Merge branch 'develop' into feature/2fa

New Setting: block create account spam by ip
Update create.php
2026-02-07 13:46:22 +01:00 · 2026-02-06 20:28:54 +01:00 · 2026-02-06 20:26:14 +01:00 · 2026-02-06 20:20:49 +01:00 · 2026-01-31 21:46:55 +01:00 · 2026-01-31 21:41:22 +01:00
266 changed files with 7972 additions and 6835 deletions
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -1,9 +1,9 @@
 name: Cypress
 on:
  pull_request:
-    branches: [main]
+    branches: [develop]
  push:
-    branches: [main]
+    branches: [develop]

 jobs:
  cypress:
@@ -22,8 +22,8 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        php-versions: [ '8.1', '8.2', '8.3', '8.4' ]
-        ots: ['tfs-1.4', 'canary-3.1.2'] # TODO: add 'tfs-master' (actually doesn't work cause AAC doesn't support reading .env configuration)
+        php-versions: [ '8.1', '8.2', '8.3', '8.4', '8.5' ]
+        ots: ['tfs-1.4', 'canary-3.1.2', 'tfs-0.3'] # TODO: add 'tfs-master' (actually doesn't work cause AAC doesn't support reading .env configuration)
    name: Cypress (PHP ${{ matrix.php-versions }}, ${{ matrix.ots }})
    steps:
        - name: 📌 MySQL Start & init & show db
@@ -58,6 +58,14 @@ jobs:
            ref: master
            path: ots

+        - name: Checkout TFS 0.3
+          uses: actions/checkout@v4
+          if: matrix.ots == 'tfs-0.3'
+          with:
+              repository: otland/tfs-old-svn
+              ref: 0.3
+              path: ots
+
        - name: Checkout Canary
          uses: actions/checkout@v4
          if: matrix.ots == 'canary-3.1.2'
@@ -67,9 +75,15 @@ jobs:
            path: ots

        - name: Import OTS Schema
+          if: matrix.ots != 'tfs-0.3'
          run: |
              mysql -uroot -proot myaac < ots/schema.sql

+        - name: Import OTS Schema (TFS 0.3)
+          if: matrix.ots == 'tfs-0.3'
+          run: |
+              mysql -uroot -proot myaac < ots/schemas/mysql.sql
+
        - name: Rename config.lua
          run: mv ots/config.lua.dist ots/config.lua

@@ -109,6 +123,33 @@ jobs:
              regex: false
              include: 'ots/config.lua'

+        - name: Replace mysqlPass (TFS 0.3.6pl1)
+          uses: jacobtomlinson/gha-find-replace@v3
+          if: matrix.ots == 'tfs-0.3'
+          with:
+              find: 'sqlType = "sqlite"'
+              replace: 'sqlType = "mysql"'
+              regex: false
+              include: 'ots/config.lua'
+
+        - name: Replace mysqlPass (TFS 0.3.6pl1)
+          uses: jacobtomlinson/gha-find-replace@v3
+          if: matrix.ots == 'tfs-0.3'
+          with:
+              find: 'sqlPass = ""'
+              replace: 'sqlPass = "root"'
+              regex: false
+              include: 'ots/config.lua'
+
+        - name: Replace mysqlDatabase (Canary)
+          uses: jacobtomlinson/gha-find-replace@v3
+          if: matrix.ots == 'tfs-0.3'
+          with:
+              find: 'sqlDatabase = "theforgottenserver"'
+              replace: 'sqlDatabase = "myaac"'
+              regex: false
+              include: 'ots/config.lua'
+
        - name: Setup PHP
          uses: shivammathur/setup-php@v2
          with:
--- a/.github/workflows/phplint.yml
+++ b/.github/workflows/phplint.yml
@@ -1,9 +1,9 @@
 name: PHP Linting
 on:
  pull_request:
-    branches: [main]
+    branches: [develop]
  push:
-    branches: [main]
+    branches: [develop]

 jobs:
  phplint:
--- a/.github/workflows/phpstan.yml
+++ b/.github/workflows/phpstan.yml
@@ -2,9 +2,9 @@ name: "PHPStan"

 on:
  pull_request:
-    branches: [main]
+    branches: [develop]
  push:
-    branches: [main]
+    branches: [develop]

 jobs:
  tests:
@@ -14,7 +14,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        php-versions: [ '8.1', '8.2', '8.3', '8.4' ]
+        php-versions: [ '8.1', '8.2', '8.3', '8.4', '8.5' ]
    steps:
      - name: "Checkout"
        uses: "actions/checkout@v4"
@@ -25,7 +25,7 @@ jobs:
          coverage: "none"
          extensions: "intl, zip"
          ini-values: "memory_limit=-1"
-          php-version: "${{ matrix.php-version }}"
+          php-version: "${{ matrix.php-versions }}"

      - name: Get composer cache directory
        id: composer-cache
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,7 @@ Thumbs.db

 #
 /.htaccess
-lua
+/lua

 # composer
 composer.phar
@@ -24,6 +24,7 @@ releases
 tmp

 config.local.php
+config2.local.php

 # all custom templates
 templates/*
--- a/CHANGELOG-1.x.md
+++ b/CHANGELOG-1.x.md
@@ -1,5 +1,203 @@
 # Changelog

+## [1.8.8 - 31.01.2026]
+### Added
+* Change Comment: Add missing hooks - patched from 0.8 (https://github.com/slawkens/myaac/commit/a60a23b84f61d41d1503073b52e01e3120f6d92a)
+
+### Changed
+* Account Manage: Change the last login to the correct login time – Instead of just "now" (https://github.com/slawkens/myaac/commit/5b841682cdc473b38ef1a5edfcfe1a020802e286)
+* Twig: Extract renderInline(content, context) as a method to $twig (https://github.com/slawkens/myaac/commit/5e4806f891f8c88c37d45b89bbede23afc2fa37b)
+* Mail: Remove HTML tags from the email function (https://github.com/slawkens/myaac/commit/6661c78dac69c6aa498b9c79fe7da4fe0150e5c8)
+
+### Fixed
+* Forum: Fix XSS in board name (https://github.com/slawkens/myaac/commit/e52d9e486f5bf1dea867f59287f70aef3d538189, https://github.com/slawkens/myaac/commit/6db738a87c44b8d96919191ba5e661c32ab47457)
+* Forum: Fix edit_post, despite being an author, edit didn't work (https://github.com/slawkens/myaac/commit/e8b47429e8c607c2662a78b65415dfa772aa0e48)
+* Forum: Fix a player link in the forum thread being not clickable (When outfits are enabled) (https://github.com/slawkens/myaac/commit/f640ca636f34cd2dfc1fa8de6fdbed0674908b30)
+* Settings: Fix variable overlapping if the same var name as in core (https://github.com/slawkens/myaac/commit/c2415e9df3a5ffaf768f6f9668bdd38b5efd0771)
+* Settings: fix show_if for the selects (https://github.com/slawkens/myaac/commit/8dcbb66753914322706216cfd01436eb1478a5ce)
+
+## [1.8.7 - 04.01.2026]
+
+### Fixed
+* Fixed [player/guild/house] bb code in forum (https://github.com/slawkens/myaac/commit/8ec9bf10682c73f1fe40967a106ccda2a5073ed0)
+
+### Changed
+* Settings: better responsiveness on mobile (https://github.com/slawkens/myaac/commit/c65d4e4b62ef26fb4e24ecb1d2bcc4556d746adf)
+* Signatures: Return 404 when the signature player is not found (https://github.com/slawkens/myaac/commit/7e6480b380799add7a2b1b7ce1d3c1f2b6819ff1)
+
+### Removed
+* Remove setting: outfit_images_wrong_looktypes - is obsolete, the bug doesn't exist in the latest outfit images (https://github.com/slawkens/myaac/commit/cc220bedc1f01535eaac23f6961135e2e7a6e310)
+
+## [1.8.6 - 14.12.2025]
+
+### Added
+* Added hook for adding custom rules to validate new character name (https://github.com/slawkens/myaac/commit/8e6749c59984631288e8e9803819b2f0ff389761)
+
+### Fixed
+* Highscores: Fix ordering by different skills (Adjust order by desc: skill_tries, manaspent, experience) - More exact results (https://github.com/slawkens/myaac/commit/c86257e6dacbad773aa09c0958eeaa106a967f2d)
+* Fix exception shown on first install, when there is no vendor - Before it displayed 500 white page, now it display the exception (https://github.com/slawkens/myaac/commit/18a1178e4b93607a350259679e0366cb83fb4126)
+* Fix typo $up -> $down, in migration nr 7, was failing due that (https://github.com/slawkens/myaac/commit/fd74f01291d0e9cdb92ee1b95021c9d7b591ad7c)
+
+### Changed
+* Ini set html_errors = 0, to show html code in exceptions (https://github.com/slawkens/myaac/commit/9ed06782e67772826d927ad847a077b99df5060d)
+
+## [1.8.5 - 21.11.2025]
+
+### Added
+* New Setting: Account Countries Most Popular (https://github.com/slawkens/myaac/commit/946364f59d7cd01472877108ab27ec78fb28307a)
+
+### Changed
+* Status: Write to status-error.log if there is connection error (https://github.com/slawkens/myaac/commit/780d4ccef741c1dd45a00bfc121fba9f1a175313)
+* Settings: escapeHtml in values (support for html code) (https://github.com/slawkens/myaac/commit/5861efdbe900ccd35309913af0c0a5f3d4cdc1a8)
+* News Page: Don't display hidden news for admin - it's confusing (https://github.com/slawkens/myaac/commit/175e97828b9a08ec3080cc8d3fb4eb3f1c08649f)
+* Plugins System: Add plugin:remove + plugin:delete as alias for plugin:uninstall + plugin:activate/deactivate (https://github.com/slawkens/myaac/commit/6367054487368c92741bfd1dc7c70c52aea9ee87, https://github.com/slawkens/myaac/commit/baec6c9ebf5c342b3b2f7123427c6ba21dbb93bc)
+
+### Fixed
+* Status: Fix $status['uptimeReadable'], was totally wrong (https://github.com/slawkens/myaac/commit/0a6d44bf21417562491aabc93543a2bc3a44b2df)
+* Guilds: Detect "deletion" column in guilds show/delete (https://github.com/slawkens/myaac/commit/6775a061bebc9ff449522f0173556d4a7a44fa5e, https://github.com/slawkens/myaac/commit/603d860b56bc7418db09e206f40aa06d0682c00e)
+* General: Ensure some cache folders & index.html exists (https://github.com/slawkens/myaac/commit/730a0f29124811f525207c24c06eb0d088fa3434)
+
+## [1.8.4 - 27.10.2025]
+
+### Changed
+* Reimport myaac_ tables on every install, this fixes errors when one table is missing or is duplicated (https://github.com/slawkens/myaac/commit/2580edadf84779f09fd395c21f92019b2c762f83)
+* Use custom env init on migrate, migrate:run and migrate:to (https://github.com/slawkens/myaac/commit/13ea68cc0c9349380c8e4051d702a6c2c8256f44, https://github.com/slawkens/myaac/commit/07fd034fe4cb0ffdb88667b1e400f414d0c6d06f)
+
+### Fixed
+* Show if there is mysql error on import schema (https://github.com/slawkens/myaac/commit/44110a9496b4385e42c31b75de301037e711b6c3)
+* Fix the premium checks, introduced in v1.8.3 (https://github.com/slawkens/myaac/commit/9d92a11fb7cb6d7a1619d79c12faaa0b1c01f980)
+
+## [1.8.3 - 21.10.2025]
+
+### Added
+* Feature: resend email verify (https://github.com/slawkens/myaac/commit/fe821c58085483e70491dcf76376ad5b96de3fdd)
+* New config: hooks_debug (To view where hooks are located in .twig files) (https://github.com/slawkens/myaac/commit/8c3cb0e06f9709c1de3398b48221241e7cbdd310)
+* Functions: Add db->getColumnInfo(table, column) (https://github.com/slawkens/myaac/commit/c898fe25efff6793a01d11c26fc153cb23fcb858)
+* Plugins: Add option to use ?subtopic=x for plugins pages (https://github.com/slawkens/myaac/commit/97f9d3d6f6c28aef6d824973058d7133f56e09c4)
+* getTopPlayers() Function - Add lookmount & promotion (https://github.com/slawkens/myaac/commit/2da0024c68f1cedc38a16ebbc6f52ffa55e65f7a, https://github.com/slawkens/myaac/commit/901df48d134079d648a18f9d82b60182e818ac02)
+* New hooks for account/change-password (https://github.com/slawkens/myaac/commit/470555f2687809a0c12491bbb27597e64b8929c1)
+
+### Changed
+* Feature: show vip days in account management (https://github.com/slawkens/myaac/commit/c88b08eb1ec1f560cbfdaaa16b24e3a0f26da7b3, by @andreoam)
+* Allow links in error_box.html.twig (https://github.com/slawkens/myaac/commit/9acad15451071639acf7a7d4e81619b0a9742b12)
+* Canary - Comment code to update lastday in login.php (https://github.com/slawkens/myaac/commit/38902c30d114fdbce259467f5820f97037b393e9)
+* Cache::remember $ttl = -1 = infinite (https://github.com/slawkens/myaac/commit/64acf70d3854182d88aaf0b67f77cea2a254f179)
+
+### Fixed
+* Online - Allow for html code (example - img) in online_datacenter (https://github.com/slawkens/myaac/commit/3bb272ebbbd2eb7769d174b7082061d14a17bd44)
+* Guilds - Fix guild create with freePremium enabled (https://github.com/slawkens/myaac/commit/c91bb5d4097647dca2196d3dea87bc90c89181d2)
+* Canary - Fix premDays count (https://github.com/slawkens/myaac/commit/3e61692780d4add93b7b0e9f12f7a283bd8f4b7a)
+* Template Change: Ignore set last visit for AJAX pages - Fixes template change redirect (https://github.com/slawkens/myaac/commit/89fae38caa7e4f645957fcf1a9330a36358ac04f)
+* Admin Panel - Accounts: Fix lastip v6 (TFS master) (https://github.com/slawkens/myaac/commit/f54b1bdd2af4c16c64ddff0e87a6c96bc4cf9eeb)
+* Functions - Prevent injection in $db->hasColumn (https://github.com/slawkens/myaac/commit/56bd7ec5ed904666074492f2e4f13e4fce226bee)
+* Compat Config: Add missing config: email_lai_sec_interval (https://github.com/slawkens/myaac/commit/2eae44e0755e624a91be68b4d1ec26d01eb4d9a1)
+
+## [1.8.2 - 26.09.2025]
+
+### Added
+* Routes: Possibility to override routes with plugins pages, like characters.php - No need to define routes in plugin.json anymore (https://github.com/slawkens/myaac/commit/3f24f961b1cdeff5c60387e837ae454448bc5e1b)
+
+### Changed
+* Style: Better look for myaac-table (https://github.com/slawkens/myaac/commit/a6032093b21e5bb3f0e75d2704da87d6dea6469d, https://github.com/slawkens/myaac/commit/5aa9bbf1c8e580d973ec82ac012489f8e7bc437e)
+
+### Fixed
+* Install: Fix when config.local.php cannot be saved (https://github.com/slawkens/myaac/commit/4eab805d26d8c5562b29ed699769919d77dabced)
+* Create Account: Fix an exception when email cannot be sent (https://github.com/slawkens/myaac/commit/d0112d1a67e8b854b65ad131f0375b79305df8d3)
+* Login Page: Add missing csrf() - fix create account button (https://github.com/slawkens/myaac/commit/3c0cb53e17dd0b85394cfa0fdc9cf9ad8d4551df)
+* tibiacom template: Fix account lost menu (https://github.com/slawkens/myaac/commit/ed9beaf2b6ca069e304e569c52e5b9188b58f05c)
+* tibiacom template: Fix Menu div wrong tag/closing (#329) (https://github.com/slawkens/myaac/commit/85e7005fd3f0be51466151a3c122b96085fdfe68)
+* tibiacom template: Replace firstChild with firstElementChild (Thanks to @un000000) (https://github.com/slawkens/myaac/commit/df7b6e29fb8875da97f431468c81ee99116271d9)
+
+## [1.8.1 - 05.09.2025]
+
+### Added
+* New Commands: plugin:enable/disable/uninstall {plugin-name} (https://github.com/slawkens/myaac/commit/7a08f91d3fc0897c1ff76089ef3c649a2c6d2003, https://github.com/slawkens/myaac/commit/fec773ba4b740f35c0a3ef92ca8444a4c7d02082)
+* Gifts: Added Transferable Coins to the store dropdown menu in the admin area (by @andreoam, #321) (https://github.com/slawkens/myaac/commit/42671c5c199dd9e91c774d8c9d30da9e12f1b695)
+
+### Changed
+* Commands: Allow settings to be changed/reset by plugin name (https://github.com/slawkens/myaac/commit/f8c4332e03e838d285ea0afb4b72b7c23e324d45, https://github.com/slawkens/myaac/commit/4b948e9510f7ba69d00f84d7fdaea8b3bf05b630)
+* Templates: Menus should be saved for each template separately (https://github.com/slawkens/myaac/commit/482f4067b2a2e7513d9ba214274a361ffaf123d8)
+
+### Fixed
+* Online: Fix skulls display (#320) (https://github.com/slawkens/myaac/commit/98073a110ae13f9592ec9d2c4d1d1aace87587a9)
+* Online: Fix if there is no world_id in the server_record table (https://github.com/slawkens/myaac/commit/b6e1620f14c20eecfc9001a7d86dfb67942985c6) (Reported by @gesior in #318)
+* tibiacom: some fixes to menus (https://github.com/slawkens/myaac/commit/20f99903ae80c74ad66c1cf5a5ea8d0b0fc2fd70, https://github.com/slawkens/myaac/commit/11dae90fa94fbbf47447017db5e5847c33d6aadf)
+* Guilds: Fix for some servers that don't have guild_invites table (https://github.com/slawkens/myaac/commit/9725a3c2bdb7003f5cb48febb77604c31a9b805b)
+
+## [1.8 - 02.08.2025]
+
+### Added
+* Templates - Kathrine: Possibility to add custom menu categories (https://github.com/slawkens/myaac/commit/ec11c1402417c25980582467546d1c1e9bb8267f)
+* Admin Panel - Accounts Editor: Add Coins Transferable (https://github.com/slawkens/myaac/commit/45d6047031c9c3a0e7e512dc5d15c75629aec5a2, https://github.com/slawkens/myaac/commit/bb097b69ce106500a49686d6f4fe604348eaa310)
+* Highscores:
+  * Revamped: (https://github.com/slawkens/myaac/commit/d8132d4d76e03d5aa0c042be426320655a601392)
+    * Show real rank, if 2 or more players have the same skill, show them with same rank
+    * New setting: highscores_online_status
+    * Additional fields passed to twig: updatedAt, totalResults, page, baseLink
+  * Add new Setting: Display Skills Box (https://github.com/slawkens/myaac/commit/36ca755243ef1c83f6ac87465b426d4d8d3b0bb9)
+* Functions: Add getExperienceForLevel (level) (https://github.com/slawkens/myaac/commit/1566deb84a082176b8c683fda205d828bc38fbcc)
+* Commands - cache:clear : Add warning about APCu clear in CLI (https://github.com/slawkens/myaac/commit/83f84172e02e8ea2ccb6dca29bc033e44c35aebc)
+* Models - PlayerOnline: Add missing $fillable into model (https://github.com/slawkens/myaac/commit/43415cf35db1c1307f2684c1728693d65065ffff)
+* Twig: add cache variable (https://github.com/slawkens/myaac/commit/0efe47ce71c4b364a9e96bc5a55b1655326ae6da)
+
+### Changed
+* pages/online: add cache, resulting in 20x performance boost
+  * (for an example server with 2k players) (https://github.com/slawkens/myaac/commit/c8363086015cbb6e8786c398c7b9ac3959a26ec4)
+* Admin Bar: Move admin bar code into body_start place_holder (https://github.com/slawkens/myaac/commit/f17269e44ce9dd38447bd2e2a8e1bdb065d4161f)
+* Cache::remember: $ttl = 0 means no cache (https://github.com/slawkens/myaac/commit/3b47e9df2f4051807c5ff87892f7fa3d348f9c55)
+* Templates: Load config.ini with $process_sections set to true (https://github.com/slawkens/myaac/commit/a89f9a84847630eb75b4890fdcc8b7a7bfa6b8ac)
+* Twig: Allow for timestamp as integer in the timeago twig function
+  (https://github.com/slawkens/myaac/commit/34fead906ea13b9f09d7a3c41ed88109d34d386c)
+
+### Fixed
+* Settings: Fixed two exceptions (https://github.com/slawkens/myaac/commit/6e5a4ff8c78ff5373aba091baa66cae029557643, https://github.com/slawkens/myaac/commit/20d69a641c0a933d14889a89da6d32f6a4bc6c7d)
+* Models\Account + OTS_Account -> isPremium -> ignore config.freePremium (https://github.com/slawkens/myaac/commit/5271633bdbfbbfed0b1d59c403093ce6fc2b7d20)
+* Admin Panel - Mailer:
+  * Fix send to email link redirecting from accounts page (https://github.com/slawkens/myaac/commit/080cc2781f034c844af658229e495e9a47fd2298)
+  * Option to send only to verified accounts - only if setting('core.account_mail_verify') enabled (https://github.com/slawkens/myaac/commit/cf7fd20452e863980045bb5d6012ec86c6e8e01f)
+
+### Internal
+* Rewrite to use constants (account transferable coins) (https://github.com/slawkens/myaac/commit/bccf8e056df985bbe1bab5f7ab5492f714d6b62b)
+* Refactor to use HAS_ACCOUNT_COINS (https://github.com/slawkens/myaac/commit/caf326a6584a234775ebc6c8000ea02b3fecd160)
+
+## [1.7.1 - 27.06.2025]
+
+### Changed
+* Rename plugin:install:install to plugin:setup, also add alias to previous command (https://github.com/slawkens/myaac/commit/13d33822b59df349199e885a78a3d6beb0863d0b)
+
+### Fixed
+* Fix commands: setup + cache:clear (https://github.com/slawkens/myaac/commit/0da524fefe93b3028392e9014550eea3324d3a22, https://github.com/slawkens/myaac/commit/fe8281594e989f00280ba1adc734a9198c6b5cc1)
+* Fix polls link in tibiacom template (https://github.com/slawkens/myaac/commit/d90fa323d7c77d81768df60feeb1c374b1650a0c)
+
+## [1.7 - 22.06.2025]
+
+### Added
+* Feature: plugins versions check (#310)
+* New hooks: HOOK_ACCOUNT_MANAGE_AFTER_CHARACTERS, HOOK_GUILDS_AFTER_MANAGE_BUTTON (https://github.com/slawkens/myaac/commit/c074a48f245df55646b6705737f667b6a84149b2, https://github.com/slawkens/myaac/commit/e6100a1b72de8695bba1dae9ba4e28bfdce47b10)
+* Add OTS_Toolbox::getVocationName(id, promotion) + OTS_Player->isNameLocked() (https://github.com/slawkens/myaac/commit/e222957893c4a1de0dc8dbba55bce1a43418d275, https://github.com/slawkens/myaac/commit/522f6c11d835afd36fd07a07074d96d7e219b488)
+* Add missing csrf in more places, causing white page with error about Request (https://github.com/slawkens/myaac/commit/dca904e61d21d856bf809070e7652803a2df0f58, https://github.com/slawkens/myaac/commit/c720ccc451ff90ef40b2a1595468d061ffd7e1e4)
+
+### Changed
+* Revamped online page (https://github.com/slawkens/myaac/commit/9a90e4aae280e607430511c6727d9a714b11f4c5, https://github.com/slawkens/myaac/commit/4767120043b09141870383e249f3729638d53dc2)
+* Better $title inventing (https://github.com/slawkens/myaac/commit/0c95bcfd06b68b21512e477646ef7bd3a0d4912b)
+
+### Fixed
+* Use apcu cache clear (https://github.com/slawkens/myaac/commit/b329da52aae9d0e21120a6444d3caf442420ce50, https://github.com/slawkens/myaac/commit/566c2a9151ab6392286f74e26853faa19a1b4f24)
+* fix: boostedcreatures for 13.40 (by @GooseWithAKnife) (#307)
+
+## [1.6.1 - 11.06.2025]
+
+### Fixed
+* Fixed "Request has been cancelled due to security reasons", cause of missing csrf() in twig files (https://github.com/slawkens/myaac/commit/10cd71a6630ffec91b43a26a6d685b66c5836a6a)
+* Fix: Ignore duplicated route exception (https://github.com/slawkens/myaac/commit/9d8e9d27bd87167d8d4005942a6af62bfe4c0892)
+
+### Changed
+* Move counter & visitors code before router (In case someone wants to include that info on page) (https://github.com/slawkens/myaac/commit/f78285030708ad3c74ab048711f73bbf3ee5281e)
+* Set TinyMCE license key to gpl (Avoid warning message in browser console) (https://github.com/slawkens/myaac/commit/8d29fdb98b92dbc3d2853ef88a185c67036b4a77)
+
+### Removed
+* Remove deprecated TinyMCE plugin - template (https://github.com/slawkens/myaac/commit/309c1fb715b882e67cb673b1544a03befbf64a22)
+
 ## [1.6 - 03.06.2025]

 ### Added
--- a/CHANGELOG-2.x.md
+++ b/CHANGELOG-2.x.md
@@ -0,0 +1,21 @@
+## [2.0-dev - x.x.2025]
+
+### Added
+* Add an "access" option to Menus (#340)
+	* Possibility to hide menus for unauthorized users
+* Add the possibility to fetch skills in the getTopPlayers function (#347)
+
+### Changed
+* Better handling of vocations: (#345)
+  * Load from vocations.xml (No need to manually set)
+  * Support for Monk vocation
+* Better gallery, loads images from images/gallery folder
+* Reworked account action logs to use a single IP column as varchar(45) for both ipv4 and ipv6 (#289)
+* Admin Panel: save menu collapse state (https://github.com/slawkens/myaac/commit/55da00520df7463a1d1ca41931df1598e9f2ffeb)
+
+### Internal
+* Refactor account/lost pages (#326)
+* Refactor OTS_Player to support more distros (#348)
+* Refactor PHP cache to store expiration and improve typing (https://github.com/slawkens/myaac/commit/96b8e00f4999f8b4c4c97b54b97d91c6fd7df298)
+* Move forum show_board code to Twig (https://github.com/slawkens/myaac/commit/e0e0e467012a5fb9979cc4387af6bad1d4540279)
+* Save db cache only if it has changed (https://github.com/slawkens/myaac/commit/11cb1cf97e74f3bccf59360e1efb800a426b3d43)
--- a/4
+++ b/4
@@ -25,7 +25,9 @@ foreach ($commandsGlob as $item) {
 	}

 	$commandPre = '\\MyAAC\Commands\\';
-	$application->add(new ($commandPre . $name));
+	if (!trait_exists($class = $commandPre . $name)) {
+		$application->add(new $class);
+	}
 }

 $pluginCommands = Plugins::getCommands();
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -9,6 +9,7 @@
 */

 use MyAAC\Models\Account as AccountModel;
+use MyAAC\Models\AccountAction;
 use MyAAC\Models\Player;

 defined('MYAAC') or die('Direct access not allowed!');
@@ -26,7 +27,6 @@ if (setting('core.account_country'))
 $nameOrNumberColumn = getAccountIdentityColumn();

 $hasSecretColumn = $db->hasColumn('accounts', 'secret');
-$hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
 $hasTypeColumn = $db->hasColumn('accounts', 'type');
 $hasGroupColumn = $db->hasColumn('accounts', 'group_id');
@@ -137,10 +137,17 @@ else if (isset($_REQUEST['search'])) {
 				$errors['email'] = Validator::getLastError();

 			// tibia coins
-			if ($hasCoinsColumn) {
+			if (HAS_ACCOUNT_COINS) {
 				$t_coins = $_POST['t_coins'];
 				verify_number($t_coins, 'Tibia coins', 12);
 			}
+
+			// transferable tibia coins
+			if (HAS_ACCOUNT_COINS_TRANSFERABLE || HAS_ACCOUNT_TRANSFERABLE_COINS) {
+				$t_coins_transferable = $_POST['t_coins_transferable'];
+				verify_number($t_coins_transferable, 'Transferable Tibia coins', 12);
+			}
+
 			// prem days
 			$p_days = (int)$_POST['p_days'];
 			verify_number($p_days, 'Prem days', 11);
@@ -176,33 +183,7 @@ else if (isset($_REQUEST['search'])) {
 					$account->setName($name);
 				}

-				if ($hasTypeColumn) {
-					$account->setCustomField('type', $group);
-				} elseif ($hasGroupColumn) {
-					$account->setCustomField('group_id', $group);
-				}
-
-				if ($hasSecretColumn) {
-					$account->setCustomField('secret', $secret);
-				}
-				$account->setCustomField('key', $key);
 				$account->setEMail($email);
-				if ($hasCoinsColumn) {
-					$account->setCustomField('coins', $t_coins);
-				}
-
-				$lastDay = 0;
-				if($p_days != 0 && $p_days != OTS_Account::GRATIS_PREMIUM_DAYS) {
-					$lastDay = time();
-				} else if ($lastDay != 0) {
-					$lastDay = 0;
-				}
-
-				$account->setPremDays($p_days);
-				$account->setLastLogin($lastDay);
-				if ($hasPointsColumn) {
-					$account->setCustomField('premium_points', $p_points);
-				}
 				$account->setRLName($rl_name);
 				$account->setLocation($rl_loca);

