTEGER PRIMARY KEY AUTOINCREMENT,
+		state INT DEFAULT 0,
+		first_name TEXT,
+		last_name TEXT,
+		username TEXT,
+		note TEXT,
+		email TEXT,
+		verify_token TEXT,
+		admin_token TEXT,
+		request_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP)");
+}
 else {
- // establish connection 
- $db = new PDO('sqlite:' . $db_file);
- $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+	// establish connection
+	$db = new PDO('sqlite:' . $db_file);
+	$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
 } 
 
 // set writeable when not set already
 if (!is_writable($db_file)) {
- chmod($db_file, 0777); 
+	chmod($db_file, 0777);
 }
 ?>
diff --git a/functions.php b/functions.php
index 949df06..5559eea 100644
--- a/functions.php
+++ b/functions.php
@@ -47,6 +47,5 @@ function exec_curl_request($handle)
 	}
 
 	return $response;
-
 }
 ?>
diff --git a/lang/lang.de.php b/lang/lang.de.php
index 98ef520..0b044ef 100644
--- a/lang/lang.de.php
+++ b/lang/lang.de.php
@@ -3,12 +3,22 @@ $language = array(
     "NO_CONFIGURATION" => "Es konnte keine Konfiguration gefunden werden.",
     "UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
     "UNKNOWN_USERNAME" => "Nutzername fehlt",
+    "UNKNOWN_TOKEN" => "Token ist unbekannt",
     "USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
     "USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
+    "USERNAME_PENDING_REGISTRATION" => "Dieser Nutzername wurde bereits zur Registrierung vorgemerkt. Versuche es später noch einmal oder wähle einen anderen Nutzernamen",
+    "USERNAME_REGISTERED" => "Dieser Nutzername wurde bereits registriert. Bitte wähle einen anderen Nutzernamen",
     "PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
     "NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
     "EMAIL_INVALID_FORMAT" => "Keine valide E-Mail-Adresse angegeben",
     "FIRSTNAME_INVALID_FORMAT" => "Vorname hat ungültiges Format",
     "SIRNAME_INVALID_FORMAT" => "Nachname hat ungültiges Format",
+    "SEND_MAIL_FAIL" => "Senden der E-Mail fehlgeschlagen",
+    "SEND_MATRIX_FAIL" => "Senden einer Nachricht an die Administratoren fehlgeschlagen",
+    "REGISTRATION_REQUEST_FAILED" => "Registrierungsanfrage ist fehlgeschlagen",
+    "VERIFICATION_SUCCEEDED" => "Verifizierung erfolgreich",
+    "VERIFICATION_FAILED" => "Verifizierung fehlgeschlagen",
+    "VERIFICATION_SUCCESS_BODY" => "Vielen Dank. Die Administratoren wurden informiert",
+    "ADMIN_VERIFY_SITE_TITLE" => "Registrierungsanfrage bearbeiten",
 );
 ?>
diff --git a/public/register.php b/public/register.php
index 4e6f0eb..8a1e2b5 100644
--- a/public/register.php
+++ b/public/register.php
@@ -7,6 +7,7 @@ if (!file_exists("../config.php")) {
 	exit();
 }
 require_once "../config.php";
+require_once "../mail_templates.php";
 
 // enforce admin via https
 if (!isset($_SERVER['HTTPS'])) {
@@ -16,67 +17,95 @@ if (!isset($_SERVER['HTTPS'])) {
 
 session_start();
 
+require_once("../database.php");
+
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
-	$success = false;
-	if (!isset($_SESSION["token"]) || !isset($_POST["token"]) || $_SESSION["token"] != $_POST["token"]) {
-		// token not present or invalid
-		$message = $language["UNKNOWN_SESSION"];
-	}
-	elseif (!isset($_POST["username"])) {
-		$message = $language["UNKNOWN_USERNAME"];
-	}
-	elseif (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
-		$message = $language["USERNAME_LENGTH_INVALID"];
-	}
-	elseif (ctype_alnum($_POST['username']) != true) {
-		$message = $language["USERNAME_NOT_ALNUM"];
-	}
-	elseif (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
-		$message = $language["NOTE_LENGTH_EXEEDED"];
-	}
-	elseif (!isset($_POST["email"]) || !filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
-		$message = $language["EMAIL_INVALID_FORMAT"];
-	}
-	elseif (isset($_POST["first_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
-		$message = $language["FIRSTNAME_INVALID_FORMAT"];
-	}
-	elseif (isset($_POST["last_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
-		$message = $language["SIRNAME_INVALID_FORMAT"];
-	}
-	else {
+	try {
+		if (!isset($_SESSION["token"]) || !isset($_POST["token"]) || $_SESSION["token"] != $_POST["token"]) {
+			// token not present or invalid
+			throw new Exception($language["UNKNOWN_SESSION"]);
+		}
+		if (!isset($_POST["username"])) {
+			throw new Exception($language["UNKNOWN_USERNAME"]);
+		}
+		if (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
+			throw new Exception($language["USERNAME_LENGTH_INVALID"]);
+		}
+		if (ctype_alnum($_POST['username']) != true) {
+			throw new Exception($language["USERNAME_NOT_ALNUM"]);
+		}
+		if (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
+			throw new Exception($language["NOTE_LENGTH_EXEEDED"]);
+		}
+		if (!isset($_POST["email"]) || !filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
+			throw new Exception($language["EMAIL_INVALID_FORMAT"]);
+		}
+		if (isset($_POST["first_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
+			throw new Exception($language["FIRSTNAME_INVALID_FORMAT"]);
+		}
+		if (isset($_POST["last_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
+			throw new Exception($language["SIRNAME_INVALID_FORMAT"]);
+		}
+
 		// check valid password
-		require_once("../database.php");
-		$ins_stmt = $db->prepare("INSERT INTO registrations
-			(first_name, last_name, note, email, username, verify_token)
-			VALUES (:first, :last, :note, :email, :username, :token )");
-		$ins_stmt->bindParam(':first', $first);
-		$ins_stmt->bindParam(':last', $last);
-		$ins_stmt->bindParam(':note', $note);
-		$ins_stmt->bindParam(':email', $email);
-		$ins_stmt->bindParam(':username', $user);
-		$ins_stmt->bindParam(':token ', $vToken);
+		$first_name = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
+		$last_name = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
+		$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
+		$note   = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
+		$email  = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
+		$verify_token = bin2hex(random_bytes(16));
+		$admin_token = bin2hex(random_bytes(16));
 
-		$first = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
-		$last  = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
-		$user  = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
-		$note  = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
-		$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
-		$vToken= bin2hex(random_bytes(16));
+		#	$first="test"; $last="test2"; $user="test3"; $note="empty"; $email="mail+test1@matthias-kesler.de";
+
+		$sql = "SELECT COUNT(*) FROM registrations WHERE username = '" . $username . "' LIMIT 1;";
+		$res = $db->query($sql);
+		if ($res->fetchColumn() > 0) {
+			throw new Exception($language["USERNAME_PENDING_REGISTRATION"]);
+		}
+		require_once("MatrixConnection.php");
+		$mxConn = new MatrixConnection($homeserver, $access_token);
+		if ($mxConn->hasUser($username)) {
+			throw new Exception($language["USERNAME_REGISTERED"]);
+		}
+
+		$db->exec('INSERT INTO registrations
+			(first_name, last_name, username, note, email, verify_token, admin_token)
+			VALUES ("' . $first_name.'","' . $last_name . '","' . $username . '","'	. $note . '","'
+			. $email.'","'	.$verify_token.'","'	.$admin_token.'")');
+		#		$ins_stmt->bindValue(':first_name', $first);
+		#		$ins_stmt->bindValue(':last_lame', $last);
+		#		$ins_stmt->bindValue(':username', $user);
+		#		$ins_stmt->bindValue(':note', $note);
+		#		$ins_stmt->bindValue(':email', $email);
+		#		$ins_stmt->bindValue(':verify_token', $vToken);
+		#		$ins_stmt->bindValue(':admin_token', $adminToken);
+		#		$ins_stmt->bindValue(':now', date('Y-m-d H:i:s'));
+		#
+		#		$ins_stmt->execute();
+
+		$verify_url = $webroot . "/verify.php?t=" . $verify_token;
+		$success = send_mail_pending_verification(
+			$homeserver,
+			$first_name . " " . $last_name,
+			$email,
+			$verify_url);
+
+		$db->exec("UPDATE registrations SET state = " .
+			($success ? RegisterState::PendingEmailVerify : RegisterState::PendingEmailSend)
+			. " WHERE verify_token = \"" . $verify_token. "\";");
 
