further implementing of multilanguage

- add stripLocalpart in helpers.php
- extend mxDatabase to update the password once validated

README.md

@@ -22,6 +22,8 @@ This is done in several steps:
 - To integrate with matrix-synapse-rest-auth:
   - `/_matrix-internal/identity/v1/check_credentials` should map to `internal/login.php`
 - To integrate with mxisd: Have a look at [the docs](https://github.com/kamax-io/mxisd/blob/master/docs/backends/rest.md) and apply as follows:
+
+
 | Key                            | file which handles that       | Description                                          |
 |--------------------------------|-------------------------------|------------------------------------------------------|
 | rest.endpoints.auth            | internal/login.php            | Validate credentials and get user profile            |

config.sample.php

@@ -22,5 +22,8 @@ $config = [
 	// credentials for sqlite not used
 	"databaseUser" => "dbUser123",
 	"databasePass" => "secretPassword",
+
+	// default language: one of [ en-gb | de-de ]
+	"defaultLanguage" => "en-gb"
 ]
 ?>

database.php

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -304,6 +304,24 @@ class mxDatabase
 		return NULL;
 	}
 
+	function updatePassword($localpart, $old_password, $new_password) {
+		$user = $this->getUserForLogin($localpart, $old_password);
+		if ($user == NULL) {
+		    throw new Exception ("user with that credentials not found");
+		}
+
+		// The credentials were fine. So now set the new password
+		$password_hash = password_hash($new_password, PASSWORD_BCRYPT, ["cost"=>12]);
+
+		$sql = "UPDATE logins SET password_hash = '" . $password_hash . "'"
+			. "WHERE localpart = '" . $localpart . "'";
+
+		if ($this->db->exec($sql)) {
+			return true;
+		}
+		return false;
+	}
+
 	function searchUserByName($search_term) {
 		$term = filter_var($search_term, FILTER_SANITIZE_STRING);
 		$result = array();

helpers.php

@@ -0,0 +1,18 @@
+<?php
+function stripLocalpart($mxid) {
+	$localpart = NULL;
+	if (!empty($mxid)) {
+		// A mxid would start with an @ so we start at the 2. position
+		$sepPos = strpos($mxid,':', 1);
+		if ($sepPos === false) {
+			// : not found. Assume mxid is localpart
+			// TODO: further checks
+			$localpart = $mxid;
+		} else {
+			$localpart = substr($mxid, 1, strpos($mxid,':') - 1 );
+		}
+	}
+	return $localpart;
+}
+
+?>

internal/intercept_change_password.php

@@ -0,0 +1,72 @@
+<?php
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// URL for this: /_matrix/client/r0/account/password?access_token=$ACCESS_TOKEN
+
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Methods: POST, OPTIONS');
+header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization');
+if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+	print ("{}");
+	// return with success
+	exit();
+}
+$response= new stdClass;
+try {
+	$inputJSON = file_get_contents('php://input');
+	$input = json_decode($inputJSON, TRUE);
+	if (empty($input)) {
+		throw new Exception('no valid json as input present');
+	}
+	if (!isset($input["auth"])) {
+		throw new Exception('"auth" is not defined');
+	}
+	if (!isset($input["auth"]["user"]) || !isset($input["auth"]["password"])) {
+		throw new Exception('"auth.user" or "auth.password" is not defined');
+	}
+	if (!isset($input["auth"]["type"]) || $input["auth"]["type"] !== "m.login.password") {
+		throw new Exception('no or unknown auth.type');
+	}
+	if (!isset($input["new_password"])) {
+		throw new Exception('"new_password" is not defined');
+	}
+
+	require_once("../helpers.php");
+	$localpart = stripLocalpart($input["auth"]["user"]);
+
+	if (empty($localpart)) {
+		throw new Exception ("localpart cannot be identified");
+	}
+
+	require_once("../database.php");
+	if (!$mx_db->updatePassword(
+		$localpart,
+		$input["auth"]["password"],
+		$input["new_password"]
+	)) {
+		throw new Exception("invalid credentials or another error while updating");
+	}
+
+} catch (Exception $e) {
+	header("HTTP/1.0 500 Internal Error");
+	error_log("failed with error: " . $e->getMessage());
+	$response = [
+		"errorcode" => "M_UNKNOWN",
+		"error" => $e->getMessage(),
+	];
+}
+print (json_encode($response, JSON_PRETTY_PRINT));
+?>

