Fixed missing password.token string and checked for user existing bef…

…ore trying to reset Signed-off-by: snipe <snipe@snipe.net>
snipe · Jun 21, 2022 · 2187510 · 2187510
1 parent 8798064
commit 2187510
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 16 deletions.
diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php
@@ -73,34 +73,44 @@ public function showResetForm(Request $request, $token = null)
 
     public function reset(Request $request)
     {
+
         $messages = [
             'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
         ];
 
         $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
 
         // Check to see if the user even exists
-        $user = User::where('username', '=', $request->input('username'))->first();
-
-        $broker = $this->broker();
-        if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
-            $request->validate(
-                [
-                'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
-            ], $messages);
-        }
+        if ($user = User::where('username', '=', $request->input('username'))->first()) {
+            $broker = $this->broker();
+
+            if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
+                $request->validate(
+                    [
+                        'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
+                    ], $messages);
+            }
 
-        $response = $broker->reset(
-            $this->credentials($request), function ($user, $password) {
+            $response = $broker->reset(
+                $this->credentials($request), function ($user, $password) {
                 $this->resetPassword($user, $password);
             }
         );
 
-        return $response == \Password::PASSWORD_RESET
-            ? $this->sendResetResponse($request, $response)
-            : $this->sendResetFailedResponse($request, $response);
+            return $response == \Password::PASSWORD_RESET
+                    ? $this->sendResetResponse($request, $response)
+                    : $this->sendResetFailedResponse($request, $response);
+        }
+
+        // the user doesn't exist, so we're not really sending anything here
+        return redirect()->route('login')
+            ->withInput(['username'=> $request->input('username')])
+            ->with('success', trans('passwords.sent'));
+
     }
 
+
+
     protected function sendResetFailedResponse(Request $request, $response)
     {
         return redirect()->back()

diff --git a/resources/lang/en/passwords.php b/resources/lang/en/passwords.php
@@ -1,6 +1,7 @@
 <?php
 
 return [
-    'sent'	        => 'Success: If that email address exists in our system, a password recovery email has been sent.',
+    'sent'	        => 'If that email address exists in our system, a password recovery email has been sent.',
     'user'			=> 'No matching active user found with that email.',
+    "token"         => "This password reset token is invalid or expired.",
 ];
diff --git a/resources/lang/en/reminders.php b/resources/lang/en/reminders.php
@@ -17,7 +17,7 @@
 
     "user"     => "Username or email address is incorrect",
 
-    "token"    => "This password reset token is invalid.",
+    "token"    =>  "This password reset token is invalid or expired.",
 
     "sent" => "If a matching email address was found, a password reminder has been sent!",