Added password reset token expiration

b8235c71 · Alexander Makarov · 3b95aa9c · b8235c71 · b8235c71 · b8235c71
Commit b8235c71 authored Feb 05, 2014 by Alexander Makarov
4 changed files
--- a/apps/advanced/common/models/User.php
+++ b/apps/advanced/common/models/User.php
@@ -67,7 +67,7 @@ class User extends ActiveRecord implements IdentityInterface
 	 * Finds user by username
 	 *
 	 * @param string $username
-	 * @return null|User
+	 * @return self
 	 */
 	public static function findByUsername($username)
 	{
@@ -75,6 +75,28 @@ class User extends ActiveRecord implements IdentityInterface
 	}
 	/**
+	 * Finds user by password reset token
+	 *
+	 * @param string $token password reset token
+	 * @return self
+	 */
+	public static function findByPasswordResetToken($token)
+	{
+		$expire = \Yii::$app->getParam('user.passwordResetTokenExpire', 3600);
+		$parts = explode('_', $token);
+		$timestamp = (int)end($parts);
+		if ($timestamp + $expire < time()) {
+			// token expired
+			return null;
+		}
+		return User::find([
+			'password_reset_token' => $token,
+			'status' => User::STATUS_ACTIVE,
+		]);
+	}
+	/**
 	 * @inheritdoc
 	 */
 	public function getId()
@@ -124,7 +146,7 @@ class User extends ActiveRecord implements IdentityInterface
 	 */
 	public function generatePasswordResetToken()
 	{
-		$this->password_reset_token = Security::generateRandomKey();
+		$this->password_reset_token = Security::generateRandomKey() . '_' . time();
 	}
 	/**

--- a/apps/advanced/frontend/controllers/SiteController.php
+++ b/apps/advanced/frontend/controllers/SiteController.php
@@ -87,7 +87,7 @@ class SiteController extends Controller
 	public function actionContact()
 	{
 		$model = new ContactForm;
-		if ($model->load($_POST) && $model->contact(Yii::$app->params['adminEmail'])) {
+		if ($model->load($_POST) && $model->contact(Yii::$app->getParam('adminEmail'))) {
 			Yii::$app->session->setFlash('success', 'Thank you for contacting us. We will respond to you as soon as possible.');
 			return $this->refresh();
 		} else {

--- a/apps/advanced/frontend/models/PasswordResetRequestForm.php
+++ b/apps/advanced/frontend/models/PasswordResetRequestForm.php
@@ -43,7 +43,7 @@ class PasswordResetRequestForm extends Model
 		$user->generatePasswordResetToken();
 		if ($user->save()) {
 			return \Yii::$app->mail->compose('passwordResetToken', ['user' => $user])
-				->setFrom([\Yii::$app->params['supportEmail'] => \Yii::$app->name . ' robot'])
+				->setFrom([\Yii::$app->getParam('supportEmail') => \Yii::$app->name . ' robot'])
 				->setTo($this->email)
 				->setSubject('Password reset for ' . \Yii::$app->name)
 				->send();

--- a/apps/advanced/frontend/models/ResetPasswordForm.php
+++ b/apps/advanced/frontend/models/ResetPasswordForm.php
@@ -30,10 +30,7 @@ class ResetPasswordForm extends Model
 		if (empty($token) || !is_string($token)) {
 			throw new InvalidParamException('Password reset token cannot be blank.');
 		}
-		$this->_user = User::find([
+		$this->_user = User::findByPasswordResetToken($token);
-			'password_reset_token' => $token,
-			'status' => User::STATUS_ACTIVE,
-		]);
 		if (!$this->_user) {
 			throw new InvalidParamException('Wrong password reset token.');
 		}