Issues in PasswordService.php - All Issues - Inspection of "Merge pull request #11567 from mrclay/11563_routes" - Elgg/Elgg - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( c0a3a7...3b84a4 )

by Jeroen

created 2018-01-08 10:08 UTC

engine/classes/Elgg/PasswordService.php (6 issues)

Showing only issues like (Show All)

methods always have a scope defined.

Best Practice Minor

Steve Clay 6

<?php
namespace Elgg;

/**
 * PRIVATE CLASS. API IN FLUX. DO NOT USE DIRECTLY.
 *
 * @package Elgg.Core
 * @access  private
 * @since   1.10.0
 */
final class PasswordService {

	/**
	 * Constructor
	 */
	public function __construct() {
		if (!function_exists('password_hash')) {
			throw new \RuntimeException("password_hash and associated functions are required.");
		}
	}

	/**
	 * Determine if the password hash needs to be rehashed
	 *
	 * If the answer is true, after validating the password using password_verify, rehash it.
	 *
	 * @param string $hash The hash to test
	 *
	 * @return boolean True if the password needs to be rehashed.
	 */
	function needsRehash($hash) {

		return password_needs_rehash($hash, PASSWORD_DEFAULT);
	}

	/**
	 * Verify a password against a hash using a timing attack resistant approach
	 *
	 * @param string $password The password to verify
	 * @param string $hash     The hash to verify against
	 *
	 * @return boolean If the password matches the hash
	 */
	function verify($password, $hash) {

		return password_verify($password, $hash);
	}

	/**
	 * Hash a password for storage using password_hash()
	 *
	 * @param string $password Password in clear text
	 *
	 * @return string
	 */
	function generateHash($password) {

		return password_hash($password, PASSWORD_DEFAULT);
	}

	/**
	 * Generate and send a password request email to a given user's registered email address.
	 *
	 * @param int $user_guid User GUID
	 *
	 * @return bool
	 */
	function sendNewPasswordRequest($user_guid) {

		$user_guid = (int) $user_guid;

		$user = _elgg_services()->entityTable->get($user_guid);
		if (!$user instanceof \ElggUser) {
			return false;
		}

		// generate code
		$code = generate_random_cleartext_password();
		$user->setPrivateSetting('passwd_conf_code', $code);
		$user->setPrivateSetting('passwd_conf_time', time());

		// generate link
		$link = _elgg_config()->wwwroot . "changepassword?u=$user_guid&c=$code";
		$link = _elgg_services()->urlSigner->sign($link, '+1 day');
		
		// generate email
		$ip_address = _elgg_services()->request->getClientIp();
		$message = _elgg_services()->translator->translate(
			'email:changereq:body', [$user->name, $ip_address, $link], $user->language);
		$subject = _elgg_services()->translator->translate(
			'email:changereq:subject', [], $user->language);

		$params = [
			'action' => 'requestnewpassword',
			'object' => $user,
			'ip_address' => $ip_address,
			'link' => $link,
		];
		
		return notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, $params, 'email');
	}

	/**
	 * Set a user's new password and save the entity.
	 *
	 * This can only be called from execute_new_password_request().
	 *
	 * @param \ElggUser|int $user     The user GUID or entity
	 * @param string        $password Text (which will then be converted into a hash and stored)
	 *
	 * @return bool
	 */
	function forcePasswordReset($user, $password) {

		if (!$user instanceof \ElggUser) {
			$user = _elgg_services()->entityTable->get($user, 'user');
			if (!$user) {
				return false;
			}
		}

		$user->setPassword($password);

		$ia = elgg_set_ignore_access(true);
		$result = (bool) $user->save();
		elgg_set_ignore_access($ia);

		return $result;
	}

	/**
	 * Validate and change password for a user.
	 *
	 * @param int    $user_guid The user id
	 * @param string $conf_code Confirmation code as sent in the request email.
	 * @param string $password  Optional new password, if not randomly generated.
	 *
	 * @return bool True on success
	 */
	function executeNewPasswordReset($user_guid, $conf_code, $password = null) {

		$user_guid = (int) $user_guid;
		$user = get_entity($user_guid);

		if ($password === null) {
			$password = generate_random_cleartext_password();
			$reset = true;
		} else {
			$reset = false;
		}

		if (!$user instanceof \ElggUser) {
			return false;
		}

		$saved_code = $user->getPrivateSetting('passwd_conf_code');
		$code_time = (int) $user->getPrivateSetting('passwd_conf_time');
		$codes_match = _elgg_services()->crypto->areEqual($saved_code, $conf_code);

		if (!$saved_code || !$codes_match) {
			return false;
		}

		// Discard for security if it is 24h old
		if (!$code_time || $code_time < time() - 24 * 60 * 60) {
			return false;
		}

		if (!$this->forcePasswordReset($user, $password)) {
			return false;
		}

		remove_private_setting($user_guid, 'passwd_conf_code');
		remove_private_setting($user_guid, 'passwd_conf_time');
		// clean the logins failures
		reset_login_failure_count($user_guid);

		$ns = $reset ? 'resetpassword' : 'changepassword';

		$message = _elgg_services()->translator->translate(
			"email:$ns:body", [$user->username, $password], $user->language);
		$subject = _elgg_services()->translator->translate("email:$ns:subject", [], $user->language);

