Add password reset request expiration
- Change password reset link to /lostpass/[pwdreset]
This commit is contained in:
		
					parent
					
						
							
								391c591322
							
						
					
				
			
			
				commit
				
					
						0888f51b4b
					
				
			
		
					 2 changed files with 95 additions and 60 deletions
				
			
		|  | @ -9,7 +9,8 @@ use Friendica\Core\System; | ||||||
| use Friendica\Database\DBM; | use Friendica\Database\DBM; | ||||||
| use Friendica\Model\User; | use Friendica\Model\User; | ||||||
| 
 | 
 | ||||||
| require_once 'include/boot.php'; | require_once 'boot.php'; | ||||||
|  | require_once 'include/datetime.php'; | ||||||
| require_once 'include/enotify.php'; | require_once 'include/enotify.php'; | ||||||
| require_once 'include/text.php'; | require_once 'include/text.php'; | ||||||
| require_once 'include/pgettext.php'; | require_once 'include/pgettext.php'; | ||||||
|  | @ -30,13 +31,17 @@ function lostpass_post(App $a) | ||||||
| 
 | 
 | ||||||
| 	$pwdreset_token = autoname(12) . mt_rand(1000, 9999); | 	$pwdreset_token = autoname(12) . mt_rand(1000, 9999); | ||||||
| 
 | 
 | ||||||
| 	$result = dba::update('user', ['pwdreset' => $pwdreset_token], ['uid' => $user['uid']]); | 	$fields = [ | ||||||
|  | 		'pwdreset' => $pwdreset_token, | ||||||
|  | 		'pwdreset_time' => datetime_convert() | ||||||
|  | 	]; | ||||||
|  | 	$result = dba::update('user', $fields, ['uid' => $user['uid']]); | ||||||
| 	if ($result) { | 	if ($result) { | ||||||
| 		info(t('Password reset request issued. Check your email.') . EOL); | 		info(t('Password reset request issued. Check your email.') . EOL); | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	$sitename = $a->config['sitename']; | 	$sitename = $a->config['sitename']; | ||||||
| 	$resetlink = System::baseUrl() . '/lostpass?verify=' . $pwdreset_token; | 	$resetlink = System::baseUrl() . '/lostpass/' . $pwdreset_token; | ||||||
| 
 | 
 | ||||||
| 	$preamble = deindent(t(' | 	$preamble = deindent(t(' | ||||||
| 		Dear %1$s, | 		Dear %1$s, | ||||||
|  | @ -76,21 +81,57 @@ function lostpass_post(App $a) | ||||||
| function lostpass_content(App $a) | function lostpass_content(App $a) | ||||||
| { | { | ||||||
| 	$o = ''; | 	$o = ''; | ||||||
| 	if (x($_GET, 'verify')) { | 	if ($a->argc > 1) { | ||||||
| 		$pwdreset_token = $_GET['verify']; | 		$pwdreset_token = $a->argv[1]; | ||||||
| 
 | 
 | ||||||
| 		$user = dba::selectFirst('user', ['uid', 'username', 'email'], ['pwdreset' => $pwdreset_token]); | 		$user = dba::selectFirst('user', ['uid', 'username', 'email', 'pwdreset_time'], ['pwdreset' => $pwdreset_token]); | ||||||
| 		if (!DBM::is_result($user)) { | 		if (!DBM::is_result($user)) { | ||||||
| 			$o = t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."); | 			notice(t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed.")); | ||||||
|  | 
 | ||||||
|  | 			return lostpass_form(); | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		// Password reset requests expire in 20 minutes
 | ||||||
|  | 		if ($user['pwdreset_time'] < datetime_convert('UTC', 'UTC', 'now - 20 minutes')) { | ||||||
|  | 			$fields = [ | ||||||
|  | 				'pwdreset' => null, | ||||||
|  | 				'pwdreset_time' => null | ||||||
|  | 			]; | ||||||
|  | 			dba::update('user', $fields, ['uid' => $user['uid']]); | ||||||
|  | 
 | ||||||