@@ -210,9 +191,18 @@ else if (isset($_REQUEST['search'])) {
 					$account->setCountry($rl_country);
 				}

-				$account->setCustomField('created', $created);
 				$account->setWebFlags($web_flags);
-				$account->setCustomField('web_lastlogin', $web_lastlogin);
+
+				if (!isCanary()) {
+					$lastDay = 0;
+					if($p_days != 0 && $p_days != OTS_Account::GRATIS_PREMIUM_DAYS) {
+						$lastDay = time();
+					}
+
+					$account->setLastLogin($lastDay);
+				}
+
+				$account->setPremDays($p_days);

 				if (isset($password)) {
 					if (USE_ACCOUNT_SALT) {
@@ -223,12 +213,37 @@ else if (isset($_REQUEST['search'])) {

 					$password = encrypt($password);
 					$account->setPassword($password);
-
-					if (USE_ACCOUNT_SALT)
-						$account->setCustomField('salt', $salt);
 				}

 				$account->save();
+
+				if ($hasTypeColumn) {
+					$account->setCustomField('type', $group);
+				} elseif ($hasGroupColumn) {
+					$account->setCustomField('group_id', $group);
+				}
+
+				if ($hasSecretColumn) {
+					$account->setCustomField('secret', $secret);
+				}
+
+				$account->setCustomField('key', $key);
+
+				if (HAS_ACCOUNT_COINS) {
+					$account->setCustomField('coins', $t_coins);
+				}
+
+				if (HAS_ACCOUNT_COINS_TRANSFERABLE || HAS_ACCOUNT_TRANSFERABLE_COINS) {
+					$account->setCustomField(ACCOUNT_COINS_TRANSFERABLE_COLUMN, $t_coins_transferable);
+				}
+
+				if ($hasPointsColumn) {
+					$account->setCustomField('premium_points', $p_points);
+				}
+
+				$account->setCustomField('created', $created);
+				$account->setCustomField('web_lastlogin', $web_lastlogin);
+
 				echo_success('Account saved at: ' . date('G:i'));
 			}
 		}
@@ -395,12 +410,18 @@ else if (isset($_REQUEST['search'])) {
 										<label for="email">Email:</label><?php echo (setting('core.mail_enabled') ? ' (<a href="' . ADMIN_URL . '?p=mailer&mail_to=' . $account->getEMail() . '">Send Mail</a>)' : ''); ?>
 										<input type="text" class="form-control" id="email" name="email" autocomplete="off" value="<?php echo $account->getEMail(); ?>"/>
 									</div>
-									<?php if ($hasCoinsColumn): ?>
+									<?php if (HAS_ACCOUNT_COINS): ?>
 										<div class="col-12 col-sm-12 col-lg-6">
 											<label for="t_coins">Tibia Coins:</label>
 											<input type="text" class="form-control" id="t_coins" name="t_coins" autocomplete="off" maxlength="11" value="<?php echo $account->getCustomField('coins') ?>"/>
 										</div>
 									<?php endif; ?>
+									<?php if (HAS_ACCOUNT_COINS_TRANSFERABLE || HAS_ACCOUNT_TRANSFERABLE_COINS): ?>
+										<div class="col-12 col-sm-12 col-lg-6">
+											<label for="t_coins_transferable">Transferable Tibia Coins:</label>
+											<input type="text" class="form-control" id="t_coins_transferable" name="t_coins_transferable" autocomplete="off" maxlength="11" value="<?php echo $account->getCustomField(ACCOUNT_COINS_TRANSFERABLE_COLUMN) ?>"/>
+										</div>
+									<?php endif; ?>
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="p_days">Premium Days:</label>
 										<input type="text" class="form-control" id="p_days" name="p_days" autocomplete="off" maxlength="11" value="<?php echo $account->getPremDays(); ?>"/>
@@ -466,9 +487,8 @@ else if (isset($_REQUEST['search'])) {
 									</thead>
 									<tbody>
 										<?php
-											$accountActions = \MyAAC\Models\AccountAction::where('account_id', $account->getId())->orderByDesc('date')->get();
+											$accountActions = AccountAction::where('account_id', $account->getId())->orderByDesc('date')->get();
 											foreach ($accountActions as $i => $log):
-												$log->ip = ($log->ip != 0 ? long2ip($log->ip) : inet_ntop($log->ipv6));
 												?>
 											<tr>
 												<td><?php echo $i + 1; ?></td>
@@ -616,6 +636,7 @@ else if (isset($_REQUEST['search'])) {
 							</div>
 						</form>
 					</div>
+					<?php if (USE_ACCOUNT_NAME): ?>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
 							<?php csrf(); ?>
@@ -626,6 +647,7 @@ else if (isset($_REQUEST['search'])) {
 							</div>
 						</form>
 					</div>
+					<?php endif; ?>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
 							<?php csrf(); ?>
--- a/admin/pages/mailer.php
+++ b/admin/pages/mailer.php
@@ -25,9 +25,10 @@ if (!setting('core.mail_enabled')) {
 	return;
 }

-$mail_to = isset($_POST['mail_to']) ? stripslashes(trim($_POST['mail_to'])) : null;
+$mail_to = isset($_REQUEST['mail_to']) ? stripslashes(trim($_REQUEST['mail_to'])) : null;
 $mail_subject = isset($_POST['mail_subject']) ? stripslashes($_POST['mail_subject']) : null;
 $mail_content = isset($_POST['mail_content']) ? stripslashes($_POST['mail_content']) : null;
+$mail_verified_only = $_POST['mail_verified_only'] ?? false;

 if (isset($_POST['submit'])) {
 	if (empty($mail_subject)) {
@@ -58,14 +59,14 @@ if (!empty($mail_content) && !empty($mail_subject) && empty($mail_to)) {
 	$success = 0;
 	$failed = 0;

-	$add = '';
-	if (setting('core.account_mail_verify')) {
-		note('Note: Sending only to users with verified E-Mail.');
-		$add = ' AND `email_verified` = 1';
+	$query = Account::where('email', '!=', '');
+
+	if ($mail_verified_only) {
+		info('Note: Sending only to users with verified E-Mail.');
+		$query->where('email_verified', 1);
 	}

-	$query = Account::where('email', '!=', '')->get(['email']);
-	foreach ($query as $email) {
+	foreach ($query->get(['email']) as $email) {
 		if (_mail($email->email, $mail_subject, $mail_content)) {
 			$success++;
 		}
@@ -84,5 +85,6 @@ if (!empty($mail_content) && !empty($mail_subject) && empty($mail_to)) {
 $twig->display('admin.mailer.html.twig', [
 	'mail_to' => $mail_to,
 	'mail_subject' => $mail_subject,
-	'mail_content' => $mail_content
+	'mail_content' => $mail_content,
+	'mail_verified_only' => $mail_verified_only,
 ]);
--- a/admin/pages/mass_account.php
+++ b/admin/pages/mass_account.php
@@ -6,6 +6,7 @@
 * @package   MyAAC
 * @author    Slawkens <slawkens@gmail.com>
 * @author    Lee
+ * @author    gpedro
 * @copyright 2020 MyAAC
 * @link      https://my-aac.org
 */
@@ -18,11 +19,10 @@ $title = 'Mass Account Actions';

 csrfProtect();

-$hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
-$freePremium = $config['lua']['freePremium'];
+$freePremium = getBoolean(configLua('freePremium'));

-function admin_give_points($points)
+function admin_give_points($points): void
 {
 	global $hasPointsColumn;

@@ -38,11 +38,9 @@ function admin_give_points($points)
 	displayMessage($points . ' points added to all accounts.', true);
 }

-function admin_give_coins($coins)
+function admin_give_coins($coins): void
 {
-	global $hasCoinsColumn;
-
-	if (!$hasCoinsColumn) {
+	if (!HAS_ACCOUNT_COINS) {
 		displayMessage('Coins not supported.');
 		return;
 	}
@@ -55,7 +53,7 @@ function admin_give_coins($coins)
 	displayMessage($coins . ' coins added to all accounts.', true);
 }

-function admin_give_premdays($days)
+function admin_give_premdays($days): void
 {
 	global $db, $freePremium;

@@ -66,6 +64,7 @@ function admin_give_premdays($days)

 	$value = $days * 86400;
 	$now = time();
+
 	// othire
 	if ($db->hasColumn('accounts', 'premend')) {
 		// append premend
@@ -73,14 +72,11 @@ function admin_give_premdays($days)
 			// set premend
 			if (Account::where('premend', '<=', $now)->update(['premend' => $now + $value])) {
 				displayMessage($days . ' premium days added to all accounts.', true);
-				return;
 			} else {
 				displayMessage('Failed to execute set query.');
-				return;
 			}
 		} else {
 			displayMessage('Failed to execute append query.');
-			return;
 		}

 		return;
@@ -95,20 +91,14 @@ function admin_give_premdays($days)
 				// set lastday
 				if (Account::where('lastday', '<=', $now)->update(['lastday' => $now + $value])) {
 					displayMessage($days . ' premium days added to all accounts.', true);
-					return;
 				} else {
 					displayMessage('Failed to execute set query.');
-					return;
 				}
-
-				return;
 			} else {
 				displayMessage('Failed to execute append query.');
-				return;
 			}
 		} else {
 			displayMessage('Failed to execute set days query.');
-			return;
 		}

 		return;
@@ -121,14 +111,11 @@ function admin_give_premdays($days)
 			// set premium_ends_at
 			if (Account::where('premium_ends_at', '<=', $now)->update(['premium_ends_at' => $now + $value])) {
 				displayMessage($days . ' premium days added to all accounts.', true);
-				return;
 			} else {
 				displayMessage('Failed to execute set query.');
-				return;
 			}
 		} else {
 			displayMessage('Failed to execute append query.');
-			return;
 		}

 		return;
@@ -167,19 +154,20 @@ if (!empty(ACTION) && isRequestMethod('post')) {
 }
 else {
 	$twig->display('admin.tools.account.html.twig', array(
-		'hasCoinsColumn' => $hasCoinsColumn,
+		'hasCoinsColumn' => HAS_ACCOUNT_COINS,
 		'hasPointsColumn' => $hasPointsColumn,
 		'freePremium' => $freePremium,
 	));
 }

-function displayMessage($message, $success = false) {
-	global $twig, $hasCoinsColumn, $hasPointsColumn, $freePremium;
+function displayMessage($message, $success = false): void
+{
+	global $twig, $hasPointsColumn, $freePremium;

 	$success ? success($message): error($message);

 	$twig->display('admin.tools.account.html.twig', array(
-		'hasCoinsColumn' => $hasCoinsColumn,
+		'hasCoinsColumn' => HAS_ACCOUNT_COINS,
 		'hasPointsColumn' => $hasPointsColumn,
 		'freePremium' => $freePremium,
 	));
--- a/admin/pages/menus.php
+++ b/admin/pages/menus.php
@@ -23,6 +23,7 @@ if (!hasFlag(FLAG_CONTENT_MENUS) && !superAdmin()) {
 }

 $pluginThemes = Plugins::getThemes();
+$groups = new OTS_Groups_List();

 if (isset($_POST['template'])) {
 	$template = $_POST['template'];
@@ -32,6 +33,8 @@ if (isset($_POST['template'])) {
 		$post_menu_link = $_POST['menu_link'] ?? [];
 		$post_menu_blank = $_POST['menu_blank'] ?? [];
 		$post_menu_color = $_POST['menu_color'] ?? [];
+		$post_menu_access = $_POST['menu_access'] ?? [];
+
 		if (count($post_menu) != count($post_menu_link)) {
 			echo 'Menu count is not equal menu links. Something went wrong when sending form.';
 			return;
@@ -50,6 +53,7 @@ if (isset($_POST['template'])) {
 						'link' => $post_menu_link[$category][$i],
 						'blank' => $post_menu_blank[$category][$i] == 'on' ? 1 : 0,
 						'color' => str_replace('#', '', $post_menu_color[$category][$i]),
+						'access' => $post_menu_access[$category][$i],
 						'category' => $category,
 						'ordering' => $i
 					]);
@@ -122,7 +126,7 @@ if (isset($_POST['template'])) {
 	?>
 	<?php
 	$menus = Menu::query()
-		->select('name', 'link', 'blank', 'color', 'category', 'ordering')
+		->select('name', 'link', 'access', 'blank', 'color', 'category', 'ordering')
 		->where('enabled', 1)
 		->where('template', $template)
 		->orderBy('ordering')
@@ -151,11 +155,34 @@ if (isset($_POST['template'])) {
 									foreach ($menus[$id] as $menu):
 										$color = (empty($menu['color']) ? ($cat['default_links_color'] ?? ($config['menu_default_links_color'] ?? ($config['menu_default_color'] ?? '#ffffff'))) : '#' . $menu['color']);
 										?>
-										<li class="ui-state-default" id="list-<?php echo $id ?>-<?php echo $i ?>"><label>Name:</label> <input type="text" name="menu[<?php echo $id ?>][]" value="<?php echo escapeHtml($menu['name']); ?>"/>
-											<label>Link:</label> <input type="text" name="menu_link[<?php echo $id ?>][]" value="<?php echo $menu['link'] ?>"/>
-											<input type="hidden" name="menu_blank[<?php echo $id ?>][]" value="0"/>
-											<label><input class="blank-checkbox" type="checkbox" <?php echo($menu['blank'] == 1 ? 'checked' : '') ?>/><span title="Open in New Window">New Window</span></label>
-											<input class="color-picker" type="text" name="menu_color[<?php echo $id ?>][]" value="<?php echo $color; ?>"/>
+										<li class="ui-state-default" id="list-<?php echo $id ?>-<?php echo $i ?>">
+											<label class="label_menu_name">Name: <input type="text" name="menu[<?php echo $id ?>][]" class="form-control menu-name" value="<?php echo escapeHtml($menu['name']); ?>"/>
+											</label>
+
+											<label class="label_menu_link">Link: <input type="text" name="menu_link[<?= $id ?>][]" class="form-control menu-link" value="<?php echo $menu['link'] ?>"/>
+											</label>
+
+											<br/>
+
+											<div class="menu-options-row">
+
+												<label>Access:
+													<select name="menu_access[<?= $id ?>][]" class="form-control menu-access">
+														<option value="0" <?= ($menu['access'] == 0 ? 'selected' : ''); ?>>Guest*</option>
+														<?php foreach ($groups->getGroups() as $group): ?>
+															<option value="<?= $group->getId(); ?>" <?= ($menu['access'] == $group->getId() ? 'selected' : ''); ?>><?= ucfirst($group->getName()); ?></option>
+														<?php endforeach; ?>
+													</select>
+												</label>
+
+												<label>Color: <input class="menu-color" type="color" name="menu_color[<?php echo $id ?>][]" value="<?php echo $color; ?>"/>
+												</label>
+
+												<input type="hidden" name="menu_blank[<?php echo $id ?>][]" class="menu-blank" value="0"/>
+												<label><input type="checkbox" class="menu-blank-checkbox" <?php echo($menu['blank'] == 1 ? 'checked' : '') ?>/><span title="Open in New Window">New Window</span></label>
+
+											</div>
+
 											<a class="remove-button" id="remove-button-<?php echo $id ?>-<?php echo $i ?>"><i class="fas fa-trash"></a></i></li>
 										<?php $i++; $last_id[$id] = $i;
 									endforeach;
--- a/admin/pages/modules/coins.php
+++ b/admin/pages/modules/coins.php
@@ -6,7 +6,7 @@ defined('MYAAC') or die('Direct access not allowed!');

 $coins = 0;

-if ($db->hasColumn('accounts', 'coins')) {
+if (HAS_ACCOUNT_COINS) {
 	$whatToGet = ['id', 'coins'];
 	if (USE_ACCOUNT_NAME) {
 		$whatToGet[] = 'name';
--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -10,6 +10,7 @@

 use MyAAC\Forum;
 use MyAAC\Models\Player;
+use MyAAC\Server\XML\Vocations;

 defined('MYAAC') or die('Direct access not allowed!');

@@ -34,6 +35,7 @@ $skills = array(
 $hasBlessingsColumn = $db->hasColumn('players', 'blessings');
 $hasBlessingColumn = $db->hasColumn('players', 'blessings1');
 $hasLookAddons = $db->hasColumn('players', 'lookaddons');
+$hasCapColumn = $db->hasColumn('players', 'cap');

 $skull_type = array("None", "Yellow", "Green", "White", "Red", "Black", "Orange");
 ?>
@@ -166,8 +168,11 @@ else if (isset($_REQUEST['search'])) {
 			$town = $_POST['town'];
 			verify_number($town, 'Town', 11);

+			if ($hasCapColumn) {
 				$capacity = $_POST['capacity'];
 				verify_number($capacity, 'Capacity', 11);
+			}
+
 			$sex = $_POST['sex'];
 			verify_number($sex, 'Sex', 1);

@@ -237,7 +242,30 @@ else if (isset($_REQUEST['search'])) {
 				$player->setGroup($groups->getGroup($group));
 				$player->setLevel($level);
 				$player->setExperience($experience);
+
+				if ($db->hasColumn('players', 'promotion')) {
+					$promotion = 0;
+
+					$vocationOriginal = Vocations::getOriginal($vocation);
+					if ($vocation != $vocationOriginal) {
+						$tmpId = $vocationOriginal;
+						while($promoted = Vocations::getPromoted($tmpId)) {
+							$promotion++;
+
+							$tmpId = $promoted;
+							if ($promoted == $vocation) {
+								break;
+							}
+						}
+
+						$vocation = $vocationOriginal;
+					}
+
+					$player->setPromotion($promotion);
+				}
+
 				$player->setVocation($vocation);
+
 				$player->setHealth($health);
 				$player->setHealthMax($health_max);
 				$player->setMagLevel($magic_level);
@@ -249,16 +277,20 @@ else if (isset($_REQUEST['search'])) {
 				$player->setLookHead($look_head);
 				$player->setLookLegs($look_legs);
 				$player->setLookType($look_type);
-				if ($hasLookAddons)
+				if ($hasLookAddons) {
 					$player->setLookAddons($look_addons);
-				if ($db->hasColumn('players', 'offlinetraining_time'))
-					$player->setCustomField('offlinetraining_time', $offlinetraining);
+				}
+
 				$player->setPosX($pos_x);
 				$player->setPosY($pos_y);
 				$player->setPosZ($pos_z);
 				$player->setSoul($soul);
 				$player->setTownId($town);
+
+				if ($hasCapColumn) {
 					$player->setCap($capacity);
+				}
+
 				$player->setSex($sex);
 				$player->setLastLogin($lastlogin);
 				$player->setLastLogout($lastlogout);
@@ -275,23 +307,11 @@ else if (isset($_REQUEST['search'])) {
 				if ($hasBlessingsColumn)
 					$player->setBlessings($blessings);

-				if ($hasBlessingColumn) {
-					for ($i = 1; $i <= $bless_count; $i++) {
-						$a = 'blessing' . $i;
-						$player->setCustomField('blessings' . $i, ${'blessing' . $i} ? '1' : '0');
-					}
-				}
 				$player->setBalance($balance);
 				if ($db->hasColumn('players', 'stamina'))
 					$player->setStamina($stamina);
-				if ($db->hasColumn('players', 'deletion'))
-					$player->setCustomField('deletion', $deleted ? '1' : '0');
-				else
-					$player->setCustomField('deleted', $deleted ? '1' : '0');
-				$player->setCustomField('hide', $hide ? '1' : '0');
-				$player->setCustomField('created', $created);
-				if (isset($comment))
-					$player->setCustomField('comment', $comment);
+
+				$player->setDeleted($deleted ? '1' : '0');

 				foreach ($_POST['skills'] as $skill => $value) {
 					$player->setSkill($skill, $value);
@@ -300,6 +320,24 @@ else if (isset($_REQUEST['search'])) {
 					$player->setSkillTries($skill, $value);
 				}
 				$player->save();
+
+				if ($db->hasColumn('players', 'offlinetraining_time')) {
+					$player->setCustomField('offlinetraining_time', $offlinetraining);
+				}
+
+				if ($hasBlessingColumn) {
+					for ($i = 1; $i <= $bless_count; $i++) {
+						$a = 'blessing' . $i;
+						$player->setCustomField('blessings' . $i, ${'blessing' . $i} ? '1' : '0');
+					}
+				}
+
+				$player->setCustomField('hide', $hide ? '1' : '0');
+				$player->setCustomField('created', $created);
+				if (isset($comment)) {
+					$player->setCustomField('comment', $comment);
+				}
+
 				echo_success('Player saved at: ' . date('G:i'));
 				$player->load($id);
 			}
@@ -531,10 +569,12 @@ else if (isset($_REQUEST['search'])) {
 									</div>
 								</div>
 								<div class="form-group row">
+									<?php if($hasCapColumn): ?>
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="capacity" class="control-label">Capacity:</label>
 										<input type="text" class="form-control" id="capacity" name="capacity" autocomplete="off" size="3" maxlength="11" value="<?php echo $player->getCap(); ?>"/>
 									</div>
+									<?php endif; ?>
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="soul" class="control-label">Soul:</label>
 										<input type="text" class="form-control" id="soul" name="soul" autocomplete="off" size="3" maxlength="10" value="<?php echo $player->getSoul(); ?>"/>
@@ -669,12 +709,18 @@ else if (isset($_REQUEST['search'])) {
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="lastip" class="control-label">Last IP:</label>
 										<input type="text" class="form-control" id="lastip" name="lastip" autocomplete="off" maxlength="10" value="<?php
-										if (strlen($player->getLastIP()) > 11) {
+										$lastIPColumnInfo = $db->getColumnInfo('players', 'lastip');
+										if ($lastIPColumnInfo && is_array($lastIPColumnInfo)) {
+											if (str_contains($lastIPColumnInfo['type'], 'varbinary')) {
 												echo inet_ntop($player->getLastIP());
 											}
 											else {
 												echo longToIp($player->getLastIP());
 											}
+										}
+										else {
+											echo 'Error';
+										}
 										?>" readonly/>
 									</div>
 								</div>
--- a/admin/pages/plugins.php
+++ b/admin/pages/plugins.php
@@ -51,6 +51,56 @@ else {
 		} else {
 			error('Error while disabling plugin ' . $disable . ': ' . Plugins::getError());
 		}
+	}
+	else if (isset($_GET['check-updates'])) {
+		$repoUri = $config['admin_plugins_api_uri'] ?? 'https://plugins.my-aac.org/api/';
+		success("Fetching latest info from $repoUri..");
+
+		$adminPlugins = new \MyAAC\Admin\Plugins();
+
+		$adminPlugins->setApiBaseUri($repoUri);
+
+		try {
+			$plugins = $adminPlugins->getLatestVersions();
+		}
+		catch (Exception $e) {
+			error($e->getMessage());
+		}
+
+		if (isset($plugins) && count($plugins) > 0) {
+			$outdated = [];
+
+			foreach (get_plugins(true) as $plugin) {
+				$string = file_get_contents(BASE . 'plugins/' . $plugin . '.json');
+				$plugin_info = json_decode($string, true);
+
+				if (!$plugin_info) {
+					continue;
+				}
+
+				$disabled = (str_contains($plugin, 'disabled.'));
+				$pluginOriginal = ($disabled ? str_replace('disabled.', '', $plugin) : $plugin);
+
+				$info = $plugins[$pluginOriginal] ?? false;
+				if ($info && version_compare($info['version'], $plugin_info['version'], '>')) {
+					$outdated[] = [
+						'name' => $pluginOriginal,
+						'yourVersion' => $plugin_info['version'],
+						'latestVersion' => $info['version'],
+						'link' => $info['link'] ?? 'Unknown',
+						'download_link' => $info['download_link'] ?? 'Unknown',
+					];
+				}
+			}
+
+			if (count($outdated) > 0) {
+				info('Following updates have been found for your plugins:');
+				$twig->display('admin.plugins.outdated.html.twig', ['plugins' => $outdated]);
+			}
+			else {
+				success('All plugins up to date!');
+			}
+		}
 	} else if (isset($_FILES['plugin']['name'])) {
 		$file = $_FILES['plugin'];
 		$filename = $file['name'];
--- a/admin/pages/visitors.php
+++ b/admin/pages/visitors.php
@@ -19,8 +19,7 @@ $use_datatable = true;

 if (!setting('core.visitors_counter')): ?>
 	Visitors counter is disabled.<br/>
-	You can enable it by editing this configurable in <b>config.local.php</b> file:<br/>
-	<p style="margin-left: 3em;"><b>$config['visitors_counter'] = true;</b></p>
+	You can enable it in Settings -> General -> Visitors Counter.<br/>
 	<?php
 	return;
 endif;
@@ -46,7 +45,7 @@ foreach ($tmp as &$visitor) {
 		if ($dd->isBot()) {
 			$bot = $dd->getBot();
 			$message = '(Bot) %s, <a href="%s" target="_blank">%s</a>';
-			$browser = sprintf($message, $bot['category'], $bot['url'], $bot['name']);
+			$browser = sprintf($message, $bot['category'] ?? 'Unknown', $bot['url'] ?? '', $bot['name'] ?? 'Unknown name');
 		}
 		else {
 			$osFamily = OperatingSystem::getOsFamily($dd->getOs('name'));
--- a/admin/template/menus.php
+++ b/admin/template/menus.php
@@ -60,7 +60,7 @@ usort($menus, function ($a, $b) {

 foreach ($menus as $i => $menu) {
 	if (isset($menu['link']) && is_array($menu['link'])) {
-		usort($menus[$i]['link'], function ($a, $b) {
+		usort($menu['link'], function ($a, $b) {
 			return $a['order'] - $b['order'];
 		});
 	}
--- a/admin/template/template.php
+++ b/admin/template/template.php
@@ -19,14 +19,14 @@
 	<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,300italic,400italic,600italic">
 	<?php $hooks->trigger(HOOK_ADMIN_HEAD_END); ?>
 </head>
-<body class="sidebar-mini ">
+<body class="sidebar-mini <?= (session('admin.menu-collapse') ? 'sidebar-collapse' : ''); ?>">
 <?php $hooks->trigger(HOOK_ADMIN_BODY_START); ?>
 <?php if ($logged && admin()) { ?>
 	<div class="wrapper">
 		<nav class="main-header navbar navbar-expand navbar-white navbar-light">
 			<ul class="navbar-nav">
 				<li class="nav-item">
-					<a class="nav-link" data-widget="pushmenu" href="#"><i class="fas fa-bars"></i></a>
+					<a class="nav-link sidebar-toggle" data-widget="pushmenu" href="#"><i class="fas fa-bars"></i></a>
 				</li>
 				<li class="nav-item d-none d-sm-inline-block">
 					<a href="<?php echo ADMIN_URL; ?>" class="nav-link">Home</a>
@@ -198,6 +198,7 @@ if ($logged && admin()) {
 <script src="<?php echo BASE_URL; ?>tools/js/datatables.bs.min.js"></script>
 <?php } ?>
 <script src="<?php echo BASE_URL; ?>tools/js/adminlte.min.js"></script>
+<?php $twig->display('admin.menu-collapse.html.twig'); ?>
 <?php $hooks->trigger(HOOK_ADMIN_BODY_END); ?>
 </body>
 </html>
--- a/admin/tools/menu_collapse.php
+++ b/admin/tools/menu_collapse.php
@@ -0,0 +1,23 @@
+<?php
+
+const MYAAC_ADMIN = true;
+const IGNORE_SET_LAST_VISIT = true;
+
+require '../../common.php';
+require SYSTEM . 'functions.php';
+require SYSTEM . 'init.php';
+require SYSTEM . 'login.php';
+
+if(!admin()) {
+	http_response_code(500);
+	die('You are not logged in. Probably session expired. Please login again.');
+}
+
+if (!isset($_POST['collapse'])) {
+	http_response_code(500);
+	die('Something went wrong.');
+}
+
+csrfProtect();
+
+setSession('admin.menu-collapse', $_POST['collapse'] == 'true');
--- a/admin/tools/phpinfo.php
+++ b/admin/tools/phpinfo.php
@@ -1,5 +1,6 @@
 <?php
-define('MYAAC_ADMIN', true);
+const MYAAC_ADMIN = true;
+const IGNORE_SET_LAST_VISIT = true;

 require '../../common.php';
 require SYSTEM . 'functions.php';
--- a/admin/tools/reload_data.php
+++ b/admin/tools/reload_data.php
@@ -26,6 +26,7 @@
 use MyAAC\DataLoader;

 const MYAAC_ADMIN = true;
+const IGNORE_SET_LAST_VISIT = true;

 require '../../common.php';
 require SYSTEM . 'functions.php';
--- a/admin/tools/settings_save.php
+++ b/admin/tools/settings_save.php
@@ -1,9 +1,9 @@
 <?php

