Implement decline with reason (now with radio buttons)

Fix broken links to mxisd docs

.gitignore

@@ -1,2 +1,5 @@
 config.php
 db_file.sqlite
+
+# do not track sources which will be built by composer
+/vendor/

MatrixConnection.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,8 +14,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-class MatrixConnection
+
-{
+require_once(__DIR__ . "/helpers.php");
+
+class MatrixConnection {
+
     private $hs;
     private $at;
 
@@ -44,12 +48,8 @@ class MatrixConnection
 
         $url = "https://" . $this->hs . "/_matrix/client/r0/rooms/"
                 . urlencode($room_id) . "/send/m.room.message?access_token=" . $this->at;
-		$handle = curl_init($url);
+        $handle = getCurlHandle($url);
-		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
-		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
-		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
         curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($send_message));
-		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 
         $response = $this->exec_curl_request($handle);
         return isset($response["event_id"]);
@@ -69,45 +69,66 @@ class MatrixConnection
         }
 
         $url = "https://" . $this->hs . "/_matrix/client/r0/profile/@" . $username . ":" . $this->hs;
-		$handle = curl_init($url);
+        $handle = getCurlHandle($url);
-		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
-		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
-		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
-		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
 
         $res = $this->exec_curl_request($handle);
         return !(isset($res["errcode"]) && $res["errcode"] == "M_UNKNOWN");
     }
 
+    function getRegisterNonce() {
+        $url = "https://" . $this->hs . "/_matrix/client/r0/admin/register";
+        $handle = getCurlHandle($url);
+
+        try {
+            $response = $this->exec_curl_request($handle);
+            if (is_array($response) && isset($response["nonce"])) {
+                return $response["nonce"];
+            }
+            throw new Exception("INVALID_RESPONSE_FROM_SERVER");
+        } catch (Exception $e) {
+            if (strcmp("AUTHENTICATION_FAILED", $e->getMessage()) == 0) {
+                throw new Exception("WRONG_REGISTRATION_SHARED_SECRET");
+            } else {
+                throw $e;
+            }
+        }
+    }
+
     function register($username, $password, $shared_secret) {
         if (!$username) {
             error_log("no username provided");
         }
         if (!$password) {
-			error_log("no message to send");
+            error_log("no password provided");
         }
-
+        $nonce = $this->getRegisterNonce();
-		$mac = hash_hmac('sha1', $username, $shared_secret);
+        //TODO allow registering of admin.
+        $hmac_content = $nonce . "\x00" . $username . "\x00" . $password . "\x00notadmin";
+        $mac = hash_hmac('sha1', $hmac_content, $shared_secret);
 
         $data = array(
+            "nonce" => $nonce,
             "username" => $username,
             "password" => $password,
             "mac" => $mac,
         );
-		$url = "https://".$this->hs."/_matrix/client/v2_alpha/register";
+        $url = "https://" . $this->hs . "/_matrix/client/r0/admin/register";
-		$handle = curl_init($url);
+        $handle = getCurlHandle($url);
-		curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
-		curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
-		curl_setopt($handle, CURLOPT_TIMEOUT, 60);
-		curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
         curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
 
+        try {
             return $this->exec_curl_request($handle);
+        } catch (Exception $e) {
+            if (strcmp("AUTHENTICATION_FAILED", $e->getMessage()) == 0) {
+                throw new Exception("WRONG_REGISTRATION_SHARED_SECRET");
+            } else {
+                throw $e;
+            }
+        }
     }
 
     function exec_curl_request($handle) {
         $response = curl_exec($handle);
-
         if ($response === false) {
             $errno = curl_errno($handle);
             $error = curl_error($handle);
@@ -115,7 +136,6 @@ class MatrixConnection
             curl_close($handle);
             return false;
         }
-
         $http_code = intval(curl_getinfo($handle, CURLINFO_HTTP_CODE));
         curl_close($handle);
 
@@ -127,18 +147,18 @@ class MatrixConnection
             $response = json_decode($response, true);
             error_log("Request has failed with error {$response['error']}\n");
             if ($http_code == 401) {
-				throw new Exception('Invalid access token provided');
+                throw new Exception("AUTHENTICATION_FAILED");
             }
         } else {
             $response = json_decode($response, true);
         }
-
         return $response;
     }
+
 }
 
-class MatrixMessage
+class MatrixMessage {
-{
+
     private $message;
 
     function __construct() {
@@ -166,4 +186,5 @@ class MatrixMessage
         return $this->message;
     }
 }
+
 ?>

README.md

@@ -1,27 +1,55 @@
 # matrix-register-bot
+![state: alpha](https://img.shields.io/badge/state-alpha-yellowgreen.svg)
+[![#matrix-register-bot:msg-net.de](https://img.shields.io/badge/matrix-%23matrix--register--bot%3Amsg--net.de-brightgreen.svg)](https://matrix.to/#/#matrix-register-bot:msg-net.de)
 
-This bot provides a two-step-registration for matrix.
+This bot provides a two-step-registration for matrix ([synapse](https://github.com/matrix-org/synapse)).
 
 This is done in several steps:
-- potential new user registers on a bot-provided side
+- potential new user registers on a bot-provided site
+- user has to verify its mail address
 - bot sends a message to predefined room with a registration notification.
 - users in that room now can approve or decline the registration.
 - When approved
-  - the bot creates credentials
+  - the bot creates short time credentials
   - sends them to the user
-  - stores them encrypted in own database
+  - stores them encrypted in own databas or uses that as initial password for registration
-  - provides that credentials to [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth#integrate) which has to be configured to query login.php
 
-2nd step: Implement the other apis to integrade [mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/backends/rest.md)
+There are two operation modes available:
+- `operationMode=synapse`
+    - No adjustments on your running environment are required. This bot uses the the [Shared-Secret Registration of synapse](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/register_api.rst) to register the users.
+- `operationMode=local`:
+    - Bot handles user management. Therefore it stores the user-data and uses [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth#integrate) to authenticate the users.
+    - This way it is possible to set the display name of a user on first login (first- and lastname instead of username)
+    - The email address of the user can be used to implement third party lookup (requires [mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/stores/rest.md))
+    - search for users you have not seen yet but are available on the server
+
+## Requirements
+
+- Working PHP environment with
+  - database connection provider \[one of sqlite, mysql, postgres\]
+  - curl extension
+  - mail capability to interact with the users (verification, approval (+ initial password), notifications)
+      - either via sendmail or with credentials
+- [composer](https://getcomposer.org) installed
+- [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) when using `operationMode=local`
 
 ## How to install
 
-- Copy `config.sample.php` to `config.php` and configure the bot as you can find there
+```
-- Configure your webserver to publish the folder `public` and configure.
+git clone https://github.com/krombel/matrix-register-bot
-  The folder `internal` contains files that can be accessed by mxisd or matrix-synapse-rest-auth
+cd matrix-register-bot
-- To integrate with matrix-synapse-rest-auth:
+composer install
+cp config.sample.php config.php
+editor config.php
+```
+- Configure your webserver to have the folder `public` accessible via web.
+
+
+When running `operationMode=local`:
+- Configure your webserver to provide the folder `internal` internally. This is only meant to be accessible by mxisd and matrix-synapse-rest-auth 
+- To integrate with [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth):
   - `/_matrix-internal/identity/v1/check_credentials` should map to `internal/login.php`
-- To integrate with mxisd: Have a look at [the docs](https://github.com/kamax-io/mxisd/blob/master/docs/backends/rest.md) and apply as follows:
+- To integrate with [mxisd](https://github.com/kamax-io/mxisd): Have a look at [the docs of mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/stores/rest.md) and apply as follows:
 
 
 | Key                            | file which handles that       | Description                                          |
@@ -30,3 +58,27 @@ This is done in several steps:
 | rest.endpoints.directory       | internal/directory_search.php | Search for users by arbitrary input                  |
 | rest.endpoints.identity.single | internal/identity_single.php  | Endpoint to query a single 3PID                      |
 | rest.endpoints.identity.bulk   | internal/identity_bulk.php    | Endpoint to query a list of 3PID                     |
+
+
+## Further notes:
+
+### Security: Passwords from registration form are stored in clear text
+Currently the passwords which are typed in while capturing the register request are stored in clear text.
+The bot needs to access them to trigger a register request with correct credentials.
+It is currently strongly recommended to set `"getPasswordOnRegistration" => false` in your config!
+This leads to autocreating passwords which will then be send to the users directly without storing it.
+
+### Use the ChangePasswortInterceptor (if `operationMode=local`)
+
+To allow users to change their pasword you need a reverse proxy which maps `/_matrix/client/r0/account/password` to `internal/intercept_change_password.php`.
+Here is an example for nginx:
+```
+        location /_matrix/client/r0/account/password {
+                proxy_pass http://localhost/mxbot/internal/intercept_change_password.php;
+                proxy_set_header X-Forwarded-For $remote_addr;
+        }
+```
+### The bot postpones some actions
+There is a cron.php which implements retries and database cleanups (e.g. to remove a username claim)
+For this run cron.php regularly with your system of choice.
+A suggested interval is once per day

composer.json

@@ -0,0 +1,15 @@
+{
+    "name": "krombel/matrix-register-bot",
+    "description": "Register-Bot which implements a 2-factor registration for synapse servers to take part on matrix-communication",
+    "type": "project",
+    "require": {
+        "phpmailer/phpmailer": "^6.0"
+    },
+    "license": "Apache-2.0",
+    "authors": [
+        {
+            "name": "Krombel",
+            "email": "krombel@krombel.de"
+        }
+    ]
+}

