/[LeafOK_CVS]/fenglin/bbs/user_login_service.php

Annotation of /fenglin/bbs/user_login_service.php



Revision 1.1 - (hide annotations)
Mon Mar 31 14:09:27 2025 UTC (11 months, 2 weeks ago) by sysadm
Branch: MAIN
Move check_user.php to user_login_service.php
Refactor as a backend service

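<?php
/*
 * user_login_service.php -- JSON backend for the BBS login form.
 *
 * Request: a JSON object in the request body with the fields
 *     username, password, ch_passwd ("1" to set a new password), password_new,
 *     agreement ("1" once the license text has been accepted), mfa ("1" when a
 *     captcha answer is supplied) and vn_str (the captcha answer).
 * Response: {"return": {"code": <int>, "message": <string>, "errorFields": [...]}}
 *
 * return.code values emitted by this file:
 *     0   login succeeded, $_SESSION has been populated
 *    -1   a field failed validation (details in errorFields)
 *    -2   database error (message carries mysqli_error())
 *     1   repeated failures from this source or account; a captcha is required
 *     2   a temporary password was used; a new password must be set (ch_passwd)
 *     3   login refused (wrong credentials, banned, or account closed)
 *     4   the license text must be accepted first (message carries the text)
 *
 * The includes below are expected to provide $db_conn (mysqli), LML(),
 * verify_pass_complexity(), VN_check(), client_addr(), load_user_info()
 * and $BBS_license_dt -- confirm against the respective .inc.php files.
 */
require_once "../lib/db_open.inc.php";
require_once "../lib/lml.inc.php";
require_once "../lib/passwd.inc.php";
require_once "../lib/vn_gif.inc.php";
require_once "../lib/client_addr.inc.php";
require_once "../lib/ip_mask.inc.php";
require_once "./session_init.inc.php";
require_once "./user_login.inc.php";

/**
 * Fetch a request field as a string; a missing or non-scalar value becomes "".
 *
 * JSON clients may send numbers or booleans where strings are expected; the
 * cast keeps the strict comparisons and the SQL escaping below well-defined.
 *
 * @param array  $data decoded request body
 * @param string $key  field name
 * @return string
 */
function login_service_field(array $data, $key)
{
    if (!isset($data[$key]) || !is_scalar($data[$key]))
    {
        return "";
    }
    return (string)$data[$key];
}

/**
 * Record a validation failure for one field and mark the response invalid.
 *
 * @param array  $result_set response skeleton (modified in place)
 * @param string $id         field id as used by the client form
 * @param string $errMsg     user-visible error text
 */
function login_service_field_error(array &$result_set, $id, $errMsg)
{
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = array(
        "id" => $id,
        "errMsg" => $errMsg,
    );
}

/**
 * Abort the request: close the connection and emit the JSON response.
 * Never returns.
 *
 * Closing the connection discards any transaction that has not been
 * committed, which is the intended outcome on every error path.
 *
 * @param mysqli      $db_conn    open connection; closed here
 * @param array       $result_set response skeleton (errorFields are kept)
 * @param int         $code       value for return.code
 * @param string|null $message    value for return.message; null keeps the current one
 */
function login_service_exit($db_conn, array $result_set, $code, $message = null)
{
    $result_set["return"]["code"] = $code;
    if ($message !== null)
    {
        $result_set["return"]["message"] = $message;
    }
    mysqli_close($db_conn);
    exit(json_encode($result_set));
}

/**
 * Count rows of user_err_login_log matching $condition.
 *
 * @param mysqli $db_conn
 * @param string $condition WHERE clause body, built only from escaped values
 * @return int|false number of matching rows, or false on query error
 *                   (mysqli_error() then describes the failure)
 */
function login_service_err_count($db_conn, $condition)
{
    $rs = mysqli_query($db_conn, "SELECT COUNT(*) AS err_count FROM user_err_login_log WHERE " . $condition);
    if ($rs === false)
    {
        return false;
    }
    $row = mysqli_fetch_array($rs);
    mysqli_free_result($rs);
    return $row ? (int)$row["err_count"] : 0;
}

$data = json_decode(file_get_contents("php://input"), true);
if (!is_array($data))
{
    $data = array(); // empty or malformed body: behave as if no field was supplied
}

$username     = login_service_field($data, "username");
$password     = login_service_field($data, "password");
$ch_passwd    = (login_service_field($data, "ch_passwd") === "1" ? 1 : 0);
$password_new = login_service_field($data, "password_new");
$agreement    = (login_service_field($data, "agreement") === "1");
$mfa          = (login_service_field($data, "mfa") === "1" ? 1 : 0);
$vn_str       = login_service_field($data, "vn_str");

$result_set = array(
    "return" => array(
        "code" => 0,
        "message" => "",
        "errorFields" => array(),
    ),
);

header("Content-Type:application/json; charset=utf-8");

// ---- Validate input ------------------------------------------------------
// The patterns below also bound what can reach the SQL strings later on;
// the escaping applied there is defence in depth, not the primary control.

if (!preg_match("/^[A-Za-z][A-Za-z0-9]{4,11}$/", $username))
{
    login_service_field_error($result_set, "username", "不符合格式要求");
}

if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password))
{
    login_service_field_error($result_set, "password", "不符合格式要求");
}

if ($ch_passwd)
{
    if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password_new))
    {
        login_service_field_error($result_set, "password_new", "不符合格式要求");
    }

    if (!verify_pass_complexity($password_new, $username, 6))
    {
        login_service_field_error($result_set, "password_new", "不符合复杂性要求");
    }
}

if ($mfa)
{
    // The captcha answer is checked against the value kept in the session.
    // It is only cleared on successful login (end of this file).
    // NOTE(review): clearing it here would make every captcha single-use,
    // but the form would then have to reload the image after each failed
    // attempt -- confirm with the frontend before changing this.
    if (!isset($_SESSION["BBS_vn_str"]) || VN_check($_SESSION["BBS_vn_str"], $vn_str) != 0)
    {
        login_service_field_error($result_set, "vn_str", "验证码错误");
    }
}

if ($result_set["return"]["code"] != 0)
{
    login_service_exit($db_conn, $result_set, -1);
}

// ---- Begin transaction ---------------------------------------------------
if (mysqli_query($db_conn, "SET autocommit=0") === false || mysqli_query($db_conn, "BEGIN") === false)
{
    login_service_exit($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

// Escaped copies for SQL interpolation; the values were pattern-checked above.
$username_sql  = mysqli_real_escape_string($db_conn, $username);
$password_sql  = mysqli_real_escape_string($db_conn, $password);
$client_ip_sql = mysqli_real_escape_string($db_conn, client_addr());

if (!$mfa)
{
    // Without a captcha, stop after repeated failures so that one is required:
    // 2 failures from the same source within 10 minutes (client_addr(1) is
    // used as a LIKE pattern; the original comment calls it the /24 subnet) ...
    $err_count = login_service_err_count($db_conn,
        "login_dt >= SUBDATE(NOW(), INTERVAL '10' MINUTE) AND login_ip LIKE '"
        . mysqli_real_escape_string($db_conn, client_addr(1)) . "'");
    if ($err_count === false)
    {
        login_service_exit($db_conn, $result_set, -2, "Query login log error; " . mysqli_error($db_conn));
    }
    if ($err_count >= 2)
    {
        login_service_exit($db_conn, $result_set, 1, "来源存在多次失败登陆尝试,请输入验证码");
    }

    // ... or 5 failures against this username within a day.
    $err_count = login_service_err_count($db_conn,
        "username = '$username_sql' AND login_dt >= SUBDATE(NOW(), INTERVAL '1' DAY)");
    if ($err_count === false)
    {
        login_service_exit($db_conn, $result_set, -2, "Query login log error; " . mysqli_error($db_conn));
    }
    if ($err_count >= 5)
    {
        login_service_exit($db_conn, $result_set, 1, "账号存在多次失败登陆尝试,请输入验证码");
    }
}

// ---- Match credentials ---------------------------------------------------
// A row matches on the MD5 hash (legacy rows, upgraded below), the SHA2-256
// hash, or the temporary password. old_pass tells the legacy case apart.
// NOTE(review): both hashes are unsalted and fast; moving to password_hash()
// would need a wider column and a PHP-side comparison, so it is left for a
// dedicated change.
$sql = "SELECT UID, p_login, verified, temp_password,
        password = MD5('$password_sql') AS old_pass
        FROM user_list WHERE username = '$username_sql' AND
        (password = MD5('$password_sql') OR password = SHA2('$password_sql', 256) OR
        temp_password = '$password_sql')
        AND enable";

$rs = mysqli_query($db_conn, $sql);
if ($rs === false)
{
    login_service_exit($db_conn, $result_set, -2, "Query user list error; " . mysqli_error($db_conn));
}
$row = mysqli_fetch_array($rs);
mysqli_free_result($rs);

if (!$row)
{
    // ---- Failed login: record it and refuse --------------------------------
    // NOTE(review): the submitted password is stored in clear text here.
    // Failed attempts are often near-misses of a real password, so this
    // table is sensitive data; the column is part of the existing schema,
    // but storing a hash (or nothing) would be the safer choice.
    $sql = "INSERT INTO user_err_login_log(username, password, login_dt, login_ip)
            VALUES('$username_sql', '$password_sql', NOW(), '$client_ip_sql')";
    if (mysqli_query($db_conn, $sql) === false)
    {
        login_service_exit($db_conn, $result_set, -2, "Write log error; " . mysqli_error($db_conn));
    }

    if (mysqli_query($db_conn, "COMMIT") === false)
    {
        login_service_exit($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
    }

    login_service_exit($db_conn, $result_set, 3, "用户名或密码不正确");
}

// ---- Credentials accepted ------------------------------------------------
$uid     = $row["UID"];
$uid_sql = (int)$uid;
// Strict comparison: both sides are strings here, and loose == would treat
// two numeric-looking strings as equal by value.
$used_temp_password = ($password === $row["temp_password"]);

if ($used_temp_password && !$ch_passwd)
{
    login_service_exit($db_conn, $result_set, 2, "使用临时密码登录需设置新密码");
}

if ($ch_passwd)
{
    // A first login with the temporary password also marks the account verified.
    $verified = ($used_temp_password ? 1 : (int)$row["verified"]);
    $password_new_sql = mysqli_real_escape_string($db_conn, $password_new);

    $sql = "UPDATE user_list SET password = SHA2('$password_new_sql', 256),
            temp_password = '', verified = $verified WHERE UID = $uid_sql";
    if (mysqli_query($db_conn, $sql) === false)
    {
        login_service_exit($db_conn, $result_set, -2, "Update password error; " . mysqli_error($db_conn));
    }
}
else if ($row["old_pass"])
{
    // Legacy MD5 row: re-hash with SHA2-256 now that the clear text is available.
    $sql = "UPDATE user_list SET password = SHA2('$password_sql', 256) WHERE UID = $uid_sql";
    if (mysqli_query($db_conn, $sql) === false)
    {
        login_service_exit($db_conn, $result_set, -2, "Upgrade password error; " . mysqli_error($db_conn));
    }
}

// Add user login log
$sql = "INSERT INTO user_login_log(uid, login_dt, login_ip) VALUES($uid_sql, NOW(), '$client_ip_sql')";
if (mysqli_query($db_conn, $sql) === false)
{
    login_service_exit($db_conn, $result_set, -2, "Write log error; " . mysqli_error($db_conn));
}

// Commit transaction
if (mysqli_query($db_conn, "COMMIT") === false)
{
    login_service_exit($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

// Forbidden user -- checked after the commit so the attempt stays logged.
if (!$row["p_login"])
{
    login_service_exit($db_conn, $result_set, 3, "您已被封禁全站登陆权限!");
}

// Everything from here on runs autocommitted.
if (mysqli_query($db_conn, "SET autocommit=1") === false)
{
    login_service_exit($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

// Load user information. The return values handled here: "-1" user data
// missing, "-2" license not yet accepted, "-3" account permanently closed
// (meaning inferred from the branches below; see user_login.inc.php).
$ret = load_user_info($uid, $db_conn);
switch ($ret)
{
    case "-1":
        login_service_exit($db_conn, $result_set, -2, "User data not found; " . mysqli_error($db_conn));
        break;
    case "-2":
        if (!$agreement)
        {
            // Return the license text dated by $BBS_license_dt; the client
            // resubmits with agreement=1 once the user has accepted it.
            $buffer = file_get_contents("./doc/license/" . (new DateTime($BBS_license_dt))->format("Ymd") . ".txt");
            if ($buffer === false)
            {
                $buffer = "";
            }
            login_service_exit($db_conn, $result_set, 4,
                LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, false, 1024));
        }
        break;
    case "-3":
        login_service_exit($db_conn, $result_set, 3, "很遗憾,您已经永远离开了我们的世界……");
        break;
}

$sql = "UPDATE user_pubinfo SET visit_count = visit_count + 1,
        last_login_dt = NOW() WHERE UID = $uid_sql";
if (mysqli_query($db_conn, $sql) === false)
{
    login_service_exit($db_conn, $result_set, -2, "Update login info error; " . mysqli_error($db_conn));
}

// Establish the session and consume the captcha so it cannot be replayed.
// (The previous version used `== ""` here, a comparison with no effect, so
// the captcha value was never cleared.)
$_SESSION["BBS_uid"] = $uid;
$_SESSION["BBS_username"] = $username;
$_SESSION["BBS_login_tm"] = time();
unset($_SESSION["BBS_vn_str"]);

mysqli_close($db_conn);
exit(json_encode($result_set));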