-use MyAAC\Hooks;
 use MyAAC\Settings;

 const MYAAC_ADMIN = true;
+const IGNORE_SET_LAST_VISIT = true;

 require '../../common.php';
 require SYSTEM . 'functions.php';
@@ -12,7 +12,7 @@ require SYSTEM . 'login.php';

 if(!admin()) {
 	http_response_code(500);
-	die('Access denied.');
+	die('You are not logged in. Probably session expired. Please login again.');
 }

 csrfProtect();
@@ -40,3 +40,6 @@ if (count($errors) > 0) {
 if ($success) {
 	echo 'Saved at ' . date('H:i');
 }
+else {
+	echo 'Something unexpected happened - it was impossible to save the settings, please try again later. If problem persists - contact MyAAC developers.';
+}
--- a/admin/tools/status.php
+++ b/admin/tools/status.php
@@ -1,5 +1,6 @@
 <?php
-define('MYAAC_ADMIN', true);
+const MYAAC_ADMIN = true;
+const IGNORE_SET_LAST_VISIT = true;

 require '../../common.php';
 require SYSTEM . 'init.php';
--- a/admin/tools/upload_image.php
+++ b/admin/tools/upload_image.php
@@ -1,5 +1,6 @@
 <?php
-define('MYAAC_ADMIN', true);
+const MYAAC_ADMIN = true;
+const IGNORE_SET_LAST_VISIT = true;

 require '../../common.php';
 require SYSTEM . 'functions.php';
--- a/common.php
+++ b/common.php
@@ -26,8 +26,8 @@
 if (version_compare(phpversion(), '8.1', '<')) die('PHP version 8.1 or higher is required.');

 const MYAAC = true;
-const MYAAC_VERSION = '1.6';
-const DATABASE_VERSION = 45;
+const MYAAC_VERSION = '2.0-dev';
+const DATABASE_VERSION = 51;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));
 define('MYAAC_OS', stripos(PHP_OS, 'WIN') === 0 ? 'WINDOWS' : (strtoupper(PHP_OS) === 'DARWIN' ? 'MAC' : 'LINUX'));
@@ -148,16 +148,17 @@ if(!IS_CLI) {

 /** @var array $config */
 ini_set('log_errors', 1);
-if(@$config['env'] === 'dev' || defined('MYAAC_INSTALL')) {
-	ini_set('display_errors', 1);
-	ini_set('display_startup_errors', 1);
-	error_reporting(E_ALL);
-}
-else {
+if(isset($config['env']) && $config['env'] !== 'dev' && !defined('MYAAC_INSTALL')) {
 	ini_set('display_errors', 0);
 	ini_set('display_startup_errors', 0);
 	error_reporting(E_ALL & ~E_DEPRECATED & ~E_STRICT);
 }
+else {
+	ini_set('html_errors', 0);
+	ini_set('display_errors', 1);
+	ini_set('display_startup_errors', 1);
+	error_reporting(E_ALL);
+}

 $autoloadFile = VENDOR . 'autoload.php';
 if (!is_file($autoloadFile)) {
--- a/composer.json
+++ b/composer.json
@@ -18,7 +18,9 @@
        "symfony/string": "^6.4",
        "symfony/var-dumper": "^6.4",
        "filp/whoops": "^2.15",
-        "maximebf/debugbar": "1.*"
+        "maximebf/debugbar": "1.*",
+        "guzzlehttp/guzzle": "7.9.3",
+        "spomky-labs/otphp": "^11.3"
    },
    "require-dev": {
        "phpstan/phpstan": "^1.10"
--- a/composer.lock
+++ b/composer.lock
--- a/images/druid.png
+++ b/images/druid.png
--- a/images/facebook_16x16.png
+++ b/images/facebook_16x16.png
--- a/images/instagram_16x16.png
+++ b/images/instagram_16x16.png
--- a/images/knight.png
+++ b/images/knight.png
--- a/images/monk.png
+++ b/images/monk.png
--- a/images/news/delete.png
+++ b/images/news/delete.png
--- a/images/order_asc.gif
+++ b/images/order_asc.gif
--- a/images/order_desc.gif
+++ b/images/order_desc.gif
--- a/images/paladin.png
+++ b/images/paladin.png
--- a/images/sorcerer.png
+++ b/images/sorcerer.png
--- a/images/whatsapp_16x16.png
+++ b/images/whatsapp_16x16.png
--- a/index.php
+++ b/index.php
@@ -93,6 +93,7 @@ if(setting('core.backward_support')) {
 	if($logged && $account_logged)
 		$group_id_of_acc_logged = $account_logged->getGroupId();

+	$config['serverPath'] = $config['server_path'];
 	$config['site'] = &$config;
 	$config['server'] = &$config['lua'];
 	$config['site']['shop_system'] = setting('core.gifts_system');
@@ -117,6 +118,14 @@ if(setting('core.backward_support')) {
 		$config['status']['serverStatus_' . $key] = $value;
 }

+if(setting('core.views_counter')) {
+	require_once SYSTEM . 'counter.php';
+}
+
+if(setting('core.visitors_counter')) {
+	$visitors = new Visitors(setting('core.visitors_counter_ttl'));
+}
+
 require_once SYSTEM . 'router.php';

 // anonymous usage statistics
@@ -153,22 +162,6 @@ if(setting('core.anonymous_usage_statistics')) {
 	}
 }

-if(setting('core.views_counter'))
-	require_once SYSTEM . 'counter.php';
-
-if(setting('core.visitors_counter')) {
-	$visitors = new Visitors(setting('core.visitors_counter_ttl'));
-}
-
-/**
- * @var OTS_Account $account_logged
- */
-if ($logged && admin()) {
-	$content .= $twig->render('admin-bar.html.twig', [
-		'username' => USE_ACCOUNT_NAME ? $account_logged->getName() : $account_logged->getId()
-	]);
-}
-
 $title_full =  (isset($title) ? $title . ' - ' : '') . $config['lua']['serverName'];
 require $template_path . '/' . $template_index;

--- a/install/includes/import_base_data.php
+++ b/install/includes/import_base_data.php
@@ -0,0 +1,67 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+use MyAAC\Models\Changelog;
+use MyAAC\Models\Config;
+use MyAAC\Models\FAQ;
+use MyAAC\Models\ForumBoard;
+use MyAAC\Models\Gallery;
+use MyAAC\Models\NewsCategory;
+
+if (Changelog::count() === 0) {
+	Changelog::create([
+		'type' => 3,
+		'where' => 2,
+		'date' => time(),
+		'body' => 'MyAAC installed. (:',
+		'hide' => 0,
+	]);
+}
+
+if (Config::where('name', 'database_version')->count() === 0) {
+	Config::create([
+		'name' => 'database_version',
+		'value' => DATABASE_VERSION,
+	]);
+}
+
+if (ForumBoard::count() === 0) {
+	$forumBoards = [
+		['name' => 'News', 'description' => 'News commenting', 'closed' => 1],
+		['name' => 'Trade', 'description' => 'Trade offers.', 'closed' => 0],
+		['name' => 'Quests', 'description' => 'Quest making.', 'closed' => 0],
+		['name' => 'Pictures', 'description' => 'Your pictures.', 'closed' => 0],
+		['name' => 'Bug Report', 'description' => 'Report bugs there.', 'closed' => 0],
+	];
+
+	$i = 0;
+	foreach ($forumBoards as $forumBoard) {
+		ForumBoard::create([
+			'name' => $forumBoard['name'],
+			'description' => $forumBoard['description'],
+			'ordering' => $i++,
+			'closed' => $forumBoard['closed'],
+		]);
+	}
+}
+
+if (NewsCategory::count() === 0) {
+	$newsCategoriesIcons = [
+		0, 1, 2, 3, 4
+	];
+
+	foreach ($newsCategoriesIcons as $iconId) {
+		NewsCategory::create([
+			'icon_id' => $iconId,
+		]);
+	}
+}
+
+if(FAQ::count() == 0) {
+	FAQ::create([
+		'question' => 'What is this?',
+		'answer' => 'This is website for OTS powered by MyAAC.',
+	]);
+}
+
+success($locale['step_database_success_import_data']);
--- a/install/includes/schema.sql
+++ b/install/includes/schema.sql
@@ -1,16 +1,32 @@
-SET @myaac_database_version = 45;
-
-CREATE TABLE `myaac_account_actions`
+CREATE TABLE IF NOT EXISTS `myaac_account_actions`
 (
+	`id` int NOT NULL AUTO_INCREMENT,
 	`account_id` int NOT NULL,
-	`ip` int unsigned NOT NULL DEFAULT 0,
-	`ipv6` binary(16) NOT NULL DEFAULT 0,
+	`ip` varchar(45) NOT NULL DEFAULT '',
 	`date` int NOT NULL DEFAULT 0,
 	`action` varchar(255) NOT NULL DEFAULT '',
-	KEY (`account_id`)
+	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_admin_menu`
+CREATE TABLE IF NOT EXISTS `myaac_account_email_codes`
+(
+	`id` int(11) NOT NULL AUTO_INCREMENT,
+	`account_id` int NOT NULL,
+	`code` varchar(6) NOT NULL,
+	`created_at` int NOT NULL,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
+
+CREATE TABLE IF NOT EXISTS `myaac_account_emails_verify`
+(
+	`id` int NOT NULL AUTO_INCREMENT,
+	`account_id` int NOT NULL,
+	`hash` varchar(32) NOT NULL,
+	`sent_at` int NOT NULL DEFAULT 0,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
+
+CREATE TABLE IF NOT EXISTS `myaac_admin_menu`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`name` varchar(255) NOT NULL DEFAULT '',
@@ -21,7 +37,7 @@ CREATE TABLE `myaac_admin_menu`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_changelog`
+CREATE TABLE IF NOT EXISTS `myaac_changelog`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`body` varchar(500) NOT NULL DEFAULT '',
@@ -33,9 +49,7 @@ CREATE TABLE `myaac_changelog`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-INSERT INTO `myaac_changelog` (`id`, `type`, `where`, `date`, `body`, `hide`) VALUES (1, 3, 2, UNIX_TIMESTAMP(), 'MyAAC installed. (:', 0);
-
-CREATE TABLE `myaac_config`
+CREATE TABLE IF NOT EXISTS `myaac_config`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`name` varchar(30) NOT NULL,
@@ -44,9 +58,7 @@ CREATE TABLE `myaac_config`
 	UNIQUE (`name`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-INSERT INTO `myaac_config` (`name`, `value`) VALUES ('database_version', @myaac_database_version);
-
-CREATE TABLE `myaac_faq`
+CREATE TABLE IF NOT EXISTS `myaac_faq`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`question` varchar(255) NOT NULL DEFAULT '',
@@ -56,7 +68,7 @@ CREATE TABLE `myaac_faq`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_forum_boards`
+CREATE TABLE IF NOT EXISTS `myaac_forum_boards`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`name` varchar(32) NOT NULL,
@@ -68,13 +80,8 @@ CREATE TABLE `myaac_forum_boards`
 	`hide` tinyint NOT NULL DEFAULT 0,
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
-INSERT INTO `myaac_forum_boards` (`id`, `name`, `description`, `ordering`, `closed`) VALUES (NULL, 'News', 'News commenting', 0, 1);
-INSERT INTO `myaac_forum_boards` (`id`, `name`, `description`, `ordering`) VALUES (NULL, 'Trade', 'Trade offers.', 1);
-INSERT INTO `myaac_forum_boards` (`id`, `name`, `description`, `ordering`) VALUES (NULL, 'Quests', 'Quest making.', 2);
-INSERT INTO `myaac_forum_boards` (`id`, `name`, `description`, `ordering`) VALUES (NULL, 'Pictures', 'Your pictures.', 3);
-INSERT INTO `myaac_forum_boards` (`id`, `name`, `description`, `ordering`) VALUES (NULL, 'Bug Report', 'Report bugs there.', 4);

-CREATE TABLE `myaac_forum`
+CREATE TABLE IF NOT EXISTS `myaac_forum`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`first_post` int NOT NULL DEFAULT 0,
@@ -98,12 +105,13 @@ CREATE TABLE `myaac_forum`
 	KEY `section` (`section`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_menu`
+CREATE TABLE IF NOT EXISTS `myaac_menu`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`template` varchar(255) NOT NULL,
 	`name` varchar(255) NOT NULL,
 	`link` varchar(255) NOT NULL,
+	`access` tinyint NOT NULL DEFAULT 0,
 	`blank` tinyint NOT NULL DEFAULT 0,
 	`color` varchar(6) NOT NULL DEFAULT '',
 	`category` int NOT NULL DEFAULT 1,
@@ -112,7 +120,7 @@ CREATE TABLE `myaac_menu`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_monsters` (
+CREATE TABLE IF NOT EXISTS `myaac_monsters` (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`hide` tinyint NOT NULL DEFAULT 0,
 	`name` varchar(255) NOT NULL,
@@ -145,7 +153,7 @@ CREATE TABLE `myaac_monsters` (
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_news`
+CREATE TABLE IF NOT EXISTS `myaac_news`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`title` varchar(100) NOT NULL,
@@ -163,7 +171,7 @@ CREATE TABLE `myaac_news`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_news_categories`
+CREATE TABLE IF NOT EXISTS `myaac_news_categories`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`name` varchar(50) NOT NULL DEFAULT "",
@@ -173,13 +181,7 @@ CREATE TABLE `myaac_news_categories`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-INSERT INTO `myaac_news_categories` (`id`, `icon_id`) VALUES (NULL, 0);
-INSERT INTO `myaac_news_categories` (`id`, `icon_id`) VALUES (NULL, 1);
-INSERT INTO `myaac_news_categories` (`id`, `icon_id`) VALUES (NULL, 2);
-INSERT INTO `myaac_news_categories` (`id`, `icon_id`) VALUES (NULL, 3);
-INSERT INTO `myaac_news_categories` (`id`, `icon_id`) VALUES (NULL, 4);
-
-CREATE TABLE `myaac_notepad`
+CREATE TABLE IF NOT EXISTS `myaac_notepad`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`account_id` int NOT NULL,
@@ -189,7 +191,7 @@ CREATE TABLE `myaac_notepad`
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_pages`
+CREATE TABLE IF NOT EXISTS `myaac_pages`
 (
 	`id` INT NOT NULL AUTO_INCREMENT,
 	`name` varchar(30) NOT NULL,
@@ -205,21 +207,7 @@ CREATE TABLE `myaac_pages`
 	UNIQUE (`name`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_gallery`
-(
-	`id` int NOT NULL AUTO_INCREMENT,
-	`comment` varchar(255) NOT NULL DEFAULT '',
-	`image` varchar(255) NOT NULL,
-	`thumb` varchar(255) NOT NULL,
-	`author` varchar(50) NOT NULL DEFAULT '',
-	`ordering` int NOT NULL DEFAULT 0,
-	`hide` tinyint NOT NULL DEFAULT 0,
-	PRIMARY KEY (`id`)
-) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
-
-INSERT INTO `myaac_gallery` (`id`, `ordering`, `comment`, `image`, `thumb`, `author`) VALUES (NULL, 1, 'Demon', 'images/gallery/demon.jpg', 'images/gallery/demon_thumb.gif', 'MyAAC');
-
-CREATE TABLE `myaac_settings`
+CREATE TABLE IF NOT EXISTS `myaac_settings`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`name` varchar(255) NOT NULL DEFAULT '',
@@ -229,7 +217,7 @@ CREATE TABLE `myaac_settings`
 	KEY `key` (`key`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_spells`
+CREATE TABLE IF NOT EXISTS `myaac_spells`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`spell` varchar(255) NOT NULL DEFAULT '',
@@ -252,7 +240,7 @@ CREATE TABLE `myaac_spells`
 	UNIQUE (`name`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_visitors`
+CREATE TABLE IF NOT EXISTS `myaac_visitors`
 (
 	`ip` varchar(45) NOT NULL,
 	`lastvisit` int NOT NULL DEFAULT 0,
@@ -261,7 +249,7 @@ CREATE TABLE `myaac_visitors`
 	UNIQUE (`ip`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;

-CREATE TABLE `myaac_weapons`
+CREATE TABLE IF NOT EXISTS `myaac_weapons`
 (
 	`id` int NOT NULL,
 	`level` int NOT NULL DEFAULT 0,
--- a/install/steps/5-database.php
+++ b/install/steps/5-database.php
@@ -42,10 +42,9 @@ if(!$error) {
 	$configToSave['cache_prefix'] = 'myaac_' . generateRandomString(8, true, false, true);
 	$configToSave['database_auto_migrate'] = true;

-	if(!$error) {
 	$content = '';
 	$saved = Settings::saveConfig($configToSave, BASE . 'config.local.php', $content);
-		if ($saved) {
+	if ($saved || file_exists(BASE . 'config.local.php')) {
 		success($locale['step_database_config_saved']);
 		$_SESSION['saved'] = true;

@@ -74,15 +73,15 @@ if(!$error) {
 			}
 		}
 	} else {
+		$error = true;
 		$_SESSION['config_content'] = $content;
 		unset($_SESSION['saved']);

-			$locale['step_database_error_file'] = str_replace('$FILE$', '<b>' . BASE . 'config.php</b>', $locale['step_database_error_file']);
+		$locale['step_database_error_file'] = str_replace('$FILE$', '<b>' . BASE . 'config.local.php</b>', $locale['step_database_error_file']);
 		error($locale['step_database_error_file'] . '<br/>
 			<textarea cols="70" rows="10">' . $content . '</textarea>');
 	}
 }
-}
 ?>

 <div class="text-center m-3">
--- a/install/tools/5-database.php
+++ b/install/tools/5-database.php
@@ -30,17 +30,12 @@ if(!$error) {
 	}
 }

-if($db->hasTable(TABLE_PREFIX . 'account_actions')) {
-	$locale['step_database_error_table_exist'] = str_replace('$TABLE$', TABLE_PREFIX . 'account_actions', $locale['step_database_error_table_exist']);
-	warning($locale['step_database_error_table_exist']);
-}
-else {
 // import schema
 try {
 	$locale['step_database_importing'] = str_replace('$DATABASE_NAME$', config('database_name'), $locale['step_database_importing']);
 	success($locale['step_database_importing']);

-		$db->query(file_get_contents(BASE . 'install/includes/schema.sql'));
+	$db->exec(file_get_contents(BASE . 'install/includes/schema.sql'));

 	$locale['step_database_success_schema'] = str_replace('$PREFIX$', TABLE_PREFIX, $locale['step_database_success_schema']);
 	success($locale['step_database_success_schema']);
@@ -49,7 +44,8 @@ else {
 	error($locale['step_database_error_schema'] . ' ' . $error_);
 	return;
 }
-}
+
+require BASE . 'install/includes/import_base_data.php';

 if(!$db->hasColumn('accounts', 'email')) {
 	if(query("ALTER TABLE `accounts` ADD `email` varchar(255) NOT NULL DEFAULT '';"))
@@ -102,18 +98,23 @@ if(!$db->hasColumn('accounts', 'web_flags')) {
 		success($locale['step_database_adding_field'] . ' accounts.web_flags...');
 }

-if(!$db->hasColumn('accounts', 'email_hash')) {
-	if(query("ALTER TABLE `accounts` ADD `email_hash` VARCHAR(32) NOT NULL DEFAULT '' AFTER `web_flags`;"))
-		success($locale['step_database_adding_field'] . ' accounts.email_hash...');
+if(!$db->hasColumn('accounts', '2fa_type')) {
+	if(query("ALTER TABLE `accounts` ADD `2fa_type` tinyint NOT NULL DEFAULT 0 AFTER `web_flags`;"))
+		success($locale['step_database_adding_field'] . ' accounts.2fa_type...');
+}
+
+if(!$db->hasColumn('accounts', '2fa_secret')) {
+	if(query("ALTER TABLE `accounts` ADD `2fa_secret` varchar(16) NOT NULL DEFAULT '' AFTER `2fa_type`;"))
+		success($locale['step_database_adding_field'] . ' accounts.2fa_secret...');
 }

 if(!$db->hasColumn('accounts', 'email_verified')) {
-	if(query("ALTER TABLE `accounts` ADD `email_verified` TINYINT(1) NOT NULL DEFAULT 0 AFTER `email_hash`;"))
+	if(query("ALTER TABLE `accounts` ADD `email_verified` TINYINT(1) NOT NULL DEFAULT 0 AFTER `web_flags`;"))
 		success($locale['step_database_adding_field'] . ' accounts.email_verified...');
 }

 if(!$db->hasColumn('accounts', 'email_new')) {
-	if(query("ALTER TABLE `accounts` ADD `email_new` VARCHAR(255) NOT NULL DEFAULT '' AFTER `email_hash`;"))
+	if(query("ALTER TABLE `accounts` ADD `email_new` VARCHAR(255) NOT NULL DEFAULT '' AFTER `email_verified`;"))
 		success($locale['step_database_adding_field'] . ' accounts.email_new...');
 }

--- a/install/tools/7-finish.php
+++ b/install/tools/7-finish.php
@@ -2,8 +2,6 @@
 define('MYAAC_INSTALL', true);

 use MyAAC\DataLoader;
-use MyAAC\Models\FAQ as ModelsFAQ;
-use MyAAC\Plugins;

 require_once '../../common.php';

@@ -25,34 +23,9 @@ if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['save

 require SYSTEM . 'init.php';

-if ($db->hasTable('players')) {
-	$deleted = 'deleted';
-	if ($db->hasColumn('players', 'deletion'))
-		$deleted = 'deletion';
-
-	$time = time();
-	function insert_sample_if_not_exist($p)
-	{
-		global $db, $success, $deleted, $time;
-
-		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote($p['name']));
-		if ($query->rowCount() == 0) {
-			if (!query("INSERT INTO `players` (`id`, `name`, `group_id`, `account_id`, `level`, `vocation`, `health`, `healthmax`, `experience`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`, `maglevel`, `mana`, `manamax`, `manaspent`, `soul`, `town_id`, `posx`, `posy`, `posz`, `conditions`, `cap`, `sex`, `lastlogin`, `lastip`, `save`, `lastlogout`, `balance`, `$deleted`, `created`, `hide`, `comment`) VALUES (null, " . $db->quote($p['name']) . ", 1, " . getSession('account') . ", " . $p['level'] . ", " . $p['vocation_id'] . ", " . $p['health'] . ", " . $p['healthmax'] . ", " . $p['experience'] . ", 118, 114, 38, 57, " . $p['looktype'] . ", 0, " . $p['mana'] . ", " . $p['manamax'] . ", 0, " . $p['soul'] . ", 1, 1000, 1000, 7, '', " . $p['cap'] . ", 1, " . $time . ", 2130706433, 1, " . $time . ", 0, 0, " . $time . ", 1, '');"))
-				$success = false;
-		}
-	}
-
-	$success = true;
-	insert_sample_if_not_exist(array('name' => 'Rook Sample', 'level' => 1, 'vocation_id' => 0, 'health' => 150, 'healthmax' => 150, 'experience' => 0, 'looktype' => 130, 'mana' => 0, 'manamax' => 0, 'soul' => 100, 'cap' => 400));
-	insert_sample_if_not_exist(array('name' => 'Sorcerer Sample', 'level' => 8, 'vocation_id' => 1, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-	insert_sample_if_not_exist(array('name' => 'Druid Sample', 'level' => 8, 'vocation_id' => 2, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-	insert_sample_if_not_exist(array('name' => 'Paladin Sample', 'level' => 8, 'vocation_id' => 3, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 129, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-	insert_sample_if_not_exist(array('name' => 'Knight Sample', 'level' => 8, 'vocation_id' => 4, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 131, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-
-	if ($success) {
-		success($locale['step_database_imported_players']);
-	}
-}
+// add player samples
+require_once SYSTEM . 'migrations/49.php';
+$up();

 DataLoader::setLocale($locale);
 DataLoader::load();
@@ -61,10 +34,6 @@ DataLoader::load();
 require_once SYSTEM . 'migrations/17.php';
 $up();

-// update config.highscores_ids_hidden
-require_once SYSTEM . 'migrations/20.php';
-$up();
-
 // add z_polls tables
 require_once SYSTEM . 'migrations/22.php';
 $up();
@@ -83,13 +52,6 @@ $up();
 require_once SYSTEM . 'migrations/45.php';
 $up();

-if(ModelsFAQ::count() == 0) {
-	ModelsFAQ::create([
-		'question' => 'What is this?',
-		'answer' => 'This is website for OTS powered by MyAAC.',
-	]);
-}
-
 $hooks->trigger(HOOK_INSTALL_FINISH);

 $db->setClearCacheAfter(true);
--- a/login.php
+++ b/login.php
@@ -5,6 +5,7 @@ use MyAAC\Models\PlayerOnline;
 use MyAAC\Models\Account;
 use MyAAC\Models\Player;
 use MyAAC\RateLimit;
+use MyAAC\TwoFactorAuth\TwoFactorAuth;

 require_once 'common.php';
 require_once SYSTEM . 'functions.php';
@@ -88,8 +89,8 @@ switch ($action) {
 	case 'boostedcreature':
 		$clientVersion = (int)setting('core.client');

-		// 14.00 and up
-		if ($clientVersion >= 1400) {
+		// 13.40 and up
+		if ($clientVersion >= 1340) {
 			$creatureBoost = $db->query("SELECT * FROM " . $db->tableName('boosted_creature'))->fetchAll();
 			$bossBoost     = $db->query("SELECT * FROM " . $db->tableName('boosted_boss'))->fetchAll();
 			die(json_encode([
@@ -108,17 +109,18 @@ switch ($action) {

 	case 'login':

-		$port = $config['lua']['gameProtocolPort'];
+		$ip = configLua('ip');
+		$port = configLua('gameProtocolPort');

 		// default world info
 		$world = [
 			'id' => 0,
 			'name' => $config['lua']['serverName'],
-			'externaladdress' => $config['lua']['ip'],
+			'externaladdress' => $ip,
 			'externalport' => $port,
-			'externaladdressprotected' => $config['lua']['ip'],
+			'externaladdressprotected' => $ip,
 			'externalportprotected' => $port,
-			'externaladdressunprotected' => $config['lua']['ip'],
+			'externaladdressunprotected' => $ip,
 			'externalportunprotected' => $port,
 			'previewstate' => 0,
 			'location' => 'BRA', // BRA, EUR, USA
@@ -133,13 +135,12 @@ switch ($action) {

 		$inputEmail = $request->email ?? false;
 		$inputAccountName = $request->accountname ?? false;
-		$inputToken = $request->token ?? false;

 		$account = Account::query();
-		if ($inputEmail != false) { // login by email
+		if ($inputEmail) { // login by email
 			$account->where('email', $inputEmail);
 		}
-		else if($inputAccountName != false) { // login by account name
+		else if($inputAccountName) { // login by account name
 			$account->where('name', $inputAccountName);
 		}

@@ -151,13 +152,14 @@ switch ($action) {
 		$limiter->load();

 		$ban_msg = 'A wrong account, password or secret has been entered ' . setting('core.account_login_attempts_limit') . ' times in a row. You are unable to log into your account for the next ' . setting('core.account_login_ban_time') . ' minutes. Please wait.';
+
 		if (!$account) {
 			$limiter->increment($ip);
 			if ($limiter->exceeded($ip)) {
 				sendError($ban_msg);
 			}

-			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');
+			sendError(($inputEmail ? 'Email' : 'Account name') . ' or password is not correct.');
 		}

 		$current_password = encrypt((USE_ACCOUNT_SALT ? $account->salt : '') . $request->password);
@@ -167,32 +169,30 @@ switch ($action) {
 				sendError($ban_msg);
 			}

-			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');
+			sendError(($inputEmail ? 'Email' : 'Account name') . ' or password is not correct.');
 		}

-		$accountHasSecret = false;
-		if (fieldExist('secret', 'accounts')) {
-			$accountSecret = $account->secret;
-			if ($accountSecret != null && $accountSecret != '') {
-				$accountHasSecret = true;
-				if ($inputToken === false) {
-					$limiter->increment($ip);
-					if ($limiter->exceeded($ip)) {
-						sendError($ban_msg);
+		$twoFactorAuth = TwoFactorAuth::getInstance($account->id);
+
+		$code = '';
+		if ($twoFactorAuth->isActive()) {
+			if ($twoFactorAuth->getAuthType() === TwoFactorAuth::TYPE_EMAIL) {
+				$code = $request->emailcode ?? false;
 			}
-					sendError('Submit a valid two-factor authentication token.', 6);
-				} else {
-					require_once LIBS . 'rfc6238.php';
-					if (TokenAuth6238::verify($accountSecret, $inputToken) !== true) {
+			else if ($twoFactorAuth->getAuthType() === TwoFactorAuth::TYPE_APP) {
+				$code = $request->token ?? false;
+			}
+		}
+
+		$error = '';
+		$errorCode = 6;
+		if (!$twoFactorAuth->processClientLogin($code, $error, $errorCode)) {
 			$limiter->increment($ip);
 			if ($limiter->exceeded($ip)) {
 				sendError($ban_msg);
 			}

-						sendError('Two-factor authentication failed, token is wrong.', 6);
-					}
-				}
-			}
+			sendError($error, $errorCode);
 		}

 		$limiter->reset($ip);
@@ -220,43 +220,6 @@ switch ($action) {
 			}
 		}

-		if (fieldExist('premdays', 'accounts') && fieldExist('lastday', 'accounts')) {
-			$save = false;
-			$timeNow = time();
-			$premDays = $account->premdays;
-			$lastDay = $account->lastday;
-			$lastLogin = $lastDay;
-
-			if ($premDays != 0 && $premDays != PHP_INT_MAX) {
-				if ($lastDay == 0) {
-					$lastDay = $timeNow;
-					$save = true;
-				} else {
-					$days = (int)(($timeNow - $lastDay) / 86400);
-					if ($days > 0) {
-						if ($days >= $premDays) {
-							$premDays = 0;
-							$lastDay = 0;
-						} else {
-							$premDays -= $days;
-							$reminder = ($timeNow - $lastDay) % 86400;
-							$lastDay = $timeNow - $reminder;
-						}
-
-						$save = true;
-					}
-				}
-			} else if ($lastDay != 0) {
-				$lastDay = 0;
-				$save = true;
-			}
-			if ($save) {
-				$account->premdays = $premDays;
-				$account->lastday = $lastDay;
-				$account->save();
-			}
-		}
-
 		$worlds = [$world];
 		$playdata = compact('worlds', 'characters');

