nextcloud / server

lib/private/Authentication/TwoFactorAuth/Manager.php

Indentation +322 added lines, -322 removed lines

@@ -47,330 +47,330 @@
 
 class Manager {
 
-	const SESSION_UID_KEY = 'two_factor_auth_uid';
-	const SESSION_UID_DONE = 'two_factor_auth_passed';
-	const REMEMBER_LOGIN = 'two_factor_remember_login';
-	const BACKUP_CODES_PROVIDER_ID = 'backup_codes';
-
-	/** @var ProviderLoader */
-	private $providerLoader;
-
-	/** @var IRegistry */
-	private $providerRegistry;
-
-	/** @var MandatoryTwoFactor */
-	private $mandatoryTwoFactor;
-
-	/** @var ISession */
-	private $session;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var IManager */
-	private $activityManager;
-
-	/** @var ILogger */
-	private $logger;
-
-	/** @var TokenProvider */
-	private $tokenProvider;
-
-	/** @var ITimeFactory */
-	private $timeFactory;
-
-	/** @var EventDispatcherInterface */
-	private $dispatcher;
-
-	public function __construct(ProviderLoader $providerLoader,
-								IRegistry $providerRegistry,
-								MandatoryTwoFactor $mandatoryTwoFactor,
-								ISession $session, IConfig $config,
-								IManager $activityManager, ILogger $logger, TokenProvider $tokenProvider,
-								ITimeFactory $timeFactory, EventDispatcherInterface $eventDispatcher) {
-		$this->providerLoader = $providerLoader;
-		$this->providerRegistry = $providerRegistry;
-		$this->mandatoryTwoFactor = $mandatoryTwoFactor;
-		$this->session = $session;
-		$this->config = $config;
-		$this->activityManager = $activityManager;
-		$this->logger = $logger;
-		$this->tokenProvider = $tokenProvider;
-		$this->timeFactory = $timeFactory;
-		$this->dispatcher = $eventDispatcher;
-	}
-
-	/**
-	 * Determine whether the user must provide a second factor challenge
-	 *
-	 * @param IUser $user
-	 * @return boolean
-	 */
-	public function isTwoFactorAuthenticated(IUser $user): bool {
-		if ($this->mandatoryTwoFactor->isEnforcedFor($user)) {
-			return true;
-		}
-
-		$providerStates = $this->providerRegistry->getProviderStates($user);
-		$providers = $this->providerLoader->getProviders($user);
-		$fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user);
-		$enabled = array_filter($fixedStates);
-		$providerIds = array_keys($enabled);
-		$providerIdsWithoutBackupCodes = array_diff($providerIds, [self::BACKUP_CODES_PROVIDER_ID]);
-
-		return !empty($providerIdsWithoutBackupCodes);
-	}
-
-	/**
-	 * Get a 2FA provider by its ID
-	 *
-	 * @param IUser $user
-	 * @param string $challengeProviderId
-	 * @return IProvider|null
-	 */
-	public function getProvider(IUser $user, string $challengeProviderId) {
-		$providers = $this->getProviderSet($user)->getProviders();
-		return $providers[$challengeProviderId] ?? null;
-	}
-
-	/**
-	 * Check if the persistant mapping of enabled/disabled state of each available
-	 * provider is missing an entry and add it to the registry in that case.
-	 *
-	 * @todo remove in Nextcloud 17 as by then all providers should have been updated
-	 *
-	 * @param string[] $providerStates
-	 * @param IProvider[] $providers
-	 * @param IUser $user
-	 * @return string[] the updated $providerStates variable
-	 */
-	private function fixMissingProviderStates(array $providerStates,
-		array $providers, IUser $user): array {
-
-		foreach ($providers as $provider) {
-			if (isset($providerStates[$provider->getId()])) {
-				// All good
-				continue;
-			}
-
-			$enabled = $provider->isTwoFactorAuthEnabledForUser($user);
-			if ($enabled) {
-				$this->providerRegistry->enableProviderFor($provider, $user);
-			} else {
-				$this->providerRegistry->disableProviderFor($provider, $user);
-			}
-			$providerStates[$provider->getId()] = $enabled;
-		}
-
-		return $providerStates;
-	}
-
-	/**
-	 * @param array $states
-	 * @param IProvider $providers
-	 */
-	private function isProviderMissing(array $states, array $providers): bool {
-		$indexed = [];
-		foreach ($providers as $provider) {
-			$indexed[$provider->getId()] = $provider;
-		}
-
-		$missing = [];
-		foreach ($states as $providerId => $enabled) {
-			if (!$enabled) {
-				// Don't care
-				continue;
-			}
-
-			if (!isset($indexed[$providerId])) {
-				$missing[] = $providerId;
-				$this->logger->alert("two-factor auth provider '$providerId' failed to load",
-					[
-					'app' => 'core',
-				]);
-			}
-		}
-
-		if (!empty($missing)) {
-			// There was at least one provider missing
-			$this->logger->alert(count($missing) . " two-factor auth providers failed to load", ['app' => 'core']);
-
-			return true;
-		}
-
-		// If we reach this, there was not a single provider missing
-		return false;
-	}
-
-	/**
-	 * Get the list of 2FA providers for the given user
-	 *
-	 * @param IUser $user
-	 * @throws Exception
-	 */
-	public function getProviderSet(IUser $user): ProviderSet {
-		$providerStates = $this->providerRegistry->getProviderStates($user);
-		$providers = $this->providerLoader->getProviders($user);
-
-		$fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user);
-		$isProviderMissing = $this->isProviderMissing($fixedStates, $providers);
-
-		$enabled = array_filter($providers, function (IProvider $provider) use ($fixedStates) {
-			return $fixedStates[$provider->getId()];
-		});
-		return new ProviderSet($enabled, $isProviderMissing);
-	}
-
-	/**
-	 * Verify the given challenge
-	 *
-	 * @param string $providerId
-	 * @param IUser $user
-	 * @param string $challenge
-	 * @return boolean
-	 */
-	public function verifyChallenge(string $providerId, IUser $user, string $challenge): bool {
-		$provider = $this->getProvider($user, $providerId);
-		if ($provider === null) {
-			return false;
-		}
-
-		$passed = $provider->verifyChallenge($user, $challenge);
-		if ($passed) {
