Comments (4)
Ahh ok, I think I see what's going on here. It looks like your access_control rules are preventing you from reaching the /reset-password/check-email route. In short, make sure the routes in the table below are publicly accessible:
Route Name | Path | Methods | ResetPasswordController Method |
---|---|---|---|
app_forgot_password_request | /reset-password | GET/POST | Controller::request() |
app_check_email | /reset-password/check-email | GET | Controller::checkEmail() |
app_reset_password | /reset-password/reset/{token} | GET/POST | Controller::reset() |
In your security.yaml:
...
access_control:
- - { path: ^/reset-password$, roles: PUBLIC_ACCESS }
+ - { path: ^/reset-password.*$, roles: PUBLIC_ACCESS }
...
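Review bot: `^/reset-password.*$` is broader than the three routes in the table above need, since it also makes public any other path that merely begins with `/reset-password` (a hypothetical `/reset-password-admin`, say). `^/reset-password(/|$)` matches `/reset-password`, `/reset-password/check-email` and `/reset-password/reset/{token}` and nothing else. Whichever pattern is used, the entry has to stay above any catch-all such as `^/` that requires authentication, because only the first matching access_control entry is applied.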
Regex Test Results: https://regex101.com/r/xtQ5L5/1
The long version:
When a user needs to reset their password, it is safe to assume that they are not authenticated. Let's walk through the process:
1. User goes to GET /reset-password, types their email address in the form, then clicks the submit button.
2. The form is submitted to POST /reset-password. Internally, the controller attempts to get the user's email from persistence.
   - 2a) If a user is NOT found, the controller returns a redirect to /reset-password/check-email.
   - 2b) If a user IS found, the controller creates a ResetPasswordToken (stored in persistence as a ResetPasswordRequest object), creates and then sends an email containing a link to reset their password, stores a copy of the generated token in the session (this is needed in step 3), and then redirects the user to /reset-password/check-email.
3. Redirect from step 2a or 2b: GET /reset-password/check-email displays a message to the user that IF we've found your email address, go check your email; you have 1 hour (or whatever timeout is configured) to click the link in your email.
   Under the hood, step 3 checks the session for the token that was stored in step 2b. We need this token to show (in reset-password/check-email.html.twig) how long the user has to "click the link" in their email. To protect from "phishing" attacks, if a token does NOT exist in the session, we generate a fake token and display the check email page. This basically keeps someone from going to /reset-password and entering random email addresses to determine if an account exists or not. Think rainbow table attacks, etc...
4. The user clicks the link in the email -> GET /reset-password/reset/a-long-token-1234. The controller grabs the token from the URL, stores it in the session, and returns a redirect to GET /reset-password/reset. (This prevents leaking the token to 3rd party javascript.)
5. Redirected to GET /reset-password/reset. We grab the token from the session, validate the token (compare it with the ResetPasswordRequest object in persistence), then return reset-password/reset.html.twig.
6. The user fills out the form and clicks submit; the form is submitted to POST /reset-password/reset. If the form submission is "valid" we:
   - remove the ResetPasswordRequest object from persistence
   - hash the new password, set it on the User object, then persist/flush
   - clear the session of any tokens
   - redirect the user to app_main or whatever route you have defined in the controller.
As you can see this entire process was done without the user being authenticated. But, we attempt to prevent malicious behavior by using fake tokens and the like where necessary. Anywho, I hope this helps! If you're still having problems, please let us know...
Side note: I'm working on a PR for MakerBundle right now that will generate a functional test for entire process. In the meantime, I created a gist that has a rough draft of the actual test logic here -> https://gist.github.com/jrushlow/193798c452a6e135c883273277e05621
from reset-password-bundle.
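The six steps described in the comment above, modelled end to end as an added Python example. This is not the bundle's code and not the gist linked above: in-memory dicts stand in for Doctrine persistence, the PHP session and the mailer, the sample user `alice@example.com` is constructed, and two details are this example's own choices rather than anything the comment states: persistence keeps only a SHA-256 hash of the token, and the new password is hashed with PBKDF2. What it makes visible is the part that matters for enumeration resistance, namely that the check-email page is byte-for-byte identical whether or not the address exists, plus the token-in-session redirect, the one-shot consumption of the request and the session clean-up at the end.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for Doctrine persistence, the PHP session and the mailer.
LIFETIME = timedelta(hours=1)   # the "1 hour (or whatever timeout is configured)" above
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible run
USERS = {"alice@example.com": {"password_hash": None}}    # constructed sample user
RESET_REQUESTS = {}   # hashed token -> ResetPasswordRequest-like dict
OUTBOX = []           # (recipient, link) pairs "sent" by the fake mailer


def _hash_token(token: str) -> str:
    # Example's choice: persist only a hash so a database read does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, session: dict, now: datetime) -> str:
    """Step 2: POST /reset-password. Redirects to check-email whether or not the user exists."""
    if email in USERS:   # 2b
        token = secrets.token_urlsafe(32)
        RESET_REQUESTS[_hash_token(token)] = {"email": email, "expires_at": now + LIFETIME}
        session["reset_token"] = token   # needed by step 3
        session["reset_expires_at"] = now + LIFETIME
        OUTBOX.append((email, f"/reset-password/reset/{token}"))
    return "redirect:/reset-password/check-email"   # 2a and 2b end the same way


def check_email_page(session: dict, now: datetime) -> str:
    """Step 3: GET /reset-password/check-email. A fake lifetime keeps the page identical for unknown emails."""
    if "reset_expires_at" in session:
        expires_at = session["reset_expires_at"]
    else:
        expires_at = now + LIFETIME   # fake token: same lifetime, same rendering
    minutes = int((expires_at - now).total_seconds() // 60)
    return f"If an account matching your email exists, check your inbox. The link expires in {minutes} minutes."


def reset_from_link(token: str, session: dict) -> str:
    """Step 4: GET /reset-password/reset/{token}. Move the token into the session, redirect without it."""
    session["reset_token"] = token
    return "redirect:/reset-password/reset"


def validate_session_token(session: dict, now: datetime):
    """Step 5: compare the session token with the stored request; None if missing, unknown or expired."""
    token = session.get("reset_token")
    if token is None:
        return None
    req = RESET_REQUESTS.get(_hash_token(token))
    if req is None or now > req["expires_at"]:
        return None
    return req["email"]


def submit_new_password(session: dict, new_password: str, now: datetime) -> str:
    """Step 6: POST /reset-password/reset. Consume the request, store the new hash, clear the session."""
    email = validate_session_token(session, now)
    if email is None:
        return "error: invalid or expired reset token"
    del RESET_REQUESTS[_hash_token(session["reset_token"])]   # one-shot token
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    USERS[email]["password_hash"] = salt.hex() + ":" + digest.hex()
    session.pop("reset_token", None)
    session.pop("reset_expires_at", None)
    return "redirect:app_main"


def run_flow(email: str, new_password: str, now: datetime) -> dict:
    """Drive one visitor through all six steps and report what each stage produced."""
    session = {}
    request_reset(email, session, now)
    page = check_email_page(session, now)
    sent = [link for (to, link) in OUTBOX if to == email]
    if not sent:
        return {"page": page, "mail_sent": False}
    link_session = {}   # the link may be opened in a fresh browser; it must suffice on its own
    redirect = reset_from_link(sent[-1].rsplit("/", 1)[1], link_session)
    outcome = submit_new_password(link_session, new_password, now + timedelta(minutes=5))
    return {"page": page, "mail_sent": True, "redirect": redirect,
            "outcome": outcome, "session_cleared": link_session == {}}


if __name__ == "__main__":
    print(run_flow("alice@example.com", "correct horse battery staple", EXAMPLE_NOW))
    print(run_flow("nobody@example.com", "irrelevant", EXAMPLE_NOW))
```

Running it prints two results whose `page` strings are identical; only the internal `mail_sent` flag, which the visitor never sees, differs. In a real deployment the response timing would also need to be kept similar for the two branches, since sending the email takes measurable time.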
Changing this worked for me:
...
access_control:
- - { path: ^/reset-password$, roles: PUBLIC_ACCESS }
+ - { path: ^/reset-password.*$, roles: PUBLIC_ACCESS }
...
Thanks so much!!
from reset-password-bundle.
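First-match evaluation of the access_control rules, as an added Python example (not the bundle's or Symfony's code). The first two rule sets reproduce the before and after lines of the diff quoted above, each followed by a catch-all `^/` that requires full authentication; that catch-all is an assumption made here to show where the unmatched routes end up. `RULES_TIGHT` and the path `/reset-password-admin` are this example's own additions, to show that `.*` opens more than the three reset routes.

```python
import re

# Rule sets modelled on the security.yaml diff quoted in this thread. Symfony stops at
# the first rule whose path regex matches, so a catch-all placed last decides any path
# the earlier rules miss. The catch-all itself is an assumption of this example.
RULES_BEFORE = [
    (r"^/reset-password$", "PUBLIC_ACCESS"),
    (r"^/", "IS_AUTHENTICATED_FULLY"),
]
RULES_AFTER = [
    (r"^/reset-password.*$", "PUBLIC_ACCESS"),
    (r"^/", "IS_AUTHENTICATED_FULLY"),
]
# Tighter alternative (this example's suggestion): the reset prefix itself or paths below it.
RULES_TIGHT = [
    (r"^/reset-password(/|$)", "PUBLIC_ACCESS"),
    (r"^/", "IS_AUTHENTICATED_FULLY"),
]

# The routes from the table earlier in the thread, plus the redirect target from step 4.
RESET_PATHS = [
    "/reset-password",
    "/reset-password/check-email",
    "/reset-password/reset/a-long-token-1234",
    "/reset-password/reset",
]


def first_matching_rule(rules, path):
    """Return the roles of the first rule whose regex matches the path (None if none matches).

    Symfony applies the `path` option with preg_match against the request path info, so a
    pattern is only anchored where it carries ^ or $ itself; re.search mirrors that.
    """
    for pattern, roles in rules:
        if re.search(pattern, path):
            return roles
    return None


def blocked_for_anonymous(rules, paths):
    """Paths an unauthenticated visitor would be bounced from under these rules."""
    return [p for p in paths if first_matching_rule(rules, p) != "PUBLIC_ACCESS"]


def report(rules, paths):
    """Trace of which rule each path hits; useful when reviewing a security.yaml by hand."""
    return "\n".join(f"{p:45s} -> {first_matching_rule(rules, p)}" for p in paths)


if __name__ == "__main__":
    probe = RESET_PATHS + ["/reset-password-admin"]   # last entry is a hypothetical sibling route
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER), ("tight", RULES_TIGHT)):
        print(f"== {name} ==")
        print(report(rules, probe))
```

With `RULES_BEFORE`, everything except `/reset-password` itself falls through to the catch-all and is refused to an anonymous visitor, which is exactly the symptom reported in this thread. `RULES_AFTER` fixes that but also whitelists the hypothetical `/reset-password-admin`; `RULES_TIGHT` covers the reset routes only.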
Howdy @iamabhijeet2003 - can you provide a little bit of information so we can help you figure this out?
1. What do you mean by "it is registered correctly"? Does this mean that when you fill out the reset password form and click submit, a ResetPasswordRequest object is created and persisted? Or you're just not seeing any sort of error message in the UI when you submit the reset password form?
2. After checking the logs, are there any exceptions thrown before or after submitting a reset password request?
3. Does your app successfully send emails from other components? e.g. VerifyEmailBundle, notifications, etc.
4. Have you verified that the sendgrid+smtp configuration is set up correctly? See https://github.com/symfony/symfony/blob/7.0/src/Symfony/Component/Mailer/Bridge/Sendgrid/README.md
5. Is the email sent in the dev environment? In a test? In production?
6. What version of Symfony are you using?
7. Did you use bin/console make:reset-password to create the reset password functionality?
Without more information or the exact steps to reproduce the problem, it's hard to narrow down what the actual problem is. In the meantime, a couple of things to check:
- config/packages/reset_password.yaml should be similar to:
```yaml
symfonycasts_reset_password:
    request_password_repository: App\Repository\ResetPasswordRequestRepository
```
- Check out the docs for debugging mailer problems https://symfony.com/doc/current/mailer.html#development-debugging
If you do find a solution to the problem, please let us know! It could help someone else in the future. Otherwise, we look forward to hearing back from you.
from reset-password-bundle.
> What do you mean by "it is registered correctly"? Does this mean that when you fill out the reset password form and click submit - a ResetPasswordRequest object is created and persisted? Or you're just not seeing any sort of error message in the UI when you submit the reset password form?

- I mean to say that when I fill in the email form to reset the password, the token is created correctly in the database.
- The mailer is working correctly.
- The email is sent in the dev environment.
- I am using Symfony 6.
- I used this command to create the reset password: bin/console make:reset-password
But when I access the route, fill in the email and submit the request, it shows an authentication error:
This is my security.yaml file:
```yaml
security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api:
            pattern: ^/api/
            stateless: true
            provider: app_user_provider
            jwt: ~
        main:
            json_login:
                check_path: /auth
                username_path: email
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            # lazy: true
            # provider: app_user_provider
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/reset-password$, roles: PUBLIC_ACCESS }
        - { path: ^/api$, roles: PUBLIC_ACCESS } # Allows accessing the Swagger UI
        - { path: ^/auth, roles: PUBLIC_ACCESS }
        - { path: ^/api/users$, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon
```
I await your response and am available here to provide any further information.
Thanks!!
from reset-password-bundle.