@@ -265,7 +228,7 @@ switch ($action) {
 		if (!fieldExist('istutorial', 'players')) {
 			$sessionKey .= "\n";
 		}
-		$sessionKey .= ($accountHasSecret && strlen($accountSecret) > 5) ? $inputToken : '';
+		$sessionKey .= ($twoFactorAuth->isActive() && strlen($account->{'2fa_secret'}) > 5) ? $account->{'2fa_secret'} : '';

 		// this is workaround to distinguish between TFS 1.x and otservbr
 		// TFS 1.x requires the number in session key
--- a/package-lock.json
+++ b/package-lock.json
@@ -18,9 +18,9 @@
      }
    },
    "node_modules/@cypress/request": {
-      "version": "3.0.8",
-      "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.8.tgz",
-      "integrity": "sha512-h0NFgh1mJmm1nr4jCwkGHwKneVYKghUyWe6TMNrk0B9zsjAJxpg8C4/+BAcmLgCPa1vj1V8rNUaILl+zYRUWBQ==",
+      "version": "3.0.10",
+      "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.10.tgz",
+      "integrity": "sha512-hauBrOdvu08vOsagkZ/Aju5XuiZx6ldsLfByg1htFeldhex+PeMrYauANzFsMJeAA0+dyPLbDoX2OYuvVoLDkQ==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
@@ -30,14 +30,14 @@
        "combined-stream": "~1.0.6",
        "extend": "~3.0.2",
        "forever-agent": "~0.6.1",
-        "form-data": "~4.0.0",
+        "form-data": "~4.0.4",
        "http-signature": "~1.4.0",
        "is-typedarray": "~1.0.0",
        "isstream": "~0.1.2",
        "json-stringify-safe": "~5.0.1",
        "mime-types": "~2.1.19",
        "performance-now": "^2.1.0",
-        "qs": "6.14.0",
+        "qs": "~6.14.1",
        "safe-buffer": "^5.1.2",
        "tough-cookie": "^5.0.0",
        "tunnel-agent": "^0.6.0",
@@ -976,15 +976,16 @@
      }
    },
    "node_modules/form-data": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz",
-      "integrity": "sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
+      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "asynckit": "^0.4.0",
        "combined-stream": "^1.0.8",
        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
        "mime-types": "^2.1.12"
      },
      "engines": {
@@ -1430,9 +1431,9 @@
      }
    },
    "node_modules/lodash": {
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
      "dev": true,
      "license": "MIT"
    },
@@ -1742,9 +1743,9 @@
      }
    },
    "node_modules/qs": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
-      "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+      "version": "6.14.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
@@ -2084,9 +2085,9 @@
      "license": "MIT"
    },
    "node_modules/tmp": {
-      "version": "0.2.3",
-      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz",
-      "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==",
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz",
+      "integrity": "sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
--- a/phpstan-bootstrap.php
+++ b/phpstan-bootstrap.php
@@ -4,7 +4,6 @@ require __DIR__ . '/system/libs/pot/OTS.php';
 $ots = POT::getInstance();

 require __DIR__ . '/system/libs/pot/InvitesDriver.php';
-require __DIR__ . '/system/libs/rfc6238.php';
 require __DIR__ . '/common.php';

 const ACTION = '';
--- a/phpstan.neon
+++ b/phpstan.neon
@@ -28,10 +28,9 @@ parameters:
 		- '#Variable \$guild might not be defined#'
 		- '#Variable \$[a-zA-Z0-9\\_]+ might not be defined#'
 		# Eloquent models
+		- '#Call to an undefined method [a-zA-Z0-9\\_]+::[a-zA-Z0-9\\_]+\(\)#'
 		- '#Call to an undefined static method [a-zA-Z0-9\\_]+::[a-zA-Z0-9\\_]+\(\)#'
-		- '#Call to an undefined method object::toArray\(\)#'
 		# system/pages/highscores.php
-		- '#Call to an undefined method Illuminate\\Database\\Query\\Builder::withOnlineStatus\(\)#'
 		- '#Access to an undefined property Illuminate\\Database\\Eloquent\\Model::\$online_status#'
 		- '#Access to an undefined property Illuminate\\Database\\Eloquent\\Model::\$vocation_name#'
 		-
--- a/plugins/example.json
+++ b/plugins/example.json
@@ -51,5 +51,8 @@
 		"themes": true,
 		"admin-pages": true,
 		"admin-pages-sub-folders": true,
+		"settings": true,
+		"install": true,
+		"init": false
 	}
 }
--- a/system/compat/config.php
+++ b/system/compat/config.php
@@ -5,8 +5,6 @@ $deprecatedConfig = [
 	'genders',
 	'template',
 	'template_allow_change',
-	'vocations_amount',
-	'vocations',
 	'client',
 	'session_prefix',
 	'friendly_urls',
@@ -21,7 +19,6 @@ $deprecatedConfig = [
 	'visitors_counter_ttl',
 	'views_counter',
 	'outfit_images_url',
-	'outfit_images_wrong_looktypes',
 	'item_images_url',
 	'account_country',
 	'towns',
@@ -52,6 +49,7 @@ $deprecatedConfig = [
 	'online_skulls',
 	'online_outfit',
 	'online_afk',
+	'team_style',
 	'team_display_outfit' => 'team_outfit',
 	'team_display_status' => 'team_status',
 	'team_display_world' => 'team_world',
@@ -81,6 +79,7 @@ $deprecatedConfig = [
 	'account_change_character_name_points' => 'account_change_character_name_price',
 	'account_change_character_sex',
 	'account_change_character_sex_points' => 'account_change_character_name_price',
+	'email_lai_sec_interval' => 'mail_lost_account_interval',
 ];

 foreach ($deprecatedConfig as $key => $value) {
--- a/system/functions.php
+++ b/system/functions.php
@@ -17,11 +17,12 @@ use MyAAC\Models\Guild;
 use MyAAC\Models\House;
 use MyAAC\Models\Pages;
 use MyAAC\Models\Player;
+use MyAAC\Models\PlayerDeath;
+use MyAAC\Models\PlayerKillers;
 use MyAAC\News;
 use MyAAC\Plugins;
 use MyAAC\Settings;
 use PHPMailer\PHPMailer\PHPMailer;
-use Twig\Loader\ArrayLoader as Twig_ArrayLoader;

 function message($message, $type, $return)
 {
@@ -433,16 +434,22 @@ function delete_guild($id)
 		$rank_list->orderBy('level');

 		global $db;
+
+		$deletedColumn = 'deleted';
+		if ($db->hasColumn('players', 'deletion')) {
+			$deletedColumn = 'deletion';
+		}
+
 		/**
 		 * @var OTS_GuildRank $rank_in_guild
 		 */
 		foreach($rank_list as $rank_in_guild) {
 			if($db->hasTable('guild_members'))
-				$players_with_rank = $db->query('SELECT `players`.`id` as `id`, `guild_members`.`rank_id` as `rank_id` FROM `players`, `guild_members` WHERE `guild_members`.`rank_id` = ' . $rank_in_guild->getId() . ' AND `players`.`id` = `guild_members`.`player_id` ORDER BY `name`;');
+				$players_with_rank = $db->query('SELECT `players`.`id` as `id`, `guild_members`.`rank_id` as `rank_id` FROM `players`, `guild_members` WHERE `guild_members`.`rank_id` = ' . $rank_in_guild->getId() . ' AND `players`.`id` = `guild_members`.`player_id` AND `' . $deletedColumn . '` = 0 ORDER BY `name`;');
 			else if($db->hasTable('guild_membership'))
-				$players_with_rank = $db->query('SELECT `players`.`id` as `id`, `guild_membership`.`rank_id` as `rank_id` FROM `players`, `guild_membership` WHERE `guild_membership`.`rank_id` = ' . $rank_in_guild->getId() . ' AND `players`.`id` = `guild_membership`.`player_id` ORDER BY `name`;');
+				$players_with_rank = $db->query('SELECT `players`.`id` as `id`, `guild_membership`.`rank_id` as `rank_id` FROM `players`, `guild_membership` WHERE `guild_membership`.`rank_id` = ' . $rank_in_guild->getId() . ' AND `players`.`id` = `guild_membership`.`player_id` AND `' . $deletedColumn . '` = 0 ORDER BY `name`;');
 			else
-				$players_with_rank = $db->query('SELECT `id`, `rank_id` FROM `players` WHERE `rank_id` = ' . $rank_in_guild->getId() . ' AND `deleted` = 0;');
+				$players_with_rank = $db->query('SELECT `id`, `rank_id` FROM `players` WHERE `rank_id` = ' . $rank_in_guild->getId() . ' AND `' . $deletedColumn . '` = 0;');

 			$players_with_rank_number = $players_with_rank->rowCount();
 			if($players_with_rank_number > 0) {
@@ -510,10 +517,24 @@ function template_place_holder($type): string
 			$ret .= $debugBarRenderer->renderHead();
 		}
 	}
+	elseif ($type === 'head_end') {
+		$ret .= setting('core.html_head');
+	}
 	elseif ($type === 'body_start') {
+		$ret .= setting('core.html_body');
+
 		$ret .= $twig->render('browsehappy.html.twig');
+
+		if (admin()) {
+			global $account_logged;
+			$ret .= $twig->render('admin-bar.html.twig', [
+				'username' => USE_ACCOUNT_NAME ? $account_logged->getName() : $account_logged->getId()
+			]);
+		}
 	}
 	elseif($type === 'body_end') {
+		$ret .= setting('core.html_footer');
+
 		$ret .= template_ga_code();
 		if (isset($debugBar)) {
 			$ret .= $debugBarRenderer->render();
@@ -767,6 +788,10 @@ function formatExperience($exp, $color = true)
 	return $ret;
 }

+function getExperienceForLevel($level): float|int {
+	return ( 50 / 3 ) * pow( $level, 3 ) - ( 100 * pow( $level, 2 ) ) + ( ( 850 / 3 ) * $level ) - 200;
+}
+
 function get_locales()
 {
 	$ret = array();
@@ -861,11 +886,12 @@ function getWorldName($id)
 *
 * @param string $to Recipient email address.
 * @param string $subject Subject of the message.
- * @param string $body Message body in html format.
+ * @param string $body Message body in HTML format.
 * @param string $altBody Alternative message body, plain text.
 * @return bool PHPMailer status returned (success/failure).
+ * @throws \PHPMailer\PHPMailer\Exception
 */
-function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
+function _mail(string $to, string $subject, string $body, string $altBody = ''): bool
 {
 	global $mailer, $config;

@@ -883,12 +909,6 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->clearAllRecipients();
 	}

-	$signature_html = setting('core.mail_signature_html');
-	if($add_html_tags && isset($body[0]))
-		$tmp_body = '<html><head></head><body>' . $body . '<br/><br/>' . $signature_html . '</body></html>';
-	else
-		$tmp_body = $body . '<br/><br/>' . $signature_html;
-
 	$mailOption = setting('core.mail_option');
 	if($mailOption == MAIL_SMTP)
 	{
@@ -915,6 +935,9 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->isMail();
 	}

+	$signature_html = setting('core.mail_signature_html');
+	$tmp_body = $body . '<br/><br/>' . $signature_html;
+
 	$mailer->isHTML(isset($body[0]) > 0);
 	$mailer->From = setting('core.mail_address');
 	$mailer->Sender = setting('core.mail_address');
@@ -982,11 +1005,12 @@ function load_config_lua($filename)
 		foreach($lines as $ln => $line)
 		{
 			$line = trim($line);
-			if(@$line[0] === '{' || @$line[0] === '}') {
+			if(isset($line[0]) && ($line[0] === '{' || $line[0] === '}')) {
 				// arrays are not supported yet
 				// just ignore the error
 				continue;
 			}
+
 			$tmp_exp = explode('=', $line, 2);
 			if(str_contains($line, 'dofile')) {
 				$delimiter = '"';
@@ -1117,11 +1141,44 @@ function csrfProtect(): void
 	}
 }

-function getTopPlayers($limit = 5, $skill = 'level') {
+function getSkillIdByName(string $name): int|null
+{
+	$skills = [
+		'level' => POT::SKILL_LEVEL,
+		'experience' => POT::SKILL_LEVEL,
+
+		'magic' => POT::SKILL_MAGIC,
+		'maglevel' => POT::SKILL_MAGIC,
+
+		'balance' => SKILL_BALANCE,
+		'frags' => SKILL_FRAGS,
+
+		'club' => POT::SKILL_CLUB,
+		'sword' => POT::SKILL_SWORD,
+		'axe' => POT::SKILL_AXE,
+		'dist' => POT::SKILL_DIST,
+		'distance' => POT::SKILL_DIST,
+		'shield' => POT::SKILL_SHIELD,
+		'shielding' => POT::SKILL_SHIELD,
+		'fish' => POT::SKILL_FISH,
+		'fishing' => POT::SKILL_FISH,
+	];
+
+	return $skills[$name] ?? null;
+}
+
+function getTopPlayers($limit = 5, $skill = POT::SKILL_LEVEL)
+{
 	global $db;

-	if ($skill === 'level') {
-		$skill = 'experience';
+	$skillOriginal = $skill;
+
+	if (is_string($skill)) {
+		$skill = getSkillIdByName($skill);
+	}
+
+	if (!is_numeric($skill)) {
+		throw new RuntimeException("getTopPlayers: Invalid skill: $skillOriginal");
 	}

 	return Cache::remember("top_{$limit}_{$skill}", 2 * 60, function () use ($db, $limit, $skill) {
@@ -1130,19 +1187,76 @@ function getTopPlayers($limit = 5, $skill = 'level') {
 			'looktype', 'lookhead', 'lookbody', 'looklegs', 'lookfeet'
 		];

+		if ($db->hasColumn('players', 'promotion')) {
+			$columns[] = 'promotion';
+		}
+
 		if ($db->hasColumn('players', 'lookaddons')) {
 			$columns[] = 'lookaddons';
 		}

-		return Player::query()
+		if ($db->hasColumn('players', 'lookmount')) {
+			$columns[] = 'lookmount';
+		}
+
+		$query = Player::query()
 			->select($columns)
 			->withOnlineStatus()
 			->notDeleted()
 			->where('group_id', '<', setting('core.highscores_groups_hidden'))
 			->whereNotIn('id', setting('core.highscores_ids_hidden'))
 			->where('account_id', '!=', 1)
-			->orderByDesc($skill)
-			->limit($limit)
+			->orderByDesc('value');
+
+		if ($limit > 0) {
+			$query->limit($limit);
+		}
+
+		if ($skill >= POT::SKILL_FIRST && $skill <= POT::SKILL_LAST) { // skills
+			if ($db->hasColumn('players', 'skill_fist')) {// tfs 1.0
+				$skill_ids = array(
+					POT::SKILL_FIST => 'skill_fist',
+					POT::SKILL_CLUB => 'skill_club',
+					POT::SKILL_SWORD => 'skill_sword',
+					POT::SKILL_AXE => 'skill_axe',
+					POT::SKILL_DIST => 'skill_dist',
+					POT::SKILL_SHIELD => 'skill_shielding',
+					POT::SKILL_FISH => 'skill_fishing',
+				);
+
+				$query
+					->addSelect($skill_ids[$skill] . ' as value')
+					->orderByDesc($skill_ids[$skill] . '_tries');
+			} else {
+				$query
+					->join('player_skills', 'player_skills.player_id', '=', 'players.id')
+					->where('skillid', $skill)
+					->addSelect('player_skills.value as value');
+			}
+		} else if ($skill == SKILL_FRAGS) // frags
+		{
+			if ($db->hasTable('player_killers')) {
+				$query->addSelect(['value' => PlayerKillers::whereColumn('player_killers.player_id', 'players.id')->selectRaw('COUNT(*)')]);
+			} else {
+				$query->addSelect(['value' => PlayerDeath::unjustified()->whereColumn('player_deaths.killed_by', 'players.name')->selectRaw('COUNT(*)')]);
+			}
+		} else if ($skill == SKILL_BALANCE) // balance
+		{
+			$query
+				->addSelect('players.balance as value');
+		} else {
+			if ($skill == POT::SKILL_MAGIC) {
+				$query
+					->addSelect('players.maglevel as value', 'players.maglevel')
+					->orderByDesc('manaspent');
+			} else { // level
+				$query
+					->addSelect('players.level as value', 'players.experience')
+					->orderByDesc('experience');
+			}
+		}
+
+		return $query
 			->get()
 			->map(function ($e, $i) {
 				$row = $e->toArray();
@@ -1157,7 +1271,8 @@ function getTopPlayers($limit = 5, $skill = 'level') {
 	});
 }

-function deleteDirectory($dir, $ignore = array(), $contentOnly = false) {
+function deleteDirectory($dir, $ignore = array(), $contentOnly = false): bool
+{
 	if(!file_exists($dir)) {
 		return true;
 	}
@@ -1183,6 +1298,21 @@ function deleteDirectory($dir, $ignore = array(), $contentOnly = false) {
 	return rmdir($dir);
 }

+function ensureFolderExists($dir): void
+{
+	if (!file_exists($dir)) {
+		mkdir($dir, 0777, true);
+	}
+}
+
+function ensureIndexExists($dir): void
+{
+	$dir = rtrim($dir, '/');
+	if (!file_exists($file = $dir . '/index.html')) {
+		touch($file);
+	}
+}
+
 function config($key) {
 	global $config;
 	if (is_array($key)) {
@@ -1216,7 +1346,8 @@ function setting($key)
 		return $settings[$key[0]] = $key[1];
 	}

-	return $settings[$key]['value'];
+	$ret = $settings[$key];
+	return isset($ret) ? $ret['value'] : null;
 }

 function clearCache()
@@ -1265,14 +1396,15 @@ function clearCache()
 		$db->setClearCacheAfter(true);
 	}

+	if (function_exists('apcu_clear_cache')) {
+		apcu_clear_cache();
+	}
+
 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);
 	deleteDirectory(CACHE . 'twig', ['index.html'], true);
 	deleteDirectory(CACHE . 'plugins', ['index.html'], true);
 	deleteDirectory(CACHE, ['signatures', 'twig', 'plugins', 'index.html', 'persistent'], true);

-	// routes cache
-	clearRouteCache();
-
 	global $hooks;
 	$hooks->trigger(HOOK_CACHE_CLEAR, ['cache' => Cache::getInstance()]);

@@ -1337,17 +1469,7 @@ function getCustomPage($name, &$success): string
 			ob_end_clean();
 		}
 		else {
-			$oldLoader = $twig->getLoader();
-
-			$twig_loader_array = new Twig_ArrayLoader(array(
-				'content.html' => $page['body']
-			));
-
-			$twig->setLoader($twig_loader_array);
-
-			$content .= $twig->render('content.html');
-
-			$twig->setLoader($oldLoader);
+			$content .= $twig->renderInline($page['body']);
 		}
 	}

@@ -1618,13 +1740,14 @@ function camelCaseToUnderscore($input)
 	return ltrim(strtolower(preg_replace('/[A-Z]([A-Z](?![a-z]))*/', '_$0', $input)), '_');
 }

-function removeIfFirstSlash(&$text) {
+function removeIfFirstSlash(&$text): void
+{
 	if(strpos($text, '/') === 0) {
 		$text = str_replace_first('/', '', $text);
 	}
 };

-function escapeHtml($html) {
+function escapeHtml($html): string {
 	return htmlspecialchars($html);
 }

@@ -1638,7 +1761,7 @@ function getGuildNameById($id)
 	return false;
 }

-function getGuildLogoById($id)
+function getGuildLogoById($id): string
 {
 	$logo = 'default.gif';

@@ -1654,7 +1777,8 @@ function getGuildLogoById($id)
 	return BASE_URL . GUILD_IMAGES_DIR . $logo;
 }

-function displayErrorBoxWithBackButton($errors, $action = null) {
+function displayErrorBoxWithBackButton($errors, $action = null): void
+{
 	global $twig;
 	$twig->display('error_box.html.twig', ['errors' => $errors]);
 	$twig->display('account.back_button.html.twig', [
@@ -1682,6 +1806,49 @@ function getAccountIdentityColumn(): string
 	return 'id';
 }

+function isCanary(): bool
+{
+	$dataPackDirectory = configLua('dataPackDirectory');
+	return isset($dataPackDirectory);
+}
+
+function getStatusUptimeReadable(int $uptime): string
+{
+	$fullMinute = 60;
+	$fullHour = (60 * $fullMinute);
+	$fullDay = (24 * $fullHour);
+	$fullMonth = (30 * $fullDay);
+	$fullYear = (365 * $fullDay);
+
+	// years
+	$years = floor($uptime / $fullYear);
+	$y = ($years > 1 ? "$years years, " : ($years == 1 ? 'year, ' : ''));
+
+	$uptime -= $years * $fullYear;
+
+	// months
+	$months = floor($uptime / $fullMonth);
+	$m = ($months > 1 ? "$months months, " : ($months == 1 ? 'month, ' : ''));
+
+	$uptime -= $months * $fullMonth;
+
+	// days
+	$days = floor($uptime / $fullDay);
+	$d = ($days > 1 ? "$days days, " : ($days == 1 ? 'day, ' : ''));
+
+	$uptime -= $days * $fullDay;
+
+	// hours
+	$hours = floor($uptime / $fullHour);
+
+	$uptime -= $hours * $fullHour;
+
+	// minutes
+	$min = floor($uptime / $fullMinute);
+
+	return "{$y}{$m}{$d}{$hours}h {$min}m";
+}
+
 // validator functions
 require_once SYSTEM . 'compat/base.php';

--- a/system/init.php
+++ b/system/init.php
@@ -14,10 +14,14 @@ use MyAAC\CsrfToken;
 use MyAAC\Hooks;
 use MyAAC\Plugins;
 use MyAAC\Models\Town;
+use MyAAC\Server\XML\Vocations;
 use MyAAC\Settings;

 defined('MYAAC') or die('Direct access not allowed!');

+ensureIndexExists(CACHE);
+ensureIndexExists(CACHE . 'twig/');
+
 global $config;
 if(!isset($config['installed']) || !$config['installed']) {
 	throw new RuntimeException('MyAAC has not been installed yet or there was error during installation. Please install again.');
@@ -144,6 +148,15 @@ $ots = POT::getInstance();
 $eloquentConnection = null;
 require_once SYSTEM . 'database.php';

+define('USE_ACCOUNT_NAME', $db->hasColumn('accounts', 'name'));
+define('USE_ACCOUNT_NUMBER', $db->hasColumn('accounts', 'number'));
+define('USE_ACCOUNT_SALT', $db->hasColumn('accounts', 'salt'));
+
+define('HAS_ACCOUNT_COINS', $db->hasColumn('accounts', 'coins'));
+define('HAS_ACCOUNT_COINS_TRANSFERABLE', $db->hasColumn('accounts', 'coins_transferable'));
+define('HAS_ACCOUNT_TRANSFERABLE_COINS', $db->hasColumn('accounts', 'transferable_coins'));
+const ACCOUNT_COINS_TRANSFERABLE_COLUMN = (HAS_ACCOUNT_COINS_TRANSFERABLE ? 'coins_transferable' : 'transferable_coins');
+
 $twig->addGlobal('logged', false);
 $twig->addGlobal('account_logged', new \OTS_Account());

@@ -188,10 +201,6 @@ if($settingsItemImagesURL[strlen($settingsItemImagesURL) - 1] !== '/') {
 	setting(['core.item_images_url', $settingsItemImagesURL . '/']);
 }

-define('USE_ACCOUNT_NAME', $db->hasColumn('accounts', 'name'));
-define('USE_ACCOUNT_NUMBER', $db->hasColumn('accounts', 'number'));
-define('USE_ACCOUNT_SALT', $db->hasColumn('accounts', 'salt'));
-
 $towns = Cache::remember('towns', 10 * 60, function () use ($db) {
 	if ($db->hasTable('towns') && Town::count() > 0) {
 		return Town::orderBy('id', 'ASC')->pluck('name', 'id')->toArray();
@@ -206,3 +215,5 @@ if (count($towns) <= 0) {

 config(['towns', $towns]);
 unset($towns);
+
+new Vocations();
--- a/system/libs/pot/OTS_Account.php
+++ b/system/libs/pot/OTS_Account.php
@@ -12,6 +12,9 @@
 * @license http://www.gnu.org/licenses/lgpl-3.0.txt GNU Lesser General Public License, Version 3
 */

+use MyAAC\Models\Account as AccountModel;
+use MyAAC\Models\AccountAction;
+
 /**
 * OTServ account abstraction.
 *
@@ -40,7 +43,11 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 */
 	private $data = array('email' => '', 'rlname' => '','location' => '', 'country' => '','web_flags' => 0, 'lastday' => 0, 'premdays' => 0, 'created' => 0);

-	public static $cache = array();
+	private array $columns = ['password', 'email', 'rlname', 'location', 'country', 'web_flags', 'created'];
+
+	private array $optionalColumns = ['name', 'number', 'lastday', 'premdays', 'premium_ends_at', 'premend'];
+
+	public static array $cache = [];

 	const GRATIS_PREMIUM_DAYS = 65535;
 /**
@@ -325,27 +332,50 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 */
 	public function save()
 	{
-        if( !isset($this->data['id']) )
-        {
+		if (!isset($this->data['id'])) {
 			throw new E_OTS_NotLoaded();
 		}

-	$field = 'lastday';
-	if($this->db->hasColumn('accounts', 'premend')) { // othire
-    		$field = 'premend';
-		if(!isset($this->data['premend'])) {
-			$this->data['premend'] = 0;
-		}
-	}
-	else if($this->db->hasColumn('accounts', 'premium_ends_at')) {
-		$field = 'premium_ends_at';
-		if(!isset($this->data['premium_ends_at'])) {
-			$this->data['premium_ends_at'] = 0;
+		$defaultValues = [
+			'premium_ends_at' => 0,
+			'lastday' => 0,
+			'premend' => 0,
+			'premdays' => 0,
+		];
+
+		foreach ($defaultValues as $key => $value) {
+			if (!isset($this->data[$key])) {
+				$this->data[$key] = $value;
 			}
 		}

-        // UPDATE query on database
-        $this->db->exec('UPDATE `accounts` SET ' . ($this->db->hasColumn('accounts', 'name') ? '`name` = ' . $this->db->quote($this->data['name']) . ',' : '') . '`password` = ' . $this->db->quote($this->data['password']) . ', `email` = ' . $this->db->quote($this->data['email']) . ', `rlname` = ' . $this->db->quote($this->data['rlname']) . ', `location` = ' . $this->db->quote($this->data['location']) . ', `country` = ' . $this->db->quote($this->data['country']) . ', `web_flags` = ' . (int) $this->data['web_flags'] . ', ' . ($this->db->hasColumn('accounts', 'premdays') ? '`premdays` = ' . (int) $this->data['premdays'] . ',' : '') . '`' . $field . '` = ' . (int) $this->data[$field] . ' WHERE `id` = ' . $this->data['id']);
+		$columns = $this->columns;
+		foreach ($this->optionalColumns as $column) {
+			if ($this->db->hasColumn('accounts', $column)) {
+				$columns[] = $column;
+			}
+		}
+
+		$values = [];
+		foreach ($columns as $column) {
+			$value = $this->data[$column];
+
+			$values[$column] = $value;
+		}
+
+		// updates existing player
+		if( isset($this->data['id']) ) {
+			AccountModel::where('id', $this->data['id'])->update($values);
+		}
+		// creates new player
+		else {
+			$values['created'] = time();
+
+			$account = AccountModel::create($values);
+
+			// ID of new player
+			$this->data['id'] = $account->id;
+		}
 	}

 /**
@@ -443,8 +473,9 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 			throw new E_OTS_NotLoaded();
 		}

-		if(isset($this->data['premium_ends_at']) || isset($this->data['premend'])) {
-			$col = isset($this->data['premium_ends_at']) ? 'premium_ends_at' : 'premend';
+		if(isset($this->data['premium_ends_at']) || isset($this->data['premend']) ||
+			(isCanary() && isset($this->data['lastday']))) {
+				$col = (isset($this->data['premium_ends_at']) ? 'premium_ends_at' : (isset($this->data['lastday']) ? 'lastday' : 'premend'));
 				$ret = ceil(($this->data[$col] - time()) / (24 * 60 * 60));
 				return max($ret, 0);
 		}
@@ -471,17 +502,16 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 		return $this->data['lastday'];
 	}

-    public function isPremium()
+	public function isPremium(): bool
 	{
-		global $config;
-        if(isset($config['lua']['freePremium']) && getBoolean($config['lua']['freePremium'])) return true;
-
-	    if(isset($this->data['premium_ends_at'])) {
-		    return $this->data['premium_ends_at'] > time();
+		if(isset($this->data['premium_ends_at']) || isset($this->data['premend']) ||
+			(isCanary() && isset($this->data['lastday']))) {
+			$col = (isset($this->data['premium_ends_at']) ? 'premium_ends_at' : (isset($this->data['lastday']) ? 'lastday' : 'premend'));
+			return $this->data[$col] > time();
 		}