-			if ($this->session->get(self::REMEMBER_LOGIN) === true) {
-				// TODO: resolve cyclic dependency and use DI
-				\OC::$server->getUserSession()->createRememberMeToken($user);
-			}
-			$this->session->remove(self::SESSION_UID_KEY);
-			$this->session->remove(self::REMEMBER_LOGIN);
-			$this->session->set(self::SESSION_UID_DONE, $user->getUID());
-
-			// Clear token from db
-			$sessionId = $this->session->getId();
-			$token = $this->tokenProvider->getToken($sessionId);
-			$tokenId = $token->getId();
-			$this->config->deleteUserValue($user->getUID(), 'login_token_2fa', $tokenId);
-
-			$dispatchEvent = new GenericEvent($user, ['provider' => $provider->getDisplayName()]);
-			$this->dispatcher->dispatch(IProvider::EVENT_SUCCESS, $dispatchEvent);
-
-			$this->publishEvent($user, 'twofactor_success', [
-				'provider' => $provider->getDisplayName(),
-			]);
-		} else {
-			$dispatchEvent = new GenericEvent($user, ['provider' => $provider->getDisplayName()]);
-			$this->dispatcher->dispatch(IProvider::EVENT_FAILED, $dispatchEvent);
-
-			$this->publishEvent($user, 'twofactor_failed', [
-				'provider' => $provider->getDisplayName(),
-			]);
-		}
-		return $passed;
-	}
-
-	/**
-	 * Push a 2fa event the user's activity stream
-	 *
-	 * @param IUser $user
-	 * @param string $event
-	 * @param array $params
-	 */
-	private function publishEvent(IUser $user, string $event, array $params) {
-		$activity = $this->activityManager->generateEvent();
-		$activity->setApp('core')
-			->setType('security')
-			->setAuthor($user->getUID())
-			->setAffectedUser($user->getUID())
-			->setSubject($event, $params);
-		try {
-			$this->activityManager->publish($activity);
-		} catch (BadMethodCallException $e) {
-			$this->logger->warning('could not publish activity', ['app' => 'core']);
-			$this->logger->logException($e, ['app' => 'core']);
-		}
-	}
-
-	/**
-	 * Check if the currently logged in user needs to pass 2FA
-	 *
-	 * @param IUser $user the currently logged in user
-	 * @return boolean
-	 */
-	public function needsSecondFactor(IUser $user = null): bool {
-		if ($user === null) {
-			return false;
-		}
-
-		// If we are authenticated using an app password skip all this
-		if ($this->session->exists('app_password')) {
-			return false;
-		}
-
-		// First check if the session tells us we should do 2FA (99% case)
-		if (!$this->session->exists(self::SESSION_UID_KEY)) {
-
-			// Check if the session tells us it is 2FA authenticated already
-			if ($this->session->exists(self::SESSION_UID_DONE) &&
-				$this->session->get(self::SESSION_UID_DONE) === $user->getUID()) {
-				return false;
-			}
-
-			/*
+    const SESSION_UID_KEY = 'two_factor_auth_uid';
+    const SESSION_UID_DONE = 'two_factor_auth_passed';
+    const REMEMBER_LOGIN = 'two_factor_remember_login';
+    const BACKUP_CODES_PROVIDER_ID = 'backup_codes';
+
+    /** @var ProviderLoader */
+    private $providerLoader;
+
+    /** @var IRegistry */
+    private $providerRegistry;
+
+    /** @var MandatoryTwoFactor */
+    private $mandatoryTwoFactor;
+
+    /** @var ISession */
+    private $session;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var IManager */
+    private $activityManager;
+
+    /** @var ILogger */
+    private $logger;
+
+    /** @var TokenProvider */
+    private $tokenProvider;
+
+    /** @var ITimeFactory */
+    private $timeFactory;
+
+    /** @var EventDispatcherInterface */
+    private $dispatcher;
+
+    public function __construct(ProviderLoader $providerLoader,
+                                IRegistry $providerRegistry,
+                                MandatoryTwoFactor $mandatoryTwoFactor,
+                                ISession $session, IConfig $config,
+                                IManager $activityManager, ILogger $logger, TokenProvider $tokenProvider,
+                                ITimeFactory $timeFactory, EventDispatcherInterface $eventDispatcher) {
+        $this->providerLoader = $providerLoader;
+        $this->providerRegistry = $providerRegistry;
+        $this->mandatoryTwoFactor = $mandatoryTwoFactor;
+        $this->session = $session;
+        $this->config = $config;
+        $this->activityManager = $activityManager;
+        $this->logger = $logger;
+        $this->tokenProvider = $tokenProvider;
+        $this->timeFactory = $timeFactory;
+        $this->dispatcher = $eventDispatcher;
+    }
+
+    /**
+     * Determine whether the user must provide a second factor challenge
+     *
+     * @param IUser $user
+     * @return boolean
+     */
+    public function isTwoFactorAuthenticated(IUser $user): bool {
+        if ($this->mandatoryTwoFactor->isEnforcedFor($user)) {
+            return true;
+        }
+
+        $providerStates = $this->providerRegistry->getProviderStates($user);
+        $providers = $this->providerLoader->getProviders($user);
+        $fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user);
+        $enabled = array_filter($fixedStates);
+        $providerIds = array_keys($enabled);
+        $providerIdsWithoutBackupCodes = array_diff($providerIds, [self::BACKUP_CODES_PROVIDER_ID]);
+
+        return !empty($providerIdsWithoutBackupCodes);
+    }
+
+    /**
+     * Get a 2FA provider by its ID
+     *
+     * @param IUser $user
+     * @param string $challengeProviderId
+     * @return IProvider|null
+     */
+    public function getProvider(IUser $user, string $challengeProviderId) {
+        $providers = $this->getProviderSet($user)->getProviders();
+        return $providers[$challengeProviderId] ?? null;
+    }
+
+    /**
+     * Check if the persistant mapping of enabled/disabled state of each available
+     * provider is missing an entry and add it to the registry in that case.
