TYPO3 CMS 10.4
TYPO3\CMS\Backend\Authentication\PasswordReset Class Reference
Inheritance diagram for TYPO3\CMS\Backend\Authentication\PasswordReset:

Public Member Functions

 isEnabled ()
 
bool isEnabledForUser (int $userId)
 
 initiateReset (ServerRequestInterface $request, Context $context, string $emailAddress)
 
bool isValidResetTokenFromRequest (ServerRequestInterface $request)
 
bool resetPassword (ServerRequestInterface $request, Context $context)
 

Protected Member Functions

 sendAmbiguousEmail (ServerRequestInterface $request, Context $context, string $emailAddress)
 
 sendResetEmail (ServerRequestInterface $request, Context $context, array $user, string $emailAddress)
 
UriInterface generateResetLinkForUser (Context $context, int $userId, string $emailAddress)
 
array|null findValidUserForToken (string $token, string $identity, int $expirationTimestamp)
 
QueryBuilder getPreparedQueryBuilder ()
 
 getHasher ()
 
 log (string $message, int $action, int $error, int $userId, array $data, $ipAddress, Context $context)
 
bool hasExceededMaximumAttemptsForReset (Context $context, string $email)
 
int getNumberOfInitiatedResetsForEmail (\DateTimeInterface $since, string $email)
 
 invalidateUserSessions (int $userId)
 

Protected Attributes

const TOKEN_VALID_UNTIL = '+2 hours'
 
const MAXIMUM_RESET_ATTEMPTS = 3
 
const MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'
 

Detailed Description

This class is responsible for

  • finding the right user and sending out a reset email
  • creating a token for the reset link (not exposed outside of this class)
  • validating a hashed token
  • sending out an email to initiate the password reset
  • updating the password of a backend user if all parameters match

This is a concrete implementation for user/password login and is not part of the public TYPO3 Core API.

Definition at line 57 of file PasswordReset.php.

Member Function Documentation

◆ findValidUserForToken()

array|null TYPO3\CMS\Backend\Authentication\PasswordReset::findValidUserForToken ( string  $token,
string  $identity,
int  $expirationTimestamp 
)
protected

Fetch the user record from the database if the token is valid and all criteria (token, identity and expiration timestamp) match.

Parameters
string $token  the token carried in the reset link
string $identity  the backend user uid carried in the reset link
int $expirationTimestamp  the expiration timestamp carried in the reset link
Returns
array|null the BE user database record, or null if no user matched

Definition at line 283 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\isValidResetTokenFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ generateResetLinkForUser()

UriInterface TYPO3\CMS\Backend\Authentication\PasswordReset::generateResetLinkForUser ( Context  $context,
int  $userId,
string  $emailAddress 
)
protected

Creates a token, stores it in the database and then creates an absolute URL for resetting the password. All of this happens in one method so that the plain token is never exposed outside of this class.

This method assumes that a) the caller has already verified that the user is allowed to perform a password reset (no such check is done here), and b) the email address is valid.

Parameters
Context $context
int $userId  the backend user uid
string $emailAddress  is part of the hash, so that the token is bound to the email address the link was sent to
Returns
UriInterface the absolute reset URL

Definition at line 232 of file PasswordReset.php.

References TYPO3\CMS\Backend\Routing\UriBuilder\ABSOLUTE_URL, TYPO3\CMS\Core\Context\Context\getAspect(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().
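
The following is an added example, not TYPO3 core code, that models the scheme the two methods above and resetPassword() describe: a random token is generated, only a hash of token, expiry and email address is stored on the user record, the link carries the plain token, and verification recomputes the hash, checks expiry, consumes the token and invalidates sessions. The in-memory user and session tables, the column name "reset_token", the link parameter names t/i/e, the host name and the expect() helper are assumptions made for illustration and are not taken from the TYPO3 source.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Tables, column and parameter names are assumptions.

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new \RuntimeException('check failed: ' . $what);
    }
}

final class PasswordResetExample
{
    private const TOKEN_VALID_UNTIL = '+2 hours';

    /** @var array<int, array{email: string, password: string, reset_token: string}> constructed user table */
    private array $users;
    /** @var array<int, string[]> constructed session table: user uid => session ids */
    private array $sessions;

    public function __construct(array $users, array $sessions)
    {
        $this->users = $users;
        $this->sessions = $sessions;
    }

    /** Counterpart of generateResetLinkForUser(): store only a salted hash of token.expiry.email, return the link. */
    public function generateResetLinkForUser(int $userId, \DateTimeImmutable $now): string
    {
        $token = bin2hex(random_bytes(32));                       // 256 bits of entropy, only ever sent in the link
        $expiresOn = $now->modify(self::TOKEN_VALID_UNTIL)->getTimestamp();
        $email = $this->users[$userId]['email'];
        // Expiry and email are bound into the hash: altering either in the link makes verification fail.
        $this->users[$userId]['reset_token'] = password_hash($token . $expiresOn . $email, PASSWORD_DEFAULT);
        return 'https://example.invalid/typo3/password-reset?' . http_build_query(['t' => $token, 'i' => $userId, 'e' => $expiresOn]);
    }

    /** Counterpart of findValidUserForToken(): look the user up by identity, then verify the stored hash. */
    public function findValidUserForToken(string $token, string $identity, int $expirationTimestamp): ?array
    {
        $user = $this->users[(int)$identity] ?? null;
        if ($user === null || $user['reset_token'] === '') {
            return null;
        }
        // password_verify() recomputes the salted hash and compares it in constant time.
        return password_verify($token . $expirationTimestamp . $user['email'], $user['reset_token']) ? $user : null;
    }

    /** Counterpart of isValidResetTokenFromRequest(): read t/i/e from the query string, reject expired links first. */
    public function isValidResetTokenFromLink(string $link, \DateTimeImmutable $now): bool
    {
        parse_str((string)parse_url($link, PHP_URL_QUERY), $query);
        $expirationTimestamp = (int)($query['e'] ?? 0);
        if ($expirationTimestamp < $now->getTimestamp()) {
            return false;
        }
        return $this->findValidUserForToken((string)($query['t'] ?? ''), (string)($query['i'] ?? ''), $expirationTimestamp) !== null;
    }

    /** Counterpart of resetPassword(): passwords must match and the token must verify; the token is then consumed. */
    public function resetPassword(string $link, string $password, string $passwordRepeat, \DateTimeImmutable $now): bool
    {
        if ($password === '' || $password !== $passwordRepeat || !$this->isValidResetTokenFromLink($link, $now)) {
            return false;
        }
        parse_str((string)parse_url($link, PHP_URL_QUERY), $query);
        $userId = (int)$query['i'];
        $this->users[$userId]['password'] = password_hash($password, PASSWORD_DEFAULT);
        $this->users[$userId]['reset_token'] = '';   // single use: replaying the same link now fails
        $this->sessions[$userId] = [];                // invalidateUserSessions(): log out every existing session
        return true;
    }

    public function sessionsOf(int $userId): array
    {
        return $this->sessions[$userId] ?? [];
    }
}

// Constructed sample data and a walk-through of the happy path and the failure modes.
$now = new \DateTimeImmutable('2020-06-01 12:00:00', new \DateTimeZone('UTC'));
$service = new PasswordResetExample(
    [7 => ['email' => 'editor@example.invalid', 'password' => password_hash('old', PASSWORD_DEFAULT), 'reset_token' => '']],
    [7 => ['sess-a', 'sess-b']]
);
$link = $service->generateResetLinkForUser(7, $now);

expect($service->isValidResetTokenFromLink($link, $now), 'fresh link verifies');
expect(!$service->isValidResetTokenFromLink($link, $now->modify('+3 hours')), 'link rejected after TOKEN_VALID_UNTIL');
expect(!$service->isValidResetTokenFromLink(str_replace('&e=', '&e=9', $link), $now), 'tampered expiry breaks the hash');
expect(!$service->resetPassword($link, 'new-secret', 'other', $now), 'password confirmation mismatch');
expect($service->resetPassword($link, 'new-secret', 'new-secret', $now), 'valid reset succeeds');
expect($service->sessionsOf(7) === [], 'all sessions of the user invalidated');
expect(!$service->resetPassword($link, 'again', 'again', $now), 'consumed token cannot be replayed');
echo "all checks passed\n";
```

Run it with `php example.php`. The points worth noting for a reviewer of any such implementation: the database never holds the usable token, only a salted hash of it; the expiry is checked before the hash so an expired link cannot be brute-forced against the stored hash; and the token is cleared and all sessions are dropped on success, so a leaked link cannot be replayed and an attacker who was already logged in loses access.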

◆ getHasher()

◆ getNumberOfInitiatedResetsForEmail()

int TYPO3\CMS\Backend\Authentication\PasswordReset::getNumberOfInitiatedResetsForEmail ( \DateTimeInterface  $since,
string  $email 
)
protected

SQL query that counts the number of resets initiated for the given email address since a given point in time.

Parameters
\DateTimeInterface $since  start of the window that is counted
string $email
Returns
int

Definition at line 487 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset().

◆ getPreparedQueryBuilder()

QueryBuilder TYPO3\CMS\Backend\Authentication\PasswordReset::getPreparedQueryBuilder ( )
protected

◆ hasExceededMaximumAttemptsForReset()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::hasExceededMaximumAttemptsForReset ( Context  $context,
string  $email 
)
protected

Checks whether a reset link has been requested for this email address more than MAXIMUM_RESET_ATTEMPTS (3) times within MAXIMUM_RESET_ATTEMPTS_SINCE (the last 30 minutes). The count comes from the sys_log entries written for each initiated reset and is not cleared by a successful password reset, so the limit still applies if a password was successfully reset more than three times in 30 minutes.

Parameters
Context $context
string $email
Returns
bool

Definition at line 473 of file PasswordReset.php.

References TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Backend\Authentication\PasswordReset\getNumberOfInitiatedResetsForEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\MAXIMUM_RESET_ATTEMPTS.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().
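
The following is an added example, not TYPO3 core code, showing the request-counting limit that hasExceededMaximumAttemptsForReset() and getNumberOfInitiatedResetsForEmail() describe, with an in-memory array standing in for the sys_log table. The row layout, the action labels, the use of a DateTimeImmutable in place of the Context and the expect() helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. The sys_log stand-in and the action labels are assumptions.

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new \RuntimeException('check failed: ' . $what);
    }
}

final class ResetRateLimitExample
{
    private const MAXIMUM_RESET_ATTEMPTS = 3;
    private const MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes';

    /** @var list<array{tstamp: int, action: string, email: string}> constructed stand-in for sys_log rows */
    private array $sysLog = [];

    /** Counterpart of log(): every initiated reset leaves a row, and those rows are what the limit counts. */
    public function log(string $action, string $email, \DateTimeImmutable $when): void
    {
        $this->sysLog[] = ['tstamp' => $when->getTimestamp(), 'action' => $action, 'email' => $email];
    }

    /** Counterpart of getNumberOfInitiatedResetsForEmail(): count reset requests for this address since $since. */
    public function getNumberOfInitiatedResetsForEmail(\DateTimeInterface $since, string $email): int
    {
        $sinceTs = $since->getTimestamp();
        return count(array_filter(
            $this->sysLog,
            fn(array $row): bool => $row['action'] === 'password_reset_request'
                && $row['email'] === $email
                && $row['tstamp'] >= $sinceTs
        ));
    }

    /** Counterpart of hasExceededMaximumAttemptsForReset(): true once the window already holds 3 requests. */
    public function hasExceededMaximumAttemptsForReset(\DateTimeImmutable $now, string $email): bool
    {
        $since = $now->modify(self::MAXIMUM_RESET_ATTEMPTS_SINCE);
        return $this->getNumberOfInitiatedResetsForEmail($since, $email) >= self::MAXIMUM_RESET_ATTEMPTS;
    }

    /** Counterpart of the gate in initiateReset(): refuse when over the limit, otherwise record the request. */
    public function initiateReset(\DateTimeImmutable $now, string $email): bool
    {
        if ($this->hasExceededMaximumAttemptsForReset($now, $email)) {
            return false;   // the real method returns nothing either way, so the requester learns nothing
        }
        $this->log('password_reset_request', $email, $now);
        return true;
    }
}

// Constructed walk-through: three requests in a row, then the limit, then the window sliding.
$t0 = new \DateTimeImmutable('2020-06-01 12:00:00', new \DateTimeZone('UTC'));
$limiter = new ResetRateLimitExample();
$email = 'editor@example.invalid';

for ($i = 0; $i < 3; $i++) {
    expect($limiter->initiateReset($t0->modify("+{$i} minutes"), $email), "request $i allowed");
}
expect(!$limiter->initiateReset($t0->modify('+5 minutes'), $email), 'fourth request within 30 minutes refused');
// A completed reset is logged under a different action and does not clear the counter.
$limiter->log('password_reset_done', $email, $t0->modify('+6 minutes'));
expect(!$limiter->initiateReset($t0->modify('+7 minutes'), $email), 'still refused after a successful reset');
// Addresses are counted separately, and the window slides: the oldest request ages out after 30 minutes.
expect($limiter->initiateReset($t0->modify('+7 minutes'), 'other@example.invalid'), 'other address unaffected');
expect($limiter->initiateReset($t0->modify('+31 minutes'), $email), 'allowed again once the first request aged out');
echo "all checks passed\n";
```

Two properties of this design are worth keeping in mind when reviewing a deployment: refused requests are not logged as requests, so they do not extend the lock-out, and the counter is keyed on the email address only, so the limit is per address rather than per client.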

◆ initiateReset()

TYPO3\CMS\Backend\Authentication\PasswordReset::initiateReset ( ServerRequestInterface  $request,
Context  $context,
string  $emailAddress 
)

Determine the right user and send out an email. If multiple users are found with the same email address, an alternative email is sent instead (see sendAmbiguousEmail()).

If no user is found, this is logged via the system logger (but not to sys_log, so such requests do not add to the attempt counter kept there).

The method intentionally returns nothing, so that the caller cannot disclose whether the email address belongs to a backend user.

Parameters
ServerRequestInterface $request
Context $context
string $emailAddress

Definition at line 120 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

◆ invalidateUserSessions()

TYPO3\CMS\Backend\Authentication\PasswordReset::invalidateUserSessions ( int  $userId)
protected

Invalidate all backend user sessions of the given user id.

Definition at line 506 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ isEnabled()

TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabled ( )

Check whether the password reset functionality is available at all: the global configuration switch must be enabled and there must be at least one backend user in the system with a non-empty password AND an email address set.

Definition at line 68 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

◆ isEnabledForUser()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabledForUser ( int  $userId)

Check if a specific backend user can be used to trigger a password reset. This checks whether the functionality is enabled in general and whether the user has both an email address and a password set.

Parameters
int $userId
Returns
bool

Definition at line 90 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

◆ isValidResetTokenFromRequest()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::isValidResetTokenFromRequest ( ServerRequestInterface  $request)

Validates the query (GET) parameters of the given request, i.e. the token, the user identity and the expiration timestamp taken from the reset link, against the token stored for that user.

Parameters
ServerRequestInterface $request
Returns
bool

Definition at line 265 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken().

◆ log()

TYPO3\CMS\Backend\Authentication\PasswordReset::log ( string  $message,
int  $action,
int  $error,
int  $userId,
array  $data,
  $ipAddress,
Context  $context 
)
protected

Adds an entry to "sys_log". These entries are also what hasExceededMaximumAttemptsForReset() counts to enforce the maximum number of attempts.

Parameters
string $message  the information / message in English
int $action  see SystemLogLoginAction
int $error  see SystemLogErrorClassification
int $userId
array $data  additional information, used for the message
string $ipAddress
Context $context

Definition at line 423 of file PasswordReset.php.

References $fields, TYPO3\CMS\Core\Context\AspectInterface\get(), and TYPO3\CMS\Core\Context\Context\getAspect().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

◆ resetPassword()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::resetPassword ( ServerRequestInterface  $request,
Context  $context 
)

Update the password in the database if the submitted password matches its confirmation and the token is valid. On success the user's existing sessions are invalidated (see invalidateUserSessions()) and the result is logged.

Parameters
ServerRequestInterface $request
Context $context  current context
Returns
bool whether the password was reset or not

Definition at line 332 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), TYPO3\CMS\Backend\Authentication\PasswordReset\invalidateUserSessions(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

◆ sendAmbiguousEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendAmbiguousEmail ( ServerRequestInterface  $request,
Context  $context,
string  $emailAddress 
)
protected

Send out an email to the given email address noting that a reset was triggered but that the address is in use by more than one account, so no reset link can be issued. Used when the database lookup returned multiple users.

Parameters
ServerRequestInterface $request
Context $context
string $emailAddress

Definition at line 158 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

◆ sendResetEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendResetEmail ( ServerRequestInterface  $request,
Context  $context,
array  $user,
string  $emailAddress 
)
protected

Send out an email containing a reset link to a user who has an email address set on their account.

Parameters
ServerRequestInterface $request
Context $context
array $user  the backend user record
string $emailAddress

Definition at line 190 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), TYPO3\CMS\Backend\Authentication\PasswordReset\generateResetLinkForUser(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

Member Data Documentation

◆ MAXIMUM_RESET_ATTEMPTS

const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS = 3
protected

◆ MAXIMUM_RESET_ATTEMPTS_SINCE

const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'
protected

Definition at line 63 of file PasswordReset.php.

◆ TOKEN_VALID_UNTIL

const TYPO3\CMS\Backend\Authentication\PasswordReset::TOKEN_VALID_UNTIL = '+2 hours'
protected

Definition at line 61 of file PasswordReset.php.