sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #28792 from nextcloud/fix/noid/lost-password-missing-prefix 

fixes missing prefix to validate password reset token
pull/28774/head
John Molakvoæ 2021-09-14 09:50:22 +07:00 committed by GitHub
parent 58891a9655 6857136f06
commit a994ef0c4f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
core/Controller/LostController.php
Unescape Escape View File

@ -172,7 +172,8 @@ class LostController extends Controller {
*/
protected function checkPasswordResetToken(string $token, string $userId): void {
try {
$this->verificationToken->check($token, $this->userManager->get($userId), 'lostpassword', '', true);
$user = $this->userManager->get($userId);
$this->verificationToken->check($token, $user, 'lostpassword', $user ? $user->getEMailAddress() : '', true);
} catch (InvalidTokenException $e) {
$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
? $this->l10n->t('Could not reset password because the token is expired')

7
tests/Core/Controller/LostControllerTest.php
Unescape Escape View File

@ -153,7 +153,7 @@ class LostControllerTest extends \Test\TestCase {
->willReturn($this->existingUser);
$this->verificationToken->expects($this->once())
->method('check')
->with('12345:MySecretToken', $this->existingUser, 'lostpassword')
->with('12345:MySecretToken', $this->existingUser, 'lostpassword', 'test@example.com')
->willThrowException(new InvalidTokenException(InvalidTokenException::TOKEN_DECRYPTION_ERROR));
$response = $this->lostController->resetform('12345:MySecretToken', 'ValidTokenUser');
@ -174,7 +174,7 @@ class LostControllerTest extends \Test\TestCase {
->willReturn($this->existingUser);
$this->verificationToken->expects($this->once())
->method('check')
->with('MySecretToken', $this->existingUser, 'lostpassword');
->with('MySecretToken', $this->existingUser, 'lostpassword', 'test@example.com');
$response = $this->lostController->resetform('MySecretToken', 'ValidTokenUser');
$expectedResponse = new TemplateResponse('core',
@ -513,6 +513,9 @@ class LostControllerTest extends \Test\TestCase {
->willReturn(false);
$user->expects($this->never())
->method('setPassword');
$user->expects($this->any())
->method('getEMailAddress')
->willReturn('random@example.org');
$this->config->method('getUserValue')
->with('ValidTokenUser', 'core', 'lostpassword', null)