AsmBB

sqlGetUserInfo   text "select id, salt, passHash, status from Users where nick = ?"
sqlInsertSession text "insert into sessions (userID, sid, FromIP, last_seen) values ( ?1, ?2, ?3, strftime('%s','now') )"
sqlUpdateSession text "update Sessions set userID = ?1, FromIP = ?3, last_seen = strftime('%s','now') where sid = ?2"
sqlCheckSession  text "select sid from sessions where userID = ? and fromIP = ?"
sqlCleanSessions text "delete from sessions where last_seen < (strftime('%s','now') - 2592000)"

sqlLoginTicket text "select ?1 as ticket, ?2 as email_flag"
sqlCheckLoginTicket text "select 1 from userlog where remoteIP=?1 and Client = ?2 and Param = ?3 and Activity = ?4"
sqlClearLoginTicket text "update userlog set Param = NULL where remoteIP=?1 and Activity in (1, 3, 14, 15, 16, 17)"


proc UserLogin, .pSpecial
.stmt  dd ?

.user     dd ?
.password dd ?

.userID   dd ?
.session  dd ?
.status   dd ?

.ticket   dd ?
.email_flag dd ?

begin
        pushad

        xor     eax, eax
        mov     [.session], eax
        mov     [.user], eax
        mov     [.password], eax
        mov     [.ticket], eax

        cinvoke sqliteExec, [hMainDatabase], sqlCleanSessions, sqlCleanSessions.length, eax, eax

        xor     eax, eax                                ; default no?
        stdcall GetParam, "email_confirm", gpInteger
        mov     [.email_flag], eax

; check the information

        mov     esi, [.pSpecial]
        mov     ebx, [esi+TSpecialParams.post_array]
        test    ebx, ebx
        jnz     .do_login_user

        stdcall StrCat, [esi+TSpecialParams.page_title], cLoginDialogTitle

        stdcall GetRandomString, 32
        mov     ebx, eax

        stdcall LogUserActivity, esi, uaLoggingIn, ebx

        lea     ecx, [.stmt]
        cinvoke sqlitePrepare_v2, [hMainDatabase], sqlLoginTicket, sqlLoginTicket.length, ecx, 0

        stdcall StrPtr, ebx
        cinvoke sqliteBindText, [.stmt], 1, eax, [eax+string.len],  SQLITE_STATIC
        cinvoke sqliteBindInt, [.stmt], 2, [.email_flag]
        cinvoke sqliteStep, [.stmt]

        stdcall RenderTemplate, 0, "form_login.tpl", [.stmt], esi
        mov     [esp+4*regEAX], eax

        cinvoke sqliteFinalize, [.stmt]
        stdcall StrDel, ebx

        clc
        popad
        return


.do_login_user:

        stdcall ValueByName, [esi+TSpecialParams.post_array], txt "submit.x"
        jc      .redirect_back_bad_permissions

        stdcall ValueByName, [esi+TSpecialParams.post_array], txt "submit.y"
        jc      .redirect_back_bad_permissions


        stdcall GetPostString, ebx, "username", 0
        mov     [.user], eax

        test    eax, eax
        jz      .redirect_back_short

.user      dd ?
.password  dd ?
.password2 dd ?
.email     dd ?
.secret    dd ?
.ticket    dd ?

.email_flag dd ?

begin
        pushad

        xor     eax, eax
        mov     [.user], eax
        mov     [.password], eax
        mov     [.password2], eax
        mov     [.email], eax
        mov     [.secret], eax
        mov     [.ticket], eax

; check the information

        xor     eax, eax                                ; default no?
        stdcall GetParam, "email_confirm", gpInteger
        mov     [.email_flag], eax

        mov     esi, [.pSpecial]
        cmp     [esi+TSpecialParams.userID], 0
        jne     .error_trick

        test    [esi+TSpecialParams.userStatus], permLogin      ; For the guests, permLogin == permRegister
        jz      .error_closed_registration

        mov     ebx, [esi+TSpecialParams.post_array]
        test    ebx, ebx
        jnz     .do_register_user

        stdcall GetRandomString, 32
        mov     ebx, eax

        stdcall LogUserActivity, esi, uaRegistering, ebx

        lea     ecx, [.stmt]
        cinvoke sqlitePrepare_v2, [hMainDatabase], sqlLoginTicket, sqlLoginTicket.length, ecx, 0

