‪TYPO3CMS  ‪main
TYPO3\CMS\Backend\Authentication\PasswordReset Class Reference
Inheritance diagram for TYPO3\CMS\Backend\Authentication\PasswordReset:

Public Member Functions

 __construct (private readonly MailerInterface $mailer, private readonly HashService $hashService,)
 isEnabled ()
 isEnabledForUser (int $userId)
 initiateReset (ServerRequestInterface $request, Context $context, string $emailAddress)
 isValidResetTokenFromRequest (ServerRequestInterface $request)
bool resetPassword (ServerRequestInterface $request, Context $context)

Protected Member Functions

 sendAmbiguousEmail (ServerRequestInterface $request, Context $context, string $emailAddress)
 sendResetEmail (ServerRequestInterface $request, Context $context, array $user)
 generateResetLinkForUser (Context $context, int $userId, string $emailAddress)
array null findValidUserForToken (string $token, string $identity, int $expirationTimestamp)
 getPreparedQueryBuilder ()
 getHasher ()
 log (string $message, int $action, int $error, int $userId, array $data, $ipAddress, Context $context)
 hasExceededMaximumAttemptsForReset (Context $context, string $email)
 getNumberOfInitiatedResetsForEmail (\DateTimeInterface $since, string $email)
 isValidPassword (string $password, array $user)
 invalidateUserSessions (int $userId)

Protected Attributes

const TOKEN_VALID_UNTIL = '+2 hours'
const MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'

Detailed Description

This class is responsible for

  • ‪find the right user, sending out a reset email.
  • ‪create a token for creating the link (not exposed outside of this class)
  • ‪validate a hashed token
  • ‪send out an email to initiate the password reset
  • ‪update a password for a backend user if all parameters match

this is a concrete implementation for User/Password login and not part of public TYPO3 Core API.

Definition at line 64 of file PasswordReset.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Backend\Authentication\PasswordReset::__construct ( private readonly MailerInterface  $mailer,
private readonly HashService  $hashService 

Definition at line 72 of file PasswordReset.php.

Member Function Documentation

◆ findValidUserForToken()

array null TYPO3\CMS\Backend\Authentication\PasswordReset::findValidUserForToken ( string  $token,
string  $identity,
int  $expirationTimestamp 

Fetch the user record from the database if the token is valid, and has matched all criteria

‪array|null the BE User database record

Definition at line 277 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\isValidResetTokenFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ generateResetLinkForUser()

TYPO3\CMS\Backend\Authentication\PasswordReset::generateResetLinkForUser ( Context  $context,
int  $userId,
string  $emailAddress 

Creates a token, stores it in the database, and then creates an absolute URL for resetting the password. This is all in one method so it is not exposed from the outside.

This function requires: a) the user is allowed to do a password reset (no check is done anymore) b) a valid email address.

int$userId‪the backend user uid
string$emailAddress‪is part of the hash to ensure that the email address does not get reset.

Definition at line 232 of file PasswordReset.php.

References TYPO3\CMS\Backend\Routing\UriBuilder\ABSOLUTE_URL, TYPO3\CMS\Core\Context\Context\getAspect(), and TYPO3\CMS\Backend\Authentication\PasswordReset\getHasher().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

◆ getHasher()

◆ getNumberOfInitiatedResetsForEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::getNumberOfInitiatedResetsForEmail ( \DateTimeInterface  $since,
string  $email 

SQL query to find the amount of initiated resets from a given time.

Definition at line 483 of file PasswordReset.php.

References TYPO3\CMS\Core\Database\Connection\PARAM_INT.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset().

◆ getPreparedQueryBuilder()

TYPO3\CMS\Backend\Authentication\PasswordReset::getPreparedQueryBuilder ( )

The querybuilder for finding the right user - and adds some restrictions:

  • ‪No CLI users
  • ‪No Admin users (with option)
  • ‪No hidden/deleted users
  • ‪Password must be set
  • ‪Username must be set
  • ‪Email address must be set

Definition at line 385 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Core\Database\Connection\PARAM_INT.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken(), TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\isEnabled(), and TYPO3\CMS\Backend\Authentication\PasswordReset\isEnabledForUser().

◆ hasExceededMaximumAttemptsForReset()

TYPO3\CMS\Backend\Authentication\PasswordReset::hasExceededMaximumAttemptsForReset ( Context  $context,
string  $email 

Checks if an email reset link has been requested more than 3 times in the last 30mins. If a password was successfully reset more than three times in 30 minutes, it would still fail.