-		if(isset($this->data['premend'])) {
-			return $this->data['premend'] > time();
+		if($this->data['premdays'] == self::GRATIS_PREMIUM_DAYS){
+			return true;
 		}

 		return ($this->data['premdays'] - (date("z", time()) + (365 * (date("Y", time()) - date("Y", $this->data['lastday']))) - date("z", $this->data['lastday'])) > 0);
@@ -504,11 +534,17 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 * @since 0.7.5
 * @throws E_OTS_NotLoaded If account is not loaded.
 */
-    public function setPremDays($premdays)
+	public function setPremDays($premdays): void
 	{
 		$this->data['premdays'] = (int) $premdays;
-		$this->data['premend'] = time() + ($premdays * 24 * 60 * 60);
-		$this->data['premium_ends_at'] = time() + ($premdays * 24 * 60 * 60);
+
+		$premiumTimeInSeconds = time() + ($premdays * 24 * 60 * 60);
+		$this->data['premend'] = $premiumTimeInSeconds;
+		$this->data['premium_ends_at'] = $premiumTimeInSeconds;
+
+		if (isCanary()) {
+			$this->data['lastday'] = $premiumTimeInSeconds;
+		}
 	}

 	public function setRLName($name)
@@ -700,17 +736,11 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 */
 	public function setCustomField($field, $value)
 	{
-        if( !isset($this->data['id']) )
-        {
+		if( !isset($this->data['id']) ) {
 			throw new E_OTS_NotLoaded();
 		}

-        // quotes value for SQL query
-        if(!( is_int($value) || is_float($value) ))
-        {
-            $value = $this->db->quote($value);
-        }
-        $this->db->exec('UPDATE ' . $this->db->tableName('accounts') . ' SET ' . $this->db->fieldName($field) . ' = ' . $value . ' WHERE ' . $this->db->fieldName('id') . ' = ' . $this->data['id']);
+		AccountModel::where('id', $this->data['id'])->update([$field => $value]);
 	}

 /**
@@ -1007,26 +1037,16 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable

 	public function logAction($action)
 	{
-		$ip = get_browser_real_ip();
-		if(!str_contains($ip, ":")) {
-			$ipv6 = '0';
-		}
-		else {
-			$ipv6 = $ip;
-			$ip = '';
+		AccountAction::create([
+			'account_id' => $this->getId(),
+			'ip' => get_browser_real_ip(),
+			'date' => time(),
+			'action' => $action,
+		]);
 	}

-		return $this->db->exec('INSERT INTO `' . TABLE_PREFIX . 'account_actions` (`account_id`, `ip`, `ipv6`, `date`, `action`) VALUES (' . $this->db->quote($this->getId()).', ' . ($ip == '' ? '0' : $this->db->quote(ip2long($ip))) . ', (' . ($ipv6 == '0' ? $this->db->quote('') : $this->db->quote(inet_pton($ipv6))) . '), UNIX_TIMESTAMP(NOW()), ' . $this->db->quote($action).')');
-	}
-
-	public function getActionsLog($limit1, $limit2)
-	{
-		$actions = array();
-
-		foreach($this->db->query('SELECT `ip`, `ipv6`, `date`, `action` FROM `' . TABLE_PREFIX . 'account_actions` WHERE `account_id` = ' . $this->data['id'] . ' ORDER by `date` DESC LIMIT ' . $limit1 . ', ' . $limit2 . '')->fetchAll() as $a)
-			$actions[] = array('ip' => $a['ip'], 'ipv6' => $a['ipv6'], 'date' => $a['date'], 'action' => $a['action']);
-
-		return $actions;
+	public function getActionsLog($limit) {
+		return AccountAction::where('account_id', $this->data['id'])->orderByDesc('date')->limit($limit)->get()->toArray();
 	}
 /**
 * Returns players iterator.
--- a/system/libs/pot/OTS_DB_MySQL.php
+++ b/system/libs/pot/OTS_DB_MySQL.php
@@ -26,10 +26,12 @@ use MyAAC\Cache\Cache;
 */
 class OTS_DB_MySQL extends OTS_Base_DB
 {
-	private $has_table_cache = array();
-	private $has_column_cache = array();
+	private bool $hasCacheChanged = false;
+	private array $has_table_cache = [];
+	private array $has_column_cache = [];
+	private array $get_column_info_cache = [];

-	private $clearCacheAfter = false;
+	private bool $clearCacheAfter = false;
 /**
 * Creates database connection.
 *
@@ -119,6 +121,11 @@ class OTS_DB_MySQL extends OTS_Base_DB
 				if($cache->fetch('database_columns', $tmp) && $tmp) {
 					$this->has_column_cache = unserialize($tmp);
 				}
+
+				$tmp = null;
+				if($cache->fetch('database_columns_info', $tmp) && $tmp) {
+					$this->get_column_info_cache = unserialize($tmp);
+				}
 			}
 		}

@@ -155,11 +162,13 @@ class OTS_DB_MySQL extends OTS_Base_DB
 			if ($this->clearCacheAfter) {
 				$cache->delete('database_tables');
 				$cache->delete('database_columns');
+				$cache->delete('database_columns_info');
 				$cache->delete('database_checksum');
 			}
-			else {
+			else if ($this->hasCacheChanged) {
 				$cache->set('database_tables', serialize($this->has_table_cache), 3600);
 				$cache->set('database_columns', serialize($this->has_column_cache), 3600);
+				$cache->set('database_columns_info', serialize($this->get_column_info_cache), 3600);
 				$cache->set('database_checksum', serialize(sha1($config['database_host'] . '.' . $config['database_name'])), 3600);
 			}
 		}
@@ -209,7 +218,8 @@ class OTS_DB_MySQL extends OTS_Base_DB
 		return $sql;
 	}

-	public function hasTable($name) {
+	public function hasTable($name): bool
+	{
 		if(isset($this->has_table_cache[$name])) {
 			return $this->has_table_cache[$name];
 		}
@@ -217,12 +227,15 @@ class OTS_DB_MySQL extends OTS_Base_DB
 		return $this->hasTableInternal($name);
 	}

-	private function hasTableInternal($name) {
-		global $config;
-		return ($this->has_table_cache[$name] = $this->query('SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `TABLE_SCHEMA` = ' . $this->quote($config['database_name']) . ' AND `TABLE_NAME` = ' . $this->quote($name) . ' LIMIT 1;')->rowCount() > 0);
+	private function hasTableInternal($name): bool
+	{
+		$this->hasCacheChanged = true;
+
+		return ($this->has_table_cache[$name] = $this->query('SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `TABLE_SCHEMA` = ' . $this->quote(config('database_name')) . ' AND `TABLE_NAME` = ' . $this->quote($name) . ' LIMIT 1;')->rowCount() > 0);
 	}

-	public function hasColumn($table, $column) {
+	public function hasColumn($table, $column): bool
+	{
 		if(isset($this->has_column_cache[$table . '.' . $column])) {
 			return $this->has_column_cache[$table . '.' . $column];
 		}
@@ -230,8 +243,10 @@ class OTS_DB_MySQL extends OTS_Base_DB
 		return $this->hasColumnInternal($table, $column);
 	}

-	private function hasColumnInternal($table, $column) {
-		return $this->hasTable($table) && ($this->has_column_cache[$table . '.' . $column] = count($this->query('SHOW COLUMNS FROM `' . $table . "` LIKE '" . $column . "'")->fetchAll()) > 0);
+	private function hasColumnInternal($table, $column): bool {
+		$this->hasCacheChanged = true;
+
+		return $this->hasTable($table) && ($this->has_column_cache[$table . '.' . $column] = count($this->query('SHOW COLUMNS FROM `' . $table . "` LIKE " . $this->quote($column))->fetchAll()) > 0);
 	}

 	public function hasTableAndColumns(string $table, array $columns = []): bool
@@ -247,7 +262,56 @@ class OTS_DB_MySQL extends OTS_Base_DB
 		return true;
 	}

-	public function revalidateCache() {
+	public function getColumnInfo(string $table, string $column): bool|array
+	{
+		if(isset($this->get_column_info_cache[$table . '.' . $column])) {
+			return $this->get_column_info_cache[$table . '.' . $column];
+		}
+
+		return $this->getColumnInfoInternal($table, $column);
+	}
+
+	private function getColumnInfoInternal(string $table, string $column): bool|array
+	{
+		if (!$this->hasTable($table) || !$this->hasColumn($table, $column)) {
+			return false;
+		}
+
+		$this->hasCacheChanged = true;
+
+		$formatResult = function ($result) {
+			return [
+				'field' => $result['Field'],
+				'type' => $result['Type'],
+				'null' => strtolower($result['Null']),
+				'key' => strtolower($result['Key'] ?? ''),
+				'default' => $result['Default'],
+				'extra' => $result['Extra'],
+			];
+		};
+
+		$query = $this->query('SHOW COLUMNS FROM `' . $table . "` LIKE " . $this->quote($column));
+		$rowCount = $query->rowCount();
+		if ($rowCount > 1) {
+			$tmp = [];
+
+			$results = $query->fetchAll(PDO::FETCH_ASSOC);
+			foreach ($results as $result) {
+				$tmp[] = $formatResult($result);
+			}
+
+			return ($this->get_column_info_cache[$table . '.' . $column] = $tmp);
+		}
+		else if ($rowCount == 1) {
+			$result = $query->fetch(PDO::FETCH_ASSOC);
+			return ($this->get_column_info_cache[$table . '.' . $column] = $formatResult($result));
+		}
+
+		return [];
+	}
+
+	public function revalidateCache(): void
+	{
 		foreach($this->has_table_cache as $key => $value) {
 			$this->hasTableInternal($key);
 		}
@@ -262,6 +326,21 @@ class OTS_DB_MySQL extends OTS_Base_DB
 				$this->hasColumnInternal($explode[0], $explode[1]);
 			}
 		}
+
+		foreach($this->get_column_info_cache as $key => $value) {
+			$explode = explode('.', $key);
+			if(!isset($this->has_table_cache[$explode[0]])) { // first check if table exist
+				$this->hasTableInternal($explode[0]);
+			}
+
+			if($this->has_table_cache[$explode[0]]) {
+				$this->hasColumnInternal($explode[0], $explode[1]);
+			}
+
+			if($this->has_table_cache[$explode[0]]) {
+				$this->getColumnInfoInternal($explode[0], $explode[1]);
+			}
+		}
 	}

 	public function setClearCacheAfter($clearCache)
--- a/system/libs/pot/OTS_Player.php
+++ b/system/libs/pot/OTS_Player.php
@@ -1,20 +1,6 @@
 <?php
-$__load = array();
-/*
-	'loss_experience' => NULL,
-	'loss_items' => NULL,
-	'guild_info' => NULL,
-	'skull_type' => NULL,
-	'skull_time' => NULL,
-	'blessings' => NULL,
-	'direction' => NULL,
-	'stamina' => NULL,
-	'world_id' => NULL,
-	'online' => NULL,
-	'deletion' => NULL,
-	'promotion' => NULL,
-	'marriage' => NULL
-);*/
+
+use MyAAC\Models\Player as PlayerModel;

 /**#@+
 * @version 0.0.1
@@ -109,6 +95,10 @@ class OTS_Player extends OTS_Row_DAO
 		POT::SKILL_FISH => array('value' => 0, 'tries' => 0)
 	);

+	private array $columns = ['name', 'account_id', 'group_id', 'sex', 'vocation', 'experience', 'level', 'maglevel', 'health', 'healthmax', 'mana', 'manamax', 'manaspent', 'soul', 'lookbody', 'lookfeet', 'lookhead', 'looklegs', 'looktype', 'posx', 'posy', 'posz', 'lastlogin', 'lastlogout', 'lastip', 'town_id', 'balance', 'created', 'comment', 'hide'];
+
+	private array $optionalColumns = ['cap', 'skull', 'skull_type', 'skull_time', 'loss_experience', 'loss_mana', 'loss_skills', 'loss_items', 'loss_containers', 'guildnick', 'rank_id', 'promotion', 'direction', 'blessings', 'stamina', 'lookaddons', 'save', 'conditions', 'world_id', 'online', 'deletion', 'deleted', 'marriage'];
+
 	private static array $playersOnline;
 /**
 * Magic PHP5 method.
@@ -133,90 +123,14 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function load($id, $fields = null, $load_skills = true)
 	{
-		global $__load;
-
-		if(!isset($__load['loss_experience']))
-		{
-			$loss = '';
-			if($this->db->hasColumn('players', 'loss_experience')) {
-				$loss = ', `loss_experience`, `loss_mana`, `loss_skills`';
+		$columns = $this->columns;
+		foreach ($this->optionalColumns as $column) {
+			if ($this->db->hasColumn('players', $column)) {
+				$columns[] = $column;
 			}
-
-			$__load['loss_experience'] = $loss;
-		}
-
-		if(!isset($__load['loss_items']))
-		{
-			$loss_items = '';
-			if($this->db->hasColumn('players', 'loss_items')) {
-				$loss_items = ', `loss_items`, `loss_containers`';
-			}
-
-			$__load['loss_items'] = $loss_items;
-		}
-
-		if(!isset($__load['guild_info']))
-		{
-			$guild_info = '';
-			if(!$this->db->hasTable('guild_members') && $this->db->hasColumn('players', 'guildnick')) {
-				$guild_info = ', `guildnick`, `rank_id`';
-			}
-
-			$__load['guild_info'] = $guild_info;
-		}
-
-		if(!isset($__load['skull_type']))
-		{
-			$skull_type = 'skull';
-			if($this->db->hasColumn('players', 'skull_type')) {
-				$skull_type = 'skull_type';
-			}
-
-			$__load['skull_type'] = $skull_type;
-		}
-
-		if(!isset($__load['skull_time']))
-		{
-			$skull_time = 'skulltime';
-			if($this->db->hasColumn('players', 'skull_time')) {
-				$skull_time = 'skull_time';
-			}
-
-			$__load['skull_time'] = $skull_time;
-		}
-
-		if(!isset($__load['blessings'])) {
-			$__load['blessings'] = $this->db->hasColumn('players', 'blessings');
-		}
-		if(!isset($__load['direction'])) {
-			$__load['direction'] = $this->db->hasColumn('players', 'direction');
-		}
-		if(!isset($__load['stamina'])) {
-			$__load['stamina'] = $this->db->hasColumn('players', 'stamina');
-		}
-		if(!isset($__load['world_id'])) {
-			$__load['world_id'] = $this->db->hasColumn('players', 'world_id');
-		}
-		if(!isset($__load['online'])) {
-			$__load['online'] = $this->db->hasColumn('players', 'online');
-		}
-		if(!isset($__load['deletion'])) {
-			$__load['deletion'] = $this->db->hasColumn('players', 'deletion');
-		}
-		if(!isset($__load['promotion'])) {
-			$__load['promotion'] = $this->db->hasColumn('players', 'promotion');
-		}
-		if(!isset($__load['marriage'])) {
-			$__load['marriage'] = $this->db->hasColumn('players', 'marriage');
 		}

 		if(isset($fields)) { // load only what we wish
-			if(in_array('promotion', $fields)) {
-				if(!$this->db->hasColumn('players', 'promotion')) {
-					unset($fields[array_search('promotion', $fields)]);
-				}
-			}
-
 			if(in_array('deleted', $fields)) {
 				if($this->db->hasColumn('players', 'deletion')) {
 					unset($fields[array_search('deleted', $fields)]);
@@ -224,21 +138,21 @@ class OTS_Player extends OTS_Row_DAO
 				}
 			}

-			if(in_array('online', $fields)) {
-				if(!$this->db->hasColumn('players', 'online')) {
-					unset($fields[array_search('online', $fields)]);
+			$columns = [];
+			foreach ($fields as $field) {
+				if ($this->db->hasColumn('players', $field)) {
+					$columns[] = $field;
 				}
 			}
-			$this->data = $this->db->query('SELECT ' . implode(', ', $fields) . ' FROM `players` WHERE `id` = ' . (int)$id)->fetch();
-		}
-		else {
-			// SELECT query on database
-			$this->data = $this->db->query('SELECT `id`, `name`, `account_id`, `group_id`, `sex`, `vocation`, `experience`, `level`, `maglevel`, `health`, `healthmax`, `mana`, `manamax`, `manaspent`, `soul`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`' . ($this->db->hasColumn('players', 'lookaddons') ? ', `lookaddons`' : '') . ', `posx`, `posy`, `posz`, `cap`, `lastlogin`, `lastlogout`, `lastip`, `save`, `conditions`, `' . $__load['skull_time'] . '` as `skulltime`, `' . $__load['skull_type'] . '` as `skull`' . $__load['guild_info'] . ', `town_id`' . $__load['loss_experience'] . $__load['loss_items'] . ', `balance`' . ($__load['blessings'] ? ', `blessings`' : '') . ($__load['direction'] ? ', `direction`' : '') . ($__load['stamina'] ? ', `stamina`' : '') . ($__load['world_id'] ? ', `world_id`' : '') . ($__load['online'] ? ', `online`' : '') . ', `' . ($__load['deletion'] ? 'deletion' : 'deleted') . '`' . ($__load['promotion'] ? ', `promotion`' : '') . ($__load['marriage'] ? ', `marriage`' : '') . ', `comment`, `created`, `hide` FROM `players` WHERE `id` = ' . (int)$id)->fetch();
 		}

+		array_unshift($columns, 'id');
+
+		$query = PlayerModel::where('id', $id)->first($columns);
+		$this->data = $query ? $query->toArray() : [];
+
 		// loads skills
-		if( $this->isLoaded() && $load_skills)
-		{
+		if( $this->isLoaded() && $load_skills) {
 			if($this->db->hasColumn('players', 'skill_fist')) {

 				$skill_ids = array(
@@ -318,153 +232,65 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function save()
 	{
-		$skull_type = 'skull';
-		if($this->db->hasColumn('players', 'skull_type')) {
-			$skull_type = 'skull_type';
+		$defaultValues = [
+			'cap' => 0,
+			'skull' => 0,
+			'skull_type' => 0,
+			'skull_time' => 0,
+			'loss_experience' => 100,
+			'loss_mana' => 100,
+			'loss_skills' => 100,
+			'loss_items' => 100,
+			'loss_containers' => 100,
+			'guildnick' => '',
+			'rank_id' => 0,
+			'promotion' => 0,
+			'direction' => 0,
+			'blessings' => 0,
+			'stamina' => 0,
+			'lookaddons' => 0,
+			'save' => 1,
+			'conditions' => '',
+			'town_id' => 1,
+			'world_id' => 1,
+			'online' => 0,
+			'deletion' => 0,
+			'deleted' => 0,
+			'marriage' => 0,
+		];
+
+		foreach ($defaultValues as $key => $value) {
+			if (!isset($this->data[$key])) {
+				$this->data[$key] = $value;
+			}
 		}

-		$skull_time = 'skulltime';
-		if($this->db->hasColumn('players', 'skull_time')) {
-			$skull_time = 'skull_time';
+		$columns = $this->columns;
+		foreach ($this->optionalColumns as $column) {
+			if ($this->db->hasColumn('players', $column)) {
+				$columns[] = $column;
+			}
 		}

-		if(!isset($this->data['loss_experience']))
-			$this->data['loss_experience'] = 100;
+		$values = [];
+		foreach ($columns as $column) {
+			$value = $this->data[$column];

-		if(!isset($this->data['loss_mana']))
-			$this->data['loss_mana'] = 100;
-
-		if(!isset($this->data['loss_skills']))
-			$this->data['loss_skills'] = 100;
-
-		if(!isset($this->data['loss_items']))
-			$this->data['loss_items'] = 10;
-
-		if(!isset($this->data['loss_containers']))
-			$this->data['loss_containers'] = 100;
-
-		if(!isset($this->data['guildnick']))
-			$this->data['guildnick'] = '';
-
-		if(!isset($this->data['rank_id']))
-			$this->data['rank_id'] = 0;
-
-		if(!isset($this->data['promotion']))
-			$this->data['promotion'] = 0;
-
-		if(!isset($this->data['direction']))
-			$this->data['direction'] = 0;
-
-		if(!isset($this->data['conditions']))
-			$this->data['conditions'] = '';
-
-		if(!isset($this->data['town_id']))
-			$this->data['town_id'] = 1;
+			$values[$column] = $value;
+		}

 		// updates existing player
-		if( isset($this->data['id']) )
-		{
-			$loss = '';
-			if($this->db->hasColumn('players', 'loss_experience')) {
-				$loss = ', `loss_experience` = ' . $this->data['loss_experience'] . ', `loss_mana` = ' . $this->data['loss_mana'] . ', `loss_skills` = ' . $this->data['loss_skills'];
-			}
-
-			$loss_items = '';
-			if($this->db->hasColumn('players', 'loss_items')) {
-				$loss_items = ', `loss_items` = ' . $this->data['loss_items'] . ', `loss_containers` = ' . $this->data['loss_containers'];
-			}
-
-			$guild_info = '';
-			if(!$this->db->hasTable('guild_members') && $this->db->hasColumn('players', 'guildnick')) {
-				$guild_info = ', `guildnick` = ' . $this->db->quote($this->data['guildnick']) . ', ' . $this->db->fieldName('rank_id') . ' = ' . $this->data['rank_id'];
-			}
-
-			$direction = '';
-			if($this->db->hasColumn('players', 'direction')) {
-				$direction = ', `direction` = ' . $this->db->quote($this->data['direction']);
-			}
-
-			$blessings = '';
-			if($this->db->hasColumn('players', 'blessings')) {
-				$blessings = ', `blessings` = ' . $this->db->quote($this->data['blessings']);
-			}
-
-			$stamina = '';
-			if($this->db->hasColumn('players', 'stamina')) {
-				$stamina = ', `stamina` = ' . $this->db->quote($this->data['stamina']);
-			}
-
-			$lookaddons = '';
-			if($this->db->hasColumn('players', 'lookaddons')) {
-				$lookaddons = ', `lookaddons` = ' . $this->db->quote($this->data['lookaddons']);
-			}
-
-			// UPDATE query on database
-			$this->db->query('UPDATE ' . $this->db->tableName('players') . ' SET ' . $this->db->fieldName('name') . ' = ' . $this->db->quote($this->data['name']) . ', ' . $this->db->fieldName('account_id') . ' = ' . $this->data['account_id'] . ', ' . $this->db->fieldName('group_id') . ' = ' . $this->data['group_id'] . ', ' . $this->db->fieldName('sex') . ' = ' . $this->data['sex'] . ', ' . $this->db->fieldName('vocation') . ' = ' . $this->data['vocation'] . ', ' . $this->db->fieldName('experience') . ' = ' . $this->data['experience'] . ', ' . $this->db->fieldName('level') . ' = ' . $this->data['level'] . ', ' . $this->db->fieldName('maglevel') . ' = ' . $this->data['maglevel'] . ', ' . $this->db->fieldName('health') . ' = ' . $this->data['health'] . ', ' . $this->db->fieldName('healthmax') . ' = ' . $this->data['healthmax'] . ', ' . $this->db->fieldName('mana') . ' = ' . $this->data['mana'] . ', ' . $this->db->fieldName('manamax') . ' = ' . $this->data['manamax'] . ', ' . $this->db->fieldName('manaspent') . ' = ' . $this->data['manaspent'] . ', ' . $this->db->fieldName('soul') . ' = ' . $this->data['soul'] . ', ' . $this->db->fieldName('lookbody') . ' = ' . $this->data['lookbody'] . ', ' . $this->db->fieldName('lookfeet') . ' = ' . $this->data['lookfeet'] . ', ' . $this->db->fieldName('lookhead') . ' = ' . $this->data['lookhead'] . ', ' . $this->db->fieldName('looklegs') . ' = ' . $this->data['looklegs'] . ', ' . $this->db->fieldName('looktype') . ' = ' . $this->data['looktype'] . $lookaddons . ', ' . $this->db->fieldName('posx') . ' = ' . $this->data['posx'] . ', ' . $this->db->fieldName('posy') . ' = ' . $this->data['posy'] . ', ' . $this->db->fieldName('posz') . ' = ' . $this->data['posz'] . ', ' . $this->db->fieldName('cap') . ' = ' . $this->data['cap'] . ', ' . $this->db->fieldName('lastlogin') . ' = ' . $this->data['lastlogin'] . ', ' . $this->db->fieldName('lastlogout') . ' = ' . $this->data['lastlogout'] . ', ' . $this->db->fieldName('lastip') . ' = ' . $this->db->quote($this->data['lastip']) . ', ' . $this->db->fieldName('save') . ' = ' . (int) $this->data['save'] . ', ' . $this->db->fieldName('conditions') . ' = ' . $this->db->quote($this->data['conditions']) . ', `' . $skull_time . '` = ' . $this->data['skulltime'] . ', `' . $skull_type . '` = ' . (int) $this->data['skull'] . $guild_info . ', ' . $this->db->fieldName('town_id') . ' = ' . $this->data['town_id'] . $loss . $loss_items . ', ' . $this->db->fieldName('balance') . ' = ' . $this->data['balance'] . $blessings . $stamina . $direction . ' WHERE ' . $this->db->fieldName('id') . ' = ' . $this->data['id']);
+		if( isset($this->data['id']) ) {
+			PlayerModel::where('id', $this->data['id'])->update($values);
 		}
 		// creates new player
-		else
-		{
-			$loss = '';
-			$loss_data = '';
-			if($this->db->hasColumn('players', 'loss_experience')) {
-				$loss = ', `loss_experience`, `loss_mana`, `loss_skills`';
-				$loss_data = ', ' . $this->data['loss_experience'] . ', ' . $this->data['loss_mana'] . ', ' . $this->data['loss_skills'];
-			}
+		else {
+			$values['created'] = time();

-			$loss_items = '';
-			$loss_items_data = '';
-			if($this->db->hasColumn('players', 'loss_items')) {
-				$loss_items = ', `loss_items`, `loss_containers`';
-				$loss_items_data = ', ' . $this->data['loss_items'] . ', ' . $this->data['loss_containers'];
-			}
+			$player = PlayerModel::create($values);

-			$guild_info = '';
-			$guild_info_data = '';
-			if(!$this->db->hasTable('guild_members') && $this->db->hasColumn('players', 'guildnick')) {
-				$guild_info = ', `guildnick`, `rank_id`';
-				$guild_info_data = ', ' . $this->db->quote($this->data['guildnick']) . ', ' . $this->data['rank_id'];
-			}
-
-			$promotion = '';
-			$promotion_data = '';
-			if($this->db->hasColumn('players', 'promotion')) {
-				$promotion = ', `promotion`';
-				$promotion_data = ', ' . $this->data['promotion'];
-			}
-
-			$direction = '';
-			$direction_data = '';
-			if($this->db->hasColumn('players', 'direction')) {
-				$direction = ', `direction`';
-				$direction_data = ', ' . $this->data['direction'];
-			}
-
-			$blessings = '';
-			$blessings_data = '';
-			if($this->db->hasColumn('players', 'blessings')) {
-				$blessings = ', `blessings`';
-				$blessings_data = ', ' . $this->data['blessings'];
-			}
-
-			$stamina = '';
-			$stamina_data = '';
-			if($this->db->hasColumn('players', 'stamina')) {
-				$stamina = ', `stamina`';
-				$stamina_data = ', ' . $this->data['stamina'];
-			}
-
-			$lookaddons = '';
-			$lookaddons_data = '';
-			if($this->db->hasColumn('players', 'lookaddons')) {
-				$lookaddons = ', `lookaddons`';
-				$lookaddons_data = ', ' . $this->data['lookaddons'];
-			}
-
-			// INSERT query on database
-			$this->db->query('INSERT INTO `players` (`name`, `account_id`, `group_id`, `sex`, `vocation`, `experience`, `level`, `maglevel`, `health`, `healthmax`, `mana`, `manamax`, `manaspent`, `soul`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`' . $lookaddons . ', `posx`, `posy`, `posz`, `cap`, `lastlogin`, `lastlogout`, `lastip`, `save`, `conditions`, `' . $skull_time . '`, `' . $skull_type . '`' . $guild_info . ', `town_id`' . $loss . $loss_items . ', `balance`' . $blessings . $stamina . $direction . ', `created`' . $promotion . ', `comment`) VALUES (' . $this->db->quote($this->data['name']) . ', ' . $this->data['account_id'] . ', ' . $this->data['group_id'] . ', ' . $this->data['sex'] . ', ' . $this->data['vocation'] . ', ' . $this->data['experience'] . ', ' . $this->data['level'] . ', ' . $this->data['maglevel'] . ', ' . $this->data['health'] . ', ' . $this->data['healthmax'] . ', ' . $this->data['mana'] . ', ' . $this->data['manamax'] . ', ' . $this->data['manaspent'] . ', ' . $this->data['soul'] . ', ' . $this->data['lookbody'] . ', ' . $this->data['lookfeet'] . ', ' . $this->data['lookhead'] . ', ' . $this->data['looklegs'] . ', ' . $this->data['looktype'] . $lookaddons_data . ', ' . $this->data['posx'] . ', ' . $this->data['posy'] . ', ' . $this->data['posz'] . ', ' . $this->data['cap'] . ', ' . $this->data['lastlogin'] . ', ' . $this->data['lastlogout'] . ', ' . $this->data['lastip'] . ', ' . (int) $this->data['save'] . ', ' . $this->db->quote($this->data['conditions']) . ', ' . $this->data['skulltime'] . ', ' . (int) $this->data['skull'] . $guild_info_data . ', ' . $this->data['town_id'] . $loss_data . $loss_items_data . ', ' . $this->data['balance'] . $blessings_data . $stamina_data . $direction_data . ', ' . time() . $promotion_data . ', "")');
-			// ID of new group
-			$this->data['id'] = $this->db->lastInsertId();
+			// ID of new player
+			$this->data['id'] = $player->id;
 		}

