From 9f5d85706c04bda063dfb2a7c47bfaa8fca26eb4 Mon Sep 17 00:00:00 2001
From: Yorhel <git@yorhel.nl>
Date: Tue, 1 Oct 2019 14:53:13 +0200
Subject: v2rw: Convert registration, account activation and password reset

This is largely copy-paste from v3.
---
 lib/VNDB/Handler/Users.pm | 220 ----------------------------------------------
 1 file changed, 220 deletions(-)

(limited to 'lib/VNDB/Handler/Users.pm')

diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index 08c34245..171b6b4f 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -13,11 +13,6 @@ use PWLookup;
 
 TUWF::register(
   qr{u([1-9]\d*)}             => \&userpage,
-  qr{u/newpass}               => \&newpass,
-  qr{u/newpass/sent}          => \&newpass_sent,
-  qr{u([1-9]\d*)/setpass}     => \&setpass,
-  qr{u/register}              => \&register,
-  qr{u/register/done}         => \&register_done,
   qr{u([1-9]\d*)/edit}        => \&edit,
   qr{u([1-9]\d*)/posts}       => \&posts,
   qr{u([1-9]\d*)/del(/[od])?} => \&delete,
@@ -143,221 +138,6 @@ sub userpage {
 }
 
 
-sub _check_throttle {
-  my $self = shift;
-  my $tm = $self->dbThrottleGet(norm_ip($self->reqIP));
-  if($tm-time() > $self->{login_throttle}[1]) {
-    $self->htmlHeader(title => 'Login');
-    div class => 'mainbox';
-     h1 'Login';
-     div class => 'warning';
-      h2 'Maximum failed login attempts reached.';
-      p;
-       txt 'Login has been temporarily disabled for your IP address. You can wait a few hours and try again,'
-          .' or you can try from a different IP address. If you forgot your password, you can still use the ';
-       a href => '/u/newpass', 'password reset';
-       txt ' functionality. If you still have trouble logging in, send a mail to ';
-       a href => 'mailto:contact@vndb.org', 'contact@vndb.org';
-       txt '.';
-      end;
-     end;
-    end 'div';
-    $self->htmlFooter;
-    return undef;
-  }
-  $tm
-}
-
-
-sub newpass {
-  my $self = shift;
-
-  return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
-
-  my($frm, $uid, $token);
-  if($self->reqMethod eq 'POST') {
-    return if !$self->authCheckCode;
-    $frm = $self->formValidate({ post => 'mail', template => 'email' });
-    if(!$frm->{_err}) {
-      ($uid, $token) = $self->authResetPass($frm->{mail});
-      $frm->{_err} = [ 'No user found with that email address' ] if !$uid;
-    }
-    if(!$frm->{_err}) {
-      my $u = $self->dbUserGet(uid => $uid)->[0];
-      my $body = sprintf
-         "Hello %s,\n\nYour VNDB.org login has been disabled, you can now set a new password by following the link below:\n\n"
-        ."%s\n\nNow don't forget your password again! :-)\n\nvndb.org",
-        $u->{username}, $self->reqBaseURI()."/u$u->{id}/setpass?t=$token";
-      $self->mail($body,
-        To => $frm->{mail},
-        From => 'VNDB <noreply@vndb.org>',
-        Subject => "Password reset for $u->{username}",
-      );
-      return $self->resRedirect('/u/newpass/sent', 'post');
-    }
-  }
-
-  $self->htmlHeader(title => 'Forgot password', noindex => 1);
-  div class => 'mainbox';
-   h1 'Forgot password';
-   p 'Forgot your password and can\'t login to VNDB anymore?'
-    .' Don\'t worry! Just give us the email address you used to register on VNDB,'
-    .' and we\'ll send you instructions to set a new password within a few minutes!';
-  end;
-  $self->htmlForm({ frm => $frm, action => '/u/newpass' }, newpass => [ 'Reset password',
-    [ input  => short => 'mail', name => 'Email' ],
-  ]);
-  $self->htmlFooter;
-}
-
-
-sub newpass_sent {
-  my $self = shift;
-  return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
-  $self->htmlHeader(title => 'New password', noindex => 1);
-  div class => 'mainbox';
-   h1 'New password';
-   div class => 'notice';
-    p 'Your password has been reset and instructions to set a new one should reach your mailbox in a few minutes.';
-   end;
-  end;
-  $self->htmlFooter;
-}
-
-
-# /u+/setpass had two modes: With a token (?t=xxx), to set the password after a
-# 'register' or 'newpass', or without a token, after the user tried to log in
-# with a weak password (that mode has been moved into v2rw).
-sub setpass {
-  my($self, $uid) = @_;
-  return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
-
-  my $t = $self->formValidate({param => 't', required => 0, regex => qr/^[a-f0-9]{40}$/i });
-  return $self->resNotFound if $t->{_err};
-  $t = $t->{t};
-
-  my $u = $self->dbUserGet(uid => $uid)->[0];
-  return $self->resNotFound if !$u || ($t && !$self->authIsValidToken($u->{id}, $t));
-
-  my $tm = !$t && _check_throttle($self);
-  return if !$t && !defined $tm;
-
-  my $frm;
-  if($self->reqMethod eq 'POST') {
-    return if !$self->authCheckCode("/u$u->{id}/setpass");
-    $frm = $self->formValidate(
-      $t ? () : (
-        { post => 'curpass',  minlength => 4, maxlength => 500 },
-      ),
-      { post => 'usrpass',  minlength => 4, maxlength => 500 },
-      { post => 'usrpass2', minlength => 4, maxlength => 500 },
-    );
-    push @{$frm->{_err}}, 'Passwords do not match' if $frm->{usrpass} ne $frm->{usrpass2};
