Implement password reset functionality

carlbennett · carlbennett · commit 7259639a5d60 · 2019-08-23T05:19:04.000Z
diff --git a/src/controllers/User/ResetPassword.php b/src/controllers/User/ResetPassword.php
@@ -2,26 +2,222 @@
 
 namespace BNETDocs\Controllers\User;
 
-use \BNETDocs\Models\User\ResetPassword as UserResetPasswordModel;
 use \CarlBennett\MVC\Libraries\Common;
 use \CarlBennett\MVC\Libraries\Controller;
 use \CarlBennett\MVC\Libraries\Router;
+use \CarlBennett\MVC\Libraries\Template;
 use \CarlBennett\MVC\Libraries\View;
 
+use \BNETDocs\Libraries\EventTypes;
+use \BNETDocs\Libraries\Exceptions\UserNotFoundException;
+use \BNETDocs\Libraries\Logger;
+use \BNETDocs\Libraries\User;
+
+use \BNETDocs\Models\User\ResetPassword as UserResetPasswordModel;
+
+use \PHPMailer\PHPMailer\Exception;
+use \PHPMailer\PHPMailer\PHPMailer;
+
+use \InvalidArgumentException;
+use \StdClass;
+
 class ResetPassword extends Controller {
+  const RET_FAILURE = 0;
+  const RET_SUCCESS = 1;
+  const RET_EMAIL   = 2;
+
+  public function &run( Router &$router, View &$view, array &$args ) {
 
-  public function &run(Router &$router, View &$view, array &$args) {
+    if ( $router->getRequestMethod() == 'GET' ) {
+      $data = $router->getRequestQueryArray();
+    } else {
+      $data = $router->getRequestBodyArray();
+    }
 
     $model = new UserResetPasswordModel();
 
-    $view->render($model);
+    $model->error = null;
+    $model->csrf_id = isset( $data[ 'csrf_id' ]) ? $data[ 'csrf_id' ] : null;
+    $model->csrf_token = (
+      isset( $data[ 'csrf_token' ]) ? $data[ 'csrf_token' ] : null
+    );
+    $model->pw1 = isset( $data[ 'pw1' ]) ? $data[ 'pw1' ] : null;
+    $model->pw2 = isset( $data[ 'pw2' ]) ? $data[ 'pw2' ] : null;
+    $model->token = isset( $data[ 't' ]) ? $data[ 't' ] : null;
+    $model->user = null;
+    $model->username = isset( $data[ 'username' ]) ? $data[ 'username' ] : null;
+
+    if ( $router->getRequestMethod() == 'POST' ) {
+      $ret = $this->doPasswordReset( $model );
+      if ( $ret !== self::RET_EMAIL ) {
+        Logger::logEvent(
+          EventTypes::USER_PASSWORD_RESET,
+          ( $model->user ? $model->user->getId() : null ),
+          getenv( 'REMOTE_ADDR' ),
+          json_encode([
+            'error' => $model->error,
+            'user' => ( $model->user ? true : false ),
+            'username' => $model->username,
+          ])
+        );
+      }
+    }
+
+    $view->render( $model );
 
     $model->_responseCode = 200;
-    $model->_responseHeaders["Content-Type"] = $view->getMimeType();
+    $model->_responseHeaders[ 'Content-Type' ] = $view->getMimeType();
     $model->_responseTTL = 0;
 
     return $model;
 
