From 613605ef9269d60032fd77d91cff70109105410b Mon Sep 17 00:00:00 2001 From: tracer Date: Sun, 13 Jun 2021 16:07:40 +0200 Subject: [PATCH] removed encoder, set hasher --- src/Controller/ResetPasswordController.php | 301 +++++++++++---------- 1 file changed, 152 insertions(+), 149 deletions(-) diff --git a/src/Controller/ResetPasswordController.php b/src/Controller/ResetPasswordController.php index cbdc141..319faa6 100644 --- a/src/Controller/ResetPasswordController.php +++ b/src/Controller/ResetPasswordController.php @@ -12,8 +12,9 @@ use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Mailer\MailerInterface; use Symfony\Component\Mime\Address; +use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface; use Symfony\Component\Routing\Annotation\Route; -use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface; +use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface; use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait; use SymfonyCasts\Bundle\ResetPassword\Exception\ResetPasswordExceptionInterface; use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface; @@ -25,152 +26,154 @@ use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface; #[Route('/reset-password')] class ResetPasswordController extends AbstractController { - use ResetPasswordControllerTrait; - - private $resetPasswordHelper; - - public function __construct(ResetPasswordHelperInterface $resetPasswordHelper) - { - $this->resetPasswordHelper = $resetPasswordHelper; - } - - /** - * Display & process form to request a password reset. - */ - #[Route('', name: 'app_forgot_password_request')] - public function request(Request $request, MailerInterface $mailer): Response - { - $form = $this->createForm(ResetPasswordRequestFormType::class); - $form->handleRequest($request); - - if ($form->isSubmitted() && $form->isValid()) { - return $this->processSendingPasswordResetEmail( - $form->get('email')->getData(), - $mailer - ); - } - - return $this->render('security/request.html.twig', [ - 'requestForm' => $form->createView(), - ]); - } - - /** - * Confirmation page after a user has requested a password reset. - */ - #[Route('/check-email', name: 'app_check_email')] - public function checkEmail(): Response - { - // Generate a fake token if the user does not exist or someone hit this page directly. - // This prevents exposing whether or not a user was found with the given email address or not - if (null === ($resetToken = $this->getTokenObjectFromSession())) { - $resetToken = $this->resetPasswordHelper->generateFakeResetToken(); - } - - return $this->render('security/check_email.html.twig', [ - 'resetToken' => $resetToken, - ]); - } - - /** - * Validates and process the reset URL that the user clicked in their email. - */ - #[Route('/reset/{token}', name: 'app_reset_password')] - public function reset(Request $request, UserPasswordEncoderInterface $passwordEncoder, string $token = null): Response - { - if ($token) { - // We store the token in session and remove it from the URL, to avoid the URL being - // loaded in a browser and potentially leaking the token to 3rd party JavaScript. - $this->storeTokenInSession($token); - - return $this->redirectToRoute('app_reset_password'); - } - - $token = $this->getTokenFromSession(); - if ($token === null) { - throw $this->createNotFoundException('No reset password token found in the URL or in the session.'); - } - - try { - $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token); - } catch (ResetPasswordExceptionInterface $e) { - $this->addFlash('reset_password_error', sprintf( - 'There was a problem validating your reset request - %s', - $e->getReason() - )); - - return $this->redirectToRoute('app_forgot_password_request'); - } - - // The token is valid; allow the user to change their password. - $form = $this->createForm(ChangePasswordFormType::class); - $form->handleRequest($request); - - if ($form->isSubmitted() && $form->isValid()) { - // A password reset token should be used only once, remove it. - $this->resetPasswordHelper->removeResetRequest($token); - - // Encode the plain password, and set it. - $encodedPassword = $passwordEncoder->encodePassword( - $user, - $form->get('plainPassword')->getData() - ); - - $user->setPassword($encodedPassword); - $this->getDoctrine()->getManager()->flush(); - - // The session is cleaned up after the password has been changed. - $this->cleanSessionAfterReset(); - - return $this->redirectToRoute('blogs'); - } - - return $this->render('security/reset.html.twig', [ - 'resetForm' => $form->createView(), - ]); - } - - private function processSendingPasswordResetEmail(string $emailFormData, MailerInterface $mailer): RedirectResponse - { - $user = $this->getDoctrine()->getRepository(User::class)->findOneBy([ - 'email' => $emailFormData, - ]); - - // Do not reveal whether a user account was found or not. - if (!