-		$ins_stmt->execute();
-		$success = true;
-	}
-	if ($success) {
 		print("<title>Erfolgreich</title>");
 		print("</head><body>");
 		print("<h1>Erfolgreich</h1>");
 		print("<p>Bitte überprüfe deine E-Mails um deine E-Mail-Adresse zu bestätigen.</p>");
 		print("<a href=\"" . "/register.php" . "\">Zur Registrierungsseite</a>");
-	} else {
-		print("<title>".$message."</title>");
+	} catch (Exception $e) {
+		print("<title>" . $language["REGISTRATION_REQUEST_FAILED"] . "</title>");
 		print("</head><body>");
-		print("<h1>" . $message . "</h1>");
-		print("<a href=\"" . "/register.php" . "\">Zur Registrierungsseite</a>");
+		print("<h1>" . $language["REGISTRATION_REQUEST_FAILED"] . "</h1>");
+		print("<p>" . $e->getMessage() . "</p>");
+		print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
 	}
 } else {
 	$_SESSION["token"] = bin2hex(random_bytes(16));
@@ -139,18 +168,18 @@ body{
   required>
 								</div>
 <?php /**
-								<div class="row">
-									<div class="col-xs-6 col-sm-6 col-md-6">
-										<div class="form-group">
-											<input type="password" name="password" id="password" class="form-control input-sm" placeholder="Passwort" required>
-										</div>
-									</div>
-									<div class="col-xs-6 col-sm-6 col-md-6">
-										<div class="form-group">
-											<input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="Passwort bestätigen" required>
-										</div>
-									</div>
-								</div>
+<div class="row">
+<div class="col-xs-6 col-sm-6 col-md-6">
+<div class="form-group">
+<input type="password" name="password" id="password" class="form-control input-sm" placeholder="Passwort" required>
+</div>
+</div>
+<div class="col-xs-6 col-sm-6 col-md-6">
+<div class="form-group">
+<input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="Passwort bestätigen" required>
+</div>
+</div>
+</div>
  */ ?>
 								<input type="hidden" name="token" id="token" value="<?php echo $_SESSION["token"]; ?>">
 								<input type="submit" value="Registrieren" class="btn btn-info btn-block">
@@ -167,29 +196,29 @@ body{
 				</div>
 			</div>
 		</div>
-		<script type="text/javascript">
-			var first_name = document.getElementById("first_name");
-			first_name.oninvalid = function(event) {
-				event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
-			}
-			first_name.onkeyup = function(event) {
-				event.target.setCustomValidity("");
-			}
-			var last_name = document.getElementById("last_name");
-			last_name.oninvalid = function(event) {
-				event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
-			}
-			last_name.onkeyup = function(event) {
-				event.target.setCustomValidity("");
-			}
-			var user_name = document.getElementById("username");
-			user_name.oninvalid = function(event) {
-				event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
-			}
-			user_name.onkeyup = function (event) {
-				event.target.setCustomValidity("");
-			}
-		</script>
+ <script type="text/javascript">
+ var first_name = document.getElementById("first_name");
+	first_name.oninvalid = function(event) {
+		event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+	}
+	first_name.onkeyup = function(event) {
+		event.target.setCustomValidity("");
+	}
+	var last_name = document.getElementById("last_name");
+	last_name.oninvalid = function(event) {
+		event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+	}
+	last_name.onkeyup = function(event) {
+		event.target.setCustomValidity("");
+	}
+	var user_name = document.getElementById("username");
+	user_name.oninvalid = function(event) {
+		event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
+	}
+	user_name.onkeyup = function (event) {
+		event.target.setCustomValidity("");
+	}
+	</script>
+		<?php } ?>
 	</body>
 </html>
-		<?php } ?>
\ No newline at end of file
diff --git a/public/verify.php b/public/verify.php
new file mode 100644
index 0000000..52e9896
--- /dev/null
+++ b/public/verify.php
@@ -0,0 +1,86 @@
+<html>
+	<head>
+<?php
+require_once "../language.php";
+if (!file_exists("../config.php")) {
+	print($language["NO_CONFIGURATION"]);
+	exit();
+}
+require_once "../config.php";
+require_once "../mail_templates.php";
+
+// enforce admin via https
+if (!isset($_SERVER['HTTPS'])) {
+	header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true, 301);
+	exit();
+}
+
+session_start();
+
+try {
+	if ($_SERVER["REQUEST_METHOD"] != "GET") {
+		throw new Exception("Method not allowed");
+	}
+	if (!isset($_GET["t"])) {
+		throw new Exception($language["UNKNOWN_TOKEN"]);
+	}
+	$token = filter_var($_GET["t"], FILTER_SANITIZE_STRING);
+
+	require_once("../database.php");
+
+	$sql = "SELECT COUNT(*) FROM registrations WHERE verify_token = '" . $token . "' LIMIT 1;";
+	$res = $db->query($sql);
+
+	$first_name = NULL; $last_name = NULL; $note = NULL; $email = NULL; $admin_token = NULL;
+
+	if ($res->fetchColumn() > 0) {
+		$sql = "SELECT first_name, last_name, note, email, admin_token FROM registrations WHERE verify_token = '" . $token . "' LIMIT 1;";
+		foreach ($db->query($sql) as $row) {
+			// will only be executed once
+			$first_name = $row["first_name"];
+			$last_name = $row["last_name"];
+			$note = $row["note"];
+			$email = $row["email"];
+			$admin_token = $row["admin_token"];
+		}
+	} else {
+		throw new Exception($language["UNKNOWN_TOKEN"]);
+	}
+
+	require_once("../MatrixConnection.php");
+	$adminUrl = $webroot . "/admin_verify.php?t=" . $admin_token;
+	$mxConn = new MatrixConnection($homeserver, $access_token);
+	$mxMsg = new MatrixMessage();
+	$mxMsg->set_body($first_name . ' ' . $last_name . "möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
+		. $note . "\r\n"
+		. "Zum Bearbeiten hier klicken:\r\n" . $adminUrl);
+	$mxMsg->set_formatted_body($first_name . ' ' . $last_name . " möchte sich registrieren und hat folgende Notiz hinterlassen:<br />"
+		. $note . "<br />"
+		. "Zum Bearbeiten <a href=\"". $adminUrl . "\">hier</a> klicken");
+	$mxMsg->set_type("m.text");
+	$response = $mxConn->send($register_room, $mxMsg);
+
+	if ($response) {
+		$message = $language["SEND_MATRIX_FAIL"];
+	}
+	$db->exec("UPDATE registrations SET state = " .
+		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend)
+		. " WHERE verify_token = \"" . $verify_token. "\";");
+
+	send_mail_pending_approval($homeserver, $first_name . " " . $last_name, $email);
+
+	print("<title>" . $language["VERIFICATION_SUCEEDED"] . "</title>");
+	print("</head><body>");
+	print("<h1>" . $language["VERIFICATION_SUCEEDED"] . "</h1>");
+	print("<p>" . $language["VERIFICATION_SUCCESS_BODY"] . "</p>");
+	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
+} catch (Exception $e) {
+	print("<title>" . $language["VERIFICATION_FAILED"] . "</title>");
+	print("</head><body>");
+	print("<h1>" . $language["VERIFICATION_FAILED"] . "</h1>");
+	print("<p>" . $e->getMessage() . "</p>");
+	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
+}
+?>
+	</body>
+</html>
diff --git a/public/verify_admin.php b/public/verify_admin.php
new file mode 100644
index 0000000..fb9243a
--- /dev/null
+++ b/public/verify_admin.php
@@ -0,0 +1,164 @@
+<html>
+	<head>
+<?php
+require_once "../language.php";
+if (!file_exists("../config.php")) {
+	print($language["NO_CONFIGURATION"]);
+	exit();
+}
+require_once "../config.php";
+require_once "../mail_templates.php";
+
+// enforce admin via https
+if (!isset($_SERVER['HTTPS'])) {
+	header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true, 301);
+	exit();
+}
+
+session_start();
+
+try {
+	if ($_SERVER["REQUEST_METHOD"] == "GET") {
+		throw new Exception("Method not allowed");
+	}
+	if (!isset($_GET["t"])) {
+		throw new Exception($language["UNKNOWN_TOKEN"]);
+	}
+	$token = filter_var($_GET["t"], FILTER_SANITIZE_STRING);
+
+	$action = NULL;
+	if (isset($_GET("allow")) {
+		$action = RegisterState::RegistrationAccepted;
+	}
+	if (isset($_GET("deny")) {
+		$action = RegisterState::RegistrationDeclined;
+	}
+
+	require_once("../database.php");
+
+	$sql = "SELECT COUNT(*) FROM registrations WHERE admin_token = '" . $token . "' LIMIT 1;";
+	$res = $db->query($sql);
+
+	$first_name = NULL; $last_name = NULL; $username = NULL; $note = NULL; $email = NULL;
+
+	if ($res->fetchColumn() > 0) {
+		$sql = "SELECT first_name, last_name, username, note, email FROM registrations WHERE admin_token = '" . $token . "' LIMIT 1;";
+		foreach ($db->query($sql) as $row) {
+			// will only be executed once
+			$first_name = $row["first_name"];
+			$last_name = $row["last_name"];
+			$username = $row["username"];
+			$note = $row["note"];
+			$email = $row["email"];
+		}
+	} else {
+		throw new Exception($language["UNKNOWN_TOKEN"]);
+	}
+
+	if ($action == RegisterState::RegistrationAccepted) {
+		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted)
+			. " WHERE admin_token = \"" . $token. "\";");
+
+		// register user
+		require_once("MatrixConnection.php");
+		$mxConn = new MatrixConnection($homeserver, $access_token);
+
+		// generate a password with 8 characters
+		$password = bin2hex(openssl_random_pseudo_bytes(4));
+
+		$res = $mxConn->register($username, $password, $shared_secret);
+
+		// send registration_success
+		send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL)
+	} elseif ($action == RegisterState::RegistrationDeclined) {
+		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted)
+			. " WHERE admin_token = \"" . $token. "\";");
+	}
+
+	$adminUrl = $webroot . "/admin_verify.php?t=" . $admin_token;
+	print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
+?>
+		<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
+		<style>
+body{
+	background-color: #525252;
+}
+.centered-form{
+	margin-top: 60px;
+}
+
+.centered-form .panel{
+	background: rgba(255, 255, 255, 0.8);
+	box-shadow: rgba(0, 0, 0, 0.3) 20px 20px 20px;
+}
+		</style>
+		<script type="text/javascript" src="//code.jquery.com/jquery-1.11.1.min.js"></script>
+		<script type="text/javascript" src="//netdna.bootstrapcdn.com/bootstrap/3.1.0/js/bootstrap.min.js"></script>
+	</head>
+	<body>
+		<div class="container">
+			<div class="row centered-form">
+				<div class="col-xs-12 col-sm-8 col-md-4 col-sm-offset-2 col-md-offset-4">
+					<div class="panel panel-default">
+						<div class="panel-heading">
+							<h3 class="panel-title"><?php echo $language["ADMIN_VERIFY_SITE_TITLE"] ; ?></h3>
+						</div>
+						<div class="panel-body">
+							<form name="appForm" role="form" action="verify_admin.php" method="GET">
+								<div class="row">
+									<div class="col-xs-6 col-sm-6 col-md-6">
+										<div class="form-group">
+											<input type="text" id="first_name" class="form-control input-sm"
+											value="<?php echo $first_name; ?>" disabled=true>
+										</div>
+									</div>
+									<div class="col-xs-6 col-sm-6 col-md-6">
+										<div class="form-group">
+											<input type="text" id="last_name" class="form-control input-sm"
+											value="<?php echo $last_name; ?>" disabled=true>
+										</div>
+									</div>
+								</div>
+
+								<div class="form-group">
+								<input type="text" id="note" class="form-control input-sm" value="<?php echo $note; ?>" disabled=true>
+								</div>
+
+								<div class="form-group">
+									<input type="text" id="username" class="form-control input-sm"
+									value="<?php echo $username; ?>" disabled=true>
+								</div>
+								<input type="hidden" name="t" id="token" value="<?php echo $token; ?>">
+								<input type="submit" name="allow" value="Bestätigen" class="btn btn-info btn-block">
+								<input type="submit" name="deny" value="Ablehnen" class="btn btn-info btn-block">
+
+							</form>
+						</div>
+					</div>
+				</div>
+			</div>
+		</div>
+ <script type="text/javascript">
+
+	if ($response) {
+		$message = $language["SEND_MATRIX_FAIL"];
+	}
+	$db->exec("UPDATE registrations SET state = " .
+		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend)
+		. " WHERE verify_token = \"" . $verify_token. "\";");
+
+	print("<title>" . $language["VERIFICATION_SUCEEDED"] . "</title>");
+	print("</head><body>");
+	print("<h1>" . $language["VERIFICATION_SUCEEDED"] . "</h1>");
+	print("<p>" . $language["VERIFICATION_SUCCESS_BODY"] . "</p>");
+	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
+} catch (Exception $e) {
+	print("<title>" . $language["VERIFICATION_FAILED"] . "</title>");
+	print("</head><body>");
+	print("<h1>" . $language["VERIFICATION_FAILED"] . "</h1>");
+	print("<p>" . $e->getMessage() . "</p>");
+	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
+}
+?>
+	</body>
+</html>