internal/login.php

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -49,22 +49,15 @@ try {
 
     // prefer the localpart attribute of mxisd. But in case of matrix-synapse-rest-auth
     // we have to parse it on our own
-    if (empty($localpart) && !empty($mxid)) {
+    if (empty($localpart)) {
-        // A mxid would start with an @ so we start at the 2. position
+	require_once("../helpers.php");
-        $sepPos = strpos($mxid,':', 1);
+	$localpart = stripLocalpart($mxid);
-        if ($sepPos === false) {
-            // : not found. Assume mxid is localpart
-            // TODO: further checks
-            $localpart = $mxid;
-        } else {
-            $localpart = substr($mxid, 1, strpos($mxid,':') - 1 );
-        }
     }
-    
+
     if (empty($localpart)) {
         throw new Exception ("localpart cannot be identified");
     }
-    
+
     $password = NULL;
     if (isset($input["user"]) && isset($input["user"]["password"])) {
         $password = $input["user"]["password"];
@@ -103,7 +96,7 @@ try {
             // we do not know how the data shall be transmitted so we do nothing with it
             $response["auth"]["success"] = false;
             break;
-    }    
+    }
 } catch (Exception $e) {
     error_log("Auth failed with error: " . $e->getMessage());
     $response["auth"]["error"] = $e->getMessage();

lang/lang.en-gb.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+$language = array(
+    "NO_CONFIGURATION" => "No configuration found",
+    "UNKNOWN_SESSION" => "Session token not found of invalid.",
+    "UNKNOWN_USERNAME" => "username unknown",
+    "UNKNOWN_TOKEN" => "Token is unknown",
+    "USERNAME_LENGTH_INVALID" => "Username cpnsists pf more than 20 or less than 3 characters",
+    "USERNAME_NOT_ALNUM" => "Username is not alphanumeric",
+    "USERNAME_PENDING_REGISTRATION" => "This username is locked for registration. Try again later or try again with a different username",
+    "USERNAME_REGISTERED" => "This username is already registered. Please try again with another username",
+    "PASSWORD_NOT_MATCH" => "passwords do not match",
+    "NOTE_LENGTH_EXEEDED" => "Note consists of more than 50 characters",
+    "EMAIL_INVALID_FORMAT" => "no valid email address",
+    "FIRSTNAME_INVALID_FORMAT" => "First name with invalid formatting",
+    "SIRNAME_INVALID_FORMAT" => "Sirname with invalid formatting",
+    "SEND_MAIL_FAIL" => "Email could not be sent",
+    "SEND_MATRIX_FAIL" => "Sending a message to the admins failed",
+    "REGISTRATION_REQUEST_FAILED" => "Registration request failed",
+    "REGISTRATION_FAILED" => "Registration failed",
+    "VERIFICATION_SUCEEDED" => "Verification suceeded",
+    "VERIFICATION_FAILED" => "Verification failed",
+    "VERIFICATION_SUCCESS_BODY" => "Thank you. The admins got informed",
+    "ADMIN_VERIFY_SITE_TITLE" => "Handle registration request",
+    "ADMIN_REGISTER_ACCEPTED_BODY" => "The registration request got accepted. The user got notified per email.",
+    "ADMIN_REGISTER_DECLINED_BODY" => "The registration request got declined. The user got notified per email.",
+);
+?>

