[reset-password] allow anyone to access check email

jrushlow · weaverryan · commit 8d9f45203937 · 2021-03-31T09:28:38.000-04:00
diff --git a/src/Maker/MakeResetPassword.php b/src/Maker/MakeResetPassword.php
@@ -32,12 +32,11 @@
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Mailer\MailerInterface;
 use Symfony\Component\Yaml\Yaml;
-use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait;
 use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestInterface;
 use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestTrait;
-use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordToken;
 use SymfonyCasts\Bundle\ResetPassword\Persistence\Repository\ResetPasswordRequestRepositoryTrait;
 use SymfonyCasts\Bundle\ResetPassword\Persistence\ResetPasswordRequestRepositoryInterface;
+use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelper;
 use SymfonyCasts\Bundle\ResetPassword\SymfonyCastsResetPasswordBundle;
 
 /**
@@ -96,12 +95,10 @@ public function configureDependencies(DependencyBuilder $dependencies): void
 
         $dependencies->addClassDependency(Annotation::class, 'annotations');
 
-        // reset-password-bundle 1.3 includes helpers to get/set a ResetPasswordToken object from the session.
-        // we need to check that version 1.3 is installed
-        if (class_exists(ResetPasswordToken::class)) {
-            if (!method_exists(ResetPasswordControllerTrait::class, 'getTokenObjectFromSession')) {
-                throw new RuntimeCommandException('Please upgrade symfonycasts/reset-password-bundle to version 1.3 or greater.');
-            }
+        // reset-password-bundle 1.6 includes the ability to generate a fake token.
+        // we need to check that version 1.6 is installed
+        if (class_exists(ResetPasswordHelper::class) && !method_exists(ResetPasswordHelper::class, 'generateFakeResetToken')) {
+            throw new RuntimeCommandException('Please run "composer upgrade symfonycasts/reset-password-bundle". Version 1.6 or greater of this bundle is required.');
         }
     }
 
diff --git a/src/Resources/skeleton/resetPassword/ResetPasswordController.tpl.php b/src/Resources/skeleton/resetPassword/ResetPasswordController.tpl.php
@@ -75,9 +75,10 @@ public function request(Request $request, MailerInterface $mailer): Response
 <?php } ?>
     public function checkEmail(): Response
     {
-        // We prevent users from directly accessing this page
+        // Generate a fake token if the user does not exist or someone hit this page directly.
+        // This prevents exposing whether or not a user was found with the given email address or not
         if (null === ($resetToken = $this->getTokenObjectFromSession())) {
-            return $this->redirectToRoute('app_forgot_password_request');
+            $resetToken = $this->resetPasswordHelper->generateFakeResetToken();
         }
 
         return $this->render('reset_password/check_email.html.twig', [
diff --git a/src/Resources/skeleton/resetPassword/twig_check_email.tpl.php b/src/Resources/skeleton/resetPassword/twig_check_email.tpl.php
@@ -4,7 +4,7 @@
 
 {% block body %}
     <p>
-        An email has been sent that contains a link that you can click to reset your password.
+        If an account matching your email exists, then an email was just sent that contains a link that you can use to reset your password.
         This link will expire in {{ resetToken.expirationMessageKey|trans(resetToken.expirationMessageData, 'ResetPasswordBundle') }}.
     </p>
     <p>If you don't receive an email please check your spam folder or <a href="{{ path('app_forgot_password_request') }}">try again</a>.</p>
diff --git a/src/Resources/skeleton/resetPassword/twig_request.tpl.php b/src/Resources/skeleton/resetPassword/twig_request.tpl.php
@@ -19,4 +19,4 @@
 
         <button class="btn btn-primary">Send password reset email</button>
     {{ form_end(requestForm) }}
-{% endblock %}
+{% endblock %}
diff --git a/tests/fixtures/MakeResetPasswordFunctionalTest/tests/ResetPasswordFunctionalTest.php b/tests/fixtures/MakeResetPasswordFunctionalTest/tests/ResetPasswordFunctionalTest.php
@@ -11,23 +11,23 @@ public function testResetRequestRoute()
         $client = static::createClient();
         $client->request('GET', '/reset-password');
 
-        $this->assertSame(200, $client->getResponse()->getStatusCode());
+        self::assertSame(200, $client->getResponse()->getStatusCode());
     }
 
     public function testResetRequestRouteDeniesInvalidToken()
     {
         $client = static::createClient();
         $client->request('GET', '/reset-password/reset/badToken1234');
 
-        $this->assertSame(302, $client->getResponse()->getStatusCode());
+        self::assertSame(302, $client->getResponse()->getStatusCode());
     }
 
-    public function testCheckEmailRouteRedirectsToRequestRouteIfUserNotAllowedToCheckEmail()
+    public function testCheckEmailPageIsAlwaysAccessible()
     {
         $client = static::createClient();
         $client->request('GET', '/reset-password/check-email');
 
-        $this->assertSame(302, $client->getResponse()->getStatusCode());
-        $this->assertResponseRedirects('/reset-password');
+        self::assertResponseIsSuccessful();
+        self::assertPageTitleSame('Password Reset Email Sent');
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -75,9 +75,10 @@ public function request(Request $request, MailerInterface $mailer): Response`
`75`	`75`	`<?php } ?>`
`76`	`76`	`public function checkEmail(): Response`
`77`	`77`	`{`
`78`		`- // We prevent users from directly accessing this page`
	`78`	`+ // Generate a fake token if the user does not exist or someone hit this page directly.`
	`79`	`+ // This prevents exposing whether or not a user was found with the given email address or not`
`79`	`80`	`if (null === ($resetToken = $this->getTokenObjectFromSession())) {`
`80`		`- return $this->redirectToRoute('app_forgot_password_request');`
	`81`	`+ $resetToken = $this->resetPasswordHelper->generateFakeResetToken();`
`81`	`82`	`}`
`82`	`83`
`83`	`84`	`return $this->render('reset_password/check_email.html.twig', [`
Original file line number	Diff line number	Diff line change
`@@ -11,23 +11,23 @@ public function testResetRequestRoute()`
`11`	`11`	`$client = static::createClient();`
`12`	`12`	`$client->request('GET', '/reset-password');`
`13`	`13`
`14`		`- $this->assertSame(200, $client->getResponse()->getStatusCode());`
	`14`	`+ self::assertSame(200, $client->getResponse()->getStatusCode());`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`public function testResetRequestRouteDeniesInvalidToken()`
`18`	`18`	`{`
`19`	`19`	`$client = static::createClient();`
`20`	`20`	`$client->request('GET', '/reset-password/reset/badToken1234');`
`21`	`21`
`22`		`- $this->assertSame(302, $client->getResponse()->getStatusCode());`
	`22`	`+ self::assertSame(302, $client->getResponse()->getStatusCode());`
`23`	`23`	`}`
`24`	`24`
`25`		`- public function testCheckEmailRouteRedirectsToRequestRouteIfUserNotAllowedToCheckEmail()`
	`25`	`+ public function testCheckEmailPageIsAlwaysAccessible()`
`26`	`26`	`{`
`27`	`27`	`$client = static::createClient();`
`28`	`28`	`$client->request('GET', '/reset-password/check-email');`
`29`	`29`
`30`		`- $this->assertSame(302, $client->getResponse()->getStatusCode());`
`31`		`- $this->assertResponseRedirects('/reset-password');`
	`30`	`+ self::assertResponseIsSuccessful();`
	`31`	`+ self::assertPageTitleSame('Password Reset Email Sent');`
`32`	`32`	`}`
`33`	`33`	`}`