forked from Public/pics
ResetPassword: add time-out to password resets; prevent repeated mails
This commit is contained in:
@@ -12,6 +12,8 @@
|
||||
*/
|
||||
class Authentication
|
||||
{
|
||||
const DEFAULT_RESET_TIMEOUT = 30;
|
||||
|
||||
/**
|
||||
* Checks a password for a given username against the database.
|
||||
*/
|
||||
@@ -57,6 +59,27 @@ class Authentication
|
||||
return $hash;
|
||||
}
|
||||
|
||||
public static function consumeResetKey($id_user)
|
||||
{
|
||||
return Registry::get('db')->query('
|
||||
UPDATE users
|
||||
SET reset_key = NULL,
|
||||
reset_blocked_until = NULL
|
||||
WHERE id_user = {int:id_user}',
|
||||
['id_user' => $id_user]);
|
||||
}
|
||||
|
||||
public static function getResetTimeOut($id_user)
|
||||
{
|
||||
$resetTime = Registry::get('db')->queryValue('
|
||||
SELECT reset_blocked_until
|
||||
FROM users
|
||||
WHERE id_user = {int:id_user}',
|
||||
['id_user' => $id_user]);
|
||||
|
||||
return max(0, $resetTime - time());
|
||||
}
|
||||
|
||||
/**
|
||||
* Verifies whether the user is currently logged in.
|
||||
*/
|
||||
@@ -92,7 +115,8 @@ class Authentication
|
||||
{
|
||||
return Registry::get('db')->query('
|
||||
UPDATE users
|
||||
SET reset_key = {string:key}
|
||||
SET reset_key = {string:key},
|
||||
reset_blocked_until = UNIX_TIMESTAMP() + ' . static::DEFAULT_RESET_TIMEOUT . '
|
||||
WHERE id_user = {int:id}',
|
||||
[
|
||||
'id' => $id_user,
|
||||
@@ -117,4 +141,26 @@ class Authentication
|
||||
'blank' => '',
|
||||
]);
|
||||
}
|
||||
|
||||
public static function updateResetTimeOut($id_user)
|
||||
{
|
||||
$currentResetTimeOut = static::getResetTimeOut($id_user);
|
||||
|
||||
// New timeout: between 30 seconds, double the current timeout, and a full day
|
||||
$newResetTimeOut = min(max(static::DEFAULT_RESET_TIMEOUT, $currentResetTimeOut * 2), 60 * 60 * 24);
|
||||
|
||||
$success = Registry::get('db')->query('
|
||||
UPDATE users
|
||||
SET reset_blocked_until = {int:new_time_out}
|
||||
WHERE id_user = {int:id_user}',
|
||||
[
|
||||
'id_user' => $id_user,
|
||||
'new_time_out' => time() + $newResetTimeOut,
|
||||
]);
|
||||
|
||||
if (!$success)
|
||||
throw new UnexpectedValueException('Could not set password reset timeout!');
|
||||
|
||||
return $newResetTimeOut;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@ abstract class User
|
||||
protected $ip_address;
|
||||
protected $is_admin;
|
||||
protected $reset_key;
|
||||
protected $reset_blocked_until;
|
||||
|
||||
protected bool $is_logged;
|
||||
protected bool $is_guest;
|
||||
|
||||
Reference in New Issue
Block a user