Fixed missing password.token string and checked for user existing before trying to reset

Signed-off-by: snipe <snipe@snipe.net>
2024-11-10 07:34:06 -08:00 · 2022-06-21 14:15:38 -07:00 · 2022-06-21 14:15:38 -07:00 · 21875100b6
parent 87980643ea
commit 21875100b6
3 changed files with 26 additions and 15 deletions
--- a/app/Http/Controllers/Auth/ResetPasswordController.php
+++ b/app/Http/Controllers/Auth/ResetPasswordController.php
@ -73,6 +73,7 @@ class ResetPasswordController extends Controller

    public function reset(Request $request)
    {
+
        $messages = [
            'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
        ];
@ -80,27 +81,36 @@ class ResetPasswordController extends Controller
        $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());

        // Check to see if the user even exists
-        $user = User::where('username', '=', $request->input('username'))->first();
+        if ($user = User::where('username', '=', $request->input('username'))->first()) {
+            $broker = $this->broker();

-        $broker = $this->broker();
-        if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
-            $request->validate(
-                [
-                'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
-            ], $messages);
-        }
+            if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
+                $request->validate(
+                    [
+                        'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
+                    ], $messages);
+            }

-        $response = $broker->reset(
-            $this->credentials($request), function ($user, $password) {
+            $response = $broker->reset(
+                $this->credentials($request), function ($user, $password) {
                $this->resetPassword($user, $password);
            }
        );

-        return $response == \Password::PASSWORD_RESET
-            ? $this->sendResetResponse($request, $response)
-            : $this->sendResetFailedResponse($request, $response);
+            return $response == \Password::PASSWORD_RESET
+                    ? $this->sendResetResponse($request, $response)
+                    : $this->sendResetFailedResponse($request, $response);
+        }
+
+        // the user doesn't exist, so we're not really sending anything here
+        return redirect()->route('login')
+            ->withInput(['username'=> $request->input('username')])
+            ->with('success', trans('passwords.sent'));
+
    }

+
+
    protected function sendResetFailedResponse(Request $request, $response)
    {
        return redirect()->back()
--- a/resources/lang/en/passwords.php
+++ b/resources/lang/en/passwords.php
@ -1,6 +1,7 @@
 <?php

 return [
-    'sent'	        => 'Success: If that email address exists in our system, a password recovery email has been sent.',
+    'sent'	        => 'If that email address exists in our system, a password recovery email has been sent.',
    'user'			=> 'No matching active user found with that email.',
+    "token"         => "This password reset token is invalid or expired.",
 ];
--- a/resources/lang/en/reminders.php
+++ b/resources/lang/en/reminders.php
@ -17,7 +17,7 @@ return array(

    "user"     => "Username or email address is incorrect",

-    "token"    => "This password reset token is invalid.",
+    "token"    =>  "This password reset token is invalid or expired.",

    "sent" => "If a matching email address was found, a password reminder has been sent!",