composer.lock

@@ -0,0 +1,84 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+        "This file is @generated automatically"
+    ],
+    "content-hash": "6d67203b6e9fc952ae681c538683a497",
+    "packages": [
+        {
+            "name": "phpmailer/phpmailer",
+            "version": "v6.0.6",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/PHPMailer/PHPMailer.git",
+                "reference": "8190d73eb5def11a43cfb020b7f36db65330698c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/8190d73eb5def11a43cfb020b7f36db65330698c",
+                "reference": "8190d73eb5def11a43cfb020b7f36db65330698c",
+                "shasum": ""
+            },
+            "require": {
+                "ext-ctype": "*",
+                "ext-filter": "*",
+                "php": ">=5.5.0"
+            },
+            "require-dev": {
+                "doctrine/annotations": "1.2.*",
+                "friendsofphp/php-cs-fixer": "^2.2",
+                "phpdocumentor/phpdocumentor": "2.*",
+                "phpunit/phpunit": "^4.8 || ^5.7",
+                "zendframework/zend-eventmanager": "3.0.*",
+                "zendframework/zend-i18n": "2.7.3",
+                "zendframework/zend-serializer": "2.7.*"
+            },
+            "suggest": {
+                "ext-mbstring": "Needed to send email in multibyte encoding charset",
+                "hayageek/oauth2-yahoo": "Needed for Yahoo XOAUTH2 authentication",
+                "league/oauth2-google": "Needed for Google XOAUTH2 authentication",
+                "psr/log": "For optional PSR-3 debug logging",
+                "stevenmaguire/oauth2-microsoft": "Needed for Microsoft XOAUTH2 authentication",
+                "symfony/polyfill-mbstring": "To support UTF-8 if the Mbstring PHP extension is not enabled (^1.2)"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "PHPMailer\\PHPMailer\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "LGPL-2.1"
+            ],
+            "authors": [
+                {
+                    "name": "Jim Jagielski",
+                    "email": "jimjag@gmail.com"
+                },
+                {
+                    "name": "Marcus Bointon",
+                    "email": "phpmailer@synchromedia.co.uk"
+                },
+                {
+                    "name": "Andy Prevost",
+                    "email": "codeworxtech@users.sourceforge.net"
+                },
+                {
+                    "name": "Brent R. Matzelle"
+                }
+            ],
+            "description": "PHPMailer is a full-featured email creation and transfer class for PHP",
+            "time": "2018-11-16T00:41:32+00:00"
+        }
+    ],
+    "packages-dev": [],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": [],
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": [],
+    "platform-dev": []
+}

config.sample.php

@@ -5,6 +5,18 @@ $config = [
 
     // Which e-mail-adresse shall the bot use to send e-mails?
     "register_email" => 'register_bot@example.com',
+
+    // which settings should be used to send via SMTP Gateway?
+    "smtp" => [
+        "host" => "localhost",
+        "port" => "25",
+        // use authentication?
+        "user" => "register@example.com",
+        "password" => "SecretEMailPassword",
+        // Use some encryption to SMTP-Server? [ssl, tls] or unset
+        "encryption" => False
+    ],
+
     // Where should the bot post registration requests to?
     "register_room" => '$registerRoomID:example.com',
 
@@ -14,9 +26,22 @@ $config = [
     // optional: Do you have a place where howTo's are located? If not leave this value out
     "howToURL" => "https://my-url-for-storing-howTos.net",
 
+    // set the mode of operation. Basically this defines where the data is stored:
+    // - synapse (using the register endpoint - so no further auth config necessary
+    // - local (recommended; using a table in the database to store credentials;
+    //   synapse has to be configured to use that)
+    "operationMode" => "local",
+
+    // This setting is only required for operationMode = synapse
+    "registration_shared_secret" => "SOME_SECRET_KEY_FROM_HOMESERVER_CONFIG",
+
     // When you want to collect the password on registration set this to true
+    // only evaluated when operationMode = local
     "getPasswordOnRegistration" => false,
 
+    // default language: one of [ en-gb | de-de ]
+    "defaultLanguage" => "en-gb",
+
     // to define where the data should be stored:
     "databaseURI" => "sqlite:" . dirname(__FILE__) . "/db_file.sqlite",
     // credentials for sqlite not used

cron.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,17 +14,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once("config.php");
+require_once(__DIR__ . "/config.php");
-require_once("mail_templates.php");
+require_once(__DIR__ . "/language.php");
-require_once("database.php");
+require_once(__DIR__ . "/mail_templates.php");
+require_once(__DIR__ . "/database.php");
 
-$sql = "SELECT id, first_name, last_name, username, email, state, note, verify_token, admin_token FROM registrations "
+$sql = "SELECT id, first_name, last_name, username, password, email,"
+        . " state, note, verify_token, admin_token "
+        . "FROM registrations "
         . "WHERE state = " . RegisterState::PendingEmailSend
         . " OR state = " . RegisterState::PendingAdminSend
         . " OR state = " . RegisterState::PendingRegistration
-. " OR state = " . RegisterState::PendingSendRegistrationMail
+        . " OR state = " . RegisterState::PendingSendRegistrationMail . ";";
-. " OR state = " . RegisterState::RegistrationDeclined
-. " OR state = " . RegisterState::AllDone . ";";
 foreach ($mx_db->query($sql) as $row) {
     $first_name = $row["first_name"];
     $last_name = $row["last_name"];
@@ -36,10 +38,7 @@ foreach ($mx_db->query($sql) as $row) {
             case RegisterState::PendingEmailSend:
                 $verify_url = $config["webroot"] . "/verify.php?t=" . $row["verify_token"];
                 $success = send_mail_pending_verification(
-						$config["homeserver"],
+                        $config["homeserver"], $row["first_name"] . " " . $row["last_name"], $row["email"], $verify_url);
-						$row["first_name"] . " " . $row["last_name"],
-						$row["email"],
-						$verify_url);
 
                 if ($success) {
                     $mx_db->setRegistrationStateById(RegisterState::PendingEmailVerify, $row["id"]);
@@ -48,16 +47,22 @@ foreach ($mx_db->query($sql) as $row) {
                 }
                 break;
             case RegisterState::PendingAdminSend:
-				require_once("MatrixConnection.php");
+                require_once(__DIR__ . "/MatrixConnection.php");
                 $adminUrl = $config["webroot"] . "/verify_admin.php?t=" . $row["admin_token"];
                 $mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);
                 $mxMsg = new MatrixMessage();
-				$mxMsg->set_body($first_name . ' ' . $last_name . " möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
+                $mxMsg->set_body(strtr($language["MSG_USER_WANTS_REGISTER"], [
-						. $row["note"] . "\r\n"
+                    "@name" => (strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username),
-						. "Zum Bearbeiten hier klicken:\r\n" . $adminUrl);
+                    "@note" => $note,
-				$mxMsg->set_formatted_body($first_name . ' ' . $last_name . " möchte sich registrieren und hat folgende Notiz hinterlassen:<br />"
+                    "@adminUrl" => $adminUrl
-						. $row["note"] . "<br />"
+                ]));
-						. "Zum Bearbeiten <a href=\"". $adminUrl . "\">hier</a> klicken");
+                if (isset($language["MSG_USER_WANTS_REGISTER_FORMATTED"])) {
+                    $mxMsg->set_formatted_body(strtr($language["MSG_USER_WANTS_REGISTER_FORMATTED"], [
+                        "@name" => (strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username),
+                        "@note" => $note,
+                        "@adminUrl" => $adminUrl
+                    ]));
+                }
                 $mxMsg->set_type("m.text");
                 $response = $mxConn->send($config["register_room"], $mxMsg);
 
@@ -71,11 +76,29 @@ foreach ($mx_db->query($sql) as $row) {
                 break;
             case RegisterState::PendingRegistration:
                 // Registration got accepted but registration failed
-
+                switch ($config["operationMode"]) {
-				$password = $mx_db->addUser($row["first_name"], $row["last_name"], $row["username"], $row["email"]);
+                    case "synapse":
+                        // register with registration_shared_secret
+                        // generate a password with 10 characters
+                        $password = bin2hex(openssl_random_pseudo_bytes(5));
+                        $res = $mxConn->register($row["username"], $password, $config["registration_shared_secret"]);
+                        if (!$res) {
+                            // something went wrong while registering
+                            $password = NULL;
+                        }
+                        break;
+                    case "local":
+                        // register by adding a user to the local database
+                        $password = $mx_db->addUser($row["first_name"], $row["last_name"], $row["username"], $row["password"], $row["email"]);
+                        break;
+                    default:
+                        throw new Exception("Unknown operationMode");
+                }
                 if ($password != NULL) {
                     // send registration_success
-					$res = send_mail_registration_success($config["homeserver"], $first_name . " " . $last_name, $email, $username, $password, $config["howToURL"]);
+                    $res = send_mail_registration_success(
+                            $config["homeserver"], strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username, $email, $username, $password, $config["howToURL"]
+                    );
                     if ($res) {
                         $mx_db->setRegistrationStateById(RegisterState::AllDone, $row["id"]);
                     } else {
@@ -85,7 +108,9 @@ foreach ($mx_db->query($sql) as $row) {
                     send_mail_registration_allowed_but_failed($config["homeserver"], $first_name . " " . $last_name, $email);
                     $mxMsg = new MatrixMessage();
                     $mxMsg->set_type("m.text");
-					$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
+                    $mxMsg->set_body(strtr($language["REGISTRATION_FAILED_FOR"], [
+                        "@name" => strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username,
+                    ]));
                     $mxConn->send($config["register_room"], $mxMsg);
                     throw new Exception($language["REGISTRATION_FAILED"]);
                 }
@@ -93,14 +118,29 @@ foreach ($mx_db->query($sql) as $row) {
             case RegisterState::PendingSendRegistrationMail:
                 print ("Error: Unhandled state: PendingSendRegistrationMail for " . $first_name . " " . $last_name . " (" . $username . ")\n");
                 break;
-			case RegisterState::RegistrationDeclined:
-			case RegisterState::AllDone:
-				// do reqular cleanup
-				break;
         }
     } catch (Exception $e) {
         print("Error while handling cron for " . $first_name . " " . $last_name . " (" . $username . ")\n");
         print($e->getMessage());
     }
 }
+
+try {
+    //cleanup: all finished entries older than one month
+    $timestamp = date('Y-m-d H:m:s', strtotime("-1 month"));
+    $mx_db->query("DELETE FROM registrations "
+            . "WHERE request_date < '$timestamp'"
+            . " AND (state = " . RegisterState::RegistrationDeclined
+            . " OR state = " . RegisterState::AllDone . " );"
+    );
+    //cleanup: all entries which are pending email registration older than two days
+    $timestamp = date('Y-m-d H:m:s', strtotime("-2 days"));
+    $mx_db->query("DELETE FROM registrations "
+            . "WHERE request_date < '$timestamp'"
+            . " AND state = " . RegisterState::PendingEmailVerify . ";"
+    );
+} catch (Exception $e) {
+    print("Error while database cleanup\n");
+    print($e->getMessage());
+}
 ?>

database.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,13 +14,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once("config.php");
+require_once(__DIR__ . "/config.php");
 if (!isset($config["databaseURI"])) {
     throw new Exception("malformed configuration: databaseURI not defined");
 }
 