From e38d201ec1b19c6bd04c7a0808ec70c0be307025 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 17:43:08 +0100
Subject: [PATCH 09/19] only allow actions (admin) when in right state; prepare
 decline reason

- fixes on path's and varnames
---
 MatrixConnection.php    |  4 +--
 functions.php           |  2 +-
 lang/lang.de.php        |  3 ++
 public/register.php     |  5 +--
 public/verify.php       |  4 +--
 public/verify_admin.php | 80 +++++++++++++++++++++++------------------
 6 files changed, 57 insertions(+), 41 deletions(-)

diff --git a/MatrixConnection.php b/MatrixConnection.php
index 21df64f..7ff2966 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -73,10 +73,10 @@ class MatrixConnection
 			error_log("no message to send");
 		}
 
-		$mac = hash_hmac('sha1', $username, $registration_shared_secret);
+		$mac = hash_hmac('sha1', $username, $shared_secret);
 
 		$data = array(
-			"username" => $user,
+			"username" => $username,
 			"password" => $password,
 			"mac" => $mac,
 		);
diff --git a/functions.php b/functions.php
index 5559eea..45d259f 100644
--- a/functions.php
+++ b/functions.php
@@ -36,7 +36,7 @@ function exec_curl_request($handle)
 		if ($http_code == 401) {
 			throw new Exception('Invalid access token provided');
 		}
-		return false;
+		throw new Exception("Server responds: '" . $response['error'] . "'");
 	} else {
 		$response = json_decode($response, true);
 		if (isset($response["event_id"])) {
diff --git a/lang/lang.de.php b/lang/lang.de.php
index 0b044ef..c2f072e 100644
--- a/lang/lang.de.php
+++ b/lang/lang.de.php
@@ -16,9 +16,12 @@ $language = array(
     "SEND_MAIL_FAIL" => "Senden der E-Mail fehlgeschlagen",
     "SEND_MATRIX_FAIL" => "Senden einer Nachricht an die Administratoren fehlgeschlagen",
     "REGISTRATION_REQUEST_FAILED" => "Registrierungsanfrage ist fehlgeschlagen",
+    "REGISTRATION_FAILED" => "Registrierung ist fehlgeschlagen",
     "VERIFICATION_SUCCEEDED" => "Verifizierung erfolgreich",
     "VERIFICATION_FAILED" => "Verifizierung fehlgeschlagen",
     "VERIFICATION_SUCCESS_BODY" => "Vielen Dank. Die Administratoren wurden informiert",
     "ADMIN_VERIFY_SITE_TITLE" => "Registrierungsanfrage bearbeiten",
+    "ADMIN_REGISTER_ACCEPTED_BODY" => "Die Registrierungsanfrage wurde akzeptiert. Der Nutzer wurde per Mail informiert.",
+    "ADMIN_REGISTER_DECLINED_BODY" => "Die Registrierungsanfrage wurde angelehnt. Der Nutzer wurde per Mail informiert.",
 );
 ?>
diff --git a/public/register.php b/public/register.php
index 8a1e2b5..d52a2c7 100644
--- a/public/register.php
+++ b/public/register.php
@@ -58,12 +58,13 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 
 		#	$first="test"; $last="test2"; $user="test3"; $note="empty"; $email="mail+test1@matthias-kesler.de";
 
