+/**
+ * WordPress User Page
+ *
+ * Handles authentication, registering, resetting passwords, forgot password,
+ * and other user handling.
+ *
+ * @package WordPress
+ */
+
+/** Make sure that the WordPress bootstrap has run before continuing. */
+require( dirname(__FILE__) . '/wp-load.php' );
+
+// Redirect to https login if forced to use SSL
+if ( force_ssl_admin() && ! is_ssl() ) {
+ if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+ wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
+ exit();
+ } else {
+ wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
+ exit();
+ }
+}
+
+/**
+ * Output the login page header.
+ *
+ * @param string $title Optional. WordPress login Page title to display in the `<title>` element.
+ * Default 'Log In'.
+ * @param string $message Optional. Message to display in header. Default empty.
+ * @param WP_Error $wp_error Optional. The error to pass. Default empty.
+ */
+function login_header( $title = 'Log In', $message = '', $wp_error = '' ) {
+ global $error, $interim_login, $action;
+
+ // Don't index any of these forms
+ add_action( 'login_head', 'wp_no_robots' );
+
+ if ( wp_is_mobile() )
+ add_action( 'login_head', 'wp_login_viewport_meta' );
+
+ if ( empty($wp_error) )
+ $wp_error = new WP_Error();
+
+ // Shake it!
+ $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
+ /**
+ * Filter the error codes array for shaking the login form.
+ *
+ * @since 3.0.0
+ *
+ * @param array $shake_error_codes Error codes that shake the login form.
+ */
+ $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
+
+ if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
+ add_action( 'login_head', 'wp_shake_js', 12 );
+
+ ?><!DOCTYPE html>
+ <!--[if IE 8]>
+ <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
+ <![endif]-->
+ <!--[if !(IE 8) ]><!-->
+ <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
+ <!--<![endif]-->
+ <head>
+ <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
+ <title><?php bloginfo('name'); ?> › <?php echo $title; ?></title>
+ <?php
+
+ wp_admin_css( 'login', true );
+
+ /*
+ * Remove all stored post data on logging out.
+ * This could be added by add_action('login_head'...) like wp_shake_js(),
+ * but maybe better if it's not removable by plugins
+ */
+ if ( 'loggedout' == $wp_error->get_error_code() ) {
+ ?>
+ <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
+ <?php
+ }
+
+ /**
+ * Enqueue scripts and styles for the login page.
+ *
+ * @since 3.1.0
+ */
+ do_action( 'login_enqueue_scripts' );
+ /**
+ * Fires in the login page header after scripts are enqueued.
+ *
+ * @since 2.1.0
+ */
+ do_action( 'login_head' );
+
+ if ( is_multisite() ) {
+ $login_header_url = network_home_url();
+ $login_header_title = get_current_site()->site_name;
+ } else {
+ $login_header_url = __( 'https://wordpress.org/' );
+ $login_header_title = __( 'Powered by WordPress' );
+ }
+
+ /**
+ * Filter link URL of the header logo above login form.
+ *
+ * @since 2.1.0
+ *
+ * @param string $login_header_url Login header logo URL.
+ */
+ $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
+ /**
+ * Filter the title attribute of the header logo above login form.
+ *
+ * @since 2.1.0
+ *
+ * @param string $login_header_title Login header logo title attribute.
+ */
+ $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
+
+ $classes = array( 'login-action-' . $action, 'wp-core-ui' );
+ if ( wp_is_mobile() )
+ $classes[] = 'mobile';
+ if ( is_rtl() )
+ $classes[] = 'rtl';
+ if ( $interim_login ) {
+ $classes[] = 'interim-login';
+ ?>
+ <style type="text/css">html{background-color: transparent;}</style>
+ <?php
+
+ if ( 'success' === $interim_login )
+ $classes[] = 'interim-login-success';
+ }
+ $classes[] =' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
+
+ /**
+ * Filter the login page body classes.
+ *
+ * @since 3.5.0
+ *
+ * @param array $classes An array of body classes.
+ * @param string $action The action that brought the visitor to the login page.
+ */
+ $classes = apply_filters( 'login_body_class', $classes, $action );
+
+ ?>
+ </head>
+ <body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
+ <div id="login">
+ <h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>" tabindex="-1"><?php bloginfo( 'name' ); ?></a></h1>
+ <?php
+
+ unset( $login_header_url, $login_header_title );
+
+ /**
+ * Filter the message to display above the login form.