+     *
+     * @todo remove in Nextcloud 17 as by then all providers should have been updated
+     *
+     * @param string[] $providerStates
+     * @param IProvider[] $providers
+     * @param IUser $user
+     * @return string[] the updated $providerStates variable
+     */
+    private function fixMissingProviderStates(array $providerStates,
+        array $providers, IUser $user): array {
+
+        foreach ($providers as $provider) {
+            if (isset($providerStates[$provider->getId()])) {
+                // All good
+                continue;
+            }
+
+            $enabled = $provider->isTwoFactorAuthEnabledForUser($user);
+            if ($enabled) {
+                $this->providerRegistry->enableProviderFor($provider, $user);
+            } else {
+                $this->providerRegistry->disableProviderFor($provider, $user);
+            }
+            $providerStates[$provider->getId()] = $enabled;
+        }
+
+        return $providerStates;
+    }
+
+    /**
+     * @param array $states
+     * @param IProvider $providers
+     */
+    private function isProviderMissing(array $states, array $providers): bool {
+        $indexed = [];
+        foreach ($providers as $provider) {
+            $indexed[$provider->getId()] = $provider;
+        }
+
+        $missing = [];
+        foreach ($states as $providerId => $enabled) {
+            if (!$enabled) {
+                // Don't care
+                continue;
+            }
+
+            if (!isset($indexed[$providerId])) {
+                $missing[] = $providerId;
+                $this->logger->alert("two-factor auth provider '$providerId' failed to load",
+                    [
+                    'app' => 'core',
+                ]);
+            }
+        }
+
+        if (!empty($missing)) {
+            // There was at least one provider missing
+            $this->logger->alert(count($missing) . " two-factor auth providers failed to load", ['app' => 'core']);
+
+            return true;
+        }
+
+        // If we reach this, there was not a single provider missing
+        return false;
+    }
+
+    /**
+     * Get the list of 2FA providers for the given user
+     *
+     * @param IUser $user
+     * @throws Exception
+     */
+    public function getProviderSet(IUser $user): ProviderSet {
+        $providerStates = $this->providerRegistry->getProviderStates($user);
+        $providers = $this->providerLoader->getProviders($user);
+
+        $fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user);
+        $isProviderMissing = $this->isProviderMissing($fixedStates, $providers);
+
+        $enabled = array_filter($providers, function (IProvider $provider) use ($fixedStates) {
+            return $fixedStates[$provider->getId()];
+        });
+        return new ProviderSet($enabled, $isProviderMissing);
+    }
+
+    /**
+     * Verify the given challenge
+     *
+     * @param string $providerId
+     * @param IUser $user
+     * @param string $challenge
+     * @return boolean
+     */
+    public function verifyChallenge(string $providerId, IUser $user, string $challenge): bool {
+        $provider = $this->getProvider($user, $providerId);
+        if ($provider === null) {
+            return false;
+        }
+
+        $passed = $provider->verifyChallenge($user, $challenge);
+        if ($passed) {
+            if ($this->session->get(self::REMEMBER_LOGIN) === true) {
+                // TODO: resolve cyclic dependency and use DI
+                \OC::$server->getUserSession()->createRememberMeToken($user);
+            }
+            $this->session->remove(self::SESSION_UID_KEY);
+            $this->session->remove(self::REMEMBER_LOGIN);
+            $this->session->set(self::SESSION_UID_DONE, $user->getUID());
+
+            // Clear token from db
+            $sessionId = $this->session->getId();
+            $token = $this->tokenProvider->getToken($sessionId);
+            $tokenId = $token->getId();
+            $this->config->deleteUserValue($user->getUID(), 'login_token_2fa', $tokenId);
+
+            $dispatchEvent = new GenericEvent($user, ['provider' => $provider->getDisplayName()]);
+            $this->dispatcher->dispatch(IProvider::EVENT_SUCCESS, $dispatchEvent);
+
+            $this->publishEvent($user, 'twofactor_success', [
+                'provider' => $provider->getDisplayName(),
+            ]);
+        } else {
+            $dispatchEvent = new GenericEvent($user, ['provider' => $provider->getDisplayName()]);
+            $this->dispatcher->dispatch(IProvider::EVENT_FAILED, $dispatchEvent);
+
+            $this->publishEvent($user, 'twofactor_failed', [
+                'provider' => $provider->getDisplayName(),
+            ]);
+        }
+        return $passed;
+    }
+
+    /**
+     * Push a 2fa event the user's activity stream
+     *
+     * @param IUser $user
+     * @param string $event
+     * @param array $params
+     */
+    private function publishEvent(IUser $user, string $event, array $params) {
