From e1285709f6f6a2277bd0075acf369f33cefd78f7 Mon Sep 17 00:00:00 2001 From: Florian Schmitt Date: Thu, 31 Oct 2024 10:01:24 +0100 Subject: [PATCH] fix(user): make lostPassword use better hashed link --- includes/services/UserManager.php | 1 + tools/login/actions/LostPasswordAction.php | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/includes/services/UserManager.php b/includes/services/UserManager.php index 652e82db3..95a384b5c 100644 --- a/includes/services/UserManager.php +++ b/includes/services/UserManager.php @@ -34,6 +34,7 @@ class UserManager implements UserProviderInterface, PasswordUpgraderInterface protected $passwordHasherFactory; protected $securityController; protected $params; + protected $userlink; private $getOneByNameCacheResults; diff --git a/tools/login/actions/LostPasswordAction.php b/tools/login/actions/LostPasswordAction.php index e36b9e314..0b67fdc07 100644 --- a/tools/login/actions/LostPasswordAction.php +++ b/tools/login/actions/LostPasswordAction.php @@ -10,6 +10,7 @@ use YesWiki\Core\Service\UserManager; use YesWiki\Core\YesWikiAction; use YesWiki\Security\Controller\SecurityController; +use YesWiki\Core\Service\PasswordHasherFactory; if (!function_exists('send_mail')) { require_once('includes/email.inc.php'); @@ -17,13 +18,13 @@ class LostPasswordAction extends YesWikiAction { - private const PW_SALT = 'FBcA'; public const KEY_VOCABULARY = 'http://outils-reseaux.org/_vocabulary/key'; protected $authController; protected $errorType; protected $typeOfRendering; protected $securityController; + protected $passwordHasherFactory; protected $tripleStore; protected $userManager; @@ -34,6 +35,7 @@ public function run() $this->securityController = $this->getService(SecurityController::class); $this->tripleStore = $this->getService(TripleStore::class); $this->userManager = $this->getService(UserManager::class); + $this->passwordHasherFactory = $this->getService(PasswordHasherFactory::class); // init properties $this->errorType = null; @@ -206,16 +208,18 @@ private function manageSubStep(int $subStep): ?User private function sendPasswordRecoveryEmail(User $user) { // Generate the password recovery key - $key = md5($user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s') . self::PW_SALT); + $passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user); + $plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s'); + $hashedKey = $passwordHasher->hash($plainKey); // Erase the previous triples in the trible table $this->tripleStore->delete($user['name'], self::KEY_VOCABULARY, null, '', '') ; // Store the (name, vocabulary, key) triple in triples table - $res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $key, '', ''); + $res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $hashedKey, '', ''); // Generate the recovery email $passwordLink = $this->wiki->Href('', '', [ 'a' => 'recover', - 'email' => $key, + 'email' => $hashedKey, 'u' => base64_encode($user['name']) ], false); $pieces = parse_url($this->params->get('base_url'));