src/Controller/ResetPasswordController.php line 39

Open in your IDE?
  1. <?php
  3. namespace App\Controller;
  5. use App\Entity\User;
  6. use App\Entity\UserPasswordHistory;
  7. use App\Form\ChangePasswordFormType;
  8. use App\Form\ResetPasswordRequestFormType;
  9. use App\Service\Email\Message;
  10. use App\Utils\Utitlity;
  11. use Doctrine\ORM\EntityManagerInterface;
  12. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  13. use Symfony\Component\Form\FormError;
  14. use Symfony\Component\HttpFoundation\RedirectResponse;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
  18. use Symfony\Component\Routing\Annotation\Route;
  19. use Symfony\Contracts\Translation\TranslatorInterface;
  20. use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait;
  21. use SymfonyCasts\Bundle\ResetPassword\Exception\ResetPasswordExceptionInterface;
  22. use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface;
  24. #[Route('/password')]
  25. class ResetPasswordController extends AbstractController
  26. {
  27. use ResetPasswordControllerTrait;
  29. public function __construct(
  30. private ResetPasswordHelperInterface $resetPasswordHelper,
  31. private EntityManagerInterface $entityManager
  32. ) {
  33. }
  35. /**
  36. * Display & process form to request a password reset.
  37. */
  38. #[Route('', name: 'app_forgot_password_request')]
  39. public function request(Request $request, Message $message, TranslatorInterface $translator): Response
  40. {
  41. $form = $this->createForm(ResetPasswordRequestFormType::class,null,[
  42. 'attr'=>['data-ajax' => 'false'],
  43. ]);
  44. $form->handleRequest($request);
  46. if ($form->isSubmitted() && $form->isValid()) {
  47. return $this->processSendingPasswordResetEmail(
  48. $form->get('email')->getData(),
  49. $message,
  50. $translator
  51. );
  52. }
  54. return $this->render('reset_password/request.html.twig', [
  55. 'requestForm' => $form->createView(),
  56. ]);
  57. }
  59. /**
  60. * Confirmation page after a user has requested a password reset.
  61. */
  62. #[Route('/check-email', name: 'app_check_email')]
  63. public function checkEmail(ResetPasswordHelperInterface $resetPasswordHelper): Response
  64. {
  65. // Generate a fake token if the user does not exist or someone hit this page directly.
  66. // This prevents exposing whether or not a user was found with the given email address or not
  67. if (null === ($resetToken = $this->getTokenObjectFromSession())) {
  68. $resetToken = $resetPasswordHelper->generateFakeResetToken();
  69. }
  71. return $this->render('reset_password/check_email.html.twig', [
  72. 'resetToken' => $resetToken,
  73. ]);
  74. }
  76. /**
  77. * Validates and process the reset URL that the user clicked in their email.
  78. */
  79. #[Route('/reset/{token}', name: 'app_reset_password')]
  80. public function reset(Request $request, UserPasswordHasherInterface $passwordHasher, TranslatorInterface $translator, string $token = null): Response
  81. {
  82. if ($token) {
  83. // We store the token in session and remove it from the URL, to avoid the URL being
  84. // loaded in a browser and potentially leaking the token to 3rd party JavaScript.
  85. $this->storeTokenInSession($token);
  87. return $this->redirectToRoute('app_reset_password');
  88. }
  90. $token = $this->getTokenFromSession();
  91. if (null === $token) {
  92. throw $this->createNotFoundException('No reset password token found in the URL or in the session.');
  93. }
  95. try {
  96. $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token);
  97. } catch (ResetPasswordExceptionInterface $e) {
  98. $this->addFlash('reset_password_error', sprintf(
  99. '%s - %s',
  100. $translator->trans(ResetPasswordExceptionInterface::MESSAGE_PROBLEM_VALIDATE, [], 'ResetPasswordBundle'),
  101. $translator->trans($e->getReason(), [], 'ResetPasswordBundle')
  102. ));
  104. return $this->redirectToRoute('app_forgot_password_request');
  105. }
  107. // The token is valid; allow the user to change their password.
  108. $form = $this->createForm(ChangePasswordFormType::class,null,[
  109. 'attr'=>['data-ajax' => 'false'],
  110. ]);
  111. $form->handleRequest($request);
  113. if ($form->isSubmitted() && $form->isValid()) {
  114. $plain = $form->get('plainPassword')->getData();
  116. // Prevent password reuse: check against existing history
  117. if ($user instanceof User) {
  118. foreach ($user->getPasswordHistory() as $entry) {
  119. if (password_verify($plain, $entry->getPasswordHash())) {
  120. $form->get('plainPassword')->get('first')->addError(new FormError($translator->trans('validator.password.reuse', [], 'validators')));
  122. return $this->render('reset_password/reset.html.twig', [
  123. 'resetForm' => $form->createView(),
  124. ]);
  125. }
  126. }
  127. }
  129. // A password reset token should be used only once, remove it.
  130. $this->resetPasswordHelper->removeResetRequest($token);
  132. // Encode(hash) the plain password, and set it.