+        $activity = $this->activityManager->generateEvent();
+        $activity->setApp('core')
+            ->setType('security')
+            ->setAuthor($user->getUID())
+            ->setAffectedUser($user->getUID())
+            ->setSubject($event, $params);
+        try {
+            $this->activityManager->publish($activity);
+        } catch (BadMethodCallException $e) {
+            $this->logger->warning('could not publish activity', ['app' => 'core']);
+            $this->logger->logException($e, ['app' => 'core']);
+        }
+    }
+
+    /**
+     * Check if the currently logged in user needs to pass 2FA
+     *
+     * @param IUser $user the currently logged in user
+     * @return boolean
+     */
+    public function needsSecondFactor(IUser $user = null): bool {
+        if ($user === null) {
+            return false;
+        }
+
+        // If we are authenticated using an app password skip all this
+        if ($this->session->exists('app_password')) {
+            return false;
+        }
+
+        // First check if the session tells us we should do 2FA (99% case)
+        if (!$this->session->exists(self::SESSION_UID_KEY)) {
+
+            // Check if the session tells us it is 2FA authenticated already
+            if ($this->session->exists(self::SESSION_UID_DONE) &&
+                $this->session->get(self::SESSION_UID_DONE) === $user->getUID()) {
+                return false;
+            }
+
+            /*
 			 * If the session is expired check if we are not logged in by a token
 			 * that still needs 2FA auth
 			 */
-			try {
-				$sessionId = $this->session->getId();
-				$token = $this->tokenProvider->getToken($sessionId);
-				$tokenId = $token->getId();
-				$tokensNeeding2FA = $this->config->getUserKeys($user->getUID(), 'login_token_2fa');
-
-				if (!\in_array($tokenId, $tokensNeeding2FA, true)) {
-					$this->session->set(self::SESSION_UID_DONE, $user->getUID());
-					return false;
-				}
-			} catch (InvalidTokenException $e) {
-			}
-		}
-
-		if (!$this->isTwoFactorAuthenticated($user)) {
-			// There is no second factor any more -> let the user pass
-			//   This prevents infinite redirect loops when a user is about
-			//   to solve the 2FA challenge, and the provider app is
-			//   disabled the same time
-			$this->session->remove(self::SESSION_UID_KEY);
-
-			$keys = $this->config->getUserKeys($user->getUID(), 'login_token_2fa');
-			foreach ($keys as $key) {
-				$this->config->deleteUserValue($user->getUID(), 'login_token_2fa', $key);
-			}
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * Prepare the 2FA login
-	 *
-	 * @param IUser $user
-	 * @param boolean $rememberMe
-	 */
-	public function prepareTwoFactorLogin(IUser $user, bool $rememberMe) {
-		$this->session->set(self::SESSION_UID_KEY, $user->getUID());
-		$this->session->set(self::REMEMBER_LOGIN, $rememberMe);
-
-		$id = $this->session->getId();
-		$token = $this->tokenProvider->getToken($id);
-		$this->config->setUserValue($user->getUID(), 'login_token_2fa', $token->getId(), $this->timeFactory->getTime());
-	}
-
-	public function clearTwoFactorPending(string $userId) {
-		$tokensNeeding2FA = $this->config->getUserKeys($userId, 'login_token_2fa');
-
-		foreach ($tokensNeeding2FA as $tokenId) {
-			$this->tokenProvider->invalidateTokenById($userId, $tokenId);
-		}
-	}
+            try {
+                $sessionId = $this->session->getId();
+                $token = $this->tokenProvider->getToken($sessionId);
+                $tokenId = $token->getId();
+                $tokensNeeding2FA = $this->config->getUserKeys($user->getUID(), 'login_token_2fa');
+
+                if (!\in_array($tokenId, $tokensNeeding2FA, true)) {
+                    $this->session->set(self::SESSION_UID_DONE, $user->getUID());
+                    return false;
+                }
+            } catch (InvalidTokenException $e) {
+            }
+        }
+
+        if (!$this->isTwoFactorAuthenticated($user)) {
+            // There is no second factor any more -> let the user pass
+            //   This prevents infinite redirect loops when a user is about
+            //   to solve the 2FA challenge, and the provider app is
+            //   disabled the same time
+            $this->session->remove(self::SESSION_UID_KEY);
+
+            $keys = $this->config->getUserKeys($user->getUID(), 'login_token_2fa');
+            foreach ($keys as $key) {
+                $this->config->deleteUserValue($user->getUID(), 'login_token_2fa', $key);
+            }
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Prepare the 2FA login
+     *
+     * @param IUser $user
+     * @param boolean $rememberMe
+     */
+    public function prepareTwoFactorLogin(IUser $user, bool $rememberMe) {
+        $this->session->set(self::SESSION_UID_KEY, $user->getUID());
+        $this->session->set(self::REMEMBER_LOGIN, $rememberMe);
+
+        $id = $this->session->getId();
+        $token = $this->tokenProvider->getToken($id);
+        $this->config->setUserValue($user->getUID(), 'login_token_2fa', $token->getId(), $this->timeFactory->getTime());
