PasswordReset
This class is responsible for - find the right user, sending out a reset email.
- create a token for creating the link (not exposed outside of this class)
- validate a hashed token
- send out an email to initiate the password reset
- update a password for a backend user if all parameters match
this is a concrete implementation for User/Password login and not part of public TYPO3 Core API.
Attributes
- #[Autoconfigure]
- $public: true
Table of Contents
Constants
- MAXIMUM_RESET_ATTEMPTS = 3
- MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'
- TOKEN_VALID_UNTIL = '+2 hours'
Methods
- __construct() : mixed
- initiateReset() : void
- Determine the right user and send out an email. If multiple users are found with the same email address an alternative email is sent.
- isEnabled() : bool
- Check if there are at least one in the system that contains a non-empty password AND an email address set.
- isEnabledForUser() : bool
- Check if a specific backend user can be used to trigger an email reset for (email + password set)
- isValidResetTokenFromRequest() : bool
- Validates all query parameters / GET parameters of the given request against the token.
- resetPassword() : bool
- Update the password in the database if the password matches and the token is valid.
- findValidUserForToken() : array<string|int, mixed>|null
- Fetch the user record from the database if the token is valid, and has matched all criteria
- generateResetLinkForUser() : UriInterface
- Creates a token, stores it in the database, and then creates an absolute URL for resetting the password.
- getNumberOfInitiatedResetsForEmail() : int
- SQL query to find the amount of initiated resets from a given time.
- getPreparedQueryBuilder() : QueryBuilder
- The querybuilder for finding the right user - and adds some restrictions: - No CLI users - No Admin users (with option) - No hidden/deleted users - Password must be set - Username must be set - Email address must be set
- hasExceededMaximumAttemptsForReset() : bool
- Checks if an email reset link has been requested more than 3 times in the last 30mins.
- invalidateUserSessions() : void
- Invalidate all backend user sessions by given user id
- isValidPassword() : bool
- Returns, if the given password is compliant with the global password policy for backend users
- log() : void
- Adds an entry to "sys_log", also used to track the maximum allowed attempts.
- sendAmbiguousEmail() : void
- Send out an email to a given email address and note that a reset was triggered but email was used multiple times.
- sendResetEmail() : void
- Send out an email to a user that does have an email address added to his account, containing a reset link.
Constants
MAXIMUM_RESET_ATTEMPTS
protected
mixed
MAXIMUM_RESET_ATTEMPTS
= 3
MAXIMUM_RESET_ATTEMPTS_SINCE
protected
mixed
MAXIMUM_RESET_ATTEMPTS_SINCE
= '-30 minutes'
TOKEN_VALID_UNTIL
protected
mixed
TOKEN_VALID_UNTIL
= '+2 hours'
Methods
__construct()
public
__construct(LoggerInterface $logger, MailerInterface $mailer, HashService $hashService, Random $random, ConnectionPool $connectionPool, EventDispatcherInterface $eventDispatcher, PasswordHashFactory $passwordHashFactory, UriBuilder $uriBuilder, SessionManager $sessionManager) : mixed
Parameters
- $logger : LoggerInterface
- $mailer : MailerInterface
- $hashService : HashService
- $random : Random
- $connectionPool : ConnectionPool
- $eventDispatcher : EventDispatcherInterface
- $passwordHashFactory : PasswordHashFactory
- $uriBuilder : UriBuilder
- $sessionManager : SessionManager
initiateReset()
Determine the right user and send out an email. If multiple users are found with the same email address an alternative email is sent.
public
initiateReset(ServerRequestInterface $request, Context $context, string $emailAddress) : void
If no user is found, this is logged to the system (but not to sys_log).
The method intentionally does not return anything to avoid any information disclosure or exposure.