        stdcall StrPtr, ebx
        cinvoke sqliteBindText, [.stmt], 1, eax, [eax+string.len],  SQLITE_STATIC

        cinvoke sqliteBindInt, [.stmt], 2, [.email_flag]

        cinvoke sqliteStep, [.stmt]

        stdcall RenderTemplate, 0, "form_register.tpl", [.stmt], esi
        mov     [esp+4*regEAX], eax

        cinvoke sqliteFinalize, [.stmt]
        stdcall StrDel, ebx

        clc
        popad
        return


.do_register_user:

        stdcall ValueByName, [esi+TSpecialParams.post_array], txt "submit.x"
        jc      .error_trick

        stdcall ValueByName, [esi+TSpecialParams.post_array], txt "submit.y"
        jc      .error_trick

        stdcall GetPostString, ebx, "username", 0
        mov     [.user], eax

        test    eax, eax
        jz      .error_short_name

        stdcall ValidateUserName, [.user]
        jnc     .error_short_name         ; the name contains special characters actually!

        stdcall StrLen, eax
        cmp     eax, 3
        jbe     .error_short_name

        cmp     eax, 256
        ja      .error_trick

        stdcall GetPostString, ebx, "email", 0
        mov     [.email], eax

        cmp     [.email_flag], 0
        jne     .check_email

; Use the email field as a honeypot, if the activation emails are disabled.
; Some kind of bot protection...

        test    eax, eax
        jz      .check_password

        stdcall StrLen, eax
        test    eax, eax
        jz      .check_password

        jmp     .error_trick

; Check the email in case the activation email will be sent
.check_email:
        test    eax, eax
        jz      .error_bad_email

        stdcall CheckEmail, eax
        jc      .error_bad_email

.check_password:

        stdcall GetPostString, ebx, txt "password", 0
        mov     [.password], eax
        test    eax, eax
        jz      .error_short_pass

        stdcall GetPostString, ebx, txt "password2", 0

        stdcall StrLen, eax
        test    eax, eax
        jz      .error_trick

; check the ticket

        DebugMsg "Check the ticket."

        lea     eax, [.stmt]
        cinvoke sqlitePrepare_v2, [hMainDatabase], sqlCheckLoginTicket, sqlCheckLoginTicket.length, eax, 0
        cinvoke sqliteBindInt, [.stmt], 1, [esi+TSpecialParams.remoteIP]

        stdcall ValueByName, [esi+TSpecialParams.params], "HTTP_USER_AGENT"
        jc      .client_ok

; check whether the user exists

        lea     eax, [.stmt]
        cinvoke sqlitePrepare_v2, [hMainDatabase], sqlCheckUserExists, -1, eax, 0

        stdcall StrPtr, [.user]
        cinvoke sqliteBindText, [.stmt], 1, eax, [eax+string.len], SQLITE_STATIC

        cmp     [.email], 0
        je      .email_ok2

        stdcall StrPtr, [.email]
        cmp     [eax+string.len], 0
        je      .email_ok2

        cinvoke sqliteBindText, [.stmt], 2, eax, [eax+string.len], SQLITE_STATIC

.email_ok2:

        cinvoke sqliteStep, [.stmt]
        mov     ebx, eax

        cinvoke sqliteFinalize, [.stmt]

        cmp     ebx, SQLITE_ROW
        je      .error_exists

        lea     eax, [.stmt]
        cinvoke sqlitePrepare_v2, [hMainDatabase], sqlRegisterUser, sqlRegisterUser.length, eax, 0

        stdcall StrPtr, [.user]
        cinvoke sqliteBindText, [.stmt], 1, eax, [eax+string.len], SQLITE_STATIC

        stdcall StrPtr, [.password]
        cinvoke sqliteBindText, [.stmt], 2, eax, [eax+string.len], SQLITE_STATIC

        stdcall StrPtr, [.password2]
        cinvoke sqliteBindText, [.stmt], 3, eax, [eax+string.len], SQLITE_STATIC

        cmp     [.email], 0
        je      .email_ok

        stdcall StrPtr, [.email]
        cmp     [eax+string.len], 0
        je      .email_ok

