From 3c8474db34594bd1b804f8fb363d4f4e0bdeef44 Mon Sep 17 00:00:00 2001 From: Stefan Brannfjell Date: Sat, 6 Sep 2014 23:29:18 +0200 Subject: [PATCH] Email authentication system. Integrated with PHPMailer. When enabled, you will send an activation key to registering users, which they need to click to verify that they actually got a real email address, and to activate the account. --- config.php | 17 +++++++ engine/function/mail.php | 93 +++++++++++++++++++++++++++++++++++++++ engine/function/users.php | 23 ++++++++-- engine/init.php | 15 ++++--- login.php | 41 +++++++++++------ register.php | 26 +++++++++-- 6 files changed, 187 insertions(+), 28 deletions(-) create mode 100644 engine/function/mail.php diff --git a/config.php b/config.php index e4f38d8..ef38167 100644 --- a/config.php +++ b/config.php @@ -374,6 +374,23 @@ $config['api'] = array( 'debug' => false, ); + + // Email Server configurations (SMTP) + /* Download PHPMailer: https://github.com/PHPMailer/PHPMailer/archive/master.zip + Extract to Znote AAC directory (where this config.php file is located) + Rename the folder to "PHPMailer". Then configure this with your SMTP mail settings from your email provider. + */ + $config['mailserver'] = array( + 'register' => false, // Send activation mail + 'accountRecovery' => false, // Recover username or password through mail + 'host' => "mailserver.znote.eu", // Outgoing mail server host. + 'securityType' => 'ssl', // ssl or tls + 'port' => 465, // SMTP port number - likely to be 465(ssl) or 587(tls) + 'username' => 'noreply@znote.eu', // Likely the email address + 'password' => 'emailpassword', // The password. + 'debug' => false, // Enable debugging if you have problems and are looking for errors. + 'fromName' => $config['site_title'], + ); // Use Znote's External Open Tibia Services Server // Currently in Alpha and is pretty useless, but will contain paypal blacklist etc in future. // You can use the official server: http://zeotss.znote.eu/ 
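Review bot: The comment on `'debug' => false` undersells what the flag does: `engine/function/mail.php` in this same patch maps it to `SMTPDebug = 2` with `Debugoutput = 'html'`, so when it is on the complete SMTP client/server exchange (including the authentication dialogue with the host configured here) is written into the HTTP response of the visitor whose registration triggered the mail, and `register.php` deliberately skips its redirect in that mode so the output is shown. Replace the comment with something like `// Writes the full SMTP transcript into the page of the visitor who triggered the mail; only for local troubleshooting, never on a public site.`. The `'securityType'` comment could also state that `''` (no encryption) is what this setting falls back to if neither value is given, or the mailer should reject anything but `'ssl'`/`'tls'`; as written the value is passed through unchecked.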
diff --git a/engine/function/mail.php b/engine/function/mail.php new file mode 100644 index 0000000..83ed5fa --- /dev/null +++ b/engine/function/mail.php @@ -0,0 +1,93 @@ +_config = $config; + } + + /** + * Sets the cache expiration limit (IMPORTANT NOTE: seconds, NOT ms!). + * + * @param integer $span + * @access public + * @return void + **/ + public function sendMail($to, $title, $text, $accname = '') { + //SMTP needs accurate times, and the PHP time zone MUST be set + //This should be done in your php.ini, but this is how to do it if you don't have access to that + //date_default_timezone_set('Etc/UTC'); + + require 'PHPMailer/PHPMailerAutoload.php'; + + //Create a new PHPMailer instance + $mail = new PHPMailer(); + + //Tell PHPMailer to use SMTP + $mail->isSMTP(); + + //Enable SMTP debugging + // 0 = off (for production use) + // 1 = client messages + // 2 = client and server messages + $mail->SMTPDebug = ($this->_config['debug']) ? 2 : 0; + + //Ask for HTML-friendly debug output + $mail->Debugoutput = 'html'; + + //Set the hostname of the mail server + $mail->Host = $this->_config['host']; + + //Set the SMTP port number - likely to be 25, 465 or 587 + $mail->Port = $this->_config['port']; + + //Whether to use SMTP authentication + $mail->SMTPAuth = true; + $mail->SMTPSecure = $this->_config['securityType']; + + //Username to use for SMTP authentication + $mail->Username = $this->_config['username']; + + //Password to use for SMTP authentication + $mail->Password = $this->_config['password']; + + //Set who the message is to be sent from + $mail->setFrom($this->_config['username'], $this->_config['fromName']); + + //Set who the message is to be sent to + $mail->addAddress($to, $accname); + + //Set the subject line + $mail->Subject = $title; + + // Body + $mail->Body = $text; + + // Convert HTML -> plain for legacy mail recievers + // Create new lines instead of
html tags. + $text = str_replace("
", "\n", $text); + $text = str_replace("", "\n", $text); + $text = str_replace("
", "\n", $text); + // Then get rid of the rest of the html tags. + $text = strip_tags($text); + + //Replace the plain text body with one created manually + $mail->AltBody = $text; + + + //send the message, check for errors + $status = false; + if (!$mail->send()) { + echo "Mailer Error: " . $mail->ErrorInfo; + exit(); + } else { + $status = true; + } + return $status; + } +} \ No newline at end of file diff --git a/engine/function/users.php b/engine/function/users.php index 1e30a31..26f4408 100644 --- a/engine/function/users.php +++ b/engine/function/users.php @@ -1042,7 +1042,7 @@ function user_character_set_hide($char_id, $value) { } // CREATE ACCOUNT -function user_create_account($register_data) { +function user_create_account($register_data, $maildata) { array_walk($register_data, 'array_sanitize'); if (config('TFSVersion') == 'TFS_03' && config('salt') === true) { @@ -1064,10 +1064,25 @@ function user_create_account($register_data) { mysql_insert("INSERT INTO `accounts` ($fields) VALUES ($data)"); $account_id = user_id($register_data['name']); - mysql_insert("INSERT INTO `znote_accounts` (`account_id`, `ip`, `created`) VALUES ('$account_id', '$ip', '$created')"); + $activeKey = rand(100000000,999999999); + mysql_insert("INSERT INTO `znote_accounts` (`account_id`, `ip`, `created`, `activekey`) VALUES ('$account_id', '$ip', '$created', '$activeKey')"); - //TO-DO: mail server and verification. - // http://www.web-development-blog.com/archives/send-e-mail-messages-via-smtp-with-phpmailer-and-gmail/ + if ($maildata['register']) { + + $thisurl = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"; + $thisurl .= "?authenticate&u=".$account_id."&k=".$activeKey; + + $mailer = new Mail($maildata); + + $title = "Please authenticate your account at $_SERVER[HTTP_HOST]."; + + $body = "

Please click on the following link to authenticate your account:

"; + $body .= "

$thisurl

"; + $body .= "

Thank you for registering and enjoy your stay at $maildata[fromName].

"; + $body .= "

I am an automatic no-reply e-mail. Any emails sent back to me will be ignored.

"; + + $mailer->sendMail($register_data['email'], $title, $body, $register_data['name']); + } } // CREATE CHARACTER diff --git a/engine/init.php b/engine/init.php index 202c44c..5efad58 100644 --- a/engine/init.php +++ b/engine/init.php @@ -8,7 +8,7 @@ $accQueriesData = array(); session_start(); ob_start(); -require 'config.php'; +require_once 'config.php'; $sessionPrefix = $config['session_prefix']; if ($config['paypal']['enabled'] || $config['zeotss']['enabled']) { @@ -16,12 +16,13 @@ if ($config['paypal']['enabled'] || $config['zeotss']['enabled']) { if (!$curlcheck) die("php cURL is not enabled. It is required to for paypal and ZEOTSS services.
1. Find your php.ini file.
2. Uncomment extension=php_curl
Restart web server.

If you don't want this then disable zeotss and paypal in config.php."); } -require 'database/connect.php'; -require 'function/general.php'; -require 'function/users.php'; -require 'function/cache.php'; -require 'function/token.php'; -require 'function/itemparser/itemlistparser.php'; +require_once 'database/connect.php'; +require_once 'function/general.php'; +require_once 'function/users.php'; +require_once 'function/cache.php'; +require_once 'function/mail.php'; +require_once 'function/token.php'; +require_once 'function/itemparser/itemlistparser.php'; if (isset($_SESSION['token'])) { $_SESSION['old_token'] = $_SESSION['token']; diff --git a/login.php b/login.php index 9a7dd99..3d09cd2 100644 --- a/login.php +++ b/login.php 
@@ -30,20 +30,33 @@ if (empty($_POST) === false) { if ($login === false) { $errors[] = 'Username and password combination is wrong.'; } else { - setSession('user_id', $login); - - // if IP is not set (etc acc created before Znote AAC was in use) - $znote_data = user_znote_account_data($login); - if ($znote_data['ip'] == 0) { - $update_data = array( - 'ip' => ip2long(getIP()), - ); - user_update_znote_account($update_data); - } - - // Send them to myaccount.php - header('Location: myaccount.php'); - exit(); + // Check if user have access to login + $status = false; + if ($config['mailserver']['register']) { + $authenticate = mysql_select_single("SELECT `id` FROM `znote_accounts` WHERE `account_id`='$login' AND `active`='1' LIMIT 1;"); + if ($authenticate !== false) { + $status = true; + } else { + $errors[] = "Your account is not activated. An email should have been sent to you when you registered. Please find it and click the activation link to activate your account."; + } + } else $status = true; + + if ($status) { + setSession('user_id', $login); + + // if IP is not set (etc acc created before Znote AAC was in use) + $znote_data = user_znote_account_data($login); + if ($znote_data['ip'] == 0) { + $update_data = array( + 'ip' => ip2long(getIP()), + ); + user_update_znote_account($update_data); + } + + // Send them to myaccount.php + header('Location: myaccount.php'); + exit(); + } } } } else { diff --git a/register.php b/register.php index 4072c97..6286972 100644 --- a/register.php +++ b/register.php @@ -82,7 +82,27 @@ if (empty($_POST) === false) {
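Review bot: With `$config['mailserver']['register']` enabled, login now requires a `znote_accounts` row with `active='1'`, but nothing in this patch sets that flag for accounts that already exist or that were registered while the option was off, and no schema change for the new `active`/`activekey` columns is part of the diff; switching the option on later would therefore lock out every existing account unless those rows are backfilled, which the config comment should state. `$login` is interpolated directly into the query string; it appears to be the account id returned by the login helper, so `(int)$login` before building the statement, or a parameterised query, would remove any doubt. `} else $status = true;` should take braces like the surrounding code. The enclosing `if (empty($_POST) === false)` block begins above the hunk.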

Register Account

+

Email authentication required

+

We have sent you an email with an activation link to your submitted email address.

+

If you can't find the email within 5 minutes, check your junk/trash inbox as it may be mislocated there.

+ 0) ? (int)$_GET['u'] : false; + $akey = (isset($_GET['k']) && (int)$_GET['k'] > 0) ? (int)$_GET['k'] : false; + // Find a match + $user = mysql_select_single("SELECT `id` FROM `znote_accounts` WHERE `account_id`='$auid' AND `activekey`='$akey' AND `active`='0' LIMIT 1;"); + if ($user !== false) { + $user = $user['id']; + // Enable the account to login + mysql_update("UPDATE `znote_accounts` SET `active`='1' WHERE `id`='$user' LIMIT 1;"); + echo '

Congratulations!

Your account has been created. You may now login to create a character.

'; + } else { + echo '

Authentication failed

Either the activation link is wrong, or your account is already activated.

'; + } } else { if (empty($_POST) === false && empty($errors) === true) { if ($config['log_ip']) { @@ -97,8 +117,8 @@ if (isset($_GET['success']) && empty($_GET['success'])) { 'created' => time() ); - user_create_account($register_data); - header('Location: register.php?success'); + user_create_account($register_data, $config['mailserver']); + if (!$config['mailserver']['debug']) header('Location: register.php?success'); exit(); //End register
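Review bot: The authenticate branch runs the `SELECT ... WHERE account_id='$auid' AND activekey='$akey'` lookup even when `$auid` or `$akey` validated to `false`, which interpolates as an empty string; guard first, `if ($auid === false || $akey === false) { $user = false; } else { $user = mysql_select_single(...); }`, so malformed links never reach the database. Reusing `$user` for the row and then for its `id` makes the `if ($user !== false)` check read oddly; `$rowId = $user['id'];` would be clearer. The header of this branch (the `elseif` that tests `$_GET['authenticate']`) is not visible in the hunk as shown.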