Skip to content

Commit

Permalink
fix(user): make lostPassword use better hashed link
Browse files Browse the repository at this point in the history
  • Loading branch information
mrflos committed Oct 31, 2024
1 parent b5a8f93 commit e128570
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 4 deletions.
1 change: 1 addition & 0 deletions includes/services/UserManager.php
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ class UserManager implements UserProviderInterface, PasswordUpgraderInterface
protected $passwordHasherFactory;
protected $securityController;
protected $params;
protected $userlink;

private $getOneByNameCacheResults;

Expand Down
12 changes: 8 additions & 4 deletions tools/#/actions/LostPasswordAction.php
Original file line number Diff line number Diff line change
Expand Up @@ -10,20 +10,21 @@
use YesWiki\Core\Service\UserManager;
use YesWiki\Core\YesWikiAction;
use YesWiki\Security\Controller\SecurityController;
use YesWiki\Core\Service\PasswordHasherFactory;

if (!function_exists('send_mail')) {
require_once('includes/email.inc.php');
}

class LostPasswordAction extends YesWikiAction
{
private const PW_SALT = 'FBcA';
public const KEY_VOCABULARY = 'http://outils-reseaux.org/_vocabulary/key';

protected $authController;
protected $errorType;
protected $typeOfRendering;
protected $securityController;
protected $passwordHasherFactory;
protected $tripleStore;
protected $userManager;

Expand All @@ -34,6 +35,7 @@ public function run()
$this->securityController = $this->getService(SecurityController::class);
$this->tripleStore = $this->getService(TripleStore::class);
$this->userManager = $this->getService(UserManager::class);
$this->passwordHasherFactory = $this->getService(PasswordHasherFactory::class);

// init properties
$this->errorType = null;
Expand Down Expand Up @@ -206,16 +208,18 @@ private function manageSubStep(int $subStep): ?User
private function sendPasswordRecoveryEmail(User $user)
{
// Generate the password recovery key
$key = md5($user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s') . self::PW_SALT);
$passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user);
$plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s');
$hashedKey = $passwordHasher->hash($plainKey);
// Erase the previous triples in the trible table
$this->tripleStore->delete($user['name'], self::KEY_VOCABULARY, null, '', '') ;
// Store the (name, vocabulary, key) triple in triples table
$res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $key, '', '');
$res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $hashedKey, '', '');

// Generate the recovery email
$passwordLink = $this->wiki->Href('', '', [
'a' => 'recover',
'email' => $key,
'email' => $hashedKey,
'u' => base64_encode($user['name'])
], false);
$pieces = parse_url($this->params->get('base_url'));
Expand Down

0 comments on commit e128570

Please # to comment.