-abstract class RegisterState
+abstract class RegisterState {
-{
+
     // Sending an E-Mail failed in the first attempt. Will retry later
     const PendingEmailSend = 0;
     // User got a mail. We wait for it to verfiy
@@ -30,21 +31,19 @@ abstract class RegisterState
     const PendingAdminVerify = 6;
     // Registration failed on first attempt. Will retry
     const PendingRegistration = 7;
-
     // in this case we have to reset the password of the user (or should we store it for this case?)
     const PendingSendRegistrationMail = 8;
-
     // State to allow persisting in the database although an admin declined it.
     // Will be removed regularly
     const RegistrationAccepted = 7;
     const RegistrationDeclined = 13;
-
     // User got successfully registered. Will be cleaned up later
     const AllDone = 100;
+
 }
 
-class mxDatabase
+class mxDatabase {
-{
+
     private $db = NULL;
 
     /**
@@ -79,7 +78,7 @@ class mxDatabase
 			first_name TEXT,
 			last_name TEXT,
 			username TEXT,
-			password_hash TEXT DEFAULT '',
+			password TEXT DEFAULT '',
 			note TEXT,
 			email TEXT,
 			verify_token TEXT,
@@ -99,7 +98,7 @@ class mxDatabase
 			)");
         // make sure the bot is allowed to login
         if (!$this->userRegistered("register_bot")) {
-			$password = $this->addUser("Register", "Bot", "register_bot", $config["register_email"]);
+            $password = $this->addUser("Register", "Bot", "register_bot", NULL, $config["register_email"]);
             $config["register_password"] = $password;
             $myfile = fopen(dirname(__FILE__) . "/config.json", "w");
             fwrite($myfile, json_encode($config, JSON_PRETTY_PRINT));
@@ -164,6 +163,7 @@ class mxDatabase
         }
         return false;
     }
+
     function userRegistered($username) {
         $sql = "SELECT COUNT(*) FROM logins WHERE localpart = '" . $username . "' LIMIT 1;";
         $res = $this->db->query($sql);
@@ -184,7 +184,7 @@ class mxDatabase
      *
      * @return ["verify_token"]
      */
-	function addRegistration($first_name, $last_name, $username, $note, $email) {
+    function addRegistration($first_name, $last_name, $username, $password, $note, $email) {
         if ($this->userPendingRegistrations($username)) {
             throw new Exception("USERNAME_PENDING_REGISTRATION");
         }
@@ -196,8 +196,9 @@ class mxDatabase
         $admin_token = bin2hex(random_bytes(16));
 
         $this->db->exec("INSERT INTO registrations
-			(first_name, last_name, username, note, email, verify_token, admin_token)
+                (first_name, last_name, username, password, note, email, verify_token, admin_token)
-			VALUES ('" . $first_name."','" . $last_name . "','" . $username . "','"	. $note . "','"
+		VALUES ('" . $first_name . "','" . $last_name . "','"
+                . $username . "','" . $password . "','" . $note . "','"
                 . $email . "','" . $verify_token . "','" . $admin_token . "')");
 
         return [
@@ -215,10 +216,9 @@ class mxDatabase
         $sql = "SELECT COUNT(*) FROM registrations WHERE admin_token = '" . $admin_token . "'"
                 . " AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
         $res = $this->db->query($sql);
-		$first_name = NULL; $last_name = NULL; $username = NULL; $note = NULL; $email = NULL;
 
         if ($res->fetchColumn() > 0) {
-			$sql = "SELECT first_name, last_name, username, note, email FROM registrations"
+            $sql = "SELECT first_name, last_name, username, password, note, email FROM registrations"
                     . " WHERE admin_token = '" . $admin_token . "'"
                     . " AND state = " . RegisterState::PendingAdminVerify
                     . " LIMIT 1;";
@@ -240,10 +240,9 @@ class mxDatabase
         $sql = "SELECT COUNT(*) FROM registrations WHERE verify_token = '" . $verify_token . "'"
                 . " AND state = " . RegisterState::PendingEmailVerify . " LIMIT 1;";
         $res = $this->db->query($sql);
-		$first_name = NULL; $last_name = NULL; $username = NULL; $note = NULL; $email = NULL;
 
         if ($res->fetchColumn() > 0) {
-			$sql = "SELECT first_name, last_name, note, email, admin_token FROM registrations "
+            $sql = "SELECT first_name, last_name, note, email, username, admin_token FROM registrations "
                     . " WHERE verify_token = '" . $verify_token . "'"
                     . " AND state = " . RegisterState::PendingEmailVerify . " LIMIT 1;";
             foreach ($this->db->query($sql) as $row) {
@@ -284,14 +283,16 @@ class mxDatabase
      * 			NULL when failed
      *
      */
-	function addUser($first_name, $last_name, $username, $email) {
+    function addUser($first_name, $last_name, $username, $password, $email) {
         // check if user already exists and abort in that case
         if ($this->userRegistered($username)) {
             return NULL;
         }
 
+        if ($password == NULL) {
             // generate a password with 10 characters
             $password = bin2hex(openssl_random_pseudo_bytes(5));
+        }
         $password_hash = password_hash($password, PASSWORD_BCRYPT, ["cost" => 12]);
 
         $sql = "INSERT INTO logins (first_name, last_name, localpart, password_hash, email) VALUES "
@@ -361,6 +362,7 @@ class mxDatabase
         }
         return $result;
     }
+
 }
 
 if (!isset($mx_db)) {

helpers.php

@@ -1,4 +1,19 @@
 <?php
+
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 function stripLocalpart($mxid) {
     $localpart = NULL;
     if (!empty($mxid)) {
@@ -15,4 +30,13 @@ function stripLocalpart($mxid) {
     return $localpart;
 }
 
+function getCurlHandle($url) {
+    $handle = curl_init($url);
+    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
+    curl_setopt($handle, CURLOPT_TIMEOUT, 60);
+    curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
+    return $handle;
+}
+
 ?>

internal/directory_search.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once("../database.php");
+require_once(__DIR__ . "/../database.php");
 $response = [
     "limited" => false,
     "result" => [],
@@ -39,12 +40,11 @@ try {
             $response["result"] = $mx_db->searchUserByEmail($input["search_term"]);
             break;
         default:
-            throw new Exception("unknown type for \"by\" param");
+            throw new Exception('unknown type for "by" param');
     }
-    
 } catch (Exception $e) {
     error_log("failed with error: " . $e->getMessage());
     $response["error"] = $e->getMessage();
 }
-print (json_encode($response, JSON_PRETTY_PRINT) . "\n");
+print (json_encode($response, JSON_PRETTY_PRINT));
 ?>

internal/identity_bulk.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once("../database.php");
+require_once(__DIR__ . "/../database.php");
 $response = [
     "lookup" => []
 ];
@@ -37,7 +38,7 @@ try {
         if (!isset($lookup["address"])) {
             throw new Exception('"lookup.address" is not defined');
         }
-        $res2 = array();
+        $res2 = NULL;
         switch ($lookup["medium"]) {
             case "email":
                 $res2 = $mx_db->searchUserByEmail($lookup["address"]);
@@ -54,14 +55,16 @@ try {
                 }
                 break;
             case "msisdn":
+                // This is reserved for number lookups
+                throw new Exception("unimplemented lookup medium");
                 break;
             default:
-                throw new Exception("unknown type for \"by\" param");
+                throw new Exception("unknown lookup medium");
         }
     }
 } catch (Exception $e) {
     error_log("ídentity_bulk failed with error: " . $e->getMessage());
     $response["error"] = $e->getMessage();
 }
-print (json_encode($response, JSON_PRETTY_PRINT) . "\n");
+print (json_encode($response, JSON_PRETTY_PRINT));
 ?>

internal/identity_single.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once("../database.php");
+require_once(__DIR__ . "/../database.php");
 $response = new stdClass;
 try {
     $inputJSON = file_get_contents('php://input');
@@ -30,7 +31,7 @@ try {
     if (!isset($input["lookup"]["address"])) {
         throw new Exception('"lookup.address" is not defined');
     }
-    $res2 = array();
+    $res2 = NULL;
     switch ($input["lookup"]["medium"]) {
         case "email":
             $res2 = $mx_db->searchUserByEmail($input["lookup"]["address"]);
@@ -46,15 +47,19 @@ try {
                     ]
                 ];
             }
-            
+            break;
-
+        case "msisdn":
+            // This is reserved for number lookups
+            throw new Exception("unimplemented lookup medium");
             break;
         default:
-            throw new Exception("unknown type for \"by\" param");
+            throw new Exception("unknown lookup medium");
     }
 } catch (Exception $e) {
-    error_log("ídentity_bulk failed with error: " . $e->getMessage());
+    error_log("ídentity_single failed with error: " . $e->getMessage());
-    $response["error"] = $e->getMessage();
+    $response = [
+        "error" => $e->getMessage()
+    ];
 }
-print (json_encode($response, JSON_PRETTY_PRINT) . "\n");
+print (json_encode($response, JSON_PRETTY_PRINT));
 ?>

internal/intercept_change_password.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,7 +14,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 // URL for this: /_matrix/client/r0/account/password?access_token=$ACCESS_TOKEN
 
 header('Access-Control-Allow-Origin: *');
@@ -44,22 +44,19 @@ try {
         throw new Exception('"new_password" is not defined');
     }
 