 		// updates skills - doesn't matter if we have just created character - trigger inserts new skills
@@ -490,7 +316,7 @@ class OTS_Player extends OTS_Row_DAO
 					$set .= ',';
 			}

-			$skills = $this->db->query('UPDATE `players` SET ' . $set . ' WHERE `id` = ' . $this->data['id']);
+			$this->db->query('UPDATE `players` SET ' . $set . ' WHERE `id` = ' . $this->data['id']);
 		}
 		else if($this->db->hasTable('player_skills')) {
 			foreach($this->skills as $id => $skill)
@@ -748,21 +574,25 @@ class OTS_Player extends OTS_Row_DAO

 	public function isDeleted()
 	{
-		$field = 'deleted';
+		$column = 'deleted';
 		if($this->db->hasColumn('players', 'deletion'))
-			$field = 'deletion';
+			$column = 'deletion';

-		if( !isset($this->data[$field]) )
+		if( !isset($this->data[$column]) )
 		{
 			throw new E_OTS_NotLoaded();
 		}

-		return $this->data[$field] > 0;
+		return $this->data[$column] > 0;
 	}

 	public function setDeleted($deleted)
 	{
-		$this->data['deleted'] = (int) $deleted;
+		$column = 'deleted';
+		if($this->db->hasColumn('players', 'deletion'))
+			$column = 'deletion';
+
+		$this->data[$column] = (int) $deleted;
 	}

 	public function isOnline()
@@ -852,13 +682,7 @@ class OTS_Player extends OTS_Row_DAO
 			throw new E_OTS_NotLoaded();
 		}

-		if(isset($this->data['promotion'])) {
-			global $config;
-			if((int)$this->data['promotion'] > 0)
-				return ($this->data['vocation'] + ($this->data['promotion'] * $config['vocations_amount']));
-		}
-
-		return $this->data['vocation'];
+		return \OTS_Toolbox::getVocationFromPromotion($this->data['vocation'], $this->data['promotion'] ?? 0);
 	}


@@ -1574,12 +1398,7 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function getCap()
 	{
-		if( !isset($this->data['cap']) )
-		{
-			throw new E_OTS_NotLoaded();
-		}
-
-		return $this->data['cap'];
+		return $this->data['cap'] ?? 0;
 	}

 /**
@@ -1792,12 +1611,12 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function getSkullTime()
 	{
-		if( !isset($this->data['skulltime']) )
-		{
-			throw new E_OTS_NotLoaded();
+		$column = 'skulltime';
+		if($this->db->hasColumn('players', 'skull_time')) {
+			$column = 'skull_time';
 		}

-		return $this->data['skulltime'];
+		return $this->data[$column] ?? 0;
 	}

 /**
@@ -1811,7 +1630,12 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function setSkullTime($skulltime)
 	{
-		$this->data['skulltime'] = (int) $skulltime;
+		$column = 'skulltime';
+		if($this->db->hasColumn('players', 'skull_time')) {
+			$column = 'skull_time';
+		}
+
+		$this->data[$column] = (int) $skulltime;
 	}

 /**
@@ -2919,6 +2743,32 @@ class OTS_Player extends OTS_Row_DAO
 		$this->data['banned'] = $ban['active'];
 		$this->data['banned_time'] = $ban['expires'];
 	}
+
+	public function isNameLocked(): bool
+	{
+		// nothing can't be banned
+		if( !$this->isLoaded() ) {
+			throw new E_OTS_NotLoaded();
+		}
+
+		if($this->db->hasTable('player_namelocks')) {
+			$ban = $this->db->query('SELECT 1 FROM `player_namelocks` WHERE `player_id` = ' . $this->data['id'])->fetch(PDO::FETCH_ASSOC);
+			return (isset($ban['1']));
+		}
+		else if($this->db->hasTable('bans')) {
+			if($this->db->hasColumn('bans', 'active')) {
+				$ban = $this->db->query('SELECT `active`, `expires` FROM `bans` WHERE `type` = 2 AND `active` = 1 AND `value` = ' . $this->data['id'] . ' AND (`expires` > ' . time() .' OR `expires` = -1) ORDER BY `expires` DESC')->fetch();
+				return isset($ban['active']);
+			}
+			else { // tfs 0.2
+				$ban = $this->db->query('SELECT `time` FROM `bans` WHERE `type` = 2 AND `account` = ' . $this->data['account_id'] . ' AND (`time` > ' . time() .' OR `time` = -1) ORDER BY `time` DESC')->fetch();
+
+				return isset($ban['time']) && ($ban['time'] == -1 || $ban['time'] > 0);
+			}
+		}
+
+		return false;
+	}
 /**
 * Deletes player.
 *
@@ -2953,21 +2803,14 @@ class OTS_Player extends OTS_Row_DAO
 * @return string Player proffesion name.
 * @throws E_OTS_NotLoaded If player is not loaded or global vocations list is not loaded.
 */
-	public function getVocationName()
+	public function getVocationName(): string
 	{
 		if( !isset($this->data['vocation']) )
 		{
 			throw new E_OTS_NotLoaded();
 		}

-		global $config;
-		$voc = $this->getVocation();
-		if(!isset($config['vocations'][$voc])) {
-			return 'Unknown';
-		}
-
-		return $config['vocations'][$voc];
-		//return POT::getInstance()->getVocationsList()->getVocationName($this->data['vocation']);
+		return OTS_Toolbox::getVocationName($this->data['vocation'], $this->data['promotion'] ?? 0);
 	}

 /**
@@ -3231,6 +3074,10 @@ class OTS_Player extends OTS_Row_DAO
 		return 0;
 	}

+	public function setData(array $data): void{
+		$this->data = $data;
+	}
+
 /**
 * Magic PHP5 method.
 *
--- a/system/libs/pot/OTS_ServerInfo.php
+++ b/system/libs/pot/OTS_ServerInfo.php
@@ -97,6 +97,8 @@ class OTS_ServerInfo
 			return new OTS_Buffer($data);
 		}

+		log_append('status-error.log', "Cannot connect to {$this->server}:{$this->port} - Error code: $error, message: $message");
+
 		return false;
 	}

--- a/system/libs/pot/OTS_Toolbox.php
+++ b/system/libs/pot/OTS_Toolbox.php
@@ -13,6 +13,8 @@
 * @license http://www.gnu.org/licenses/lgpl-3.0.txt GNU Lesser General Public License, Version 3
 */

+use MyAAC\Server\XML\Vocations;
+
 /**
 * Toolbox for common operations.
 *
@@ -110,6 +112,22 @@ class OTS_Toolbox
 		$list->setFilter($filter);
 		return $list;
 	}
+	public static function getVocationFromPromotion($id, $promotion = 0): int
+	{
+		if($promotion > 0) {
+			for ($i = 0; $i < $promotion; $i++) {
+				if ($_id = Vocations::getPromoted($id)) {
+					$id = $_id;
+				}
+			}
+		}
+
+		return $id;
+	}
+
+	public static function getVocationName($id, $promotion = 0): string {
+		return config('vocations')[self::getVocationFromPromotion($id, $promotion)] ?? 'Unknown';
+	}
 }

 /**#@-*/
--- a/system/libs/rfc6238.php
+++ b/system/libs/rfc6238.php
@@ -1,284 +0,0 @@
-<?php
-/** https://github.com/Voronenko/PHPOTP/blob/08cda9cb9c30b7242cf0b3a9100a6244a2874927/code/base32static.php
- * Encode in Base32 based on RFC 4648.
- * Requires 20% more space than base64
- * Great for case-insensitive filesystems like Windows and URL's  (except for = char which can be excluded using the pad option for urls)
- *
- * @package default
- * @author Bryan Ruiz
- **/
-class Base32Static {
-
-	private static $map = array(
-		'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', //  7
-		'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
-		'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
-		'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
-		'='  // padding character
-	);
-
-	private static $flippedMap = array(
-		'A'=>'0', 'B'=>'1', 'C'=>'2', 'D'=>'3', 'E'=>'4', 'F'=>'5', 'G'=>'6', 'H'=>'7',
-		'I'=>'8', 'J'=>'9', 'K'=>'10', 'L'=>'11', 'M'=>'12', 'N'=>'13', 'O'=>'14', 'P'=>'15',
-		'Q'=>'16', 'R'=>'17', 'S'=>'18', 'T'=>'19', 'U'=>'20', 'V'=>'21', 'W'=>'22', 'X'=>'23',
-		'Y'=>'24', 'Z'=>'25', '2'=>'26', '3'=>'27', '4'=>'28', '5'=>'29', '6'=>'30', '7'=>'31'
-	);
-
-	/**
-	 * Use padding false when encoding for urls
-	 *
-	 * @return base32 encoded string
-	 * @author Bryan Ruiz
-	 **/
-	public static function encode($input, $padding = true) {
-		if(empty($input)) return "";
-
-		$input = str_split($input);
-		$binaryString = "";
-
-		for($i = 0; $i < count($input); $i++) {
-			$binaryString .= str_pad(base_convert(ord($input[$i]), 10, 2), 8, '0', STR_PAD_LEFT);
-		}
-
-		$fiveBitBinaryArray = str_split($binaryString, 5);
-		$base32 = "";
-		$i=0;
-
-		while($i < count($fiveBitBinaryArray)) {
-			$base32 .= self::$map[base_convert(str_pad($fiveBitBinaryArray[$i], 5,'0'), 2, 10)];
-			$i++;
-		}
-
-		if($padding && ($x = strlen($binaryString) % 40) != 0) {
-			if($x == 8) $base32 .= str_repeat(self::$map[32], 6);
-			else if($x == 16) $base32 .= str_repeat(self::$map[32], 4);
-			else if($x == 24) $base32 .= str_repeat(self::$map[32], 3);
-			else if($x == 32) $base32 .= self::$map[32];
-		}
-
-		return $base32;
-	}
-
-	public static function decode($input) {
-		if(empty($input)) return;
-
-		$paddingCharCount = substr_count($input, self::$map[32]);
-		$allowedValues = array(6,4,3,1,0);
-
-		if(!in_array($paddingCharCount, $allowedValues)) return false;
-
-		for($i=0; $i<4; $i++){
-			if($paddingCharCount == $allowedValues[$i] &&
-				substr($input, -($allowedValues[$i])) != str_repeat(self::$map[32], $allowedValues[$i])) return false;
-		}
-
-		$input = str_replace('=','', $input);
-		$input = str_split($input);
-		$binaryString = "";
-
-		for($i=0; $i < count($input); $i = $i+8) {
-			$x = "";
-
-			if(!in_array($input[$i], self::$map)) return false;
-
-			for($j=0; $j < 8; $j++) {
-				$x .= str_pad(base_convert(@self::$flippedMap[@$input[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
-			}
-
-			$eightBits = str_split($x, 8);
-
-			for($z = 0; $z < count($eightBits); $z++) {
-				$binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:"";
-			}
-		}
-
-		return $binaryString;
-	}
-}
-
-// http://www.faqs.org/rfcs/rfc6238.html
-// https://github.com/Voronenko/PHPOTP/blob/08cda9cb9c30b7242cf0b3a9100a6244a2874927/code/rfc6238.php
-// Local changes: http -> https, consistent indentation, 200x200 -> 300x300 QR image size, PHP end tag
-class TokenAuth6238 {
-
-	/**
-	 * verify
-	 *
-	 * @param string $secretkey Secret clue (base 32).
-	 * @return bool True if success, false if failure
-	 */
-	public static function verify($secretkey, $code, $rangein30s = 3) {
-		$key = base32static::decode($secretkey);
-		$unixtimestamp = time()/30;
-
-		for($i=-($rangein30s); $i<=$rangein30s; $i++) {
-			$checktime = (int)($unixtimestamp+$i);
-			$thiskey = self::oath_hotp($key, $checktime);
-
-			if ((int)$code == self::oath_truncate($thiskey,6)) {
-				return true;
-			}
-
-		}
-		return false;
-	}
-
-
-	public static function getTokenCode($secretkey,$rangein30s = 3) {
-		$result = "";
-		$key = base32static::decode($secretkey);
-		$unixtimestamp = time()/30;
-
-		for($i=-($rangein30s); $i<=$rangein30s; $i++) {
-			$checktime = (int)($unixtimestamp+$i);
-			$thiskey = self::oath_hotp($key, $checktime);
-			$result = $result." # ".self::oath_truncate($thiskey,6);
-		}
-
-		return $result;
-	}
-
-	public static function getTokenCodeDebug($secretkey,$rangein30s = 3) {
-		$result = "";
-		print "<br/>SecretKey: $secretkey <br/>";
-
-		$key = base32static::decode($secretkey);
-		print "Key(base 32 decode): $key <br/>";
-
-		$unixtimestamp = time()/30;
-		print "UnixTimeStamp (time()/30): $unixtimestamp <br/>";
-
-		for($i=-($rangein30s); $i<=$rangein30s; $i++) {
-			$checktime = (int)($unixtimestamp+$i);
-			print "Calculating oath_hotp from (int)(unixtimestamp +- 30sec offset): $checktime basing on secret key<br/>";
-
-			$thiskey = self::oath_hotp($key, $checktime, true);
-			print "======================================================<br/>";
-			print "CheckTime: $checktime oath_hotp:".$thiskey."<br/>";
-
-			$result = $result." # ".self::oath_truncate($thiskey,6,true);
-		}
-
-		return $result;
-	}
-
-	public static function getBarCodeUrl($username, $domain, $secretkey, $issuer) {
-		$url = "https://chart.apis.google.com/chart";
-		$url = $url."?chs=300x300&chld=M|0&cht=qr&chl=otpauth://totp/";
-		$url = $url.$username . "@" . $domain . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
-		return $url;
-	}
-
-	public static function generateRandomClue($length = 16) {
-		$b32 = "234567QWERTYUIOPASDFGHJKLZXCVBNM";
-		$s = "";
-
-		for ($i = 0; $i < $length; $i++)
-			$s .= $b32[rand(0,31)];
-
-		return $s;
-	}
-
-	private static function hotp_tobytestream($key) {
-		$result = array();
-		$last = strlen($key);
-		for ($i = 0; $i < $last; $i = $i + 2) {
-			$x = $key[$i] + $key[$i + 1];
-			$x = strtoupper($x);
-			$x = hexdec($x);
-			$result =  $result.chr($x);
-		}
-
-		return $result;
-	}
-
-	private static function oath_hotp ($key, $counter, $debug=false) {
-		$result = "";
-		$orgcounter = $counter;
-		$cur_counter = array(0,0,0,0,0,0,0,0);
-
-		if ($debug) {
-			print "Packing counter $counter (".dechex($counter).")into binary string - pay attention to hex representation of key and binary representation<br/>";
-		}
-
-		for($i=7;$i>=0;$i--) { // C for unsigned char, * for  repeating to the end of the input data
-			$cur_counter[$i] = pack ('C*', $counter);
-
-			if ($debug)  {
-				print $cur_counter[$i]."(".dechex(ord($cur_counter[$i])).")"." from $counter <br/>";
-			}
-
-			$counter = $counter >> 8;
-		}
-
-		if ($debug) {
-			foreach ($cur_counter as $char) {
-				print ord($char) . " ";
-			}
-
-			print "<br/>";
-		}
-
-		$binary = implode($cur_counter);
-
-		// Pad to 8 characters
-		str_pad($binary, 8, chr(0), STR_PAD_LEFT);
-
-		if ($debug)  {
-			print "Prior to HMAC calculation pad with zero on the left until 8 characters.<br/>";
-			print "Calculate sha1 HMAC(Hash-based Message Authentication Code http://en.wikipedia.org/wiki/HMAC).<br/>";
-			print "hash_hmac ('sha1', $binary, $key)<br/>";
-		}
-
-		$result = hash_hmac ('sha1', $binary, $key);
-
-		if ($debug) {
-			print "Result: $result <br/>";
-		}
-
-		return $result;
-	}
-
-	private static function oath_truncate($hash, $length = 6, $debug=false) {
-		$result="";
-
-		// Convert to dec
-		if($debug) {
-			print "converting hex hash into characters<br/>";
-		}
-
-		$hashcharacters = str_split($hash,2);
-
-		if($debug) {
-			print_r($hashcharacters);
-			print "<br/>and convert to decimals:<br/>";
-		}
-
-		for ($j=0; $j<count($hashcharacters); $j++) {
-			$hmac_result[]=hexdec($hashcharacters[$j]);
-		}
-
-		if($debug) {
-			print_r($hmac_result);
-		}
-
-		// http://php.net/manual/ru/function.hash-hmac.php
-		// adopted from brent at thebrent dot net 21-May-2009 08:17 comment
-
-		$offset = $hmac_result[19] & 0xf;
-
-		if($debug) {
-			print "Calculating offset as 19th element of hmac:".$hmac_result[19]."<br/>";
-			print "offset:".$offset;
-		}
-
-		$result = (
-				(($hmac_result[$offset+0] & 0x7f) << 24 ) |
-				(($hmac_result[$offset+1] & 0xff) << 16 ) |
-				(($hmac_result[$offset+2] & 0xff) << 8 ) |
-				($hmac_result[$offset+3] & 0xff)
-			) % pow(10,$length);
-
-		return $result;
-	}
-}
--- a/system/locale/de/install.php
+++ b/system/locale/de/install.php
@@ -78,6 +78,7 @@ $locale['step_database_error_mysql_connect_3'] = 'MySQL ist nicht richtig konfig
 $locale['step_database_error_mysql_connect_4'] = 'MySQL-Server läuft nicht.';
 $locale['step_database_error_schema'] = 'Fehler beim Importieren des Schemas:';
 $locale['step_database_success_schema'] = '$PREFIX$ Tabellen wurden erfolgreich installiert.';
+$locale['step_database_success_import_data'] = 'Import von Daten für Tabellen was erfolgreich.';
 $locale['step_database_error_file'] = '$FILE$ konnte nicht geöffnet werden. Bitte kopieren Sie diesen Inhalt und fügen Sie ihn dort ein:';
 $locale['step_database_adding_field'] = 'Folgendes Feld wurde hinzugefügt: ';
 $locale['step_database_modifying_field'] = 'Folgendes Feld wurde geändert: ';
--- a/system/locale/en/install.php
+++ b/system/locale/en/install.php
@@ -83,6 +83,7 @@ $locale['step_database_error_mysql_connect_3'] = 'MySQL is not configured proper
 $locale['step_database_error_mysql_connect_4'] = 'MySQL server is not running.';
 $locale['step_database_error_schema'] = 'Error while importing schema:';
 $locale['step_database_success_schema'] = 'Successfully installed $PREFIX$ tables.';
+$locale['step_database_success_import_data'] = 'Successfully imported base data for tables.';
 $locale['step_database_error_file'] = '$FILE$ couldn\'t be opened. Please copy this content and paste there:';
 $locale['step_database_adding_field'] = 'Adding field';
 $locale['step_database_modifying_field'] = 'Modifying field';
--- a/system/locale/pl/install.php
+++ b/system/locale/pl/install.php
@@ -81,7 +81,8 @@ $locale['step_database_error_mysql_connect_2'] = 'Możliwe przyczyny:';
 $locale['step_database_error_mysql_connect_3'] = 'MySQL nie jest poprawnie skonfigurowane w <i>config.lua</i>.';
 $locale['step_database_error_mysql_connect_4'] = 'Serwer MySQL nie jest uruchomiony.';
 $locale['step_database_error_schema'] = 'Błąd podczas importowania struktury bazy danych:';
-$locale['step_database_success_schema'] = 'Pomyślnie zainstalowano tabele $PREFIX$.';
+$locale['step_database_success_schema'] = 'Pomyślnie zaimportowano tabele $PREFIX$.';
+$locale['step_database_success_import_data'] = 'Pomyślnie załadowano bazowe dane dla tabel.';
 $locale['step_database_error_file'] = '$FILE$ nie mógł zostać otwarty. Proszę skopiować zawartość pola tekstowego i wkleić do tego pliku:';
 $locale['step_database_adding_field'] = 'Dodawanie pola';
 $locale['step_database_modifying_field'] = 'Modyfikacja pola';
--- a/system/login.php
+++ b/system/login.php
@@ -34,8 +34,10 @@ if($logged) {
 	$twig->addGlobal('account_logged', $account_logged);
 }

+if (!defined('IGNORE_SET_LAST_VISIT') || !IGNORE_SET_LAST_VISIT) {
 	setSession('last_visit', time());
 	if(defined('PAGE')) {
 		setSession('last_page', PAGE);
 	}
 	setSession('last_uri', $_SERVER['REQUEST_URI']);
+}
--- a/system/migrate.php
+++ b/system/migrate.php
@@ -9,6 +9,8 @@
 */
 defined('MYAAC') or die('Direct access not allowed!');

+global $db;
+
 // database migrations
 $tmp = '';
 if(fetchDatabaseConfig('database_version', $tmp)) { // we got version
--- a/system/migrations/20.php
+++ b/system/migrations/20.php
@@ -1,5 +1,6 @@
 <?php

+use MyAAC\Models\Player as PlayerModel;
 use MyAAC\Settings;

 function updateHighscoresIdsHidden(): void
@@ -10,12 +11,22 @@ function updateHighscoresIdsHidden(): void
 		return;
 	}

-	$query = $db->query("SELECT `id` FROM `players` WHERE (`name` = " . $db->quote("Rook Sample") . " OR `name` = " . $db->quote("Sorcerer Sample") . " OR `name` = " . $db->quote("Druid Sample") . " OR `name` = " . $db->quote("Paladin Sample") . " OR `name` = " . $db->quote("Knight Sample") . " OR `name` = " . $db->quote("Account Manager") . ") ORDER BY `id`;");
+	$players = PlayerModel::where('name', 'Rook Sample')
+		->orWhere('name', 'Sorcerer Sample')
+		->orWhere('name', 'Druid Sample')
+		->orWhere('name', 'Paladin Sample')
+		->orWhere('name', 'Knight Sample')
+		->orWhere('name', 'Monk Sample')
+		->orWhere('name', 'Account Manager')
+		->orderBy('id')
+		->select('id')
+		->get();

-	$highscores_ignored_ids = array();
-	if ($query->rowCount() > 0) {
-		foreach ($query->fetchAll() as $result)
-			$highscores_ignored_ids[] = $result['id'];
+	$highscores_ignored_ids = [];
+	if (count($players) > 0) {
+		foreach ($players as $result) {
+			$highscores_ignored_ids[] = $result->id;
+		}
 	} else {
 		$highscores_ignored_ids[] = 0;
 	}
--- a/system/migrations/46-account_emails_verify.sql
+++ b/system/migrations/46-account_emails_verify.sql
@@ -0,0 +1,8 @@
+CREATE TABLE `myaac_account_emails_verify`
+(
+	`id` int NOT NULL AUTO_INCREMENT,
+	`account_id` int NOT NULL,
+	`hash` varchar(32) NOT NULL,
+	`sent_at` int NOT NULL DEFAULT 0,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
--- a/system/migrations/46.php
+++ b/system/migrations/46.php
@@ -0,0 +1,24 @@
+<?php
+/**
+ * @var OTS_DB_MySQL $db
+ */
+
+$up = function () use ($db) {
+	if ($db->hasColumn('accounts', 'email_hash')) {
+		$db->dropColumn('accounts', 'email_hash');
+	}
+
+	if (!$db->hasTable(TABLE_PREFIX . 'account_emails_verify')) {
+		$db->query(file_get_contents(__DIR__ . '/46-account_emails_verify.sql'));
+	}
+};
+
+$down = function () use ($db) {
+	if (!$db->hasColumn('accounts', 'email_hash')) {
+		$db->addColumn('accounts', 'email_hash', "varchar(32) NOT NULL DEFAULT ''");
+	}
+
+	if ($db->hasTable(TABLE_PREFIX . 'account_emails_verify')) {
+		$db->dropTable(TABLE_PREFIX . 'account_emails_verify');
+	}
+};
--- a/system/migrations/47.php
+++ b/system/migrations/47.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * @var OTS_DB_MySQL $db
+ */
+
+// 2025-02-27
+// remove ipv6, change to ip (for both ipv4 + ipv6) as VARCHAR(45)
+$up = function () use ($db) {
+	$accountActionsInfo = $db->getColumnInfo(TABLE_PREFIX . 'account_actions', 'account_id');
+	if ($accountActionsInfo && is_array($accountActionsInfo) && $accountActionsInfo['key'] == 'pri') {
+		$db->query("ALTER TABLE `myaac_account_actions` DROP KEY `account_id`;");
+	}
+
+	if (!$db->hasColumn(TABLE_PREFIX . 'account_actions', 'id')) {
+		$db->addColumn(TABLE_PREFIX . 'account_actions', 'id', 'INT NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (`id`)');
+	}
+
+	$db->modifyColumn(TABLE_PREFIX . 'account_actions', 'ip', "VARCHAR(45) NOT NULL DEFAULT ''");
+	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = INET_NTOA(`ip`) WHERE `ip` != '0';");
+	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = INET6_NTOA(`ipv6`) WHERE `ip` = '0';");
+
+	if ($db->hasColumn(TABLE_PREFIX . 'account_actions', 'ipv6')) {
+		$db->dropColumn(TABLE_PREFIX . 'account_actions', 'ipv6');
+	}
+};
+
+$down = function () use ($db) {
+	if ($db->hasColumn(TABLE_PREFIX . 'account_actions', 'id')) {
+		$db->query("ALTER TABLE `" . TABLE_PREFIX . "account_actions` DROP `id`;");
+	}
+
+	$db->query("ALTER TABLE  `" . TABLE_PREFIX . "account_actions` ADD KEY (`account_id`);");
+
+	if (!$db->hasColumn(TABLE_PREFIX . 'account_actions', 'ipv6')) {
+		$db->addColumn(TABLE_PREFIX . 'account_actions', 'ipv6', "BINARY(16) NOT NULL DEFAULT 0x00000000000000000000000000000000 AFTER ip");
+	}
+
+	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ipv6` = INET6_ATON(ip) WHERE NOT IS_IPV4(`ip`);");
+	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = INET_ATON(`ip`) WHERE IS_IPV4(`ip`);");
+	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = 0 WHERE `ipv6` != 0x00000000000000000000000000000000;");
+	$db->modifyColumn(TABLE_PREFIX . 'account_actions', 'ip', "INT(11) UNSIGNED NOT NULL DEFAULT 0;");
+};
--- a/system/migrations/48.php
+++ b/system/migrations/48.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * @var OTS_DB_MySQL $db
+ */
+
+$up = function () use ($db) {
+	if (!$db->hasColumn(TABLE_PREFIX . 'menu', 'access')) {
+		$db->addColumn(TABLE_PREFIX . 'menu', 'access', 'TINYINT NOT NULL DEFAULT 0 AFTER `link`');
+	}
+};
+
+$down = function () use ($db) {
+	if ($db->hasColumn(TABLE_PREFIX . 'menu', 'access')) {
+		$db->dropColumn(TABLE_PREFIX . 'menu', 'access');
+	}
+};
--- a/system/migrations/49.php
+++ b/system/migrations/49.php
@@ -0,0 +1,91 @@
+<?php
+/**
+ * @var OTS_DB_MySQL $db
+ */
+
+use MyAAC\Models\Account as AccountModel;
+
+$time = time();
+
+$accountId = getSession('account') ?? 1;
+if (!defined('MYAAC_INSTALL')) {
+	$accountModel = AccountModel::where('web_flags', 3)->first();
+	if ($accountModel) {
+		$accountId = $accountModel->id;
+	}
+}
+
+function insert_sample_if_not_exist($p): void
+{
+	global $time, $accountId;
+
+	$player = new OTS_Player();
+	$player->find($p['name']);
+
+	if (!$player->isLoaded()) {
+
+		$player->setData([
+			'name' => $p['name'],
+			'group_id' => 1,
+			'account_id' => $accountId,
+			'level' => $p['level'],
+			'vocation' => $p['vocation_id'],
+			'health' => $p['health'],
+			'healthmax' => $p['healthmax'],
+			'experience' => $p['experience'],
+			'lookbody' => 118,
+			'lookfeet' => 114,
+			'lookhead' => 38,
+			'looklegs' => 57,
+			'looktype' => $p['looktype'],
+			'maglevel' => 0,
+			'mana' => $p['mana'],
+			'manamax' => $p['manamax'],
+			'manaspent' => 0,
+			'soul' => $p['soul'],
+			'town_id' => 1,
+			'posx' => 1000,
+			'posy' => 1000,
+			'posz' => 7,
+			'conditions' => '',
+			'cap' => $p['cap'],
+			'sex' => 1,
+			'lastlogin' => $time,
+			'lastip' => 2130706433,
+			'save' => 1,
+			'lastlogout' => $time,
+			'balance' => 0,
+			'created' => $time,
+			'hide' => 1,
+			'comment' => '',
+		]);
+
+		$player->save();
+	}
+}
+
+$up = function () use ($db) {
+	if (!$db->hasTable('players')) {
+		return;
+	}
+
+	insert_sample_if_not_exist(['name' => 'Rook Sample', 'level' => 1, 'vocation_id' => 0, 'health' => 150, 'healthmax' => 150, 'experience' => 0, 'looktype' => 130, 'mana' => 0, 'manamax' => 0, 'soul' => 100, 'cap' => 400]);
+	insert_sample_if_not_exist(['name' => 'Sorcerer Sample', 'level' => 8, 'vocation_id' => 1, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
+	insert_sample_if_not_exist(['name' => 'Druid Sample', 'level' => 8, 'vocation_id' => 2, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
+	insert_sample_if_not_exist(['name' => 'Paladin Sample', 'level' => 8, 'vocation_id' => 3, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 129, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
+	insert_sample_if_not_exist(['name' => 'Knight Sample', 'level' => 8, 'vocation_id' => 4, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 131, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
+	insert_sample_if_not_exist(['name' => 'Monk Sample', 'level' => 8, 'vocation_id' => 9, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 128, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
+
+	if (defined('MYAAC_INSTALL')) {
+		global $locale;
+
+		success($locale['step_database_imported_players']);
+	}
+
+	require_once __DIR__ . '/20.php';
+	updateHighscoresIdsHidden();
+};
+
+$down = function () {
+	// nothing
+};
--- a/system/migrations/50-gallery.sql
+++ b/system/migrations/50-gallery.sql
@@ -0,0 +1,11 @@
+CREATE TABLE IF NOT EXISTS `myaac_gallery`
+(
+	`id` int NOT NULL AUTO_INCREMENT,
+	`comment` varchar(255) NOT NULL DEFAULT '',
+	`image` varchar(255) NOT NULL,
+	`thumb` varchar(255) NOT NULL,
+	`author` varchar(50) NOT NULL DEFAULT '',
+	`ordering` int NOT NULL DEFAULT 0,
+	`hide` tinyint NOT NULL DEFAULT 0,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
--- a/system/migrations/50.php
+++ b/system/migrations/50.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * @var OTS_DB_MySQL $db
+ */
+
+$up = function () use ($db) {
+	if ($db->hasTable(TABLE_PREFIX . 'gallery')) {
+		$db->dropTable(TABLE_PREFIX . 'gallery');
+	}
+};
+
+$down = function () use ($db) {
+	if (!$db->hasTable(TABLE_PREFIX . 'gallery')) {
+		$db->query(file_get_contents(__DIR__ . '/50-gallery.sql'));
+	}
+};
--- a/system/migrations/51-account_email_codes.sql
+++ b/system/migrations/51-account_email_codes.sql
@@ -0,0 +1,8 @@
+CREATE TABLE `myaac_account_email_codes`
+(
+	`id` int(11) NOT NULL AUTO_INCREMENT,
+	`account_id` int NOT NULL,
+	`code` varchar(6) NOT NULL,
+	`created_at` int NOT NULL,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
--- a/system/migrations/51.php
+++ b/system/migrations/51.php
@@ -0,0 +1,36 @@
+<?php
+// 2fa
+// add the myaac_account_email_codes
+
+/**
+ * @var OTS_DB_MySQL $db
+ */
+
+$up = function () use ($db) {
+	if (!$db->hasColumn('accounts', '2fa_type')) {
+		$db->addColumn('accounts', '2fa_type', "tinyint NOT NULL DEFAULT 0 AFTER `web_flags`");
+	}
+
+	if (!$db->hasColumn('accounts', '2fa_secret')) {
+		$db->addColumn('accounts', '2fa_secret', "varchar(16) NOT NULL DEFAULT '' AFTER `2fa_type`");
+	}
+
+	// add myaac_account_email_codes table
+	if (!$db->hasTable(TABLE_PREFIX . 'account_email_codes')) {
+		$db->exec(file_get_contents(__DIR__ . '/51-account_email_codes.sql'));
+	}
+};
+
+$down = function () use ($db) {
+	if ($db->hasColumn('accounts', '2fa_type')) {
+		$db->dropColumn('accounts', '2fa_type');
+	}
+
+	if ($db->hasColumn('accounts', '2fa_secret')) {
+		$db->dropColumn('accounts', '2fa_secret');
+	}
+
+	if ($db->hasTable(TABLE_PREFIX . 'account_email_codes')) {
+		$db->dropTable(TABLE_PREFIX . 'account_email_codes');
+	}
+};
--- a/system/migrations/7.php
+++ b/system/migrations/7.php
@@ -9,7 +9,7 @@ $up = function () use ($db) {
 	}
 };