-		$sql = "SELECT COUNT(*) FROM registrations WHERE username = '" . $username . "' LIMIT 1;";
+		$sql = "SELECT COUNT(*) FROM registrations WHERE username = '" . $username . "' AND NOT state = "
+		       . RegisterState::RegistrationDeclined . " LIMIT 1;";
 		$res = $db->query($sql);
 		if ($res->fetchColumn() > 0) {
 			throw new Exception($language["USERNAME_PENDING_REGISTRATION"]);
 		}
-		require_once("MatrixConnection.php");
+		require_once("../MatrixConnection.php");
 		$mxConn = new MatrixConnection($homeserver, $access_token);
 		if ($mxConn->hasUser($username)) {
 			throw new Exception($language["USERNAME_REGISTERED"]);
diff --git a/public/verify.php b/public/verify.php
index 52e9896..ed358af 100644
--- a/public/verify.php
+++ b/public/verify.php
@@ -48,7 +48,7 @@ try {
 	}
 
 	require_once("../MatrixConnection.php");
-	$adminUrl = $webroot . "/admin_verify.php?t=" . $admin_token;
+	$adminUrl = $webroot . "/verify_admin.php?t=" . $admin_token;
 	$mxConn = new MatrixConnection($homeserver, $access_token);
 	$mxMsg = new MatrixMessage();
 	$mxMsg->set_body($first_name . ' ' . $last_name . "möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
@@ -65,7 +65,7 @@ try {
 	}
 	$db->exec("UPDATE registrations SET state = " .
 		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend)
-		. " WHERE verify_token = \"" . $verify_token. "\";");
+		. " WHERE verify_token = \"" . $token. "\";");
 
 	send_mail_pending_approval($homeserver, $first_name . " " . $last_name, $email);
 
diff --git a/public/verify_admin.php b/public/verify_admin.php
index fb9243a..0b56954 100644
--- a/public/verify_admin.php
+++ b/public/verify_admin.php
@@ -18,7 +18,7 @@ if (!isset($_SERVER['HTTPS'])) {
 session_start();
 
 try {
-	if ($_SERVER["REQUEST_METHOD"] == "GET") {
+	if ($_SERVER["REQUEST_METHOD"] != "GET") {
 		throw new Exception("Method not allowed");
 	}
 	if (!isset($_GET["t"])) {
@@ -26,23 +26,28 @@ try {
 	}
 	$token = filter_var($_GET["t"], FILTER_SANITIZE_STRING);
 
-	$action = NULL;
-	if (isset($_GET("allow")) {
-		$action = RegisterState::RegistrationAccepted;
-	}
-	if (isset($_GET("deny")) {
-		$action = RegisterState::RegistrationDeclined;
-	}
-
 	require_once("../database.php");
 
-	$sql = "SELECT COUNT(*) FROM registrations WHERE admin_token = '" . $token . "' LIMIT 1;";
-	$res = $db->query($sql);
+	$action = NULL;
+	if (isset($_GET["allow"])) {
+		$action = RegisterState::RegistrationAccepted;
+	}
+	$decline_reason = "Noch nicht implementiert";
+	if (isset($_GET["deny"])) {
+		$action = RegisterState::RegistrationDeclined;
+		if (isset($_GET["reason"])) {
+			$decline_reason = filter_var($_GET["reason"], FILTER_SANITIZE_STRING);
+		}
+	}
 
+	$sql = "SELECT COUNT(*) FROM registrations WHERE admin_token = '" . $token
+		. "' AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
+	$res = $db->query($sql);
 	$first_name = NULL; $last_name = NULL; $username = NULL; $note = NULL; $email = NULL;
 
 	if ($res->fetchColumn() > 0) {
-		$sql = "SELECT first_name, last_name, username, note, email FROM registrations WHERE admin_token = '" . $token . "' LIMIT 1;";
+		$sql = "SELECT first_name, last_name, username, note, email FROM registrations WHERE admin_token = '" . $token
+			. "' AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
 		foreach ($db->query($sql) as $row) {
 			// will only be executed once
 			$first_name = $row["first_name"];
@@ -56,26 +61,43 @@ try {
 	}
 
 	if ($action == RegisterState::RegistrationAccepted) {
-		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted)
+		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted
 			. " WHERE admin_token = \"" . $token. "\";");
 
 		// register user
-		require_once("MatrixConnection.php");
+		require_once("../MatrixConnection.php");
 		$mxConn = new MatrixConnection($homeserver, $access_token);
 
 		// generate a password with 8 characters
 		$password = bin2hex(openssl_random_pseudo_bytes(4));
 
-		$res = $mxConn->register($username, $password, $shared_secret);
+		$res = $mxConn->register($username, $password, $registration_shared_secret);
+		if ($res) {
+			// send registration_success
+			send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
+		} else {
+			send_mail_registration_allowed_but_failed($homeserver, $first_name . " " . $last_name, $email);
+			$mxMsg = new MatrixMessage();
+			$mxMsg->set_type("m.text");
+			$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
+			$mxConn->send($register_room, $mxMsg);
+			throw new Exception($language["REGISTRATION_FAILED"]);
+		}
 
-		// send registration_success
-		send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL)
+		print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
+		print("</head><body>");
+		print("<h1>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</h1>");
+		print("<p>" . $language["ADMIN_REGISTER_ACCEPTED_BODY"] . "</p>");
 	} elseif ($action == RegisterState::RegistrationDeclined) {
-		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted)
+		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationDeclined
 			. " WHERE admin_token = \"" . $token. "\";");
-	}
+		send_mail_registration_decline($homeserver, $first_name . " " . $last_name, $email, $decline_reason);
+		print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
+		print("</head><body>");
+		print("<h1>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</h1>");
+		print("<p>" . $language["ADMIN_REGISTER_DECLINED_BODY"] . "</p>");
+	} else {
 
-	$adminUrl = $webroot . "/admin_verify.php?t=" . $admin_token;
 	print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
 ?>
 		<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
@@ -140,22 +162,12 @@ body{
 		</div>
  <script type="text/javascript">
 
-	if ($response) {
-		$message = $language["SEND_MATRIX_FAIL"];
-	}
-	$db->exec("UPDATE registrations SET state = " .
-		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend)
-		. " WHERE verify_token = \"" . $verify_token. "\";");
-
-	print("<title>" . $language["VERIFICATION_SUCEEDED"] . "</title>");
-	print("</head><body>");
-	print("<h1>" . $language["VERIFICATION_SUCEEDED"] . "</h1>");
-	print("<p>" . $language["VERIFICATION_SUCCESS_BODY"] . "</p>");
-	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
+<?php
+	} // else - no action provided
 } catch (Exception $e) {
-	print("<title>" . $language["VERIFICATION_FAILED"] . "</title>");
+	print("<title>" . $language["REGISTRATION_FAILED"] . "</title>");
 	print("</head><body>");
-	print("<h1>" . $language["VERIFICATION_FAILED"] . "</h1>");
+	print("<h1>" . $language["REGISTRATION_FAILED"] . "</h1>");
 	print("<p>" . $e->getMessage() . "</p>");
 	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
 }

From a51f44c01b17ac25c45ffd7a1e3d62ea2b94572b Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 17:50:02 +0100
Subject: [PATCH 10/19] add mail_templates and prepare cron.php

---
 cron.php           | 50 ++++++++++++++++++++++++++
 mail_templates.php | 90 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 140 insertions(+)
 create mode 100644 cron.php
 create mode 100644 mail_templates.php