  133. $encodedPassword = $passwordHasher->hashPassword(
  134. $user,
  135. $plain
  136. );
  138. $user->setPassword($encodedPassword);
  139. $user->setPasswordChangedAt(new \DateTime());
  141. // Save password into history
  142. if (class_exists(UserPasswordHistory::class)) {
  143. $history = new UserPasswordHistory();
  144. $history->setUser($user);
  145. $history->setPasswordHash($encodedPassword);
  146. $history->setCreatedAt(new \DateTime());
  147. $this->entityManager->persist($history);
  148. }
  150. $this->entityManager->flush();
  152. // The session is cleaned up after the password has been changed.
  153. $this->cleanSessionAfterReset();
  155. return $this->redirectToRoute('security_login');
  156. }
  158. return $this->render('reset_password/reset.html.twig', [
  159. 'resetForm' => $form->createView(),
  160. ]);
  161. }
  163. /**
  164. * Validates and process the reset URL that the user clicked in their email.
  165. */
  166. #[Route('/new/{user}', name: 'app_new_password')]
  167. public function new(Request $request, UserPasswordHasherInterface $passwordHasher, TranslatorInterface $translator, User $user = null): Response
  168. {
  169. $form = $this->createForm(ChangePasswordFormType::class,null,[
  170. 'attr'=>['data-ajax' => 'false'],
  171. ]);
  172. $form->handleRequest($request);
  174. if ($form->isSubmitted() && $form->isValid()) {
  175. $plain = $form->get('plainPassword')->getData();
  177. if ($user && is_object($user) && method_exists($user, 'getPasswordHistory')) {
  178. foreach ($user->getPasswordHistory() as $entry) {
  179. if (password_verify($plain, $entry->getPasswordHash())) {
  180. $form->get('plainPassword')->get('first')->addError(new FormError($translator->trans('validator.password.reuse', [], 'validators')));
  181. return $this->render('reset_password/new.html.twig', [
  182. 'resetForm' => $form->createView(),
  183. 'user' => $user
  184. ]);
  185. }
  186. }
  187. }
  189. // Encode(hash) the plain password, and set it.
  190. $encodedPassword = $passwordHasher->hashPassword(
  191. $user,
  192. $plain
  193. );
  195. $user->setPassword($encodedPassword);
  196. $user->setPasswordChangedAt(new \DateTime());
  198. // Save password into history
  199. if (class_exists(\App\Entity\UserPasswordHistory::class)) {
  200. $history = new \App\Entity\UserPasswordHistory();
  201. $history->setUser($user);
  202. $history->setPasswordHash($encodedPassword);
  203. $history->setCreatedAt(new \DateTime());
  204. $this->entityManager->persist($history);
  205. }
  207. $this->entityManager->flush();
  209. return $this->redirectToRoute('security_login');
  210. }
  212. return $this->render('reset_password/new.html.twig', [
  213. 'resetForm' => $form->createView(),
  214. 'user' => $user
  215. ]);
  216. }
  218. private function processSendingPasswordResetEmail(string $emailFormData, Message $message, TranslatorInterface $translator): RedirectResponse
  219. {
  221. $user = $this->entityManager->getRepository(User::class)->findOneBy([
  222. 'email' => $emailFormData,
  223. ]);
  225. // Do not reveal whether a user account was found or not.
  226. if (!$user) {
  227. return $this->redirectToRoute('app_check_email');
  228. }
  230. try {
  231. $resetToken = $this->resetPasswordHelper->generateResetToken($user);
  232. } catch (ResetPasswordExceptionInterface $e) {
  233. // If you want to tell the user why a reset email was not sent, uncomment
  234. // the lines below and change the redirect to 'app_forgot_password_request'.
  235. // Caution: This may reveal if a user is registered or not.
  236. //
  237. // $this->addFlash('reset_password_error', sprintf(
  238. // '%s - %s',
  239. // $translator->trans(ResetPasswordExceptionInterface::MESSAGE_PROBLEM_HANDLE, [], 'ResetPasswordBundle'),
  240. // $translator->trans($e->getReason(), [], 'ResetPasswordBundle')
  241. // ));
  242. return $this->redirectToRoute('app_check_email');
  243. }
  245. $fromAddress = Utitlity::getSenderAddressByUser($user);
  246. if ($fromAddress) {
  247. $message->setFrom($fromAddress);
  248. } else {
  249. $message->setFrom($this->getParameter('message.email.default'));
  250. }
  252. $message->setTemplate('emails/login/reset_password.html.twig');
  253. $message->setSubject($translator->trans('email.registration.subject.invite'));
  254. $message->setTo($user->getEmail());
  256. //$message->setSubject($translator->trans('email.resetPassword.subject'));
  258. $message->send(['resetToken'=>$resetToken,'user'=>$user]);
  260. // Store the token object in session for retrieval in check-email route.
  261. $this->setTokenObjectInSession($resetToken);
  263. return $this->redirectToRoute('app_check_email');
  264. }
  265. }