AccountController::changePassword() - Code Metrics - Inspection of "User: Add improvements to 2FA - refs #6162" - chamilo/chamilo-lms - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( ca5032...cc6fd3 )

by Yannick

created 2025-07-11 23:43 UTC

AccountController::changePassword() C

↳ Parent: AccountController

Complexity

Conditions	14
Paths	16

Size

Total Lines	104
Code Lines	62

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	14
eloc	62
c	0
b	0
f	0
nc	16
nop	5
dl	0
loc	104
rs	6.2666

How to fix Long Method Complexity

<?php

declare(strict_types=1);

/* For licensing terms, see /license.txt */

namespace Chamilo\CoreBundle\Controller;

use Chamilo\CoreBundle\Entity\User;
use Chamilo\CoreBundle\Form\ChangePasswordType;
use Chamilo\CoreBundle\Form\ProfileType;
use Chamilo\CoreBundle\Helpers\UserHelper;
use Chamilo\CoreBundle\Repository\Node\IllustrationRepository;
use Chamilo\CoreBundle\Repository\Node\UserRepository;
use Chamilo\CoreBundle\Settings\SettingsManager;
use Chamilo\CoreBundle\Traits\ControllerTrait;
use Endroid\QrCode\Builder\Builder;
use Endroid\QrCode\Encoding\Encoding;
use Endroid\QrCode\ErrorCorrectionLevel\ErrorCorrectionLevelHigh;
use Endroid\QrCode\Writer\PngWriter;
use OTPHP\TOTP;
use Security;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Contracts\Translation\TranslatorInterface;

/**
 * @author Julio Montoya <[email protected]>
 */
#[Route('/account')]
class AccountController extends BaseController
{
    use ControllerTrait;

    public function __construct(
        private readonly UserHelper $userHelper,
        private readonly TranslatorInterface $translator
    ) {}

    #[Route('/edit', name: 'chamilo_core_account_edit', methods: ['GET', 'POST'])]
    public function edit(Request $request, UserRepository $userRepository, IllustrationRepository $illustrationRepo, SettingsManager $settingsManager): Response
    {
        $user = $this->userHelper->getCurrent();

        if (!\is_object($user) || !$user instanceof UserInterface) {
            throw $this->createAccessDeniedException('This user does not have access to this section');
        }

        /** @var User $user */
        $form = $this->createForm(ProfileType::class, $user);
        $form->setData($user);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            if ($form->has('illustration')) {
                $illustration = $form['illustration']->getData();
                if ($illustration) {
                    $illustrationRepo->deleteIllustration($user);
                    $illustrationRepo->addIllustration($user, $user, $illustration);
                }
            }

            if ($form->has('password')) {
                $password = $form['password']->getData();
                if ($password) {
                    $user->setPlainPassword($password);
                }
            }

            $showTermsIfProfileCompleted = ('true' === $settingsManager->getSetting('show_terms_if_profile_completed'));
            $user->setProfileCompleted($showTermsIfProfileCompleted);

            $userRepository->updateUser($user);
            $this->addFlash('success', $this->trans('Updated'));
            $url = $this->generateUrl('chamilo_core_account_home');

            $request->getSession()->set('_locale_user', $user->getLocale());

            return new RedirectResponse($url);
        }

        return $this->render('@ChamiloCore/Account/edit.html.twig', [
            'form' => $form->createView(),
            'user' => $user,
        ]);
    }

    #[Route('/change-password', name: 'chamilo_core_account_change_password', methods: ['GET', 'POST'])]
    public function changePassword(
        Request $request,
        UserRepository $userRepository,
        CsrfTokenManagerInterface $csrfTokenManager,
        SettingsManager $settingsManager,
        UserPasswordHasherInterface $passwordHasher
    ): Response {
        /** @var User $user */
        $user = $this->getUser();

        // Ensure user is authenticated and has proper interface
        if (!\is_object($user) || !$user instanceof UserInterface) {
            throw $this->createAccessDeniedException('This user does not have access to this section');
        }

