From 91d0ffa95ce3b07224771aa3f163d195634ffdd4 Mon Sep 17 00:00:00 2001
From: ElGovanni
Date: Tue, 19 Apr 2016 20:41:57 +0200
Subject: [PATCH] Recovery System
Similar to the original one from Tibia.
---
config.php | 55 +++++-----
layout/widgets/login.php | 4 +-
lostaccount.php | 222 +++++++++++++++++++++++++++++++++++++++
recovery.php | 2 +-
settings.php | 81 ++++++++++----
5 files changed, 318 insertions(+), 46 deletions(-)
create mode 100644 lostaccount.php
diff --git a/config.php b/config.php
index a859981..485e6eb 100644
--- a/config.php
+++ b/config.php
@@ -12,7 +12,7 @@
$config['site_title_context'] = 'Because open communities are good communities. :3';
// Path to server folder without / Example: C:\Users\Alvaro\Documents\GitHub\forgottenserver
- $config['server_path'] = '';
+ $config['server_path'] = '';
// ------------------------ \\
@@ -35,7 +35,7 @@
- getClock() = returns current time in numbers.
- getClock(time(), true) = returns current time in formatted date
- getClock(false, true) = same as above
- - getClock(false, true, false) = get current time, don't adjust timezone
+ - getClock(false, true, false) = get current time, don't adjust timezone
- echo getClock($profile_data['lastlogin'], true); = from characterprofile,
explains when user was last logged in. */
function getClock($time = false, $format = false, $adjust = true) {
@@ -51,7 +51,7 @@
// ------------------- \\
// CUSTOM SERVER STUFF \\
// ------------------- \\
- // Enable / disable Questlog function (true / false)
+ // Enable / disable Questlog function (true / false)
$config['EnableQuests'] = false;
// array for filling questlog (Questid, max value, name, end of the quest fill 1 for the last part 0 for all others)
@@ -131,8 +131,8 @@
'secret' => true
),
30001 => array(
- 'Allow Cookies?',
- 'With a perfectly harmless smile you fooled all of those wicecrackers into eating your exploding cookies. Consider a boy or girl scout outfit next time to make the trick even better.',
+ 'Allow Cookies?',
+ 'With a perfectly harmless smile you fooled all of those wicecrackers into eating your exploding cookies. Consider a boy or girl scout outfit next time to make the trick even better.',
'points' => '10', // 1-3 points (1star), 4-6 points(2 stars), 7-9 points(3 stars), 10 points => (4 stars)
'secret' => true // show "secret" image
),
@@ -143,7 +143,7 @@
),
30003 => array(
'Bearhugger',
- 'Warm, furry and cuddly - though that same bear you just hugged would probably rip you into pieces if he had been conscious, he reminded you of that old teddy bear which always slept in your bed when you were still small.',
+ 'Warm, furry and cuddly - though that same bear you just hugged would probably rip you into pieces if he had been conscious, he reminded you of that old teddy bear which always slept in your bed when you were still small.',
'points' => '4'
),
30004 => array(
@@ -153,23 +153,23 @@
),
30005 => array(
'Chorister',
- 'Lalalala... you now know the cult\'s hymn sung in Liberty Bay by heart. Not that hard, considering that it mainly consists of two notes and repetitive lyrics.',
+ 'Lalalala... you now know the cult\'s hymn sung in Liberty Bay by heart. Not that hard, considering that it mainly consists of two notes and repetitive lyrics.',
'points' => '1'
),
30006 => array(
'Fountain of Life',
- 'You found and took a sip from the Fountain of Life. Thought it didn\'t grant you eternal life, you feel changed and somehow at peace.',
+ 'You found and took a sip from the Fountain of Life. Thought it didn\'t grant you eternal life, you feel changed and somehow at peace.',
'points' => '1',
'secret' => true
),
30007 => array(
'Here, Fishy Fishy!',
- 'Ah, the smell of the sea! Standing at the shore and casting a line is one of your favourite activities. For you, fishing is relaxing - and at the same time, providing easy food. Perfect!',
+ 'Ah, the smell of the sea! Standing at the shore and casting a line is one of your favourite activities. For you, fishing is relaxing - and at the same time, providing easy food. Perfect!',
'points' => '1'
),
30008 => array(
'Honorary Barbarian',
- 'You\'ve hugged bears, pushed mammoths and proved your drinking skills. And even though you have a slight hangover, a partially fractured rib and some greasy hair on your tongue, you\'re quite proud to call yourself a honorary barbarian from now on.',
+ 'You\'ve hugged bears, pushed mammoths and proved your drinking skills. And even though you have a slight hangover, a partially fractured rib and some greasy hair on your tongue, you\'re quite proud to call yourself a honorary barbarian from now on.',
'points' => '1'
),
30009 => array(
@@ -179,12 +179,12 @@
),
300010 => array(
'Just in Time',
- 'You\'re a fast runner and are good at delivering wares which are bound to decay just in the nick of time, even if you can\'t use any means of transportation or if your hands get cold or smelly in the process.',
+ 'You\'re a fast runner and are good at delivering wares which are bound to decay just in the nick of time, even if you can\'t use any means of transportation or if your hands get cold or smelly in the process.',
'points' => '1'
),
30011 => array(
'Matchmaker',
- 'You don\'t believe in romance to be a coincidence or in love at first sight. In fact - love potions, bouquets of flowers and cheesy poems do the trick much better than ever could. Keep those hormones flowing!',
+ 'You don\'t believe in romance to be a coincidence or in love at first sight. In fact - love potions, bouquets of flowers and cheesy poems do the trick much better than ever could. Keep those hormones flowing!',
'points' => '1',
'secret' => true
),
@@ -202,7 +202,7 @@
),
30014 => array(
'Secret Agent',
- 'Pack your spy gear and get ready for some dangerous missions in service of a secret agency. You\'ve shown you want to - but can you really do it? Time will tell.',
+ 'Pack your spy gear and get ready for some dangerous missions in service of a secret agency. You\'ve shown you want to - but can you really do it? Time will tell.',
'points' => '1',
'secret' => true
),
@@ -218,7 +218,7 @@
),
30017 => array(
'Worm Whacker',
- 'Weehee! Whack those worms! You sure know how to handle a big hammer.',
+ 'Weehee! Whack those worms! You sure know how to handle a big hammer.',
'points' => '1',
'secret' => true
),
@@ -229,7 +229,7 @@
),
30019 => array(
'Amateur Actor',
- 'You helped bringing Princess Buttercup, Doctor Dumbness and Lucky the Wonder Dog to life - and will probably dream of them tonight, since you memorised your lines perfectly. What a .. special piece of.. screenplay.',
+ 'You helped bringing Princess Buttercup, Doctor Dumbness and Lucky the Wonder Dog to life - and will probably dream of them tonight, since you memorised your lines perfectly. What a .. special piece of.. screenplay.',
'points' => '2'
),
30020 => array(
@@ -242,7 +242,7 @@
// TFS 1.0 powergamers and top online
//Before enabling powergamers, make sure that you have added LUA files and possible cloums to your server.
//files can be found at Lua folder.
-
+
$config['powergamers'] = array(
'enabled' => true, // Enable or disable page
'limit' => 20, //Number of players that it will show.
@@ -350,7 +350,7 @@
5 => 'Ended',
);
- /* -- SUB PAGES --
+ /* -- SUB PAGES --
Some custom layouts/templates have custom pages, they can use
this sub page functionality for that.
*/
@@ -429,7 +429,7 @@
'status_port' => "7171",
);
- $config['delete_character_interval'] = '3 DAY'; // Delay after user character delete request is executed eg. 1 DAY, 2 HOUR, 3 MONTH etc.
+ $config['delete_character_interval'] = '3 DAY'; // Delay after user character delete request is executed eg. 1 DAY, 2 HOUR, 3 MONTH etc.
$config['validate_IP'] = true; // Only allow legal IP addresses to register and create character.
$config['salt'] = false; // Some noob 0.3.6 servers don't support salt.
@@ -439,7 +439,7 @@
// Use guild logo system
$config['use_guild_logos'] = true;
-
+
// Use country flags
$config['country_flags'] = false;
@@ -533,6 +533,13 @@
'debug' => false, // Enable debugging if you have problems and are looking for errors.
'fromName' => $config['site_title'],
);
+ //Recovery System by ElGovanni (https://github.com/ElGovanni) //know as Burczyk
+ $config['recovery_key'] = array(
+ 'enabled' => true,
+ 'length' => 10, //less or equal value from database (default is: 20)
+ 'send_to_mail' => true,
+ 'change_email_by_recovery' => true,
+ );
// Use Znote's External Open Tibia Services Server
// Currently in Alpha and is pretty useless, but will contain paypal blacklist etc in future.
// You can use the official server: http://zeotss.znote.eu/
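Review bot: The new `$config['recovery_key']` block ships with `'enabled' => true` and `'change_email_by_recovery' => true`, so, judging by the key names, a site that merges this config gets an account-recovery and e-mail-change path switched on without the operator opting in. I would default both to off (`'enabled' => false,` and `'change_email_by_recovery' => false,`) and let admins enable them once mail delivery is configured. The `'length' => 10` default is half of the 20 characters the comment says the database allows, and because the key acts as a password-equivalent secret the default should use the full width: `'length' => 20, // must not exceed the recovery key column width in the database (default 20)`. The key generator is not visible in this hunk; the lostaccount.php fragment further down the page draws the replacement password from `mt_rand`, so if the key is built the same way it should come from a cryptographically secure source instead.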
@@ -560,7 +567,7 @@
// Available options: LINUX or WINDOWS
$config['os'] = 'WINDOWS';
- // Measure how much players are lagging in-game. (Not completed).
+ // Measure how much players are lagging in-game. (Not completed).
$config['ping'] = false;
// BAN STUFF - Don't touch this unless you know what you are doing.
@@ -638,13 +645,13 @@
$config['session_prefix'] = 'znote_';
/* Store visitor data
- Store visitor data in the database, logging every IP visitng site,
+ Store visitor data in the database, logging every IP visitng site,
and how many times they have visited the site. And sometimes what
they do on the site.
-
+
This helps to prevent POST SPAM (like register 1000 accounts in a few seconds)
and other things which can stress and slow down the server.
-
+
The only downside is that database can get pretty fed up with much IP data
if table never gets flushed once in a while. So I highly recommend you
to configure flush_ip_logs if IPs are logged.
@@ -652,7 +659,7 @@
$config['log_ip'] = false;
// Flush IP logs each configured seconds, 60 * 15 = 15 minutes.
- // Set to false to entirely disable ip log flush.
+ // Set to false to entirely disable ip log flush.
// It is important to flush for optimal performance.
$config['flush_ip_logs'] = 59 * 27;
diff --git a/layout/widgets/login.php b/layout/widgets/login.php
index 561412e..d08afed 100644
--- a/layout/widgets/login.php
+++ b/layout/widgets/login.php
@@ -19,8 +19,8 @@
Token::create();
?>
I am an automatic no-reply e-mail. Any emails sent back to me will be ignored.
";
+ $mailer->sendMail($_POST['new_email'], $title, $body, $query['name']);
+
+ echo 'We have sent an e-mail to your new address with link to authenticate this e-mail, please check it.';
+
+ }
+ } else {
+ echo 'Incorrect e-mail or recovery key. ';
+ }
+ }else{
+ if((intval($query['email_new_time']) - time())>=7140) //interval
+ echo "Something went wrong";
+ else{
+ $newPassword = NULL;
+ for($i=0; $i < 10; $i++) {
+ $cnum[$i] = $acceptedChars{mt_rand(0, 60)};
+ $newPassword .= $cnum[$i];
+ }
+ $salt = '';
+ if ($config['TFSVersion'] != 'TFS_03') {
+ // TFS 0.2 and 1.0
+ $password = sha1($newPassword);
+ } else {
+ // TFS 0.3/4
+ if (config('salt') === true) {
+ $saltdata = mysql_select_single("SELECT `salt` FROM `accounts` WHERE `id` = $auid LIMIT 1;");
+ if ($saltdata !== false) $salt .= $saltdata['salt'];
+ }
+ $password = sha1($salt.$newPassword);
+ }
+ mysql_update("UPDATE `accounts` SET `password`='".$password."', `email_new_time` = '".intval(time()+7200)."' WHERE `id` = '".$query['account_id']."';");
+ echo "Your new password is: ".$newPassword." Stay safe.";
+ }
+
+ }
+
+ } else {
+ echo output_errors($errors);
+ echo 'This character not exist.';
+ }
+
+ }
+ break;
+ default:
+ ?>
+
Welcome to the Lost Account Interface!
+
+
If you have lost access to your account, this interface can help you. Of course, you need to prove that your claim to the account is justified. Enter the requested data and follow the instructions carefully. Please understand there is no way to get access to your lost account if the interface cannot help you.
Your new recovery key is: ".$randomString;
+ if($config['recovery_key']['send_to_mail'])
+ echo ' Duplicate has been send to your e-mail address: '.$user_data['email'];
+ echo '