Definition at line 473 of file PasswordReset.php.

References TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Backend\Authentication\PasswordReset\getNumberOfInitiatedResetsForEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\MAXIMUM_RESET_ATTEMPTS.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

◆ initiateReset()

TYPO3\CMS\Backend\Authentication\PasswordReset::initiateReset ( ServerRequestInterface  $request,
Context  $context,
string  $emailAddress 

Determine the right user and send out an email. If multiple users are found with the same email address an alternative email is sent.

If no user is found, this is logged to the system (but not to sys_log).

The method intentionally does not return anything to avoid any information disclosure or exposure.


Definition at line 124 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), TYPO3\CMS\Backend\Authentication\PasswordReset\hasExceededMaximumAttemptsForReset(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

◆ invalidateUserSessions()

TYPO3\CMS\Backend\Authentication\PasswordReset::invalidateUserSessions ( int  $userId)

Invalidate all backend user sessions by given user id

Definition at line 528 of file PasswordReset.php.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ isEnabled()

TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabled ( )

Check if there are at least one in the system that contains a non-empty password AND an email address set.

Definition at line 80 of file PasswordReset.php.

References $GLOBALS, and TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder().

◆ isEnabledForUser()

TYPO3\CMS\Backend\Authentication\PasswordReset::isEnabledForUser ( int  $userId)

Check if a specific backend user can be used to trigger an email reset for (email + password set)

Definition at line 98 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\getPreparedQueryBuilder(), and TYPO3\CMS\Core\Database\Connection\PARAM_INT.

◆ isValidPassword()

TYPO3\CMS\Backend\Authentication\PasswordReset::isValidPassword ( string  $password,
array  $user 

Returns, if the given password is compliant with the global password policy for backend users

Definition at line 502 of file PasswordReset.php.

References $GLOBALS.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword().

◆ isValidResetTokenFromRequest()

TYPO3\CMS\Backend\Authentication\PasswordReset::isValidResetTokenFromRequest ( ServerRequestInterface  $request)

Validates all query parameters / GET parameters of the given request against the token.

Definition at line 262 of file PasswordReset.php.

References TYPO3\CMS\Backend\Authentication\PasswordReset\findValidUserForToken().

◆ log()

TYPO3\CMS\Backend\Authentication\PasswordReset::log ( string  $message,
int  $action,
int  $error,
int  $userId,
array  $data,
Context  $context 

Adds an entry to "sys_log", also used to track the maximum allowed attempts.

string$message‪the information / message in english
int$action‪see SystemLogLoginAction
int$error‪see SystemLogErrorClassification
array$data‪additional information, used for the message

Definition at line 423 of file PasswordReset.php.

References $fields, TYPO3\CMS\Core\Context\Context\getAspect(), TYPO3\CMS\Core\Database\Connection\PARAM_INT, and TYPO3\CMS\Core\Database\Connection\PARAM_STR.

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\resetPassword(), TYPO3\CMS\Backend\Authentication\PasswordReset\sendAmbiguousEmail(), and TYPO3\CMS\Backend\Authentication\PasswordReset\sendResetEmail().

◆ resetPassword()

bool TYPO3\CMS\Backend\Authentication\PasswordReset::resetPassword ( ServerRequestInterface  $request,
Context  $context 

◆ sendAmbiguousEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendAmbiguousEmail ( ServerRequestInterface  $request,
Context  $context,
string  $emailAddress 

Send out an email to a given email address and note that a reset was triggered but email was used multiple times. Used when the database returned multiple users.

Definition at line 159 of file PasswordReset.php.

References TYPO3\CMS\Core\Http\NormalizedParams\createFromRequest(), and TYPO3\CMS\Backend\Authentication\PasswordReset\log().

Referenced by TYPO3\CMS\Backend\Authentication\PasswordReset\initiateReset().

◆ sendResetEmail()

TYPO3\CMS\Backend\Authentication\PasswordReset::sendResetEmail ( ServerRequestInterface  $request,
Context  $context,
array  $user 

Member Data Documentation


const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS = 3


const TYPO3\CMS\Backend\Authentication\PasswordReset::MAXIMUM_RESET_ATTEMPTS_SINCE = '-30 minutes'

Definition at line 70 of file PasswordReset.php.


const TYPO3\CMS\Backend\Authentication\PasswordReset::TOKEN_VALID_UNTIL = '+2 hours'

Definition at line 68 of file PasswordReset.php.