public/takelogin.php

<?php
require_once("../include/bittorrent.php");
header("Content-Type: text/html; charset=utf-8");
if (!mkglobal("username"))
	die();
dbconn();
require_once(get_langfile_path("", false, get_langfolder_cookie()));
failedloginscheck ();
cur_user_check () ;
$ip = getip();
function bark($text = "")
{
  global $lang_takelogin;
  $text =  ($text == "" ? $lang_takelogin['std_login_fail_note'] : $text);
  stderr($lang_takelogin['std_login_fail'], $text,false);
}
if ($iv == "yes") {
    check_code ($_POST['imagehash'], $_POST['imagestring'],'login.php',true);
}
//同时支持新旧两种登录方式
$useChallengeResponse = \App\Models\Setting::getIsUseChallengeResponseAuthentication();
if ($useChallengeResponse) {
    if (empty($_POST['response'])) {
        failedlogins("Require response parameter.");
    }
} else {
    if (empty($_POST['password'])) {
        failedlogins("Require password parameter.");
    }
}

$res = sql_query("SELECT id, passhash, secret, auth_key, enabled, status, two_step_secret, lang FROM users WHERE BINARY username = " . sqlesc($username));
$row = mysql_fetch_array($res);

if (!$row)
	failedlogins();
if ($row['status'] == 'pending')
	failedlogins($lang_takelogin['std_user_account_unconfirmed']);
if ($row["enabled"] == "no")
    bark($lang_takelogin['std_account_disabled']);

if (!empty($row['two_step_secret'])) {
    if (empty($_POST['two_step_code'])) {
        failedlogins($lang_takelogin['std_require_two_step_code']);
    }
    $ga = new \PHPGangsta_GoogleAuthenticator();
    if (!$ga->verifyCode($row['two_step_secret'], $_POST['two_step_code'])) {
        failedlogins($lang_takelogin['std_invalid_two_step_code']);
    }
}
$log = "user: {$row['id']}, ip: $ip";
$update = [];
if ($useChallengeResponse) {
    $challenge = \Nexus\Database\NexusDB::cache_get(get_challenge_key($username));
    if (empty($challenge)) {
        failedlogins("expired");
    }
    $log .= ", useChallengeResponse, client response: " . $_POST['response'];
} else {
    $passwordHash = hash('sha256', $row['secret'] . hash('sha256', $_POST['password']));
    $log .= ", !useChallengeResponse, passwordHash: $passwordHash";
    if (empty($row['auth_key'])) {
        //先使用旧的验证方式验证
        if ($row["passhash"] != md5($row["secret"] . $_POST['password'] . $row["secret"])) {
            do_log("$log, md5 not equal");
            login_failedlogins();
        }
        $log .= ", no auth_key, upgrade to challenge response";
        //自动升级为新的验证方式
        $update['passhash'] = $row['passhash'] = $passwordHash;
    }
    //后端自动生成挑战响应
    $challenge = mksecret();
    $_POST['response'] = hash_hmac('sha256', $passwordHash, $challenge);
    $log .= ", server generate response: " . $_POST['response'];
}
$expectedResponse = hash_hmac('sha256', $row['passhash'], $challenge);
$log .= ", expectedResponse: $expectedResponse";
if (!hash_equals($expectedResponse, $_POST["response"])) {
    do_log("$log, !hash_equals");
    login_failedlogins();
}
\Nexus\Database\NexusDB::cache_del(get_challenge_key($username));
do_log("$log, login successful");
$userRep = new \App\Repositories\UserRepository();
$userRep->saveLoginLog($row['id'], $ip, 'Web', true);

//update user lang
$language = \App\Models\Language::query()->where("site_lang_folder", get_langfolder_cookie())->first();

if ($language && $language->id != $row["lang"]) {
    do_log(sprintf("update user: %s lang: %s => %s", $row["id"], $row["lang"], $language->id));
    $update["lang"] = $language->id;
}
if (empty($row['auth_key'])) {
    $row['auth_key'] = $update['auth_key'] = hash('sha256', mksecret(32));
}
if (!empty($update)) {
    \App\Models\User::query()->where("id", $row["id"])->update($update);
    clear_user_cache($row["id"]);
}

if (isset($_POST["logout"]) && $_POST["logout"] == "yes")
{
	logincookie($row["id"], $row['auth_key'],900);
}
else
{
    logincookie($row["id"], $row['auth_key']);
}

if (!empty($_POST["returnto"]))
	nexus_redirect($_POST['returnto']);
else
	nexus_redirect("index.php");
?>
init 2020-12-26 01:42:23 +08:00			`<?php`
add composer 2021-01-13 19:32:26 +08:00			`require_once("../include/bittorrent.php");`
init 2020-12-26 01:42:23 +08:00			`header("Content-Type: text/html; charset=utf-8");`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`if (!mkglobal("username"))`
init 2020-12-26 01:42:23 +08:00			`die();`
			`dbconn();`
			`require_once(get_langfile_path("", false, get_langfolder_cookie()));`
			`failedloginscheck ();`
			`cur_user_check () ;`
secure login use ip instead of REMOTE_ADDR 2022-08-25 22:38:06 +08:00			`$ip = getip();`
init 2020-12-26 01:42:23 +08:00			`function bark($text = "")`
			`{`
			`global $lang_takelogin;`
			`$text = ($text == "" ? $lang_takelogin['std_login_fail_note'] : $text);`
			`stderr($lang_takelogin['std_login_fail'], $text,false);`
			`}`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`if ($iv == "yes") {`
			`check_code ($_POST['imagehash'], $_POST['imagestring'],'login.php',true);`
			`}`
			`//同时支持新旧两种登录方式`
			`$useChallengeResponse = \App\Models\Setting::getIsUseChallengeResponseAuthentication();`
			`if ($useChallengeResponse) {`
			`if (empty($_POST['response'])) {`
			`failedlogins("Require response parameter.");`
			`}`
			`} else {`
			`if (empty($_POST['password'])) {`
			`failedlogins("Require password parameter.");`
			`}`
			`}`

