xf_auth.php

<?php
/*
Script for XenForo 1.X
Tested with: 1.1.X
Created by: #SG# Sharkiller
Forked by: JWhy
Verison: 0.2.1
*/

###############
## Variables ##
###############

# Reject all connections exept this IP.
$secret = "CHANGE_THIS"; //Password needed to use this script
# Database info
$db_server = 'localhost';
$db_user = 'root';
$db_passwd = '';
$db_name = 'xf';
# Name of the custom field of XenForo where the Minecraft nicknames are stored.
$field = 'MCUSER';
# Minecraft nicks ignored from successful message
$ignore = array("admin1","admin2"); // Admin nicknames ignored from broadcast message on login.

##############
## Messages ##
##############

$msg = array(
	"login_successful" => "§8%s §7has logged in. Forum account: §8%s",
	"user_not_exist" => "§6§kasdasd§4 Does the user exist? §6§kasdasd",
	"player_not_exist" => "§4§kasdas§6 Nick not associated in forum. §4§kasdas",
	"user_banned" => "§6§kasdasd§4 The user is banned. §6§kasdasd",
	"wrong_data" => "§6Failed to read the user data. Contact an admin!",
	"wrong_password" => "§4Wrong password! §6 Use §a/login forum-password"
);

////////////////////////////////////////////////
// Don't change bellow this if you don't know //
////////////////////////////////////////////////

####################
## Security check ##
####################

//Restrict access to localhost
if($_SERVER['REMOTE_ADDR'] !== '127.0.0.1'){
    header("HTTP/1.0 403 Forbidden");
    die();
}

###############
## FUNCTIONS ##
###############

$nickname = $_POST['user'];
$password = $_POST['pass'];
$action = $_POST['action'];

# Response message
function done($msg, $template = "ERROR\n%s"){
	global $mysqli;
	printf($template, $msg);
	$mysqli->close();
	exit;
}

# Ignore users from successfull message.
function ignore($nick){
	global $ignore;
	if(in_array($nick, $ignore))
		return true;
	else
		return false;
}

################################
## Only support login for now ##
################################

# login, register, online, offline
if($action != "login"){
	header("HTTP/1.0 403 Forbidden");
	die();
}

###############
## Code here ##
###############

# Init MySQL connection
$mysqli = new mysqli($db_server, $db_user, $db_passwd, $db_name);

# Obtain user data (UserID, DataBlob) from Minecraft Nickname.
$stmt = $mysqli->prepare("SELECT `data`, `user_id`  FROM `xf_user_authenticate` WHERE `user_id` = (SELECT `user_id` FROM `xf_user_field_value` WHERE `field_value` = '$nickname' AND `field_id` = '$field') LIMIT 1") or done('MySQL Error 1');
$stmt->execute();
$stmt->bind_result($data, $user_id);
$success = $stmt->fetch();
$stmt->close();

# Check if a user have the nickname associated
if(!$success)
    done($msg["player_not_exist"]);

# Obtain user data (Username, Ban Status) from UserID.
$stmt = $mysqli->prepare("SELECT `username`, `is_banned` FROM `xf_user` WHERE `user_id` = $user_id LIMIT 1") or done('MySQL Error 2');
$stmt->execute();
$stmt->bind_result($username, $is_banned);
$success = $stmt->fetch();
$stmt->close();

# Check if user exist
if(!$success)
    done($msg["user_not_exist"]);

# Check if banned
if($is_banned == 1)
    done($msg["user_banned"]);

# Check and read user data blob
if(preg_match("/\"([a-z0-9]{64})\".*\"([a-z0-9]{64})\"/", $data, $matches) == 0)
	done($msg["wrong_data"]);

# Hashing password for XenForo
$hashforo = $matches[1];
$salt = $matches[2];
$hashpass = hash("sha256", hash("sha256", $password).$salt);

# Wrong password
if($hashforo != $hashpass)
	done($msg["wrong_password"]);

# Login Successful
$message = "";
if(!ignore($nickname))
	$message = sprintf($msg["login_successful"], $nickname, $username);

done($message, "YES\n%s");

?>