implements security on recovering password and redis connector

2025-08-27 18:13:48 +00:00 · 2018-08-17 17:54:17 +02:00
parent 35683a7289
commit 480655f31b
12 changed files with 630 additions and 15 deletions
--- a/Controller/PasswordController.php
+++ b/Controller/PasswordController.php
@@ -16,6 +16,9 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 use Chill\MainBundle\Security\PasswordRecover\RecoverPasswordHelper;
 use Symfony\Component\HttpFoundation\Response;
 use Chill\MainBundle\Security\PasswordRecover\TokenManager;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Chill\MainBundle\Security\PasswordRecover\PasswordRecoverEvent;
+use Chill\MainBundle\Security\PasswordRecover\PasswordRecoverVoter;

 class PasswordController extends Controller
 {
@@ -49,18 +52,26 @@ class PasswordController extends Controller
     */
    protected $tokenManager;
    
+    /**
+     *
+     * @var EventDispatcherInterface
+     */
+    protected $eventDispatcher;
+    
    public function __construct(
        LoggerInterface $chillLogger,
        UserPasswordEncoderInterface $passwordEncoder,
        RecoverPasswordHelper $recoverPasswordHelper,
        TokenManager $tokenManager,
-        TranslatorInterface $translator
+        TranslatorInterface $translator,
+        EventDispatcherInterface $eventDispatcher
    ) {
        $this->chillLogger = $chillLogger;
        $this->passwordEncoder = $passwordEncoder;
        $this->translator = $translator;
        $this->tokenManager = $tokenManager;
        $this->recoverPasswordHelper = $recoverPasswordHelper;
+        $this->eventDispatcher = $eventDispatcher;
    }
    
    /**
@@ -132,6 +143,12 @@ class PasswordController extends Controller

    public function recoverAction(Request $request)
    {
+        if (FALSE === $this->isGranted(PasswordRecoverVoter::ASK_TOKEN)) {
+            return (new Response($this->translator->trans("You are not allowed "
+                . "to try to recover password, due to mitigating possible "
+                . "attack. Try to contact your system administrator"), Response::HTTP_FORBIDDEN));
+        }
+        
        $query = $request->query;
        $username = $query->get(TokenManager::USERNAME_CANONICAL);
        $hash = $query->getAlnum(TokenManager::HASH);
@@ -141,10 +158,16 @@ class PasswordController extends Controller
            ->findOneByUsernameCanonical($username);
        
        if (NULL === $user) {
+            $this->eventDispatcher->dispatch(PasswordRecoverEvent::INVALID_TOKEN, 
+                new PasswordRecoverEvent($token, null, $request->getClientIp()));
+            
            throw $this->createNotFoundException(sprintf('User %s not found', $username));
        }
        
        if (TRUE !== $this->tokenManager->verify($hash, $token, $user, $timestamp)) {
+            $this->eventDispatcher->dispatch(PasswordRecoverEvent::INVALID_TOKEN, 
+                new PasswordRecoverEvent($token, $user, $request->getClientIp()));
+            
            return new Response("Invalid token", Response::HTTP_FORBIDDEN);
        }
        
@@ -184,6 +207,12 @@ class PasswordController extends Controller
    
    public function requestRecoverAction(Request $request)
    {
+        if (FALSE === $this->isGranted(PasswordRecoverVoter::ASK_TOKEN)) {
+            return (new Response($this->translator->trans("You are not allowed "
+                . "to try to recover password, due to mitigating possible "
+                . "attack. Try to contact your system administrator"), Response::HTTP_FORBIDDEN));
+        }
+        
        $form = $this->requestRecoverForm();
        
        $form->handleRequest($request);
@@ -205,6 +234,12 @@ class PasswordController extends Controller
                $this->addFlash('error', $this->translator->trans('This account does not have an email address. '
                    . 'Please ask your administrator to renew your password.'));
            } else {
+                if (FALSE === $this->isGranted(PasswordRecoverVoter::ASK_TOKEN, $user)) {
+                    return (new Response($this->translator->trans("You are not allowed "
+                        . "to try to recover password, due to mitigating possible "
+                        . "attack. Try to contact your system administrator"), Response::HTTP_FORBIDDEN));
+                }
+                
                $this->recoverPasswordHelper->sendRecoverEmail($user, 
                    (new \DateTimeImmutable('now'))->add(new \DateInterval('PT30M')));
                
@@ -218,8 +253,18 @@ class PasswordController extends Controller
                    )
                );
                
+                $this->eventDispatcher->dispatch(
+                    PasswordRecoverEvent::ASK_TOKEN_SUCCESS, 
+                    new PasswordRecoverEvent(null, $user, $request->getClientIp())
+                    );
+                
                return $this->redirectToRoute('password_request_recover_confirm');
            }
+        } elseif ($form->isSubmitted() && FALSE === $form->isValid()) {
+            $this->eventDispatcher->dispatch(
+                PasswordRecoverEvent::ASK_TOKEN_INVALID_FORM, 
+                new PasswordRecoverEvent(null, null, $request->getClientIp())
+                );
        }
        
        return $this->render('@ChillMain/Password/request_recover_password.html.twig', [