MAPG-142 limit password reset query if the existing is not expired

2020-07-05 13:23:53 +02:00 · 2020-07-05 13:23:53 +02:00 · dd6bb5ef9a
commit dd6bb5ef9a
parent 37094e552b
1 changed files with 18 additions and 0 deletions
--- a/src/Controller/LoginController.php
+++ b/src/Controller/LoginController.php
@ -468,6 +468,16 @@ class LoginController
            ]);
        }

+        $existingResetter = $this->userPasswordResetterRepository->getByUser($user);
+
+        if ($existingResetter !== null && $existingResetter->getExpiresDate() > new DateTime()) {
+            return new JsonContent([
+                'error' => [
+                    'errorText' => 'Password reset was recently requested for this account. Please check your email, or try again later!'
+                ]
+            ]);
+        }
+
        $token = bin2hex(random_bytes(16));
        $expires = new DateTime('+1 hour');

@ -476,8 +486,16 @@ class LoginController
        $passwordResetter->setToken($token);
        $passwordResetter->setExpiresDate($expires);

+        \Container::$dbConnection->startTransaction();
+
+        if ($existingResetter !== null) {
+            $this->pdm->deleteFromDb($existingResetter);
+        }
+
        $this->pdm->saveToDb($passwordResetter);

+        \Container::$dbConnection->commit();
+
        $this->sendPasswordResetEmail($user->getEmail(), $token, $expires);

        return new JsonContent(['success' => true]);