        cinvoke sqliteBindText, [.stmt], 4, eax, [eax+string.len], SQLITE_STATIC

.email_ok:

        cinvoke sqliteBindInt, [.stmt], 5, [esi+TSpecialParams.remoteIP]

        stdcall StrPtr, [.secret]
        cinvoke sqliteBindText, [.stmt], 6, eax, [eax+string.len], SQLITE_STATIC

        cinvoke sqliteBindInt, [.stmt], 7, uopCreateAccount

        cinvoke sqliteStep, [.stmt]
        mov     ebx, eax

        cinvoke sqliteFinalize, [.stmt]

        cmp     ebx, SQLITE_DONE
        jne     .error_exists



        cmp     [.email_flag], 0

        je      .no_confirm

; now send the activation email for all registered user, where the email was not sent.


        stdcall ProcessActivationEmails

; the user has been created and now is waiting for email activation.

        stdcall TextMakeRedirect, 0, "/!message/user_created/"
        jmp     .finish

gpString  = 0
gpInteger = 1


sqlGetParam text "select val from params where id = ?"

proc GetParam, .key, .type
.stmt dd ?
begin
        pushad

        lea     eax, [.stmt]
        cinvoke sqlitePrepare_v2, [hMainDatabase], sqlGetParam, sqlGetParam.length, eax, 0

        stdcall StrPtr, [.key]
        cinvoke sqliteBindText, [.stmt], 1, eax, -1, SQLITE_STATIC

        cinvoke sqliteStep, [.stmt]
        cmp     eax, SQLITE_ROW
        jne     .error

options.ShowSizes = 0

options.DebugMode = 0
options.AlignCode = 0
options.ShowImported = 0

options.DebugWeb = 0
options.DebugPost = 0           ; save the latest POST request data in the file "post_data.txt"
options.DebugSQLite = 1

options.DebugWebSSE = 0         ; debug server sent events - creates a command "!echo_events" for debugging SSE.
options.Benchmark = 0

;HeapManager  equ ASM
;LinuxThreads equ native

[css:navigation.css]
[css:login.css]

  <div class="ui_panel">
    <a class="ui left" href="/">Threads</a>
  </div>
  <form class="login-block" method="post" target="_self" action="/!login">
    <h1>Login</h1>
    <p class="pi_nick"><input type="text" value="" placeholder="Username" name="username" class="username" autofocus maxlength="256"></p>
    <p class="pi_pass"><input type="password" value="" placeholder="Password" name="password" class="password" maxlength="1024" autocomplete="off"></p>
    <p class="pi_tick"><input type="text" value="[special:referer]" name="backlink" id="backlink"></p>
    <p class="pi_nick"><input type="checkbox" name="persistent" id="pr" value="1"><label for="pr">Persistent login</label></p>
    <p class="pi_tick"><input type="text" value="[ticket]" name="ticket" id="ticket"></p>
    <input type="image" name="submit" id="submit" value="Submit"><label class="submit" for="submit">Submit</label>
  </form>
  <article>
    [case:[email_flag]||<p>If you forgot your password, <b><a href="/!resetpassword">click here</a></b>. You have limited reset attempts.</p>]
    [case:[special:canregister]||<p>If you don't have an account, you should <b><a href="/!register">register one</a></b>.</p>]
    <p></p>
    <p>The login process uses cookies. If the "Persistent login" checkbox is checked, the cookie will be stored persistently in your browser.</p>
    <p>If the "Persistent login" checkbox is not checked (default), AsmBB uses so called "session cookies" that are automatically removed when you close your browser.</p>
    <p>When you logout from the forum, all cookies are removed as well.</p>
  </article>

input[type=checkbox] + label {
    display: block;
    color: @clFormFG;
    margin: 0 0 @LineH 0;
}

.pi_nick, .pi_pass, .pi_tick, .pi_email {
  margin: 0px;
  padding: 0px;
}

.pi_tick, .pi_email {
  display: none;
}

#submit {
  position: absolute;
  z-index: -1;
  left: -10000px;

  &:focus + label {
    background: @clButtonActiveBG;
    color: @clButtonActiveFG;
    outline: 2px dotted @clSeparator;
    outline-offset: -2px;
  }
}

[css:navigation.css]
[css:login.css]

