From 9815db29d021fa5d04335cfaee0953529fedc9b8 Mon Sep 17 00:00:00 2001
From: Myron Blair <myronblair@outlook.com>
Date: Wed, 3 Jun 2026 03:56:17 +0000
Subject: [PATCH] =?UTF-8?q?Add=20reset=5Fpassword.php=20=E2=80=94=20passwo?=
 =?UTF-8?q?rd=20reset=20redemption=20page?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Handles the /reset_password.php?token=... URL generated by the
admin send_password_reset action. Flow:
- GET: validates token against pending_registrations (username=__reset__,
  not expired), shows set-new-password form
- POST: re-validates token, enforces 6-char min + confirm match,
  bcrypt-hashes the new password, updates users.password by email,
  deletes the pending row to prevent reuse
- Invalid/expired token shows a clear error with link back to home

Matches the dark gaming aesthetic of verify.php.
---
 reset_password.php | 113 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 reset_password.php

diff --git a/reset_password.php b/reset_password.php
new file mode 100644
index 0000000..6d603b5
--- /dev/null
+++ b/reset_password.php
@@ -0,0 +1,113 @@
+<?php
+require_once __DIR__ . '/../includes/auth.php';
+
+$token   = trim($_GET['token'] ?? '');
+$error   = '';
+$success = false;
+$pending = null;
+
+// Look up the reset token (username='__reset__' distinguishes from email-verification rows)
+if ($token) {
+    $stmt = db()->prepare(
+        "SELECT * FROM pending_registrations WHERE token=? AND username='__reset__' AND expires_at > NOW()"
+    );
+    $stmt->execute([$token]);
+    $pending = $stmt->fetch();
+}
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $token    = trim($_POST['token'] ?? '');
+    $password = $_POST['password'] ?? '';
+    $confirm  = $_POST['confirm']  ?? '';
+
+    // Re-fetch pending row inside POST to prevent token reuse after expiry
+    $stmt = db()->prepare(
+        "SELECT * FROM pending_registrations WHERE token=? AND username='__reset__' AND expires_at > NOW()"
+    );
+    $stmt->execute([$token]);
+    $pending = $stmt->fetch();
+
+    if (!$pending) {
+        $error = 'This reset link has expired or already been used. Please request a new one.';
+    } elseif (strlen($password) < 6) {
+        $error = 'Password must be at least 6 characters.';
+    } elseif ($password !== $confirm) {
+        $error = 'Passwords do not match.';
+    } else {
+        $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
+        $updated = db()->prepare("UPDATE users SET password=? WHERE email=?")
+                       ->execute([$hash, $pending['email']]);
+        db()->prepare("DELETE FROM pending_registrations WHERE token=?")->execute([$token]);
+        $success = true;
+        $pending = null;
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title><?= SITE_NAME ?> — Reset Password</title>
+<link href="https://fonts.googleapis.com/css2?family=Exo+2:wght@400;700;900&family=Rajdhani:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{background:#0a0a12;color:#e8e8f0;font-family:'Rajdhani',sans-serif;min-height:100dvh;display:flex;align-items:center;justify-content:center;padding:24px}
+body::before{content:'';position:fixed;inset:0;background-image:linear-gradient(rgba(0,229,255,0.03) 1px,transparent 1px),linear-gradient(90deg,rgba(0,229,255,0.03) 1px,transparent 1px);background-size:40px 40px;pointer-events:none}
+.card{background:#1a1a2e;border:1px solid rgba(255,255,255,0.08);border-radius:20px;padding:40px 32px;max-width:420px;width:100%;text-align:center;position:relative;z-index:1}
+.icon{font-size:64px;margin-bottom:20px;display:block}
+.title{font-family:'Exo 2',sans-serif;font-weight:900;font-size:26px;margin-bottom:10px}
+.title.success{background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.title.error{color:#ff4444}
+.msg{font-size:15px;color:#aaaacc;line-height:1.7;margin-bottom:28px}
+.logo{font-family:'Exo 2',sans-serif;font-weight:900;font-size:20px;background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent;margin-bottom:28px;letter-spacing:1px}
+.btn{display:block;width:100%;padding:15px;border:none;border-radius:10px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;letter-spacing:1px;cursor:pointer;text-decoration:none;text-align:center;transition:all .2s}
+.btn-gold{background:linear-gradient(135deg,#f0c040,#d4a017);color:#000;box-shadow:0 4px 20px rgba(240,192,64,.4)}
+.btn-outline{background:transparent;border:1.5px solid rgba(255,255,255,.2);color:#aaaacc;margin-top:10px}
+.form-group{text-align:left;margin-bottom:18px}
+.form-group label{display:block;font-size:13px;color:#8888aa;margin-bottom:6px;letter-spacing:.5px}
+.form-group input{width:100%;background:#111122;border:1.5px solid rgba(255,255,255,.12);border-radius:10px;padding:13px 16px;color:#e8e8f0;font-family:'Rajdhani',sans-serif;font-size:15px;outline:none;transition:border-color .2s}
+.form-group input:focus{border-color:#f0c040}
+.alert-err{background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.3);color:#ff9999;padding:12px 16px;border-radius:10px;font-size:14px;margin-bottom:20px;text-align:left}
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="logo">🎮 <?= SITE_NAME ?></div>
+
+<?php if ($success): ?>
+  <span class="icon">✅</span>
+  <div class="title success">Password Updated!</div>
+  <p class="msg">Your password has been reset successfully. You can now log in with your new password.</p>
+  <a href="/" class="btn btn-gold">BACK TO LOGIN</a>
+
+<?php elseif (!$token || (!$pending && !$error)): ?>
+  <span class="icon">❌</span>
+  <div class="title error">Invalid Link</div>
+  <p class="msg">This password reset link is invalid or has expired.<br>Please request a new one from the app.</p>
+  <a href="/" class="btn btn-gold">BACK TO HOME</a>
+
+<?php else: ?>
+  <div class="title" style="color:#f0c040;margin-bottom:8px;">Reset Password</div>
+  <p class="msg" style="margin-bottom:24px;">Enter a new password for your account.</p>
+
+  <?php if ($error): ?>
+  <div class="alert-err"><?= htmlspecialchars($error) ?></div>
+  <?php endif; ?>
+
+  <form method="POST">
+    <input type="hidden" name="token" value="<?= htmlspecialchars($token) ?>">
+    <div class="form-group">
+      <label>NEW PASSWORD</label>
+      <input type="password" name="password" placeholder="At least 6 characters" required minlength="6" autofocus>
+    </div>
+    <div class="form-group">
+      <label>CONFIRM PASSWORD</label>
+      <input type="password" name="confirm" placeholder="Repeat new password" required minlength="6">
+    </div>
+    <button type="submit" class="btn btn-gold">SET NEW PASSWORD</button>
+  </form>
+<?php endif; ?>
+</div>
+</body>
+</html>