xref: /webtrees/app/Http/RequestHandlers/PasswordRequestAction.php (revision e93a8df2f8d797005750082cc3766c0e80799688) 
1a00bcc63SGreg Roach<?php
23976b470SGreg Roach
3a00bcc63SGreg Roach/**
4a00bcc63SGreg Roach * webtrees: online genealogy
5*d11be702SGreg Roach * Copyright (C) 2023 webtrees development team
6a00bcc63SGreg Roach * This program is free software: you can redistribute it and/or modify
7a00bcc63SGreg Roach * it under the terms of the GNU General Public License as published by
8a00bcc63SGreg Roach * the Free Software Foundation, either version 3 of the License, or
9a00bcc63SGreg Roach * (at your option) any later version.
10a00bcc63SGreg Roach * This program is distributed in the hope that it will be useful,
11a00bcc63SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of
12a00bcc63SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13a00bcc63SGreg Roach * GNU General Public License for more details.
14a00bcc63SGreg Roach * You should have received a copy of the GNU General Public License
1589f7189bSGreg Roach * along with this program. If not, see <https://www.gnu.org/licenses/>.
16a00bcc63SGreg Roach */
17fcfa147eSGreg Roach
18a00bcc63SGreg Roachdeclare(strict_types=1);
19a00bcc63SGreg Roach
20a00bcc63SGreg Roachnamespace Fisharebest\Webtrees\Http\RequestHandlers;
21a00bcc63SGreg Roach
22a00bcc63SGreg Roachuse Fig\Http\Message\StatusCodeInterface;
23a00bcc63SGreg Roachuse Fisharebest\Webtrees\FlashMessages;
24a00bcc63SGreg Roachuse Fisharebest\Webtrees\I18N;
25a00bcc63SGreg Roachuse Fisharebest\Webtrees\Log;
26e381f98dSGreg Roachuse Fisharebest\Webtrees\Services\EmailService;
279ed332c7SGreg Roachuse Fisharebest\Webtrees\Services\RateLimitService;
28a00bcc63SGreg Roachuse Fisharebest\Webtrees\Services\UserService;
29a00bcc63SGreg Roachuse Fisharebest\Webtrees\SiteUser;
30f917a287SGreg Roachuse Fisharebest\Webtrees\Tree;
31a00bcc63SGreg Roachuse Fisharebest\Webtrees\User;
32b55cbc6bSGreg Roachuse Fisharebest\Webtrees\Validator;
33a00bcc63SGreg Roachuse Illuminate\Support\Str;
34a00bcc63SGreg Roachuse Psr\Http\Message\ResponseInterface;
35a00bcc63SGreg Roachuse Psr\Http\Message\ServerRequestInterface;
36a00bcc63SGreg Roachuse Psr\Http\Server\RequestHandlerInterface;
373976b470SGreg Roach
38a00bcc63SGreg Roachuse function e;
393a837642SGreg Roachuse function random_int;
40a00bcc63SGreg Roachuse function redirect;
41a00bcc63SGreg Roachuse function route;
42a00bcc63SGreg Roachuse function view;
43a00bcc63SGreg Roach
44a00bcc63SGreg Roach/**
45a00bcc63SGreg Roach * Request a new password.
