
FILE_CONTENT: forgot_password.php

<?php

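// CORS and response headers for this JSON endpoint.
// NOTE(review): "Access-Control-Allow-Origin: *" lets a page on any origin call
// this password-recovery endpoint from a browser. If only known front-ends use
// it, replace the wildcard with an allow-list of those origins.
header("Access-Control-Allow-Origin: *");
// Advertise only what the script actually serves: POST, plus the OPTIONS preflight.
header("Access-Control-Allow-Methods: POST, OPTIONS");
header("Access-Control-Allow-Headers: Authorization, Content-Type, Accept, X-Requested-With, User-Agent, Origin");
header("Access-Control-Max-Age: 86400");
header("Content-Type: application/json; charset=UTF-8");
// Account-recovery responses must not be kept by browsers or intermediaries.
header("Cache-Control: no-store");

// REQUEST_METHOD is absent outside a web request; treat that as "not POST".
$requestMethod = $_SERVER['REQUEST_METHOD'] ?? '';

// CORS preflight: reply with the headers above and no body.
if ($requestMethod === 'OPTIONS') {
    http_response_code(200);
    exit;
}

// Every other method is refused. A 405 response names the supported methods
// in an Allow header (RFC 9110, section 15.5.6).
if ($requestMethod !== 'POST') {
    header("Allow: POST, OPTIONS");
    http_response_code(405);
    echo json_encode(["success" => false, "message" => "Only POST method allowed"]);
    exit;
}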

// Composer autoloader; it makes the Dotenv class imported below loadable.
require 'vendor/autoload.php';
use Dotenv\Dotenv;

// Load the .env file that sits in this script's own directory. The database
// settings read from $_ENV further down are expected to come from it.
// NOTE(review): if this directory is served by the web server, confirm that
// requests for the .env file itself are denied — it holds the DB credentials.
try {
    $dotenv = Dotenv::createImmutable(__DIR__);
    $dotenv->load();
} catch (Exception $envError) {
    // Any loader failure ends the request with a generic 500; no detail is sent.
    $failure = ['success' => false, 'message' => 'Environment configuration failed'];
    http_response_code(500);
    echo json_encode($failure);
    exit;
}

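// Open the MySQL connection using the settings taken from $_ENV.
try {
    $pdo = new PDO(
        "mysql:host={$_ENV['DB_HOST']};dbname={$_ENV['DB_NAME']};charset=utf8mb4",
        $_ENV['DB_USER'],
        $_ENV['DB_PASSWORD'],
        [
            // Fail loudly: every driver error becomes a PDOException.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Use server-side prepared statements instead of client-side emulation.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
} catch (PDOException $e) {
    // The driver message can contain the host name, database name and account
    // name. Keep it in the server log and send the client a generic error only.
    error_log('forgot_password: database connection failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Database connection failed']);
    exit;
}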

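// Decode the JSON request body into an associative array. json_decode()
// returns null when the body is not valid JSON.
$data = json_decode(file_get_contents('php://input'), true);

// Accept the phone number only as a JSON string or integer. A body that is not
// an object, or a "number" that is an array, boolean or other type, is refused
// here so that it can never reach the SQL parameter binding below.
// empty() keeps the original rule that "", "0" and 0 count as missing.
$number = is_array($data) ? ($data['number'] ?? null) : null;

if ((!is_string($number) && !is_int($number)) || empty($number)) {
    http_response_code(400);
    echo json_encode(['success' => false, 'message' => 'Phone number is required']);
    exit;
}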

// Outcome of the account lookup. $foundUserId and $foundUserType stay null
// when no table holds the number; $foundUser is initialised but not assigned
// again anywhere in this script.
$foundUser = null;
$foundUserType = null;
$foundUserId = null;

// Account tables in lookup order, each mapped to the numeric user type that is
// stored alongside the recovery code.
$tables = [
    'individusers' => 0,
    'companyusers' => 1,
    'leasingmanagers' => 2
];

// The table name is interpolated into the SQL text. That is safe only because
// it comes from the fixed list above and never from the request; the phone
// number itself is always passed as a bound parameter.
foreach ($tables as $table => $userType) {
    $stmt = $pdo->prepare("SELECT id FROM $table WHERE number = ? LIMIT 1");
    $stmt->execute([$data['number']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user) {
        continue;
    }

    // First match wins; tables later in the list are not queried.
    $foundUserId = $user['id'];
    $foundUserType = $userType;
    break;
}

// Unknown number: reply with a neutral message so the response does not
// confirm whether the number is registered.
if (is_null($foundUserId)) {
    $neutralReply = [
        'success' => true,
        'message' => 'If an account with that phone number exists, a recovery code has been sent.',
    ];
    http_response_code(200);
    echo json_encode($neutralReply);
    exit;
}

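// Issue a fresh recovery code for the matched account.
try {
    // Six-digit code drawn from PHP's cryptographically secure generator.
    $recovery_code = random_int(100000, 999999);

    // Replace any earlier code atomically: if the INSERT fails, the DELETE is
    // rolled back and the account keeps its previous row.
    $pdo->beginTransaction();

    $stmt = $pdo->prepare("DELETE FROM password_resets WHERE user_id = ? AND user_type = ?");
    $stmt->execute([$foundUserId, $foundUserType]);

    $stmt = $pdo->prepare("INSERT INTO password_resets (user_id, user_type, code) VALUES (?, ?, ?)");
    $stmt->execute([$foundUserId, $foundUserType, $recovery_code]);

    $pdo->commit();

    // TODO: deliver $recovery_code to the account's phone out-of-band (SMS).
    // The code must never be part of this HTTP response: whoever submits a
    // phone number would otherwise receive that account's recovery code and
    // could complete the reset without having the phone.
    // NOTE(review): the code is stored as-is and no expiry or attempt limit is
    // visible in this script — confirm the password_resets schema and the
    // verification endpoint enforce both.

    // Same text as the reply for an unknown number, so the response does not
    // reveal whether the number belongs to an account.
    http_response_code(200);
    echo json_encode([
        'success' => true,
        'message' => 'If an account with that phone number exists, a recovery code has been sent.',
    ]);

} catch (Exception $e) {
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    // Exception text can expose SQL and schema details; keep it in the server
    // log and return a generic error to the client.
    error_log('forgot_password: recovery code generation failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Server error']);
}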
?>