-$up = function () use ($db) {
+$down = function () use ($db) {
 	if (!$db->hasColumn(TABLE_PREFIX . 'screenshots', 'name')) {
 		$db->addColumn(TABLE_PREFIX . 'screenshots', 'name', 'VARCHAR(30) NOT NULL');
 	}
--- a/system/pages/#examples/top-5.php
+++ b/system/pages/#examples/top-5.php
@@ -0,0 +1,29 @@
+<?php
+/**
+ * Example of using getTopPlayers() function
+ * to display the best players for each skill
+ */
+defined('MYAAC') or die('Direct access not allowed!');
+
+$skills = [
+	'magic', 'level',
+	'balance', 'frags',
+	POT::SKILL_FIST, POT::SKILL_CLUB,
+	POT::SKILL_SWORD, POT::SKILL_AXE,
+	POT::SKILL_DISTANCE, POT::SKILL_SHIELD,
+	POT::SKILL_FISH
+];
+
+foreach ($skills as $skill) {?>
+<ul>
+<?php
+	echo '<strong>' . ucwords(is_string($skill) ? $skill : getSkillName($skill)) . '</strong>';
+	foreach (getTopPlayers(5, $skill) as $player) {?>
+		<li><?= $player['rank'] . '. ' . $player['name'] . ' - ' . $player['value']; ?></li>
+		<?php
+	}
+	?>
+</ul>
+<?php
+}
+
--- a/system/pages/404.php
+++ b/system/pages/404.php
@@ -8,7 +8,7 @@
 * @link      https://my-aac.org
 */
 defined('MYAAC') or die('Direct access not allowed!');
-$title = '404 Not Found';
+$title = 'Not Found';

 header('HTTP/1.0 404 Not Found');
 ?>
--- a/system/pages/405.php
+++ b/system/pages/405.php
@@ -8,7 +8,7 @@
 * @link      https://my-aac.org
 */
 defined('MYAAC') or die('Direct access not allowed!');
-$title = '405 Method Not Allowed';
+$title = 'Method Not Allowed';

 header('HTTP/1.0 405 Method Not Allowed');
 ?>
--- a/system/pages/account/2fa/app/disable.php
+++ b/system/pages/account/2fa/app/disable.php
@@ -0,0 +1,26 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+require __DIR__ . '/../base.php';
+
+if (!isRequestMethod('post')) {
+	error('This page cannot be accessed directly.');
+	return;
+}
+
+if (!$account_logged->isLoaded()) {
+	error('Account not found!');
+	return;
+}
+
+if (!$twoFactorAuth->isActive($twoFactorAuth::TYPE_APP)) {
+	error("Your account does not have Two Factor App Authentication enabled.");
+	return;
+}
+
+$twoFactorAuth->disable();
+
+$twig->display('success.html.twig', [
+	'title' => 'Disabled',
+	'description' => 'Two Factor App Authentication has been disabled.'
+]);
--- a/system/pages/account/2fa/app/enable.php
+++ b/system/pages/account/2fa/app/enable.php
@@ -0,0 +1,105 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+use MyAAC\TwoFactorAuth\TwoFactorAuth;
+
+require __DIR__ . '/../base.php';
+
+if ($twoFactorAuth->isActive()) {
+	$errors[] = 'Two-factor authentication is already enabled on your account.';
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+
+	return;
+}
+
+$explodeRecoveryKey = explode('-', $account_logged->getCustomField('key'));
+$newRecoveryKeyFormat = (count($explodeRecoveryKey) == 4);
+
+if (ACTION == 'request') {
+
+	if ($newRecoveryKeyFormat) {
+		$key = $_POST['key1'] . '-' . $_POST['key2'] . '-' . $_POST['key3'] . '-' . $_POST['key4'];
+	}
+	else {
+		$key = $_POST['key'];
+	}
+
+	$accountKey = $account_logged->getCustomField('key');
+	if (!empty($key) && $key == $accountKey) {
+		$secret = getSession('2fa_secret');
+		if ($secret === null) {
+			$secret = generateRandom2faSecret();
+			setSession('2fa_secret', $secret);
+		}
+
+		$twoFactorAuth->appDisplayEnable($secret);
+
+		return;
+	}
+	else {
+		if (empty($key)) {
+			$errors[] = 'Please enter the recovery key!';
+		}
+		else {
+			$errors[] = 'Invalid recovery key!';
+		}
+	}
+}
+
+if (ACTION == 'link') {
+	$secret = getSession('2fa_secret');
+
+	if ($secret === null) {
+		$twig->display('error_box.html.twig', ['errors' => ['Secret not set. Go back and try again.']]);
+		return;
+	}
+
+	$authCode = $_POST['auth-code'] ?? '';
+	if (!empty($authCode)) {
+		$otp = $twoFactorAuth->appInitTOTP($secret);
+
+		if (!$otp->verify($authCode)) {
+			$errors = ['Token is invalid!'];
+
+			$twig->display('error_box.html.twig', ['errors' => $errors]);
+
+			$twoFactorAuth->appDisplayEnable($secret, $otp, $errors);
+
+			return;
+		}
+
+		if ($db->hasColumn('accounts', 'secret')) {
+			$account_logged->setCustomField('secret', $secret);
+		}
+
+		$account_logged->setCustomField('2fa_secret', $secret);
+		$twoFactorAuth->enable(TwoFactorAuth::TYPE_APP);
+
+		$twig->display('success.html.twig',
+			[
+				'title' => 'Authenticator App Connected',
+				'description' => 'You successfully connected your Tibia account to an authenticator app.'
+			]
+		);
+
+		return;
+	}
+	else {
+		$errors = ['You have to enter the code generated by the authenticator!'];
+
+		$twig->display('error_box.html.twig', ['errors' => $errors]);
+		$twoFactorAuth->appDisplayEnable($secret, null, $errors);
+		return;
+	}
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+}
+
+$twig->display('account/2fa/app/enable.warning.html.twig',
+	[
+		'newRecoveryKeyFormat' => $newRecoveryKeyFormat,
+		'errors' => $errors,
+	]
+);
--- a/system/pages/account/2fa/base.php
+++ b/system/pages/account/2fa/base.php
@@ -0,0 +1,41 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+use MyAAC\TwoFactorAuth\TwoFactorAuth;
+
+csrfProtect();
+
+$title = 'Two Factor Authentication';
+
+/**
+ * @var OTS_Account $account_logged
+ */
+$code = $_REQUEST['auth-code'] ?? '';
+
+if (!$account_logged->isLoaded()) {
+	$current_session = getSession('account');
+	if($current_session) {
+		$account_logged = new OTS_Account();
+		$account_logged->load($current_session);
+	}
+}
+
+$twoFactorAuth = TwoFactorAuth::getInstance($account_logged);
+$twig->addGlobal('account_logged', $account_logged);
+
+/**
+ * Took from ZnoteAAC
+ * @author Znote
+ */
+function generateRandom2faSecret($length = 16): string
+{
+	$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+	$charactersLength = strlen($characters);
+	$randomString = '';
+
+	for ($i = 0; $i < $length; $i++) {
+		$randomString .= $characters[rand(0, $charactersLength - 1)];
+	}
+
+	return $randomString;
+}
--- a/system/pages/account/2fa/email/disable.php
+++ b/system/pages/account/2fa/email/disable.php
@@ -0,0 +1,34 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+require __DIR__ . '/../base.php';
+
+if ((!setting('core.mail_enabled'))) {
+	$twig->display('error_box.html.twig',  ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]);
+	return;
+}
+
+if (!isRequestMethod('post')) {
+	error('This page cannot be accessed directly.');
+	return;
+}
+
+if (!$account_logged->isLoaded()) {
+	error('Account not found!');
+	return;
+}
+
+if (!$twoFactorAuth->isActive($twoFactorAuth::TYPE_EMAIL)) {
+	error("Your account does not have Two Factor E-Mail Authentication enabled.");
+	return;
+}
+
+$twoFactorAuth->disable();
+$twoFactorAuth->deleteOldCodes();
+
+$twig->display('success.html.twig',
+	[
+		'title' => 'Email Code Authentication Disabled',
+		'description' => 'You have successfully <strong>disabled</strong> the <b>Email Code Authentication</b> for your account.'
+	]
+);
--- a/system/pages/account/2fa/email/enable.php
+++ b/system/pages/account/2fa/email/enable.php
@@ -0,0 +1,51 @@
+<?php
+
+use MyAAC\TwoFactorAuth\TwoFactorAuth;
+
+defined('MYAAC') or die('Direct access not allowed!');
+
+require __DIR__ . '/../base.php';
+
+if ((!setting('core.mail_enabled'))) {
+	$twig->display('error_box.html.twig',  ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]);
+	return;
+}
+
+if ($twoFactorAuth->isActive()) {
+	$errors[] = 'Two-factor authentication is already enabled on your account.';
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+
+	return;
+}
+
+if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) {
+	$twoFactorAuth->resendEmailCode();
+}
+
+if (isset($_POST['save'])) {
+	if (!empty($code)) {
+		$twoFactorAuth->setAuthGateway(TwoFactorAuth::TYPE_EMAIL);
+		if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) {
+			$serverName = configLua('serverName');
+
+			$twoFactorAuth->enable(TwoFactorAuth::TYPE_EMAIL);
+			$twoFactorAuth->deleteOldCodes();
+
+			$twig->display('success.html.twig', [
+				'title' => 'Email Code Authentication Activated',
+				'description' => sprintf('You have successfully activated <b>email code authentication</b> for your account. This means an <b>email code</b> will be sent to the email address assigned to your account whenever you try to log in to the %s client or the %s website. In order to log in, you will need to enter the <b>most recent email code</b> you have received.', $serverName, $serverName)
+			]);
+
+			return;
+		}
+		else {
+			$errors[] = 'Invalid email code!';
+		}
+	}
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+}
+
+$twig->display('account/2fa/email/enable.html.twig', ['wrongCode' => count($errors) > 0]);
--- a/system/pages/account/2fa/email/resend-code.php
+++ b/system/pages/account/2fa/email/resend-code.php
@@ -0,0 +1,32 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+require __DIR__ . '/../base.php';
+
+if ((!setting('core.mail_enabled'))) {
+	$twig->display('error_box.html.twig',  ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]);
+	return;
+}
+
+if (!$account_logged->isLoaded()) {
+	error('Account not found!');
+	return;
+}
+
+if ($twoFactorAuth->isActive($twoFactorAuth::TYPE_APP)) {
+	error('You have to disable the app auth first!');
+	return;
+}
+
+if ($twoFactorAuth->hasRecentEmailCode(30 * 60)) {
+	$errors = ['Sorry, one email per 30 minutes'];
+}
+else {
+	$twoFactorAuth->resendEmailCode();
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig',  ['errors' => $errors]);
+}
+
+$twig->display('account/2fa/email/enable.html.twig');
--- a/system/pages/account/base.php
+++ b/system/pages/account/base.php
@@ -17,6 +17,10 @@ if(!$logged)
 	if(!empty($errors))
 		$twig->display('error_box.html.twig', array('errors' => $errors));

+	if (defined('HIDE_LOGIN_BOX') && HIDE_LOGIN_BOX) {
+		return;
+	}
+
 	$twig->display('account.login.html.twig', array(
 		'redirect' => $_REQUEST['redirect'] ?? null,
 		'account' => USE_ACCOUNT_NAME ? 'Name' : 'Number',
@@ -30,3 +34,11 @@ if(!$logged)
 else {
 	$show_form = true;
 }
+
+function generateRecoveryKey(): string
+{
+	return generateRandomString(5, false, true, true) . '-' .
+		generateRandomString(5, false, true, true) . '-' .
+		generateRandomString(5, false, true, true) . '-' .
+		generateRandomString(5, false, true, true);
+}
--- a/system/pages/account/change-email.php
+++ b/system/pages/account/change-email.php
@@ -166,7 +166,7 @@ if(isset($_POST['emailchangecancel']) && $_POST['emailchangecancel'] == 1) {
 	$account_logged->setCustomField("email_new", "");
 	$account_logged->setCustomField("email_new_time", 0);

-	$custom_buttons = '<div style="text-align:center"><table border="0" cellspacing="0" cellpadding="0" ><form action="' . getLink('account/manage') . '" method="post" ><tr><td style="border:0px;" >' . $twig->render('buttons.back.html.twig') . '</td></tr></form></table></div>';
+	$custom_buttons = '<div style="text-align:center"><table border="0" cellspacing="0" cellpadding="0" ><form action="' . getLink('account/manage') . '" method="post" >' . csrf(true) . '<tr><td style="border:0px;" >' . $twig->render('buttons.back.html.twig') . '</td></tr></form></table></div>';

 	$twig->display('success.html.twig', array(
 		'title' => 'Email Address Change Cancelled',
--- a/system/pages/account/change-password.php
+++ b/system/pages/account/change-password.php
@@ -19,18 +19,17 @@ if(!$logged) {

 csrfProtect();

-$new_password = $_POST['newpassword'] ?? NULL;
-$new_password_confirm = $_POST['newpassword_confirm'] ?? NULL;
-$old_password = $_POST['oldpassword'] ?? NULL;
-if(empty($new_password) && empty($new_password_confirm) && empty($old_password)) {
+$new_password = $_POST['new_password'] ?? null;
+$new_password_confirm = $_POST['new_password_confirm'] ?? null;
+$old_password = $_POST['old_password'] ?? null;
+if(is_null($new_password) && is_null($new_password_confirm) && is_null($old_password)) {
 	$twig->display('account.change-password.html.twig');
 }
-else
-{
+else {
 	if(empty($new_password) || empty($new_password_confirm) || empty($old_password)){
 		$errors[] = 'Please fill in form.';
 	}
-	$password_strlen = strlen($new_password);
+
 	if($new_password != $new_password_confirm) {
 		$errors[] = 'The new passwords do not match!';
 	}
@@ -41,10 +40,13 @@ else
 		}

 		/** @var OTS_Account $account_logged */
-		$old_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $old_password);
-		if($old_password != $account_logged->getPassword()) {
+		$old_password_hashed = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $old_password);
+		if($old_password_hashed != $account_logged->getPassword()) {
 			$errors[] = 'Current password is incorrect!';
 		}
+		else if ($old_password == $new_password) {
+			$errors[] = 'The old password is same as the new password!';
+		}

 		$hooks->trigger(HOOK_ACCOUNT_CHANGE_PASSWORD_POST);
 	}
--- a/system/pages/account/characters/change-comment.php
+++ b/system/pages/account/characters/change-comment.php
@@ -51,6 +51,8 @@ if($player_name != null) {
 						'description' => 'The character information has been changed.'
 					));
 					$show_form = false;
+
+					$hooks->trigger(HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_SUCCESS, ['player' => $player]);
 				}
 			}
 		} else {
@@ -70,9 +72,11 @@ if($show_form) {
 	}

 	if(isset($player) && $player) {
-		$twig->display('account.characters.change-comment.html.twig', array(
-			'player' => $player->toArray()
-		));
+		$_player = $player->toArray();
+		$_player['id'] = $player->id; // Hack, as it's somehow missing in the toArray() function
+
+		$twig->display('account.characters.change-comment.html.twig', [
+			'player' => $_player,
+		]);
 	}
 }
-?>
--- a/system/pages/account/confirm-email.php
+++ b/system/pages/account/confirm-email.php
@@ -9,6 +9,7 @@
 */

 use MyAAC\Models\Account;
+use MyAAC\Models\AccountEmailVerify;

 defined('MYAAC') or die('Direct access not allowed!');

@@ -20,16 +21,20 @@ if(empty($hash)) {
 	return;
 }

-if(!Account::where('email_hash', $hash)->exists()) {
-	note("Your email couldn't be verified. Please contact staff to do it manually.");
+// by default link is valid for 30 days
+$accountEmailVerify = AccountEmailVerify::where('hash', $hash)->where('sent_at', '>', time() - 30 * 24 * 60 * 60)->first();
+if(!$accountEmailVerify) {
+	note("Wrong link or link has expired.");
 }
 else
 {
-	$accountModel = Account::where('email_hash', $hash)->where('email_verified', 0)->first();
+	$accountModel = Account::where('id', $accountEmailVerify->account_id)->where('email_verified', 0)->first();
 	if ($accountModel) {
 		$accountModel->email_verified = 1;
 		$accountModel->save();

+		AccountEmailVerify::where('account_id', $accountModel->id)->delete();
+
 		success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this. You can now <a href=' . getLink('account/manage') . '>log in</a>.');

 		$account = new OTS_Account();
@@ -39,6 +44,6 @@ else
 		}
 	}
 	else {
-		error('Link has expired.');
+		error('Your account is already verified.');
 	}
 }
--- a/system/pages/account/create.php
+++ b/system/pages/account/create.php
@@ -10,6 +10,8 @@
 */

 use MyAAC\CreateCharacter;
+use MyAAC\Models\AccountAction;
+use MyAAC\Models\AccountEmailVerify;

 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Create Account';
@@ -43,6 +45,16 @@ $errors = array();
 $save = isset($_POST['save']) && $_POST['save'] == 1;
 if($save)
 {
+	$cooldown = setting('core.account_create_ip_block_cooldown');;
+	if ($cooldown > 0) {
+		$accountAction = AccountAction::where('ip', get_browser_real_ip())->where('action', 'Account created.')->where('date', '>=', time() - ($cooldown * 60))->first();
+
+		if ($accountAction) {
+			$minute = ($cooldown > 1 ? 'minutes' : 'minute');
+			$errors['account'] = "You have to wait $cooldown $minute before creating another account.";
+		}
+	}
+
 	if(!config('account_login_by_email')) {
 		if(USE_ACCOUNT_NAME) {
 			$account_name = $_POST['account'];
@@ -139,7 +151,7 @@ if($save)
 		'country' => $country,
 		'password' => $password,
 		'password_confirm' => $password_confirm,
-		'accept_rules' => isset($_POST['accept_rules']) ? $_POST['accept_rules'] === 'true' : false,
+		'accept_rules' => isset($_POST['accept_rules']) && $_POST['accept_rules'] === 'true',
 	);

 	if (!config('account_login_by_email')) {
@@ -191,6 +203,21 @@ if($save)

 		$new_account->setPassword(encrypt($password));
 		$new_account->setEMail($email);
+
+		$settingAccountPremiumDays = setting('core.account_premium_days');
+		if($settingAccountPremiumDays && $settingAccountPremiumDays > 0) {
+			$new_account->setPremDays($settingAccountPremiumDays);
+
+			if (!isCanary()) {
+				$lastDay = 0;
+				if($settingAccountPremiumDays != 0 && $settingAccountPremiumDays != OTS_Account::GRATIS_PREMIUM_DAYS) {
+					$lastDay = time();
+				}
+
+				$new_account->setLastLogin($lastDay);
+			}
+		}
+
 		$new_account->save();

 		$hooks->trigger(HOOK_ACCOUNT_CREATE_AFTER_SAVED, ['account' => $new_account]);
@@ -205,32 +232,21 @@ if($save)
 			$new_account->setCustomField('country', $country);
 		}

-		$settingAccountPremiumDays = setting('core.account_premium_days');
-		if($settingAccountPremiumDays && $settingAccountPremiumDays > 0) {
-			if($db->hasColumn('accounts', 'premend')) { // othire
-				$new_account->setCustomField('premend', time() + $settingAccountPremiumDays * 86400);
-			}
-			else { // rest
-				if ($db->hasColumn('accounts', 'premium_ends_at')) { // TFS 1.4+
-					$new_account->setCustomField('premium_ends_at', time() + $settingAccountPremiumDays * (60 * 60 * 24));
-				}
-				else {
-					$new_account->setCustomField('premdays', $settingAccountPremiumDays);
-					$new_account->setCustomField('lastday', time());
-				}
-			}
-		}
-
 		$accountDefaultPremiumPoints = setting('core.account_premium_points');
 		if($accountDefaultPremiumPoints > 0) {
 			$new_account->setCustomField('premium_points', $accountDefaultPremiumPoints);
 		}

 		$accountDefaultCoins = setting('core.account_coins');
-		if($db->hasColumn('accounts', 'coins') && $accountDefaultCoins > 0) {
+		if(HAS_ACCOUNT_COINS && $accountDefaultCoins > 0) {
 			$new_account->setCustomField('coins', $accountDefaultCoins);
 		}

+		$accountDefaultCoinsTransferable = setting('core.account_coins_transferable');
+		if((HAS_ACCOUNT_COINS_TRANSFERABLE || HAS_ACCOUNT_TRANSFERABLE_COINS) && $accountDefaultCoinsTransferable > 0) {
+			$new_account->setCustomField(ACCOUNT_COINS_TRANSFERABLE_COLUMN, $accountDefaultCoinsTransferable);
+		}
+
 		$tmp_account = $email;
 		if (!config('account_login_by_email')) {
 			$tmp_account = (USE_ACCOUNT_NAME ? $account_name : $account_id);
@@ -239,7 +255,12 @@ if($save)
 		if(setting('core.mail_enabled') && setting('core.account_mail_verify'))
 		{
 			$hash = md5(generateRandomString(16, true, true) . $email);
-			$new_account->setCustomField('email_hash', $hash);
+
+			AccountEmailVerify::create([
+				'account_id' => $new_account->getId(),
+				'hash' => $hash,
+				'sent_at' => time(),
+			]);

 			$verify_url = getLink('account/confirm-email/' . $hash);
 			$body_html = $twig->render('mail.account.verify.html.twig', array(
@@ -263,8 +284,10 @@ if($save)
 			}
 			else
 			{
-				error('An error occorred while sending email! Account not created. Try again. For Admin: More info can be found in system/logs/mailer-error.log');
+				error('An error occurred while sending email! Account not created. Try again. For Admin: More info can be found in system/logs/mailer-error.log');
 				$new_account->delete();
+
+				return;
 			}
 		}
 		else
@@ -354,7 +377,7 @@ if(!empty($errors))

 if (setting('core.account_country')) {
 	$countries = array();
-	foreach (array('pl', 'se', 'br', 'us', 'gb') as $c)
+	foreach (setting('core.account_countries_most_popular') ?? [] as $c)
 		$countries[$c] = $config['countries'][$c];

 	$countries['--'] = '----------';
--- a/system/pages/account/login.php
+++ b/system/pages/account/login.php
@@ -10,6 +10,7 @@
 */

 use MyAAC\RateLimit;
+use MyAAC\TwoFactorAuth\TwoFactorAuth;

 defined('MYAAC') or die('Direct access not allowed!');

@@ -48,10 +49,22 @@ if(!empty($login_account) && !empty($login_password))
 	)
 	{
 		if (setting('core.account_mail_verify') && (int)$account_logged->getCustomField('email_verified') !== 1) {
-			$errors[] = 'Your account is not verified. Please verify your email address. If the message is not coming check the SPAM folder in your E-Mail client.';
+			$link = getLink('account/resend-email-verify');
+			$errors[] = 'Your account is not verified. Please verify your email address. If the message is not coming check the SPAM folder in your E-Mail client.<br/>' .
+				'You can resend the Email here: <a href="' . $link . '">' . $link . '</a>';
 		} else {
-			session_regenerate_id();
 			setSession('account', $account_logged->getId());
+
+			if (!$hooks->trigger(HOOK_ACCOUNT_LOGIN_PRE)) {
+				return;
+			}
+
+			$twoFactorAuth = TwoFactorAuth::getInstance($account_logged);
+			if (!$twoFactorAuth->process($login_account, $login_password, $remember_me, $_POST['auth-code'] ?? '')) {
+				return;
+			}
+
+			session_regenerate_id();
 			setSession('password', encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password));
 			if($remember_me) {
 				setSession('remember_me', true);
--- a/system/pages/account/lost.php
+++ b/system/pages/account/lost.php
@@ -9,540 +9,11 @@
 * @link      https://my-aac.org
 */
 defined('MYAAC') or die('Direct access not allowed!');
-$title = 'Lost Account Interface';
+$title = 'Lost Account';

-if(!setting('core.mail_enabled'))
-{
-	echo '<b>Account maker is not configured to send e-mails, you can\'t use Lost Account Interface. Contact with admin to get help.</b>';
+if(!setting('core.mail_enabled')) {
+	echo "<b>Account maker is not configured to send e-mails, you can't use Lost Account Interface. Contact with admin to get help.</b>";
 	return;
 }