|  | 			notice(t('Request has expired, please make a new one.')); | ||||||
|  | 
 | ||||||
|  | 			return lostpass_form(); | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		return lostpass_generate_password($user); | ||||||
|  | 	} else { | ||||||
|  | 		return lostpass_form(); | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | function lostpass_form() | ||||||
|  | { | ||||||
|  | 	$tpl = get_markup_template('lostpass.tpl'); | ||||||
|  | 	$o = replace_macros($tpl, [ | ||||||
|  | 		'$title' => t('Forgot your Password?'), | ||||||
|  | 		'$desc' => t('Enter your email address and submit to have your password reset. Then check your email for further instructions.'), | ||||||
|  | 		'$name' => t('Nickname or Email: '), | ||||||
|  | 		'$submit' => t('Reset') | ||||||
|  | 	]); | ||||||
|  | 
 | ||||||
| 	return $o; | 	return $o; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | function lostpass_generate_password($user) | ||||||
|  | { | ||||||
|  | 	$o = ''; | ||||||
|  | 
 | ||||||
| 	$new_password = User::generateNewPassword(); | 	$new_password = User::generateNewPassword(); | ||||||
| 	$result = User::updatePassword($user['uid'], $new_password); | 	$result = User::updatePassword($user['uid'], $new_password); | ||||||
| 	if (DBM::is_result($result)) { | 	if (DBM::is_result($result)) { | ||||||
| 		$tpl = get_markup_template('pwdreset.tpl'); | 		$tpl = get_markup_template('pwdreset.tpl'); | ||||||
| 			$o .= replace_macros($tpl, | 		$o .= replace_macros($tpl, [ | ||||||
| 				[ |  | ||||||
| 			'$lbl1'    => t('Password Reset'), | 			'$lbl1'    => t('Password Reset'), | ||||||
| 			'$lbl2'    => t('Your password has been reset as requested.'), | 			'$lbl2'    => t('Your password has been reset as requested.'), | ||||||
| 			'$lbl3'    => t('Your new password is'), | 			'$lbl3'    => t('Your new password is'), | ||||||
|  | @ -127,18 +168,7 @@ function lostpass_content(App $a) | ||||||
| 			'preamble' => $preamble, | 			'preamble' => $preamble, | ||||||
| 			'body'     => $body | 			'body'     => $body | ||||||
| 		]); | 		]); | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	return $o; | 	return $o; | ||||||
| } | } | ||||||
| 	} else { |  | ||||||
| 		$tpl = get_markup_template('lostpass.tpl'); |  | ||||||
| 		$o .= replace_macros($tpl, [ |  | ||||||
| 			'$title'  => t('Forgot your Password?'), |  | ||||||
| 			'$desc'   => t('Enter your email address and submit to have your password reset. Then check your email for further instructions.'), |  | ||||||
| 			'$name'   => t('Nickname or Email: '), |  | ||||||
| 			'$submit' => t('Reset') |  | ||||||
| 		]); |  | ||||||
| 
 |  | ||||||
| 		return $o; |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
|  | @ -194,7 +194,12 @@ class User | ||||||
| 	 */ | 	 */ | ||||||
| 	private static function updatePasswordHashed($uid, $pasword_hashed) | 	private static function updatePasswordHashed($uid, $pasword_hashed) | ||||||
| 	{ | 	{ | ||||||
| 		return dba::update('user', ['password' => $pasword_hashed, 'pwdreset' => ''], ['uid' => $uid]); | 		$fields = [ | ||||||
|  | 			'password' => $pasword_hashed, | ||||||
|  | 			'pwdreset' => null, | ||||||
|  | 			'pwdreset_time' => null | ||||||
|  | 		]; | ||||||
|  | 		return dba::update('user', $fields, ['uid' => $uid]); | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	/** | 	/** | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue