xref: /webtrees/app/Http/RequestHandlers/PasswordRequestAction.php (revision d97083fe315dad9b7d0a150d4fb5f563e57d1869) 
1a00bcc63SGreg Roach<?php
23976b470SGreg Roach
3a00bcc63SGreg Roach/**
4a00bcc63SGreg Roach * webtrees: online genealogy
589f7189bSGreg Roach * Copyright (C) 2021 webtrees development team
6a00bcc63SGreg Roach * This program is free software: you can redistribute it and/or modify
7a00bcc63SGreg Roach * it under the terms of the GNU General Public License as published by
8a00bcc63SGreg Roach * the Free Software Foundation, either version 3 of the License, or
9a00bcc63SGreg Roach * (at your option) any later version.
10a00bcc63SGreg Roach * This program is distributed in the hope that it will be useful,
11a00bcc63SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of
12a00bcc63SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13a00bcc63SGreg Roach * GNU General Public License for more details.
14a00bcc63SGreg Roach * You should have received a copy of the GNU General Public License
1589f7189bSGreg Roach * along with this program. If not, see <https://www.gnu.org/licenses/>.
16a00bcc63SGreg Roach */
17fcfa147eSGreg Roach
18a00bcc63SGreg Roachdeclare(strict_types=1);
19a00bcc63SGreg Roach
20a00bcc63SGreg Roachnamespace Fisharebest\Webtrees\Http\RequestHandlers;
21a00bcc63SGreg Roach
22a00bcc63SGreg Roachuse Fig\Http\Message\StatusCodeInterface;
23a00bcc63SGreg Roachuse Fisharebest\Webtrees\FlashMessages;
24a00bcc63SGreg Roachuse Fisharebest\Webtrees\I18N;
25a00bcc63SGreg Roachuse Fisharebest\Webtrees\Log;
26e381f98dSGreg Roachuse Fisharebest\Webtrees\Services\EmailService;
279ed332c7SGreg Roachuse Fisharebest\Webtrees\Services\RateLimitService;
28a00bcc63SGreg Roachuse Fisharebest\Webtrees\Services\UserService;
29a00bcc63SGreg Roachuse Fisharebest\Webtrees\SiteUser;
30f917a287SGreg Roachuse Fisharebest\Webtrees\Tree;
31a00bcc63SGreg Roachuse Fisharebest\Webtrees\User;
32a00bcc63SGreg Roachuse Illuminate\Support\Str;
33a00bcc63SGreg Roachuse Psr\Http\Message\ResponseInterface;
34a00bcc63SGreg Roachuse Psr\Http\Message\ServerRequestInterface;
35a00bcc63SGreg Roachuse Psr\Http\Server\RequestHandlerInterface;
363976b470SGreg Roach
37a00bcc63SGreg Roachuse function e;
383a837642SGreg Roachuse function random_int;
39a00bcc63SGreg Roachuse function redirect;
40a00bcc63SGreg Roachuse function route;
41a00bcc63SGreg Roachuse function view;
42a00bcc63SGreg Roach
43a00bcc63SGreg Roach/**
44a00bcc63SGreg Roach * Request a new password.
45a00bcc63SGreg Roach */
4671378461SGreg Roachclass PasswordRequestAction implements RequestHandlerInterface, StatusCodeInterface
47a00bcc63SGreg Roach{
4857ab2231SGreg Roach    private const TOKEN_LENGTH = 40;
49a00bcc63SGreg Roach
50*d97083feSGreg Roach    private const TOKEN_VALIDITY_SECONDS = 3600;
51*d97083feSGreg Roach
52*d97083feSGreg Roach    private const RATE_LIMIT_REQUESTS = 5;
53*d97083feSGreg Roach
54*d97083feSGreg Roach    private const RATE_LIMIT_SECONDS = 300;
55*d97083feSGreg Roach
56c4943cffSGreg Roach    private EmailService $email_service;
57a00bcc63SGreg Roach
589ed332c7SGreg Roach    private RateLimitService $rate_limit_service;
599ed332c7SGreg Roach
60c4943cffSGreg Roach    private UserService $user_service;
61a00bcc63SGreg Roach
62a00bcc63SGreg Roach    /**
63a00bcc63SGreg Roach     * PasswordRequestForm constructor.
