Add time-out to password resets; prevent repeated mails #50

Open
Aaron wants to merge 7 commits from password-reset into master
4 changed files with 21 additions and 26 deletions
Showing only changes of commit 9c86d2c475 - Show all commits


@ -24,7 +24,9 @@ class Login extends HTMLController
if (Authentication::checkPassword($_POST['emailaddress'], $_POST['password'])) if (Authentication::checkPassword($_POST['emailaddress'], $_POST['password']))
{ {
parent::__construct('Login'); parent::__construct('Login');
$_SESSION['user_id'] = Authentication::getUserId($_POST['emailaddress']);
$user = Member::fromEmailAddress($_POST['emailaddress']);
$_SESSION['user_id'] = $user->getUserId();
if (isset($_POST['redirect_url'])) if (isset($_POST['redirect_url']))
header('Location: ' . base64_decode($_POST['redirect_url'])); header('Location: ' . base64_decode($_POST['redirect_url']));
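Review bot: The new line `$_SESSION['user_id'] = $user->getUserId();` writes the authenticated identity into a session whose id is never regenerated, so a session id established before login stays valid after it; add `session_regenerate_id(true);` immediately before that assignment. `Member::fromEmailAddress` is also used here without the `if (!$user)` guard that ResetPassword applies to the same call; since `checkPassword` has just succeeded for the same address the lookup presumably matches, but if the two lookups differ in how they treat the raw `$_POST['emailaddress']` (whitespace, case), `$user->getUserId()` becomes a fatal call on a non-object. The enclosing constructor starts and ends outside the hunk.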


@ -18,12 +18,12 @@ class ResetPassword extends HTMLController
if (isset($_GET['step'], $_GET['email'], $_GET['key']) && $_GET['step'] == 2) if (isset($_GET['step'], $_GET['email'], $_GET['key']) && $_GET['step'] == 2)
{ {
$email = rawurldecode($_GET['email']); $email = rawurldecode($_GET['email']);
$id_user = Authentication::getUserid($email); $user = Member::fromEmailAddress($email);
if ($id_user === false) if (!$user)
throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.'); throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.');
$key = $_GET['key']; $key = $_GET['key'];
if (!Authentication::checkResetKey($id_user, $key)) if (!Authentication::checkResetKey($user->getUserId(), $key))
throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.'); throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.');
parent::__construct('Reset password - ' . SITE_TITLE); parent::__construct('Reset password - ' . SITE_TITLE);
@ -42,7 +42,7 @@ class ResetPassword extends HTMLController
// So, are we good to go? // So, are we good to go?
if (empty($missing)) if (empty($missing))
{ {
Authentication::updatePassword($id_user, Authentication::computeHash($_POST['password1'])); Authentication::updatePassword($user->getUserId(), Authentication::computeHash($_POST['password1']));
$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success']; $_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
header('Location: ' . BASEURL . '/login/'); header('Location: ' . BASEURL . '/login/');
exit; exit;
@ -60,15 +60,15 @@ class ResetPassword extends HTMLController
// Have they submitted an email address yet? // Have they submitted an email address yet?
if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress']))) if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
{ {
$id_user = Authentication::getUserid(trim($_POST['emailaddress'])); $user = Member::fromEmailAddress($_POST['emailaddress']);
if ($id_user === false) if (!$user)
{ {
$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger')); $form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger'));
return; return;
} }
Authentication::setResetKey($id_user); Authentication::setResetKey($user->getUserId());
Email::resetMail($id_user); Email::resetMail($user->getUserId());
// Show the success message // Show the success message
$this->page->clear(); $this->page->clear();
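Review bot: In the third hunk the new lookup `$user = Member::fromEmailAddress($_POST['emailaddress']);` drops the `trim()` that the old `getUserid(trim(...))` call applied, while the `preg_match` guard on the line above still validates the trimmed value; an address with surrounding whitespace now passes validation but is looked up verbatim and fails. Restore it: `$user = Member::fromEmailAddress(trim($_POST['emailaddress']));`. The `if (!$user)` checks in the first and third hunks also assume `queryObject` yields a falsy value for a missing row, which should be confirmed against its implementation since it is not part of this diff. The enclosing method of each hunk starts and ends outside the hunk.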


@ -73,22 +73,6 @@ class Authentication
return $hash; return $hash;
} }
/**
* Finds the user id belonging to a certain emailaddress.
*/
public static function getUserId($emailaddress)
{
$res = Registry::get('db')->queryValue('
SELECT id_user
FROM users
WHERE emailaddress = {string:emailaddress}',
[
'emailaddress' => $emailaddress,
]);
return empty($res) ? false : $res;
}
/** /**
* Verifies whether the user is currently logged in. * Verifies whether the user is currently logged in.
*/ */


@ -8,7 +8,7 @@
class Member extends User class Member extends User
{ {
private function __construct($data) private function __construct($data = [])
{ {
foreach ($data as $key => $value) foreach ($data as $key => $value)
$this->$key = $value; $this->$key = $value;
@ -18,6 +18,15 @@ class Member extends User
$this->is_admin = $this->is_admin == 1; $this->is_admin = $this->is_admin == 1;
} }
public static function fromEmailAddress($email_address)
{
return Registry::get('db')->queryObject(static::class, '
SELECT *
FROM users
WHERE emailaddress = {string:email_address}',
['email_address' => $email_address]);
}
public static function fromId($id_user) public static function fromId($id_user)
{ {
$row = Registry::get('db')->queryAssoc(' $row = Registry::get('db')->queryAssoc('