I'm pretty sure the method hasUserHisThrottling() is really supposed to be hasUserHitThrottling(), right?

implement some sort of garbage collection default with option to disable. provide public methods to manually remove single/batch requests

Hello, I modified the controller. I deleted an unnecessary method and deleted a view. Can I offer my controller? I am new. I do not know how to do.

Automatic garbage collection occurs before fetching the request in ResetPasswordHelper::validateTokenAndFetchUser(). Expired requests are removed before being fetched. They never get checked to see if they are expired so a ExpiredResetPasswordTokenException will never be thrown.

I thought about doing the garbage collection after (like in try...finally) but it still doesn't fully fix the issue as garbage collection happens on generating and fetching. On a busy site, expired tokens would be cleaned up quickly.

One solution is to make the garbage collection time configurable.

WDYT?

// src/DependencyInjection/Configuration.php 
29  ->info('How long a reset password token should be valid before expiring.')
33  ->info('Length of time between non-expired reset password requests.')

Both of these descriptions need a little bit of work - this one could be clearer and both should mention that they are seconds.

Just installed this bundle for first time - thanks for saving me a job creating this logic btw - but just noticed that the link in the text version of the email is stripped out - not sure if this is an issue with this bundle or Symfony mailer as a text part doesn't seem to be supplied but thought I should highlight it either way

Hi!

To reset your password, please visit
here
This link will expire in 1 hour(s)..



Cheers!

ResetPasswordController::reset()

Create guesser and/or ask optional question to populate return $this->redirectToRoute('app_home');

• Install
• Usage
• copyright notice
• author / contributor notice

Random thoughts to touch on:
semver, bugfix / feature request / security related guidelines,

./bin/console make:reset-pass
The maker is not defined in two beta versions ?

Without a lock file, composer cache in CI doesn't always use latest builds of dependencies.

• temp. disable composer cache to use latest dev dependencies
• solution to invalidate cache without a composer.lock file

WIP

base64_encode() ideally only the public token needs to be encoded. But that may prevent any tokens to be validated.

Since this bundle supports Symfony 4.4, should it be added to the test matrix? Or maybe just --prefer-lowest

Bundle uses Symfony's Mailer component to send emails

• require symfony/mailer in composer.json
• reference in docs
• if ! exists mailer_dsn in .env - maker should create it
• add maker text reminder to set correct MAILER_DSN

cs-fixer is being implemented in PR #35. Project is under an MIT license but appropriate header for src/ files is still needed.

Bundle uses flex recipes to initiate it's config.

Either flex requirement, suggestion, or conflict should be added to composer if not covered by the framework-bundle conflict

Have optional question to populate the ->from(new Address( "email", "name" ))

the hashed token is never exposed outside of the bundle (except for storage in persistence). Is it more performant to store the token in its binary representation as a BLOB vs "natively encoded" string within the request object.

• if (empty($verifier)) { should be null === $verifier
• $verifier does not create new random string on subsequent getToken calls
• rename getToken() to createToken() to better describe the methods intent

Only affects bundle development

A few of our tests utilize the deprecated Doctrine\Common\Persistence namespace. These direct deprecation's do not appear in PHP Unit because of the current dev version constraints. Specifically doctrine/doctrine-bundle.

Update doctrine/doctrine-bundle constraint to at least 2.0.3 to allow the use of Doctrine\Persistence namespace in the tests.

Note to self:
#75 depends on this
fix ns from #93 after merge

Hello, how to modify the error messages? Some are not in the controller. thank you.

add summaries for ResetPasswordHelperInterface methods

Doctrine\DBAL\DBALException: Sqlite platform does not support alter foreign key, the table must be fully recreated using getAlterTableSQL.

This appears to be related to doctrine/dbal#3990

When adding the bundle to a fresh Symfony install, a user is unable to use the Symfony console if request_password_repository is not set with a valid repository in the bundles config file.

This prohibits a user from accessing bin/console make:* that would otherwise be used to possibly create said repository.

Hey!

I really like this bundle but I also need secure token generation for a) confirming a registration and b) changing a email. Both require a similar structure as used in this bundle. Do you think it would be cool to have some "user-token" bundle as dependency on this bundle? So we can easily scaffold other systems that require confirmation tokens?

• add trait comment

Trait can be added to a Doctrine repository to help implement ResetPasswordRequestRepositoryInterface

Hello,

Is there any way to make a POST call with some parameters like email address for password reset request or you must use the generated web template?
For example to make a request call from mobile app, instead of opening browser.

Thanks for the replies in advance.

• add comments for getPublicToken()

when installing the bundle using composer require symfonycasts/reset-password-bundle, composer also installs dev related files/folders i.e. tests/.

This is not a big deal, but those files are not needed in a production env. Or a dev env outside of the actual development on the bundle. A .gitattributes file may be the solution to ignore said files. Thoughts?

Bonjour,

J'ai le soucie comme dit dans le titre mais je ne trouve vraiment 0 réponse sur les docs ou bien même sur google .

Voila se que j'aurai du avoir :
...
php bin/console make:reset-password

created: src/Controller/ResetPasswordController.php
created: src/Entity/ResetPasswordRequest.php
created: src/Repository/ResetPasswordRequestRepository.php
updated: config/packages/reset_password.yaml
created: src/Form/ResetPasswordRequestFormType.php
created: src/Form/ChangePasswordFormType.php
created: templates/reset_password/check_email.html.twig
created: templates/reset_password/email.html.twig
created: templates/reset_password/request.html.twig
created: templates/reset_password/reset.html.twig
...

et Voila se que j'ai :
....
created: src/Controller/ResetPasswordController.php
created: src/Entity/ResetPasswordRequest.php
created: src/Repository/ResetPasswordRequestRepository.php
updated: config/packages/reset_password.yaml
created: src/Form/ResetPasswordRequestFormType.php
...
Voila voila .. merci d'avance pour vos future réponce !