-	require_once("../helpers.php");
+    require_once(__DIR__ . "/../helpers.php");
     $localpart = stripLocalpart($input["auth"]["user"]);
 
     if (empty($localpart)) {
         throw new Exception("localpart cannot be identified");
     }
 
-	require_once("../database.php");
+    require_once(__DIR__ . "/../database.php");
     if (!$mx_db->updatePassword(
-		$localpart,
+                    $localpart, $input["auth"]["password"], $input["new_password"]
-		$input["auth"]["password"],
-		$input["new_password"]
             )) {
         throw new Exception("invalid credentials or another error while updating");
     }
-
 } catch (Exception $e) {
     header("HTTP/1.0 500 Internal Error");
     error_log("failed with error: " . $e->getMessage());

internal/login.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,19 +20,22 @@ $response = [
     ]
 ];
 
-require_once("../database.php");
+require_once(__DIR__ . "/../database.php");
+
 abstract class LoginRequester {
+
     const UNDEFINED = 0;
     const MXISD = 1;
     const RestAuth = 2;
+
 }
+
 $loginRequester = LoginRequester::UNDEFINED;
 
 try {
     $inputJSON = file_get_contents('php://input');
     $input = json_decode($inputJSON, TRUE);
-    $mxid = NULL;
+    $mxid = $localpart = NULL;
-    $localpart = NULL;
     if (isset($input["user"])) {
         if (isset($input["user"]["localpart"])) {
             $localpart = $input["user"]["localpart"];
@@ -45,12 +49,14 @@ try {
             $mxid = $input["user"]["mxid"];
             $loginRequester = LoginRequester::MXISD;
         }
+    } else {
+        throw new Exception('"user" not in request body');
     }
 
     // prefer the localpart attribute of mxisd. But in case of matrix-synapse-rest-auth
     // we have to parse it on our own
     if (empty($localpart)) {
-	require_once("../helpers.php");
+        require_once(__DIR__ . "/../helpers.php");
         $localpart = stripLocalpart($mxid);
     }
 
@@ -59,7 +65,7 @@ try {
     }
 
     $password = NULL;
-    if (isset($input["user"]) && isset($input["user"]["password"])) {
+    if (isset($input["user"]["password"])) {
         $password = $input["user"]["password"];
     }
     if (empty($password)) {
@@ -95,11 +101,12 @@ try {
             // only return that it was successful.
             // we do not know how the data shall be transmitted so we do nothing with it
             $response["auth"]["success"] = false;
+            $response["auth"]["error"] = "unidentified requester";
             break;
     }
 } catch (Exception $e) {
     error_log("Auth failed with error: " . $e->getMessage());
     $response["auth"]["error"] = $e->getMessage();
 }
-print (json_encode($response, JSON_PRETTY_PRINT) . "\n");
+print (json_encode($response, JSON_PRETTY_PRINT));
 ?>

lang/lang.de-de.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,28 +15,60 @@
  * limitations under the License.
  */
 $language = array(
+    "ACCEPT" => "Akzeptieren",
+    "DECLINE" => "Ablehnen",
+    "DECLINE_REASON" => "Grund für die Ablehnung",
+    "SUBMIT" => "Abschicken",
+    "MAKE_A_SELECTION" => "Treffe eine Auswahl",
+    "SUCCESS" => "Erfolgreich",
+    "FIRST_NAME" => "Vorname",
+    "LAST_NAME" => "Nachname",
+    "USERNAME" => "Nutzername (für den Login)",
+    "PASSWORD" => "Passwort",
+    "PASSWORD_CONFIRM" => "Passwort bestätigen",
+    "EMAIL_ADDRESS" => "E-Mail-Adresse",
+    "REGISTER" => "Registrieren",
+    "NOTE" => "Hinweis",
     "NO_CONFIGURATION" => "Es konnte keine Konfiguration gefunden werden.",
+    "UNKNOWN_ERROR" => "Unbekannter Fehler",
     "UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
     "UNKNOWN_USERNAME" => "Nutzername fehlt",
     "UNKNOWN_TOKEN" => "Token ist unbekannt",
-    "USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
+    "AUTHENTICATION_FAILED" => "Authentifizierung fehlgeschlagen",
+    "WRONG_REGISTRATION_SHARED_SECRET" => "registration_shared_secret fehlerhaft",
+    "USERNAME_INVALID" => "Nutzername muss aus 3 bis 20 Kleinbuchstaben und Zahlen bestehen",
     "USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
     "USERNAME_PENDING_REGISTRATION" => "Dieser Nutzername wurde bereits zur Registrierung vorgemerkt. Versuche es später noch einmal oder wähle einen anderen Nutzernamen",
     "USERNAME_REGISTERED" => "Dieser Nutzername wurde bereits registriert. Bitte wähle einen anderen Nutzernamen",
+    "PASSWORD_NOT_PROVIDED" => "Ein oder beide Passwörter wurden nicht gesetzt",
     "PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
     "NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
+    "PLACEHOLDER_NOTE_ABOUT_YOURSELF" => "Notiz zu dir (max. 50 Zeichen)",
     "EMAIL_INVALID_FORMAT" => "Keine valide E-Mail-Adresse angegeben",
-    "FIRSTNAME_INVALID_FORMAT" => "Vorname hat ungültiges Format",
+    "FIRSTNAME_INVALID_FORMAT" => "Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben",
-    "SIRNAME_INVALID_FORMAT" => "Nachname hat ungültiges Format",
+    "SIRNAME_INVALID_FORMAT" => "Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben",
     "SEND_MAIL_FAIL" => "Senden der E-Mail fehlgeschlagen",
     "SEND_MATRIX_FAIL" => "Senden einer Nachricht an die Administratoren fehlgeschlagen",
+    "TASK_CHECK_YOUR_EMAIL_VERIFY" => "Bitte prüfe deine E-Mails um deine Adresse zu bestätigen",
     "REGISTRATION_REQUEST_FAILED" => "Registrierungsanfrage ist fehlgeschlagen",
     "REGISTRATION_FAILED" => "Registrierung ist fehlgeschlagen",
+    "REGISTRATION_FAILED_FOR" => "Registrierung für @user ist fehlgeschlagen",
     "VERIFICATION_SUCEEDED" => "Verifizierung erfolgreich",
     "VERIFICATION_FAILED" => "Verifizierung fehlgeschlagen",
     "VERIFICATION_SUCCESS_BODY" => "Vielen Dank. Die Administratoren wurden informiert",
     "ADMIN_VERIFY_SITE_TITLE" => "Registrierungsanfrage bearbeiten",
     "ADMIN_REGISTER_ACCEPTED_BODY" => "Die Registrierungsanfrage wurde akzeptiert. Der Nutzer wurde per Mail informiert.",
     "ADMIN_REGISTER_DECLINED_BODY" => "Die Registrierungsanfrage wurde angelehnt. Der Nutzer wurde per Mail informiert.",
+    "JUMP_TO_HOMEPAGE" => "Zur Startseite",
+    "TOPIC_PLEASE_REGISTER" => "Bitte für @homeserver registrieren",
+    "TOPIC_PLEASE_REGISTER_NOTE" => "2-Schritt-Registrierung",
+    "NOTE_FOR_REGISTRATION" => "@homeserver ist ein geschlossenes Chat-Netzwerk in dem jeder Nutzer bestätigt werden muss.<br />
+        Du bekommst eine E-Mail wenn jemand deine Mitgliedschaft bestätigt hat. An diese wird auch dein initiales Passwort gesendet.
+        Hinterlasse also bitte einen Hinweis zu dir (den nur die Administratoren sehen werden).<br />
+        Liebe Grüße vom Team von @homeserver",
+    "MSG_USER_WANTS_REGISTER" => "@name möchte sich registrieren und hat folgende Notiz hinterlassen:
+            @note \r\nZum Bearbeiten hier klicken:\r\n @adminUrl",
+    "MSG_USER_WANTS_REGISTER_FORMATTED" => "@name möchte sich registrieren und hat folgende Notiz hinterlassen:<br />
+                @note <br />Zum Bearbeiten <a href=\"@adminUrl\">hier</a> klicken",
 );
 ?>

