From d5cabac14a8407419996374c31b6378b8194b700 Mon Sep 17 00:00:00 2001
From: Znote <stefan_brannfjell@live.no>
Date: Sat, 21 Jan 2017 23:08:46 +0100
Subject: [PATCH] Disable 2FA through Email Fix #249 And fixed an issue with
 email activation link when registering an account.

---
 engine/function/users.php |   5 +-
 layout/widgets/login.php  |   2 +-
 recovery.php              | 115 +++++++++++++++++++++++++++++---------
 register.php              |   9 ++-
 4 files changed, 100 insertions(+), 31 deletions(-)

diff --git a/engine/function/users.php b/engine/function/users.php
index a267154..cc77f7f 100644
--- a/engine/function/users.php
+++ b/engine/function/users.php
@@ -1173,11 +1173,12 @@ function user_create_account($register_data, $maildata) {
 	
 	$account_id = user_id($register_data['name']);
 	$activeKey = rand(100000000,999999999);
-	mysql_insert("INSERT INTO `znote_accounts` (`account_id`, `ip`, `created`, `activekey`, `flag`) VALUES ('$account_id', '$ip', '$created', '$activeKey', '$flag')");
+	$active = ($maildata['register']) ? 0 : 1;
+	mysql_insert("INSERT INTO `znote_accounts` (`account_id`, `ip`, `created`, `active`, `activekey`, `flag`) VALUES ('$account_id', '$ip', '$created', '$active', '$activeKey', '$flag')");
 	
 	if ($maildata['register']) {
 
-		$thisurl = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
+		$thisurl = config('site_url') . "$_SERVER[REQUEST_URI]";
 		$thisurl .= "?authenticate&u=".$account_id."&k=".$activeKey;
 
 		$mailer = new Mail($maildata);
diff --git a/layout/widgets/login.php b/layout/widgets/login.php
index eb1869c..1e16d7f 100644
--- a/layout/widgets/login.php
+++ b/layout/widgets/login.php
@@ -23,7 +23,7 @@
 				Token::create();
 			?>
 		<center>	<h3><a href="register.php">New account</a></h3>
-		<font size="1">- Lost <a href="recovery.php?mode=username">username</a> or <a href="recovery.php?mode=password">password</a>?</font></center>
+		<font size="1">- <a href="recovery.php">Account Recovery</a></font></center>
 		</ul>
 		</form>
 	</div>
diff --git a/recovery.php b/recovery.php
index 9fd7f22..935d482 100644
--- a/recovery.php
+++ b/recovery.php
@@ -59,7 +59,7 @@ if ($config['mailserver']['accountRecovery']) {
 					<?php
 				}
 