64a00bcc63SGreg Roach     *
65e381f98dSGreg Roach     * @param EmailService     $email_service
669ed332c7SGreg Roach     * @param RateLimitService $rate_limit_service
67a00bcc63SGreg Roach     * @param UserService      $user_service
68a00bcc63SGreg Roach     */
699ed332c7SGreg Roach    public function __construct(
709ed332c7SGreg Roach        EmailService $email_service,
719ed332c7SGreg Roach        RateLimitService $rate_limit_service,
729ed332c7SGreg Roach        UserService $user_service
739ed332c7SGreg Roach    ) {
74e381f98dSGreg Roach        $this->email_service      = $email_service;
759ed332c7SGreg Roach        $this->rate_limit_service = $rate_limit_service;
769ed332c7SGreg Roach        $this->user_service       = $user_service;
77a00bcc63SGreg Roach    }
78a00bcc63SGreg Roach
79a00bcc63SGreg Roach    /**
80a00bcc63SGreg Roach     * @param ServerRequestInterface $request
81a00bcc63SGreg Roach     *
82a00bcc63SGreg Roach     * @return ResponseInterface
83a00bcc63SGreg Roach     */
84a00bcc63SGreg Roach    public function handle(ServerRequestInterface $request): ResponseInterface
85a00bcc63SGreg Roach    {
86f917a287SGreg Roach        $tree = $request->getAttribute('tree');
87f917a287SGreg Roach
88b46c87bdSGreg Roach        $params = (array) $request->getParsedBody();
89b46c87bdSGreg Roach
90b46c87bdSGreg Roach        $email = $params['email'] ?? '';
91a00bcc63SGreg Roach        $user  = $this->user_service->findByEmail($email);
92a00bcc63SGreg Roach
93a00bcc63SGreg Roach        if ($user instanceof User) {
94*d97083feSGreg Roach            $this->rate_limit_service->limitRateForUser($user, self::RATE_LIMIT_REQUESTS, self::RATE_LIMIT_SECONDS, 'rate-limit-pw-reset');
959ed332c7SGreg Roach
96a00bcc63SGreg Roach            $token  = Str::random(self::TOKEN_LENGTH);
97*d97083feSGreg Roach            $expire = (string) (time() + self::TOKEN_VALIDITY_SECONDS);
98f917a287SGreg Roach            $url    = route(PasswordResetPage::class, [
99f917a287SGreg Roach                'token' => $token,
100f917a287SGreg Roach                'tree'  => $tree instanceof Tree ? $tree->name() : null,
101f917a287SGreg Roach            ]);
102a00bcc63SGreg Roach
103a00bcc63SGreg Roach            $user->setPreference('password-token', $token);
104a00bcc63SGreg Roach            $user->setPreference('password-token-expire', $expire);
105a00bcc63SGreg Roach
106e381f98dSGreg Roach            $this->email_service->send(
107a00bcc63SGreg Roach                new SiteUser(),
108a00bcc63SGreg Roach                $user,
109a00bcc63SGreg Roach                new SiteUser(),
110a00bcc63SGreg Roach                I18N::translate('Request a new password'),
111a00bcc63SGreg Roach                view('emails/password-request-text', ['url' => $url, 'user' => $user]),
112a00bcc63SGreg Roach                view('emails/password-request-html', ['url' => $url, 'user' => $user])
113a00bcc63SGreg Roach            );
114a00bcc63SGreg Roach
115a00bcc63SGreg Roach            Log::addAuthenticationLog('Password request for user: ' . $user->userName());
1163a837642SGreg Roach        } else {
1173a837642SGreg Roach            // Email takes a few seconds to send.  An instant response would allow
1183a837642SGreg Roach            // an attacker to use the speed of the response to infer whether an account exists.
1193a837642SGreg Roach            usleep(random_int(500000, 2000000));
1203a837642SGreg Roach        }
121a00bcc63SGreg Roach
1223a837642SGreg Roach        // For security, send a success message even when we fail.
123a00bcc63SGreg Roach        $message1 = I18N::translate('A password reset link has been sent to “%s”.', e($email));
124a00bcc63SGreg Roach        $message2 = I18N::translate('This link is valid for one hour.');
125a00bcc63SGreg Roach        FlashMessages::addMessage($message1 . '<br>' . $message2, 'success');
126a00bcc63SGreg Roach
127f917a287SGreg Roach        return redirect(route(LoginPage::class, ['tree' => $tree instanceof Tree ? $tree->name() : null]));
128a00bcc63SGreg Roach    }
129a00bcc63SGreg Roach}
130