diff --git a/cron.php b/cron.php
new file mode 100644
index 0000000..0a01e65
--- /dev/null
+++ b/cron.php
@@ -0,0 +1,50 @@
+<?php
+// This file is meant to do tasks that failed on the first attempt
+
+
+$sql = "SELECT first_name, last_name, username, email, state FROM registrations WHERE admin_token = '" . $token
+. "' AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
+foreach ($db->query($sql) as $row) {
+	// will only be executed once
+	$first_name = $row["first_name"];
+	$last_name = $row["last_name"];
+	$username = $row["username"];
+	$email = $row["email"];
+	$state = $row["state"];
+
+	try {
+
+		switch ($state) {
+		case RegisterState::RegistrationAccepted:
+			// Registration got accepted but registration failed
+
+			// register user
+			require_once("MatrixConnection.php");
+			$mxConn = new MatrixConnection($homeserver, $access_token);
+
+			// generate a password with 8 characters
+			$password = bin2hex(openssl_random_pseudo_bytes(4));
+
+			$res = $mxConn->register($username, $password, $shared_secret);
+			if ($res) {
+				// send registration_success
+				send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
+			} else {
+				send_mail_registration_allowed_but_failed($homeserver, $first_name . " " . $last_name, $email);
+				$mxMsg = new MatrixMessage();
+				$mxMsg->set_type("m.text");
+				$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
+				$mxConn->send($mxMsg);
+				throw new Exception($language["REGISTRATION_FAILED"]);
+			}
+			break;
+
+		case RegisterState::RegistrationDeclined:
+			break;
+		}
+	} catch (Exception $e) {
+		print("Error while handling cron for " . $first_name . " " . $last_name . " (" . $username . ")");
+		print($e->getMessage());
+	}
+}
+?>
diff --git a/mail_templates.php b/mail_templates.php
new file mode 100644
index 0000000..4245b69
--- /dev/null
+++ b/mail_templates.php
@@ -0,0 +1,90 @@
+<?php
+
+function send_mail($receiver, $subject, $body) {
+	$headers = "From: registration@cg-s.tk\r\n"
+		. "Content-Type: text/plain;charset=utf-8";
+	return mail($receiver, $subject, $body, $headers);
+}
+
+function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
+	$subject = "Bitte bestätige Registrierung auf $homeserver";
+	$body = "Guten Tag " . $user . ",
+
+Du hast anscheinend versucht dich auf $homeserver zu registrieren.
+Hier gibt es eine zweistufige Registrierung.
+
+Wir möchten dich bitten, dass du kurz bestätigst, dass du die Registrierung durchgeführt hast.
+Gehe dafür auf folgenden Link:
+$verify_url
+
+Erst anschließend werden die Administratoren über deine Registrierungsanfrage informiert.
+
+Vielen Dank für dein Verständnis.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+function send_mail_pending_approval($homeserver, $user, $receiver) {
+	$subject = "Registrierung wartet auf Bestätigung durch Administratoren";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde verifiziert und wird nun durch die Administratoren überprüft.
+
+Du bekommst eine E-Mail auf diese Adresse sobald sie die Registrierung bestätigen oder ablehnen.
+
+Vielen Dank für dein Verständnis.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+
+function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
+	$subject = "Registrierung auf $homeserver genehmigt.";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
+
+Leider ist beim Registrieren ein Fehler aufgetaucht. Der Registrierungversuch wird bald wiederholt.
+Wir hoffen, das Problem ist bald behoben.
+Wir melden uns, wenn die Registrierung erfolgreich war.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body);
+
+}
+
+function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
+	$subject = "Registrierung auf $homeserver erfolgreich.";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
+
+Zum Anmelden kannst du folgende Zugangsdaten verwenden:
+Nutzername: $username
+Passwort: $password
+
+Zu weiteren Hilfestellungen findest du hier eine Auflistung von verschiedenen
+Anleitungen zu verschiedenen Clients:
+$howToURL
+
+Viel Spaß bei der Verwendung von $homeserver.
+Bei Fragen findest du nach der Anmeldung ein paar Räume in denen du sie stellen kannst.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body);
+
+}
+function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
+	$subject = "Registrierung auf $homeserver abgelehnt.";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.
+
+Als Grund wurde folgendes angegeben:
+$reason
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+
+}
+?>

From 076138a0a4a24b9eeb31304b55eff680b1c54690 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 18:27:58 +0100
Subject: [PATCH 11/19] move exec_curl_request from functions to
 MatrixConnection

---
 MatrixConnection.php | 49 ++++++++++++++++++++++++++++++++++++--------
 functions.php        | 38 ----------------------------------
 2 files changed, 40 insertions(+), 47 deletions(-)

diff --git a/MatrixConnection.php b/MatrixConnection.php
index 7ff2966..8f59b84 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -1,5 +1,4 @@
 <?php
-require_once("functions.php");
 class MatrixConnection
 {
 	private $hs;
@@ -37,7 +36,8 @@ class MatrixConnection
 		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($send_message));
 		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 
-		return exec_curl_request($handle);
+		$response = exec_curl_request($handle);
+		return isset($response["event_id"]);
 	}
 
 	function send_msg($room_id, $message) {
@@ -53,16 +53,15 @@ class MatrixConnection
 			throw new Exception ("no user given to lookup");
 		}
 
-		$url = "https://".$this->hs."/_matrix/client/r0/profile/%40" . $username . "%3A" . $this->hs;
+		$url = "https://".$this->hs."/_matrix/client/r0/profile/@" . $username . ":" . $this->hs;
 		$handle = curl_init($url);
 		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
 		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
 		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
 		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
-		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
 
 		$res = exec_curl_request($handle);
-		return ($res ? true: false);
+		return !(isset($res["errcode"]) && $res["errcode"] == "M_UNKNOWN");
 	}
 
 	function register($username, $password, $shared_secret) {
@@ -76,10 +75,10 @@ class MatrixConnection
 		$mac = hash_hmac('sha1', $username, $shared_secret);
 
 		$data = array(
-			"username" => $username,
-			"password" => $password,
-			"mac" => $mac,
-		);
+				"username" => $username,
+				"password" => $password,
+				"mac" => $mac,
+			     );
 		$url = "https://".$this->hs."/_matrix/client/v2_alpha/register";
 		$handle = curl_init($url);
 		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
@@ -90,6 +89,38 @@ class MatrixConnection
 
 		return exec_curl_request($handle);
 	}
+
+	function exec_curl_request($handle)
+	{
+		$response = curl_exec($handle);
+
+		if ($response === false) {
+			$errno = curl_errno($handle);
+			$error = curl_error($handle);
+			error_log("Curl returned error $errno: $error\n");
+			curl_close($handle);
+			return false;
+		}
+
+		$http_code = intval(curl_getinfo($handle, CURLINFO_HTTP_CODE));
+		curl_close($handle);
+
+		if ($http_code >= 500) {
+			// do not want to DDOS server if something goes wrong
+			sleep(10);
+			return false;
+		} else if ($http_code != 200) {
+			$response = json_decode($response, true);
+			error_log("Request has failed with error {$response['error']}\n");
+			if ($http_code == 401) {
+				throw new Exception('Invalid access token provided');
+			}
+		} else {
+			$response = json_decode($response, true);
+		}
+
+		return $response;
+	}
 }
 
 class MatrixMessage
diff --git a/functions.php b/functions.php
index 45d259f..49d5099 100644
--- a/functions.php
+++ b/functions.php
@@ -10,42 +10,4 @@ function abort($msg="Unknown")
 	print("\n");
 	exit();
 }
-
-function exec_curl_request($handle)
-{
-	$response = curl_exec($handle);
-
-	if ($response === false) {
-		$errno = curl_errno($handle);
-		$error = curl_error($handle);
-		error_log("Curl returned error $errno: $error\n");
-		curl_close($handle);
-		return false;
-	}
-
-	$http_code = intval(curl_getinfo($handle, CURLINFO_HTTP_CODE));
-	curl_close($handle);
-
-	if ($http_code >= 500) {
-		// do not want to DDOS server if something goes wrong
-		sleep(10);
-		return false;
-	} else if ($http_code != 200) {
-		$response = json_decode($response, true);
-		error_log("Request has failed with error {$response['error']}\n");
-		if ($http_code == 401) {
-			throw new Exception('Invalid access token provided');
-		}
-		throw new Exception("Server responds: '" . $response['error'] . "'");
-	} else {
-		$response = json_decode($response, true);
-		if (isset($response["event_id"])) {
-			$response = true;
-		} else {
-			$response = false;
-		}
-	}
-
-	return $response;
-}
 ?>

From ff9969b04e47ba7a6b710876a858ba7da4d7106e Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 18:32:41 +0100
Subject: [PATCH 12/19] restore reference to exec_curl_request

---
 MatrixConnection.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/MatrixConnection.php b/MatrixConnection.php
index 8f59b84..f0d8aff 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -36,7 +36,7 @@ class MatrixConnection
 		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($send_message));
 		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 
-		$response = exec_curl_request($handle);
+		$response = $this->exec_curl_request($handle);
 		return isset($response["event_id"]);
 	}
 
@@ -60,7 +60,7 @@ class MatrixConnection
 		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
 		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 
-		$res = exec_curl_request($handle);
+		$res = $this->exec_curl_request($handle);
 		return !(isset($res["errcode"]) && $res["errcode"] == "M_UNKNOWN");
 	}
 
@@ -87,7 +87,7 @@ class MatrixConnection
 		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 		curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
 
-		return exec_curl_request($handle);
+		return $this->exec_curl_request($handle);
 	}
 
 	function exec_curl_request($handle)

From 4e33985cfc231a8e3055b8c45e12b25b9cb24b80 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 19:22:14 +0100
Subject: [PATCH 13/19] further implement cron.php; autoformat

