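get('username')) ) {
    $redirect->url($url_success);
    makeitso();
}
// The condition above begins before this excerpt; it appears to short-circuit
// when the session already carries a username (presumably an authenticated user).

/*
 * Login authentication handler.
 *
 * Flow: session (CSRF) token check -> input handling -> user lookup ->
 * password verification -> account state check -> session population
 * and redirect. Every failure is recorded through $messages, and each
 * later stage runs only while no error has been collected.
 *
 * Collaborators ($session, $post, $v, $db, $log, $messages, $redirect,
 * $config, $url_success, $url_fail) are provided by the surrounding file.
 */

// Make sure Session Token is correct.
// hash_equals() is a constant-time, strict string comparison; the loose `!=`
// used previously would compare numeric-looking tokens numerically. A missing
// token on either side is rejected outright instead of letting null == null pass.
$sessionToken = (string) ($session->get('token') ?? '');
$postToken    = (string) ($post->get('token') ?? '');
if ($sessionToken === '' || $postToken === '' || !hash_equals($sessionToken, $postToken)) {
    $messages->addMessage('error', "Invalid Session.");
    $log->error("Login Authentication - Invalid Session Token");
}

// Handle Username
$rawUsername   = $post->get('username', null);
$cleanUsername = $v->clean($rawUsername);                // Clean the input
$username      = strtolower((string) $cleanUsername);    // Lower-case form used for the lookup
// Compare against '' rather than relying on truthiness so the username "0" is not rejected.
if ($username === '') {
    $messages->addMessage('error', "No Username given.");
}

// Handle Password
// NOTE(review): the password is passed through $v->clean(); this only works if
// registration hashed the cleaned value too — confirm against the registration code.
$password = $v->clean($post->get('password', null));
// empty() would also reject the literal password "0"; check for absence explicitly.
if ($password === null || $password === '') {
    $messages->addMessage('error', "Password Empty.");
}

/*************************************************************************************************************
 * Query Database
 ************************************************************************************************************/
if ($messages->count('error') === 0) {
    // Parameterised lookup; the same value is tried as username and as e-mail.
    $query   = "SELECT id, username, email, password, blocked FROM users WHERE username = ? OR email = ?";
    $matched = $db->getRow($query, [$username, $username]);
    if (empty($matched)) {
        // Same message as a wrong password so the response does not reveal which accounts exist.
        $messages->addMessage('error', "User or Password incorrect.");
        $log->warning("Login Authentication - Login Error, user doesn't exist");
    }
}

if ($messages->count('error') === 0) {
    // Re-apply pepper: the stored hash was computed over hmac(password, secure_key), not the raw password.
    $peppered = hash_hmac('sha3-512', $password, $config['secure_key']);
    // Verify hashed password
    if (!password_verify($peppered, $matched['password'])) {
        $messages->addMessage('error', "User or Password incorrect.");
        $log->warning("Login Authentication - Login Error, password wrong");
    }
}

// The query fetches `blocked`, but the original never acted on it, so a blocked
// account could still log in. Checked after password verification so that the
// block status is only revealed to someone holding valid credentials.
// Assumes `blocked` is a truthy flag — TODO confirm against the schema.
if ($messages->count('error') === 0 && !empty($matched['blocked'])) {
    $messages->addMessage('error', "Account blocked.");
    $log->warning("Login Authentication - Login Error, account blocked");
}

// Process Login or Redirect
if ($messages->count('error') === 0) {
    $query  = "SELECT groupName FROM user_groups WHERE user_id = ?";
    $groups = $db->getRow($query, [$matched['id']]);
    // Store the canonical username from the database rather than the submitted
    // value, which may have been the e-mail address (the lookup accepts either).
    $session->set('username', $matched['username']);
    // A user with no group row previously triggered an undefined-index warning.
    $session->set('group', $groups['groupName'] ?? null);
    // NOTE(review): the session id is not rotated here; if $session offers a
    // regenerate method, call it at this point to prevent session fixation.
    $redirect->url($url_success);
    $log->info("Login Authentication - Login Success"); // closing quote was missing in the original
} else {
    $redirect->url($url_fail);
}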