+    }
+
+    public function clearTwoFactorPending(string $userId) {
+        $tokensNeeding2FA = $this->config->getUserKeys($userId, 'login_token_2fa');
+
+        foreach ($tokensNeeding2FA as $tokenId) {
+            $this->tokenProvider->invalidateTokenById($userId, $tokenId);
+        }
+    }
 
 }

core/Controller/LostController.php

Indentation +340 added lines, -340 removed lines

@@ -59,344 +59,344 @@
  * @package OC\Core\Controller
  */
 class LostController extends Controller {
-	/** @var IURLGenerator */
-	protected $urlGenerator;
-	/** @var IUserManager */
-	protected $userManager;
-	/** @var Defaults */
-	protected $defaults;
-	/** @var IL10N */
-	protected $l10n;
-	/** @var string */
-	protected $from;
-	/** @var IManager */
-	protected $encryptionManager;
-	/** @var IConfig */
-	protected $config;
-	/** @var ISecureRandom */
-	protected $secureRandom;
-	/** @var IMailer */
-	protected $mailer;
-	/** @var ITimeFactory */
-	protected $timeFactory;
-	/** @var ICrypto */
-	protected $crypto;
-	/** @var ILogger */
-	private $logger;
-	/** @var Manager */
-	private $twoFactorManager;
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IURLGenerator $urlGenerator
-	 * @param IUserManager $userManager
-	 * @param Defaults $defaults
-	 * @param IL10N $l10n
-	 * @param IConfig $config
-	 * @param ISecureRandom $secureRandom
-	 * @param string $defaultMailAddress
-	 * @param IManager $encryptionManager
-	 * @param IMailer $mailer
-	 * @param ITimeFactory $timeFactory
-	 * @param ICrypto $crypto
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								IURLGenerator $urlGenerator,
-								IUserManager $userManager,
-								Defaults $defaults,
-								IL10N $l10n,
-								IConfig $config,
-								ISecureRandom $secureRandom,
-								$defaultMailAddress,
-								IManager $encryptionManager,
-								IMailer $mailer,
-								ITimeFactory $timeFactory,
-								ICrypto $crypto,
-								ILogger $logger,
-								Manager $twoFactorManager) {
-		parent::__construct($appName, $request);
-		$this->urlGenerator = $urlGenerator;
-		$this->userManager = $userManager;
-		$this->defaults = $defaults;
-		$this->l10n = $l10n;
-		$this->secureRandom = $secureRandom;
-		$this->from = $defaultMailAddress;
-		$this->encryptionManager = $encryptionManager;
-		$this->config = $config;
-		$this->mailer = $mailer;
-		$this->timeFactory = $timeFactory;
-		$this->crypto = $crypto;
-		$this->logger = $logger;
-		$this->twoFactorManager = $twoFactorManager;
-	}
-
-	/**
-	 * Someone wants to reset their password:
-	 *
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
-	 * @param string $token
-	 * @param string $userId
-	 * @return TemplateResponse
-	 */
-	public function resetform($token, $userId) {
-		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
-			return new TemplateResponse('core', 'error', [
-					'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
-				],
-				'guest'
-			);
-		}
-
-		try {
-			$this->checkPasswordResetToken($token, $userId);
-		} catch (\Exception $e) {
-			return new TemplateResponse(
-				'core', 'error', [
-					"errors" => array(array("error" => $e->getMessage()))
-				],
-				'guest'
-			);
-		}
-
-		return new TemplateResponse(
-			'core',
-			'lostpassword/resetpassword',
-			array(
-				'link' => $this->urlGenerator->linkToRouteAbsolute('core.lost.setPassword', array('userId' => $userId, 'token' => $token)),
-			),
-			'guest'
-		);
-	}
-
-	/**
-	 * @param string $token
-	 * @param string $userId
-	 * @throws \Exception
-	 */
-	protected function checkPasswordResetToken($token, $userId) {
-		$user = $this->userManager->get($userId);
-		if($user === null || !$user->isEnabled()) {
-			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
-		}
-
-		try {
-			$encryptedToken = $this->config->getUserValue($userId, 'core', 'lostpassword', null);
-			$mailAddress = !is_null($user->getEMailAddress()) ? $user->getEMailAddress() : '';
-			$decryptedToken = $this->crypto->decrypt($encryptedToken, $mailAddress.$this->config->getSystemValue('secret'));
-		} catch (\Exception $e) {
-			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
-		}
-
-		$splittedToken = explode(':', $decryptedToken);
-		if(count($splittedToken) !== 2) {
-			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
-		}
-
-		if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*24*7) ||
-			$user->getLastLogin() > $splittedToken[0]) {
-			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));
-		}
-
-		if (!hash_equals($splittedToken[1], $token)) {
-			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
-		}
-	}
-
-	/**
-	 * @param $message
-	 * @param array $additional
-	 * @return array
-	 */
-	private function error($message, array $additional=array()) {
-		return array_merge(array('status' => 'error', 'msg' => $message), $additional);
-	}
-
-	/**
-	 * @param array $data
-	 * @return array
-	 */
-	private function success($data = []) {
-		return array_merge($data, ['status'=>'success']);
-	}
-
-	/**
-	 * @PublicPage
