From dd6bb5ef9ae05a399486f8732ad50209b37806de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=91cze=20Bence?=
Date: Sun, 5 Jul 2020 13:23:53 +0200
Subject: [PATCH] MAPG-142 limit password reset query if the existing is not expired

---
 src/Controller/LoginController.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/Controller/LoginController.php b/src/Controller/LoginController.php
index d7f1eb5..92d7a46 100644
--- a/src/Controller/LoginController.php
+++ b/src/Controller/LoginController.php
@@ -468,6 +468,16 @@ class LoginController
 ]);
 }
 
+$existingResetter = $this->userPasswordResetterRepository->getByUser($user);
+
+if ($existingResetter !== null && $existingResetter->getExpiresDate() > new DateTime()) {
+return new JsonContent([
+'error' => [
+'errorText' => 'Password reset was recently requested for this account. Please check your email, or try again later!'
+]
+]);
+}
+
 $token = bin2hex(random_bytes(16));
 $expires = new DateTime('+1 hour');
 
@@ -476,8 +486,16 @@ class LoginController
 $passwordResetter->setToken($token);
 $passwordResetter->setExpiresDate($expires);
 
+\Container::$dbConnection->startTransaction();
+
+if ($existingResetter !== null) {
+$this->pdm->deleteFromDb($existingResetter);
+}
+
 $this->pdm->saveToDb($passwordResetter);
 
+\Container::$dbConnection->commit();
+
 $this->sendPasswordResetEmail($user->getEmail(), $token, $expires);
 
 return new JsonContent(['success' => true]);
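Review bot: The early return for a not-yet-expired resetter answers with a message distinct from the other error paths, so an unauthenticated caller can learn both that the address belongs to an account and that a reset is pending; whether the preceding branch (outside the hunk) already discloses account existence cannot be seen here. If this endpoint is meant to be enumeration-safe, keep the throttle purely server-side and answer this path with the same neutral body as the success path, `return new JsonContent(['success' => true]);`, logging the suppressed request instead of describing it to the caller. The comparison `$existingResetter->getExpiresDate() > new DateTime()` relies on both values sharing the default timezone, which the `new DateTime('+1 hour')` context line suggests is the case; a one-line why-comment would help the next reader: `// refuse a new token while the previous one is still valid (reuse window)`. The enclosing method starts and ends outside the hunk.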
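Review bot: Nothing rolls the transaction back if `deleteFromDb` or `saveToDb` throws between `startTransaction()` and `commit()`, so a failure leaves the connection inside an open transaction whose fate depends on the wrapper, and the exception propagates with the old resetter row possibly already deleted while the new one was never saved. Wrap the two writes in try/catch, roll back on any Throwable and rethrow; the rollback method of `\Container::$dbConnection` is not visible in this hunk, so it appears as a placeholder below. Separately, the `getByUser` lookup in the first hunk runs before the transaction starts, so two concurrent requests for the same user could both pass the not-expired check and both insert a resetter — if the table has no unique constraint on the user column, that is worth confirming. The enclosing method ends outside the hunk.
```php
\Container::$dbConnection->startTransaction();

try {
    if ($existingResetter !== null) {
        $this->pdm->deleteFromDb($existingResetter);
    }

    $this->pdm->saveToDb($passwordResetter);

    \Container::$dbConnection->commit();
} catch (\Throwable $e) {
    \Container::$dbConnection->ROLLBACK_METHOD_PLACEHOLDER(); // placeholder: the connection wrapper's rollback call
    throw $e;
}

// … unchanged: sendPasswordResetEmail call and success response …
```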