Security bug fix: the password reset token was not set to null after the password was reset
<?php | |
// src/CommandHandler/Account/ResetPasswordHandler.php | |
declare(strict_types=1); | |
namespace App\CommandHandler\Account; | |
use Sylius\Bundle\ApiBundle\Command\Account\ResetPassword; | |
use Sylius\Component\Core\Model\ShopUserInterface; | |
use Sylius\Component\Resource\Metadata\MetadataInterface; | |
use Sylius\Component\User\Repository\UserRepositoryInterface; | |
use Sylius\Component\User\Security\PasswordUpdaterInterface; | |
use Symfony\Component\Messenger\Handler\MessageHandlerInterface; | |
use Webmozart\Assert\Assert; | |
/**
 * Handles the ResetPassword command from the Sylius API: finds the user by the
 * submitted token, validates it, stores the new password and then invalidates the
 * token so the same reset link cannot be used a second time.
 */
final class ResetPasswordHandler implements MessageHandlerInterface
{
    private UserRepositoryInterface $userRepository;

    private MetadataInterface $metadata;

    private PasswordUpdaterInterface $passwordUpdater;

    public function __construct(
        UserRepositoryInterface $userRepository,
        MetadataInterface $metadata,
        PasswordUpdaterInterface $passwordUpdater
    ) {
        $this->userRepository = $userRepository;
        $this->metadata = $metadata;
        $this->passwordUpdater = $passwordUpdater;
    }

    /**
     * @throws \InvalidArgumentException when no user carries the token, when the
     *                                   token has expired, or when the stored token
     *                                   does not match the submitted one exactly
     */
    public function __invoke(ResetPassword $command): void
    {
        $submittedToken = $command->resetPasswordToken;

        /** @var ShopUserInterface|null $user */
        $user = $this->userRepository->findOneBy(['passwordResetToken' => $submittedToken]);
        Assert::notNull($user, 'No user found with reset token: ' . $submittedToken);

        // Expiry is checked first so an expired token is reported as such, even if
        // it would otherwise match.
        if (!$user->isPasswordRequestNonExpired($this->tokenLifetime())) {
            throw new \InvalidArgumentException('Password reset token has expired');
        }

        // The lookup above already matched on the token column; this strict
        // comparison keeps an exact (byte-wise) match as a requirement regardless of
        // how loosely the repository/database compared the value — presumably a
        // guard against collation-based near-matches, confirm against the storage.
        if ($submittedToken !== $user->getPasswordResetToken()) {
            throw new \InvalidArgumentException('Password reset token does not match.');
        }

        $user->setPlainPassword($command->newPassword);
        $this->passwordUpdater->updatePassword($user);

        // Single-use token: clear it once the password has been updated so the
        // reset link cannot be replayed (this is the fix this file exists for).
        $user->setPasswordResetToken(null);
    }

    /**
     * Builds the reset-token lifetime from the resource's `resetting.token.ttl`
     * parameter (an ISO-8601 duration string, as required by DateInterval).
     */
    private function tokenLifetime(): \DateInterval
    {
        $resettingConfig = $this->metadata->getParameter('resetting');

        return new \DateInterval($resettingConfig['token']['ttl']);
    }
}
# config/services.yaml
services:
    # ...
    # Point the vendor handler service ids at the application's fixed handler so the
    # bundled ResetPasswordHandler is no longer used. The id differs per Sylius
    # version; keep only the alias that matches the installed version.
    # For Sylius v1.11
    Sylius\Bundle\ApiBundle\CommandHandler\Account\ResetPasswordHandler:
        alias: App\CommandHandler\Account\ResetPasswordHandler
    # For Sylius v1.10
    Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler:
        alias: App\CommandHandler\Account\ResetPasswordHandler
    App\CommandHandler\Account\ResetPasswordHandler:
        # Constructor arguments, in order: user repository, resource metadata,
        # password updater (see ResetPasswordHandler::__construct).
        arguments:
            - '@sylius.repository.shop_user'
            # Inline service: the shop_user resource metadata fetched from the
            # resource registry; the handler reads its `resetting.token.ttl` parameter.
            - !service
                class: Sylius\Component\Resource\Metadata\MetadataInterface
                factory: [ '@sylius.resource_registry', 'get' ]
                arguments:
                    - 'sylius.shop_user'
            - '@sylius.security.password_updater'
        # Registered on both buses the command may be dispatched through.
        tags:
            - { name: messenger.message_handler, bus: sylius.command_bus }
            - { name: messenger.message_handler, bus: sylius_default.bus }