accounts_handler.php

<?php
// This file carries functions related to accounts.

function get_avatar_url($bcid):string {

    $exists = db_execute('SELECT public FROM avatars WHERE id = ? LIMIT 1', [$bcid]);

    if (empty($exists)) {
        return '/assets/default.png';
    }

    return '/public/avatars/' . $bcid;
}

function get_display_name($bcid, $use_bcid_fallback=true, $put_bcid_in_parenthesis=false, $format_bcid=false):string {
	$display_name = db_execute("SELECT display_name FROM accounts WHERE id = ?", [$bcid])['display_name'];
	if (!empty($display_name)) {
        if ($put_bcid_in_parenthesis) {
            return $display_name . " ($bcid)";
        }
		return $display_name;
	}

	if ($use_bcid_fallback) {
		return $bcid;
	}

	return "";
}

// Tokens so apps can get VERY BASIC information

function generate_basic_access_token($bcid, $application_id=""): array
{
    // Returns an access token, a refresh token and an expiry timestamp.

    $access_token = md5(uniqid(more_entropy: true).rand(1000000, 9999999));
    $refresh_token = md5(uniqid("rfish").rand(1000000, 9999999));

    $valid_time = 12; // in hours
    $expiry = time() + ($valid_time * 60 * 60);

//    echo $access_token . ":" . $refresh_token;

    if ($application_id) {
        db_execute(
            "INSERT INTO tokens (access_token, refresh_token, expiry, owner_id, application_id, permissions) VALUES (?,?,?,?,?, (1<<0 | 1<<1))",
            [$access_token, $refresh_token, $expiry, $bcid, $application_id]
        );
    } else {
        db_execute(
            "INSERT INTO tokens (access_token, refresh_token, expiry, owner_id, permissions) VALUES (?,?,?,?, (1<<0 | 1<<1))",
            [$access_token, $refresh_token, $expiry, $bcid]
        );
    }

    return [
        "access" => $access_token,
        "refresh" => $refresh_token,
        "expiry" => $expiry,
        "id" => $bcid
    ];
}

function generate_token($bcid, $application_id=null, $permissions=0): array {
    $access_token = md5(uniqid(more_entropy: true).rand(1000000, 9999999));
    $refresh_token = md5(uniqid("rfish").rand(1000000, 9999999));

    $valid_time = 12; // in hours
    $expiry = time() + ($valid_time * 60 * 60);

    db_execute(
        "INSERT INTO tokens (access_token, refresh_token, expiry, owner_id, application_id, permissions, type) VALUES (?,?,?,?,?,?, 'oauth')",
        [$access_token, $refresh_token, $expiry, $bcid, $application_id, $permissions]
    );

    return [
        "access" => $access_token,
        "refresh" => $refresh_token,
        "permissions" => $permissions,
        "expiry" => $expiry,
        "id" => $bcid
    ];
}

function generate_cookie_access_token($bcid) {
    $access_token = md5(uniqid(prefix: "COOKIECOOKIECOOKIE", more_entropy: true).rand(1000000, 9999999));

    $valid_time = 365 * 24; // 1 year
    $expiry = time() + ($valid_time * 60 * 60);

//    echo $access_token . ":" . $refresh_token;

    db_execute(
        "INSERT INTO tokens (access_token, expiry, owner_id, type) VALUES (?,?,?,'cookie')",
        [$access_token, $expiry, $bcid]
    );

    return [
        "access" => $access_token,
        "expiry" => $expiry,
        "id" => $bcid
    ];
}

function validate_access_token($access_token): bool
{
    $token_details = db_execute("SELECT * FROM tokens WHERE access_token = ?", [$access_token]);
    if (null == $token_details) {
        return false;
    }
    if (time() > $token_details['expiry']) {
        db_execute("DELETE FROM tokens where access_token = ?", [$access_token]);
        return false;
    }
    return true;
}

// Password resets
const PASSWORD_RESET_VALIDITY = 300; // in seconds.
function create_password_reset($bcid):string {
	// Returns a password reset link.
	global $pdo;

	$reset_time = time() + PASSWORD_RESET_VALIDITY;

	$auth_token = generateRandomString(65);

	$sql = 'INSERT INTO `password_resets` (auth_id, owner_id, expiration) VALUES (?, ?, ?)';

	try{
		$stmt = $pdo->prepare($sql);
		$stmt->execute([$auth_token, $bcid, $reset_time]);
		$reset_id = $pdo->lastInsertId();
	} catch (PDOException $e) {
		http_response_code(500);
		die("An error occurred with the database. (12)");
	}

	return BASE_URL.'/reset/password?reset_id='.$reset_id.'&reset_token='.$auth_token;
}

function validate_password_reset($reset_id, $reset_token):bool {
	global $pdo;

	$sql = 'SELECT * FROM password_resets WHERE id = ?';

	try {
		$stmt = $pdo->prepare($sql);
		$stmt->execute([$reset_id]);
		$result = $stmt->fetch();
	} catch (PDOException $e) {
		http_response_code(500);
		die("An error occurred fetching data from the database. (11)
		$e");
	}

	if (empty($result)) {
		echo "<pre>";
		throw new Exception('Todokete setsuna sa ni wa
Namae wo tsukeyou ka "Snow halation"
Omoi ga kasanaru made matezu ni
Kuyashii kedo sukitte junjou
Binetsu no naka tameratte mo dame da ne
Tobikomu yuuki ni sansei mamonaku start!');
	}

	if ($result['auth_id'] == $reset_token && !hasTimePassed($result['expiration'])) {
		return true;
	} elseif ($result['auth_id'] == $reset_token && hasTimePassed($result['expiration'])) {
		$sql = 'DELETE FROM password_resets WHERE id = ?';
		try {
			$stmt = $pdo -> prepare(($sql));
			$stmt->execute([$reset_id]);
			die("Sorry, that link expired. Please request a new one.");
		} catch (PDOException $e) {
			http_response_code(500);
			die("An error occurred deleting data from the database. That link was expired anyway, so request a new one. (13b)
		$e");
		}
	}

	return false;

}

function get_id_for_password_reset($reset_id, $reset_token):string {
	global $pdo;
	$sql = 'SELECT * FROM password_resets WHERE id = ?';

	try {
		$stmt = $pdo->prepare($sql);
		$stmt->execute([$reset_id]);
		$result = $stmt->fetch();
	} catch (PDOException $e) {
		http_response_code(500);
		die("An error occurred fetching data from the database. (11)
		$e");
	}

	return $result['owner_id'];
}

function delete_password_reset($reset_id, $reset_token): void
{
	global $pdo;
	$sql = 'DELETE FROM password_resets WHERE id = ?';
	try {
		$stmt = $pdo->prepare(($sql));
		$stmt->execute([$reset_id]);
		header("Location: /signin");
		die();
	} catch (PDOException $e) {
		http_response_code(500);
		die("An error occurred deleting data from the database. (13)
		$e");
	}
}