- set Register_Accept to 6 internally as it reflects the same state as PendingSendRequest
- cleanups
---
 cron.php                |  99 ++++++++++++++++++++--------
 database.php            |   2 +-
 public/verify_admin.php | 139 +++++++++++++++++++++-------------------
 3 files changed, 148 insertions(+), 92 deletions(-)

diff --git a/cron.php b/cron.php
index 0a01e65..4caedad 100644
--- a/cron.php
+++ b/cron.php
@@ -1,9 +1,17 @@
 <?php
 // This file is meant to do tasks that failed on the first attempt
 
+require_once("config.php");
+require_once("mail_templates.php");
+require_once("database.php");
 
-$sql = "SELECT first_name, last_name, username, email, state FROM registrations WHERE admin_token = '" . $token
-. "' AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
+$sql = "SELECT id, first_name, last_name, username, email, state, verify_token FROM registrations "
+."WHERE state = ". RegisterState::PendingEmailSend
+. " OR state = " . RegisterState::PendingAdminSend
+. " OR state = " . RegisterState::PendingRegistration
+. " OR state = " . RegisterState::PendingSendRegistrationMail
+. " OR state = " . RegisterState::RegistrationDeclined
+. " OR state = " . RegisterState::AllDone . ";";
 foreach ($db->query($sql) as $row) {
 	// will only be executed once
 	$first_name = $row["first_name"];
@@ -13,34 +21,75 @@ foreach ($db->query($sql) as $row) {
 	$state = $row["state"];
 
 	try {
-
 		switch ($state) {
-		case RegisterState::RegistrationAccepted:
-			// Registration got accepted but registration failed
+			case RegisterState::PendingEmailSend:
+				$verify_url = $webroot . "/verify.php?t=" . $row["verify_token"];
+				$success = send_mail_pending_verification(
+						$homeserver,
+						$row["first_name"] . " " . $row["last_name"],
+						$row["email"],
+						$row["verify_url"]);
 
-			// register user
-			require_once("MatrixConnection.php");
-			$mxConn = new MatrixConnection($homeserver, $access_token);
-
-			// generate a password with 8 characters
-			$password = bin2hex(openssl_random_pseudo_bytes(4));
-
-			$res = $mxConn->register($username, $password, $shared_secret);
-			if ($res) {
-				// send registration_success
-				send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
-			} else {
-				send_mail_registration_allowed_but_failed($homeserver, $first_name . " " . $last_name, $email);
+				if ($success) {
+					$db->exec("UPDATE registrations SET state = " . RegisterState::PendingEmailVerify)
+						. " WHERE id = " . $row["id"] . ";");
+				} else {
+					throw new Exception("Could not send mail to ".$row["first_name"]." ".$row["last_name"]."(".$row["id"].")");
+				}
+				break;
+			case RegisterState::PendingAdminSend:
+				require_once("../MatrixConnection.php");
+				$adminUrl = $webroot . "/verify_admin.php?t=" . $admin_token;
+				$mxConn = new MatrixConnection($homeserver, $access_token);
 				$mxMsg = new MatrixMessage();
+				$mxMsg->set_body($first_name . ' ' . $last_name . "möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
+						. $note . "\r\n"
+						. "Zum Bearbeiten hier klicken:\r\n" . $adminUrl);
+				$mxMsg->set_formatted_body($first_name . ' ' . $last_name . " möchte sich registrieren und hat folgende Notiz hinterlassen:<br />"
+						. $note . "<br />"
+						. "Zum Bearbeiten <a href=\"". $adminUrl . "\">hier</a> klicken");
 				$mxMsg->set_type("m.text");
-				$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
-				$mxConn->send($mxMsg);
-				throw new Exception($language["REGISTRATION_FAILED"]);
-			}
-			break;
+				$response = $mxConn->send($register_room, $mxMsg);
 
-		case RegisterState::RegistrationDeclined:
-			break;
+				if ($response) {
+					$db->exec("UPDATE registrations SET state = " . RegisterState::PendingAdminVerify
+							. " WHERE id = " . $row["id"] . "';");
+
+					send_mail_pending_approval($homeserver, $first_name . " " . $last_name, $email);
+				} else {
+					throw new Exception("Could not send notification for ".$row["first_name"]." ".$row["last_name"]."(".$row["id"].") to admins.");
+				}
+				break;
+			case RegisterState::PendingRegistration:
+				// Registration got accepted but registration failed
+
+				// register user
+				require_once("MatrixConnection.php");
+				$mxConn = new MatrixConnection($homeserver, $access_token);
+
+				// generate a password with 8 characters
+				$password = bin2hex(openssl_random_pseudo_bytes(4));
+
+				$res = $mxConn->register($username, $password, $shared_secret);
+				if ($res) {
+					// send registration_success
+					send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
+				} else {
+					send_mail_registration_allowed_but_failed($homeserver, $first_name . " " . $last_name, $email);
+					$mxMsg = new MatrixMessage();
+					$mxMsg->set_type("m.text");
+					$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
+					$mxConn->send($mxMsg);
+					throw new Exception($language["REGISTRATION_FAILED"]);
+				}
+				break;
+			case RegisterState::PendingSendRegistrationMail:
+				print ("Error: Unhandled state: PendingSendRegistrationMail for " . $first_name . " " . $last_name . " (" . $username . ")");
+				break;
+			case RegisterState::RegistrationDeclined:
+			case RegisterState::AllDone:
+				// do reqular cleanup
+				break;
 		}
 	} catch (Exception $e) {
 		print("Error while handling cron for " . $first_name . " " . $last_name . " (" . $username . ")");
diff --git a/database.php b/database.php
index eee73a0..bf57af9 100644
--- a/database.php
+++ b/database.php
@@ -19,7 +19,7 @@ abstract class RegisterState
 
 	// State to allow persisting in the database although an admin declined it.
 	// Will be removed regularly
-	const RegistrationAccepted = 12;
+	const RegistrationAccepted = 6;
 	const RegistrationDeclined = 13;
 
 	// User got successfully registered. Will be cleaned up later
diff --git a/public/verify_admin.php b/public/verify_admin.php
index 0b56954..7ba51fd 100644
--- a/public/verify_admin.php
+++ b/public/verify_admin.php
@@ -1,5 +1,5 @@
 <html>
-	<head>
+<head>
 <?php
 require_once "../language.php";
 if (!file_exists("../config.php")) {
@@ -61,8 +61,8 @@ try {
 	}
 
 	if ($action == RegisterState::RegistrationAccepted) {
-		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted
-			. " WHERE admin_token = \"" . $token. "\";");
+		$db->exec("UPDATE registrations SET state = " . RegisterState::PendingRegistration
+				. " WHERE admin_token = '" . $token. "';");
 
 		// register user
 		require_once("../MatrixConnection.php");
@@ -74,7 +74,14 @@ try {
 		$res = $mxConn->register($username, $password, $registration_shared_secret);
 		if ($res) {
 			// send registration_success
-			send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
+			$res = send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
+			if ($res) {
+				$db->exec("UPDATE registrations SET state = " . RegisterState::AllDone
+						. " WHERE admin_token = '" . $token. "';");
+			} else {
+				$db->exec("UPDATE registrations SET state = " . RegisterState::PendingSendRegistrationMail
+						. " WHERE admin_token = '" . $token. "';");
+			}
 		} else {
 			send_mail_registration_allowed_but_failed($homeserver, $first_name . " " . $last_name, $email);
 			$mxMsg = new MatrixMessage();
@@ -90,7 +97,7 @@ try {
 		print("<p>" . $language["ADMIN_REGISTER_ACCEPTED_BODY"] . "</p>");
 	} elseif ($action == RegisterState::RegistrationDeclined) {
 		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationDeclined
-			. " WHERE admin_token = \"" . $token. "\";");
+				. " WHERE admin_token = '" . $token. "';");
 		send_mail_registration_decline($homeserver, $first_name . " " . $last_name, $email, $decline_reason);
 		print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
 		print("</head><body>");
@@ -98,71 +105,71 @@ try {
 		print("<p>" . $language["ADMIN_REGISTER_DECLINED_BODY"] . "</p>");
 	} else {
 
-	print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
-?>
-		<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
-		<style>
-body{
-	background-color: #525252;
-}
-.centered-form{
-	margin-top: 60px;
-}
+		print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
+		?>
+			<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
+			<style>
+			body{
+				background-color: #525252;
+			}
+		.centered-form{
+			margin-top: 60px;
+		}
 