lang/lang.en-gb.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+$language = array(
+    "ACCEPT" => "Accept",
+    "DECLINE" => "Decline",
+    "DECLINE_REASON" => "Reason for declining",
+    "SUBMIT" => "Submit",
+    "MAKE_A_SELECTION" => "Make a selection",
+    "SUCCESS" => "Success",
+    "FIRST_NAME" => "First name",
+    "LAST_NAME" => "Last name",
+    "USERNAME" => "username (for login)",
+    "PASSWORD" => "Password",
+    "PASSWORD_CONFIRM" => "Confirm password",
+    "EMAIL_ADDRESS" => "EMail Address",
+    "REGISTER" => "Register",
+    "NOTE" => "Note",
+    "NO_CONFIGURATION" => "No configuration found",
+    "UNKNOWN_ERROR" => "Unknown Error",
+    "UNKNOWN_SESSION" => "Session token not found of invalid.",
+    "UNKNOWN_USERNAME" => "username unknown",
+    "UNKNOWN_TOKEN" => "Token is unknown",
+    "AUTHENTICATION_FAILED" => "Authentication failed",
+    "WRONG_REGISTRATION_SHARED_SECRET" => "wrong registration_shared_secret",
+    "USERNAME_INVALID" => "Username has to consist of 3 to 20 small letters and numbers",
+    "USERNAME_NOT_ALNUM" => "Username is not alphanumeric",
+    "USERNAME_PENDING_REGISTRATION" => "This username is locked for registration. Try again later or try again with a different username",
+    "USERNAME_REGISTERED" => "This username is already registered. Please try again with another username",
+    "PASSWORD_NOT_PROVIDED" => "One or both passwords are not provided",
+    "PASSWORD_NOT_MATCH" => "passwords do not match",
+    "NOTE_LENGTH_EXEEDED" => "Note consists of more than 50 characters",
+    "PLACEHOLDER_NOTE_ABOUT_YOURSELF" => "Note about yourself (max. 50 characters)",
+    "EMAIL_INVALID_FORMAT" => "no valid email address",
+    "FIRSTNAME_INVALID_FORMAT" => "First name with invalid formatting",
+    "SIRNAME_INVALID_FORMAT" => "Sirname with invalid formatting",
+    "SEND_MAIL_FAIL" => "Email could not be sent",
+    "SEND_MATRIX_FAIL" => "Sending a message to the admins failed",
+    "TASK_CHECK_YOUR_EMAIL_VERIFY" => "Please check your emails to verify your email address",
+    "REGISTRATION_REQUEST_FAILED" => "Registration request failed",
+    "REGISTRATION_FAILED" => "Registration failed",
+    "REGISTRATION_FAILED_FOR" => "Registrierung für @user ist fehlgeschlagen",
+    "VERIFICATION_SUCEEDED" => "Verification suceeded",
+    "VERIFICATION_FAILED" => "Verification failed",
+    "VERIFICATION_SUCCESS_BODY" => "Thank you. The admins got informed",
+    "ADMIN_VERIFY_SITE_TITLE" => "Handle registration request",
+    "ADMIN_REGISTER_ACCEPTED_BODY" => "The registration request got accepted. The user got notified per email.",
+    "ADMIN_REGISTER_DECLINED_BODY" => "The registration request got declined. The user got notified per email.",
+    "JUMP_TO_HOMEPAGE" => "To homepage",
+    "TOPIC_PLEASE_REGISTER" => "Please register for @homeserver",
+    "TOPIC_PLEASE_REGISTER_NOTE" => "2-Step-Registration",
+    "NOTE_FOR_REGISTRATION" => "@homeserver is a closed chat network where every user has to be confirmed.<br />
+        You will get an email once sb. approved your registration. An initial password will be send to you afterwards.
+        Please leave a note about yourself (that will only be shown to the admins).<br />
+        Greetings from the team of @homeserver",
+    "MSG_USER_WANTS_REGISTER" => "@name wants to register and left the following note:
+            @note \r\nTo handle that request:\r\n @adminUrl",
+    "MSG_USER_WANTS_REGISTER_FORMATTED" => "@name wants to register and left the following note:<br />
+                @note <br />To handle that request click <a href=\"@adminUrl\">here</a>",
+);
+?>

lang/mail.de-de.php

@@ -0,0 +1,118 @@
+<?php
+
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
+    $subject = "Bitte bestätige Registrierung auf $homeserver";
+    $body = "Guten Tag " . $user . ",
+
+Du hast anscheinend versucht dich auf $homeserver zu registrieren.
+Hier gibt es eine zweistufige Registrierung.
+
+Wir möchten dich bitten, dass du kurz bestätigst, dass du die Registrierung durchgeführt hast.
+Gehe dafür auf folgenden Link:
+$verify_url
+
+Erst anschließend werden die Administratoren über deine Registrierungsanfrage informiert.
+
+Hinweis: Du hast ca. 48 Stunden Zeit um die Bestätigung durchzuführen.
+Danach ist eine Re-Registrierung mit deinem gewünschten Nutzernamen für andere wieder möglich.
+
+Vielen Dank für dein Verständnis.
+
+Das Administratoren-Team von " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_pending_approval($homeserver, $user, $receiver) {
+    $subject = "Registrierung wartet auf Bestätigung durch Administratoren";
+    $body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde verifiziert und wird nun durch die Administratoren überprüft.
+
+Du bekommst eine weitere E-Mail, sobald deine Registrierung bestätigt oder ablehnt wurde.
+
+Vielen Dank für dein Verständnis.
+
+Das Administratoren-Team von " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
+    $subject = "Registrierung auf $homeserver genehmigt";
+    $body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
+
+Leider ist beim Registrieren ein Fehler aufgetaucht. Der Registrierungversuch wird bald wiederholt.
+Wir hoffen, das Problem ist bald behoben.
+Wir melden uns, wenn die Registrierung erfolgreich war.
+
+Das Administratoren-Team von " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
+    $subject = "Registrierung auf $homeserver erfolgreich";
+    $body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
+
+Zum Anmelden kannst du folgende Zugangsdaten verwenden:
+Nutzername: $username
+Passwort: " . (empty($password) ? "wie selbst gesetzt": $password) . "
+
+Hinweis: Das Passwort kannst du aktuell über die App selbst ändern. Auch wenn das Passwort nirgends
+im Klartext gespeichert wird, kann jemand Zugriff auf diese Mail erlangen und so den Zugriff bekommen.
+";
+    /*
+      Wichtig: Bitte ändere das Passwort direkt nach der Anmeldung.
+      Es wird zwar von unserer Seite nicht gespeichert, doch fremde könnten Zugriff auf diese E-Mail
+      erhalten und so deinen Account kompromittieren.
+     */
+    if (!empty($howToURL)) {
+        $body .= "
+Zu weiteren Hilfestellungen findest du hier eine Auflistung von verschiedenen
+Anleitungen zu verschiedenen Clients:
+$howToURL\n";
+    }
+    $body .= "
+Viel Spaß bei der Verwendung von $homeserver.
+Bei Fragen findest du nach der Anmeldung ein paar Räume in denen du sie stellen kannst.
+
+Das Administratoren-Team von " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
+    $subject = "Registrierung auf $homeserver abgelehnt";
+    $body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.\n";
+
+    if (empty($reason)) {
+        $body .= "\nEs wurde kein Grund angegeben\n";
+    } else {
+        $body .= "\nAls Grund wurde folgendes angegeben:\n$reason\n";
+    }
+
+    $body .= "
+Wir hoffen, dass du dies akzeptieren kannst.
+
+Das Administratoren-Team von " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+?>

lang/mail.en-gb.php

@@ -0,0 +1,112 @@
+<?php
+
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
+    $subject = "Pleast approve your registration request on $homeserver";
+    $body = "Dear " . $user . ",
+
+It seems that you tried to register on $homeserver.
+This homeserver requires a two step registration.
+
+For this we want you to verify that you want to register. For this please click on this link:
+$verify_url
+
+The admins will informed about your registration request once you clicked on this link.
+
+Note: This registration request will be cleaned up in 48 hours.
+Others might take your username afterwards.
+
+Thanks for your patience.
+
+The admin team of " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_pending_approval($homeserver, $user, $receiver) {
+    $subject = "Registration is pending verification from an admin";
+    $body = "Dear " . $user . ",
+
+You have verified your registration request. The admins are now checking your request.
+
+You will get an email once they approve or decline your request.
+
+Sincerely,
+
+The admin team of " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
+    $subject = "Registration on $homeserver got approved";
+    $body = "Dear " . $user . ",
+
+Your registration request got approved by the admin team.
+
+But there was a problem when triggering the registration request. It will be retried in a few minutes.
+We hope that the issue will be fixed soon.
+You will get another email with initial credentials once the registration got handled completely.
+
+The admin team of " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
+    $subject = "Registration on $homeserver got approved";
+    $body = "Dear " . $user . ",
+
+Your registration request got verified by the admin team.
+
+To log in you can use the following credentials::
+Username: $username
+Passwort: " . (empty($password) ? "as self-set": $password) . "
+
+Important: Please change your password as soon as possible after your first login.
+The password is not stored in clear text on the server but people could get access to this mail
+and compromise your account.
+";
+    if (!empty($howToURL)) {
+        $body .= "
+You can find further help here::
+$howToURL\n";
+    }
+    $body .= "
+Enjoy your usage of $homeserver.
+You can ask further questions inside of the chat system.
+
+The admin team of " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
+    $subject = "Registration on $homeserver declined.";
+    $body = "Guten Tag " . $user . ",
+
+Your registration request got declined by the admin team.\n";
+
+    if (empty($reason)) {
+        $body .= "\nThey did not provide any reason for this\n";
+    } else {
+        $body .= "\nThey provide following hint for you:\n$reason\n";
+    }
+
+    $body .= "
+We hope that you can understand this reason.
+
+The admin team of " . $homeserver;
+    return send_mail($receiver, $subject, $body);
+}
+
+?>

language.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,7 +14,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-$lang = "de-de";
+require_once(__DIR__ . "/config.php");
+$lang = $config["defaultLanguage"];
+
 if (isset($_GET['lang'])) {
     $lang = filter_var($_GET['lang'], FILTER_SANITIZE_STRING);
 }
@@ -22,6 +25,7 @@ if (!file_exists($lang_file)) {
     error_log("Translation for " . $lang . " not found. Fallback to 'de-de'");
     $lang = "de-de";
 }
+$lang_file = __DIR__ . "/lang/lang." . $lang . ".php";
 require_once($lang_file);
 unset($lang_file);
 ?>

