1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-25 16:22:43 +01:00

Allow configuration of a minimum password length, unify password reset

interfaces

Summary:
  - We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
  - Provide a more reasonable default, and allow it to be configured.
  - We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
  - Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.

Test Plan:
  - Reset password on an account.
  - Changed password on an account.
  - Created a new account, logged in, set the password.
  - Tried to set a too-short password, got an error.

Reviewers: btrahan, jungejason, nh

Reviewed By: jungejason

CC: aran, jungejason

Maniphest Tasks: T766

Differential Revision: https://secure.phabricator.com/D1374
This commit is contained in:
epriestley 2012-01-11 20:26:38 -08:00
parent 8b3ab97d64
commit 02fb5fea89
7 changed files with 82 additions and 158 deletions

View file

@ -327,6 +327,10 @@ return array(
// information remains consistent across both systems.
'account.editable' => true,
// When users set or reset a password, it must have at least this many
// characters.
'account.minimum-password-length' => 8,
// -- Facebook ------------------------------------------------------------ //

View file

@ -642,7 +642,6 @@ phutil_register_library_map(array(
'PhabricatorRepositorySymbol' => 'applications/repository/storage/symbol',
'PhabricatorRepositoryTestCase' => 'applications/repository/storage/repository/__tests__',
'PhabricatorRepositoryType' => 'applications/repository/constants/repositorytype',
'PhabricatorResetPasswordController' => 'applications/auth/controller/resetpassword',
'PhabricatorS3FileStorageEngine' => 'applications/files/engine/s3',
'PhabricatorSQLPatchList' => 'infrastructure/setup/sql',
'PhabricatorSearchAbstractDocument' => 'applications/search/index/abstractdocument',
@ -1292,7 +1291,6 @@ phutil_register_library_map(array(
'PhabricatorRepositorySvnCommitMessageParserWorker' => 'PhabricatorRepositoryCommitMessageParserWorker',
'PhabricatorRepositorySymbol' => 'PhabricatorRepositoryDAO',
'PhabricatorRepositoryTestCase' => 'PhabricatorTestCase',
'PhabricatorResetPasswordController' => 'PhabricatorAuthController',
'PhabricatorS3FileStorageEngine' => 'PhabricatorFileStorageEngine',
'PhabricatorSearchAttachController' => 'PhabricatorSearchController',
'PhabricatorSearchBaseController' => 'PhabricatorController',

View file

@ -134,7 +134,6 @@ class AphrontDefaultApplicationConfiguration
'email/$' => 'PhabricatorEmailLoginController',
'etoken/(?P<token>\w+)/$' => 'PhabricatorEmailTokenController',
'refresh/$' => 'PhabricatorRefreshCSRFController',
'reset/$' => 'PhabricatorResetPasswordController',
'validate/$' => 'PhabricatorLoginValidateController',
),

View file

@ -81,11 +81,17 @@ class PhabricatorEmailTokenController extends PhabricatorAuthController {
$request->setCookie('phusr', $target_user->getUsername());
$request->setCookie('phsid', $session_key);
if (PhabricatorEnv::getEnvConfig('account.editable')) {
$next = '/settings/page/password/?token='.$token;
} else {
$next = '/';
}
$uri = new PhutilURI('/login/validate/');
$uri->setQueryParams(
array(
'phusr' => $target_user->getUsername(),
'next' => '/login/reset/',
'next' => $next,
));
return id(new AphrontRedirectResponse())

View file

@ -1,108 +0,0 @@
<?php
/*
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
class PhabricatorResetPasswordController extends PhabricatorAuthController {
public function processRequest() {
$request = $this->getRequest();
$user = $request->getUser();
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
return new Aphront400Response();
}
$errors = array();
$e_pass = true;
$e_confirm = true;
if ($request->isFormPost()) {
$e_pass = 'Error';
$e_confirm = 'Error';
$pass = $request->getStr('password');
$confirm = $request->getStr('confirm');
if (strlen($pass) < 3) {
$errors[] = 'That password is ridiculously short.';
}
if ($pass !== $confirm) {
$errors[] = "Passwords do not match.";
}
if (!$errors) {
// The CSRF token depends on the user's password hash. When we change
// it, we cause the CSRF check to fail. We don't need to do a CSRF
// check here because we've already performed one in the isFormPost()
// call earlier.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$user->setPassword($pass);
$user->save();
unset($unguarded);
return id(new AphrontRedirectResponse())
->setURI('/');
}
}
if ($errors) {
$error_view = new AphrontErrorView();
$error_view->setTitle('Password Reset Failed');
$error_view->setErrors($errors);
} else {
$error_view = null;
}
$form = new AphrontFormView();
$form
->setUser($user)
->setAction('/login/reset/')
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('New Password')
->setName('password')
->setError($e_pass))
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('Confirm Password')
->setName('confirm')
->setError($e_confirm))
->appendChild(
id(new AphrontFormSubmitControl())
->setValue('Reset Password')
->addCancelButton('/', 'Skip'));
$panel = new AphrontPanelView();
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
$panel->setHeader('Reset Password');
$panel->appendChild($form);
return $this->buildStandardPageResponse(
array(
$error_view,
$panel,
),
array(
'title' => 'Reset Password',
));
}
}