-.centered-form .panel{
-	background: rgba(255, 255, 255, 0.8);
-	box-shadow: rgba(0, 0, 0, 0.3) 20px 20px 20px;
-}
+		.centered-form .panel{
+background: rgba(255, 255, 255, 0.8);
+	    box-shadow: rgba(0, 0, 0, 0.3) 20px 20px 20px;
+		}
 		</style>
-		<script type="text/javascript" src="//code.jquery.com/jquery-1.11.1.min.js"></script>
-		<script type="text/javascript" src="//netdna.bootstrapcdn.com/bootstrap/3.1.0/js/bootstrap.min.js"></script>
-	</head>
-	<body>
-		<div class="container">
+			<script type="text/javascript" src="//code.jquery.com/jquery-1.11.1.min.js"></script>
+			<script type="text/javascript" src="//netdna.bootstrapcdn.com/bootstrap/3.1.0/js/bootstrap.min.js"></script>
+			</head>
+			<body>
+			<div class="container">
 			<div class="row centered-form">
-				<div class="col-xs-12 col-sm-8 col-md-4 col-sm-offset-2 col-md-offset-4">
-					<div class="panel panel-default">
-						<div class="panel-heading">
-							<h3 class="panel-title"><?php echo $language["ADMIN_VERIFY_SITE_TITLE"] ; ?></h3>
-						</div>
-						<div class="panel-body">
-							<form name="appForm" role="form" action="verify_admin.php" method="GET">
-								<div class="row">
-									<div class="col-xs-6 col-sm-6 col-md-6">
-										<div class="form-group">
-											<input type="text" id="first_name" class="form-control input-sm"
-											value="<?php echo $first_name; ?>" disabled=true>
-										</div>
-									</div>
-									<div class="col-xs-6 col-sm-6 col-md-6">
-										<div class="form-group">
-											<input type="text" id="last_name" class="form-control input-sm"
-											value="<?php echo $last_name; ?>" disabled=true>
-										</div>
-									</div>
-								</div>
-
-								<div class="form-group">
-								<input type="text" id="note" class="form-control input-sm" value="<?php echo $note; ?>" disabled=true>
-								</div>
-
-								<div class="form-group">
-									<input type="text" id="username" class="form-control input-sm"
-									value="<?php echo $username; ?>" disabled=true>
-								</div>
-								<input type="hidden" name="t" id="token" value="<?php echo $token; ?>">
-								<input type="submit" name="allow" value="Bestätigen" class="btn btn-info btn-block">
-								<input type="submit" name="deny" value="Ablehnen" class="btn btn-info btn-block">
-
-							</form>
-						</div>
-					</div>
-				</div>
+			<div class="col-xs-12 col-sm-8 col-md-4 col-sm-offset-2 col-md-offset-4">
+			<div class="panel panel-default">
+			<div class="panel-heading">
+			<h3 class="panel-title"><?php echo $language["ADMIN_VERIFY_SITE_TITLE"] ; ?></h3>
+			</div>
+			<div class="panel-body">
+			<form name="appForm" role="form" action="verify_admin.php" method="GET">
+			<div class="row">
+			<div class="col-xs-6 col-sm-6 col-md-6">
+			<div class="form-group">
+			<input type="text" id="first_name" class="form-control input-sm"
+			value="<?php echo $first_name; ?>" disabled=true>
+			</div>
+			</div>
+			<div class="col-xs-6 col-sm-6 col-md-6">
+			<div class="form-group">
+			<input type="text" id="last_name" class="form-control input-sm"
+			value="<?php echo $last_name; ?>" disabled=true>
+			</div>
+			</div>
 			</div>
-		</div>
- <script type="text/javascript">
 
-<?php
+			<div class="form-group">
+			<input type="text" id="note" class="form-control input-sm" value="<?php echo $note; ?>" disabled=true>
+			</div>
+
+			<div class="form-group">
+			<input type="text" id="username" class="form-control input-sm"
+			value="<?php echo $username; ?>" disabled=true>
+			</div>
+			<input type="hidden" name="t" id="token" value="<?php echo $token; ?>">
+			<input type="submit" name="allow" value="Bestätigen" class="btn btn-info btn-block">
+			<input type="submit" name="deny" value="Ablehnen" class="btn btn-info btn-block">
+
+			</form>
+			</div>
+			</div>
+			</div>
+			</div>
+			</div>
+			<script type="text/javascript">
+
+			<?php
 	} // else - no action provided
 } catch (Exception $e) {
 	print("<title>" . $language["REGISTRATION_FAILED"] . "</title>");
@@ -172,5 +179,5 @@ body{
 	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
 }
 ?>
-	</body>
+</body>
 </html>

From 83cf11149b2c074ad849e0d705d57987e5e107ed Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 19:25:30 +0100
Subject: [PATCH 14/19] fix for cron.php

---
 cron.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cron.php b/cron.php
index 4caedad..f0ce4ea 100644
--- a/cron.php
+++ b/cron.php
@@ -31,7 +31,7 @@ foreach ($db->query($sql) as $row) {
 						$row["verify_url"]);
 
 				if ($success) {
-					$db->exec("UPDATE registrations SET state = " . RegisterState::PendingEmailVerify)
+					$db->exec("UPDATE registrations SET state = " . RegisterState::PendingEmailVerify
 						. " WHERE id = " . $row["id"] . ";");
 				} else {
 					throw new Exception("Could not send mail to ".$row["first_name"]." ".$row["last_name"]."(".$row["id"].")");

From 40b6970c1c1df38146bb32d155694b7aed0b4a1a Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Tue, 27 Feb 2018 10:31:51 +0100
Subject: [PATCH 15/19] remove abort(); change lang-def de => de-de; cleanup

---
 MatrixConnection.php                 |  3 +--
 cron.php                             |  3 ---
 functions.php                        | 13 -------------
 lang/{lang.de.php => lang.de-de.php} |  0
 language.php                         | 11 ++++++++---
 5 files changed, 9 insertions(+), 21 deletions(-)
 delete mode 100644 functions.php
 rename lang/{lang.de.php => lang.de-de.php} (100%)

diff --git a/MatrixConnection.php b/MatrixConnection.php
index f0d8aff..e97a39e 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -90,8 +90,7 @@ class MatrixConnection
 		return $this->exec_curl_request($handle);
 	}
 
-	function exec_curl_request($handle)
-	{
+	function exec_curl_request($handle) {
 		$response = curl_exec($handle);
 
 		if ($response === false) {
diff --git a/cron.php b/cron.php
index f0ce4ea..7b33fc0 100644
--- a/cron.php
+++ b/cron.php
@@ -1,6 +1,4 @@
 <?php
-// This file is meant to do tasks that failed on the first attempt
-
 require_once("config.php");
 require_once("mail_templates.php");
 require_once("database.php");
@@ -13,7 +11,6 @@ $sql = "SELECT id, first_name, last_name, username, email, state, verify_token F
 . " OR state = " . RegisterState::RegistrationDeclined
 . " OR state = " . RegisterState::AllDone . ";";
 foreach ($db->query($sql) as $row) {
-	// will only be executed once
 	$first_name = $row["first_name"];
 	$last_name = $row["last_name"];
 	$username = $row["username"];
diff --git a/functions.php b/functions.php
deleted file mode 100644
index 49d5099..0000000
--- a/functions.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-function abort($msg="Unknown")
-{
-	header("403 Forbidden");
-	$response = array(
-			"success" => false,
-			"message" => $msg
-			);
-	echo json_encode($response);
-	print("\n");
-	exit();
-}
-?>
diff --git a/lang/lang.de.php b/lang/lang.de-de.php
similarity index 100%
rename from lang/lang.de.php
rename to lang/lang.de-de.php
diff --git a/language.php b/language.php
index 68cdde1..bd50c04 100644
--- a/language.php
+++ b/language.php
@@ -1,7 +1,12 @@
 <?php
-$lang = "de";
+$lang = "de-de";
 if(isset($_GET['lang'])){
-	$lang = $_GET['lang'];
+	$lang = filter_var($_GET['lang'], FILTER_SANITIZE_STRING);
 }
-require_once("lang/lang.".$lang.".php");
+$lang_file = "lang/lang.".$lang.".php";
+if (!file_exists($lang_file)) {
+	throw new Exception("Translation for " . $lang . " not found");
+}
+require_once($lang_file);
+unset($lang_file);
 ?>

From b68f6afa97aa93e38cb7e642a3169ed327bd7ac6 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Wed, 28 Feb 2018 20:00:17 +0100
Subject: [PATCH 16/19] fix cron.php