        // Build the form and inject user-related options
        $form = $this->createForm(ChangePasswordType::class, [
            'enable2FA' => $user->getMfaEnabled(),
        ], [
            'user' => $user,
            'portal_name' => $settingsManager->getSetting('platform.institution'),
            'password_hasher' => $passwordHasher,
        ]);

        $form->handleRequest($request);
        $session = $request->getSession();
        $qrCodeBase64 = null;
        $showQRCode = false;

        // Generate TOTP secret and QR code for 2FA activation
        if ($form->get('enable2FA')->getData() && !$user->getMfaSecret()) {
            if (!$session->has('temporary_mfa_secret')) {
                $totp = TOTP::create();
                $secret = $totp->getSecret();
                $session->set('temporary_mfa_secret', $secret);
            } else {
                $secret = $session->get('temporary_mfa_secret');
            }

            $totp = TOTP::create($secret);
            $portalName = $settingsManager->getSetting('platform.institution');
            $totp->setLabel($portalName . ' - ' . $user->getEmail());

            // Build QR code image
            $qrCodeResult = Builder::create()
                ->writer(new PngWriter())
                ->data($totp->getProvisioningUri())
                ->encoding(new Encoding('UTF-8'))
                ->errorCorrectionLevel(new ErrorCorrectionLevelHigh())
                ->size(300)
                ->margin(10)
                ->build();

            $qrCodeBase64 = base64_encode($qrCodeResult->getString());
            $showQRCode = true;
        }

        // Handle form submission
        if ($form->isSubmitted() && $form->isValid()) {
            $newPassword = $form->get('newPassword')->getData();
            $enable2FA = $form->get('enable2FA')->getData();

            // Enable 2FA and store encrypted secret
            if ($enable2FA && !$user->getMfaSecret() && $session->has('temporary_mfa_secret')) {
                $secret = $session->get('temporary_mfa_secret');
                $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);

                $user->setMfaSecret($encryptedSecret);
                $user->setMfaEnabled(true);
                $user->setMfaService('TOTP');

                $userRepository->updateUser($user);
                $session->remove('temporary_mfa_secret');

                $this->addFlash('success', '2FA activated successfully.');
                return $this->redirectToRoute('chamilo_core_account_home');
            }

            // Disable 2FA if it was previously enabled
            if (!$enable2FA && $user->getMfaEnabled()) {
                $user->setMfaEnabled(false);
                $user->setMfaSecret(null);

                $userRepository->updateUser($user);
                $this->addFlash('success', '2FA disabled successfully.');
                return $this->redirectToRoute('chamilo_core_account_home');
            }

            // Update password if provided
            if (!empty($newPassword)) {
                $user->setPlainPassword($newPassword);
                $userRepository->updateUser($user);
                $this->addFlash('success', 'Password updated successfully.');
                return $this->redirectToRoute('chamilo_core_account_home');
            }
        }

        // Render form with optional QR code for 2FA
        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
            'form' => $form->createView(),
            'qrCode' => $qrCodeBase64,
            'user' => $user,
            'showQRCode' => $showQRCode,
        ]);
    }

    /**
     * Encrypts the TOTP secret using AES-256-CBC encryption.
     */
    private function encryptTOTPSecret(string $secret, string $encryptionKey): string
    {
        $cipherMethod = 'aes-256-cbc';
        $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipherMethod));
        $encryptedSecret = openssl_encrypt($secret, $cipherMethod, $encryptionKey, 0, $iv);

        return base64_encode($iv.'::'.$encryptedSecret);
    }

    /**
     * Validates the provided TOTP code for the given user.
     */
    private function isTOTPValid(User $user, string $totpCode): bool

    {
        $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
        $totp = TOTP::create($decryptedSecret);

        return $totp->verify($totpCode);
    }

    /**
     * Decrypts the TOTP secret using AES-256-CBC decryption.
     */
    private function decryptTOTPSecret(string $encryptedSecret, string $encryptionKey): string
    {
        $cipherMethod = 'aes-256-cbc';
        list($iv, $encryptedData) = explode('::', base64_decode($encryptedSecret), 2);

        return openssl_decrypt($encryptedData, $cipherMethod, $encryptionKey, 0, $iv);
    }

