fixing some security issues and harderning service

app-code/api/login/send_reset_link.php

@@ -1,9 +1,15 @@
 <?php
-session_start();
+include "../utils/security.php";
+secure_session_start();
+require_same_origin_request();
 header('Content-Type: application/json');
 include "../../config/config.php";
 include "../utils/get_location.php";
-$username=$_SESSION["username"];
+$username=$_SESSION["username"] ?? "";
+if ($username === "") {
+	echo json_encode(['success' => false, 'message' => 'Missing username.']);
+	exit;
+}
 $sql="SELECT id, email, telegram_id FROM users WHERE username = ?;";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
 $mail="";
@@ -15,11 +21,17 @@ mysqli_stmt_execute($stmt);
 mysqli_stmt_store_result($stmt);
 mysqli_stmt_bind_result($stmt,$id, $mail,$telegram_id);
 mysqli_stmt_fetch($stmt);
+$user_found = mysqli_stmt_num_rows($stmt) === 1;
 mysqli_stmt_close($stmt);
+if (!$user_found) {
+	echo json_encode(['success' => true, 'message' => 'If the account has reset methods configured, a reset link has been sent.']);
+	exit;
+}
 //send telegram message
-$device = $_SERVER['HTTP_USER_AGENT'];
+$device = $_SERVER['HTTP_USER_AGENT'] ?? "";
 //$ip=$_SERVER["REMOTE_ADDR"];
-$ip=trim(explode(",",$_SERVER["HTTP_X_FORWARDED_FOR"])[0]);
+$forwarded_for = $_SERVER["HTTP_X_FORWARDED_FOR"] ?? $_SERVER["REMOTE_ADDR"] ?? "";
+$ip=trim(explode(",",$forwarded_for)[0]);
 $location=get_location_from_ip($ip);
 $date=date('Y-m-d H:i:s');
 $token=bin2hex(random_bytes(128));
@@ -628,11 +640,12 @@ if(!empty($mail)){
 
 
 //insert the token into our db
-$valid_until=time()+(8600/2);
+$valid_until=time()+(12 * 60 * 60);
 $sql="INSERT INTO reset_tokens (auth_token, user_id,valid_until) VALUES (?,?,?);";
 $stmt = mysqli_prepare($conn, $sql);
 mysqli_stmt_bind_param($stmt, 'sii', $token,$id,$valid_until);
 mysqli_stmt_execute($stmt);
 mysqli_stmt_close($stmt);
 
+echo json_encode(['success' => true, 'message' => 'If the account has reset methods configured, a reset link has been sent.']);
 ?>