-	 * @BruteForceProtection(action=passwordResetEmail)
-	 * @AnonRateThrottle(limit=10, period=300)
-	 *
-	 * @param string $user
-	 * @return JSONResponse
-	 */
-	public function email($user){
-		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
-			return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));
-		}
-
-		\OCP\Util::emitHook(
-			'\OCA\Files_Sharing\API\Server2Server',
-			'preLoginNameUsedAsUserName',
-			['uid' => &$user]
-		);
-
-		// FIXME: use HTTP error codes
-		try {
-			$this->sendEmail($user);
-		} catch (\Exception $e) {
-			// Ignore the error since we do not want to leak this info
-			$this->logger->logException($e, [
-				'level' => ILogger::WARN
-			]);
-		}
-
-		$response = new JSONResponse($this->success());
-		$response->throttle();
-		return $response;
-	}
-
-	/**
-	 * @PublicPage
-	 * @param string $token
-	 * @param string $userId
-	 * @param string $password
-	 * @param boolean $proceed
-	 * @return array
-	 */
-	public function setPassword($token, $userId, $password, $proceed) {
-		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
-			return $this->error($this->l10n->t('Password reset is disabled'));
-		}
-
-		if ($this->encryptionManager->isEnabled() && !$proceed) {
-			$encryptionModules = $this->encryptionManager->getEncryptionModules();
-			foreach ($encryptionModules as $module) {
-				/** @var IEncryptionModule $instance */
-				$instance = call_user_func($module['callback']);
-				// this way we can find out whether per-user keys are used or a system wide encryption key
-				if ($instance->needDetailedAccessList()) {
-					return $this->error('', array('encryption' => true));
-				}
-			}
-		}
-
-		try {
-			$this->checkPasswordResetToken($token, $userId);
-			$user = $this->userManager->get($userId);
-
-			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', array('uid' => $userId, 'password' => $password));
-
-			if (!$user->setPassword($password)) {
-				throw new \Exception();
-			}
-
-			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));
-
-			$this->twoFactorManager->clearTwoFactorPending($userId);
-
-			$this->config->deleteUserValue($userId, 'core', 'lostpassword');
-			@\OC::$server->getUserSession()->unsetMagicInCookie();
-		} catch (HintException $e){
-			return $this->error($e->getHint());
-		} catch (\Exception $e){
-			return $this->error($e->getMessage());
-		}
-
-		return $this->success(['user' => $userId]);
-	}
-
-	/**
-	 * @param string $input
-	 * @throws \Exception
-	 */
-	protected function sendEmail($input) {
-		$user = $this->findUserByIdOrMail($input);
-		$email = $user->getEMailAddress();
-
-		if (empty($email)) {
-			throw new \Exception(
-				$this->l10n->t('Could not send reset email because there is no email address for this username. Please contact your administrator.')
-			);
-		}
-
-		// Generate the token. It is stored encrypted in the database with the
-		// secret being the users' email address appended with the system secret.
-		// This makes the token automatically invalidate once the user changes
-		// their email address.
-		$token = $this->secureRandom->generate(
-			21,
-			ISecureRandom::CHAR_DIGITS.
-			ISecureRandom::CHAR_LOWER.
-			ISecureRandom::CHAR_UPPER
-		);
-		$tokenValue = $this->timeFactory->getTime() .':'. $token;
-		$encryptedValue = $this->crypto->encrypt($tokenValue, $email . $this->config->getSystemValue('secret'));
-		$this->config->setUserValue($user->getUID(), 'core', 'lostpassword', $encryptedValue);
-
-		$link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', array('userId' => $user->getUID(), 'token' => $token));
-
-		$emailTemplate = $this->mailer->createEMailTemplate('core.ResetPassword', [
-			'link' => $link,
-		]);
-
-		$emailTemplate->setSubject($this->l10n->t('%s password reset', [$this->defaults->getName()]));
-		$emailTemplate->addHeader();
-		$emailTemplate->addHeading($this->l10n->t('Password reset'));
-
-		$emailTemplate->addBodyText(
-			htmlspecialchars($this->l10n->t('Click the following button to reset your password. If you have not requested the password reset, then ignore this email.')),
-			$this->l10n->t('Click the following link to reset your password. If you have not requested the password reset, then ignore this email.')
-		);
-
-		$emailTemplate->addBodyButton(
-			htmlspecialchars($this->l10n->t('Reset your password')),
-			$link,
-			false
-		);
-		$emailTemplate->addFooter();
-
-		try {
-			$message = $this->mailer->createMessage();
-			$message->setTo([$email => $user->getUID()]);
-			$message->setFrom([$this->from => $this->defaults->getName()]);
-			$message->useTemplate($emailTemplate);
-			$this->mailer->send($message);
-		} catch (\Exception $e) {
-			throw new \Exception($this->l10n->t(
-				'Couldn\'t send reset email. Please contact your administrator.'
-			));
-		}
-	}
-
-	/**
-	 * @param string $input
-	 * @return IUser
-	 * @throws \InvalidArgumentException
-	 */
-	protected function findUserByIdOrMail($input) {
-		$userNotFound = new \InvalidArgumentException(
-			$this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.')