    /**
     * Validate the password against the same requirements as the client-side validation.
     */
    private function validatePassword(string $password): array

    {
        $errors = [];
        $minRequirements = Security::getPasswordRequirements()['min'];

        if (\strlen($password) < $minRequirements['length']) {
            $errors[] = $this->translator->trans('Password must be at least %length% characters long.', ['%length%' => $minRequirements['length']]);
        }
        if ($minRequirements['lowercase'] > 0 && !preg_match('/[a-z]/', $password)) {
            $errors[] = $this->translator->trans('Password must contain at least %count% lowercase characters.', ['%count%' => $minRequirements['lowercase']]);
        }
        if ($minRequirements['uppercase'] > 0 && !preg_match('/[A-Z]/', $password)) {
            $errors[] = $this->translator->trans('Password must contain at least %count% uppercase characters.', ['%count%' => $minRequirements['uppercase']]);
        }
        if ($minRequirements['numeric'] > 0 && !preg_match('/[0-9]/', $password)) {
            $errors[] = $this->translator->trans('Password must contain at least %count% numerical (0-9) characters.', ['%count%' => $minRequirements['numeric']]);
        }
        if ($minRequirements['specials'] > 0 && !preg_match('/[\W]/', $password)) {
            $errors[] = $this->translator->trans('Password must contain at least %count% special characters.', ['%count%' => $minRequirements['specials']]);
        }

