Allow overriding the $resetRequestLifetime when generating a token

kbond · kbond · commit d947f9d43584 · 2023-02-01T11:57:38.000-05:00
diff --git a/src/ResetPasswordHelper.php b/src/ResetPasswordHelper.php
@@ -60,17 +60,19 @@ public function __construct(ResetPasswordTokenGenerator $generator, ResetPasswor
      *
      * @throws TooManyPasswordRequestsException
      */
-    public function generateResetToken(object $user): ResetPasswordToken
+    public function generateResetToken(object $user, ?int $resetRequestLifetime = null): ResetPasswordToken
     {
         $this->resetPasswordCleaner->handleGarbageCollection();
 
         if ($availableAt = $this->hasUserHitThrottling($user)) {
             throw new TooManyPasswordRequestsException($availableAt);
         }
 
-        $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $this->resetRequestLifetime));
+        $resetRequestLifetime = $resetRequestLifetime ?: $this->resetRequestLifetime;
 
-        $generatedAt = ($expiresAt->getTimestamp() - $this->resetRequestLifetime);
+        $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $resetRequestLifetime));
+
+        $generatedAt = ($expiresAt->getTimestamp() - $resetRequestLifetime);
 
         $tokenComponents = $this->tokenGenerator->createToken($expiresAt, $this->repository->getUserIdentifier($user));
 
@@ -164,11 +166,12 @@ public function getTokenLifetime(): int
      *
      * This method should not be used when timing attacks are a concern.
      */
-    public function generateFakeResetToken(): ResetPasswordToken
+    public function generateFakeResetToken(?int $resetRequestLifetime = null): ResetPasswordToken
     {
-        $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $this->resetRequestLifetime));
+        $resetRequestLifetime = $resetRequestLifetime ?: $this->resetRequestLifetime;
+        $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $resetRequestLifetime));
 
-        $generatedAt = ($expiresAt->getTimestamp() - $this->resetRequestLifetime);
+        $generatedAt = ($expiresAt->getTimestamp() - $resetRequestLifetime);
 
         return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);
     }
diff --git a/src/ResetPasswordHelperInterface.php b/src/ResetPasswordHelperInterface.php
@@ -16,7 +16,7 @@
  * @author Jesse Rushlow <jr@rushlow.dev>
  * @author Ryan Weaver   <ryan@symfonycasts.com>
  *
- * @method ResetPasswordToken generateFakeResetToken() Generates a fake ResetPasswordToken.
+ * @method ResetPasswordToken generateFakeResetToken(?int $resetRequestLifetime = null) Generates a fake ResetPasswordToken.
  */
 interface ResetPasswordHelperInterface
 {
@@ -28,9 +28,11 @@ interface ResetPasswordHelperInterface
      * and removeResetRequest() can eventually invalidate it by removing it
      * from storage.
      *
+     * @param ?int $resetRequestLifetime Override the default (to be added to interface in 2.0)
+     *
      * @throws ResetPasswordExceptionInterface
      */
-    public function generateResetToken(object $user): ResetPasswordToken;
+    public function generateResetToken(object $user/*, ?int $resetRequestLifetime = null*/): ResetPasswordToken;
 
     /**
      * Validate a reset request and fetch the user from persistence.
diff --git a/tests/UnitTests/ResetPasswordHelperTest.php b/tests/UnitTests/ResetPasswordHelperTest.php
@@ -332,6 +332,74 @@ public function testExpiresAtUsesCurrentTimeZone(): void
         self::assertSame(date_default_timezone_get(), $expiresAt->getTimezone()->getName());
     }
 
