Extend token validity on password reset page load

This avoids a race condition where the password reset token is valid at page
load time, but no longer valid at page submission time.

Author: fredden

app/code/Magento/Customer/Controller/Account/CreatePassword.php

@@ -9,6 +9,7 @@
 
 use Magento\Customer\Api\AccountManagementInterface;
 use Magento\Customer\Model\ForgotPasswordToken\ConfirmCustomerByToken;
+use Magento\Customer\Model\ForgotPasswordToken\GetCustomerByToken;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Framework\View\Result\PageFactory;
@@ -42,6 +43,11 @@ class CreatePassword extends \Magento\Customer\Controller\AbstractAccount implem
      */
     private $confirmByToken;
 
+    /**
+     * @var \Magento\Customer\Model\ForgotPasswordToken\GetCustomerByToken
+     */
+    private $getByToken;
+
     /**
      * @param \Magento\Framework\App\Action\Context $context
      * @param \Magento\Customer\Model\Session $customerSession
@@ -54,13 +60,16 @@ public function __construct(
         Session $customerSession,
         PageFactory $resultPageFactory,
         AccountManagementInterface $accountManagement,
-        ConfirmCustomerByToken $confirmByToken = null
+        ConfirmCustomerByToken $confirmByToken = null,
+        GetCustomerByToken $getByToken = null
     ) {
         $this->session = $customerSession;
         $this->resultPageFactory = $resultPageFactory;
         $this->accountManagement = $accountManagement;
         $this->confirmByToken = $confirmByToken
             ?? ObjectManager::getInstance()->get(ConfirmCustomerByToken::class);
+        $this->getByToken = $getByToken
+            ?? ObjectManager::getInstance()->get(GetCustomerByToken::class);
 
         parent::__construct($context);
     }
@@ -83,6 +92,15 @@ public function execute()
 
             $this->confirmByToken->execute($resetPasswordToken);
 
+            try {
+                // Extend token validity to avoid expiration while this form is
+                // being completed by the user.
+                $customer = $this->getByToken->execute($resetPasswordToken);
+                $this->accountManagement->changeResetPasswordLinkToken($customer, $resetPasswordToken);
+            } catch (\Exception $exception) {
+                // Intentionally ignoring failures here
+            }
+
             if ($isDirectLink) {
                 $this->session->setRpToken($resetPasswordToken);
                 $resultRedirect = $this->resultRedirectFactory->create();

app/code/Magento/User/Controller/Adminhtml/Auth/ResetPassword.php

@@ -22,6 +22,16 @@ public function execute()
         try {
             $this->_validateResetPasswordLinkToken($userId, $passwordResetToken);
 
+            try {
+                // Extend token validity to avoid expiration while this form is
+                // being completed by the user.
+                $user = $this->_userFactory->create()->load($userId);
+                $user->changeResetPasswordLinkToken($passwordResetToken);
+                $user->save();
+            } catch (\Exception $exception) {
+                // Intentionally ignoring failures here
+            }
+
             $this->_view->loadLayout();
 
             $content = $this->_view->getLayout()->getBlock('content');