46a00bcc63SGreg Roach */
4771378461SGreg Roachclass PasswordRequestAction implements RequestHandlerInterface, StatusCodeInterface
48a00bcc63SGreg Roach{
4957ab2231SGreg Roach    private const TOKEN_LENGTH = 40;
50a00bcc63SGreg Roach
51d97083feSGreg Roach    private const TOKEN_VALIDITY_SECONDS = 3600;
52d97083feSGreg Roach
53d97083feSGreg Roach    private const RATE_LIMIT_REQUESTS = 5;
54d97083feSGreg Roach
55d97083feSGreg Roach    private const RATE_LIMIT_SECONDS = 300;
56d97083feSGreg Roach
57c4943cffSGreg Roach    private EmailService $email_service;
58a00bcc63SGreg Roach
599ed332c7SGreg Roach    private RateLimitService $rate_limit_service;
609ed332c7SGreg Roach
61c4943cffSGreg Roach    private UserService $user_service;
62a00bcc63SGreg Roach
63a00bcc63SGreg Roach    /**
64e381f98dSGreg Roach     * @param EmailService     $email_service
659ed332c7SGreg Roach     * @param RateLimitService $rate_limit_service
66a00bcc63SGreg Roach     * @param UserService      $user_service
67a00bcc63SGreg Roach     */
689ed332c7SGreg Roach    public function __construct(
699ed332c7SGreg Roach        EmailService $email_service,
709ed332c7SGreg Roach        RateLimitService $rate_limit_service,
719ed332c7SGreg Roach        UserService $user_service
729ed332c7SGreg Roach    ) {
73e381f98dSGreg Roach        $this->email_service      = $email_service;
749ed332c7SGreg Roach        $this->rate_limit_service = $rate_limit_service;
759ed332c7SGreg Roach        $this->user_service       = $user_service;
76a00bcc63SGreg Roach    }
77a00bcc63SGreg Roach
78a00bcc63SGreg Roach    /**
79a00bcc63SGreg Roach     * @param ServerRequestInterface $request
80a00bcc63SGreg Roach     *
81a00bcc63SGreg Roach     * @return ResponseInterface
82a00bcc63SGreg Roach     */
83a00bcc63SGreg Roach    public function handle(ServerRequestInterface $request): ResponseInterface
84a00bcc63SGreg Roach    {
85b55cbc6bSGreg Roach        $tree  = Validator::attributes($request)->treeOptional();
86748dbe15SGreg Roach        $email = Validator::parsedBody($request)->string('email');
87a00bcc63SGreg Roach        $user  = $this->user_service->findByEmail($email);
88a00bcc63SGreg Roach
89a00bcc63SGreg Roach        if ($user instanceof User) {
90d97083feSGreg Roach            $this->rate_limit_service->limitRateForUser($user, self::RATE_LIMIT_REQUESTS, self::RATE_LIMIT_SECONDS, 'rate-limit-pw-reset');
919ed332c7SGreg Roach
92a00bcc63SGreg Roach            $token  = Str::random(self::TOKEN_LENGTH);
93d97083feSGreg Roach            $expire = (string) (time() + self::TOKEN_VALIDITY_SECONDS);
94f917a287SGreg Roach            $url    = route(PasswordResetPage::class, [
95f917a287SGreg Roach                'token' => $token,
9681bf3221SGreg Roach                'tree'  => $tree?->name(),
97f917a287SGreg Roach            ]);
98a00bcc63SGreg Roach
99a00bcc63SGreg Roach            $user->setPreference('password-token', $token);
100a00bcc63SGreg Roach            $user->setPreference('password-token-expire', $expire);
101a00bcc63SGreg Roach
102e381f98dSGreg Roach            $this->email_service->send(
103a00bcc63SGreg Roach                new SiteUser(),
104a00bcc63SGreg Roach                $user,
105a00bcc63SGreg Roach                new SiteUser(),
106a00bcc63SGreg Roach                I18N::translate('Request a new password'),
107a00bcc63SGreg Roach                view('emails/password-request-text', ['url' => $url, 'user' => $user]),
108a00bcc63SGreg Roach                view('emails/password-request-html', ['url' => $url, 'user' => $user])
109a00bcc63SGreg Roach            );
110a00bcc63SGreg Roach
111a00bcc63SGreg Roach            Log::addAuthenticationLog('Password request for user: ' . $user->userName());
1123a837642SGreg Roach        } else {
1133a837642SGreg Roach            // Email takes a few seconds to send.  An instant response would allow
1143a837642SGreg Roach            // an attacker to use the speed of the response to infer whether an account exists.
1153a837642SGreg Roach            usleep(random_int(500000, 2000000));
1163a837642SGreg Roach        }
117a00bcc63SGreg Roach
1183a837642SGreg Roach        // For security, send a success message even when we fail.
119a00bcc63SGreg Roach        $message1 = I18N::translate('A password reset link has been sent to “%s”.', e($email));
120a00bcc63SGreg Roach        $message2 = I18N::translate('This link is valid for one hour.');
121a00bcc63SGreg Roach        FlashMessages::addMessage($message1 . '<br>' . $message2, 'success');
122a00bcc63SGreg Roach
12381bf3221SGreg Roach        return redirect(route(LoginPage::class, ['tree' => $tree?->name()]));
124a00bcc63SGreg Roach    }
125a00bcc63SGreg Roach}
126