Revision 1.16 - (show annotations)
Wed Apr 23 07:06:54 2025 UTC (10 months, 3 weeks ago) by sysadm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.15: +0 -0 lines
FILE REMOVED
Rename user_login_service to user_service_login

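<?php
/**
 * Login service endpoint: reads a JSON request body and answers with JSON.
 *
 * Request fields: username, password, ch_passwd ("1" = also set a new
 * password), password_new, agreement ("1" = licence accepted), mfa ("1" = a
 * captcha answer is supplied) and vn_str (the captcha answer).
 *
 * Response shape: {"return": {"code": int, "message": string, "errorFields": [...]}}
 * with the following codes:
 *    0  logged in; BBS_uid / BBS_username / BBS_login_tm are set in the session
 *    1  captcha required (repeated failures from this source or for this account)
 *    2  a temporary password was used, a new one must be supplied (ch_passwd)
 *    3  refused: wrong credentials, login banned, or account closed
 *    4  licence not yet accepted; message carries the licence text
 *   -1  input validation failed; errorFields lists the fields and reasons
 *   -2  database error; message carries the driver error text
 *
 * Every exit path closes the database connection. The failure paths rely on
 * the server discarding a transaction that is still open when the connection
 * closes, instead of issuing an explicit ROLLBACK.
 *
 * NOTE(review): passwords are stored as unsalted SHA-256 hex (legacy MD5 hashes
 * are re-hashed on login) and temporary passwords in clear; moving to
 * password_hash() would need a storage-format change shared with the other
 * readers of user_list, so it is not done here.
 */
require_once "../lib/db_open.inc.php";
require_once "../lib/lml.inc.php";
require_once "../lib/passwd.inc.php";
require_once "../lib/vn_gif.inc.php";
require_once "../lib/client_addr.inc.php";
require_once "../lib/ip_mask.inc.php";
require_once "./session_init.inc.php";
require_once "./user_login.inc.php";

// Failed-attempt thresholds beyond which a captcha is demanded
$max_err_per_source = 2;   // same /24 source within the last 10 minutes
$max_err_per_account = 5;  // same username within the last day

$result_set = [
    "return" => [
        "code" => 0,
        "message" => "",
        "errorFields" => [],
    ],
];

// --- Exit helpers: each one closes the connection and terminates the script ---

// Emit $result_set as the response and stop.
$respond = function () use ($db_conn, &$result_set) {
    mysqli_close($db_conn);
    exit(json_encode($result_set));
};

// Set code and message, then respond.
$fail = function ($code, $message) use (&$result_set, $respond) {
    $result_set["return"]["code"] = $code;
    $result_set["return"]["message"] = $message;
    $respond();
};

// Report a database failure (-2) with the driver's error text appended.
$db_fail = function ($prefix) use ($db_conn, $fail) {
    $fail(-2, $prefix . mysqli_error($db_conn));
};

// Escape a value for use inside a single-quoted SQL literal.
$esc = function ($value) use ($db_conn) {
    return mysqli_real_escape_string($db_conn, (string)$value);
};

// --- Request parsing ---

$data = json_decode(file_get_contents("php://input"), true);
if (!is_array($data)) {
    $data = [];  // malformed or non-object body: every field reads as absent
}

// Trimmed string field; absent or non-scalar values read as "".
$field = function ($key) use ($data) {
    return isset($data[$key]) && is_scalar($data[$key]) ? trim((string)$data[$key]) : "";
};

// Boolean flag field, set only when the value equals "1".
$flag = function ($key) use ($data) {
    return isset($data[$key]) && $data[$key] == "1";
};

$username = $field("username");
$password = $field("password");
$ch_passwd = $flag("ch_passwd") ? 1 : 0;
$password_new = $field("password_new");
$agreement = $flag("agreement");
$mfa = $flag("mfa") ? 1 : 0;
$vn_str = $field("vn_str");

header("Content-Type:application/json; charset=utf-8");

// --- Input validation: collect every offending field before answering ---

$field_error = function ($id, $errMsg) use (&$result_set) {
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = ["id" => $id, "errMsg" => $errMsg];
};

// The username/password patterns also guarantee the values are plain ASCII
// alphanumerics, which the SQL below additionally relies on.
if (!preg_match("/^[A-Za-z][A-Za-z0-9]{2,11}$/", $username)) {
    $field_error("username", "不符合格式要求");
}
if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password)) {
    $field_error("password", "不符合格式要求");
}
if ($ch_passwd) {
    if (!preg_match("/^[A-Za-z0-9]{6,12}$/", $password_new)) {
        $field_error("password_new", "不符合格式要求");
    }
    if (!verify_pass_complexity($password_new, $username, 6)) {
        $field_error("password_new", "不符合复杂性要求");
    }
}
if ($mfa) {
    // The answer must match the captcha issued to this session (case-insensitive);
    // hash_equals keeps the comparison time independent of where they differ.
    $expected = isset($_SESSION["BBS_vn_str"]) ? (string)$_SESSION["BBS_vn_str"] : "";
    if ($expected === "" || !hash_equals(strtolower($expected), strtolower($vn_str))) {
        $field_error("vn_str", "验证码错误");
    }
}
if ($result_set["return"]["code"] != 0) {
    $respond();
}

// --- Transaction: the user row is read FOR UPDATE and rewritten below ---

if (mysqli_query($db_conn, "SET autocommit=0") === false) {
    $db_fail("Mysqli error: ");
}
if (mysqli_query($db_conn, "BEGIN") === false) {
    $db_fail("Mysqli error: ");
}

$username_sql = $esc($username);

if (!$mfa) {
    // Without a captcha, refuse once the source or the account has accumulated
    // too many recent failures, so that guessing is throttled.
    $throttle_checks = [
        [
            "SELECT COUNT(*) AS err_count FROM user_err_login_log
                WHERE login_dt >= SUBDATE(NOW(), INTERVAL 10 MINUTE)
                AND login_ip LIKE '" . $esc(client_addr(1)) . "'",
            $max_err_per_source,
            "来源存在多次失败登陆尝试,请输入验证码",
        ],
        [
            "SELECT COUNT(*) AS err_count FROM user_err_login_log
                WHERE username = '$username_sql' AND login_dt >= SUBDATE(NOW(), INTERVAL 1 DAY)",
            $max_err_per_account,
            "账户存在多次失败登陆尝试,请输入验证码",
        ],
    ];
    foreach ($throttle_checks as [$sql, $limit, $message]) {
        $rs = mysqli_query($db_conn, $sql);
        if ($rs === false) {
            $db_fail("Query login log error: ");
        }
        $row = mysqli_fetch_array($rs);
        mysqli_free_result($rs);
        if ($row && $row["err_count"] >= $limit) {
            $fail(1, $message);
        }
    }
}

// --- Credential check ---

// Hash the candidate password here so the clear text is not embedded in the
// query for the hashed comparisons; only the temp-password match still needs it.
$password_sql = $esc($password);
$password_md5 = md5($password);
$password_sha256 = hash("sha256", $password);

$sql = "SELECT UID, p_login, verified, temp_password,
            password = '$password_md5' AS old_pass
        FROM user_list WHERE username = '$username_sql' AND
            (password = '$password_md5' OR password = '$password_sha256' OR
             temp_password = '$password_sql')
        AND enable FOR UPDATE";
$rs = mysqli_query($db_conn, $sql);
if ($rs === false) {
    $db_fail("Query user list error: ");
}
$row = mysqli_fetch_array($rs);
mysqli_free_result($rs);

if (!$row) {
    // Record the failure for the throttling counts. The submitted password is
    // deliberately not stored: failed attempts are typically near-misses of the
    // real password, so keeping them would turn this log into a credential leak.
    $sql = "INSERT INTO user_err_login_log(username, password, login_dt, login_ip)
                VALUES('$username_sql', '', NOW(), '" . $esc(client_addr()) . "')";
    if (mysqli_query($db_conn, $sql) === false) {
        $db_fail("Write log error: ");
    }
    if (mysqli_query($db_conn, "COMMIT") === false) {
        $db_fail("Mysqli error: ");
    }

    $_SESSION["BBS_vn_str"] = ""; // Force a fresh captcha for the next attempt

    $fail(3, "用户名或密码不正确");
}

// --- Matched user: optional password change / hash upgrade, then login log ---

$uid = intval($row["UID"]);
$used_temp_password = ($password == $row["temp_password"]);

if ($used_temp_password && !$ch_passwd) {
    $fail(2, "使用临时密码登录需设置新密码");
}

if ($ch_passwd) {
    $verified = $row["verified"];
    if ($used_temp_password) {
        // First login of a new user with the temporary password: mark the
        // account verified and grant the initial life of 150.
        $verified = 1;
        $sql = "UPDATE user_pubinfo SET life = 150 WHERE UID = $uid";
        if (mysqli_query($db_conn, $sql) === false) {
            $db_fail("Update user life error: ");
        }
    }
    $sql = "UPDATE user_list SET password = '" . hash("sha256", $password_new) . "',
                temp_password = '', verified = $verified WHERE UID = $uid";
    if (mysqli_query($db_conn, $sql) === false) {
        $db_fail("Update password error: ");
    }
} elseif ($row["old_pass"]) {
    // Legacy MD5 hash matched: transparently re-hash with SHA-256
    $sql = "UPDATE user_list SET password = '$password_sha256' WHERE UID = $uid";
    if (mysqli_query($db_conn, $sql) === false) {
        $db_fail("Upgrade password error: ");
    }
}

// Add user login log
$sql = "INSERT INTO user_login_log(uid, login_dt, login_ip) VALUES($uid, NOW(), '" . $esc(client_addr()) . "')";
if (mysqli_query($db_conn, $sql) === false) {
    $db_fail("Write log error: ");
}

if (mysqli_query($db_conn, "COMMIT") === false) {
    $db_fail("Mysqli error: ");
}

// Login-banned user: refused only after the attempt has been logged and committed
if (!$row["p_login"]) {
    $fail(3, "您已被封禁全站登陆权限!");
}

if (mysqli_query($db_conn, "SET autocommit=1") === false) {
    $db_fail("Mysqli error: ");
}

// --- Load user information and apply the account state it reports ---

$ret = load_user_info($uid, $db_conn);
switch ($ret) {
    case -1:
        $db_fail("User data not found: ");
        break;
    case -2:
        if (!$agreement) {
            // Current licence text, rendered through LML, that the user must accept first
            $license_file = "./doc/license/" . (new DateTime($BBS_license_dt))->format("Ymd") . ".txt";
            $buffer = file_get_contents($license_file);
            if ($buffer === false) {
                $buffer = "";
            }
            $fail(4, LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, false, 1024));
        }
        break;
    case -3:
        $fail(3, "很遗憾,您已经永远离开了我们的世界……");
        break;
}

$sql = "UPDATE user_pubinfo SET visit_count = visit_count + 1,
            last_login_dt = NOW() WHERE UID = $uid";
if (mysqli_query($db_conn, $sql) === false) {
    $db_fail("Update login info error: ");
}

// Establish the login session on a fresh session id so an id handed to the
// browser before authentication cannot be reused (session fixation).
session_regenerate_id(true);
$_SESSION["BBS_uid"] = $uid;
$_SESSION["BBS_username"] = $username;
$_SESSION["BBS_login_tm"] = time();
$_SESSION["BBS_vn_str"] = "";  // consumed captcha cannot be replayed

if (!keep_alive($db_conn)) {
    $db_fail("Keep alive error: ");
}

$respond();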