<div class="login">
  <div class="ui">
    <a class="ui" href="/">Threads</a>
  </div>
  <form class="login-block" method="post" target="_self" action="/!login">
    <h1>Login</h1>
    <p class="pi_nick"><input type="text" value="" placeholder="Username" name="username" class="username" autofocus maxlength="256"></p>
    <p class="pi_pass"><input type="password" value="" placeholder="Password" name="password" class="password" maxlength="1024" autocomplete="off"></p>
    <p class="pi_tick"><input type="text" value="[special:referer]" name="backlink" id="backlink"></p>
    <p class="pi_nick"><input type="checkbox" name="persistent" id="pr" value="1"><label for="pr">Persistent login</label></p>
    <p class="pi_tick"><input type="text" value="[ticket]" name="ticket" id="ticket"></p>
    <input type="image" name="submit" id="submit" value="Submit"><label class="submit" for="submit">Submit</label>
  </form>
  <article>
    [case:[email_flag]||<p>If you forgot your password, <b><a href="/!resetpassword">click here</a></b>. You have limited reset attempts.</p>]
    [case:[special:canregister]||<p>If you don't have an account, you should <b><a href="/!register">register one</a></b>.</p>]
    <p></p>
    <p>The login process uses cookies. If the "Persistent login" checkbox is checked, the cookie will be stored persistently in your browser.</p>
    <p>If the "Persistent login" checkbox is not checked (default), AsmBB uses so called "session cookies" that are automatically removed when you close your browser.</p>
    <p>When you logout from the forum, all cookies are removed as well.</p>
  </article>
</div>

[css:navigation.css]
[css:login.css]

<div class="login">
  <div class="ui">
    <a class="ui" href="/">Threads</a>
  </div>
  <form class="register-block" method="post" action="/!register/">
    <h1>Register</h1>
    <p class="pi_nick"><input type="text" value="" placeholder="Username" name="username" class="username" maxlength="256" autofocus></p>
    <p class="[case:[email_flag]|pi_email|pi_nick]"><input type="text" value="" placeholder="e-mail" name="email" class="email" maxlength="320"></p>
    <p class="pi_pass"><input type="password" value="" placeholder="Password" name="password" class="password" maxlength="1024" autocomplete="off"></p>
    <p class="pi_pass"><input type="password" value="" placeholder="Password again" name="password2" class="password" maxlength="1024" autocomplete="off"></p>
    <p class="pi_tick"><input type="text" value="[ticket]" name="ticket" id="ticket" class="ticket"></p>
    <label class="submit" for="submit">Submit</label><input type="image" name="submit" id="submit" value="Submit">
  </form>
  <article>
    <p>To choose strong password and write it down on a paper is better than to choose easy to remember password.</p>
    <p>Because the humans are not very good in remembering random strings, but pretty good in keeping small sheets of paper.</p>
    <p>But don't stick it on your monitor. Simply keep it in your wallet...</p>
    <p>... or use some password manager program.</p>
  </article>

    border: @borderEdit;

    background: @bgEditor;
    color: @clEditorFG;
}



input.username {
    background-image: url('[special:skin]/_images/user.png') !important;
}

input.email {
    background-image: url('[special:skin]/_images/email.png') !important;
}

input.password {
    background-image: url('[special:skin]/_images/pass.png') !important;
}

input.username:focus, input.email:focus, input.password:focus {
    background: @bgEditorFocus;
}


label.submit {
  height: 38px;
  line-height: 38px;
  width: 100%;
  background: @clButtonBG;
  color: @clButtonFG;
  border: none;
  font-weight: bold;
  font-size: 16px;
  font-variant: small-caps;
  outline: none;
  cursor: pointer;
  text-align: center;
  padding: 0px;
  display: block;
  margin: 8px 0px;

  &:hover {
    background: @clButtonActiveBG;
    color: @clButtonActiveFG;
  }
}

#submit {
  position: absolute;
  z-index: -1;
  left: -10000px;

  &:focus + label {
    background: @clButtonActiveBG;
    color: @clButtonActiveFG;
    outline: 2px dotted @clSeparator;
    outline-offset: -2px;
  }
}

.pi_nick, .pi_pass, .pi_tick, .pi_email {
  margin: 0px;
  padding: 0px;
}

.pi_tick, .pi_email {
  display: none;
}