-			} else {
+			} elseif (!$password) {
 				// Recover password
 				$newpass = rand(100000000, 999999999);
 				$salt = '';
@@ -100,37 +100,102 @@ if ($config['mailserver']['accountRecovery']) {
 					<p>Submitted data is wrong.</p>
 					<?php
 				}
+			} else { // Token
+				$password = sha1($password);
+				$user = mysql_select_single("SELECT `a`.`id`, `a`.`name`, `za`.`activekey` FROM `accounts` AS `a` INNER JOIN `znote_accounts` AS `za` ON `a`.`id` = `za`.`account_id` WHERE `a`.`name`='{$username}' AND `a`.`password`='{$password}' AND `a`.`email`='{$email}' LIMIT 1;");
+				if ($user !== false) {
+					// Found user
+					$recoverylink = $config['site_url'] . '/recovery.php?a='.$user['id'].'&k='.$user['activekey'];
+					$mailer = new Mail($config['mailserver']);
+					$title = $config['site_title'].": Remove Two-Factor Authentication link";
+					$body = "<h1>Remove Two-Factor Authentication</h1>";
+					$body .= "<p>If you really want to remove Two-Factor Authentication, click on the following link:<br>";
+					$body .= "<a href='$recoverylink' target='_BLANK'>$recoverylink</a><br>";
+					$body .= "Enjoy your stay at ".$config['mailserver']['fromName'].". <br>";
+					$body .= "<hr>I am an automatic no-reply e-mail. Any emails sent back to me will be ignored.</p>";
+					$mailer->sendMail($email, $title, $body, $user['name']);
+					?>
+					<h1>Confirm your action through email</h1>
+					<p>We have sent a confirmation link to <b><?php echo $email; ?></b>.</p>
+					<p>You must click the link before we remove Two-factor authentication.</p>
+					<p>If you can't find the email within 5 minutes, check your junk/trash inbox as it may be mislocated there.</p>
+					<?php
+				} else {
+					// Wrong submitted info
+					?>
+					<h1>Account recovery failed!</h1>
+					<p>Submitted data is wrong.</p>
+					<?php
+				}
+
+
 			}
 		} else echo "Captcha image verification was submitted wrong.";
 	} else {
-		?>
-		<h1>Account Recovery</h1>
-		<!-- HTML code -->
-		<?php
-		if (in_array($mode, array('username', 'password'))) {
-			?>
-			<form action="" method="POST">
-				<label for="email">Email:</label><input type="text" name="email" placeholder="name@mail.com"><br>
-				<label for="Character">Character: </label><input type="text" name="character"><br>
+		
+		$a = (isset($_GET['a']) && !empty($_GET['a'])) ? (int)$_GET['a'] : false;
+		$k = (isset($_GET['k']) && !empty($_GET['k'])) ? (int)$_GET['k'] : false;
+
+		// Remove Two-Factor Authentication
+		if ($a !== false && $k !== false) {
+			$account = mysql_select_single("SELECT `a`.`id`, `a`.`secret`, `za`.`secret` FROM `accounts` AS `a` INNER JOIN `znote_accounts` AS `za` ON `a`.`id`=`za`.`account_id` WHERE `a`.`id`='$a' AND `za`.`activekey`='$k' LIMIT 1;");
+			if ($account !== false) {
+				mysql_update("UPDATE `accounts` SET `secret`=NULL WHERE `id`='$a' LIMIT 1;");
+				mysql_update("UPDATE `znote_accounts` SET `secret`=NULL WHERE `account_id`='$a' LIMIT 1;");
+				?>
+				<h1>Two-Factor Authentication disabled.</h1>
+				<p>You may now login with just your username and password.</p>
 				<?php
-				if ($mode === 'password') echo '<label for="username">Username:</label> <input type="text" name="username"><br>';
-				else echo '<label for="password">Password:</label> <input type="password" name="password"><br>';
-				if ($config['use_captcha']) {
+			} else {
+				?>
+				<h1>Failed verify your request.</h1>
+				<p>We are unable to authenticate your account.</p>
+				<?php
+			}
+		} else { // Regular view
+			?>
+			<h1>Account Recovery</h1>
+			<!-- HTML code -->
+			<?php
+			if (in_array($mode, array('username', 'password', 'token'))) {
+				?>
+				<form action="" method="POST">
+					<label for="email">Email:</label><input type="text" name="email" placeholder="name@mail.com"><br>
+					<label for="Character">Character: </label><input type="text" name="character"><br>
+					<?php
+					
+					if ($mode === 'password') {
+						echo '<label for="username">Username:</label> <input type="text" name="username"><br>';
+					} elseif ($mode === 'password') {
+						echo '<label for="password">Password:</label> <input type="password" name="password"><br>';
+					} elseif ($mode === 'token') {
+						echo '<label for="username">Username:</label> <input type="text" name="username"><br>';
+						echo '<label for="password">Password:</label> <input type="password" name="password"><br>';
+					}
+
+					if ($config['use_captcha']) {
+						?>
+							<b>Write the image symbols in the text field to verify that you are a human:</b>
+							<img id="captcha" src="captcha/securimage_show.php" alt="CAPTCHA Image" /><br>
+							<input type="text" name="captcha_code" size="10" maxlength="6" />
+							<a href="#" onclick="document.getElementById('captcha').src = 'captcha/securimage_show.php?' + Math.random(); return false">[ Different Image ]</a><br><br>
+						<?php
+					}
 					?>
-						<b>Write the image symbols in the text field to verify that you are a human:</b>
-						<img id="captcha" src="captcha/securimage_show.php" alt="CAPTCHA Image" /><br>
-						<input type="text" name="captcha_code" size="10" maxlength="6" />
-						<a href="#" onclick="document.getElementById('captcha').src = 'captcha/securimage_show.php?' + Math.random(); return false">[ Different Image ]</a><br><br>
+					<input type="submit" value="Recover Account">
+				</form>
+				<?php
+			} else {
+				if ($config['twoFactorAuthenticator']) {
+					?>
+					<p>Do you wish to recover your <a href="?mode=username">username</a>, <a href="?mode=password">password</a> or remove <a href="?mode=token">Two-factor authentication</a>?</p>
+					<?php
+				} else {
+					?>
+					<p>Do you wish to recover your <a href="?mode=username">username</a> or <a href="?mode=password">password</a>?</p>
 					<?php
 				}
-				?>
-				<input type="submit" value="Recover Account">
-			</form>
-			<?php
-		} else {
-			?>
-			<p>Do you wish to recover your <a href="?mode=username">username</a> or <a href="?mode=password">password</a>?</p>
-			<?php
+			}
 		}
 	}
 } else {
diff --git a/register.php b/register.php
index 3e51c65..6507848 100644
--- a/register.php
+++ b/register.php
@@ -86,7 +86,7 @@ if (isset($_GET['success']) && empty($_GET['success'])) {
 		?>
 		<h1>Email authentication required</h1>
 		<p>We have sent you an email with an activation link to your submitted email address.</p>
-		<p>If you can't find the email within 5 minutes, check your junk/trash inbox as it may be mislocated there.</p>
+		<p>If you can't find the email within 5 minutes, check your <strong>junk/trash inbox (spam filter)</strong> as it may be mislocated there.</p>
 		<?php
 	} else echo 'Congratulations! Your account has been created. You may now login to create a character.';
 } elseif (isset($_GET['authenticate']) && empty($_GET['authenticate'])) {
@@ -94,11 +94,14 @@ if (isset($_GET['success']) && empty($_GET['success'])) {
 	$auid = (isset($_GET['u']) && (int)$_GET['u'] > 0) ? (int)$_GET['u'] : false;
 	$akey = (isset($_GET['k']) && (int)$_GET['k'] > 0) ? (int)$_GET['k'] : false;
 	// Find a match
-	$user = mysql_select_single("SELECT `id` FROM `znote_accounts` WHERE `account_id`='$auid' AND `activekey`='$akey' AND `active`='0' LIMIT 1;");
+	$user = mysql_select_single("SELECT `id`, `active` FROM `znote_accounts` WHERE `account_id`='$auid' AND `activekey`='$akey' LIMIT 1;");
 	if ($user !== false) {
 		$user = $user['id'];
+		$active = $user['active'];
 		// Enable the account to login
-		mysql_update("UPDATE `znote_accounts` SET `active`='1' WHERE `id`='$user' LIMIT 1;");
+		if ($active == 0) {
+			mysql_update("UPDATE `znote_accounts` SET `active`='1' WHERE `id`='$user' LIMIT 1;");
+		}
 		echo '<h1>Congratulations!</h1> <p>Your account has been created. You may now login to create a character.</p>';
 	} else {
 		echo '<h1>Authentication failed</h1> <p>Either the activation link is wrong, or your account is already activated.</p>';