Merge pull request #405 from 2pisoftware/develop

iceaxeliehne · web-flow · commit 4007c5c0c654 · 2024-12-09T12:49:01.000+11:00
release: merge develop into main
diff --git a/system/modules/auth/actions/forgotpassword.php b/system/modules/auth/actions/forgotpassword.php
@@ -1,5 +1,7 @@
 <?php
 
+use Carbon\CarbonInterval;
+
 function forgotpassword_GET(Web $w)
 {
     // Check if logged in already
@@ -36,11 +38,15 @@ function forgotpassword_POST(Web $w)
     $user->dt_password_reset_at = time();
     $user->update();
 
+    // default 30 minutes
+    $expiry = Config::get("auth.login.password.reset_token_expiry", 30 * 60);
+    $readable_expiry = CarbonInterval::seconds($expiry)->cascade()->forHumans();
+
     // Send email
     $message = "Hello {$user->getFullName()},\n<br/>";
     $message .= "Please go to this link to reset your password:<br/>\n";
-    $message .= "<a href=\"https://" . $_SERVER["HTTP_HOST"] . "/auth/resetpassword?email={$user_contact->email}&token={$user->password_reset_token}\">https://"
-        . $_SERVER["HTTP_HOST"] . "/auth/resetpassword?token={$user->password_reset_token}</a>\n<br/>You have 24 hours to reset your password.<br/><br/>";
+    $message .= "<a href=\"https://" . $_SERVER["HTTP_HOST"] . "/auth/resetpassword?token={$user->password_reset_token}\">https://"
+        . $_SERVER["HTTP_HOST"] . "/auth/resetpassword?token={$user->password_reset_token}</a>\n<br/>You have {$readable_expiry} to reset your password.<br/><br/>";
     $message .= "Thank you,\n<br/>". Config::get('main.company_name', 'Cosine');
 
     $result = MailService::getInstance($w)->sendMail($user_contact->email, $support_email, Config::get("main.application_name") . " password reset", $message);
diff --git a/system/modules/auth/actions/resetpassword.php b/system/modules/auth/actions/resetpassword.php
@@ -1,5 +1,6 @@
 <?php
 
+use Carbon\CarbonInterval;
 use Html\Form\InputField\Password;
 
 function resetpassword_GET(Web $w)
@@ -13,8 +14,13 @@ function resetpassword_GET(Web $w)
     if (!empty($user->id)) {
         // Check that the password reset hasn't expired
         LogService::getInstance($w)->setLogger("AUTH")->debug("USER: " . $user->id . " TIME: " . time() . " USER_RESET: " . $user->dt_password_reset_at . " RESULT: " . (time() - $user->dt_password_reset_at));
-        if ((time() - $user->dt_password_reset_at) > 86400) {
-            $w->msg("Your token has expired (max 24 hours), please submit for a new one", "/auth/forgotpassword");
+        
+        // default 30 minutes
+        $expiry = Config::get("auth.login.password.reset_token_expiry", 30 * 60);
+        $readable_expiry = CarbonInterval::seconds($expiry)->cascade()->forHumans();
+
+        if ((time() - $user->dt_password_reset_at) > $expiry) {
+            $w->msg("Your token has expired (max {$readable_expiry}), please submit for a new one", "/auth/forgotpassword");
             return;
         }
 
diff --git a/system/modules/auth/config.php b/system/modules/auth/config.php
@@ -16,7 +16,8 @@
     'login' => [
         'password' => [
             'enforce_length' => false,
-            'min_length' => 8
+            'min_length' => 8,
+            "reset_token_expiry" => 30 * 60 // 30 minutes
         ],
         'attempts' => [
             'track_attempts' => false,
