##############################################################################
# The Faq-O-Matic is Copyright 1997 by Jon Howell, all rights reserved.      #
#                                                                            #
# This program is free software; you can redistribute it and/or              #
# modify it under the terms of the GNU General Public License                #
# as published by the Free Software Foundation; either version 2             #
# of the License, or (at your option) any later version.                     #
#                                                                            #
# This program is distributed in the hope that it will be useful,            #
# but WITHOUT ANY WARRANTY; without even the implied warranty of             #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              #
# GNU General Public License for more details.                               #
#                                                                            #
# You should have received a copy of the GNU General Public License          #
# along with this program; if not, write to the Free Software                #
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.#
#                                                                            #
# Jon Howell can be contacted at:                                            #
# 6211 Sudikoff Lab, Dartmouth College                                       #
# Hanover, NH  03755-3510                                                    #
# jonh@cs.dartmouth.edu                                                      #
#                                                                            #
# An electronic copy of the GPL is available at:                             #
# http://www.gnu.org/copyleft/gpl.html                                       #
#                                                                            #
##############################################################################

use strict;

package FAQ::OMatic::submitPass;

use CGI;
use FAQ::OMatic::Item;
use FAQ::OMatic;
use FAQ::OMatic::Auth;
use FAQ::OMatic::I18N;


sub main {
	my $cgi = FAQ::OMatic::dispatch::cgi();
	
	my $params = FAQ::OMatic::getParams($cgi);

	if ($params->{'_fromChangePass'} or $params->{'_badSecret'}) {
		# this is the user coming from changePass; send the secret
		# in email, and put up a page explaining what to do.
		my $id = $params->{'_id'} || '';
		if (not FAQ::OMatic::validEmail($id)) {
			FAQ::OMatic::gripe('error', gettext("An email address must look like 'name\@some.domain'.")
				."\n"
				.gettexta("If yours (%0) does and I keep rejecting it, please mail the administrator of this FAQ at %1 and tell him or her what's happening.",
					 $id, $FAQ::OMatic::Config::adminEmail));
		}
		my $pass = $params->{'_pass'} || '';
			# THANKS to Mark Shaw <mshaw@dal.asp.ti.com> for catching this
			# potential uninitialized value error.
		if (not ($pass =~ m/^\S*$/)) {
			FAQ::OMatic::gripe('error', gettext("Your password may not contain spaces or carriage returns."));
		}

		# put the secret in the IDfile, but don't put in the new
		# Only create a secret if user is coming straight from changePass.
		# Don't create ANOTHER secret if this is just the user
		# looping back around after entering a bad secret.
		if ($params->{'_fromChangePass'}) {
			my $secret = FAQ::OMatic::Entropy::gatherRandomString();
			my $restart = $params->{'_restart'} ||
				FAQ::OMatic::makeAref('faq', {}, 'url', 0, 'blastAll');
			# keep passwords out of the GET request fired up
			# when restarting after an authentication.
			# THANKS to
			# Cream-puff Casper Milquetoast <doughnut@doughnut.net>
			# for reporting this issue.
			my $saveurl = FAQ::OMatic::makeAref($restart,
				{'auth'=>'','pass'=>'','id'=>'',
				 '_id'=>'', '_pass'=>''},
				'url', 'saveTransients');

			# password yet, or we'll have circumvented the whole secret
			# thing.
			my ($idf,$passf,$secretf,$saveurlf,$oldwaitpassf,@rest)=FAQ::OMatic::Auth::readIDfile($id);
			if ((not defined $passf)
				or (not defined $idf)
				or ($idf ne $id)) {
				$passf = '__INVALID__';
			}
			my $cryptwaitpass = FAQ::OMatic::Auth::cryptPass($pass);
				# we'll store the crypted version to install later
	
			FAQ::OMatic::Auth::writeIDfile($id,$passf,$secret,$saveurl,$cryptwaitpass,@rest);
	
			# mail the user the secret url
			my $secreturl = FAQ::OMatic::makeAref('submitPass',
								{	'_id'=>$id,
									'_secret'=>$secret	},
								'url', 0, 'blastAll');
			my $subj = gettext("Your Faq-O-Matic authentication secret");
                        my $mesg = gettext("To validate your Faq-O-Matic password, you may either enter this secret into the Validation form:")."\n\n";   
			$mesg .= gettext("Secret:")." ".$secret."\n\n";
                        $mesg .= gettext("Or access the following URL. Be careful when you copy and paste the URL that the line-break doesn't cut the URL short.");
                        $mesg .= "\n\n$secreturl\n\n".gettext("Thank you for using Faq-O-Matic.")."\n\n";
			$mesg .= gettexta("(Note: if you did not sign up to use the Faq-O-Matic, someone else has attempted to log in using your name. Do not access the URL above; it will validate the password that user has supplied. Instead, send mail to %0 and I will look into the matter.)", $FAQ::OMatic::Config::adminEmail );

			if (FAQ::OMatic::sendEmail($id, $subj, $mesg)) {
				FAQ::OMatic::gripe('error',
					gettexta("I couldn't mail the authentication secret to \"%0\" and I'm not sure why.", $id));
			}
		}

		# now tell the user what's going on
		my $rt = '';

		$rt .= FAQ::OMatic::pageHeader($params);

		if ($params->{'_badSecret'}) {
			$rt .= gettext("The secret you entered is not correct.")."\n";
			$rt .=
			gettext("Did you copy and paste the secret or the URL completely?")
				."\n<p>\n";
		}
		else {
			$rt .= gettexta("I sent email to you at \"%0\". It should arrive soon, containing a URL.",
							$id)
				."\n<p>\n";
		}
		$rt.= gettext("Either open the URL directly, or paste the secret into the form below and click Validate.")
			."\n<p>\n"
			.gettext("Thank you for taking the time to sign up.")
			."\n";

		$rt.= FAQ::OMatic::makeAref('submitPass',
					{	'_id'=>$id,
						'_pass'=>$pass },
					'POST', 0, 'blastAll');
		#$rt.="<form action=\"submitPass\" method=POST>\n";
		$rt.= gettext("Secret:")." \n";
		$rt.= "<input type=text name=\"_secret\" value=\"\" size=36>\n";
		$rt.= "<p><input type=submit name=\"_submit\" value=\"".gettext("Validate")."\">\n";
		$rt.= "</form>\n";

		$rt .= FAQ::OMatic::pageFooter($params);
		print $rt;
	} else {
		# this is the user presenting his secret received via email
		my $id = $params->{'_id'};
		my $secret = $params->{'_secret'};
		my ($idf,$passf,$secretf,$saveurl,$cryptwaitpassf,@rest)
			= FAQ::OMatic::Auth::readIDfile($id);
		if (not defined($idf)
			or not ($idf eq $id)
			or not ($secret eq $secretf)) {
			# if we get the wrong secret, send the user back
			# around to the page with the Validate button (the top case
			# in this file) to give them another chance to enter the secret.
			my $url = FAQ::OMatic::makeAref('submitPass',
				{ '_badSecret'=>1, '_id'=>$id }, 'url');
			FAQ::OMatic::redirect($cgi, $url);
		}

		# no secret necessary anymore
		FAQ::OMatic::Auth::writeIDfile($idf, $cryptwaitpassf);
		# generate a cookie. We know it's you by your secret, but
		# we don't have your (uncrypted) password to let you go through the
		# normal password check. So we'll just create a cookie right now.
		my $newauth = "&auth=".FAQ::OMatic::Auth::newCookie($idf);
		FAQ::OMatic::redirect($cgi, $saveurl.$newauth);
	}
}

1;