 /**
  * Ensure the supplied password-reset token belongs to the given admin user and is still usable.
  *
  * Rejects malformed arguments first, then an unknown user, and finally a token that differs
  * from the one stored on the user or that the user reports as expired. Token equality goes
  * through Security::compareStrings rather than a plain string comparison.
  *
  * @param int $userId
  * @param string $resetPasswordToken
  * @return void
  * @throws \Magento\Framework\Exception\LocalizedException
  */
 protected function _validateResetPasswordLinkToken($userId, $resetPasswordToken)
 {
     $argumentsMalformed = !is_int($userId)
         || !is_string($resetPasswordToken)
         || empty($resetPasswordToken)
         || empty($userId)
         || $userId < 0;
     if ($argumentsMalformed) {
         throw new \Magento\Framework\Exception\LocalizedException(
             __('Please correct the password reset token.')
         );
     }

     /** @var $adminUser \Magento\User\Model\User */
     $adminUser = $this->_userFactory->create()->load($userId);
     if (!$adminUser->getId()) {
         throw new \Magento\Framework\Exception\LocalizedException(
             __('Please specify the correct account and try again.')
         );
     }

     // Expiry is only consulted when the token itself matched.
     $storedToken = $adminUser->getRpToken();
     $tokenMatches = Security::compareStrings($storedToken, $resetPasswordToken);
     if (!$tokenMatches || $adminUser->isResetPasswordLinkTokenExpired()) {
         throw new \Magento\Framework\Exception\LocalizedException(
             __('Your password reset link has expired.')
         );
     }
 }
 /**
  * Proxy a chart-image request to the external graph web-service.
  *
  * The proxy exists so the dashboard can embed the image on an HTTPS page independently of how
  * the web-service itself is served. The request carries the chart parameters in 'ga'
  * (url-encoded, base64, JSON) and an integrity hash in 'h'; the upstream fetch happens only
  * when the hash recomputed from 'ga' matches 'h' via Security::compareStrings.
  *
  * A bad or unverifiable request yields a 400 text/plain body; an upstream failure is logged
  * as critical and yields a 503 instead.
  *
  * @return  \Magento\Framework\Controller\Result\Raw
  */
 public function execute()
 {
     $failureReason = __('invalid request');
     $statusCode = 400;
     $encodedChartData = $this->_request->getParam('ga');
     $suppliedHash = $this->_request->getParam('h');
     /** @var \Magento\Framework\Controller\Result\Raw $result */
     $result = $this->resultRawFactory->create();

     // Decode the chart parameters only after the integrity hash has been verified.
     $chartParams = null;
     if ($encodedChartData && $suppliedHash) {
         /** @var $dashboardHelper \Magento\Backend\Helper\Dashboard\Data */
         $dashboardHelper = $this->_objectManager->get('Magento\\Backend\\Helper\\Dashboard\\Data');
         $expectedHash = $dashboardHelper->getChartDataHash($encodedChartData);
         if (Security::compareStrings($expectedHash, $suppliedHash)) {
             $chartJson = base64_decode(urldecode($encodedChartData));
             if ($chartJson) {
                 $chartParams = json_decode($chartJson, true);
             }
         }
     }

     if ($chartParams) {
         try {
             /** @var $httpClient \Magento\Framework\HTTP\ZendClient */
             $httpClient = $this->_objectManager->create('Magento\\Framework\\HTTP\\ZendClient');
             $upstream = $httpClient
                 ->setUri(\Magento\Backend\Block\Dashboard\Graph::API_URL)
                 ->setParameterGet($chartParams)
                 ->setConfig(['timeout' => 5])
                 ->request('GET');
             $upstreamHeaders = $upstream->getHeaders();
             // NOTE(review): relies on the upstream reply carrying a 'Content-type' header under
             // exactly that key; an absent key would surface as an undefined-index notice here.
             $result
                 ->setHeader('Content-type', $upstreamHeaders['Content-type'])
                 ->setContents($upstream->getBody());
             return $result;
         } catch (\Exception $e) {
             $this->_objectManager->get('Psr\\Log\\LoggerInterface')->critical($e);
             $failureReason = __('see error log for details');
             $statusCode = 503;
         }
     }

