From 21875100b6552e43965484fdce7aaafb133ee51c Mon Sep 17 00:00:00 2001
From: snipe
Date: Tue, 21 Jun 2022 14:15:38 -0700
Subject: [PATCH] Fixed missing password.token string and checked for user existing before trying to reset
Signed-off-by: snipe
---
 .../Auth/ResetPasswordController.php | 38 ++++++++++++-------
 resources/lang/en/passwords.php | 3 +-
 resources/lang/en/reminders.php | 2 +-
 3 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php
index 95700e2992bc..99c1580c1029 100644
--- a/app/Http/Controllers/Auth/ResetPasswordController.php
+++ b/app/Http/Controllers/Auth/ResetPasswordController.php
@@ -73,6 +73,7 @@ public function showResetForm(Request $request, $token = null)
 public function reset(Request $request)
 {
+
 $messages = [
 'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
 ];
@@ -80,27 +81,36 @@ public function reset(Request $request)
 $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
 // Check to see if the user even exists
- $user = User::where('username', '=', $request->input('username'))->first();
-
- $broker = $this->broker();
- if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
- $request->validate(
- [
- 'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
- ], $messages);
- }
+ if ($user = User::where('username', '=', $request->input('username'))->first()) {
+ $broker = $this->broker();
+
+ if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
+ $request->validate(
+ [
+ 'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
+ ], $messages);
+ }
- $response = $broker->reset(
- $this->credentials($request), function ($user, $password) {
+ $response = $broker->reset(
+ $this->credentials($request), function ($user, $password) {
 $this->resetPassword($user, $password);
 }
 );
- return $response == \Password::PASSWORD_RESET
- ? $this->sendResetResponse($request, $response)
- : $this->sendResetFailedResponse($request, $response);
+ return $response == \Password::PASSWORD_RESET
+ ? $this->sendResetResponse($request, $response)
+ : $this->sendResetFailedResponse($request, $response);
+ }
+
+ // the user doesn't exist, so we're not really sending anything here
+ return redirect()->route('login')
+ ->withInput(['username'=> $request->input('username')])
+ ->with('success', trans('passwords.sent'));
+ }
+
+ protected function sendResetFailedResponse(Request $request, $response)
 {
 return redirect()->back()
diff --git a/resources/lang/en/passwords.php b/resources/lang/en/passwords.php
index 4772940015a5..3491f37b704d 100644
--- a/resources/lang/en/passwords.php
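Review bot: The `notIn` rule on the new `'password' => 'required|notIn:["'.$user->email.'",…'` line is built by string concatenation, so the opening `[` (there is no closing `]`) stays glued to the first value and the bare e-mail address is not rejected as intended, while a first or last name containing `,` or `"` would shift how the remaining values are split; the array form `'password' => ['required', Rule::notIn([$user->email, $user->username, $user->first_name, $user->last_name])],` (with `use Illuminate\Validation\Rule;`) quotes the values for you. Separately, the new not-found branch redirects to `login` with a `passwords.sent` success flash, while an existing user with a bad token goes through `sendResetFailedResponse` to `redirect()->back()` with an error, so the response still reveals whether the username exists; if the intent of the comment is to avoid that, both outcomes should land on the same route with the same message. `reset()` begins in the previous hunk, so its opening lines and the `$messages` array are outside this one.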
+++ b/resources/lang/en/passwords.php
@@ -1,6 +1,7 @@ 'Success: If that email address exists in our system, a password recovery email has been sent.',
+ 'sent' => 'If that email address exists in our system, a password recovery email has been sent.',
 'user' => 'No matching active user found with that email.',
+ "token" => "This password reset token is invalid or expired.",
 ];
diff --git a/resources/lang/en/reminders.php b/resources/lang/en/reminders.php
index e7a476e3a2ec..0ca927a445a7 100644
--- a/resources/lang/en/reminders.php
+++ b/resources/lang/en/reminders.php
@@ -17,7 +17,7 @@ "user" => "Username or email address is incorrect",
- "token" => "This password reset token is invalid.",
+ "token" => "This password reset token is invalid or expired.",
 "sent" => "If a matching email address was found, a password reminder has been sent!",