---
 cron.php         | 12 ++++++------
 lang/lang.de.php |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/cron.php b/cron.php
index f0ce4ea..6140d53 100644
--- a/cron.php
+++ b/cron.php
@@ -5,7 +5,7 @@ require_once("config.php");
 require_once("mail_templates.php");
 require_once("database.php");
 
-$sql = "SELECT id, first_name, last_name, username, email, state, verify_token FROM registrations "
+$sql = "SELECT id, first_name, last_name, username, email, state, note, verify_token, admin_token FROM registrations "
 ."WHERE state = ". RegisterState::PendingEmailSend
 . " OR state = " . RegisterState::PendingAdminSend
 . " OR state = " . RegisterState::PendingRegistration
@@ -38,22 +38,22 @@ foreach ($db->query($sql) as $row) {
 				}
 				break;
 			case RegisterState::PendingAdminSend:
-				require_once("../MatrixConnection.php");
-				$adminUrl = $webroot . "/verify_admin.php?t=" . $admin_token;
+				require_once("MatrixConnection.php");
+				$adminUrl = $webroot . "/verify_admin.php?t=" . $row["admin_token"];
 				$mxConn = new MatrixConnection($homeserver, $access_token);
 				$mxMsg = new MatrixMessage();
 				$mxMsg->set_body($first_name . ' ' . $last_name . "möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
-						. $note . "\r\n"
+						. $row["note"] . "\r\n"
 						. "Zum Bearbeiten hier klicken:\r\n" . $adminUrl);
 				$mxMsg->set_formatted_body($first_name . ' ' . $last_name . " möchte sich registrieren und hat folgende Notiz hinterlassen:<br />"
-						. $note . "<br />"
+						. $row["note"] . "<br />"
 						. "Zum Bearbeiten <a href=\"". $adminUrl . "\">hier</a> klicken");
 				$mxMsg->set_type("m.text");
 				$response = $mxConn->send($register_room, $mxMsg);
 
 				if ($response) {
 					$db->exec("UPDATE registrations SET state = " . RegisterState::PendingAdminVerify
-							. " WHERE id = " . $row["id"] . "';");
+							. " WHERE id = " . $row["id"] . ";");
 
 					send_mail_pending_approval($homeserver, $first_name . " " . $last_name, $email);
 				} else {
diff --git a/lang/lang.de.php b/lang/lang.de.php
index c2f072e..84dafb0 100644
--- a/lang/lang.de.php
+++ b/lang/lang.de.php
@@ -17,7 +17,7 @@ $language = array(
     "SEND_MATRIX_FAIL" => "Senden einer Nachricht an die Administratoren fehlgeschlagen",
     "REGISTRATION_REQUEST_FAILED" => "Registrierungsanfrage ist fehlgeschlagen",
     "REGISTRATION_FAILED" => "Registrierung ist fehlgeschlagen",
-    "VERIFICATION_SUCCEEDED" => "Verifizierung erfolgreich",
+    "VERIFICATION_SUCEEDED" => "Verifizierung erfolgreich",
     "VERIFICATION_FAILED" => "Verifizierung fehlgeschlagen",
     "VERIFICATION_SUCCESS_BODY" => "Vielen Dank. Die Administratoren wurden informiert",
     "ADMIN_VERIFY_SITE_TITLE" => "Registrierungsanfrage bearbeiten",

From b736721a1c7b00bb98639635754ce8b51736ed7b Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Wed, 28 Feb 2018 23:08:05 +0100
Subject: [PATCH 17/19] fix: const RegistrationAccepted is equal to another
 internal number

---
 database.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/database.php b/database.php
index bf57af9..abfeae3 100644
--- a/database.php
+++ b/database.php
@@ -19,7 +19,7 @@ abstract class RegisterState
 
 	// State to allow persisting in the database although an admin declined it.
 	// Will be removed regularly
-	const RegistrationAccepted = 6;
+	const RegistrationAccepted = 7;
 	const RegistrationDeclined = 13;
 
 	// User got successfully registered. Will be cleaned up later

From 9b1a9f9a796ed14e09a9cdc98fb9b007f0a68b67 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Wed, 28 Feb 2018 23:20:58 +0100
Subject: [PATCH 18/19] fix sending error message to room; add \n for
 cron-output

---
 cron.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cron.php b/cron.php
index 125c487..861137e 100644
--- a/cron.php
+++ b/cron.php
@@ -76,12 +76,12 @@ foreach ($db->query($sql) as $row) {
 					$mxMsg = new MatrixMessage();
 					$mxMsg->set_type("m.text");
 					$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
-					$mxConn->send($mxMsg);
+					$mxConn->send($register_room, $mxMsg);
 					throw new Exception($language["REGISTRATION_FAILED"]);
 				}
 				break;
 			case RegisterState::PendingSendRegistrationMail:
-				print ("Error: Unhandled state: PendingSendRegistrationMail for " . $first_name . " " . $last_name . " (" . $username . ")");
+				print ("Error: Unhandled state: PendingSendRegistrationMail for " . $first_name . " " . $last_name . " (" . $username . ")\n");
 				break;
 			case RegisterState::RegistrationDeclined:
 			case RegisterState::AllDone:
@@ -89,7 +89,7 @@ foreach ($db->query($sql) as $row) {
 				break;
 		}
 	} catch (Exception $e) {
-		print("Error while handling cron for " . $first_name . " " . $last_name . " (" . $username . ")");
+		print("Error while handling cron for " . $first_name . " " . $last_name . " (" . $username . ")\n");
 		print($e->getMessage());
 	}
 }

From f595c445f2a17473a50f355221b46845a44df7f0 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Wed, 28 Feb 2018 23:37:02 +0100
Subject: [PATCH 19/19] changed wording for mail_templates to allow unset
 values

---
 mail_templates.php | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/mail_templates.php b/mail_templates.php
index 4245b69..5db7b81 100644
--- a/mail_templates.php
+++ b/mail_templates.php
@@ -19,18 +19,22 @@ $verify_url
 
 Erst anschließend werden die Administratoren über deine Registrierungsanfrage informiert.
 
+Hinweis: Du hast ca. 48 Stunden Zeit um die Bestätigung durchzuführen.
+Danach ist eine Re-Registrierung mit deinem gewünschten Nutzernamen für andere wieder möglich.
+
 Vielen Dank für dein Verständnis.
 
 Das Administratoren-Team von " . $homeserver;
 	return send_mail($receiver, $subject, $body );
 }
+
 function send_mail_pending_approval($homeserver, $user, $receiver) {
 	$subject = "Registrierung wartet auf Bestätigung durch Administratoren";
 	$body = "Guten Tag " . $user . ",
 
 Deine Registrierungsanfrage wurde verifiziert und wird nun durch die Administratoren überprüft.
 
-Du bekommst eine E-Mail auf diese Adresse sobald sie die Registrierung bestätigen oder ablehnen.
+Du bekommst eine weitere E-Mail, sobald deine Registrierung bestätigt oder ablehnt wurde.
 
 Vielen Dank für dein Verständnis.
 
@@ -63,10 +67,17 @@ Zum Anmelden kannst du folgende Zugangsdaten verwenden:
 Nutzername: $username
 Passwort: $password
 
+Wichtig: Bitte ändere das Passwort direkt nach der Anmeldung.
+Es wird zwar von unserer Seite nicht gespeichert, doch fremde könnten Zugriff auf diese E-Mail
+erhalten und so deinen Account kompromittieren.
+";
+if (!empty($howToURL)) {
+	$body .= "
 Zu weiteren Hilfestellungen findest du hier eine Auflistung von verschiedenen
 Anleitungen zu verschiedenen Clients:
-$howToURL
-
+$howToURL\n";
+}
+	$body .= "
 Viel Spaß bei der Verwendung von $homeserver.
 Bei Fragen findest du nach der Anmeldung ein paar Räume in denen du sie stellen kannst.
 
@@ -78,13 +89,15 @@ function send_mail_registration_decline($homeserver, $user, $receiver, $reason)
 	$subject = "Registrierung auf $homeserver abgelehnt.";
 	$body = "Guten Tag " . $user . ",
 
-Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.
+Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.\n";
 
-Als Grund wurde folgendes angegeben:
-$reason
+	if (empty($reason)) {
+		$body .= "\nEs wurde kein Grund angegeben\n";
+	} else {
+		$body .= "\nAls Grund wurde folgendes angegeben:\n$reason\n";
+	}
 
-Das Administratoren-Team von " . $homeserver;
+	$body .= "\nDas Administratoren-Team von " . $homeserver;
 	return send_mail($receiver, $subject, $body );
-
 }
 ?>