
Commit e128570

committed
fix(user): make lostPassword use better hashed link
1 parent b5a8f93 commit e128570


2 files changed

+9
-4
lines changed


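--- a/includes/services/UserManager.php
+++ b/includes/services/UserManager.php
@@ -34,6 +34,7 @@ class UserManager implements UserProviderInterface, PasswordUpgraderInterface
 protected $passwordHasherFactory;
 protected $securityController;
 protected $params;
+protected $userlink;
 
 private $getOneByNameCacheResults;
 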
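Review bot: The new `protected $userlink;` property is neither assigned nor read anywhere in this commit, and the title only mentions the lost-password action, so it looks like a leftover that should be dropped or wired up in the same change. If it is meant to stay, give it a type or at least a docblock such as `/** @var string|null link used for password recovery — TODO confirm type and owner */` so the next maintainer knows what is supposed to fill it; nothing in the hunk establishes its type. The UserManager class body continues outside the hunk.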
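--- a/tools/login/actions/LostPasswordAction.php
+++ b/tools/login/actions/LostPasswordAction.php
@@ -10,20 +10,21 @@
 use YesWiki\Core\Service\UserManager;
 use YesWiki\Core\YesWikiAction;
 use YesWiki\Security\Controller\SecurityController;
+use YesWiki\Core\Service\PasswordHasherFactory;
 
 if (!function_exists('send_mail')) {
 require_once('includes/email.inc.php');
 }
 
 class LostPasswordAction extends YesWikiAction
 {
-private const PW_SALT = 'FBcA';
 public const KEY_VOCABULARY = 'http://outils-reseaux.org/_vocabulary/key';
 
 protected $authController;
 protected $errorType;
 protected $typeOfRendering;
 protected $securityController;
+protected $passwordHasherFactory;
 protected $tripleStore;
 protected $userManager;
 
@@ -34,6 +35,7 @@ public function run()
 $this->securityController = $this->getService(SecurityController::class);
 $this->tripleStore = $this->getService(TripleStore::class);
 $this->userManager = $this->getService(UserManager::class);
+$this->passwordHasherFactory = $this->getService(PasswordHasherFactory::class);
 
 // init properties
 $this->errorType = null;
@@ -206,16 +208,18 @@ private function manageSubStep(int $subStep): ?User
 private function sendPasswordRecoveryEmail(User $user)
 {
 // Generate the password recovery key
-$key = md5($user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s') . self::PW_SALT);
+$passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user);
+$plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s');
+$hashedKey = $passwordHasher->hash($plainKey);
 // Erase the previous triples in the trible table
 $this->tripleStore->delete($user['name'], self::KEY_VOCABULARY, null, '', '') ;
 // Store the (name, vocabulary, key) triple in triples table
-$res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $key, '', '');
+$res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $hashedKey, '', '');
 
 // Generate the recovery email
 $passwordLink = $this->wiki->Href('', '', [
 'a' => 'recover',
-'email' => $key,
+'email' => $hashedKey,
 'u' => base64_encode($user['name'])
 ], false);
 $pieces = parse_url($this->params->get('base_url'));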
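Review bot: In sendPasswordRecoveryEmail the unpredictability of the recovery token still does not come from its inputs: `$plainKey` is built from the user name, the e-mail, a timestamp and `random_int(0, 10000)` (about 13 bits), so whatever secrecy the emitted `$hashedKey` has rests on the salt the password hasher adds internally, which is an incidental property of the hasher rather than a stated contract. A token drawn directly from the CSPRNG, `$hashedKey = bin2hex(random_bytes(32));`, makes the intent explicit, removes the dependency on the hasher and its per-request cost, and is what a reset-link token is normally expected to be. Password-hasher output also contains characters such as `$`, `.` and `/`, so unless `Href()` URL-encodes query values the link may not round-trip intact; the hexadecimal token avoids that concern, and the triple-store column width should be confirmed since the stored value is now longer than the 32-character md5 it replaces. The recover step that validates this value, and the rest of sendPasswordRecoveryEmail, lie outside the hunk.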
