PasswordReset implements LoggerAwareInterface uses LoggerAwareTrait

This class is responsible for:

  • finding the right user and sending out a reset email
  • creating a token for the reset link (not exposed outside of this class)
  • validating a hashed token
  • sending out an email to initiate the password reset
  • updating the password of a backend user if all parameters match

Internal

This is a concrete implementation for User/Password login and not part of the public TYPO3 Core API.

Table of Contents

Interfaces

LoggerAwareInterface

Constants

MAXIMUM_RESET_ATTEMPTS  = 3
MAXIMUM_RESET_ATTEMPTS_SINCE  = '-30 minutes'
TOKEN_VALID_UNTIL  = '+2 hours'

Methods

initiateReset()  : void
Determine the right user and send out an email. If multiple users are found with the same email address an alternative email is sent.
isEnabled()  : bool
Check if there is at least one user in the system that has a non-empty password AND an email address set.
isEnabledForUser()  : bool
Check if a password reset email can be triggered for a specific backend user (email + password set).
isValidResetTokenFromRequest()  : bool
Validates all query parameters / GET parameters of the given request against the token.
resetPassword()  : bool
Update the password in the database if the password matches and the token is valid.
findValidUserForToken()  : array<string|int, mixed>|null
Fetch the user record from the database if the token is valid, and has matched all criteria
generateResetLinkForUser()  : UriInterface
Creates a token, stores it in the database, and then creates an absolute URL for resetting the password.
getHasher()  : PasswordHashInterface
getNumberOfInitiatedResetsForEmail()  : int
SQL query to find the number of initiated resets since a given time.
getPreparedQueryBuilder()  : QueryBuilder
The query builder for finding the right user, with these restrictions: no CLI users; no admin users (with option); no hidden/deleted users; password must be set; username must be set; email address must be set.
hasExceededMaximumAttemptsForReset()  : bool
Checks if an email reset link has been requested more than 3 times in the last 30 minutes.
invalidateUserSessions()  : void
Invalidate all backend user sessions by given user id
log()  : void
Adds an entry to "sys_log", also used to track the maximum allowed attempts.
sendAmbiguousEmail()  : void
Send out an email to a given email address, noting that a reset was triggered but the email address is used by multiple users.
sendResetEmail()  : void
Send out an email containing a reset link to a user that has an email address set on their account.

Constants

MAXIMUM_RESET_ATTEMPTS

protected mixed MAXIMUM_RESET_ATTEMPTS = 3

MAXIMUM_RESET_ATTEMPTS_SINCE

protected mixed MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'

TOKEN_VALID_UNTIL

protected mixed TOKEN_VALID_UNTIL = '+2 hours'

Methods

initiateReset()

Determine the right user and send out an email. If multiple users are found with the same email address an alternative email is sent.

public initiateReset(ServerRequestInterface $request, Context $context, string $emailAddress) : void

If no user is found, this is logged to the system (but not to sys_log).

The method intentionally does not return anything to avoid any information disclosure or exposure.

Parameters
$request : ServerRequestInterface
$context : Context
$emailAddress : string

isEnabled()

Check if there is at least one user in the system that has a non-empty password AND an email address set.

public isEnabled() : bool
Return values
bool

isEnabledForUser()

Check if a password reset email can be triggered for a specific backend user (email + password set).

public isEnabledForUser(int $userId) : bool
Parameters
$userId : int
Return values
bool

isValidResetTokenFromRequest()

Validates all query parameters / GET parameters of the given request against the token.

public isValidResetTokenFromRequest(ServerRequestInterface $request) : bool
Parameters
$request : ServerRequestInterface
Return values
bool

resetPassword()

Update the password in the database if the password matches and the token is valid.

public resetPassword(ServerRequestInterface $request, Context $context) : bool
Parameters
$request : ServerRequestInterface
$context : Context

current context

Return values
bool

whether the password was reset or not

findValidUserForToken()

Fetch the user record from the database if the token is valid, and has matched all criteria

protected findValidUserForToken(string $token, string $identity, int $expirationTimestamp) : array<string|int, mixed>|null
Parameters
$token : string
$identity : string
$expirationTimestamp : int
Return values
array<string|int, mixed>|null

the BE User database record

generateResetLinkForUser()

Creates a token, stores it in the database, and then creates an absolute URL for resetting the password.

protected generateResetLinkForUser(Context $context, int $userId, string $emailAddress) : UriInterface

This is all in one method so it is not exposed from the outside.

This function requires: a) that the user is allowed to do a password reset (no further check is done here), and b) a valid email address.

Parameters
$context : Context
$userId : int

the backend user uid

$emailAddress : string

is part of the hash to ensure that the email address does not get reset.

Return values
UriInterface
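
The token handling described for findValidUserForToken() and generateResetLinkForUser() can be sketched as follows. This is an added example, not TYPO3 Core code: the function names, array keys, HMAC layout and sample values are assumptions, and only TOKEN_VALID_UNTIL is taken from this page.

```php
<?php
declare(strict_types=1);
// Added sketch, not TYPO3 Core code. Function names, array keys and the
// HMAC layout are assumptions made for this illustration.
const TOKEN_VALID_UNTIL = '+2 hours'; // value of the class constant documented above

function resetIdentity(string $token, int $expires, string $email, int $userId, string $secret): string
{
    // Bind token, expiry, email address and user id together with a server-side secret.
    return hash_hmac('sha256', implode('|', [$token, $expires, $email, $userId]), $secret);
}

function issueResetToken(array $user, string $secret, \DateTimeImmutable $now): array
{
    $token = bin2hex(random_bytes(32));
    $expires = $now->modify(TOKEN_VALID_UNTIL)->getTimestamp();
    return [
        // Only a hash of the token is persisted, so a database leak does not yield usable links.
        'storedHash' => password_hash($token, PASSWORD_DEFAULT),
        // These three values travel in the reset link.
        'link' => ['token' => $token, 'expires' => $expires,
            'identity' => resetIdentity($token, $expires, $user['email'], $user['uid'], $secret)],
    ];
}

function isValidResetToken(array $link, array $user, string $storedHash, string $secret, \DateTimeImmutable $now): bool
{
    $expires = (int)$link['expires'];
    if ($expires < $now->getTimestamp()) {
        return false; // link is older than TOKEN_VALID_UNTIL
    }
    // Recompute with the email currently on the account: a changed address or a
    // tampered expiry produces a different HMAC. hash_equals() compares in constant time.
    $expected = resetIdentity($link['token'], $expires, $user['email'], $user['uid'], $secret);
    return hash_equals($expected, $link['identity'])
        && password_verify($link['token'], $storedHash);
}

// Constructed sample data.
$secret = 'constructed-demo-secret';
$user = ['uid' => 7, 'email' => 'editor@example.org'];
$now = new \DateTimeImmutable('2024-01-01 12:00:00 UTC');
$issued = issueResetToken($user, $secret, $now);
var_dump(isValidResetToken($issued['link'], $user, $issued['storedHash'], $secret, $now->modify('+1 hour')));  // inside the validity window
var_dump(isValidResetToken($issued['link'], $user, $issued['storedHash'], $secret, $now->modify('+3 hours'))); // after expiry
$moved = ['uid' => 7, 'email' => 'new@example.org'];
var_dump(isValidResetToken($issued['link'], $moved, $issued['storedHash'], $secret, $now));                    // account email changed since issue
$forged = ['expires' => $issued['link']['expires'] + 86400] + $issued['link'];
var_dump(isValidResetToken($forged, $user, $issued['storedHash'], $secret, $now->modify('+3 hours')));         // expiry parameter extended by hand
```

A production implementation would also clear the stored hash after a successful reset so that a link cannot be replayed.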

getNumberOfInitiatedResetsForEmail()

SQL query to find the number of initiated resets since a given time.

protected getNumberOfInitiatedResetsForEmail(DateTimeInterface $since, string $email) : int
Parameters
$since : DateTimeInterface
$email : string
Return values
int

getPreparedQueryBuilder()

The query builder for finding the right user. It adds these restrictions:

  • No CLI users
  • No admin users (with option)
  • No hidden/deleted users
  • Password must be set
  • Username must be set
  • Email address must be set

protected getPreparedQueryBuilder() : QueryBuilder
Return values
QueryBuilder

hasExceededMaximumAttemptsForReset()

Checks if an email reset link has been requested more than 3 times in the last 30 minutes.

protected hasExceededMaximumAttemptsForReset(Context $context, string $email) : bool

If a password was successfully reset more than three times in 30 minutes, it would still fail.

Parameters
$context : Context
$email : string
Return values
bool

invalidateUserSessions()

Invalidate all backend user sessions by given user id

protected invalidateUserSessions(int $userId) : void
Parameters
$userId : int

log()

Adds an entry to "sys_log", also used to track the maximum allowed attempts.

protected log(string $message, int $action, int $error, int $userId, array<string|int, mixed> $data, string $ipAddress, Context $context) : void
Parameters
$message : string

the information / message in English

$action : int

see SystemLogLoginAction

$error : int

see SystemLogErrorClassification

$userId : int
$data : array<string|int, mixed>

additional information, used for the message

$ipAddress : string
$context : Context

sendAmbiguousEmail()

Send out an email to a given email address, noting that a reset was triggered but the email address is used by multiple users.

protected sendAmbiguousEmail(ServerRequestInterface $request, Context $context, string $emailAddress) : void

Used when the database returned multiple users.

Parameters
$request : ServerRequestInterface
$context : Context
$emailAddress : string

sendResetEmail()

Send out an email containing a reset link to a user that has an email address set on their account.

protected sendResetEmail(ServerRequestInterface $request, Context $context, array<string|int, mixed> $user, string $emailAddress) : void
Parameters
$request : ServerRequestInterface
$context : Context
$user : array<string|int, mixed>
$emailAddress : string

        