-		);
-
-		$user = $this->userManager->get($input);
-		if ($user instanceof IUser) {
-			if (!$user->isEnabled()) {
-				throw $userNotFound;
-			}
-
-			return $user;
-		}
-
-		$users = \array_filter($this->userManager->getByEmail($input), function (IUser $user) {
-			return $user->isEnabled();
-		});
-
-		if (\count($users) === 1) {
-			return $users[0];
-		}
-
-		throw $userNotFound;
-	}
+    /** @var IURLGenerator */
+    protected $urlGenerator;
+    /** @var IUserManager */
+    protected $userManager;
+    /** @var Defaults */
+    protected $defaults;
+    /** @var IL10N */
+    protected $l10n;
+    /** @var string */
+    protected $from;
+    /** @var IManager */
+    protected $encryptionManager;
+    /** @var IConfig */
+    protected $config;
+    /** @var ISecureRandom */
+    protected $secureRandom;
+    /** @var IMailer */
+    protected $mailer;
+    /** @var ITimeFactory */
+    protected $timeFactory;
+    /** @var ICrypto */
+    protected $crypto;
+    /** @var ILogger */
+    private $logger;
+    /** @var Manager */
+    private $twoFactorManager;
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IURLGenerator $urlGenerator
+     * @param IUserManager $userManager
+     * @param Defaults $defaults
+     * @param IL10N $l10n
+     * @param IConfig $config
+     * @param ISecureRandom $secureRandom
+     * @param string $defaultMailAddress
+     * @param IManager $encryptionManager
+     * @param IMailer $mailer
+     * @param ITimeFactory $timeFactory
+     * @param ICrypto $crypto
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                IURLGenerator $urlGenerator,
+                                IUserManager $userManager,
+                                Defaults $defaults,
+                                IL10N $l10n,
+                                IConfig $config,
+                                ISecureRandom $secureRandom,
+                                $defaultMailAddress,
+                                IManager $encryptionManager,
+                                IMailer $mailer,
+                                ITimeFactory $timeFactory,
+                                ICrypto $crypto,
+                                ILogger $logger,
+                                Manager $twoFactorManager) {
+        parent::__construct($appName, $request);
+        $this->urlGenerator = $urlGenerator;
+        $this->userManager = $userManager;
+        $this->defaults = $defaults;
+        $this->l10n = $l10n;
+        $this->secureRandom = $secureRandom;
+        $this->from = $defaultMailAddress;
+        $this->encryptionManager = $encryptionManager;
+        $this->config = $config;
+        $this->mailer = $mailer;
+        $this->timeFactory = $timeFactory;
+        $this->crypto = $crypto;
+        $this->logger = $logger;
+        $this->twoFactorManager = $twoFactorManager;
+    }
+
+    /**
+     * Someone wants to reset their password:
+     *
+     * @PublicPage
+     * @NoCSRFRequired
+     *
+     * @param string $token
+     * @param string $userId
+     * @return TemplateResponse
+     */
+    public function resetform($token, $userId) {
+        if ($this->config->getSystemValue('lost_password_link', '') !== '') {
+            return new TemplateResponse('core', 'error', [
+                    'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
+                ],
+                'guest'
+            );
+        }
+
+        try {
+            $this->checkPasswordResetToken($token, $userId);
+        } catch (\Exception $e) {
+            return new TemplateResponse(
+                'core', 'error', [
+                    "errors" => array(array("error" => $e->getMessage()))
+                ],
+                'guest'
+            );
+        }
+
+        return new TemplateResponse(
+            'core',
+            'lostpassword/resetpassword',
+            array(
+                'link' => $this->urlGenerator->linkToRouteAbsolute('core.lost.setPassword', array('userId' => $userId, 'token' => $token)),
+            ),
+            'guest'
+        );
+    }
+
+    /**
+     * @param string $token
+     * @param string $userId
+     * @throws \Exception
+     */
+    protected function checkPasswordResetToken($token, $userId) {
+        $user = $this->userManager->get($userId);
+        if($user === null || !$user->isEnabled()) {
+            throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
+        }
+
+        try {
+            $encryptedToken = $this->config->getUserValue($userId, 'core', 'lostpassword', null);
+            $mailAddress = !is_null($user->getEMailAddress()) ? $user->getEMailAddress() : '';
+            $decryptedToken = $this->crypto->decrypt($encryptedToken, $mailAddress.$this->config->getSystemValue('secret'));
+        } catch (\Exception $e) {
+            throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
+        }
+
+        $splittedToken = explode(':', $decryptedToken);
+        if(count($splittedToken) !== 2) {
+            throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
+        }
+
+        if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*24*7) ||
+            $user->getLastLogin() > $splittedToken[0]) {
+            throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));
+        }
+
+        if (!hash_equals($splittedToken[1], $token)) {
+            throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
+        }
+    }
+
+    /**
+     * @param $message
+     * @param array $additional
+     * @return array
+     */
+    private function error($message, array $additional=array()) {
+        return array_merge(array('status' => 'error', 'msg' => $message), $additional);
+    }
+
+    /**
+     * @param array $data
+     * @return array
+     */
+    private function success($data = []) {
+        return array_merge($data, ['status'=>'success']);
+    }
+
+    /**
+     * @PublicPage
+     * @BruteForceProtection(action=passwordResetEmail)
+     * @AnonRateThrottle(limit=10, period=300)
+     *
+     * @param string $user
+     * @return JSONResponse
+     */
+    public function email($user){
+        if ($this->config->getSystemValue('lost_password_link', '') !== '') {