Parameters
- $request : ServerRequestInterface
- $context : Context
- $emailAddress : string
isEnabled()
Check if there are at least one in the system that contains a non-empty password AND an email address set.
public
isEnabled() : bool
Return values
boolisEnabledForUser()
Check if a specific backend user can be used to trigger an email reset for (email + password set)
public
isEnabledForUser(int $userId) : bool
Parameters
- $userId : int
Return values
boolisValidResetTokenFromRequest()
Validates all query parameters / GET parameters of the given request against the token.
public
isValidResetTokenFromRequest(ServerRequestInterface $request) : bool
Parameters
- $request : ServerRequestInterface
Return values
boolresetPassword()
Update the password in the database if the password matches and the token is valid.
public
resetPassword(ServerRequestInterface $request, Context $context) : bool
Parameters
- $request : ServerRequestInterface
- $context : Context
Return values
bool —whether the password was reset or not
findValidUserForToken()
Fetch the user record from the database if the token is valid, and has matched all criteria
protected
findValidUserForToken(string $token, string $identity, int $expirationTimestamp) : array<string|int, mixed>|null
Parameters
- $token : string
- $identity : string
- $expirationTimestamp : int
Return values
array<string|int, mixed>|null —the BE User database record
generateResetLinkForUser()
Creates a token, stores it in the database, and then creates an absolute URL for resetting the password.
protected
generateResetLinkForUser(Context $context, int $userId, string $emailAddress) : UriInterface
This is all in one method so it is not exposed from the outside.
This function requires: a) the user is allowed to do a password reset (no check is done anymore) b) a valid email address.
Parameters
- $context : Context
- $userId : int
-
the backend user uid
- $emailAddress : string
-
is part of the hash to ensure that the email address does not get reset.
Return values
UriInterfacegetNumberOfInitiatedResetsForEmail()
SQL query to find the amount of initiated resets from a given time.
protected
getNumberOfInitiatedResetsForEmail(DateTimeInterface $since, string $email) : int
Parameters
- $since : DateTimeInterface
- $email : string
Return values
intgetPreparedQueryBuilder()
The querybuilder for finding the right user - and adds some restrictions: - No CLI users - No Admin users (with option) - No hidden/deleted users - Password must be set - Username must be set - Email address must be set
protected
getPreparedQueryBuilder() : QueryBuilder
Return values
QueryBuilderhasExceededMaximumAttemptsForReset()
Checks if an email reset link has been requested more than 3 times in the last 30mins.
protected
hasExceededMaximumAttemptsForReset(Context $context, string $email) : bool
If a password was successfully reset more than three times in 30 minutes, it would still fail.
Parameters
- $context : Context
- $email : string
Return values
boolinvalidateUserSessions()
Invalidate all backend user sessions by given user id
protected
invalidateUserSessions(int $userId) : void
Parameters
- $userId : int
isValidPassword()
Returns, if the given password is compliant with the global password policy for backend users
protected
isValidPassword(string $password, array<string|int, mixed> $user) : bool
Parameters
- $password : string
- $user : array<string|int, mixed>
Return values
boollog()
Adds an entry to "sys_log", also used to track the maximum allowed attempts.
protected
log(string $message, int $action, int $error, int $userId, array<string|int, mixed> $data, string $ipAddress, Context $context) : void
Parameters
- $message : string
-
the information / message in english
- $action : int
-
see SystemLogLoginAction
- $error : int
-
see SystemLogErrorClassification
- $userId : int
- $data : array<string|int, mixed>
-
additional information, used for the message
- $ipAddress : string
- $context : Context
sendAmbiguousEmail()
Send out an email to a given email address and note that a reset was triggered but email was used multiple times.
protected
sendAmbiguousEmail(ServerRequestInterface $request, Context $context, string $emailAddress) : void
Used when the database returned multiple users.
Parameters
- $request : ServerRequestInterface
- $context : Context
- $emailAddress : string
sendResetEmail()
Send out an email to a user that does have an email address added to his account, containing a reset link.
protected
sendResetEmail(ServerRequestInterface $request, Context $context, array<string|int, mixed> $user) : void
Parameters
- $request : ServerRequestInterface
- $context : Context
- $user : array<string|int, mixed>