Move reusable token verification to separate method

2022-12-06 18:12:43 +01:00 · 2022-12-06 18:12:43 +01:00 · 5a99441a0c
parent 685bf47b30
commit 5a99441a0c
6 changed files with 32 additions and 10 deletions
--- a/composer.json
+++ b/composer.json
@ -1,7 +1,7 @@
 {
    "name": "fwdekker/death-notifier",
    "description": "Get notified when a famous person dies.",
-    "version": "0.17.1", "_comment_version": "Also update version in `package.json`!",
+    "version": "0.17.2", "_comment_version": "Also update version in `package.json`!",
    "type": "project",
    "license": "MIT",
    "homepage": "https://git.fwdekker.com/tools/death-notifier",
--- a/composer.lock
+++ b/composer.lock
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "death-notifier",
-    "version": "0.17.1", "_comment_version": "Also update version in `composer.json`!",
+    "version": "0.17.2", "_comment_version": "Also update version in `composer.json`!",
    "description": "Get notified when a famous person dies.",
    "author": "Florine W. Dekker",
    "browser": "dist/bundle.js",
--- a/src/main/php/com/fwdekker/deathnotifier/user/ResetPasswordAction.php
+++ b/src/main/php/com/fwdekker/deathnotifier/user/ResetPasswordAction.php
@ -9,6 +9,9 @@ use com\fwdekker\deathnotifier\mailer\Email;
 use com\fwdekker\deathnotifier\mailer\EmailQueue;
 use com\fwdekker\deathnotifier\validator\HasStringLengthRule;
 use com\fwdekker\deathnotifier\validator\InvalidInputException;
+use com\fwdekker\deathnotifier\validator\IsEmailRule;
+use com\fwdekker\deathnotifier\validator\IsStringRule;
+use com\fwdekker\deathnotifier\validator\IsValidCsrfTokenRule;
 use com\fwdekker\deathnotifier\validator\RuleSet;


@ -54,17 +57,22 @@ class ResetPasswordAction extends Action
     * @throws InvalidInputException if no valid CSRF token is present, if no account with the given email address
     * exists, if the password is too short or too long, if the reset token is invalid, or if the reset token has
     * expired
-     * @see ValidatePasswordResetTokenAction::handle()
     */
    public function handle(array $inputs): mixed
    {
        (new RuleSet([
-            "password" => [new HasStringLengthRule(UserList::MIN_PASSWORD_LENGTH, UserList::MAX_PASSWORD_LENGTH)]
+            "token" => [new IsValidCsrfTokenRule()],
+            "email" => [new IsEmailRule()],
+            "password" => [new HasStringLengthRule(UserList::MIN_PASSWORD_LENGTH, UserList::MAX_PASSWORD_LENGTH)],
+            "reset_token" => [new IsStringRule()],
        ]))->check($inputs);

        $this->user_list->transaction(function () use ($inputs) {
-            // TODO: Extract the shared functionality cleanly
-            (new ValidatePasswordResetTokenAction($this->user_list))->handle($inputs);
+            ValidatePasswordResetTokenAction::validate_token(
+                $this->user_list,
+                $inputs["email"],
+                $inputs["reset_token"]
+            );

            $user_data = $this->user_list->get_user_by_email($inputs["email"]);
            if ($user_data === null)
--- a/src/main/php/com/fwdekker/deathnotifier/user/ValidatePasswordResetTokenAction.php
+++ b/src/main/php/com/fwdekker/deathnotifier/user/ValidatePasswordResetTokenAction.php
@ -52,10 +52,26 @@ class ValidatePasswordResetTokenAction extends Action
            "reset_token" => [new IsStringRule()],
        ]))->check($inputs);

-        $user_data = $this->user_list->get_user_by_email($inputs["email"]);
+        ValidatePasswordResetTokenAction::validate_token($this->user_list, $inputs["email"], $inputs["reset_token"]);
+        return null;
+    }
+
+    /**
+     * Checks whether the given password reset token is valid.
+     *
+     * @param UserList $user_list the list to validate the password reset token in
+     * @param string $email the email address to validate the password reset token of
+     * @param string $reset_token the password reset token to validate
+     * @return void
+     * @throws InvalidInputException if no account with the given email address exists, if the reset token is invalid,
+     * or if the reset token has expired
+     */
+    public static function validate_token(UserList $user_list, string $email, string $reset_token): void
+    {
+        $user_data = $user_list->get_user_by_email($email);
        if ($user_data === null)
            throw new InvalidInputException("No user with that email address has been registered.");
-        if ($inputs["reset_token"] !== $user_data["password_reset_token"])
+        if ($reset_token !== $user_data["password_reset_token"])
            // TODO: Just tell the user why the link is invalid: Because no request exists, or because the token is wrong
            // TODO: Also, tell the user what they can do to resolve this
            throw new InvalidInputException(
@ -72,7 +88,5 @@ class ValidatePasswordResetTokenAction extends Action
                `"Forgot password?" button to request a new password reset link.`
            );
        }
-
-        return null;
    }
 }