fix(user): make lostPassword use better hashed link

YesWiki · Oct 31, 2024 · e128570 · e128570
1 parent b5a8f93
commit e128570
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/includes/services/UserManager.php b/includes/services/UserManager.php
@@ -34,6 +34,7 @@ class UserManager implements UserProviderInterface, PasswordUpgraderInterface
     protected $passwordHasherFactory;
     protected $securityController;
     protected $params;
+    protected $userlink;
 
     private $getOneByNameCacheResults;
 

diff --git a/tools/login/actions/LostPasswordAction.php b/tools/login/actions/LostPasswordAction.php
@@ -10,20 +10,21 @@
 use YesWiki\Core\Service\UserManager;
 use YesWiki\Core\YesWikiAction;
 use YesWiki\Security\Controller\SecurityController;
+use YesWiki\Core\Service\PasswordHasherFactory;
 
 if (!function_exists('send_mail')) {
     require_once('includes/email.inc.php');
 }
 
 class LostPasswordAction extends YesWikiAction
 {
-    private const PW_SALT = 'FBcA';
     public const KEY_VOCABULARY = 'http://outils-reseaux.org/_vocabulary/key';
 
     protected $authController;
     protected $errorType;
     protected $typeOfRendering;
     protected $securityController;
+    protected $passwordHasherFactory;
     protected $tripleStore;
     protected $userManager;
 
@@ -34,6 +35,7 @@ public function run()
         $this->securityController = $this->getService(SecurityController::class);
         $this->tripleStore = $this->getService(TripleStore::class);
         $this->userManager = $this->getService(UserManager::class);
+        $this->passwordHasherFactory = $this->getService(PasswordHasherFactory::class);
 
         // init properties
         $this->errorType = null;
@@ -206,16 +208,18 @@ private function manageSubStep(int $subStep): ?User
     private function sendPasswordRecoveryEmail(User $user)
     {
         // Generate the password recovery key
-        $key = md5($user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s') . self::PW_SALT);
+        $passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user);
+        $plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s');
+        $hashedKey = $passwordHasher->hash($plainKey);
         // Erase the previous triples in the trible table
         $this->tripleStore->delete($user['name'], self::KEY_VOCABULARY, null, '', '') ;
         // Store the (name, vocabulary, key) triple in triples table
-        $res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $key, '', '');
+        $res = $this->tripleStore->create($user['name'], self::KEY_VOCABULARY, $hashedKey, '', '');
 
         // Generate the recovery email
         $passwordLink = $this->wiki->Href('', '', [
             'a' => 'recover',
-            'email' => $key,
+            'email' => $hashedKey,
             'u' => base64_encode($user['name'])
         ], false);
         $pieces = parse_url($this->params->get('base_url'));