- removed user get query from DDoS check in
- fixed DDoS protection to update login_attempts if user not exist too
- removed user get query from DDoS/reCAPTCHA check
- fixed DDoS/reCAPTCHA proection to update login_attempts if user not exist too
- added `get_login_attempts()` returns login_attempts as INT (used in `login()`)
- fixed both SQL files
- fixed `list_pms()`
- fixed `delete_pm()`
- updated CHANGELOG
- added abilty to send `system` PM's for `send_pm()` & `send_pms()`
- changed `name` to `username` in aauth_users table
- changed `name` to `username` in all user related functions
- changed `$name` to `$username` in `create_user()` & `update_user()`
- added `user_exist_by_username()`
- changed `user_exist_by_name()` to an alias of `user_exist_by_username()`
- added `pm_cleanup_max_age`-config_var
- added 2 files (`pm_deleted_sender` & `pm_deleted_receiver`) in pm table
- changed `list_pms()` to catch only not deleted pm's
- changed `delete_pm()` now it need a user_id to delete a pm (like `get_pm()`)
- changed `delete_pm()` sender's can now detete pm's from outbox
- changed `count_unread_pms()` it counts now only not deleted pm's.
- added `cleanup_pms()` removes pms older than X defined by `pm_cleanup_max_age`-config_var
- changed `$receiver_id` to `$receiver_ids`
- sends multiple pms
- returns array of receiver user ids with specific error message on failure or TRUE if message successfully sent
added a new table for login_attempts (in both SQL files)
added 2 config vars `login_attempts`(db) & `remove_successful_attempts`
changed function `reset_login_attempts()` (removed user_id and changed where to ip_address and timestamp from user_id only)
changed function `update_login_attempts()` (removed user_id and changed where to ip_address and timestamp from email/user_id only)
changed function `login()` (removed arguments from changed functions, added abilty to enable/disable removing login attempt after successful login)
- added 2 config vars (`totp_two_step_login_active`, `totp_two_step_login_redirect`)
- changed `login()` to set session data if totp is required and two_step_login is active and skip default
- fixed `control()` to check if totp verification is required, if required then it redirects to `totp_two_step_login_redirect`
- fixed `control()` to check if is_loggedin not with totp verification is required
- changed `is_allowed()` to check if totp verification is required, if required then it redirects to `totp_two_step_login_redirect`
- added 2 functions `verify_user_totp_code($totp_code, $user_id = FALSE)` & `is_totp_required()`
reference to #131 (tutorial follows)
- added config var `use_password_hash`
- added config var `password_hash_algo`
- added config var `password_hash_options`
- added `verify_password()`
- changed `login()` (changed pass check with new the function, added a little skip for pass recreation if password_hash is active)
- changed `hash_password()`
- added `sql/Aauth_v2_BCrypt.sql` with a working password if BCrypt is active
- changed `ver_code` to sha1 hashed timestamp (`remind_password()`)
- removed `user_id` in reset password link (`remind_password()`)
- removed function param `$user_id` (`reset_password()`)
- changed password length to an even number based on config var `min` (`reset_password()`)
- changed `last_login_attempt` value to `Y-m-d H:i:s` from `Y-m-d H:0:0`
- changed `last_login_attempt`-check to check every x minute based on config var (`max_login_attempt_per_minutes`)
- added optional `last_login_attempt` update on login attempt (`update_last_login_attempt`)
- added config var `max_login_attempt_per_minutes`
- added config var `update_last_login_attempt`
- fixed config var info for `max_login_attempt` (`20` to `10`)
REJack
Paul Canning
AnasTHH
Bevin