        return $errors;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/* For licensing terms, see /license.txt */
6
7			namespace Chamilo\CoreBundle\Controller;
8
9			use Chamilo\CoreBundle\Entity\User;
10			use Chamilo\CoreBundle\Form\ChangePasswordType;
11			use Chamilo\CoreBundle\Form\ProfileType;
12			use Chamilo\CoreBundle\Helpers\UserHelper;
13			use Chamilo\CoreBundle\Repository\Node\IllustrationRepository;
14			use Chamilo\CoreBundle\Repository\Node\UserRepository;
15			use Chamilo\CoreBundle\Settings\SettingsManager;
16			use Chamilo\CoreBundle\Traits\ControllerTrait;
17			use Endroid\QrCode\Builder\Builder;
18			use Endroid\QrCode\Encoding\Encoding;
19			use Endroid\QrCode\ErrorCorrectionLevel\ErrorCorrectionLevelHigh;
20			use Endroid\QrCode\Writer\PngWriter;
21			use OTPHP\TOTP;
22			use Security;
23			use Symfony\Component\HttpFoundation\RedirectResponse;
24			use Symfony\Component\HttpFoundation\Request;
25			use Symfony\Component\HttpFoundation\Response;
26			use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
27			use Symfony\Component\Routing\Attribute\Route;
28			use Symfony\Component\Security\Core\User\UserInterface;
29			use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
30			use Symfony\Contracts\Translation\TranslatorInterface;
31
32			/**
33			* @author Julio Montoya <[email protected]>
34			*/
35			#[Route('/account')]
36			class AccountController extends BaseController
37			{
38			use ControllerTrait;
39
40			public function __construct(
41			private readonly UserHelper $userHelper,
42			private readonly TranslatorInterface $translator
43			) {}
44
45			#[Route('/edit', name: 'chamilo_core_account_edit', methods: ['GET', 'POST'])]
46			public function edit(Request $request, UserRepository $userRepository, IllustrationRepository $illustrationRepo, SettingsManager $settingsManager): Response
47			{
48			$user = $this->userHelper->getCurrent();
49
50			if (!\is_object($user) \|\| !$user instanceof UserInterface) {
51			throw $this->createAccessDeniedException('This user does not have access to this section');
52			}
53
54			/** @var User $user */
55			$form = $this->createForm(ProfileType::class, $user);
56			$form->setData($user);
57			$form->handleRequest($request);
58
59			if ($form->isSubmitted() && $form->isValid()) {
60			if ($form->has('illustration')) {
61			$illustration = $form['illustration']->getData();
62			if ($illustration) {
63			$illustrationRepo->deleteIllustration($user);
64			$illustrationRepo->addIllustration($user, $user, $illustration);
65			}
66			}
67
68			if ($form->has('password')) {
69			$password = $form['password']->getData();
70			if ($password) {
71			$user->setPlainPassword($password);
72			}
73			}
74
75			$showTermsIfProfileCompleted = ('true' === $settingsManager->getSetting('show_terms_if_profile_completed'));
76			$user->setProfileCompleted($showTermsIfProfileCompleted);
77
78			$userRepository->updateUser($user);
79			$this->addFlash('success', $this->trans('Updated'));
80			$url = $this->generateUrl('chamilo_core_account_home');
81
82			$request->getSession()->set('_locale_user', $user->getLocale());
83
84			return new RedirectResponse($url);
85			}
86
87			return $this->render('@ChamiloCore/Account/edit.html.twig', [
88			'form' => $form->createView(),
89			'user' => $user,
90			]);
91			}
92
93			#[Route('/change-password', name: 'chamilo_core_account_change_password', methods: ['GET', 'POST'])]
94			public function changePassword(
95			Request $request,
96			UserRepository $userRepository,
97			CsrfTokenManagerInterface $csrfTokenManager,
98			SettingsManager $settingsManager,
99			UserPasswordHasherInterface $passwordHasher
100			): Response {
101			/** @var User $user */
102			$user = $this->getUser();
103
104			// Ensure user is authenticated and has proper interface
105			if (!\is_object($user) \|\| !$user instanceof UserInterface) {
106			throw $this->createAccessDeniedException('This user does not have access to this section');
107			}
108
109			// Build the form and inject user-related options
110			$form = $this->createForm(ChangePasswordType::class, [
111			'enable2FA' => $user->getMfaEnabled(),
112			], [
113			'user' => $user,
114			'portal_name' => $settingsManager->getSetting('platform.institution'),
115			'password_hasher' => $passwordHasher,
116			]);
117
118			$form->handleRequest($request);
119			$session = $request->getSession();
120			$qrCodeBase64 = null;
121			$showQRCode = false;
122
123			// Generate TOTP secret and QR code for 2FA activation
124			if ($form->get('enable2FA')->getData() && !$user->getMfaSecret()) {
125			if (!$session->has('temporary_mfa_secret')) {
126			$totp = TOTP::create();
127			$secret = $totp->getSecret();
128			$session->set('temporary_mfa_secret', $secret);
129			} else {
130			$secret = $session->get('temporary_mfa_secret');
131			}
132
133			$totp = TOTP::create($secret);
134			$portalName = $settingsManager->getSetting('platform.institution');
135			$totp->setLabel($portalName . ' - ' . $user->getEmail());
136
137			// Build QR code image
138			$qrCodeResult = Builder::create()
139			->writer(new PngWriter())
140			->data($totp->getProvisioningUri())
141			->encoding(new Encoding('UTF-8'))
142			->errorCorrectionLevel(new ErrorCorrectionLevelHigh())
143			->size(300)
144			->margin(10)
