Move reusable token verification to separate method
This commit is contained in:
parent
685bf47b30
commit
5a99441a0c
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"name": "fwdekker/death-notifier",
|
||||
"description": "Get notified when a famous person dies.",
|
||||
"version": "0.17.1", "_comment_version": "Also update version in `package.json`!",
|
||||
"version": "0.17.2", "_comment_version": "Also update version in `package.json`!",
|
||||
"type": "project",
|
||||
"license": "MIT",
|
||||
"homepage": "https://git.fwdekker.com/tools/death-notifier",
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "death-notifier",
|
||||
"version": "0.17.1", "_comment_version": "Also update version in `composer.json`!",
|
||||
"version": "0.17.2", "_comment_version": "Also update version in `composer.json`!",
|
||||
"description": "Get notified when a famous person dies.",
|
||||
"author": "Florine W. Dekker",
|
||||
"browser": "dist/bundle.js",
|
||||
|
|
|
@ -9,6 +9,9 @@ use com\fwdekker\deathnotifier\mailer\Email;
|
|||
use com\fwdekker\deathnotifier\mailer\EmailQueue;
|
||||
use com\fwdekker\deathnotifier\validator\HasStringLengthRule;
|
||||
use com\fwdekker\deathnotifier\validator\InvalidInputException;
|
||||
use com\fwdekker\deathnotifier\validator\IsEmailRule;
|
||||
use com\fwdekker\deathnotifier\validator\IsStringRule;
|
||||
use com\fwdekker\deathnotifier\validator\IsValidCsrfTokenRule;
|
||||
use com\fwdekker\deathnotifier\validator\RuleSet;
|
||||
|
||||
|
||||
|
@ -54,17 +57,22 @@ class ResetPasswordAction extends Action
|
|||
* @throws InvalidInputException if no valid CSRF token is present, if no account with the given email address
|
||||
* exists, if the password is too short or too long, if the reset token is invalid, or if the reset token has
|
||||
* expired
|
||||
* @see ValidatePasswordResetTokenAction::handle()
|
||||
*/
|
||||
public function handle(array $inputs): mixed
|
||||
{
|
||||
(new RuleSet([
|
||||
"password" => [new HasStringLengthRule(UserList::MIN_PASSWORD_LENGTH, UserList::MAX_PASSWORD_LENGTH)]
|
||||
"token" => [new IsValidCsrfTokenRule()],
|
||||
"email" => [new IsEmailRule()],
|
||||
"password" => [new HasStringLengthRule(UserList::MIN_PASSWORD_LENGTH, UserList::MAX_PASSWORD_LENGTH)],
|
||||
"reset_token" => [new IsStringRule()],
|
||||
]))->check($inputs);
|
||||
|
||||
$this->user_list->transaction(function () use ($inputs) {
|
||||
// TODO: Extract the shared functionality cleanly
|
||||
(new ValidatePasswordResetTokenAction($this->user_list))->handle($inputs);
|
||||
ValidatePasswordResetTokenAction::validate_token(
|
||||
$this->user_list,
|
||||
$inputs["email"],
|
||||
$inputs["reset_token"]
|
||||
);
|
||||
|
||||
$user_data = $this->user_list->get_user_by_email($inputs["email"]);
|
||||
if ($user_data === null)
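Review bot: Right after the new `ValidatePasswordResetTokenAction::validate_token(...)` call, the closure runs `$this->user_list->get_user_by_email($inputs["email"])` a second time and re-tests the result for `null`, repeating the lookup and null check that `validate_token` has just performed (its new body throws `InvalidInputException` when no user exists). Consider having `validate_token` return the row it fetched (`array` instead of `void`) and reusing that value here, which drops the duplicate query and the effectively unreachable `null` branch inside the transaction. `handle()` continues past the end of this hunk, so I cannot see whether the rest of the closure relies on that branch; treat this as a style point rather than a defect.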
|
||||
|
|
|
@ -52,10 +52,26 @@ class ValidatePasswordResetTokenAction extends Action
|
|||
"reset_token" => [new IsStringRule()],
|
||||
]))->check($inputs);
|
||||
|
||||
$user_data = $this->user_list->get_user_by_email($inputs["email"]);
|
||||
ValidatePasswordResetTokenAction::validate_token($this->user_list, $inputs["email"], $inputs["reset_token"]);
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether the given password reset token is valid.
|
||||
*
|
||||
* @param UserList $user_list the list to validate the password reset token in
|
||||
* @param string $email the email address to validate the password reset token of
|
||||
* @param string $reset_token the password reset token to validate
|
||||
* @return void
|
||||
* @throws InvalidInputException if no account with the given email address exists, if the reset token is invalid,
|
||||
* or if the reset token has expired
|
||||
*/
|
||||
public static function validate_token(UserList $user_list, string $email, string $reset_token): void
|
||||
{
|
||||
$user_data = $user_list->get_user_by_email($email);
|
||||
if ($user_data === null)
|
||||
throw new InvalidInputException("No user with that email address has been registered.");
|
||||
if ($inputs["reset_token"] !== $user_data["password_reset_token"])
|
||||
if ($reset_token !== $user_data["password_reset_token"])
|
||||
// TODO: Just tell the user why the link is invalid: Because no request exists, or because the token is wrong
|
||||
// TODO: Also, tell the user what they can do to resolve this
|
||||
throw new InvalidInputException(
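Review bot: The comparison on the new `if ($reset_token !== $user_data["password_reset_token"])` line is an ordinary string compare that stops at the first differing byte, so it is not constant-time with respect to the stored reset token; prefer `hash_equals()` with the stored value as the known string: `if ($user_data["password_reset_token"] === null || !hash_equals($user_data["password_reset_token"], $reset_token))`. The explicit `null` guard matters because `hash_equals()` accepts only strings and `hash_equals('', '')` is true, so a missing stored token coerced to `''` would otherwise match an empty submitted token; whether the column can be null is not visible here, though the TODO on the following line suggests a token may be absent when no request exists. Separately, `* @return void` in the new docblock restates the native return type and can be dropped. The expiry check and the remainder of `validate_token` continue beyond the end of this hunk.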
|
||||
|
@ -72,7 +88,5 @@ class ValidatePasswordResetTokenAction extends Action
|
|||
`"Forgot password?" button to request a new password reset link.`
|
||||
);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
|