revoked access to website for coaches, added web-specific tokens
This commit is contained in:
@ -43,6 +43,8 @@ case 'auth/login':
|
||||
|
||||
qdb_discard($tmpDb, $lockFp);
|
||||
|
||||
qdb_reject_coach_web_login((string)($user['role'] ?? ''));
|
||||
|
||||
if ((int)$user['mustChangePassword'] === 1) {
|
||||
$tempToken = bin2hex(random_bytes(32));
|
||||
token_add($tempToken, 10 * 60, [
|
||||
@ -127,6 +129,8 @@ case 'auth/change-password':
|
||||
json_error('FORBIDDEN', 'Token does not match user', 403);
|
||||
}
|
||||
|
||||
qdb_reject_coach_web_login((string)($user['role'] ?? ''));
|
||||
|
||||
if (!password_verify($oldPassword, $user['passwordHash'])) {
|
||||
qdb_discard($tmpDb, $lockFp);
|
||||
json_error('INVALID_CREDENTIALS', 'Old password incorrect', 401);
|
||||
|
||||
Reference in New Issue
Block a user