lang/mail.de-de.php

@@ -0,0 +1,124 @@
+<?php
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+function send_mail($receiver, $subject, $body) {
+	include("config.php");
+	$headers = "From: " . $config["register_email"] . "\r\n"
+		. "Content-Type: text/plain;charset=utf-8";
+	return mail($receiver, $subject, $body, $headers);
+}
+
+function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
+	$subject = "Bitte bestätige Registrierung auf $homeserver";
+	$body = "Guten Tag " . $user . ",
+
+Du hast anscheinend versucht dich auf $homeserver zu registrieren.
+Hier gibt es eine zweistufige Registrierung.
+
+Wir möchten dich bitten, dass du kurz bestätigst, dass du die Registrierung durchgeführt hast.
+Gehe dafür auf folgenden Link:
+$verify_url
+
+Erst anschließend werden die Administratoren über deine Registrierungsanfrage informiert.
+
+Hinweis: Du hast ca. 48 Stunden Zeit um die Bestätigung durchzuführen.
+Danach ist eine Re-Registrierung mit deinem gewünschten Nutzernamen für andere wieder möglich.
+
+Vielen Dank für dein Verständnis.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+
+function send_mail_pending_approval($homeserver, $user, $receiver) {
+	$subject = "Registrierung wartet auf Bestätigung durch Administratoren";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde verifiziert und wird nun durch die Administratoren überprüft.
+
+Du bekommst eine weitere E-Mail, sobald deine Registrierung bestätigt oder ablehnt wurde.
+
+Vielen Dank für dein Verständnis.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+
+function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
+	$subject = "Registrierung auf $homeserver genehmigt";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
+
+Leider ist beim Registrieren ein Fehler aufgetaucht. Der Registrierungversuch wird bald wiederholt.
+Wir hoffen, das Problem ist bald behoben.
+Wir melden uns, wenn die Registrierung erfolgreich war.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body);
+
+}
+
+function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
+	$subject = "Registrierung auf $homeserver erfolgreich";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
+
+Zum Anmelden kannst du folgende Zugangsdaten verwenden:
+Nutzername: $username
+Passwort: $password
+
+Hinweis: Das Passwort kannst du aktuell über die App selbst ändern. Auch wenn das Passwort nirgends
+im Klartext gespeichert wird, kann jemand Zugriff auf diese Mail erlangen und so den Zugriff bekommen.
+";
+/*
+Wichtig: Bitte ändere das Passwort direkt nach der Anmeldung.
+Es wird zwar von unserer Seite nicht gespeichert, doch fremde könnten Zugriff auf diese E-Mail
+erhalten und so deinen Account kompromittieren.
+ */
+if (!empty($howToURL)) {
+	$body .= "
+Zu weiteren Hilfestellungen findest du hier eine Auflistung von verschiedenen
+Anleitungen zu verschiedenen Clients:
+$howToURL\n";
+}
+	$body .= "
+Viel Spaß bei der Verwendung von $homeserver.
+Bei Fragen findest du nach der Anmeldung ein paar Räume in denen du sie stellen kannst.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body);
+
+}
+function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
+	$subject = "Registrierung auf $homeserver abgelehnt";
+	$body = "Guten Tag " . $user . ",
+
+Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.\n";
+
+	if (empty($reason)) {
+		$body .= "\nEs wurde kein Grund angegeben\n";
+	} else {
+		$body .= "\nAls Grund wurde folgendes angegeben:\n$reason\n";
+	}
+
+	$body .= "
+Wir hoffen, dass du dies akzeptieren kannst.
+
+Das Administratoren-Team von " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+?>

