From 8d9f45203937336e1c6f25f6bab9cc3d025cc7f0 Mon Sep 17 00:00:00 2001
From: Jesse Rushlow
Date: Mon, 29 Mar 2021 13:18:16 -0400
Subject: [PATCH] [reset-password] allow anyone to access check email
---
 src/Maker/MakeResetPassword.php | 13 +++++--------
 .../resetPassword/ResetPasswordController.tpl.php | 5 +++--
 .../skeleton/resetPassword/twig_check_email.tpl.php | 2 +-
 .../skeleton/resetPassword/twig_request.tpl.php | 2 +-
 .../tests/ResetPasswordFunctionalTest.php | 10 +++++-----
 5 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/src/Maker/MakeResetPassword.php b/src/Maker/MakeResetPassword.php
index cd472bfad..1451f8555 100644
--- a/src/Maker/MakeResetPassword.php
+++ b/src/Maker/MakeResetPassword.php
@@ -32,12 +32,11 @@
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Mailer\MailerInterface;
 use Symfony\Component\Yaml\Yaml;
-use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait;
 use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestInterface;
 use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestTrait;
-use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordToken;
 use SymfonyCasts\Bundle\ResetPassword\Persistence\Repository\ResetPasswordRequestRepositoryTrait;
 use SymfonyCasts\Bundle\ResetPassword\Persistence\ResetPasswordRequestRepositoryInterface;
+use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelper;
 use SymfonyCasts\Bundle\ResetPassword\SymfonyCastsResetPasswordBundle;
 /**
@@ -96,12 +95,10 @@ public function configureDependencies(DependencyBuilder $dependencies): void
 $dependencies->addClassDependency(Annotation::class, 'annotations');
- // reset-password-bundle 1.3 includes helpers to get/set a ResetPasswordToken object from the session.
- // we need to check that version 1.3 is installed
- if (class_exists(ResetPasswordToken::class)) {
- if (!method_exists(ResetPasswordControllerTrait::class, 'getTokenObjectFromSession')) {
- throw new RuntimeCommandException('Please upgrade symfonycasts/reset-password-bundle to version 1.3 or greater.');
- }
+ // reset-password-bundle 1.6 includes the ability to generate a fake token.
+ // we need to check that version 1.6 is installed
+ if (class_exists(ResetPasswordHelper::class) && !method_exists(ResetPasswordHelper::class, 'generateFakeResetToken')) {
+ throw new RuntimeCommandException('Please run "composer upgrade symfonycasts/reset-password-bundle". Version 1.6 or greater of this bundle is required.');
 }
 }
diff --git a/src/Resources/skeleton/resetPassword/ResetPasswordController.tpl.php b/src/Resources/skeleton/resetPassword/ResetPasswordController.tpl.php
index a2c77c87a..1ebb617b4 100644
--- a/src/Resources/skeleton/resetPassword/ResetPasswordController.tpl.php
+++ b/src/Resources/skeleton/resetPassword/ResetPasswordController.tpl.php
@@ -75,9 +75,10 @@ public function request(Request $request, MailerInterface $mailer): Response
 public function checkEmail(): Response
 {
- // We prevent users from directly accessing this page
+ // Generate a fake token if the user does not exist or someone hit this page directly.
+ // This prevents exposing whether or not a user was found with the given email address or not
 if (null === ($resetToken = $this->getTokenObjectFromSession())) {
- return $this->redirectToRoute('app_forgot_password_request');
+ $resetToken = $this->resetPasswordHelper->generateFakeResetToken();
 }
 return $this->render('reset_password/check_email.html.twig', [
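Review bot: The version guard in configureDependencies is skipped entirely when `ResetPasswordHelper` does not exist, so a project without the bundle installed gets no message from this branch; that is only safe if the bundle itself is declared as a dependency elsewhere in this method (the `SymfonyCastsResetPasswordBundle` import in the first hunk suggests it is, but that line is outside this hunk). A short comment would make the intent explicit: `// A missing class means the bundle is not installed at all; that case is reported by the bundle dependency check. This guard only catches installed versions older than 1.6.` Probing `generateFakeResetToken` on the concrete helper is a reasonable proxy for the 1.6 feature, but it is worth saying so in the comment rather than leaving the reader to infer it. The body of configureDependencies starts outside the hunk.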
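Review bot: The fake-token branch in checkEmail only hides whether an email matched if the rendered response is indistinguishable from the real one, and nothing in the hunk documents that `resetToken` must be consumed identically on both paths (the check_email template renders the expiration message from it). I would extend the new comment: `// The fake token must carry the same expiration data as a real one so the rendered page, including its expiration text, is identical whether or not a request was made.` The `request()` action that stores the real token is outside this hunk; it must also redirect here for an unknown email, otherwise the redirect itself reveals the lookup result. The render call that ends the method continues past the hunk.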
diff --git a/src/Resources/skeleton/resetPassword/twig_check_email.tpl.php b/src/Resources/skeleton/resetPassword/twig_check_email.tpl.php
index 00701d0e7..786819b3f 100644
--- a/src/Resources/skeleton/resetPassword/twig_check_email.tpl.php
+++ b/src/Resources/skeleton/resetPassword/twig_check_email.tpl.php
@@ -4,7 +4,7 @@ {% block body %}

- An email has been sent that contains a link that you can click to reset your password.
+ If an account matching your email exists, then an email was just sent that contains a link that you can use to reset your password.
 This link will expire in {{ resetToken.expirationMessageKey|trans(resetToken.expirationMessageData, 'ResetPasswordBundle') }}.

If you don't receive an email please check your spam folder or try again.

diff --git a/src/Resources/skeleton/resetPassword/twig_request.tpl.php b/src/Resources/skeleton/resetPassword/twig_request.tpl.php
index 8b0e3141a..d92640169 100644
--- a/src/Resources/skeleton/resetPassword/twig_request.tpl.php
+++ b/src/Resources/skeleton/resetPassword/twig_request.tpl.php
@@ -19,4 +19,4 @@
 {{ form_end(requestForm) }}
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/tests/fixtures/MakeResetPasswordFunctionalTest/tests/ResetPasswordFunctionalTest.php b/tests/fixtures/MakeResetPasswordFunctionalTest/tests/ResetPasswordFunctionalTest.php
index d14c5b517..1687797a6 100644
--- a/tests/fixtures/MakeResetPasswordFunctionalTest/tests/ResetPasswordFunctionalTest.php
+++ b/tests/fixtures/MakeResetPasswordFunctionalTest/tests/ResetPasswordFunctionalTest.php
@@ -11,7 +11,7 @@ public function testResetRequestRoute()
 $client = static::createClient();
 $client->request('GET', '/reset-password');
- $this->assertSame(200, $client->getResponse()->getStatusCode());
+ self::assertSame(200, $client->getResponse()->getStatusCode());
 }
 public function testResetRequestRouteDeniesInvalidToken()
@@ -19,15 +19,15 @@ public function testResetRequestRouteDeniesInvalidToken()
 $client = static::createClient();
 $client->request('GET', '/reset-password/reset/badToken1234');
- $this->assertSame(302, $client->getResponse()->getStatusCode());
+ self::assertSame(302, $client->getResponse()->getStatusCode());
 }
- public function testCheckEmailRouteRedirectsToRequestRouteIfUserNotAllowedToCheckEmail()
+ public function testCheckEmailPageIsAlwaysAccessible()
 {
 $client = static::createClient();
 $client->request('GET', '/reset-password/check-email');
- $this->assertSame(302, $client->getResponse()->getStatusCode());
- $this->assertResponseRedirects('/reset-password');
+ self::assertResponseIsSuccessful();
+ self::assertPageTitleSame('Password Reset Email Sent');
 }
 }
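Review bot: testCheckEmailPageIsAlwaysAccessible asserts only the status and the title, so it would still pass if the fake-token path rendered a page without the expiration sentence or with content that differs from a genuine request; the property this commit exists for, that the two responses are indistinguishable, is not covered. At minimum assert the part of the body that depends on `resetToken`, e.g. `self::assertStringContainsString('This link will expire in', $client->getResponse()->getContent());`, and ideally compare the body of a direct hit against the body rendered after submitting the request form for an unknown email. The `self::assertSame` swaps in the earlier hunks are style-only and fine as they are.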