+    public function testExpiresAtUsingDefault(): void
+    {
+        $helper = new ResetPasswordHelper(
+            $this->mockTokenGenerator,
+            $this->mockCleaner,
+            $this->mockRepo,
+            60,
+            99999999
+        );
+
+        $token = $helper->generateResetToken(new \stdClass());
+        $expiresAt = $token->getExpiresAt();
+
+        self::assertGreaterThan(new \DateTimeImmutable('+55 seconds'), $expiresAt);
+        self::assertLessThan(new \DateTimeImmutable('+65 seconds'), $expiresAt);
+    }
+
+    public function testExpiresAtUsingOverride(): void
+    {
+        $helper = new ResetPasswordHelper(
+            $this->mockTokenGenerator,
+            $this->mockCleaner,
+            $this->mockRepo,
+            60,
+            99999999
+        );
+
+        $token = $helper->generateResetToken(new \stdClass(), 30);
+        $expiresAt = $token->getExpiresAt();
+
+        self::assertGreaterThan(new \DateTimeImmutable('+25 seconds'), $expiresAt);
+        self::assertLessThan(new \DateTimeImmutable('+35 seconds'), $expiresAt);
+    }
+
+    public function testFakeTokenExpiresAtUsingDefault(): void
+    {
+        $helper = new ResetPasswordHelper(
+            $this->mockTokenGenerator,
+            $this->mockCleaner,
+            $this->mockRepo,
+            60,
+            99999999
+        );
+
+        $token = $helper->generateFakeResetToken();
+        $expiresAt = $token->getExpiresAt();
+
+        self::assertGreaterThan(new \DateTimeImmutable('+55 seconds'), $expiresAt);
+        self::assertLessThan(new \DateTimeImmutable('+65 seconds'), $expiresAt);
+    }
+
+    public function testFakeTokenExpiresAtUsingOverride(): void
+    {
+        $helper = new ResetPasswordHelper(
+            $this->mockTokenGenerator,
+            $this->mockCleaner,
+            $this->mockRepo,
+            60,
+            99999999
+        );
+
+        $token = $helper->generateFakeResetToken(30);
+        $expiresAt = $token->getExpiresAt();
+
+        self::assertGreaterThan(new \DateTimeImmutable('+25 seconds'), $expiresAt);
+        self::assertLessThan(new \DateTimeImmutable('+35 seconds'), $expiresAt);
+    }
+
     private function getPasswordResetHelper(): ResetPasswordHelper
     {
         return new ResetPasswordHelper(

Original file line number	Diff line number	Diff line change
`@@ -60,17 +60,19 @@ public function __construct(ResetPasswordTokenGenerator $generator, ResetPasswor`
`60`	`60`	`*`
`61`	`61`	`* @throws TooManyPasswordRequestsException`
`62`	`62`	`*/`
`63`		`- public function generateResetToken(object $user): ResetPasswordToken`
	`63`	`+ public function generateResetToken(object $user, ?int $resetRequestLifetime = null): ResetPasswordToken`
`64`	`64`	`{`
`65`	`65`	`$this->resetPasswordCleaner->handleGarbageCollection();`
`66`	`66`
`67`	`67`	`if ($availableAt = $this->hasUserHitThrottling($user)) {`
`68`	`68`	`throw new TooManyPasswordRequestsException($availableAt);`
`69`	`69`	`}`
`70`	`70`
`71`		`- $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $this->resetRequestLifetime));`
	`71`	`+ $resetRequestLifetime = $resetRequestLifetime ?: $this->resetRequestLifetime;`
`72`	`72`
`73`		`- $generatedAt = ($expiresAt->getTimestamp() - $this->resetRequestLifetime);`
	`73`	`+ $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $resetRequestLifetime));`
	`74`	`+`
	`75`	`+ $generatedAt = ($expiresAt->getTimestamp() - $resetRequestLifetime);`
`74`	`76`
`75`	`77`	`$tokenComponents = $this->tokenGenerator->createToken($expiresAt, $this->repository->getUserIdentifier($user));`
`76`	`78`
`@@ -164,11 +166,12 @@ public function getTokenLifetime(): int`
`164`	`166`	`*`
`165`	`167`	`* This method should not be used when timing attacks are a concern.`
`166`	`168`	`*/`
`167`		`- public function generateFakeResetToken(): ResetPasswordToken`
	`169`	`+ public function generateFakeResetToken(?int $resetRequestLifetime = null): ResetPasswordToken`
`168`	`170`	`{`
`169`		`- $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $this->resetRequestLifetime));`
	`171`	`+ $resetRequestLifetime = $resetRequestLifetime ?: $this->resetRequestLifetime;`
	`172`	`+ $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $resetRequestLifetime));`
`170`	`173`
`171`		`- $generatedAt = ($expiresAt->getTimestamp() - $this->resetRequestLifetime);`
	`174`	`+ $generatedAt = ($expiresAt->getTimestamp() - $resetRequestLifetime);`
`172`	`175`
`173`	`176`	`return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);`
`174`	`177`	`}`