Hi,
Is it possible to use this bundle with multiple entities? A User entity and an Admin entity for example.
If not, it would be a good idea of feature :)
Thank you :)

Hi there the command is not found
Command "make:reset-password" is not defined.

Bundle relies on config/packages/reset_password.yaml file to get it's configuration param's. Primarily the request_password_repositoryparam which is required for the bundle to manage requests in persistence.

• create a flex recipe to create reset_password.yaml
• submit PR for flex recipe to Flex Repo

One thing I noticed in the make-bundle implementation, is it wasn't possible to re-request a reset if there was a valid token available. This is important if sending the email fails. I believe this bundle allows for this with the request throttle time, but I just wanted to confirm.

There is a code in .html.twig to show the expire hour(s):

This link will expire in {{ tokenLifetime|date('g') }} hour(s)..

The tokenLifetime is 3600 and i expect it show as 1 hour(s) but it display as

This link will expire in 9 hour(s)..

in my email.

My requested_at and expires_at in database are

• @var int Another password reset cannot be made faster than this throttle time. use in configuration and add "seconds" reference
• rearrange constructor args
• improve generateResetToken() description..

Generates a new password reset token, persists it & returns the token that can be emailed to the user.

• refactor generateResetToken() internal variable naming

from: $tokenData = $this->tokenGenerator->getToken
to: $tokenComponents = $this->tokenGenerator->getToken

• findToken() return type does not reference possible null return value

It would be useful to let the user know when they can retry.

Relates to #102 in that this value could be added to getMessageData for TooManyPasswordRequestsException

related to actions/runner-images#981
Appears to be a problem with actions itself, not the repo.

We are using a formatted string representation of the token expiration date when encoding the data for hash_hmac(). As these tokens are encrypted one-way, $expiresAt->getTimestamp() would seem more appropriate and less complex.

Symfony's AuthenticationException has this to help with translation.

Test suite to check integration with Symfony Framework -

• Autowiring test

ResetPasswordControllerTrait::getTokenFromSession() returns string, but SessionInterface::get() returns the value of the key in the session, or a configurable value if the key is not found.

As we are not modifying the default return value of SessionInterface::get(), the correct return type for getTokenFromSession() should be ?string.

Run CI daily

Too bad github actions doesn't have an "allow failure" option for a workflow. At least we are still able to see the deprecation warnings in the job output.

I think as long as we are testing dev-master, we would start to see tests fail once the deprecated code is removed. Using a cron build trigger could help if there is a large amount of time between contributions.

Originally posted by @kbond in #87 (comment)

• require psalm as a dev dependency
• fix errors triggered by psalm
• add psalm step to actions CI

do not add psalm step in CI until bulk of errors have been fixed.. ci test failures due to static analysis may hide problems with phpunit based tests..

console:

developer@2f4c8df8a609:/var/htdocs$ bin/console reset-password:remove-expired
Removing expired reset password requests...
Garbage collection successful. Removed 0 reset password request objects.

In Command.php line 258:
                                                                                                                                                      
  Return value of "SymfonyCasts\Bundle\ResetPassword\Command\ResetPasswordRemoveExpiredCommand::execute()" must be of the type int, "NULL" returned.

mariadb:

MariaDB [reset-password-app-test-2]> select * from reset_password_request;
+----+---------+----------------------+----------------------------------------------+---------------------+---------------------+
| id | user_id | selector             | hashed_token                                 | requested_at        | expires_at          |
+----+---------+----------------------+----------------------------------------------+---------------------+---------------------+
|  1 |       1 | k71rLHlzaCMLklIX26Tm | g65btmYbs3jrf2S7zbyvFds4CPTo8UAs+MGSy9P+xyk= | 2020-04-04 22:08:52 | 2020-04-04 23:08:52 |

config:

symfonycasts_reset_password:
    request_password_repository: App\Repository\ResetPasswordRequestRepository
    throttle_limit: 0

Since symfony/config 5.1: The signature of method "Symfony\Component\Config\Definition\Builder\NodeDefinition::setDeprecated()" requires 3 arguments: "string $package, string $version, string $message", not defining them is deprecated.

Functional Test: 16x in ResetPasswordRequestRepositoryTest::setUp from SymfonyCasts\Bundle\ResetPassword\Tests\FunctionalTests\Persistence

Integration Test: 2x in ResetPasswordInterfaceAutowireTest::testResetPasswordInterfaceIsAutowiredByContainer from SymfonyCasts\Bundle\ResetPassword\Tests\IntegrationTests

Functional test suite will be somewhat limited as the Unit & Integration tests will cover the bulk of the bundle. However, the following deserve special attention:

• ResetPasswordRequestRepositoryTrait

Is there an issue with the typehints in this?

In the generated ResetPasswordController.php there's this:

try {
    $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token);
} catch (ResetPasswordExceptionInterface $e) {
    $this->addFlash('reset_password_error', sprintf(
        'There was a problem validating your reset request - %s',
        $e->getReason()
    ));

    return $this->redirectToRoute('app_forgot_password_request');
}

then a little further down:

// Encode the plain password, and set it.
$encodedPassword = $passwordEncoder->encodePassword(
    $user,
    $form->get('plainPassword')->getData()
);

PHPStorm complains "Expected UserInterface, got object", and something like PHPStan says:

 ------ -----------------------------------------------------------------------------------------------------------------------------
  Line   Controller/ResetPasswordController.php
 ------ -----------------------------------------------------------------------------------------------------------------------------
  119    Parameter #1 $user of method Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface::encodePassword() expects
         Symfony\Component\Security\Core\User\UserInterface, object given.

Things still work fine but should these be corrected?