TYPO3CMS 11.5
TYPO3\CMS\Backend\Authentication\PasswordReset Class Reference
Public Member Functions

 isEnabled ()
 
bool isEnabledForUser (int $userId)
 
 initiateReset (ServerRequestInterface $request, Context $context, string $emailAddress)
 
bool isValidResetTokenFromRequest (ServerRequestInterface $request)
 
bool resetPassword (ServerRequestInterface $request, Context $context)
 

Protected Member Functions

 sendAmbiguousEmail (ServerRequestInterface $request, Context $context, string $emailAddress)
 
 sendResetEmail (ServerRequestInterface $request, Context $context, array $user, string $emailAddress)
 
UriInterface generateResetLinkForUser (Context $context, int $userId, string $emailAddress)
 
array null findValidUserForToken (string $token, string $identity, int $expirationTimestamp)
 
QueryBuilder getPreparedQueryBuilder ()
 
 getHasher ()
 
 log (string $message, int $action, int $error, int $userId, array $data, $ipAddress, Context $context)
 
bool hasExceededMaximumAttemptsForReset (Context $context, string $email)
 
int getNumberOfInitiatedResetsForEmail (\DateTimeInterface $since, string $email)
 
 invalidateUserSessions (int $userId)
 

Protected Attributes

const TOKEN_VALID_UNTIL = '+2 hours'
 
const MAXIMUM_RESET_ATTEMPTS = 3
 
const MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'
 

Detailed Description

This class is responsible for:

  • finding the right user and sending out a reset email
  • creating a token for building the reset link (not exposed outside of this class)
  • validating a hashed token
  • sending out an email to initiate the password reset
  • updating the password of a backend user if all parameters match

This is a concrete implementation for username/password login and is not part of the public TYPO3 Core API.

Definition at line 58 of file PasswordReset.php.

Member Function Documentation

◆ findValidUserForToken()

array null TYPO3\CMS\Backend\Authentication\PasswordReset::findValidUserForToken ( string  $token,
string  $identity,
int  $expirationTimestamp 
)
protected

Fetch the user record from the database if the token is valid and all criteria have matched.

Parameters
string $token
string $identity
int $expirationTimestamp
Returns
array|null the BE User database record

Definition at line 281 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\isValidResetTokenFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ generateResetLinkForUser()

UriInterface TYPO3\CMS\Backend\Authentication\PasswordReset::generateResetLinkForUser ( Context  $context,
int  $userId,
string  $emailAddress 
)
protected

Creates a token, stores it in the database, and then creates an absolute URL for resetting the password. This is all in one method so it is not exposed from the outside.

This function requires that a) the user is allowed to do a password reset (no check is done here anymore) and b) a valid email address is given.

Parameters
Context $context
int $userId the backend user uid
string $emailAddress is part of the hash to ensure that the email address does not get reset.
Returns
UriInterface

Definition at line 230 of file PasswordReset.php.

References TYPO3\CMS\Backend\Routing\UriBuilder\ABSOLUTE_URL, TYPO3\CMS\Core\Context\Context\getAspect(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().
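The following stand-alone PHP script is an added illustration of the scheme the description, findValidUserForToken() and generateResetLinkForUser() outline: a random token is created, only its hash and an expiry are persisted, the link carries token, identity and expiry, validation checks all three, and a successful reset consumes the token and invalidates sessions. It is not code from TYPO3 or from this class; the column names, the route path, the HMAC-based identity, IDENTITY_SECRET and the 8-character minimum are assumptions made for the example, and the user and session rows are constructed inline.

```php
<?php
declare(strict_types=1);

// Illustrative model of the reset-token scheme described on this page. Not TYPO3 code:
// the column names, the route, the HMAC secret and the 8-character minimum are assumptions.

const TOKEN_VALID_UNTIL = '+2 hours';
const IDENTITY_SECRET = 'assumed-installation-secret';   // assumption: stands in for a server-side key

/** Constructed in-memory stand-ins for be_users and the session store. */
$users = [
    1 => ['uid' => 1, 'email' => 'editor@example.org',
          'password' => password_hash('old-password', PASSWORD_DEFAULT),
          'password_reset_token' => '', 'password_reset_expiry' => 0],
];
$sessions = [1 => ['ses_a', 'ses_b']];

/** Ties the link to uid AND e-mail, so a changed address no longer validates (cf. $emailAddress above). */
function identityFor(int $userId, string $email): string
{
    return hash_hmac('sha256', $userId . "\0" . $email, IDENTITY_SECRET);
}

/** Creates the token, stores its hash plus expiry, returns the link and its three query parameters. */
function generateResetLinkForUser(array &$users, int $userId, string $email): array
{
    $token = bin2hex(random_bytes(32));                    // 256-bit secret, seen only by the mail recipient
    $expiry = strtotime(TOKEN_VALID_UNTIL);
    $users[$userId]['password_reset_token'] = password_hash($token, PASSWORD_DEFAULT); // DB holds the hash only
    $users[$userId]['password_reset_expiry'] = $expiry;
    $params = ['t' => $token, 'i' => identityFor($userId, $email), 'e' => $expiry];
    return ['url' => 'https://example.org/typo3/password-reset?' . http_build_query($params), 'params' => $params];
}

/** Returns the user row only if expiry, identity and token hash all match; null otherwise. */
function findValidUserForToken(array $users, string $token, string $identity, int $expiry, int $now): ?array
{
    if ($expiry < $now) {
        return null;                                       // link older than TOKEN_VALID_UNTIL
    }
    foreach ($users as $user) {
        if ($user['password_reset_token'] === '' || $user['password_reset_expiry'] !== $expiry) {
            continue;
        }
        if (!hash_equals(identityFor($user['uid'], $user['email']), $identity)) {
            continue;                                      // constant-time compare of the identity
        }
        if (password_verify($token, $user['password_reset_token'])) {
            return $user;
        }
    }
    return null;
}

/** Sets the new password if the token is valid and the repetition matches, then consumes the token. */
function resetPassword(array &$users, array &$sessions, array $params, string $new, string $repeat, int $now): bool
{
    if (strlen($new) < 8 || $new !== $repeat) {           // assumed minimum length; repetition must match
        return false;
    }
    $user = findValidUserForToken($users, $params['t'], $params['i'], (int)$params['e'], $now);
    if ($user === null) {
        return false;
    }
    $uid = $user['uid'];
    $users[$uid]['password'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$uid]['password_reset_token'] = '';             // single use: a replayed link fails below
    $users[$uid]['password_reset_expiry'] = 0;
    $sessions[$uid] = [];                                  // invalidateUserSessions(): log out everywhere
    return true;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

$p = generateResetLinkForUser($users, 1, 'editor@example.org')['params'];
$pw = 'N3w-passw0rd';
check(!resetPassword($users, $sessions, ['t' => 'guess', 'i' => $p['i'], 'e' => $p['e']], $pw, $pw, time()), 'wrong token rejected');
check(!resetPassword($users, $sessions, $p, $pw, $pw, $p['e'] + 1), 'expired link rejected');
check(!resetPassword($users, $sessions, $p, $pw, 'different', time()), 'mismatching repetition rejected');
check(resetPassword($users, $sessions, $p, $pw, $pw, time()), 'valid link resets');
check(!resetPassword($users, $sessions, $p, $pw, $pw, time()), 'replayed link rejected');
check(password_verify($pw, $users[1]['password']) && $sessions[1] === [], 'password changed, sessions gone');
echo "token flow OK\n";
```

The design point worth keeping from this model: the database never holds a usable token (only its bcrypt hash), the expiry is part of the link and is re-checked server-side, and the identity binds the link to both uid and email address, which is why a changed address or a guessed token fails without revealing which of the three checks did.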

◆ getHasher()

◆ getNumberOfInitiatedResetsForEmail()

int TYPO3\CMS\Backend\Authentication\PasswordReset::getNumberOfInitiatedResetsForEmail ( \DateTimeInterface  $since,
string  $email 
)
protected

SQL query to count the resets initiated for the given email address since the given point in time.

Parameters
\DateTimeInterface $since
string $email
Returns
int

Definition at line 489 of file PasswordReset.php.

References TYPO3\CMS\Core\Database\Connection\PARAM_INT.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset().

◆ getPreparedQueryBuilder()

QueryBuilder TYPO3\CMS\Backend\Authentication\PasswordReset::getPreparedQueryBuilder ( )
protected

Builds the query builder for finding the right user, adding these restrictions:

  • No CLI users
  • No admin users (unless the BE passwordResetForAdmins option is enabled)
  • No hidden/deleted users
  • Password must be set
  • Username must be set
  • Email address must be set
Returns
QueryBuilder

Definition at line 381 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Core\Database\Connection\PARAM_INT.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\isEnabled(), and TYPO3\CMS\Backend\Authentication\PasswordReset\isEnabledForUser().

◆ hasExceededMaximumAttemptsForReset()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::hasExceededMaximumAttemptsForReset ( Context  $context,
string  $email 
)
protected

Checks whether a reset link has been requested for the given email address more than 3 times in the last 30 minutes. Successful resets are logged as well and count towards this limit, so a password that was reset more than three times within 30 minutes would also fail this check.

Parameters
Context $context
string $email
Returns
bool

Definition at line 475 of file PasswordReset.php.

References TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Backend\Authentication\PasswordReset\getNumberOfInitiatedResetsForEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\MAXIMUM_RESET_ATTEMPTS.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

◆ initiateReset()

TYPO3\CMS\Backend\Authentication\PasswordReset::initiateReset ( ServerRequestInterface  $request,
Context  $context,
string  $emailAddress 
)

Determine the right user and send out an email. If multiple users are found with the same email address, an alternative email is sent instead of a reset link.

If no user is found, this is logged to the system log (but not to sys_log).

The method intentionally returns nothing, so the caller cannot tell a known address from an unknown one and no information is disclosed.

Parameters
ServerRequestInterface $request
Context $context
string $emailAddress

Definition at line 116 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().
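The following stand-alone PHP script is an added illustration of the behaviour described for hasExceededMaximumAttemptsForReset(), getNumberOfInitiatedResetsForEmail() and initiateReset() above: the rate limit is counted from log rows, the three outcomes (unknown address, ambiguous address, single user) all return void, and only sent mails are logged and counted. It is not code from TYPO3 or from this class; the log row layout, the outbox, the "more than 3" comparison (the page's wording, the exact operator in the class is not stated here) and the sample users and log rows are constructed assumptions for the example.

```php
<?php
declare(strict_types=1);

// Illustrative model of initiateReset() and its sys_log-based rate limit as described on this page.
// Not TYPO3 code: mail kinds, log layout and the ">" threshold are assumptions.

const MAXIMUM_RESET_ATTEMPTS = 3;
const MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes';

/** Constructed rows standing in for sys_log entries written by log(): timestamp plus the e-mail used. */
function constructedLog(int $now): array
{
    return [
        ['tstamp' => $now - 50 * 60, 'email' => 'editor@example.org'], // outside the 30-minute window
        ['tstamp' => $now - 25 * 60, 'email' => 'editor@example.org'],
        ['tstamp' => $now - 15 * 60, 'email' => 'editor@example.org'],
        ['tstamp' => $now -  5 * 60, 'email' => 'editor@example.org'],
    ];
}

/** Constructed be_users rows: two accounts share one address, one has no password (disqualified). */
function constructedUsers(): array
{
    return [
        ['uid' => 1, 'username' => 'editor',  'email' => 'editor@example.org', 'password' => 'x'],
        ['uid' => 2, 'username' => 'shared1', 'email' => 'shared@example.org', 'password' => 'x'],
        ['uid' => 3, 'username' => 'shared2', 'email' => 'shared@example.org', 'password' => 'x'],
        ['uid' => 4, 'username' => 'nopass',  'email' => 'nopass@example.org', 'password' => ''],
    ];
}

function getNumberOfInitiatedResetsForEmail(array $log, DateTimeInterface $since, string $email): int
{
    $count = 0;
    foreach ($log as $row) {
        if ($row['tstamp'] >= $since->getTimestamp() && $row['email'] === $email) {
            $count++;
        }
    }
    return $count;
}

function hasExceededMaximumAttemptsForReset(array $log, int $now, string $email): bool
{
    $since = (new DateTimeImmutable('@' . $now))->modify(MAXIMUM_RESET_ATTEMPTS_SINCE);
    // "more than 3 times in the last 30 minutes" per the description; successful resets are logged and count too.
    return getNumberOfInitiatedResetsForEmail($log, $since, $email) > MAXIMUM_RESET_ATTEMPTS;
}

/**
 * Returns nothing whatever happened: the caller (and so the HTTP response) cannot tell
 * "unknown address" from "mail sent". $log and $outbox are appended in place for inspection.
 */
function initiateReset(array $users, array &$log, array &$outbox, int $now, string $email): void
{
    if (hasExceededMaximumAttemptsForReset($log, $now, $email)) {
        return;                                           // silently dropped, nothing sent
    }
    // getPreparedQueryBuilder() restrictions modelled here: password, username and e-mail must be set.
    $matches = array_values(array_filter($users, fn(array $u) =>
        $u['email'] === $email && $u['password'] !== '' && $u['username'] !== ''));
    if ($matches === []) {
        return;                                           // system log only, no mail, nothing counted
    }
    $log[] = ['tstamp' => $now, 'email' => $email];       // every sent mail counts toward the limit
    $outbox[] = count($matches) > 1
        ? ['to' => $email, 'kind' => 'ambiguous']         // several accounts share the address: no link
        : ['to' => $email, 'kind' => 'reset', 'uid' => $matches[0]['uid']];
}

$now = time();
$log = constructedLog($now);
$outbox = [];
$users = constructedUsers();

initiateReset($users, $log, $outbox, $now, 'nobody@example.org');   // unknown address: nothing sent
initiateReset($users, $log, $outbox, $now, 'nopass@example.org');   // no password set: nothing sent
initiateReset($users, $log, $outbox, $now, 'shared@example.org');   // two users: ambiguous mail
initiateReset($users, $log, $outbox, $now, 'editor@example.org');   // 3 in window so far: allowed
initiateReset($users, $log, $outbox, $now, 'editor@example.org');   // now 4 in window: dropped

$kinds = array_map(fn(array $m) => $m['kind'], $outbox);
if ($kinds !== ['ambiguous', 'reset']) {
    throw new RuntimeException('unexpected outbox: ' . implode(',', $kinds));
}
echo 'sent: ' . implode(', ', $kinds) . "\n";
```

Because every path returns void and takes the same shape, a caller measuring only the response learns nothing; what it can still observe is timing, which is why the rate-limit check comes before any database lookup or mail delivery.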

◆ invalidateUserSessions()

TYPO3\CMS\Backend\Authentication\PasswordReset::invalidateUserSessions ( int  $userId)
protected

Invalidate all backend user sessions for the given user id.

Definition at line 508 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ isEnabled()

TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabled ( )

Check if there is at least one backend user in the system that has a non-empty password AND an email address set.

Definition at line 69 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

◆ isEnabledForUser()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabledForUser ( int  $userId)

Check whether a password reset can be triggered for a specific backend user (email address and password set).

Parameters
int $userId
Returns
bool

Definition at line 90 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), and TYPO3\CMS\Core\Database\Connection\PARAM_INT.

◆ isValidResetTokenFromRequest()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::isValidResetTokenFromRequest ( ServerRequestInterface  $request)

Validates all query parameters / GET parameters of the given request against the token.

Parameters
ServerRequestInterface $request
Returns
bool

Definition at line 263 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken().

◆ log()

TYPO3\CMS\Backend\Authentication\PasswordReset::log ( string  $message,
int  $action,
int  $error,
int  $userId,
array  $data,
  $ipAddress,
Context  $context 
)
protected

Adds an entry to "sys_log", also used to track the maximum allowed attempts.

Parameters
string $message the information / message in English
int $action see SystemLogLoginAction
int $error see SystemLogErrorClassification
int $userId
array $data additional information, used for the message
string $ipAddress
Context $context

Definition at line 421 of file PasswordReset.php.

References $fields, TYPO3\CMS\Core\Context\AspectInterface\get(), TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Core\Database\Connection\PARAM_INT, and TYPO3\CMS\Core\Database\Connection\PARAM_STR.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

◆ resetPassword()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::resetPassword ( ServerRequestInterface  $request,
Context  $context 
)

Update the password in the database if the new password and its repetition match and the token is valid.

Parameters
ServerRequestInterface $request
Context $context current context
Returns
bool whether the password was reset or not

Definition at line 330 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), TYPO3\CMS\Backend\Authentication\PasswordReset\invalidateUserSessions(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

◆ sendAmbiguousEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendAmbiguousEmail ( ServerRequestInterface  $request,
Context  $context,
string  $emailAddress 
)
protected

Send out an email to the given email address noting that a reset was triggered, but that the address is used by multiple accounts and therefore no reset link can be sent. Used when the database returned multiple users.

Parameters
ServerRequestInterface $request
Context $context
string $emailAddress

Definition at line 154 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

◆ sendResetEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendResetEmail ( ServerRequestInterface  $request,
Context  $context,
array  $user,
string  $emailAddress 
)
protected

Send out an email containing a reset link to a user who has an email address set on their account.

Parameters
ServerRequestInterface $request
Context $context
array $user
string $emailAddress

Definition at line 186 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), TYPO3\CMS\Backend\Authentication\PasswordReset\generateResetLinkForUser(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

Member Data Documentation

◆ MAXIMUM_RESET_ATTEMPTS

const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS = 3
protected

◆ MAXIMUM_RESET_ATTEMPTS_SINCE

const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'
protected

Definition at line 64 of file PasswordReset.php.

◆ TOKEN_VALID_UNTIL

const TYPO3\CMS\Backend\Authentication\PasswordReset::TOKEN_VALID_UNTIL = '+2 hours'
protected

Definition at line 62 of file PasswordReset.php.