<?php

function change_password($db, $first_password, $second_password){
	if($_SESSION["login"]){
		$username = user_id($db, $_SESSION["username"]);
	} else {
		$username_db = $db->query("SELECT id FROM user WHERE email='" . SQLite3::escapeString($_POST['email']) . "';");
		$username_ar = $username_db->fetchArray(SQLITE3_NUM);
		$username = $username_ar[0];
	}
	
	if($first_password != $second_password || !isset($first_password) || empty($first_password) || $first_password == ""){
		return PASSWORD_PASSWORD;
	}

	$pepper = file_get_contents("../database/pepper.txt");
	$password = $first_password . $pepper;

	$hash_password = password_hash($password, PASSWORD_DEFAULT);

	if($db->exec("
		BEGIN TRANSACTION;
		UPDATE user SET password='" . $hash_password . "' WHERE id=" . $username . ";
		COMMIT;
	")){
		return PASSWORD_SUCCESS;
	} else {
		return PASSWORD_DATABASE;
	}
}

function recover_password($db){
	$test_email_db = $db->query("SELECT 1 FROM user WHERE email='" . SQLite3::escapeString($_POST['email']) . "';");
	$test_email_ar = $test_email_db->fetchArray(SQLITE3_NUM);

	if($test_email_ar[0] == 1){
		$password_array = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "_", "-", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" );

		$length = count($password_array);
		$password = ""; 

		for ($i=0;$i<21;$i++){
			$index = mt_rand(0,$length-1);
			$password = "$password".$password_array[$index];
		}

		$var = change_password($db, $password, $password);

		if($var == PASSWORD_SUCCESS){

			$subject = "Your new password is" . $password;
			if(mail($_POST['email'], "New password", $subject, "From: mail@iamfabulous.de")){
				return RECOVER_SUCCESS;
			} else {
				return RECOVER_EMAIL;
			}
		} else {
			return $var;
		}
	} else {
		return RECOVER_PROHIBITED;
	}
}

function validate_password($db, $username, $password){
	$res_db = $db->query("SELECT password FROM user WHERE name='".$db->escapeString($username)."'");
	$res_ar = $res_db->fetchArray(SQLITE3_NUM);

	$pepper = file_get_contents("../database/pepper.txt");
	$password .= $pepper;

	if(password_verify($password, $res_ar[0])){
		return true;
	} else {
		return false;
	}
}