		$params = [
			'action' => $ns,
			'object' => $user,
			'password' => $password,
		];

		notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, $params, 'email');

		return true;
	}
}


1		<?php
2		namespace Elgg;
3
4		/**
5		* PRIVATE CLASS. API IN FLUX. DO NOT USE DIRECTLY.
6		*
7		* @package Elgg.Core
8		* @access private
9		* @since 1.10.0
10		*/
11		final class PasswordService {
12
13		/**
14		* Constructor
15		*/
16	12	public function __construct() {
17	12	if (!function_exists('password_hash')) {
18		throw new \RuntimeException("password_hash and associated functions are required.");
19		}
20	12	}
21
22		/**
23		* Determine if the password hash needs to be rehashed
24		*
25		* If the answer is true, after validating the password using password_verify, rehash it.
26		*
27		* @param string $hash The hash to test
28		*
29		* @return boolean True if the password needs to be rehashed.
30		*/
31	5	function needsRehash($hash) {
		0 ignored issues – show Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
32	5	return password_needs_rehash($hash, PASSWORD_DEFAULT);
33		}
34
35		/**
36		* Verify a password against a hash using a timing attack resistant approach
37		*
38		* @param string $password The password to verify
39		* @param string $hash The hash to verify against
40		*
41		* @return boolean If the password matches the hash
42		*/
43	6	function verify($password, $hash) {
		0 ignored issues – show Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
44	6	return password_verify($password, $hash);
45		}
46
47		/**
48		* Hash a password for storage using password_hash()
49		*
50		* @param string $password Password in clear text
51		*
52		* @return string
53		*/
54	162	function generateHash($password) {
		0 ignored issues – show Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
55	162	return password_hash($password, PASSWORD_DEFAULT);
56		}
57
58		/**
59		* Generate and send a password request email to a given user's registered email address.
60		*
61		* @param int $user_guid User GUID
62		*
63		* @return bool
64		*/
65		function sendNewPasswordRequest($user_guid) {
		0 ignored issues – show Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
66		$user_guid = (int) $user_guid;
67
68		$user = _elgg_services()->entityTable->get($user_guid);
69		if (!$user instanceof \ElggUser) {
70		return false;
71		}
72
73		// generate code
74		$code = generate_random_cleartext_password();
75		$user->setPrivateSetting('passwd_conf_code', $code);
76		$user->setPrivateSetting('passwd_conf_time', time());
77
78		// generate link
79		$link = _elgg_config()->wwwroot . "changepassword?u=$user_guid&c=$code";
80		$link = _elgg_services()->urlSigner->sign($link, '+1 day');
81
82		// generate email
83		$ip_address = _elgg_services()->request->getClientIp();
84		$message = _elgg_services()->translator->translate(
85		'email:changereq:body', [$user->name, $ip_address, $link], $user->language);
86		$subject = _elgg_services()->translator->translate(
87		'email:changereq:subject', [], $user->language);
88
89		$params = [
90		'action' => 'requestnewpassword',
91		'object' => $user,
92		'ip_address' => $ip_address,
93		'link' => $link,
94		];
95
96		return notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, $params, 'email');
97		}
98
99		/**
100		* Set a user's new password and save the entity.
101		*
102		* This can only be called from execute_new_password_request().
103		*
104		* @param \ElggUser\|int $user The user GUID or entity
105		* @param string $password Text (which will then be converted into a hash and stored)
106		*
107		* @return bool
108		*/
109		function forcePasswordReset($user, $password) {
		0 ignored issues – show Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
110		if (!$user instanceof \ElggUser) {
111		$user = _elgg_services()->entityTable->get($user, 'user');
112		if (!$user) {
113		return false;
114		}
115		}
116
117		$user->setPassword($password);
118
119		$ia = elgg_set_ignore_access(true);
120		$result = (bool) $user->save();
121		elgg_set_ignore_access($ia);
122
123		return $result;
124		}
125
126		/**
127		* Validate and change password for a user.
128		*
129		* @param int $user_guid The user id
130		* @param string $conf_code Confirmation code as sent in the request email.
131		* @param string $password Optional new password, if not randomly generated.
132		*
133		* @return bool True on success
134		*/
135		function executeNewPasswordReset($user_guid, $conf_code, $password = null) {
		0 ignored issues – show Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
136		$user_guid = (int) $user_guid;
137		$user = get_entity($user_guid);
138
139		if ($password === null) {
140		$password = generate_random_cleartext_password();
141		$reset = true;
142		} else {
143		$reset = false;
144		}
145
146		if (!$user instanceof \ElggUser) {
147		return false;
148		}
149
150		$saved_code = $user->getPrivateSetting('passwd_conf_code');
151		$code_time = (int) $user->getPrivateSetting('passwd_conf_time');
152		$codes_match = _elgg_services()->crypto->areEqual($saved_code, $conf_code);
153
154		if (!$saved_code \|\| !$codes_match) {
155		return false;
156		}
157
158		// Discard for security if it is 24h old
159		if (!$code_time \|\| $code_time < time() - 24 * 60 * 60) {
160		return false;
161		}
162
163		if (!$this->forcePasswordReset($user, $password)) {
164		return false;
165		}
166
167		remove_private_setting($user_guid, 'passwd_conf_code');
168		remove_private_setting($user_guid, 'passwd_conf_time');
169		// clean the logins failures
170		reset_login_failure_count($user_guid);
171
172		$ns = $reset ? 'resetpassword' : 'changepassword';
173
174		$message = _elgg_services()->translator->translate(
175		"email:$ns:body", [$user->username, $password], $user->language);
176		$subject = _elgg_services()->translator->translate("email:$ns:subject", [], $user->language);
177
178		$params = [
179		'action' => $ns,
180		'object' => $user,
181		'password' => $password,
182		];
183
184		notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, $params, 'email');
185
186		return true;
187		}
188		}
189

Elgg / Elgg

Push — master ( c0a3a7...3b84a4 )

engine/classes/Elgg/PasswordService.php (6 issues)

Showing only issues like (Show All)

Introduced By

Duplication Side-by-Side

Filter issues like