TYPO3\CMS\Backend\Authentication\PasswordReset Class Reference

Inheritance diagram for TYPO3\CMS\Backend\Authentication\PasswordReset:

Public Member Functions
	__construct (private readonly MailerInterface $mailer, private readonly HashService $hashService,)
	isEnabled ()
	isEnabledForUser (int $userId)
	initiateReset (ServerRequestInterface $request, Context $context, string $emailAddress)
	isValidResetTokenFromRequest (ServerRequestInterface $request)
bool	resetPassword (ServerRequestInterface $request, Context $context)

Protected Member Functions
	sendAmbiguousEmail (ServerRequestInterface $request, Context $context, string $emailAddress)
	sendResetEmail (ServerRequestInterface $request, Context $context, array $user)
	generateResetLinkForUser (Context $context, int $userId, string $emailAddress)
array null	findValidUserForToken (string $token, string $identity, int $expirationTimestamp)
	getPreparedQueryBuilder ()
	getHasher ()
	log (string $message, int $action, int $error, int $userId, array $data, $ipAddress, Context $context)
	hasExceededMaximumAttemptsForReset (Context $context, string $email)
	getNumberOfInitiatedResetsForEmail (\DateTimeInterface $since, string $email)
	isValidPassword (string $password, array $user)
	invalidateUserSessions (int $userId)

Protected Attributes
const	TOKEN_VALID_UNTIL = '+2 hours'
const	MAXIMUM_RESET_ATTEMPTS = 3
const	MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'

Detailed Description

This class is responsible for

• ‪find the right user, sending out a reset email.
• ‪create a token for creating the link (not exposed outside of this class)
• ‪validate a hashed token
• ‪send out an email to initiate the password reset
• ‪update a password for a backend user if all parameters match

this is a concrete implementation for User/Password login and not part of public TYPO3 Core API.

Definition at line 64 of file PasswordReset.php.

Constructor & Destructor Documentation

__construct()

TYPO3\CMS\Backend\Authentication\PasswordReset::__construct	(	private readonly MailerInterface	$mailer,
		private readonly HashService	$hashService
	)

Definition at line 72 of file PasswordReset.php.

Member Function Documentation

findValidUserForToken()

array null TYPO3\CMS\Backend\Authentication\PasswordReset::findValidUserForToken ( string  $token, string  $identity, int  $expirationTimestamp  )

protected

Fetch the user record from the database if the token is valid, and has matched all criteria

Returns

‪array|null the BE User database record

Definition at line 277 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\isValidResetTokenFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

generateResetLinkForUser()

TYPO3\CMS\Backend\Authentication\PasswordReset::generateResetLinkForUser ( Context  $context, int  $userId, string  $emailAddress  )

protected

Creates a token, stores it in the database, and then creates an absolute URL for resetting the password. This is all in one method so it is not exposed from the outside.

This function requires: a) the user is allowed to do a password reset (no check is done anymore) b) a valid email address.

Parameters

Context	$context
int	$userId	‪the backend user uid
string	$emailAddress	‪is part of the hash to ensure that the email address does not get reset.

Definition at line 232 of file PasswordReset.php.

References TYPO3\CMS\Backend\Routing\UriBuilder\ABSOLUTE_URL, TYPO3\CMS\Core\Context\Context\getAspect(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

getHasher()

TYPO3\CMS\Backend\Authentication\PasswordReset::getHasher ( )

protected

Definition at line 409 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\generateResetLinkForUser(), and TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

getNumberOfInitiatedResetsForEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::getNumberOfInitiatedResetsForEmail ( \DateTimeInterface  $since, string  $email  )

protected

SQL query to find the amount of initiated resets from a given time.

Definition at line 483 of file PasswordReset.php.

References TYPO3\CMS\Core\Database\Connection\PARAM_INT.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset().

getPreparedQueryBuilder()

TYPO3\CMS\Backend\Authentication\PasswordReset::getPreparedQueryBuilder ( )

protected

The querybuilder for finding the right user - and adds some restrictions:

• ‪No CLI users
• ‪No Admin users (with option)
• ‪No hidden/deleted users
• ‪Password must be set
• ‪Username must be set
• ‪Email address must be set

Definition at line 385 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Core\Database\Connection\PARAM_INT.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\isEnabled(), and TYPO3\CMS\Backend\Authentication\PasswordReset\isEnabledForUser().

hasExceededMaximumAttemptsForReset()

TYPO3\CMS\Backend\Authentication\PasswordReset::hasExceededMaximumAttemptsForReset ( Context  $context, string  $email  )

protected

Checks if an email reset link has been requested more than 3 times in the last 30mins. If a password was successfully reset more than three times in 30 minutes, it would still fail.

