
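<?php
// reset_password_form.php — landing page for the password-reset link sent by
// e-mail. Reads ?token=..., looks it up in password_reset_tokens and renders the
// new-password form only while the token is unused and not yet expired. The
// form posts to Script.php (form_reset_password), which is expected to leave
// its outcome in $_SESSION['info_reset_password'] and send the user back here.
//
// NoDirectPhpAcess.php rejects requests that carry no Referer. A user arriving
// from an e-mail link sends none, so a Referer is filled in before that include
// runs. This keeps the existing include chain working, but a Referer check is
// not an access control (the header is client-controlled); the only thing that
// gates this page is the token lookup below.
if (!isset($_SERVER['HTTP_REFERER'])) {
    $request_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $_SERVER['HTTP_REFERER'] = 'https://' . $request_host . '/LRR/recover_password.php';
}
include 'NoDirectPhpAcess.php';
include 'Header.php'; // presumably starts the session and opens $con — verify

// Page state consumed by the template below.
$token_from_url = null;  // raw token as received; echoed back as a hidden field
$error_message  = null;  // token problem shown when Script.php left no message
$show_form      = false; // true only for a valid, unused, unexpired token
$is_success     = false; // true when Script.php reported a successful reset
$now            = time();

// $_GET['token'] can also arrive as an array (?token[]=x); only a string is a
// candidate, anything else is treated like a missing token.
if (isset($_GET['token']) && is_string($_GET['token'])) {
    $token_from_url = $_GET['token'];

    // Parameterised lookup: the token never becomes part of the SQL text, so no
    // escaping is needed and the raw value can be re-used in the form unchanged.
    $token_data = null;
    $stmt = mysqli_prepare(
        $con,
        'SELECT used, expires_at FROM password_reset_tokens WHERE token = ? LIMIT 1'
    );
    if ($stmt !== false) {
        mysqli_stmt_bind_param($stmt, 's', $token_from_url);
        if (mysqli_stmt_execute($stmt)) {
            mysqli_stmt_bind_result($stmt, $used, $expires_at);
            if (mysqli_stmt_fetch($stmt)) {
                $token_data = array('used' => $used, 'expires_at' => $expires_at);
            }
        }
        mysqli_stmt_close($stmt);
    }

    if ($token_data === null) {
        // No row, or the statement failed: one message for both, so the
        // response does not reveal which.
        $error_message = "Invalid password reset token. It may not exist in our system or has been cleaned up. Please request a new one if needed.";
    } else {
        // A NULL or unparsable expires_at counts as expired (fail closed).
        $expires_ts = strtotime((string) $token_data['expires_at']);
        if ((int) $token_data['used'] === 1) {
            $error_message = "This password reset link has already been used. Please request a new one if needed.";
        } elseif ($expires_ts === false || $expires_ts <= $now) {
            // NOTE(review): compared in this request's PHP timezone; assumes
            // expires_at was written with the same timezone setting — confirm.
            $error_message = "This password reset link has expired. Please request a new one if needed.";
        } else {
            $show_form = true;
        }
    }
} else {
    $error_message = "No reset token provided. Please use the link sent to your email.";
}

// Script.php's outcome message is free text; success is recognised by the word
// "success" in it, so that wording has to stay in sync with Script.php.
if (isset($_SESSION['info_reset_password'])) {
    $is_success = (strpos(strtolower($_SESSION['info_reset_password']), 'success') !== false);
}
?>
<br><br><br>
<div class="container">
    <div class="row">
        <div class="col-md-6 col-md-offset-3">
            <legend>Reset Your Password</legend>
            <?php if (isset($_SESSION['info_reset_password'])): ?>
                <div class="alert alert-<?php echo $is_success ? 'success' : 'danger'; ?>" role="alert">
                    <?php echo htmlspecialchars($_SESSION['info_reset_password'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>
                </div>
                <?php if ($is_success): ?>
                    <p><a href="index.php">Click here to Login</a></p>
                <?php else: ?>
                    <p><a href="recover_password.php">Request a new password reset link</a></p>
                <?php endif; ?>
            <?php endif; ?>
            <?php if ($error_message && !isset($_SESSION['info_reset_password'])): /* token errors only when Script.php left no message */ ?>
                <div class="alert alert-danger" role="alert"><?php echo htmlspecialchars($error_message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></div>
                <p><a href="recover_password.php">Request a new password reset link</a></p>
            <?php endif; ?>
            <?php if ($show_form && !isset($_SESSION['info_reset_password'])): ?>
                <form method="post" action="Script.php">
                    <input type="hidden" name="form_reset_password" value="true"/>
                    <!-- raw token, escaped for the attribute context only -->
                    <input type="hidden" name="token" value="<?php echo htmlspecialchars($token_from_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"/>
                    <div class="form-group">
                        <label for="new_password">New Password</label>
                        <input type="password" name="new_password" id="new_password" class="form-control" autocomplete="new-password" required minlength="8" pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^\w\d\s:])(?!.*\s).{8,}" title="Password must be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special characters.">
                        <small class="form-text text-muted">Must be at least 8 characters, include uppercase, lowercase, number, and special character.</small>
                    </div>
                    <div class="form-group">
                        <label for="confirm_password">Confirm New Password</label>
                        <input type="password" name="confirm_password" id="confirm_password" class="form-control" autocomplete="new-password" required>
                    </div>
                    <button type="submit" class="btn btn-primary">Reset Password</button>
                </form>
            <?php endif; ?>
            <?php
            // The Script.php message is one-shot: clear it only after it has been rendered.
            if (isset($_SESSION['info_reset_password'])) {
                unset($_SESSION['info_reset_password']);
            }
            ?>
        </div>
    </div>
</div>
<?php
include 'Footer.php';
?>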