-$action_type = isset($_REQUEST['action_type']) ? $_REQUEST['action_type'] : '';
-if($action == '')
-{
-	$twig->display('account.lost.form.html.twig');
-}
-else if($action == 'step1' && $action_type == '') {
-	$twig->display('account.lost.noaction.html.twig');
-}
-elseif($action == 'step1' && $action_type == 'email')
-{
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_next') < time())
-				echo 'Please enter e-mail to account with this character.<BR>
-				<form action="' . getLink('account/lost') . '?action=sendcode" method=post>
-				<input type=hidden name="character">
-				<table cellspacing=1 cellpadding=4 border=0 width=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter e-mail to account</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Character: <INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR>
-				E-mail to account:<INPUT TYPE=text NAME="email" VALUE="" SIZE="40"><BR>
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-			else
-			{
-				$insec = (int)$account->getCustomField('email_next') - time();
-				$minutesleft = floor($insec / 60);
-				$secondsleft = $insec - ($minutesleft * 60);
-				$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
-				echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
-			}
-		}
-		else
-			echo 'Player or account of player <b>' . $nick . '</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
-elseif($action == 'sendcode')
-{
-	$email = $_REQUEST['email'];
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_next') < time())
-			{
-				if($account->getEMail() == $email)
-				{
-					$newcode = generateRandomString(30, true, false, true);
-					$mailBody = '
-					You asked to reset your ' . $config['lua']['serverName'] . ' password.<br/>
-					<p>Account name: '.$account->getName().'</p>
-					<br />
-					To do so, please click this link:
-					<p><a href="' . getLink('account/lost') . '?action=checkcode&code='.$newcode.'&character='.urlencode($nick).'">' . getLink('account/lost') . '?action=checkcode&code='.$newcode.'&character='.urlencode($nick).'</a></p>
-					<p>or open page: <i>' . getLink('account/lost') . '?action=checkcode</i> and in field "code" write <b>'.$newcode.'</b></p>
-					<br/>
-						<p>If you did not request a password change, you may ignore this message and your password will remain unchanged.';
-
-					$account_mail = $account->getCustomField('email');
-					if(_mail($account_mail, $config['lua']['serverName'].' - Recover your account', $mailBody))
-					{
-						$account->setCustomField('email_code', $newcode);
-						$account->setCustomField('email_next', (time() + setting('core.mail_lost_account_interval')));
-						echo '<br />Details about steps required to recover your account has been sent to <b>' . $account_mail . '</b>. You should receive this email within 15 minutes. Please check your inbox/spam directory.';
-					}
-					else
-					{
-						$account->setCustomField('email_next', (time() + 60));
-						echo '<br /><p class="error">An error occurred while sending email! Try again later or contact with admin. For Admin: More info can be found in system/logs/mailer-error.log</p>';
-					}
-				}
-				else
-					echo 'Invalid e-mail to account of character <b>'.$nick.'</b>. Try again.';
-			}
-			else
-			{
-				$insec = (int)$account->getCustomField('email_next') - time();
-				$minutesleft = floor($insec / 60);
-				$secondsleft = $insec - ($minutesleft * 60);
-				$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
-				echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
-			}
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '?action=step1&action_type=email&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
-elseif($action == 'step1' && $action_type == 'reckey')
-{
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			$account_key = $account->getCustomField('key');
-			if(!empty($account_key))
-			{
-						echo 'If you enter right recovery key you will see form to set new e-mail and password to account. To this e-mail will be send your new password and account name.<BR>
-						<FORM ACTION="' . getLink('account/lost') . '?action=step2" METHOD=post>
-						<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-						<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter your recovery key</B></TD></TR>
-						<TR><TD BGCOLOR="'.$config['darkborder'].'">
-						Character name:&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
-						Recovery key:&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=text NAME="key" VALUE="" SIZE="40"><BR>
-						</TD></TR>
-						</TABLE>
-						<BR>
-						<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-						' . $twig->render('buttons.submit.html.twig') . '</div>
-						</TD></TR></FORM></TABLE></TABLE>';
-			}
-			else
-				echo 'Account of this character has no recovery key!';
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
-elseif($action == 'step2')
-{
-	$rec_key = trim($_REQUEST['key']);
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			$account_key = $account->getCustomField('key');
-			if(!empty($account_key))
-			{
-				if($account_key == $rec_key)
-				{
-					echo '<script type="text/javascript">
-					function validate_required(field,alerttxt)
-					{
-					with (field)
-					{
-					if (value==null||value==""||value==" ")
-					  {alert(alerttxt);return false;}
-					else {return true}
-					}
-					}
-					function validate_email(field,alerttxt)
-					{
-					with (field)
-					{
-					apos=value.indexOf("@");
-					dotpos=value.lastIndexOf(".");
-					if (apos<1||dotpos-apos<2)
-					  {alert(alerttxt);return false;}
-					else {return true;}
-					}
-					}
-					function validate_form(thisform)
-					{
-					with (thisform)
-					{
-					if (validate_required(email,"Please enter your e-mail!")==false)
-					  {email.focus();return false;}
-					if (validate_email(email,"Invalid e-mail format!")==false)
-					  {email.focus();return false;}
-					if (validate_required(passor,"Please enter password!")==false)
-					  {passor.focus();return false;}
-					if (validate_required(passor2,"Please repeat password!")==false)
-					  {passor2.focus();return false;}
-					if (passor2.value!=passor.value)
-					  {alert(\'Repeated password is not equal to password!\');return false;}
-					}
-					}
-					</script>';
-					echo 'Set new password and e-mail to your account.<BR>
-					<FORM ACTION="' . getLink('account/lost') . '?action=step3" onsubmit="return validate_form(this)" METHOD=post>
-					<INPUT TYPE=hidden NAME="character" VALUE="">
-					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter new password and e-mail</B></TD></TR>
-					<TR><TD BGCOLOR="'.$config['darkborder'].'">
-					Account of character:&nbsp;&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
-					New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT id="passor" TYPE=password NAME="passor" VALUE="" SIZE="40"><BR>
-					Repeat new password:&nbsp;&nbsp;<INPUT id="passor2" TYPE=password NAME="passor" VALUE="" SIZE="40"><BR>
-					New e-mail address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT id="email" TYPE=text NAME="email" VALUE="" SIZE="40"><BR>
-					<INPUT TYPE=hidden NAME="key" VALUE="'.$rec_key.'">
-					</TD></TR>
-					</TABLE>
-					<BR>
-					<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-					' . $twig->render('buttons.submit.html.twig') . '</div>
-					</TD></TR></FORM></TABLE></TABLE>';
-				}
-				else
-					echo 'Wrong recovery key!';
-			}
-			else
-				echo 'Account of this character has no recovery key!';
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '?action=step1&action_type=reckey&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
-elseif($action == 'step3')
-{
-	$rec_key = trim($_REQUEST['key']);
-	$nick = stripslashes($_REQUEST['nick']);
-	$new_pass = trim($_REQUEST['passor']);
-	$new_email = trim($_REQUEST['email']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			$account_key = $account->getCustomField('key');
-			if(!empty($account_key))
-			{
-				if($account_key == $rec_key)
-				{
-					if(Validator::password($new_pass))
-					{
-						if(Validator::email($new_email))
-						{
-							$account->setEMail($new_email);
-
-							$tmp_new_pass = $new_pass;
-							if(USE_ACCOUNT_SALT)
-							{
-								$salt = generateRandomString(10, false, true, true);
-								$tmp_new_pass = $salt . $new_pass;
-							}
-
-							$account->setPassword(encrypt($tmp_new_pass));
-							$account->save();
-
-							if(USE_ACCOUNT_SALT)
-								$account->setCustomField('salt', $salt);
-
-							echo 'Your account name, new password and new e-mail.<BR>
-							<FORM ACTION="' . getLink('account/manage') . '" onsubmit="return validate_form(this)" METHOD=post>
-							<INPUT TYPE=hidden NAME="character" VALUE="">
-							<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-							<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Your account name, new password and new e-mail</B></TD></TR>
-							<TR><TD BGCOLOR="'.$config['darkborder'].'">
-							Account name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>'.$account->getName().'</b><BR>
-							New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>'.$new_pass.'</b><BR>
-							New e-mail address:&nbsp;<b>'.$new_email.'</b><BR>';
-							if($account->getCustomField('email_next') < time())
-							{
-								$mailBody = '
-								<h3>Your account name and new password!</h3>
-								<p>Changed password and e-mail to your account in Lost Account Interface on server <a href="'.BASE_URL.'"><b>'.$config['lua']['serverName'].'</b></a></p>
-								<p>Account name: <b>'.$account->getName().'</b></p>
-								<p>New password: <b>'.$new_pass.'</b></p>
-								<p>E-mail: <b>'.$new_email.'</b> (this e-mail)</p>
-								<br />
-								<p><u>It\'s automatic e-mail from OTS Lost Account System. Do not reply!</u></p>';
-
-								if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - New password to your account", $mailBody))
-								{
-									echo '<br /><small>Sent e-mail with your account name and password to new e-mail. You should receive this e-mail in 15 minutes. You can login now with new password!</small>';
-								}
-								else
-								{
-									echo '<br /><p class="error">An error occurred while sending email! You will not receive e-mail with this informations. For Admin: More info can be found in system/logs/mailer-error.log</p>';
-								}
-							}
-							else
-							{
-								echo '<br /><small>You will not receive e-mail with this informations.</small>';
-							}
-							echo '<INPUT TYPE=hidden NAME="account_login" VALUE="'.$account->getId().'">
-							<INPUT TYPE=hidden NAME="password_login" VALUE="'.$new_pass.'">
-							</TD></TR></TABLE><BR>
-							<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-							<INPUT TYPE=image NAME="Login" ALT="Login" SRC="'.$template_path.'/images/global/buttons/sbutton_login.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
-							</TD></TR></FORM></TABLE></TABLE>';
-						}
-						else
-							echo Validator::getLastError();
-					}
-					else
-						echo Validator::getLastError();
-				}
-				else
-					echo 'Wrong recovery key!';
-			}
-			else
-				echo 'Account of this character has no recovery key!';
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '?action=step1&action_type=reckey&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
-elseif($action == 'checkcode')
-{
-	$code = trim($_REQUEST['code']);
-	$character = stripslashes(trim($_REQUEST['character']));
-	if(empty($code) || empty($character))
-		echo 'Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
-				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-	else
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($character);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_code') == $code)
-			{
-				echo '<script type="text/javascript">
-				function validate_required(field,alerttxt)
-				{
-				with (field)
-				{
-				if (value==null||value==""||value==" ")
-				  {alert(alerttxt);return false;}
-				else {return true}
-				}
-				}
-
-				function validate_form(thisform)
-				{
-				with (thisform)
-				{
-				if (validate_required(passor,"Please enter password!")==false)
-				  {passor.focus();return false;}
-				if (validate_required(passor2,"Please repeat password!")==false)
-				  {passor2.focus();return false;}
-				if (passor2.value!=passor.value)
-				  {alert(\'Repeated password is not equal to password!\');return false;}
-				}
-				}
-				</script>
-				Please enter new password to your account and repeat to make sure you remember password.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=setnewpassword" onsubmit="return validate_form(this)" METHOD=post>
-				<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
-				<INPUT TYPE=hidden NAME="code" VALUE="'.$code.'">
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & account name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=password ID="passor" NAME="passor" VALUE="" SIZE="40")><BR />
-				Repeat new password:&nbsp;<INPUT TYPE=password ID="passor2" NAME="passor2" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-			}
-			else
-				$error= 'Wrong code to change password.';
-		}
-		else
-			$error = 'Account of this character or this character doesn\'t exist.';
-	}
-	if(!empty($error))
-				echo '<span style="color: red"><b>'.$error.'</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
-				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
-elseif($action == 'setnewpassword')
-{
-	$newpassword = $_REQUEST['passor'];
-	$code = $_REQUEST['code'];
-	$character = stripslashes($_REQUEST['character']);
-	echo '';
-	if(empty($code) || empty($character) || empty($newpassword))
-		echo '<span style="color: red"><b>Error. Try again.</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<BR><FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<INPUT TYPE=image NAME="Back" ALT="Back" SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-	else
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($character);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_code') == $code)
-			{
-				if(Validator::password($newpassword))
-				{
-					$tmp_new_pass = $newpassword;
-					if(USE_ACCOUNT_SALT)
-					{
-						$salt = generateRandomString(10, false, true, true);
-						$tmp_new_pass  = $salt . $newpassword;
-						$account->setCustomField('salt', $salt);
-					}
-
-					$account->setPassword(encrypt($tmp_new_pass ));
-					$account->save();
-					$account->setCustomField('email_code', '');
-					echo 'New password to your account is below. Now you can login.<BR>
-					<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
-					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Changed password</B></TD></TR>
-					<TR><TD BGCOLOR="'.$config['darkborder'].'">
-					New password:&nbsp;<b>'.$newpassword.'</b><BR />
-					Account name:&nbsp;&nbsp;&nbsp;<i>(Already on your e-mail)</i><BR />';
-
-					$mailBody = '
-					<h3>Your account name and password!</h3>
-					<p>Changed password to your account in Lost Account Interface on server <a href="'.BASE_URL.'"><b>'.$config['lua']['serverName'].'</b></a></p>
-					<p>Account name: <b>'.$account->getName().'</b></p>
-					<p>New password: <b>'.$newpassword.'</b></p>
-					<br />
-					<p><u>It\'s automatic e-mail from OTS Lost Account System. Do not reply!</u></p>';
-
-					if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - Your new password", $mailBody))
-					{
-						echo '<br /><small>New password work! Sent e-mail with your password and account name. You should receive this e-mail in 15 minutes. You can login now with new password!';
-					}
-					else
-					{
-						echo '<br /><p class="error">New password work! An error occurred while sending email! You will not receive e-mail with new password. For Admin: More info can be found in system/logs/mailer-error.log';
-					}
-				echo '</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<FORM ACTION="' . getLink('account/manage') . '" METHOD=post>
-				<INPUT TYPE=image NAME="Login" ALT="Login" SRC="'.$template_path.'/images/global/buttons/sbutton_login.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-				}
-				else
-					$error= Validator::getLastError();
-			}
-			else
-				$error= 'Wrong code to change password.';
-		}
-		else
-			$error = 'Account of this character or this character doesn\'t exist.';
-	}
-	if(!empty($error))
-				echo '<span style="color: red"><b>'.$error.'</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
-				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-}
+$twig->display('account/lost/form.html.twig');
--- a/system/pages/account/lost/base.php
+++ b/system/pages/account/lost/base.php
@@ -0,0 +1,18 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+function lostAccountWriteCooldown(string $nick, int $time): void
+{
+	global $twig;
+
+	$inSec = $time - time();
+	$minutesLeft = floor($inSec / 60);
+	$secondsLeft = $inSec - ($minutesLeft * 60);
+	$timeLeft = "$minutesLeft minutes $secondsLeft seconds";
+
+	$timeRounded = ceil(setting('core.mail_lost_account_interval') / 60);
+
+	$twig->display('error_box.html.twig', [
+		'errors' => ["Account of selected character (<b>" . escapeHtml($nick) . "</b>) received e-mail in last $timeRounded minutes. You must wait $timeLeft before you can use Lost Account Interface again."]
+	]);
+}
--- a/system/pages/account/lost/check-code.php
+++ b/system/pages/account/lost/check-code.php
@@ -0,0 +1,51 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$code = $_REQUEST['code'] ?? '';
+$character = $_REQUEST['character'] ?? '';
+
+if(empty($code) || empty($character)) {
+	$twig->display('account/lost/check-code.html.twig', [
+		'code' => $code,
+		'characters' => $character,
+	]);
+}
+else {
+	$player = new OTS_Player();
+	$account = new OTS_Account();
+	$player->find($character);
+	if($player->isLoaded()) {
+		$account = $player->getAccount();
+	}
+
+	if($account->isLoaded()) {
+		if($account->getCustomField('email_code') == $code) {
+			$twig->display('account/lost/check-code.finish.html.twig', [
+				'character' => $character,
+				'code' => $code,
+			]);
+		}
+		else {
+			$error = 'Wrong code to change password.';
+		}
+	}
+	else {
+		$error = "Account of this character or this character doesn't exist.";
+	}
+}
+
+if(!empty($error)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => [$error],
+	]);
+
+	echo '<br/>';
+
+	$twig->display('account/lost/check-code.html.twig', [
+
+	]);
+}
--- a/system/pages/account/lost/email/send-code.php
+++ b/system/pages/account/lost/email/send-code.php
@@ -0,0 +1,75 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+require __DIR__ . '/../base.php';
+
+$title = 'Lost Account';
+
+$email = $_POST['email'] ?? '';
+$nick = $_POST['nick'] ?? '';
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded()) {
+	if($account->getCustomField('email_next') < time()) {
+		if($account->getEMail() == $email) {
+			$newCode = generateRandomString(30, true, false, true);
+			$mailBody = $twig->render('mail.account.lost.code.html.twig', [
+				'newCode' => $newCode,
+				'account' => $account,
+				'nick' => $nick,
+			]);
+
+			$accountEMail = $account->getCustomField('email');
+			if(_mail($accountEMail, configLua('serverName') . ' - Recover your account', $mailBody)) {
+				$account->setCustomField('email_code', $newCode);
+				$account->setCustomField('email_next', (time() + setting('core.mail_lost_account_interval')));
+
+				$twig->display('success.html.twig', [
+					'title' => 'Email has been sent',
+					'description' => 'Details about steps required to recover your account has been sent to <b>' . $accountEMail . '</b>. You should receive this email within 15 minutes. Please check your inbox/spam directory.',
+					'custom_buttons' => '',
+				]);
+
+				$twig->display('account.back_button.html.twig', [
+					'new_line' => true,
+					'center' => true,
+					'action' => getLink('news'),
+				]);
+
+				return;
+			}
+
+			$account->setCustomField('email_next', (time() + 60));
+			error('An error occurred while sending email! Try again later or contact with admin. For Admin: More info can be found in system/logs/mailer-error.log</p>');
+		}
+		else {
+			$errors[] = 'Invalid e-mail to account of character <b>' . escapeHtml($nick) . '</b>. Try again.';
+		}
+	}
+	else {
+		lostAccountWriteCooldown($nick, (int)$account->getCustomField('email_next'));
+	}
+}
+else {
+	$errors[] =  "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost/step-1') . '?action=email&nick=' . urlencode($nick),
+]);
--- a/system/pages/account/lost/email/set-new-password.php
+++ b/system/pages/account/lost/email/set-new-password.php
@@ -0,0 +1,128 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$newPassword = $_POST['password'] ?? '';
+$passwordRepeat = $_POST['password_repeat'] ?? '';
+$code = $_POST['code'] ?? '';
+$character = $_POST['character'] ?? '';
+
+if(empty($code) || empty($character)) {
+	$errors[] = 'Please enter code from e-mail and name of one character from account.';
+
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+
+	$twig->display('account/lost/check-code.html.twig', [
+		'code' => $code,
+		'character' => $character,
+	]);
+
+	$twig->display('account.back_button.html.twig', [
+		'new_line' => true,
+		'center' => true,
+		'action' => getLink('account/lost/check-code')
+	]);
+
+	return;
+}
+
+if (empty($newPassword) || empty($passwordRepeat)) {
+	$errors[] = 'Please enter both passwords.';
+
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+
+	$twig->display('account/lost/check-code.finish.html.twig', [
+		'character' => $character,
+		'code' => $code,
+	]);
+
+	return;
+}
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($character);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+$passwordFailed = false;
+
+if($account->isLoaded()) {
+	if($account->getCustomField('email_code') == $code) {
+		if ($newPassword == $passwordRepeat) {
+			if (Validator::password($newPassword)) {
+
+				$hooks->trigger(HOOK_ACCOUNT_LOST_EMAIL_SET_NEW_PASSWORD_POST);
+
+				if (empty($errors)) {
+					$tmp_new_pass = $newPassword;
+					if (USE_ACCOUNT_SALT) {
+						$salt = generateRandomString(10, false, true, true);
+						$tmp_new_pass = $salt . $newPassword;
+						$account->setCustomField('salt', $salt);
+					}
+
+					$account->setPassword(encrypt($tmp_new_pass));
+					$account->save();
+					$account->setCustomField('email_code', '');
+
+					$mailBody = $twig->render('mail.account.lost.new-password.html.twig', [
+						'account' => $account,
+						'newPassword' => $newPassword,
+					]);
+
+					$statusMsg = '';
+					if (_mail($account->getCustomField('email'), configLua('serverName') . ' - Your new password', $mailBody)) {
+						$statusMsg = '<br /><small>New password work! Sent e-mail with your password and account name. You should receive this e-mail in 15 minutes. You can login now with new password!';
+					} else {
+						$statusMsg = '<br /><p class="error">New password work! An error occurred while sending email! You will not receive e-mail with new password. For Admin: More info can be found in system/logs/mailer-error.log';
+					}
+
+					$twig->display('account/lost/finish.new-password.html.twig', [
+						'statusMsg' => $statusMsg,
+						'newPassword' => $newPassword,
+					]);
+				}
+			} else {
+				$passwordFailed = true;
+				$errors[] = Validator::getLastError();
+			}
+		}
+		else {
+			$passwordFailed = true;
+			$errors[] = 'Passwords are not the same!';
+		}
+	}
+	else {
+		$errors[] = 'Wrong code to change password.';
+	}
+}
+else {
+	$errors[] = "Account of this character or this character doesn't exist.";
+}
+
+if(!empty($errors)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+
+	echo '<br/>';
+
+	$template = 'account/lost/check-code.html.twig';
+	if($passwordFailed) {
+		$template = 'account/lost/check-code.finish.html.twig';
+	}
+
+	$twig->display($template, [
+		'code' => $code,
+		'character' => $character,
+	]);
+}
--- a/system/pages/account/lost/email/step-1.php
+++ b/system/pages/account/lost/email/step-1.php
@@ -0,0 +1,36 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+require __DIR__ . '/../base.php';
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$nick = $_REQUEST['nick'] ?? '';
+
+if($account->isLoaded()) {
+	if($account->getCustomField('email_next') < time()) {
+		$twig->display('account/lost/email.html.twig', [
+			'nick' => $nick,
+		]);
+	}
+	else {
+		lostAccountWriteCooldown($nick, (int)$account->getCustomField('email_next'));
+	}
+}
+else {
+	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost'),
+]);
--- a/system/pages/account/lost/recovery-key/step-1.php
+++ b/system/pages/account/lost/recovery-key/step-1.php
@@ -0,0 +1,38 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$nick = $_REQUEST['nick'] ?? '';
+$key = $_REQUEST['key'] ?? '';
+
+if($account->isLoaded()) {
+	$account_key = $account->getCustomField('key');
+
+	if(!empty($account_key)) {
+		$twig->display('account/lost/recovery-key.step-1.html.twig', [
+			'nick' => $nick,
+			'key' => $key,
+		]);
+	}
+	else {
+		$errors[] = 'Account of this character has no recovery key!';
+	}
+}
+else {
+	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost'),
+]);
--- a/system/pages/account/lost/recovery-key/step-2.php
+++ b/system/pages/account/lost/recovery-key/step-2.php
@@ -0,0 +1,49 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$key = $_REQUEST['key'] ?? '';
+$nick = $_REQUEST['nick'] ?? '';
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded()) {
+	$accountKey = $account->getCustomField('key');
+	if(!empty($accountKey)) {
+		if($accountKey == $key) {
+			$twig->display('account/lost/recovery-key.step-2.html.twig', [
+				'nick' => $nick,
+				'key' => $key,
+			]);
+		}
+		else {
+			$errors[] = 'Wrong recovery key!';
+		}
+	}
+	else {
+		$errors[] = 'Account of this character has no recovery key!';
+	}
+}
+else {
+	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost/step-1') . '?action=recovery-key&nick=' . urlencode($nick) . '&key=' . urlencode($key),
+]);
--- a/system/pages/account/lost/recovery-key/step-3.php
+++ b/system/pages/account/lost/recovery-key/step-3.php
@@ -0,0 +1,117 @@
+<?php
+
+use MyAAC\Models\Account as AccountModel;
+
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$key = $_POST['key'];
+$nick = $_POST['nick'] ?? '';
+$newPassword = $_POST['password'] ?? '';
+$passwordRepeat = $_POST['password_repeat'] ?? '';
+$newEmail = $_POST['email'] ?? '';
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded()) {
+	$accountKey = $account->getCustomField('key');
+
+	if(!empty($accountKey)) {
+		if($accountKey == $key) {
+			if(Validator::password($newPassword)) {
+				if ($newPassword == $passwordRepeat) {
+					if (Validator::email($newEmail)) {
+						$emailExists = AccountModel::where('email', $newEmail)->count() > 0;
+						if (!$emailExists) {
+
+							$hooks->trigger(HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_3_POST);
+
+							if (empty($errors)) {
+								$account->setEMail($newEmail);
+
+								$tmp_new_pass = $newPassword;
+								if (USE_ACCOUNT_SALT) {
+									$salt = generateRandomString(10, false, true, true);
+									$tmp_new_pass = $salt . $newPassword;
+								}
+
+								$account->setPassword(encrypt($tmp_new_pass));
+								$account->save();
+
+								if (USE_ACCOUNT_SALT) {
+									$account->setCustomField('salt', $salt);
+								}
+
+								$statusMsg = '';
+								if ($account->getCustomField('email_next') < time()) {
+									$mailBody = $twig->render('mail.account.lost.new-email.html.twig', [
+										'account' => $account,
+										'newPassword' => $newPassword,
+										'newEmail' => $newEmail,
+									]);
+
+									if (_mail($account->getCustomField('email'), configLua('serverName') . ' - New password to your account', $mailBody)) {
+										$statusMsg = '<br /><small>Sent e-mail with your account name and password to new e-mail. You should receive this e-mail in 15 minutes. You can login now with new password!</small>';
+									} else {
+										$statusMsg = '<br /><p class="error">An error occurred while sending email! You will not receive e-mail with this informations. For Admin: More info can be found in system/logs/mailer-error.log</p>';
+									}
+								} else {
+									$statusMsg = '<br /><small>You will not receive e-mail with this informations.</small>';
+								}
+
+								$twig->display('account/lost/finish.new-email.html.twig', [
+									'statusMsg' => $statusMsg,
+									'account' => $account,
+									'newPassword' => $newPassword,
+									'newEmail' => $newEmail,
+								]);
+
+								return;
+							}
+						}
+						else {
+							$errors[] = 'This email is already registered!';
+						}
+					} else {
+						$errors[] = Validator::getLastError();
+					}
+				}
+				else {
+					$errors[] = 'Passwords are not the same!';
+				}
+			}
+			else {
+				$errors[] = Validator::getLastError();
+			}
+		}
+		else {
+			$errors[] = 'Wrong recovery key!';
+		}
+	}
+	else {
+		$errors[] = 'Account of this character has no recovery key!';
+	}
+}
+else {
+	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
+}
+
+if (!empty($errors)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => $errors,
+	]);
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost/recovery-key/step-2') . '?nick=' . urlencode($nick) . '&key=' . urlencode($key),
+]);
--- a/system/pages/account/lost/step-1.php
+++ b/system/pages/account/lost/step-1.php
@@ -0,0 +1,26 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+csrfProtect();
+
+$title = 'Lost Account';
+
+$nick = $_REQUEST['nick'] ?? '';
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if (ACTION == 'email') {
+	require __DIR__ . '/email/step-1.php';
+}
+else if (ACTION == 'recovery-key') {
+	require __DIR__ . '/recovery-key/step-1.php';
+}
+else {
+	$twig->display('account/lost/no-action.html.twig');
+}
+
--- a/system/pages/account/manage.php
+++ b/system/pages/account/manage.php
@@ -8,6 +8,9 @@
 * @copyright 2019 MyAAC
 * @link      https://my-aac.org
 */
+
+use MyAAC\TwoFactorAuth\TwoFactorAuth;
+
 defined('MYAAC') or die('Direct access not allowed!');

 $title = 'Account Management';
@@ -38,15 +41,24 @@ csrfProtect();

 $groups = new OTS_Groups_List();

-$freePremium = isset($config['lua']['freePremium']) && getBoolean($config['lua']['freePremium']) || $account_logged->getPremDays() == OTS_Account::GRATIS_PREMIUM_DAYS;
-$dayOrDays = $account_logged->getPremDays() == 1 ? 'day' : 'days';
 /**
 * @var OTS_Account $account_logged
 */
-if(!$account_logged->isPremium())
+$premDays = $account_logged->getPremDays();
+
+$freePremium = isset($config['lua']['freePremium']) && getBoolean($config['lua']['freePremium']) || $premDays == OTS_Account::GRATIS_PREMIUM_DAYS;
+$dayOrDays = ($premDays == 1 ? 'day' : 'days');
+
+$vipSystemEnabled = isset($config['lua']['vipSystemEnabled']) && getBoolean($config['lua']['vipSystemEnabled']);
+$premiumLabel = $vipSystemEnabled ? 'VIP' : 'Premium Account';
+
+if ($freePremium && !$vipSystemEnabled) {
+	$account_status = '<b><span style="color: green">Gratis Premium Account</span></b>';
+} else if(!$account_logged->isPremium()) {
 	$account_status = '<b><span style="color: red">Free Account</span></b>';
-else
-	$account_status = '<b><span style="color: green">' . ($freePremium ? 'Gratis Premium Account' : 'Premium Account, ' . $account_logged->getPremDays() . ' '.$dayOrDays.' left') . '</span></b>';
+} else {
+	$account_status = '<b><span style="color: green">' . $premiumLabel . ', ' . $premDays . ' '.$dayOrDays.' left</span></b>';
+}

 $recovery_key = $account_logged->getCustomField('key');
 if(empty($recovery_key))
@@ -87,12 +99,8 @@ if($email_new_time > 1)
 	}
 }

-$actions = array();
-foreach($account_logged->getActionsLog(0, 1000) as $action) {
-	$actions[] = array('action' => $action['action'], 'date' => $action['date'], 'ip' => $action['ip'] != 0 ? long2ip($action['ip']) : inet_ntop($action['ipv6']));
-}
+$actions = $account_logged->getActionsLog(1000);

-$players = array();
 /** @var OTS_Players_List $account_players */
 $account_players = $account_logged->getPlayersList();
 $account_players->orderBy('id');
@@ -111,6 +119,8 @@ $twig->display('account.management.html.twig', array(
 	'account_registered' => $account_registered,
 	'account_rlname' => $account_rlname,
 	'account_location' => $account_location,
+	'twoFactorViews' => TwoFactorAuth::getInstance($account_logged)->getAccountManageViews(),
+
 	'actions' => $actions,
-	'players' => $account_players
+	'players' => $account_players,
 ));
--- a/Show More
+++ b/Show More