lang/mail.en-gb.php

@@ -0,0 +1,118 @@
+<?php
+/**
+ * Copyright 2018 Matthias Kesler
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+function send_mail($receiver, $subject, $body) {
+	include("config.php");
+	$headers = "From: " . $config["register_email"] . "\r\n"
+		. "Content-Type: text/plain;charset=utf-8";
+	return mail($receiver, $subject, $body, $headers);
+}
+
+function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
+	$subject = "Pleast approve your registration request on $homeserver";
+	$body = "Dear " . $user . ",
+
+It seems that you tried to register on $homeserver.
+This homeserver requires a two step registration.
+
+For this we want you to verify that you want to register. For this please click on this link:
+$verify_url
+
+The admins will informed about your registration request once you clicked on this link.
+
+Note: This registration request will be cleaned up in 48 hours.
+Others might take your username afterwards.
+
+Thanks for your patience.
+
+The admin team of " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+
+function send_mail_pending_approval($homeserver, $user, $receiver) {
+	$subject = "Registration is pending verification from an admin";
+	$body = "Dear " . $user . ",
+
+You have verified your registration request. The admins are now checking your request.
+
+You will get an email once they approve or decline your request.
+
+Sincerely,
+
+The admin team of " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+
+function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
+	$subject = "Registration on $homeserver got approved";
+	$body = "Dear " . $user . ",
+
+Your registration request got approved by the admin team.
+
+But there was a problem when triggering the registration request. It will be retried in a few minutes.
+We hope that the issue will be fixed soon.
+You will get another email with initial credentials once the registration got handled completely.
+
+The admin team of " . $homeserver;
+	return send_mail($receiver, $subject, $body);
+
+}
+
+function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
+	$subject = "Registration on $homeserver got approved";
+	$body = "Dear " . $user . ",
+
+Your registration request got verified by the admin team.
+
+To log in you can use the following credentials::
+Username: $username
+Password: $password
+
+Important: Please change your password as soon as possible after your first login.
+The password is not stored in clear text on the server but people could get access to this mail
+and compromise your account.
+";
+if (!empty($howToURL)) {
+	$body .= "
+You can find further help here::
+$howToURL\n";
+}
+	$body .= "
+Enjoy your usage of $homeserver.
+You can ask further questions inside of the chat system.
+
+The admin team of " . $homeserver;
+	return send_mail($receiver, $subject, $body);
+
+}
+function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
+	$subject = "Registration on $homeserver declined.";
+	$body = "Guten Tag " . $user . ",
+
+Your registration request got declined by the admin team.\n";
+
+	if (empty($reason)) {
+		$body .= "\nThey did not provide any reason for this\n";
+	} else {
+		$body .= "\nThey provide following hint for you:\n$reason\n";
+	}
+
+	$body .= "
+We hope that you can understand this reason.
+
+The admin team of " . $homeserver;
+	return send_mail($receiver, $subject, $body );
+}
+?>

language.php

@@ -13,13 +13,15 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-$lang = "de-de";
+require_once("config.php");
+$lang=$config["defaultLanguage"];
+
 if(isset($_GET['lang'])){
 	$lang = filter_var($_GET['lang'], FILTER_SANITIZE_STRING);
 }
 $lang_file = dirname(__FILE__) . "/lang/lang.".$lang.".php";
 if (!file_exists($lang_file)) {
-	error_log("Translation for " . $lang . " not found. Fallback to 'de-de'");
+	error_log("Translation for '" . $lang . "' not found. Fallback to 'de-de'");
 	$lang = "de-de";
 }
 require_once($lang_file);

