<?php
/**
 *  Copyright (C) 2021  Double Bastion LLC
 *
 *  This file is part of Roundpin, which is licensed under the
 *  GNU Affero General Public License Version 3.0. The license terms
 *  are detailed in the "LICENSE.txt" file located in the root directory.
 */

session_start();

if (isset($_POST['s_ajax_call']) && ($_POST['s_ajax_call'] == $_SESSION['validate_s_access'])) {

 define('ACCESSCONST', TRUE);

 require('db-connect.php');

    $username = $_POST['username'];
    $currentPassword = $_POST['current_password'];
    $newPassword = $_POST['new_password'];

    // Get the password of the current user from the 'app_users' table
    $enabled = 1;
    $querypass = $mysqli->prepare("SELECT id, username, password, enabled FROM app_users WHERE BINARY username=? AND enabled=?");
    $querypass->bind_param("si", $username, $enabled);
    $querypass->execute();
    $fetchData = $querypass->get_result();
    $passdatafromdb = $fetchData->fetch_row();
    $fetchedpassfromdb = $passdatafromdb[2];

    $changepassverify = password_verify($currentPassword, $fetchedpassfromdb);

    if ($changepassverify) {

        $newHashedPassword = password_hash($newPassword, PASSWORD_DEFAULT);
        $enabled = 1;
        $queryupdatepass = $mysqli->prepare("UPDATE app_users SET password=? WHERE BINARY username=? AND enabled=?");
        $queryupdatepass->bind_param("ssi", $newHashedPassword, $username, $enabled);
        $queryupdatepass->execute();

        if ($queryupdatepass) { 
            $passchangemessage = "Your Roundpin user password has been updated successfully. From now on you will have to use your new password to log in to Roundpin.";
        } else { $passchangemessage = "An error occurred while attempting to save the new password!"; }

    } else { $passchangemessage = "The password you have entered in the 'Current Password' field doesn't match your current password!"; }

    echo json_encode($passchangemessage);

} else {
    header("Location: roundpin-login.php");
}

?>