145			->build();
146
147			$qrCodeBase64 = base64_encode($qrCodeResult->getString());
148			$showQRCode = true;
149			}
150
151			// Handle form submission
152			if ($form->isSubmitted() && $form->isValid()) {
153			$newPassword = $form->get('newPassword')->getData();
154			$enable2FA = $form->get('enable2FA')->getData();
155
156			// Enable 2FA and store encrypted secret
157			if ($enable2FA && !$user->getMfaSecret() && $session->has('temporary_mfa_secret')) {
158			$secret = $session->get('temporary_mfa_secret');
159			$encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
160
161			$user->setMfaSecret($encryptedSecret);
162			$user->setMfaEnabled(true);
163			$user->setMfaService('TOTP');
164
165			$userRepository->updateUser($user);
166			$session->remove('temporary_mfa_secret');
167
168			$this->addFlash('success', '2FA activated successfully.');
169			return $this->redirectToRoute('chamilo_core_account_home');
170			}
171
172			// Disable 2FA if it was previously enabled
173			if (!$enable2FA && $user->getMfaEnabled()) {
174			$user->setMfaEnabled(false);
175			$user->setMfaSecret(null);
176
177			$userRepository->updateUser($user);
178			$this->addFlash('success', '2FA disabled successfully.');
179			return $this->redirectToRoute('chamilo_core_account_home');
180			}
181
182			// Update password if provided
183			if (!empty($newPassword)) {
184			$user->setPlainPassword($newPassword);
185			$userRepository->updateUser($user);
186			$this->addFlash('success', 'Password updated successfully.');
187			return $this->redirectToRoute('chamilo_core_account_home');
188			}
189			}
190
191			// Render form with optional QR code for 2FA
192			return $this->render('@ChamiloCore/Account/change_password.html.twig', [
193			'form' => $form->createView(),
194			'qrCode' => $qrCodeBase64,
195			'user' => $user,
196			'showQRCode' => $showQRCode,
197			]);
198			}
199
200			/**
201			* Encrypts the TOTP secret using AES-256-CBC encryption.
202			*/
203			private function encryptTOTPSecret(string $secret, string $encryptionKey): string
204			{
205			$cipherMethod = 'aes-256-cbc';
206			$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipherMethod));
207			$encryptedSecret = openssl_encrypt($secret, $cipherMethod, $encryptionKey, 0, $iv);
208
209			return base64_encode($iv.'::'.$encryptedSecret);
210			}
211
212			/**
213			* Validates the provided TOTP code for the given user.
214			*/
215			private function isTOTPValid(User $user, string $totpCode): bool
			0 ignored issues – show Unused Code introduced 2025-05-23 22:12 UTC by Report Bug Copy Issue Report The method `isTOTPValid()` is not used, and could be removed. This check looks for private methods that have been defined, but are not used inside the class. Loading history...
216			{
217			$decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
218			$totp = TOTP::create($decryptedSecret);
219
220			return $totp->verify($totpCode);
221			}
222
223			/**
224			* Decrypts the TOTP secret using AES-256-CBC decryption.
225			*/
226			private function decryptTOTPSecret(string $encryptedSecret, string $encryptionKey): string
227			{
228			$cipherMethod = 'aes-256-cbc';
229			list($iv, $encryptedData) = explode('::', base64_decode($encryptedSecret), 2);
230
231			return openssl_decrypt($encryptedData, $cipherMethod, $encryptionKey, 0, $iv);
232			}
233
234			/**
235			* Validate the password against the same requirements as the client-side validation.
236			*/
237			private function validatePassword(string $password): array
			0 ignored issues – show Unused Code introduced 2024-10-02 23:28 UTC by Report Bug Copy Issue Report The method `validatePassword()` is not used, and could be removed. This check looks for private methods that have been defined, but are not used inside the class. Loading history...
238			{
239			$errors = [];
240			$minRequirements = Security::getPasswordRequirements()['min'];
241
242			if (\strlen($password) < $minRequirements['length']) {
243			$errors[] = $this->translator->trans('Password must be at least %length% characters long.', ['%length%' => $minRequirements['length']]);
244			}
245			if ($minRequirements['lowercase'] > 0 && !preg_match('/[a-z]/', $password)) {
246			$errors[] = $this->translator->trans('Password must contain at least %count% lowercase characters.', ['%count%' => $minRequirements['lowercase']]);
247			}
248			if ($minRequirements['uppercase'] > 0 && !preg_match('/[A-Z]/', $password)) {
249			$errors[] = $this->translator->trans('Password must contain at least %count% uppercase characters.', ['%count%' => $minRequirements['uppercase']]);
250			}
251			if ($minRequirements['numeric'] > 0 && !preg_match('/[0-9]/', $password)) {
252			$errors[] = $this->translator->trans('Password must contain at least %count% numerical (0-9) characters.', ['%count%' => $minRequirements['numeric']]);
253			}
254			if ($minRequirements['specials'] > 0 && !preg_match('/[\W]/', $password)) {
255			$errors[] = $this->translator->trans('Password must contain at least %count% special characters.', ['%count%' => $minRequirements['specials']]);
256			}
257
258			return $errors;
259			}
260			}
261

chamilo / chamilo-lms

Push — master ( ca5032...cc6fd3 )

AccountController::changePassword() C

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like