+            return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));
+        }
+
+        \OCP\Util::emitHook(
+            '\OCA\Files_Sharing\API\Server2Server',
+            'preLoginNameUsedAsUserName',
+            ['uid' => &$user]
+        );
+
+        // FIXME: use HTTP error codes
+        try {
+            $this->sendEmail($user);
+        } catch (\Exception $e) {
+            // Ignore the error since we do not want to leak this info
+            $this->logger->logException($e, [
+                'level' => ILogger::WARN
+            ]);
+        }
+
+        $response = new JSONResponse($this->success());
+        $response->throttle();
+        return $response;
+    }
+
+    /**
+     * @PublicPage
+     * @param string $token
+     * @param string $userId
+     * @param string $password
+     * @param boolean $proceed
+     * @return array
+     */
+    public function setPassword($token, $userId, $password, $proceed) {
+        if ($this->config->getSystemValue('lost_password_link', '') !== '') {
+            return $this->error($this->l10n->t('Password reset is disabled'));
+        }
+
+        if ($this->encryptionManager->isEnabled() && !$proceed) {
+            $encryptionModules = $this->encryptionManager->getEncryptionModules();
+            foreach ($encryptionModules as $module) {
+                /** @var IEncryptionModule $instance */
+                $instance = call_user_func($module['callback']);
+                // this way we can find out whether per-user keys are used or a system wide encryption key
+                if ($instance->needDetailedAccessList()) {
+                    return $this->error('', array('encryption' => true));
+                }
+            }
+        }
+
+        try {
+            $this->checkPasswordResetToken($token, $userId);
+            $user = $this->userManager->get($userId);
+
+            \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', array('uid' => $userId, 'password' => $password));
+
+            if (!$user->setPassword($password)) {
+                throw new \Exception();
+            }
+
+            \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));
+
+            $this->twoFactorManager->clearTwoFactorPending($userId);
+
+            $this->config->deleteUserValue($userId, 'core', 'lostpassword');
+            @\OC::$server->getUserSession()->unsetMagicInCookie();
+        } catch (HintException $e){
+            return $this->error($e->getHint());
+        } catch (\Exception $e){
+            return $this->error($e->getMessage());
+        }
+
+        return $this->success(['user' => $userId]);
+    }
+
+    /**
+     * @param string $input
+     * @throws \Exception
+     */
+    protected function sendEmail($input) {
+        $user = $this->findUserByIdOrMail($input);
+        $email = $user->getEMailAddress();
+
+        if (empty($email)) {
+            throw new \Exception(
+                $this->l10n->t('Could not send reset email because there is no email address for this username. Please contact your administrator.')
+            );
+        }
+
+        // Generate the token. It is stored encrypted in the database with the
+        // secret being the users' email address appended with the system secret.
+        // This makes the token automatically invalidate once the user changes
+        // their email address.
+        $token = $this->secureRandom->generate(
+            21,
+            ISecureRandom::CHAR_DIGITS.
+            ISecureRandom::CHAR_LOWER.
+            ISecureRandom::CHAR_UPPER
+        );
+        $tokenValue = $this->timeFactory->getTime() .':'. $token;
+        $encryptedValue = $this->crypto->encrypt($tokenValue, $email . $this->config->getSystemValue('secret'));
+        $this->config->setUserValue($user->getUID(), 'core', 'lostpassword', $encryptedValue);
+
+        $link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', array('userId' => $user->getUID(), 'token' => $token));
+
+        $emailTemplate = $this->mailer->createEMailTemplate('core.ResetPassword', [
+            'link' => $link,
+        ]);
+
+        $emailTemplate->setSubject($this->l10n->t('%s password reset', [$this->defaults->getName()]));
+        $emailTemplate->addHeader();
+        $emailTemplate->addHeading($this->l10n->t('Password reset'));
+
+        $emailTemplate->addBodyText(
+            htmlspecialchars($this->l10n->t('Click the following button to reset your password. If you have not requested the password reset, then ignore this email.')),
+            $this->l10n->t('Click the following link to reset your password. If you have not requested the password reset, then ignore this email.')
+        );
+
+        $emailTemplate->addBodyButton(
+            htmlspecialchars($this->l10n->t('Reset your password')),
+            $link,
+            false
+        );
+        $emailTemplate->addFooter();
+
+        try {
+            $message = $this->mailer->createMessage();
+            $message->setTo([$email => $user->getUID()]);
+            $message->setFrom([$this->from => $this->defaults->getName()]);
+            $message->useTemplate($emailTemplate);
+            $this->mailer->send($message);
+        } catch (\Exception $e) {
+            throw new \Exception($this->l10n->t(
+                'Couldn\'t send reset email. Please contact your administrator.'
+            ));
+        }
+    }
+
+    /**
+     * @param string $input
+     * @return IUser
+     * @throws \InvalidArgumentException
+     */
+    protected function findUserByIdOrMail($input) {
+        $userNotFound = new \InvalidArgumentException(
+            $this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.')
+        );
+
+        $user = $this->userManager->get($input);
+        if ($user instanceof IUser) {
+            if (!$user->isEnabled()) {
+                throw $userNotFound;
+            }
+
+            return $user;
+        }
+
+        $users = \array_filter($this->userManager->getByEmail($input), function (IUser $user) {
+            return $user->isEnabled();
+        });
+
+        if (\count($users) === 1) {
+            return $users[0];
+        }
+
+        throw $userNotFound;
+    }
 }