$user) { - return $this->redirectToRoute('app_check_email'); - } - - try { - $resetToken = $this->resetPasswordHelper->generateResetToken($user); - } catch (ResetPasswordExceptionInterface $e) { - // If you want to tell the user why a reset email was not sent, uncomment - // the lines below and change the redirect to 'app_forgot_password_request'. - // Caution: This may reveal if a user is registered or not. - // - // $this->addFlash('reset_password_error', sprintf( - // 'There was a problem handling your password reset request - %s', - // $e->getReason() - // )); - - return $this->redirectToRoute('app_check_email'); - } - - $email = (new TemplatedEmail()) - ->from(new Address('tracer@24unix.net', '24unix.net')) - ->to($user->getEmail()) - ->subject('Your password reset request') - ->htmlTemplate('security/email.html.twig') - ->context([ - 'resetToken' => $resetToken, - ]) - ; - - $mailer->send($email); - - // Store the token object in session for retrieval in check-email route. - $this->setTokenObjectInSession($resetToken); - - return $this->redirectToRoute('app_check_email'); - } + use ResetPasswordControllerTrait; + + private $resetPasswordHelper; + + public function __construct(ResetPasswordHelperInterface $resetPasswordHelper) + { + $this->resetPasswordHelper = $resetPasswordHelper; + } + + /** + * Display & process form to request a password reset. + */ + #[Route('', name: 'app_forgot_password_request')] + public function request(Request $request, MailerInterface $mailer): Response + { + $form = $this->createForm(ResetPasswordRequestFormType::class); + $form->handleRequest($request); + + if ($form->isSubmitted() && $form->isValid()) { + return $this->processSendingPasswordResetEmail( + $form->get('email')->getData(), + $mailer + ); + } + + return $this->render('security/request.html.twig', [ + 'requestForm' => $form->createView(), + ]); + } + + /** + * Confirmation page after a user has requested a password reset. + */ + #[Route('/check-email', name: 'app_check_email')] + public function checkEmail(): Response + { + // Generate a fake token if the user does not exist or someone hit this page directly. + // This prevents exposing whether or not a user was found with the given email address or not + if (null === ($resetToken = $this->getTokenObjectFromSession())) { + $resetToken = $this->resetPasswordHelper->generateFakeResetToken(); + } + + return $this->render('security/check_email.html.twig', [ + 'resetToken' => $resetToken, + ]); + } + + /** + * Validates and process the reset URL that the user clicked in their email. + */ + #[Route('/reset/{token}', name: 'app_reset_password')] + public function reset(Request $request, UserPasswordHasherInterface $passwordHasher, string $token = null): Response + { + if ($token) { + // We store the token in session and remove it from the URL, to avoid the URL being + // loaded in a browser and potentially leaking the token to 3rd party JavaScript. + $this->storeTokenInSession($token); + + return $this->redirectToRoute('app_reset_password'); + } + + $token = $this->getTokenFromSession(); + if ($token === null) { + throw $this->createNotFoundException('No reset password token found in the URL or in the session.'); + } + + try { + $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token); + } catch (ResetPasswordExceptionInterface $e) { + $this->addFlash('reset_password_error', sprintf( + 'There was a problem validating your reset request - %s', + $e->getReason() + )); + + return $this->redirectToRoute('app_forgot_password_request'); + } + + // The token is valid; allow the user to change their password. + $form = $this->createForm(ChangePasswordFormType::class); + $form->handleRequest($request); + + if ($form->isSubmitted() && $form->isValid()) { + // A password reset token should be used only once, remove it. + $this->resetPasswordHelper->removeResetRequest($token); + + // Hash the plain password, and set it. + /* + ** @var PasswordAuthenticatedUserInterface $user + */ + $hashedPassword = $passwordHasher->hashPassword( + $user, + $form->get('plainPassword')->getData() + ); + + $user->setPassword($hashedPassword); + $this->getDoctrine()->getManager()->flush(); + + // The session is cleaned up after the password has been changed. + $this->cleanSessionAfterReset(); + + return $this->redirectToRoute('blogs'); + } + + return $this->render('security/reset.html.twig', [ + 'resetForm' => $form->createView(), + ]); + } + + private function processSendingPasswordResetEmail(string $emailFormData, MailerInterface $mailer): RedirectResponse + { + $user = $this->getDoctrine()->getRepository(User::class)->findOneBy([ + 'email' => $emailFormData, + ]); + + // Do not reveal whether a user account was found or not. + if (!$user) { + return $this->redirectToRoute('app_check_email'); + } + + try { + $resetToken = $this->resetPasswordHelper->generateResetToken($user); + } catch (ResetPasswordExceptionInterface $e) { + // If you want to tell the user why a reset email was not sent, uncomment + // the lines below and change the redirect to 'app_forgot_password_request'. + // Caution: This may reveal if a user is registered or not. + // + // $this->addFlash('reset_password_error', sprintf( + // 'There was a problem handling your password reset request - %s', + // $e->getReason() + // )); + + return $this->redirectToRoute('app_check_email'); + } + + $email = (new TemplatedEmail()) + ->from(new Address('tracer@24unix.net', '24unix.net')) + ->to($user->getEmail()) + ->subject('Your password reset request') + ->htmlTemplate('security/email.html.twig') + ->context([ + 'resetToken' => $resetToken, + ]); + + $mailer->send($email); + + // Store the token object in session for retrieval in check-email route. + $this->setTokenObjectInSession($resetToken); + + return $this->redirectToRoute('app_check_email'); + } }