mail_templates.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Copyright 2018 Matthias Kesler
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,109 +14,65 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+require_once(__DIR__ . "/config.php");
+
+use PHPMailer\PHPMailer\PHPMailer;
+use PHPMailer\PHPMailer\Exception;
+require_once(__DIR__ . "/vendor/autoload.php");
+
+// standard mail implementation
 function send_mail($receiver, $subject, $body) {
-	include("config.php");
+    // somehow $config is not available when called again => reinit here
-	$headers = "From: " . $config["register_email"] . "\r\n"
+    include(__DIR__ . "/config.php");
-		. "Content-Type: text/plain;charset=utf-8";
+
-	return mail($receiver, $subject, $body, $headers);
+    $mail = new PHPMailer(true);
+    try {
+        $mail->CharSet = 'utf-8';                             // Enable utf-8 support for umlauts
+
+        if (is_array($config["smtp"])) {
+            $smtp_conf = $config["smtp"];
+            $mail->isSMTP();                                  // Set mailer to use SMTP
+            $mail->Host = $smtp_conf["host"];                 // Specify main and backup SMTP servers
+            $mail->Port = $smtp_conf["port"];                 // TCP port to connect to
+            if (!empty($smtp_conf["user"])) {
+                $mail->SMTPAuth = true;                       // Enable SMTP authentication
+                $mail->Username = $smtp_conf["user"];         // SMTP username
+                if (!empty($smtp_conf["password"])) {
+                    $mail->Password = $smtp_conf["password"]; // SMTP password
                 }
-
-function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
-	$subject = "Bitte bestätige Registrierung auf $homeserver";
-	$body = "Guten Tag " . $user . ",
-
-Du hast anscheinend versucht dich auf $homeserver zu registrieren.
-Hier gibt es eine zweistufige Registrierung.
-
-Wir möchten dich bitten, dass du kurz bestätigst, dass du die Registrierung durchgeführt hast.
-Gehe dafür auf folgenden Link:
-$verify_url
-
-Erst anschließend werden die Administratoren über deine Registrierungsanfrage informiert.
-
-Hinweis: Du hast ca. 48 Stunden Zeit um die Bestätigung durchzuführen.
-Danach ist eine Re-Registrierung mit deinem gewünschten Nutzernamen für andere wieder möglich.
-
-Vielen Dank für dein Verständnis.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body );
             }
-
+            if (!empty($smtp_conf["encryption"])) {
-function send_mail_pending_approval($homeserver, $user, $receiver) {
+                $mail->SMTPSecure = $smtp_conf["encryption"]; // Enable TLS encryption, `ssl` also accepted
-	$subject = "Registrierung wartet auf Bestätigung durch Administratoren";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde verifiziert und wird nun durch die Administratoren überprüft.
-
-Du bekommst eine weitere E-Mail, sobald deine Registrierung bestätigt oder ablehnt wurde.
-
-Vielen Dank für dein Verständnis.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body );
             }
-
-function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
-	$subject = "Registrierung auf $homeserver genehmigt.";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
-
-Leider ist beim Registrieren ein Fehler aufgetaucht. Der Registrierungversuch wird bald wiederholt.
-Wir hoffen, das Problem ist bald behoben.
-Wir melden uns, wenn die Registrierung erfolgreich war.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body);
-
-}
-
-function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
-	$subject = "Registrierung auf $homeserver erfolgreich.";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
-
-Zum Anmelden kannst du folgende Zugangsdaten verwenden:
-Nutzername: $username
-Passwort: $password
-
-Hinweis: Das Passwort kannst du aktuell über die App selbst ändern. Auch wenn das Passwort nirgends
-im Klartext gespeichert wird, kann jemand Zugriff auf diese Mail erlangen und so den Zugriff bekommen.
-";
-/*
-Wichtig: Bitte ändere das Passwort direkt nach der Anmeldung.
-Es wird zwar von unserer Seite nicht gespeichert, doch fremde könnten Zugriff auf diese E-Mail
-erhalten und so deinen Account kompromittieren.
- */
-if (!empty($howToURL)) {
-	$body .= "
-Zu weiteren Hilfestellungen findest du hier eine Auflistung von verschiedenen
-Anleitungen zu verschiedenen Clients:
-$howToURL\n";
-}
-	$body .= "
-Viel Spaß bei der Verwendung von $homeserver.
-Bei Fragen findest du nach der Anmeldung ein paar Räume in denen du sie stellen kannst.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body);
-
-}
-function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
-	$subject = "Registrierung auf $homeserver abgelehnt.";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.\n";
-
-	if (empty($reason)) {
-		$body .= "\nEs wurde kein Grund angegeben\n";
         } else {
-		$body .= "\nAls Grund wurde folgendes angegeben:\n$reason\n";
+            // fallback to sendmail functionality (as before)
+            $mail->isSendmail();
         }
 
-	$body .= "\nDas Administratoren-Team von " . $homeserver;
+        //Recipients
-	return send_mail($receiver, $subject, $body );
+        $mail->setFrom($config["register_email"], 'Register Service');
+        $mail->addAddress($receiver);
+        $mail->Subject = $subject;
+        $mail->Body    = $body;
+
+        $mail->send();
+        return True;
+    } catch (Exception $e) {
+        error_log('Message could not be sent. Mailer Error: ' . $mail->ErrorInfo);
+        return False;
     }
+}
+
+$lang = $config["defaultLanguage"];
+if (isset($_GET['lang'])) {
+    $lang = filter_var($_GET['lang'], FILTER_SANITIZE_STRING);
+}
+$lang_file = __DIR__ . "/lang/mail." . $lang . ".php";
+if (!file_exists($lang_file)) {
+    error_log("Mail templates for '" . $lang . "' not found. Fallback to 'de-de'");
+    $lang = "de-de";
+}
+$lang_file = __DIR__ . "/lang/mail." . $lang . ".php";
+require_once($lang_file);
+unset($lang_file);
 ?>

public/index.php

@@ -13,19 +13,31 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once "../language.php";
-if (!file_exists("../config.php")) {
-	print($language["NO_CONFIGURATION"]);
-	exit();
-}
-require_once "../config.php";
-
 // enforce admin via https
 if (!isset($_SERVER['HTTPS'])) {
     header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
     exit();
 }
 
+require_once(__DIR__ . "/../language.php");
+if (!file_exists(__DIR__ . "/../config.php")) {
+    print($language["NO_CONFIGURATION"]);
+    exit();
+}
+require_once(__DIR__ . "/../config.php");
+
+// this values will not be used when using the register operation type
+$storeFirstLastName = false;
+if (isset($config["operationMode"]) && $config["operationMode"] === "local") {
+    $storeFirstLastName = true;
+}
+
+// currently the case to store the password on our own is the only supported one
+$storePassword = false;
+if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"] &&
+        isset($config["operationMode"]) && $config["operationMode"] === "synapse") {
+    $storePassword = true;
+}
 session_start();
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
@@ -34,17 +46,23 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
             // token not present or invalid
             throw new Exception("UNKNOWN_SESSION");
         }
-		if (!isset($_POST["username"])) {
+        $username = filter_input(INPUT_POST, "username", FILTER_SANITIZE_STRING);
+        if (empty($username)) {
             throw new Exception("UNKNOWN_USERNAME");
         }
-		if (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
+        if (strlen($username) > 20 || strlen($username) < 3) {
-			throw new Exception("USERNAME_LENGTH_INVALID");
+            throw new Exception("USERNAME_INVALID");
         }
-		if (ctype_alnum($_POST['username']) != true) {
+        if (!ctype_alnum($username)) {
             throw new Exception("USERNAME_NOT_ALNUM");
         }
-		if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"] &&
+        if (strcmp($username, strtolower($username)) !== 0) {
-			$_POST["password"] != $_POST["password_confirm"]) {
+            throw new Exception("USERNAME_INVALID");
+        }
+        if ($storePassword && (!isset($_POST["password"]) || !isset($_POST["password_confirm"]))) {
+                throw new Exception("PASSWORD_NOT_PROVIDED");
+        }
+        if ($storePassword && $_POST["password"] != $_POST["password_confirm"]) {
             throw new Exception("PASSWORD_NOT_MATCH");
         }
         if (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
@@ -53,48 +71,49 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
         if (!isset($_POST["email"]) || !filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
             throw new Exception("EMAIL_INVALID_FORMAT");
         }
-		if (isset($_POST["first_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
+        if ($storeFirstLastName) {
+            // only require first_name and last_name when we will evaluate them
+            if (!isset($_POST["first_name"]) || !preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
                 throw new Exception("FIRSTNAME_INVALID_FORMAT");
             }
-		if (isset($_POST["last_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
+            if (!isset($_POST["last_name"]) || !preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
                 throw new Exception("SIRNAME_INVALID_FORMAT");
             }
-
             $first_name = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
             $last_name = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
-		$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
+        } else {
-		if (isset($_POST["password"])) {
+            $first_name = $last_name = "";
+        }
+
+        $password = "";
+        if ($storePassword && isset($_POST["password"])) {
             $password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
         }
         $note = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
         $email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
 
-		require_once("../database.php");
+        require_once(__DIR__ . "/../database.php");
-		$res = $mx_db->addRegistration($first_name, $last_name, $username, $note, $email);
+        $res = $mx_db->addRegistration($first_name, $last_name, $username, $password, $note, $email);
 
         if (!isset($res["verify_token"])) {
             error_log("sth. went wrong. registration did not throw but admin_token not set");
-			throw Exception ("Unknown Error");
+            throw Exception("UNKNOWN_ERROR");
         }
         $verify_token = $res["verify_token"];
 
         $verify_url = $config["webroot"] . "/verify.php?t=" . $verify_token;
-		require_once "../mail_templates.php";
+        require_once(__DIR__ . "/../mail_templates.php");
         $success = send_mail_pending_verification(
-			$config["homeserver"],
+                $config["homeserver"], $storeFirstLastName ? $first_name . " " . $last_name : $username, $email, $verify_url);
-			$first_name . " " . $last_name,
-			$email,
-			$verify_url);
 
         $mx_db->setRegistrationStateVerify(
-			($success ? RegisterState::PendingEmailVerify : RegisterState::PendingEmailSend),
+                ($success ? RegisterState::PendingEmailVerify : RegisterState::PendingEmailSend), $verify_token);
-			$verify_token);
 
-		print("<title>Erfolgreich</title>");
+        print("<title>" . $language["SUCCESS"] . "</title>");
         print("</head><body>");
-		print("<h1>Erfolgreich</h1>");
+        print("<h1>" . $language["SUCCESS"] . "</h1>");
-		print("<p>Bitte überprüfe deine E-Mails um deine E-Mail-Adresse zu bestätigen.</p>");
+        print("<p>" . $language["TASK_CHECK_YOUR_EMAIL_VERIFY"] . "</p>");
-		print("<a href=\"" . $config["webroot"] . "/index.php" . "\">Zur Registrierungsseite</a>");
+        print("<a href=\"" . $config["webroot"] . "/index.php" . "\">" . $language["JUMP_TO_HOMEPAGE"] . "</a>");
     } catch (Exception $e) {
         print("<title>" . $language["REGISTRATION_REQUEST_FAILED"] . "</title>");
         print("</head><body>");
@@ -104,12 +123,12 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
         } else {
             print("<p>" . $e->getMessage() . "</p>");
         }
-		print("<a href=\"" . $config["webroot"] . "/index.php" . "\">Zur Registrierungsseite</a>");
+        print("<a href=\"" . $config["webroot"] . "/index.php" . "\">" . $language["JUMP_TO_HOMEPAGE"] . "</a>");
     }
 } else {
     $_SESSION["token"] = bin2hex(random_bytes(16));
     ?>
-		<title>Registriere dich für <?php echo $config["homeserver"]; ?></title>
+    <title><?php echo strtr($language["TOPIC_PLEASE_REGISTER"], ["@homeserver" => $config["homeserver"]]); ?></title>
     <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
     <style>
         body{
@@ -133,94 +152,101 @@ body{
             <div class="col-xs-12 col-sm-8 col-md-4 col-sm-offset-2 col-md-offset-4">
                 <div class="panel panel-default">
                     <div class="panel-heading">
-							<h3 class="panel-title">Bitte für <?php echo $config["homeserver"]; ?> registrieren<small>2-Schritt-Registrierung</small></h3>
+                        <h3 class="panel-title"><?php
+                            echo strtr($language["TOPIC_PLEASE_REGISTER"], ["@homeserver" => $config["homeserver"]])
+                            . "<small>" . $language["TOPIC_PLEASE_REGISTER_NOTE"] . "</small>";
+                            ?></h3>
                     </div>
                     <div class="panel-body">
                         <form name="regForm" role="form" action="index.php" method="post">
+                            <?php if ($storeFirstLastName) { ?>
                                 <div class="row">
                                     <div class="col-xs-6 col-sm-6 col-md-6">
                                         <div class="form-group">
                                             <input type="text" name="first_name" id="first_name" class="form-control input-sm"
-												placeholder="Vorname" pattern="[A-Z][a-z]+">
+                                                   placeholder="<?php echo $language["FIRST_NAME"]; ?>" pattern="[A-Z][a-z]+">
                                         </div>
                                     </div>
                                     <div class="col-xs-6 col-sm-6 col-md-6">
                                         <div class="form-group">
                                             <input type="text" name="last_name" id="last_name" class="form-control input-sm"
-												placeholder="Nachname" pattern="[A-Z][a-z]+">
+                                                   placeholder="<?php echo $language["LAST_NAME"]; ?>" pattern="[A-Z][a-z]+">
                                         </div>
                                     </div>
                                 </div>
+                            <?php } ?>
+
+                            <div class="form-group">
+                                <input type="email" name="email" id="email" class="form-control input-sm" placeholder="<?php echo $language["EMAIL_ADDRESS"]; ?>" required>
+                            </div>
 
                             <div class="form-group">
-									<input type="email" name="email" id="email" class="form-control input-sm" placeholder="E-Mail-Adresse" required>
+                                <input type="text" name="note" id="note" class="form-control input-sm" placeholder="<?php echo $language["PLACEHOLDER_NOTE_ABOUT_YOURSELF"]; ?>">
-								</div>
-
-								<div class="form-group">
-									<input type="text" name="note" id="note" class="form-control input-sm" placeholder="Notiz zu dir (max. 50 Zeichen)">
                             </div>
 
                             <div class="form-group">
                                 <input type="text" name="username" id="username" class="form-control input-sm"
-										placeholder="Nutzername (für den Login)" pattern="[a-z1-9]{3,20}" required>
+                                       placeholder="<?php echo $language["USERNAME"]; ?>" pattern="[a-z1-9]{3,20}" required>
                             </div>
-<?php if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"]) { ?>
+                            <?php if ($storePassword) { ?>
                                 <div class="row">
                                     <div class="col-xs-6 col-sm-6 col-md-6">
                                         <div class="form-group">
-											<input type="password" name="password" id="password" class="form-control input-sm" placeholder="Passwort" required>
+                                            <input type="password" name="password" id="password" class="form-control input-sm" placeholder="<?php echo $language["PASSWORD"]; ?>" required>
                                         </div>
                                     </div>
                                     <div class="col-xs-6 col-sm-6 col-md-6">
                                         <div class="form-group">
-											<input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="Passwort bestätigen" required>
+                                            <input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="<?php echo $language["PASSWORD_CONFIRM"]; ?>" required>
                                         </div>
                                     </div>
                                 </div>
                             <?php } ?>
                             <input type="hidden" name="token" id="token" value="<?php echo $_SESSION["token"]; ?>">
-								<input type="submit" value="Registrieren" class="btn btn-info btn-block">
+                            <input type="submit" value="<?php echo $language["REGISTER"]; ?>" class="btn btn-info btn-block">
 
                         </form>
-							<p>Hinweis: <br />
+                        <?php
-							<?php echo $config["homeserver"]; ?> ist ein geschlossenes Chat-Netzwerk in dem jeder Nutzer bestätigt werden muss.<br />
+                        if (isset($language["NOTE_FOR_REGISTRATION"])) {
-							Du bekommst eine E-Mail wenn jemand deine Mitgliedschaft bestätigt hat. An diese wird auch dein initiales Passwort gesendet.
+                            echo "<p>" . $language["NOTE"] . ": <br />";
-							Hinterlasse also bitte einen Hinweis zu dir (der nur den entsprechenden Personen gezeigt wird).<br />
+                            echo strtr($language["NOTE_FOR_REGISTRATION"], ["@homeserver" => $config["homeserver"]]);
-							Liebe Grüße vom Team von <?php echo $config["homeserver"]; ?>
+                            echo "</p>";
-							</p>
+                        }
+                        ?>
                     </div>
                 </div>
             </div>
         </div>
     </div>
     <script type="text/javascript">
+        var user_name = document.getElementById("username");
+        user_name.oninvalid = function (event) {
+            event.target.setCustomValidity("<?php echo $language["USERNAME_INVALID"]; ?>");
+        }
+        user_name.onkeyup = function (event) {
+            event.target.setCustomValidity("");
+        }
+<?php if ($storeFirstLastName) { ?>
             var first_name = document.getElementById("first_name");
             first_name.oninvalid = function (event) {
-		event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+                event.target.setCustomValidity("<?php echo $language["FIRSTNAME_INVALID_FORMAT"]; ?>");
             }
             first_name.onkeyup = function (event) {
                 event.target.setCustomValidity("");
             }
             var last_name = document.getElementById("last_name");
             last_name.oninvalid = function (event) {
-		event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+                event.target.setCustomValidity("<?php echo $language["SIRNAME_INVALID_FORMAT"]; ?>");
             }
             last_name.onkeyup = function (event) {
                 event.target.setCustomValidity("");
             }
-	var user_name = document.getElementById("username");
+<?php } if ($storePassword) { ?>
-	user_name.oninvalid = function(event) {
-		event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
-	}
-	user_name.onkeyup = function (event) {
-		event.target.setCustomValidity("");
-	}
-<?php	if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"]) { ?>
             var password = document.getElementById("password")
                     , confirm_password = document.getElementById("password_confirm");
             function validatePassword() {
                 if (password.value != confirm_password.value) {
-			confirm_password.setCustomValidity("Passwörter stimmen nicht überein");
+                    confirm_password.setCustomValidity("<?php echo $language["PASSWORD_NOT_MATCH"]; ?>");
                 } else {
                     confirm_password.setCustomValidity('');
                 }
@@ -230,5 +256,4 @@ body{
 <?php } ?>
     </script>
 <?php } ?>
-	</body>
+</body></html>
-</html>

public/verify.php

@@ -13,13 +13,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once "../language.php";
+require_once(__DIR__ . "/../language.php");
 if (!file_exists("../config.php")) {
     print($language["NO_CONFIGURATION"]);
     exit();
 }
-require_once "../config.php";
+require_once(__DIR__ . "/../config.php");
-require_once "../mail_templates.php";
+require_once(__DIR__ . "/../mail_templates.php");
 
 // enforce admin via https
 if (!isset($_SERVER['HTTPS'])) {
@@ -38,7 +38,7 @@ try {
     }
     $token = filter_var($_GET["t"], FILTER_SANITIZE_STRING);
 
-	require_once("../database.php");
+    require_once(__DIR__ . "/../database.php");
 
     $user = $mx_db->getUserForVerify($token);
     if ($user == NULL) {
@@ -46,20 +46,30 @@ try {
     }
     $first_name = $user["first_name"];
     $last_name = $user["last_name"];
+    $username = $user["username"];
     $note = $user["note"];
     $email = $user["email"];
     $admin_token = $user["admin_token"];
 
-	require_once("../MatrixConnection.php");
+    // we have 2 cases: first and last name or just the username
+    $call_name = strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username;
+
+    require_once(__DIR__ . "/../MatrixConnection.php");
     $adminUrl = $config["webroot"] . "/verify_admin.php?t=" . $admin_token;
     $mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);
     $mxMsg = new MatrixMessage();
-	$mxMsg->set_body($first_name . ' ' . $last_name . "möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
+    $mxMsg->set_body(strtr($language["MSG_USER_WANTS_REGISTER"], [
-		. $note . "\r\n"
+        "@name" => $call_name,
-		. "Zum Bearbeiten hier klicken:\r\n" . $adminUrl);
+        "@note" => $note,
-	$mxMsg->set_formatted_body($first_name . ' ' . $last_name . " möchte sich registrieren und hat folgende Notiz hinterlassen:<br />"
+        "@adminUrl" => $adminUrl
-		. $note . "<br />"
+    ]));
-		. "Zum Bearbeiten <a href=\"". $adminUrl . "\">hier</a> klicken");
+    if (isset($language["MSG_USER_WANTS_REGISTER_FORMATTED"])) {
+        $mxMsg->set_formatted_body(strtr($language["MSG_USER_WANTS_REGISTER_FORMATTED"], [
+            "@name" => $call_name,
+            "@note" => $note,
+            "@adminUrl" => $adminUrl
+        ]));
+    }
     $mxMsg->set_type("m.text");
     $response = $mxConn->send($config["register_room"], $mxMsg);
 
@@ -67,16 +77,15 @@ try {
         $message = $language["SEND_MATRIX_FAIL"];
     }
     $mx_db->setRegistrationStateVerify(
-		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend),
+            ($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend), $token);
-		$token);
 