View file

@ -1,23 +0,0 @@
<?php
/**
* This file is automatically generated. Lint this module to rebuild it.
* @generated
*/
phutil_require_module('phabricator', 'aphront/response/400');
phutil_require_module('phabricator', 'aphront/response/redirect');
phutil_require_module('phabricator', 'aphront/writeguard');
phutil_require_module('phabricator', 'applications/auth/controller/base');
phutil_require_module('phabricator', 'infrastructure/env');
phutil_require_module('phabricator', 'view/form/base');
phutil_require_module('phabricator', 'view/form/control/password');
phutil_require_module('phabricator', 'view/form/control/submit');
phutil_require_module('phabricator', 'view/form/error');
phutil_require_module('phabricator', 'view/layout/panel');
phutil_require_module('phutil', 'utils');
phutil_require_source('PhabricatorResetPasswordController.php');

View file

@ -32,31 +32,65 @@ class PhabricatorUserPasswordSettingsPanelController
return new Aphront400Response();
}
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
$min_len = (int)$min_len;
// NOTE: To change your password, you need to prove you own the account,
// either by providing the old password or by carrying a token to
// the workflow from a password reset email.
$token = $request->getStr('token');
if ($token) {
$valid_token = $user->validateEmailToken($token);
} else {
$valid_token = false;
}
$e_old = true;
$e_new = true;
$e_conf = true;
$errors = array();
if ($request->isFormPost()) {
if ($user->comparePassword($request->getStr('old_pw'))) {
$pass = $request->getStr('new_pw');
$conf = $request->getStr('conf_pw');
if ($pass === $conf) {
if (strlen($pass)) {
$user->setPassword($pass);
// This write is unguarded because the CSRF token has already
// been checked in the call to $request->isFormPost() and
// the CSRF token depends on the password hash, so when it
// is changed here the CSRF token check will fail.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$user->save();
unset($unguarded);
return id(new AphrontRedirectResponse())
->setURI('/settings/page/password/?saved=true');
} else {
$errors[] = 'Your new password is too short.';
}
} else {
$errors[] = 'New password and confirmation do not match.';
if (!$valid_token) {
if (!$user->comparePassword($request->getStr('old_pw'))) {
$errors[] = 'The old password you entered is incorrect.';
$e_old = 'Invalid';
}
} else {
$errors[] = 'The old password you entered is incorrect.';
}
$pass = $request->getStr('new_pw');
$conf = $request->getStr('conf_pw');
if (strlen($pass) < $min_len) {
$errors[] = 'Your new password is too short.';
$e_new = 'Too Short';
}
if ($pass !== $conf) {
$errors[] = 'New password and confirmation do not match.';
$e_conf = 'Invalid';
}
if (!$errors) {
$user->setPassword($pass);
// This write is unguarded because the CSRF token has already
// been checked in the call to $request->isFormPost() and
// the CSRF token depends on the password hash, so when it
// is changed here the CSRF token check will fail.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$user->save();
unset($unguarded);
if ($valid_token) {
// If this is a password set/reset, kick the user to the home page
// after we update their account.
$next = '/';
} else {
$next = '/settings/page/password/?saved=true';
}
return id(new AphrontRedirectResponse())->setURI($next);
}
}
@ -74,22 +108,36 @@ class PhabricatorUserPasswordSettingsPanelController
$notice->setErrors($errors);
}
$len_caption = null;
if ($min_len) {
$len_caption = 'Minimum password length: '.$min_len.' characters.';
}
$form = new AphrontFormView();
$form
->setUser($user)
->appendChild(
->addHiddenInput('token', $token);
if (!$valid_token) {
$form->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('Old Password')
->setError($e_old)
->setName('old_pw'));
}
$form
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('New Password')
->setError($e_new)
->setName('new_pw'));
$form
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('Confirm Password')
->setCaption($len_caption)
->setError($e_conf)
->setName('conf_pw'));
$form
->appendChild(