-    push @{$frm->{_err}}, 'Your chosen password is in a database of leaked passwords, please choose another one.'
-      if $self->{password_db} && PWLookup::lookup($self->{password_db}, $frm->{usrpass});
-
-    if(!$frm->{_err}) {
-      $self->dbUserEdit($uid, email_confirmed => 1);
-      return if $self->authSetPass($uid, $frm->{usrpass}, "/u$uid", $t ? (token => $t) : (pass => $frm->{curpass}));
-      $self->dbThrottleSet(norm_ip($self->reqIP), $tm+$self->{login_throttle}[0]);
-      push @{$frm->{_err}}, 'Invalid password';
-    }
-  }
-
-  $self->htmlHeader(title => "Set password for $u->{username}", noindex => 1);
-  $self->htmlForm({ frm => $frm, action => "/u$u->{id}/setpass" }, setpass => [ "Set password for $u->{username}",
-    [ hidden => short => 't', value => $t||'' ],
-    $t ? (
-      [ static => nolabel => 1, content => 'Now you can set a password for your account.'
-          .' You will be logged in automatically after your password has been saved.' ],
-    ) : (
-      [ static => nolabel => 1, content => "Your current password is in a database of leaked passwords, please change your password to continue.<br><br>" ],
-      [ passwd => short => 'curpass',  name => 'Current password' ],
-    ),
-    [ passwd => short => 'usrpass',  name => 'Password' ],
-    [ passwd => short => 'usrpass2', name => 'Confirm password' ],
-  ]);
-  $self->htmlFooter;
-}
-
-
-sub register {
-  my $self = shift;
-  return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
-
-  my $frm;
-  if($self->reqMethod eq 'POST') {
-    return if !$self->authCheckCode;
-    $frm = $self->formValidate(
-      { post => 'usrname',  template => 'uname' },
-      { post => 'mail',     template => 'email' },
-      { post => 'type',     enum => [1..3] },
-      { post => 'answer',   template => 'uint' },
-    );
-    my $num = $self->{stats}{[qw|vn releases producers|]->[ $frm->{type} - 1 ]};
-    push @{$frm->{_err}}, 'Question was not correctly answered. Are you sure you are a human?'
-      if !$frm->{_err} && ($frm->{answer} > $num*1.005 || $frm->{answer} < $num*0.995);
-    push @{$frm->{_err}}, 'Someone already has this username, please choose another name'
-      if $frm->{usrname} eq 'anonymous' || !$frm->{_err} && $self->dbUserGet(username => $frm->{usrname})->[0]{id};
-    push @{$frm->{_err}}, 'Someone already registered with that email address'
-      if !$frm->{_err} && $self->dbUserEmailExists($frm->{mail});
-
-    # Use /32 match for IPv4 and /48 for IPv6. The /48 is fairly broad, so some
-    # users may have to wait a bit before they can register...
-    my $ip = $self->reqIP;
-    push @{$frm->{_err}}, 'You can only register one account from the same IP within 24 hours'
-      if !$frm->{_err} && $self->dbUserGet(ip => $ip =~ /:/ ? "$ip/48" : $ip, registered => time-24*3600)->[0]{id};
-
-    if(!$frm->{_err}) {
-      my $uid = $self->dbUserAdd($frm->{usrname}, $frm->{mail});
-      my(undef, $token) = $self->authResetPass($frm->{mail});
-      my $body = sprintf "Hello %s,\n\n"
-        ."Someone has registered an account on VNDB.org with your email address. To confirm your registration, follow the link below.\n\n"
-        ."%s\n\n"
-        ."If you don't remember creating an account on VNDB.org recently, please ignore this e-mail.\n\n"
-        ."vndb.org",
-        $frm->{usrname}, $self->reqBaseURI()."/u$uid/setpass?t=$token";
-      $self->mail($body,
-        To => $frm->{mail},
-        From => 'VNDB <noreply@vndb.org>',
-        Subject => "Confirm registration for $frm->{usrname}",
-      );
-      return $self->resRedirect('/u/register/done', 'post');
-    }
-  }
-
-  $self->htmlHeader(title => 'Create an account', noindex => 1);
-
-  my $type = $frm->{type} || floor(rand 3)+1;
-  $self->htmlForm({ frm => $frm, action => '/u/register' }, register => [ 'Create an account',
-    [ hidden => short => 'type', value => $type ],
-    [ input  => short => 'usrname', name => 'Username' ],
-    [ static => content => 'Preferred username. Must be lowercase and can only consist of alphanumeric characters.' ],
-    [ input  => short => 'mail', name => 'Email' ],
-    [ static => content => 'Your email address will only be used in case you lose your password.'
-        .' We will never send spam or newsletters unless you explicitly ask us for it or we get hacked.<br /><br />' ],
-    [ static => content => sprintf '<br /><br />How many %s do we have in the database? (Hint: look to your left)',
-        ['visual novels', 'releases', 'producers']->[$type-1] ],
-    [ input  => short => 'answer', name => 'Answer' ],
-  ]);
-  $self->htmlFooter;
-}
-
-
-sub register_done {
-  my $self = shift;
-  return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
-  $self->htmlHeader(title => 'Account created', noindex => 1);
-  div class => 'mainbox';
-   h1 'Account created';
-   div class => 'notice';
-    p 'Your account has been created! In a few minutes, you should receive an email with instructions to set your password.';
-   end;
-  end;
-  $self->htmlFooter;
-}
-
-
 sub edit {
   my($self, $uid) = @_;
 
-- 
cgit v1.2.3