-	send_mail_pending_approval($config["homeserver"], $first_name . " " . $last_name, $email);
+    send_mail_pending_approval($config["homeserver"], $call_name, $email);
 
     print("<title>" . $language["VERIFICATION_SUCEEDED"] . "</title>");
     print("</head><body>");
     print("<h1>" . $language["VERIFICATION_SUCEEDED"] . "</h1>");
     print("<p>" . $language["VERIFICATION_SUCCESS_BODY"] . "</p>");
-	print("<a href=\"" . $config["webroot"] . "/index.php" . "\">Zur Registrierungsseite</a>");
+    print("<a href=\"" . $config["webroot"] . "/index.php" . "\">" . $language["JUMP_TO_HOMEPAGE"] . "</a>");
 } catch (Exception $e) {
     print("<title>" . $language["VERIFICATION_FAILED"] . "</title>");
     print("</head><body>");
@@ -86,7 +95,7 @@ try {
     } else {
         print("<p>" . $e->getMessage() . "</p>");
     }
-	print("<a href=\"" . $config["webroot"] . "/index.php" . "\">Zur Registrierungsseite</a>");
+    print("<a href=\"" . $config["webroot"] . "/index.php" . "\">" . $language["JUMP_TO_HOMEPAGE"] . "</a>");
 }
 ?>
     </body>

public/verify_admin.php

@@ -13,13 +13,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-require_once "../language.php";
+require_once(__DIR__ . "/../language.php");
 if (!file_exists("../config.php")) {
     print($language["NO_CONFIGURATION"]);
     exit();
 }
-require_once "../config.php";
+require_once(__DIR__ . "/../config.php");
-require_once "../mail_templates.php";
+require_once(__DIR__ . "/../mail_templates.php");
 
 // enforce admin via https
 if (!isset($_SERVER['HTTPS'])) {
@@ -33,23 +33,19 @@ try {
     if ($_SERVER["REQUEST_METHOD"] != "GET") {
         throw new Exception("Method not allowed");
     }
-	if (!isset($_GET["t"])) {
+    $token = filter_input(INPUT_GET, "t", FILTER_SANITIZE_STRING);
+    if (empty($token)) {
         throw new Exception("UNKNOWN_TOKEN");
     }
-	$token = filter_var($_GET["t"], FILTER_SANITIZE_STRING);
 
-	require_once("../database.php");
+    require_once(__DIR__ . "/../database.php");
 
-	$action = NULL;
+    $param_action = filter_input(INPUT_GET, "d", FILTER_SANITIZE_STRING);
-	if (isset($_GET["allow"])) {
+    if ($param_action == "allow") {
         $action = RegisterState::RegistrationAccepted;
-	}
+    } elseif ($param_action == "deny") {
-	$decline_reason = NULL;
-	if (isset($_GET["deny"])) {
         $action = RegisterState::RegistrationDeclined;
-		if (isset($_GET["reason"])) {
+        $decline_reason = filter_input(INPUT_GET, "decline_reason", FILTER_SANITIZE_STRING);
-			$decline_reason = filter_var($_GET["reason"], FILTER_SANITIZE_STRING);
-		}
     }
 
     $user = $mx_db->getUserForApproval($token);
@@ -60,6 +56,9 @@ try {
     $first_name = $user["first_name"];
     $last_name = $user["last_name"];
     $username = $user["username"];
+    // we have 2 cases: first and last name or just the username
+    $call_name = strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username;
+
     $note = $user["note"];
     $email = $user["email"];
 
@@ -67,24 +66,57 @@ try {
         $mx_db->setRegistrationStateAdmin(RegisterState::PendingRegistration, $token);
 
         // register user
-		require_once("../MatrixConnection.php");
+        require_once(__DIR__ . "/../MatrixConnection.php");
         $mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);
 
-		// generate a password with 8 characters
+        $password = NULL;
-		$password = $mx_db->addUser($first_name, $last_name, $username, $email);
+        $use_db_password = (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"]);
+        if ($use_db_password && isset($user["password"]) && strlen($user["password"]) > 0) {
+            $password = $user["password"];
+        } else {
+            $use_db_password = false;
+            // generate a password with 10 characters
+            $password = bin2hex(openssl_random_pseudo_bytes(5));
+        }
+        switch ($config["operationMode"]) {
+            case "synapse":
+                // register with registration_shared_secret
+                $res = $mxConn->register($username, $password, $config["registration_shared_secret"]);
+                if (!$res) {
+                    // something went wrong while registering
+                    $password = NULL;
+                }
+                break;
+            case "local":
+                // register by adding a user to the local database
+                $password = $mx_db->addUser($first_name, $last_name, $username, $password, $email);
+                break;
+            default:
+                throw new Exception("Unknown operationMode");
+        }
         if ($password != NULL) {
             // send registration_success
-			$res = send_mail_registration_success($config["homeserver"], $first_name . " " . $last_name, $email, $username, $password, $config["howToURL"]);
+            $res = send_mail_registration_success(
+                    $config["homeserver"],
+                    $call_name,
+                    $email,
+                    $username,
+                    // only send password when auto-created
+                    ($use_db_password ? NULL : $password),
+                    $config["howToURL"]
+            );
             if ($res) {
                 $mx_db->setRegistrationStateAdmin(RegisterState::AllDone, $token);
             } else {
                 $mx_db->setRegistrationStateAdmin(RegisterState::PendingSendRegistrationMail, $token);
             }
         } else {
-			send_mail_registration_allowed_but_failed($config["homeserver"], $first_name . " " . $last_name, $email);
+            send_mail_registration_allowed_but_failed($config["homeserver"], $call_name, $email);
             $mxMsg = new MatrixMessage();
             $mxMsg->set_type("m.text");
-			$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
+            $mxMsg->set_body(strtr($language["REGISTRATION_FAILED_FOR"], [
+                "@name" => $call_name,
+            ]));
             $mxConn->send($config["register_room"], $mxMsg);
             throw new Exception("REGISTRATION_FAILED");
         }
@@ -95,13 +127,14 @@ try {
         print("<p>" . $language["ADMIN_REGISTER_ACCEPTED_BODY"] . "</p>");
     } elseif ($action == RegisterState::RegistrationDeclined) {
         $mx_db->setRegistrationStateAdmin(RegisterState::RegistrationDeclined, $token);
-		send_mail_registration_decline($config["homeserver"], $first_name . " " . $last_name, $email, $decline_reason);
+        send_mail_registration_decline(
+                $config["homeserver"], $call_name, $email, $decline_reason
+        );
         print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
         print("</head><body>");
         print("<h1>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</h1>");
         print("<p>" . $language["ADMIN_REGISTER_DECLINED_BODY"] . "</p>");
     } else {
-
         print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
         ?>
         <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
@@ -130,7 +163,11 @@ background: rgba(255, 255, 255, 0.8);
                             <h3 class="panel-title"><?php echo $language["ADMIN_VERIFY_SITE_TITLE"]; ?></h3>
                         </div>
                         <div class="panel-body">
-			<form name="appForm" role="form" action="verify_admin.php" method="GET">
+                            <form name="appForm" role="form" onsubmit="return submitForm()" action="verify_admin.php" method="GET">
+                                <?php
+                                if (isset($config["operationMode"]) && $config["operationMode"] === "local") {
+                                    // this values will not be used when using the register operation type
+                                    ?>
                                     <div class="row">
                                         <div class="col-xs-6 col-sm-6 col-md-6">
                                             <div class="form-group">
@@ -145,7 +182,7 @@ background: rgba(255, 255, 255, 0.8);
                                             </div>
                                         </div>
                                     </div>
-
+                                <?php } ?>
                                 <div class="form-group">
                                     <input type="text" id="note" class="form-control input-sm" value="<?php echo $note; ?>" disabled=true>
                                 </div>
@@ -154,10 +191,16 @@ background: rgba(255, 255, 255, 0.8);
                                     <input type="text" id="username" class="form-control input-sm"
                                            value="<?php echo $username; ?>" disabled=true>
                                 </div>
+                                <div class="form-group">
+                                    <input type="hidden" name="decline_reason" class="form-control input-sm"
+                                           placeholder="<?php echo $language["DECLINE_REASON"]; ?>">
+                                </div>
                                 <input type="hidden" name="t" id="token" value="<?php echo $token; ?>">
-			<input type="submit" name="allow" value="Bestätigen" class="btn btn-info btn-block">
+                                <div class="form-group">
-			<input type="submit" name="deny" value="Ablehnen" class="btn btn-info btn-block">
+                                    <input type="radio" name="d" value="allow"><?php echo $language["ACCEPT"]; ?>
-
+                                    <input type="radio" name="d" value="deny"><?php echo $language["DECLINE"]; ?>
+                                </div>
+                                <input type="submit" value="<?php echo $language["SUBMIT"]; ?>" class="btn btn-info btn-block">
                             </form>
                         </div>
                     </div>
@@ -165,7 +208,30 @@ background: rgba(255, 255, 255, 0.8);
             </div>
         </div>
         <script type="text/javascript">
-
+            var rad = document.appForm.d;
+            function isSelected() {
+                for (var i=0; i<rad.length; i++)
+                    if (rad[i].checked)
+                        return true;
+                return false;
+            }
+            function submitForm() {
+                if (isSelected()) {
+                    return true;
+                }
+                alert("<?php echo $language["MAKE_A_SELECTION"];?>");
+                return false;
+            }
+            for(var i = 0; i < rad.length; i++) {
+                rad[i].onclick = function() {
+                    if (this.value === "deny") {
+                        document.appForm.decline_reason.type = "text";
+                    } else {
+                        document.appForm.decline_reason.type = "hidden";
+                    }
+                };
+            }
+        </script>
             <?php
         } // else - no action provided
     } catch (Exception $e) {
@@ -177,7 +243,7 @@ background: rgba(255, 255, 255, 0.8);
         } else {
             print("<p>" . $e->getMessage() . "</p>");
         }
-	print("<a href=\"" . $config["webroot"] . "/index.php" . "\">Zur Registrierungsseite</a>");
+        print("<a href=\"" . $config["webroot"] . "/index.php" . "\">" . $language["JUMP_TO_HOMEPAGE"] . "</a>");
     }
     ?>
     </body>