From f6b6ec57bb4e92abc750c1a4ddfcafa6fb99be76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Fri, 31 Aug 2018 16:20:31 +0200
Subject: [PATCH] simplify link generation of recover token

---
 Security/PasswordRecover/TokenManager.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/Security/PasswordRecover/TokenManager.php b/Security/PasswordRecover/TokenManager.php
index ea9c3ab7c..3dc0c1060 100644
--- a/Security/PasswordRecover/TokenManager.php
+++ b/Security/PasswordRecover/TokenManager.php
@@ -44,6 +44,8 @@ class TokenManager
     const TIMESTAMP = 'ts';
     const USERNAME_CANONICAL = 'u';
 
+    const TOKEN_LENGTH = 24;
+
     public function __construct($secret, LoggerInterface $logger)
     {
         $this->secret = $secret;
@@ -52,7 +54,7 @@ class TokenManager
 
     public function generate(User $user, \DateTimeInterface $expiration)
     {
-        $token = \random_bytes(32);
+        $token = \random_bytes(self::TOKEN_LENGTH);
         $username = $user->getUsernameCanonical();
 
         if (empty($username)) {
@@ -60,7 +62,7 @@ class TokenManager
         }
 
         $timestamp = $expiration->getTimestamp();
-        $hash = \hash('sha512', $token.$username.$timestamp.$this->secret);
+        $hash = \hash('sha1', $token.$username.$timestamp.$this->secret);
 
         return [
             self::HASH => $hash,
@@ -72,7 +74,12 @@ class TokenManager
 
     public function verify($hash, $token, User $user, $timestamp)
     {
-        $token = \hex2bin($token);
+        $token = \hex2bin(\trim($token));
+
+        if (\strlen($token) !== self::TOKEN_LENGTH) {
+            return false;
+        }
+
         $username = $user->getUsernameCanonical();
 
         $date = \DateTimeImmutable::createFromFormat('U', $timestamp);
@@ -84,7 +91,7 @@ class TokenManager
             return false;
         }
 
-        $expected = \hash('sha512', $token.$username.$timestamp.$this->secret);
+        $expected = \hash('sha1', $token.$username.$timestamp.$this->secret);
 
         if ($expected !== $hash) {
             return false;
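Review bot: The new `$hash` line downgrades the digest from sha512 to sha1, which is no longer collision-resistant, and the construction `\hash(..., $token.$username.$timestamp.$this->secret)` is a plain hash over a secret-suffixed string rather than a keyed MAC; the same substitution is made on the `$expected` line of the last hunk, so both must change together. If the motivation is a shorter link, `$hash = \hash_hmac('sha256', $token.$username.$timestamp, $this->secret);` yields a 64-character hex digest (half of sha512's 128) while using a proper keyed construction, and the `$expected` line in verify() takes the identical call. Either algorithm change invalidates recovery tokens issued before the deploy, which the switch to sha1 already does. generate() starts and ends outside this hunk.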
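Review bot: `\hex2bin(\trim($token))` on the first added line still runs the decoder on unvalidated input: for an odd-length or non-hex string hex2bin() returns false and emits an E_WARNING, so the `\strlen($token) !== self::TOKEN_LENGTH` check two lines below only rejects the value after the warning has been raised, and `\strlen(false)` would be a TypeError if the file ever declares strict_types. Validating the hex form before decoding keeps the reject path silent and guarantees `$token` is a string of exactly `TOKEN_LENGTH` bytes afterwards; since the constant is in bytes, the hex form must be twice that many characters. I am presuming `$token` arrives as a raw request string — an `is_string` guard covers the case where it is absent. verify() continues past the end of this hunk.
```php
        if (!\is_string($token)) {
            return false;
        }

        $token = \trim($token);

        // Reject before decoding: hex2bin() warns on malformed input.
        if (\strlen($token) !== 2 * self::TOKEN_LENGTH || !\ctype_xdigit($token)) {
            return false;
        }

        $token = \hex2bin($token);
        // … unchanged: $username and $date lookup …
```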
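Review bot: The new `$expected` digest is compared on the following context line with `!==`, which stops at the first differing byte, so the comparison time leaks how much of the attacker-supplied `$hash` prefix matches; `if (!\is_string($hash) || !\hash_equals($expected, $hash)) {` is the constant-time form and also handles a missing or non-string `$hash` instead of letting hash_equals() warn on it. The `return false;` branch beneath stays as is. verify() starts and ends outside this hunk.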