   }
 
+  protected function doPasswordReset( UserResetPasswordModel &$model ) {
+    $model->error = 'INTERNAL_ERROR';
+
+    if ( empty( $model->username )) {
+      $model->error = 'EMPTY_USERNAME';
+      return self::RET_FAILURE;
+    }
+
+    try {
+      $model->user = new User( User::findIdByUsername( $model->username ));
+    } catch ( UserNotFoundException $e ) {
+      $model->user = null;
+    } catch ( InvalidArgumentException $e ) {
+      $model->user = null;
+    }
+
+    if ( !$model->user ) {
+      $model->error = 'USER_NOT_FOUND';
+      return self::RET_FAILURE;
+    }
+
+    if ( empty( $model->token )) {
+      $state = new StdClass();
+
+      $mail = new PHPMailer( true ); // true enables exceptions
+      $mail_config = Common::$config->email;
+
+      $state->mail &= $mail;
+      $state->token = $model->user->getVerificationToken();
+      $state->user = $model->user;
+
+      try {
+        //Server settings
+        $mail->Timeout = 10; // default is 300 per RFC2821 $ 4.5.3.2
+        $mail->SMTPDebug = 0;
+        $mail->isSMTP();
+        $mail->Host       = $mail_config->smtp_host;
+        $mail->SMTPAuth   = !empty($mail_config->smtp_user);
+        $mail->Username   = $mail_config->smtp_user;
+        $mail->Password   = $mail_config->smtp_password;
+        $mail->SMTPSecure = $mail_config->smtp_tls ? 'tls' : '';
+        $mail->Port       = $mail_config->smtp_port;
+
+        //Recipients
+        if (!empty($mail_config->recipient_from)) {
+          $mail->setFrom($mail_config->recipient_from, 'BNETDocs');
+        }
+
+        $mail->addAddress($model->user->getEmail(), $model->user->getName());
+
+        if (!empty($mail_config->recipient_reply_to)) {
+          $mail->addReplyTo($mail_config->recipient_reply_to);
+        }
+
+        // Content
+        $mail->isHTML(true);
+        $mail->Subject = 'Reset Password';
+        $mail->CharSet = PHPMailer::CHARSET_UTF8;
+
+        ob_start();
+        (new Template($state, 'Email/User/ResetPassword.rich'))->render();
+        $mail->Body = ob_get_clean();
+
+        ob_start();
+        (new Template($state, 'Email/User/ResetPassword.plain'))->render();
+        $mail->AltBody = ob_get_clean();
+
+        $mail->send();
+
+        $model->error = false;
+
+        Logger::logEvent(
+          EventTypes::EMAIL_SENT,
+          $model->user->getId(),
+          getenv( 'REMOTE_ADDR' ),
+          json_encode([
+            'from' => $mail->From,
+            'to' => $mail->getToAddresses(),
+            'reply_to' => $mail->getReplyToAddresses(),
+            'subject' => $mail->Subject,
+            'content_type' => $mail->ContentType,
+            'body' => $mail->Body,
+            'alt_body' => $mail->AltBody,
+          ])
+        );
+
+      } catch (\Exception $e) {
+        $model->error = 'EMAIL_FAILURE';
+      }
+
+      return self::RET_EMAIL;
+    }
+
+    if ( $model->token !== $model->user->getVerificationToken() ) {
+      $model->error = 'INVALID_TOKEN';
+      return self::RET_FAILURE;
+    }
+
+    if ( $model->pw1 !== $model->pw2 ) {
+      $model->error = 'PASSWORD_MISMATCH';
+      return self::RET_FAILURE;
+    }
+
+    $req = Common::$config->bnetdocs->user_register_requirements;
+    $pwlen = strlen( $model->pw1 );
+
+    if ( is_numeric( $req->password_length_max )
+      && $pwlen > $req->password_length_max ) {
+      $model->error = 'PASSWORD_TOO_LONG';
+      return self::RET_FAILURE;
+    }
+
+    if ( is_numeric( $req->password_length_min )
+      && $pwlen < $req->password_length_min ) {
+      $model->error = 'PASSWORD_TOO_SHORT';
+      return self::RET_FAILURE;
+    }
+
+    if ( !$req->password_allow_email
+      && stripos( $model->pw1, $model->user->getEmail() )) {
+      $model->error = 'PASSWORD_CONTAINS_EMAIL';
+      return self::RET_FAILURE;
+    }
+
+    if ( !$req->password_allow_username
+      && stripos( $model->pw1, $model->user->getUsername() )) {
+      $model->error = 'PASSWORD_CONTAINS_USERNAME';
+      return self::RET_FAILURE;
+    }
+
+    // --
+    $model->user->invalidateVerificationToken();
+    // --
+
+    if ( $model->user->getAcl( User::OPTION_DISABLED )) {
+      $model->error = 'USER_DISABLED';
+      return self::RET_FAILURE;
+    }
+
+    if (!$model->user->changePassword( $model->pw1 )) {
+      $model->error = 'INTERNAL_ERROR';
+      return self::RET_FAILURE;
+    }
+
+    $model->error = false;
+    return self::RET_SUCCESS;
+  }
 }
diff --git a/src/models/User/ResetPassword.php b/src/models/User/ResetPassword.php
@@ -8,7 +8,9 @@ class ResetPassword extends Model {
 
   public $csrf_id;
   public $csrf_token;
-  public $email;
   public $error;
+  public $token;
+  public $user;
+  public $username;
 
 }
diff --git a/src/templates/Email/User/Register.plain.phtml b/src/templates/Email/User/Register.plain.phtml
@@ -1,7 +1,7 @@
 <?php
 namespace BNETDocs\Templates\Email\User;
 use \CarlBennett\MVC\Libraries\Common;
-require("./Email/header.plain.inc.phtml");
+require('./Email/header.plain.inc.phtml');
 ?>
 Welcome to BNETDocs!
 
@@ -13,4 +13,4 @@ or copy and paste the link below into your browser to activate your account.
 
