[Bug]: Limit password length (#445)
* Limit password length.

* fix typo.
martineiber authored Mar 29, 2023
1 parent 52da3c7 commit e716155
Showing 5 changed files with 79 additions and 11 deletions.
37 changes: 27 additions & 10 deletions src/Controller/AccountController.php
Expand Up @@ -17,6 +17,7 @@

use App\EventListener\AuthenticationLoginListener;
use App\Form\LoginFormType;
use App\Form\PasswordMaxLengthTrait;
use App\Form\RegistrationFormHandler;
use App\Form\RegistrationFormType;
use App\Model\Customer;
Expand Down Expand Up @@ -54,6 +55,7 @@
*/
class AccountController extends BaseController
{
use PasswordMaxLengthTrait;
/**
* @Route("/account/login", name="account-login")
*
Expand Down Expand Up @@ -213,6 +215,10 @@ public function registerAction(
$customer->setActive(true);

try {
if(!$hidePassword) {
$this->checkPassword($form->getData()['password']);
}

$customer->save();

if ($form->getData()['newsletter']) {
Expand Down Expand Up @@ -509,24 +515,35 @@ public function resetPasswordAction(Request $request, PasswordRecoveryService $s
{
$token = $request->get('token');
$customer = $service->getCustomerByToken($token);
if (!$customer) {
//TODO render error page
throw new NotFoundHttpException('Invalid token');
}
$error = null;
try {
if (!$customer) {
throw new NotFoundHttpException('Invalid token');
}

if ($request->isMethod(Request::METHOD_POST)) {
$newPassword = $request->get('password');
$service->setPassword($token, $newPassword);
if ($request->isMethod(Request::METHOD_POST)) {

$this->addFlash('success', $translator->trans('account.password-reset-successful'));
$newPassword = $request->get('password');

return $this->redirectToRoute('account-login', ['no-referer-redirect' => true]);
$this->checkPassword($newPassword);

$service->setPassword($token, $newPassword);

$this->addFlash('success', $translator->trans('account.password-reset-successful'));

return $this->redirectToRoute('account-login', ['no-referer-redirect' => true]);

}

} catch (\Exception $exception) {
$error = $exception->getMessage();
}

return $this->render('account/reset_password.html.twig', [
'hideBreadcrumbs' => true,
'token' => $token,
'email' => $customer->getEmail()
'email' => $customer?->getEmail(),
'error' => $error
]);
}
}
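Review bot: The `catch (\Exception $exception)` in resetPasswordAction now also intercepts the `NotFoundHttpException('Invalid token')` that was moved inside the try, so an invalid or expired token no longer yields a 404 but a 200 page whose body is the exception's message, and the same catch forwards the message of anything `$service->setPassword()` throws straight into the `'error'` template variable. Catch only what the page is meant to display, e.g. `} catch (ValidationException $exception) {`, and keep the token check outside the try (or rethrow `HttpExceptionInterface` instances). `$request->get('password')` is null when the field is absent; with `checkPassword(string $password)` that is either a TypeError (an `\Error`, so not caught here) under strict_types or a silent coercion to '' without it, so `$newPassword = (string) $request->get('password', '');` plus an explicit empty check would make the outcome deterministic. In the registerAction hunk the condition reads `if(!$hidePassword)`; PER-CS wants `if (!$hidePassword)`. registerAction and the try/catch that would handle its `checkPassword()` exception lie outside the hunk shown.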
4 changes: 4 additions & 0 deletions src/Form/LoginFormType.php
Expand Up @@ -36,6 +36,7 @@
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\PasswordHasher\PasswordHasherInterface;

class LoginFormType extends AbstractType
{
Expand All @@ -55,6 +56,9 @@ public function buildForm(FormBuilderInterface $builder, array $options)
'label' => 'user.password',
'label_attr' => [
'class' => 'sr-only'
],
'attr' => [
'maxlength' => PasswordHasherInterface::MAX_PASSWORD_LENGTH
]
])
->add('_target_path', HiddenType::class)
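Review bot: The `maxlength` attribute added to the login password field is a browser-side hint only; a client can still post a longer value, and unlike the registration and reset paths this commit adds no server-side `checkPassword()` call on the login path. If the authenticator's hasher already rejects over-long input on verify (Symfony's built-in hashers use the same `CheckPasswordLengthTrait` the new trait wraps), a short comment next to the attr would spare the next reader the search, e.g. `// client-side hint only; the password hasher enforces MAX_PASSWORD_LENGTH on verify`. The same applies to the identical attr block in src/Form/RegistrationFormType.php, where the controller's `checkPassword()` is the server-side counterpart. buildForm starts outside the hunk.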
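--- a/src/Form/PasswordMaxLengthTrait.php
+++ b/src/Form/PasswordMaxLengthTrait.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+* Pimcore
+*
+* This source file is available under two different licenses:
+* - GNU General Public License version 3 (GPLv3)
+* - Pimcore Commercial License (PCL)
+* Full copyright and license information is available in
+* LICENSE.md which is distributed with this source code.
+*
+* @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+* @license http://www.pimcore.org/license GPLv3 and PCL
+*/
+
+
+namespace App\Form;
+
+use Pimcore\Model\Element\ValidationException;
+use Symfony\Component\PasswordHasher\Hasher\CheckPasswordLengthTrait;
+
+trait PasswordMaxLengthTrait
+{
+use CheckPasswordLengthTrait;
+
+/**
+* @throws ValidationException
+*/
+public function checkPassword(string $password): void
+{
+if ($this->isPasswordTooLong($password)) {
+throw new ValidationException("Given password is too long.");
+}
+}
+}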
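Review bot: `checkPassword()` in the new trait is public, but every caller visible in this commit is `$this->checkPassword(...)` inside the controller that uses the trait, so `protected function checkPassword(string $password): void` would keep it off the controller's public surface. The error string is not translated and does not name the limit, while the flash messages around it go through the translator; `throw new ValidationException('Given password is too long.');` at least follows the single-quote convention, and a translatable key with the limit as a parameter would serve users better. The docblock should say what "too long" means; a one-liner such as `Rejects passwords longer than the hasher's maximum (see CheckPasswordLengthTrait::isPasswordTooLong()).` would do. There is also a double blank line before the namespace declaration.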
6 changes: 5 additions & 1 deletion src/Form/RegistrationFormType.php
Expand Up @@ -38,6 +38,7 @@
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\PasswordHasher\PasswordHasherInterface;

class RegistrationFormType extends AbstractType
{
Expand All @@ -61,7 +62,10 @@ public function buildForm(FormBuilderInterface $builder, array $options)
]);
if (!$options['hidePassword']) {
$builder->add('password', PasswordType::class, [
'label' => 'general.password'
'label' => 'general.password',
'attr' => [
'maxlength' => PasswordHasherInterface::MAX_PASSWORD_LENGTH
]
]);
}

6 changes: 6 additions & 0 deletions templates/account/reset_password.html.twig
Expand Up @@ -8,6 +8,11 @@
<div class="form-signin mb-5">

<form method="post">
{% if error %}
<div class="alert alert-danger">
{{ error | raw }}
</div>
{% else %}
<h1 class="display-3 mb-3 font-weight-normal">{{ 'account.password-recovery' | trans }}</h1>

<p>{{ 'account.password-recovery-text' | trans([email]) }}</p>
Expand All @@ -17,6 +22,7 @@
<div class="form-group">
<button type="submit" id="_submit" name="_submit" class="btn-success btn-lg btn-block mt-4 btn">{{ 'account.set-password' | trans }}</button>
</div>
{% endif %}

</form>

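Review bot: `{{ error | raw }}` disables Twig's autoescaping for a string that comes straight from `$exception->getMessage()` in the controller, i.e. from whatever the broad catch there intercepts, not only the fixed "too long" text; drop the filter, `{{ error }}`, and let the default HTML escaping apply. The `{% if error %}…{% else %}` also hides the heading, the password fields and the submit button whenever an error is set, so a user who submitted an over-long password sees the message with no form to retry; an `{% if error %}…{% endif %}` alert above the fields, without the `{% else %}`, would keep the retry path. The enclosing form markup continues outside the hunk.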
