snipe-it/app/Http/Controllers/Auth/ResetPasswordController.php

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\Setting;
use App\Models\User;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Illuminate\Http\Request;


class ResetPasswordController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Password Reset Controller
    |--------------------------------------------------------------------------
    |
    | This controller is responsible for handling password reset requests
    | and uses a simple trait to include this behavior. You're free to
    | explore this trait and override any methods you wish to tweak.
    |
    */

    use ResetsPasswords;

    /**
     * Where to redirect users after resetting their password.
     *
     * @var string
     */
    protected $redirectTo = '/';

    protected $username = 'username';

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest');
    }

    protected function rules()
    {
        return [
            'token' => 'required',
            'username' => 'required',
            'password' => 'confirmed|'.Setting::passwordComplexityRulesSaving('store'),
        ];
    }

    protected function credentials(Request $request)
    {
        return $request->only(
            'username', 'password', 'password_confirmation', 'token'
        );
    }

    public function showResetForm(Request $request, $token = null)
    {
        return view('auth.passwords.reset')->with(
            [
                'token' => $token,
                'username' => $request->input('username'),
            ]
        );
    }

    public function reset(Request $request)
    {

        $broker = $this->broker();

        $messages = [
            'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
        ];

        $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());

        \Log::debug('Checking if '.$request->input('username').' exists');
        // Check to see if the user even exists - we'll treat the response the same to prevent user sniffing
        if ($user = User::where('username', '=', $request->input('username'))->whereNotNull('email')->first()) {
            \Log::debug($user->username.' exists');

            // handle the password validation rules set by the admin settings
            if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
                $request->validate(
                    [
                        'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
                    ], $messages);
            }

            // set the response
            \Log::debug('Setting the broker and resetting the password');
            $response = $broker->reset(
                $this->credentials($request), function ($user, $password) {
                $this->resetPassword($user, $password);
            });

            // Check if the password reset above actually worked
            if ($response == \Password::PASSWORD_RESET) {
                \Log::debug('Password reset for '.$user->username.' worked');
                return redirect('/')->with('success', trans('passwords.reset'));
            }

            \Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');
            return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));

        }

        \Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');
        return redirect()->route('login')->with('success', trans('passwords.sent'));

    }


}
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`<?php`

			`namespace App\Http\Controllers\Auth;`

			`use App\Http\Controllers\Controller;`
Use password security settings on password reset 2020-10-08 18:43:39 -07:00			`use App\Models\Setting;`
Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00			`use App\Models\User;`
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`use Illuminate\Foundation\Auth\ResetsPasswords;`
Honor active status for forgotten password request forms 2018-08-14 20:05:57 -07:00			`use Illuminate\Http\Request;`
Removed unused rules Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:26 -07:00
Honor active status for forgotten password request forms 2018-08-14 20:05:57 -07:00
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`class ResetPasswordController extends Controller`
			`{`
			`/*`
			`\|--------------------------------------------------------------------------`
			`\| Password Reset Controller`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| This controller is responsible for handling password reset requests`
			`\| and uses a simple trait to include this behavior. You're free to`
			`\| explore this trait and override any methods you wish to tweak.`
			`\|`
			`*/`

			`use ResetsPasswords;`

			`/**`
			`* Where to redirect users after resetting their password.`
			`*`
			`* @var string`
			`*/`
Fix redirect default on password reset 2017-09-27 16:23:21 -07:00			`protected $redirectTo = '/';`
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00
Updated passwordComplexityRulesSaving() signature so it isn’t nullable 2020-11-02 23:58:37 -08:00			`protected $username = 'username';`

Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`/**`
			`* Create a new controller instance.`
			`*`
			`* @return void`
			`*/`
			`public function __construct()`
			`{`
			`$this->middleware('guest');`
			`}`
Use username instead of email address in password reset (#6382) * Switch to use username instead of email * Fixed indenting * Updated password language * Updated blades to reflect username instead of email * Changed password/reset controllers to use username instead of email * Redirect to login page instead of repeating the password reset form 2018-10-31 18:03:24 -07:00
			`protected function rules()`
			`{`
			`return [`
			`'token' => 'required',`
			`'username' => 'required',`
Updated passwordComplexityRulesSaving() signature so it isn’t nullable 2020-11-02 23:58:37 -08:00			`'password' => 'confirmed\|'.Setting::passwordComplexityRulesSaving('store'),`
Use username instead of email address in password reset (#6382) * Switch to use username instead of email * Fixed indenting * Updated password language * Updated blades to reflect username instead of email * Changed password/reset controllers to use username instead of email * Redirect to login page instead of repeating the password reset form 2018-10-31 18:03:24 -07:00			`];`
			`}`

			`protected function credentials(Request $request)`
			`{`
			`return $request->only(`
			`'username', 'password', 'password_confirmation', 'token'`
			`);`
			`}`
Honor active status for forgotten password request forms 2018-08-14 20:05:57 -07:00
Use username instead of email address in password reset (#6382) * Switch to use username instead of email * Fixed indenting * Updated password language * Updated blades to reflect username instead of email * Changed password/reset controllers to use username instead of email * Redirect to login page instead of repeating the password reset form 2018-10-31 18:03:24 -07:00			`public function showResetForm(Request $request, $token = null)`
			`{`
			`return view('auth.passwords.reset')->with(`
Use password security settings on password reset 2020-10-08 18:43:39 -07:00			`[`
			`'token' => $token,`
Adopt Laravel coding style Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions. You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 2021-06-10 13:15:52 -07:00			`'username' => $request->input('username'),`
Use password security settings on password reset 2020-10-08 18:43:39 -07:00			`]`
Use username instead of email address in password reset (#6382) * Switch to use username instead of email * Fixed indenting * Updated password language * Updated blades to reflect username instead of email * Changed password/reset controllers to use username instead of email * Redirect to login page instead of repeating the password reset form 2018-10-31 18:03:24 -07:00			`);`
			`}`

Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00			`public function reset(Request $request)`
			`{`
Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00			`$broker = $this->broker();`

Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00			`$messages = [`
			`'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),`
			`];`

Removed debugging 2020-11-03 11:45:19 -08:00			`$request->validate($this->rules(), $request->all(), $this->validationErrorMessages());`
Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00			`\Log::debug('Checking if '.$request->input('username').' exists');`
			`// Check to see if the user even exists - we'll treat the response the same to prevent user sniffing`
Added a few comments to make it clearer what’s happening Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:33:10 -07:00			`if ($user = User::where('username', '=', $request->input('username'))->whereNotNull('email')->first()) {`
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00			`\Log::debug($user->username.' exists');`
Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00
Added a few comments to make it clearer what’s happening Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:33:10 -07:00			`// handle the password validation rules set by the admin settings`
Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00			`if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {`
			`$request->validate(`
			`[`
			`'password' => 'required\|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',`
			`], $messages);`
			`}`
Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00			`// set the response`
			`\Log::debug('Setting the broker and resetting the password');`
Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00			`$response = $broker->reset(`
			`$this->credentials($request), function ($user, $password) {`
Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00			`$this->resetPassword($user, $password);`
Added a few comments to make it clearer what’s happening Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:33:10 -07:00			`});`
Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00			`// Check if the password reset above actually worked`
			`if ($response == \Password::PASSWORD_RESET) {`
			`\Log::debug('Password reset for '.$user->username.' worked');`
			`return redirect('/')->with('success', trans('passwords.reset'));`
			`}`

			`\Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');`
			`return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));`

Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00			`}`
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00
			`\Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');`
			`return redirect()->route('login')->with('success', trans('passwords.sent'));`
Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00
Added new password complexity rules to forgot password 2020-11-03 11:42:42 -08:00			`}`
Updated passwordComplexityRulesSaving() signature so it isn’t nullable 2020-11-02 23:58:37 -08:00
Fixed missing password.token string and checked for user existing before trying to reset Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 14:15:38 -07:00
Handle workflow better for invalid users Signed-off-by: snipe <snipe@snipe.net> 2022-06-21 16:13:43 -07:00
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`}`