 Note: This link will only be available for 24 hours after registering. If you
 wait until it expires, you will need to complete a password reset.
-<?php require("./Email/footer.plain.inc.phtml"); ?>
+<?php require('./Email/footer.plain.inc.phtml'); ?>
diff --git a/src/templates/Email/User/Register.rich.phtml b/src/templates/Email/User/Register.rich.phtml
@@ -1,11 +1,11 @@
 <?php
 namespace BNETDocs\Templates\Email\User;
 use \CarlBennett\MVC\Libraries\Common;
-require("./Email/header.rich.inc.phtml");
+require('./Email/header.rich.inc.phtml');
 $url = Common::relativeUrlToAbsolute('/user/activate?u=' . rawurlencode($this->getContext()->user_id) . '&t=' . rawurlencode($this->getContext()->token));
 ?>
 <p style="font-family:sans-serif;font-weight:bold;">Welcome to BNETDocs!</p>
 <p style="font-family:sans-serif;">Your account requires activation before being able to use this service. Click or copy and paste the link below into your browser to activate your account.</p>
 <p style="font-family:sans-serif;"><a href="<?=$url?>" rel="external"><?=filter_var($url, FILTER_SANITIZE_FULL_SPECIAL_CHARS)?></a></p>
 <p style="font-family:sans-serif;"><strong>Note:</strong> This link will only be available for 24 hours after registering. If you wait until it expires, you will need to complete a password reset.</p>
-<?php require("./Email/footer.rich.inc.phtml"); ?>
+<?php require('./Email/footer.rich.inc.phtml'); ?>
diff --git a/src/templates/Email/User/ResetPassword.plain.phtml b/src/templates/Email/User/ResetPassword.plain.phtml
@@ -1,10 +1,14 @@
-<?php require('./Email/header.plain.inc.phtml'); ?>
+<?php
+namespace BNETDocs\Templates\Email\User;
+use \CarlBennett\MVC\Libraries\Common;
+require('./Email/header.plain.inc.phtml');
+?>
 Hello <?=$this->getContext()->user->getName()?>,
 
-You requested your password to be reset on BNETDocs. If this was you, copy and
-paste the following into your web browser:
+Someone requested your password to be reset on BNETDocs. If this was you, copy
+and paste the following into your web browser:
 
-<?=$this->getContext()->url?>
+<?=Common::relativeUrlToAbsolute('/user/resetpassword?username=' . rawurlencode($this->getContext()->user->getUsername()) . '&t=' . rawurlencode($this->getContext()->token))?>
 
 If this was not you, then you can safely ignore this email; no action will be
 taken.
diff --git a/src/templates/Email/User/ResetPassword.rich.phtml b/src/templates/Email/User/ResetPassword.rich.phtml
@@ -1,9 +1,10 @@
 <?php
-
 namespace BNETDocs\Templates\Email\User;
 
-$name = $this->getContext()->user->getName();
-$url  = $this->getContext()->url;
+use \CarlBennett\MVC\Libraries\Common;
+
+$name = filter_var($this->getContext()->user->getName(), FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+$url  = Common::relativeUrlToAbsolute('/user/resetpassword?username=' . rawurlencode($this->getContext()->user->getUsername()) . '&t=' . rawurlencode($this->getContext()->token));
 
 ?><!DOCTYPE html "-//w3c//dtd xhtml 1.0 transitional //en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
     <!--[if gte mso 9]><xml>
@@ -173,7 +174,7 @@ $url  = $this->getContext()->url;
   <tbody><tr style="vertical-align: top">
     <td style="word-break: break-word;border-collapse: collapse !important;vertical-align: top;padding-top: 10px;padding-right: 10px;padding-bottom: 10px;padding-left: 10px">
         <div style="color:#DDD;line-height:120%;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;">            
-                <div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">Hello <?php echo $name; ?>,</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">You requested your password to be reset on BNETDocs. If this was you, click the following:</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;"><?php echo $url; ?></span><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">If this was not you, then you can safely ignore this email; no action will be taken.</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">Best,</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">BNETDocs Staff</span></p></div>
+                <div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">Hello <?php echo $name; ?>,</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">Someone requested your password to be reset on BNETDocs. If this was you, click the following:</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;"><a style="color: #00DEBF;text-decoration: none;" href="<?=$url?>"><?=$url?></a></span><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">If this was not you, then you can safely ignore this email; no action will be taken.</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">Best,</span></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><br></p></div><div style="font-size:12px;line-height:14px;color:#DDD;font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif;text-align:left;"><p style="margin: 0;font-size: 12px;line-height: 14px"><span style="font-size: 14px; line-height: 16px;">BNETDocs Staff</span></p></div>
         </div>
     </td>
   </tr>
diff --git a/src/templates/User/ResetPassword.phtml b/src/templates/User/ResetPassword.phtml

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,9 @@ class ResetPassword extends Model {`
`8`	`8`
`9`	`9`	`public $csrf_id;`
`10`	`10`	`public $csrf_token;`
`11`		`- public $email;`
`12`	`11`	`public $error;`
	`12`	`+ public $token;`
	`13`	`+ public $user;`
	`14`	`+ public $username;`
`13`	`15`
`14`	`16`	`}`