mail_templates.php

@@ -13,109 +13,16 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-function send_mail($receiver, $subject, $body) {
+require_once("config.php");
-	include("config.php");
+$lang=$config["defaultLanguage"];
-	$headers = "From: " . $config["register_email"] . "\r\n"
+if(isset($_GET['lang'])){
-		. "Content-Type: text/plain;charset=utf-8";
+	$lang = filter_var($_GET['lang'], FILTER_SANITIZE_STRING);
-	return mail($receiver, $subject, $body, $headers);
 }
-
+$lang_file = dirname(__FILE__) . "/lang/mail.".$lang.".php";
-function send_mail_pending_verification($homeserver, $user, $receiver, $verify_url) {
+if (!file_exists($lang_file)) {
-	$subject = "Bitte bestätige Registrierung auf $homeserver";
+	error_log("Mail templates for '" . $lang . "' not found. Fallback to 'de-de'");
-	$body = "Guten Tag " . $user . ",
+	$lang = "de-de";
-
-Du hast anscheinend versucht dich auf $homeserver zu registrieren.
-Hier gibt es eine zweistufige Registrierung.
-
-Wir möchten dich bitten, dass du kurz bestätigst, dass du die Registrierung durchgeführt hast.
-Gehe dafür auf folgenden Link:
-$verify_url
-
-Erst anschließend werden die Administratoren über deine Registrierungsanfrage informiert.
-
-Hinweis: Du hast ca. 48 Stunden Zeit um die Bestätigung durchzuführen.
-Danach ist eine Re-Registrierung mit deinem gewünschten Nutzernamen für andere wieder möglich.
-
-Vielen Dank für dein Verständnis.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body );
-}
-
-function send_mail_pending_approval($homeserver, $user, $receiver) {
-	$subject = "Registrierung wartet auf Bestätigung durch Administratoren";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde verifiziert und wird nun durch die Administratoren überprüft.
-
-Du bekommst eine weitere E-Mail, sobald deine Registrierung bestätigt oder ablehnt wurde.
-
-Vielen Dank für dein Verständnis.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body );
-}
-
-function send_mail_registration_allowed_but_failed($homeserver, $user, $receiver) {
-	$subject = "Registrierung auf $homeserver genehmigt.";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
-
-Leider ist beim Registrieren ein Fehler aufgetaucht. Der Registrierungversuch wird bald wiederholt.
-Wir hoffen, das Problem ist bald behoben.
-Wir melden uns, wenn die Registrierung erfolgreich war.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body);
-
-}
-
-function send_mail_registration_success($homeserver, $user, $receiver, $username, $password, $howToURL) {
-	$subject = "Registrierung auf $homeserver erfolgreich.";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
-
-Zum Anmelden kannst du folgende Zugangsdaten verwenden:
-Nutzername: $username
-Passwort: $password
-
-Hinweis: Aktuell ist es nicht möglich, das Passwort selbst zu ändern. Sobald die Funktionalität zur
-Verfügung steht, gibt es aber einen Hinweis.
-";
-/*
-Wichtig: Bitte ändere das Passwort direkt nach der Anmeldung.
-Es wird zwar von unserer Seite nicht gespeichert, doch fremde könnten Zugriff auf diese E-Mail
-erhalten und so deinen Account kompromittieren.
- */
-if (!empty($howToURL)) {
-	$body .= "
-Zu weiteren Hilfestellungen findest du hier eine Auflistung von verschiedenen
-Anleitungen zu verschiedenen Clients:
-$howToURL\n";
-}
-	$body .= "
-Viel Spaß bei der Verwendung von $homeserver.
-Bei Fragen findest du nach der Anmeldung ein paar Räume in denen du sie stellen kannst.
-
-Das Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body);
-
-}
-function send_mail_registration_decline($homeserver, $user, $receiver, $reason) {
-	$subject = "Registrierung auf $homeserver abgelehnt.";
-	$body = "Guten Tag " . $user . ",
-
-Deine Registrierungsanfrage wurde durch die Administratoren abgelehnt.\n";
-
-	if (empty($reason)) {
-		$body .= "\nEs wurde kein Grund angegeben\n";
-	} else {
-		$body .= "\nAls Grund wurde folgendes angegeben:\n$reason\n";
-	}
-
-	$body .= "\nDas Administratoren-Team von " . $homeserver;
-	return send_mail($receiver, $subject, $body );
 }
+require_once($lang_file);
+unset($lang_file);
 ?>