API: torrents upload/list 2025-04-17 01:39:40 +07:00			`$res = sql_query("SELECT id, passhash, secret, auth_key, enabled, status, two_step_secret, lang FROM users WHERE BINARY username = " . sqlesc($username));`
init 2020-12-26 01:42:23 +08:00			`$row = mysql_fetch_array($res);`

			`if (!$row)`
			`failedlogins();`
			`if ($row['status'] == 'pending')`
			`failedlogins($lang_takelogin['std_user_account_unconfirmed']);`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`if ($row["enabled"] == "no")`
			`bark($lang_takelogin['std_account_disabled']);`
init 2020-12-26 01:42:23 +08:00
Google Authenticator 2021-06-10 21:07:20 +08:00			`if (!empty($row['two_step_secret'])) {`
			`if (empty($_POST['two_step_code'])) {`
			`failedlogins($lang_takelogin['std_require_two_step_code']);`
			`}`
			`$ga = new \PHPGangsta_GoogleAuthenticator();`
			`if (!$ga->verifyCode($row['two_step_secret'], $_POST['two_step_code'])) {`
			`failedlogins($lang_takelogin['std_invalid_two_step_code']);`
			`}`
			`}`
secure login use ip instead of REMOTE_ADDR 2022-08-25 22:38:06 +08:00			`$log = "user: {$row['id']}, ip: $ip";`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`$update = [];`
			`if ($useChallengeResponse) {`
			`$challenge = \Nexus\Database\NexusDB::cache_get(get_challenge_key($username));`
			`if (empty($challenge)) {`
			`failedlogins("expired");`
			`}`
			`$log .= ", useChallengeResponse, client response: " . $_POST['response'];`
			`} else {`
			`$passwordHash = hash('sha256', $row['secret'] . hash('sha256', $_POST['password']));`
			`$log .= ", !useChallengeResponse, passwordHash: $passwordHash";`
			`if (empty($row['auth_key'])) {`
			`//先使用旧的验证方式验证`
			`if ($row["passhash"] != md5($row["secret"] . $_POST['password'] . $row["secret"])) {`
			`do_log("$log, md5 not equal");`
			`login_failedlogins();`
			`}`
			`$log .= ", no auth_key, upgrade to challenge response";`
			`//自动升级为新的验证方式`
			`$update['passhash'] = $row['passhash'] = $passwordHash;`
			`}`
			`//后端自动生成挑战响应`
			`$challenge = mksecret();`
			`$_POST['response'] = hash_hmac('sha256', $passwordHash, $challenge);`
			`$log .= ", server generate response: " . $_POST['response'];`
			`}`
			`$expectedResponse = hash_hmac('sha256', $row['passhash'], $challenge);`
			`$log .= ", expectedResponse: $expectedResponse";`
			`if (!hash_equals($expectedResponse, $_POST["response"])) {`
			`do_log("$log, !hash_equals");`
login notify + bonus log 2023-01-31 16:38:21 +08:00			`login_failedlogins();`
			`}`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`\Nexus\Database\NexusDB::cache_del(get_challenge_key($username));`
			`do_log("$log, login successful");`
improve login notify + migrate torrent purchase to announce 2023-04-09 14:53:15 +08:00			`$userRep = new \App\Repositories\UserRepository();`
			`$userRep->saveLoginLog($row['id'], $ip, 'Web', true);`

login update user lang 2024-04-01 21:39:43 +08:00			`//update user lang`
			`$language = \App\Models\Language::query()->where("site_lang_folder", get_langfolder_cookie())->first();`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00
login update user lang 2024-04-01 21:39:43 +08:00			`if ($language && $language->id != $row["lang"]) {`
			`do_log(sprintf("update user: %s lang: %s => %s", $row["id"], $row["lang"], $language->id));`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`$update["lang"] = $language->id;`
			`}`
			`if (empty($row['auth_key'])) {`
			`$row['auth_key'] = $update['auth_key'] = hash('sha256', mksecret(32));`
			`}`
			`if (!empty($update)) {`
			`\App\Models\User::query()->where("id", $row["id"])->update($update);`
login update user lang 2024-04-01 21:39:43 +08:00			`clear_user_cache($row["id"]);`
			`}`

fix announce for directory change 2021-01-19 21:50:21 +08:00			`if (isset($_POST["logout"]) && $_POST["logout"] == "yes")`
init 2020-12-26 01:42:23 +08:00			`{`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`logincookie($row["id"], $row['auth_key'],900);`
init 2020-12-26 01:42:23 +08:00			`}`
Google Authenticator 2021-06-10 21:07:20 +08:00			`else`
init 2020-12-26 01:42:23 +08:00			`{`
Challenge-Response Authentication 2025-04-05 15:38:40 +07:00			`logincookie($row["id"], $row['auth_key']);`
init 2020-12-26 01:42:23 +08:00			`}`

			`if (!empty($_POST["returnto"]))`
login + logout nexus_redirect 2023-07-30 02:00:08 +08:00			`nexus_redirect($_POST['returnto']);`
init 2020-12-26 01:42:23 +08:00			`else`
login + logout nexus_redirect 2023-07-30 02:00:08 +08:00			`nexus_redirect("index.php");`
init 2020-12-26 01:42:23 +08:00			`?>`