Definition at line 473 of file PasswordReset.php.

References TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Backend\Authentication\PasswordReset\getNumberOfInitiatedResetsForEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\MAXIMUM_RESET_ATTEMPTS.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

initiateReset()

TYPO3\CMS\Backend\Authentication\PasswordReset::initiateReset	(	ServerRequestInterface	$request,
		Context	$context,
		string	$emailAddress
	)

Determine the right user and send out an email. If multiple users are found with the same email address an alternative email is sent.

If no user is found, this is logged to the system (but not to sys_log).

The method intentionally does not return anything to avoid any information disclosure or exposure.

Parameters

ServerRequestInterface	$request
Context	$context
string	$emailAddress

Definition at line 124 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

invalidateUserSessions()

TYPO3\CMS\Backend\Authentication\PasswordReset::invalidateUserSessions ( int  $userId )

protected

Invalidate all backend user sessions by given user id

Definition at line 528 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

isEnabled()

TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabled

(

)

Check if there are at least one in the system that contains a non-empty password AND an email address set.

Definition at line 80 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

isEnabledForUser()

TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabledForUser

(

int

$userId

)

Check if a specific backend user can be used to trigger an email reset for (email + password set)

Definition at line 98 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), and TYPO3\CMS\Core\Database\Connection\PARAM_INT.

isValidPassword()

TYPO3\CMS\Backend\Authentication\PasswordReset::isValidPassword ( string  $password, array  $user  )

protected

Returns, if the given password is compliant with the global password policy for backend users

Definition at line 502 of file PasswordReset.php.

References $GLOBALS.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

isValidResetTokenFromRequest()

TYPO3\CMS\Backend\Authentication\PasswordReset::isValidResetTokenFromRequest

(

ServerRequestInterface

$request

)

Validates all query parameters / GET parameters of the given request against the token.

Definition at line 262 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken().

log()

TYPO3\CMS\Backend\Authentication\PasswordReset::log ( string  $message, int  $action, int  $error, int  $userId, array  $data,   $ipAddress, Context  $context  )

protected

Adds an entry to "sys_log", also used to track the maximum allowed attempts.

Parameters

string	$message	‪the information / message in english
int	$action	‪see SystemLogLoginAction
int	$error	‪see SystemLogErrorClassification
array	$data	‪additional information, used for the message
string	$ipAddress

Definition at line 423 of file PasswordReset.php.

References $fields, TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Core\Database\Connection\PARAM_INT, and TYPO3\CMS\Core\Database\Connection\PARAM_STR.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

resetPassword()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::resetPassword	(	ServerRequestInterface	$request,
		Context	$context
	)

Update the password in the database if the password matches and the token is valid.

Returns

‪bool whether the password was reset or not

Definition at line 324 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), TYPO3\CMS\Backend\Authentication\PasswordReset\invalidateUserSessions(), TYPO3\CMS\Backend\Authentication\PasswordReset\isValidPassword(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

sendAmbiguousEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendAmbiguousEmail ( ServerRequestInterface  $request, Context  $context, string  $emailAddress  )

protected

Send out an email to a given email address and note that a reset was triggered but email was used multiple times. Used when the database returned multiple users.

Definition at line 159 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

sendResetEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendResetEmail ( ServerRequestInterface  $request, Context  $context, array  $user  )

protected

Send out an email to a user that does have an email address added to his account, containing a reset link.

Definition at line 186 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), TYPO3\CMS\Backend\Authentication\PasswordReset\generateResetLinkForUser(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

Member Data Documentation

MAXIMUM_RESET_ATTEMPTS

const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS = 3

protected

Definition at line 69 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset().

MAXIMUM_RESET_ATTEMPTS_SINCE

const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'

protected

Definition at line 70 of file PasswordReset.php.

TOKEN_VALID_UNTIL

const TYPO3\CMS\Backend\Authentication\PasswordReset::TOKEN_VALID_UNTIL = '+2 hours'

protected

Definition at line 68 of file PasswordReset.php.