+ *
+ * @since 2.1.0
+ *
+ * @param string $message Login message text.
+ */
+ $message = apply_filters( 'login_message', $message );
+ if ( !empty( $message ) )
+ echo $message . "\n";
+
+ // In case a plugin uses $error rather than the $wp_errors object
+ if ( !empty( $error ) ) {
+ $wp_error->add('error', $error);
+ unset($error);
+ }
+
+ if ( $wp_error->get_error_code() ) {
+ $errors = '';
+ $messages = '';
+ foreach ( $wp_error->get_error_codes() as $code ) {
+ $severity = $wp_error->get_error_data( $code );
+ foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
+ if ( 'message' == $severity )
+ $messages .= ' ' . $error_message . "<br />\n";
+ else
+ $errors .= ' ' . $error_message . "<br />\n";
+ }
+ }
+ if ( ! empty( $errors ) ) {
+ /**
+ * Filter the error messages displayed above the login form.
+ *
+ * @since 2.1.0
+ *
+ * @param string $errors Login error message.
+ */
+ echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
+ }
+ if ( ! empty( $messages ) ) {
+ /**
+ * Filter instructional messages displayed above the login form.
+ *
+ * @since 2.5.0
+ *
+ * @param string $messages Login messages.
+ */
+ echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
+ }
+ }
+} // End of login_header()
+
+/**
+ * Outputs the footer for the login page.
+ *
+ * @param string $input_id Which input to auto-focus
+ */
+function login_footer($input_id = '') {
+ global $interim_login;
+
+ // Don't allow interim logins to navigate away from the page.
+ if ( ! $interim_login ): ?>
+ <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '← Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p>
+ <?php endif; ?>
+
+ </div>
+
+ <?php if ( !empty($input_id) ) : ?>
+ <script type="text/javascript">
+ try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
+ if(typeof wpOnload=='function')wpOnload();
+ </script>
+ <?php endif; ?>
+
+ <?php
+ /**
+ * Fires in the login page footer.
+ *
+ * @since 3.1.0
+ */
+ do_action( 'login_footer' ); ?>
+ <div class="clear"></div>
+ </body>
+ </html>
+ <?php
+}
+
+/**
+ * @since 3.0.0
+ */
+function wp_shake_js() {
+ if ( wp_is_mobile() )
+ return;
+?>
+<script type="text/javascript">
+addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+function s(id,pos){g(id).left=pos+'px';}
+function g(id){return document.getElementById(id).style;}
+function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
+addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
+</script>
+<?php
+}
+
+/**
+ * @since 3.7.0
+ */
+function wp_login_viewport_meta() {
+ ?>
+ <meta name="viewport" content="width=device-width" />
+ <?php
+}
+
+/**
+ * Handles sending password retrieval email to user.
+ *
+ * @global wpdb $wpdb WordPress database abstraction object.
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
+ *
+ * @return bool|WP_Error True: when finish. WP_Error on error
+ */
+function retrieve_password() {
+ global $wpdb, $wp_hasher;
+
+ $errors = new WP_Error();
+
+ if ( empty( $_POST['user_login'] ) ) {
+ $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));
+ } elseif ( strpos( $_POST['user_login'], '@' ) ) {
+ $user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );
+ if ( empty( $user_data ) )
+ $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
+ } else {
+ $login = trim($_POST['user_login']);
+ $user_data = get_user_by('login', $login);
+ }
+
+ /**
+ * Fires before errors are returned from a password reset request.
+ *
+ * @since 2.1.0
+ * @since 4.4.0 Added the `$errors` parameter.
+ *
+ * @param WP_Error $errors A WP_Error object containing any errors generated
+ * by using invalid credentials.
+ */
+ do_action( 'lostpassword_post', $errors );
+
+ if ( $errors->get_error_code() )
+ return $errors;
+
+ if ( !$user_data ) {
+ $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or email.'));
+ return $errors;
+ }
+
+ // Redefining user_login ensures we return the right case in the email.
+ $user_login = $user_data->user_login;
+ $user_email = $user_data->user_email;
+ $key = get_password_reset_key( $user_data );