     $result
         ->setHeader('Content-Type', 'text/plain; charset=UTF-8')
         ->setHttpResponseCode($statusCode)
         ->setContents(__('Service unavailable: %1', $failureReason));
     return $result;
 }
 /**
  * Check a customer's password-reset token against the stored one and its creation time.
  *
  * Argument validation happens before any registry lookup; the token comparison goes through
  * Security::compareStrings and expiry is only evaluated for a matching token.
  *
  * @param int $customerId
  * @param string $resetPasswordLinkToken
  * @return bool Always true when no exception is thrown
  * @throws \Magento\Framework\Exception\State\InputMismatchException If token is mismatched
  * @throws \Magento\Framework\Exception\State\ExpiredException If token is expired
  * @throws \Magento\Framework\Exception\InputException If token or customer id is invalid
  * @throws \Magento\Framework\Exception\NoSuchEntityException If customer doesn't exist
  */
 private function validateResetPasswordToken($customerId, $resetPasswordLinkToken)
 {
     if (empty($customerId) || $customerId < 0) {
         throw new InputException(
             __(InputException::INVALID_FIELD_VALUE, ['value' => $customerId, 'fieldName' => 'customerId'])
         );
     }
     if (!is_string($resetPasswordLinkToken) || empty($resetPasswordLinkToken)) {
         throw new InputException(
             __(InputException::REQUIRED_FIELD, ['fieldName' => 'resetPasswordLinkToken'])
         );
     }

     $secureData = $this->customerRegistry->retrieveSecureData($customerId);
     $storedToken = $secureData->getRpToken();
     $storedTokenCreatedAt = $secureData->getRpTokenCreatedAt();

     if (!Security::compareStrings($storedToken, $resetPasswordLinkToken)) {
         throw new InputMismatchException(__('Reset password token mismatch.'));
     }
     if ($this->isResetPasswordLinkTokenExpired($storedToken, $storedTokenCreatedAt)) {
         throw new ExpiredException(__('Reset password token expired.'));
     }

     return true;
 }
 /**
  * Security::compareStrings() must report equality exactly as each data-provider case expects.
  *
  * @param  string $expected
  * @param  string $actual
  * @param  bool $result
  * @dataProvider dataProvider
  */
 public function testCompareStrings($expected, $actual, $result)
 {
     $comparison = Security::compareStrings($expected, $actual);
     $this->assertEquals($result, $comparison);
 }
 /**
  * @inheritdoc
  *
  * The stored hash is split into its parts first; the candidate password is then re-hashed
  * once per recorded hash version (salted each round) and the final digest is compared with
  * the stored digest via Security::compareStrings.
  */
 public function isValidHash($password, $hash)
 {
     $this->explodePasswordHash($hash);
     $digest = array_reduce(
         $this->getPasswordVersion(),
         function ($carry, $version) {
             return $this->hash($this->getPasswordSalt() . $carry, $version);
         },
         $password
     );
     return Security::compareStrings($digest, $this->getPasswordHash());
 }
 /**
  * Validate the 'oauth_verifier' parameter against the verifier stored with the token.
  *
  * The checks run in order: type, length (via validateOauthToken), then equality with the
  * stored verifier through Security::compareStrings. The first failing check determines the
  * message of the exception thrown.
  *
  * @param string $oauthVerifier
  * @param string $tokenVerifier
  * @return void
  * @throws \Magento\Framework\Oauth\Exception
  */
 protected function _validateVerifierParam($oauthVerifier, $tokenVerifier)
 {
     $failure = null;
     if (!is_string($oauthVerifier)) {
         $failure = 'Verifier is invalid';
     } elseif (!$this->validateOauthToken($oauthVerifier)) {
         $failure = 'Verifier is not the correct length';
     } elseif (!Security::compareStrings($tokenVerifier, $oauthVerifier)) {
         $failure = 'Token verifier and verifier token do not match';
     }

     if ($failure !== null) {
         throw new \Magento\Framework\Oauth\Exception(__($failure));
     }
 }
 /**
  * Check whether the gateway-supplied x_MD5_Hash matches the hash this object computes from the
  * merchant MD5 secret, API login, amount and transaction id.
  *
  * @param string $merchantMd5
  * @param string $merchantApiLogin
  * @return bool
  */
 public function isValidHash($merchantMd5, $merchantApiLogin)
 {
     $receivedHash = $this->getData('x_MD5_Hash');
     $expectedHash = $this->generateHash(
         $merchantMd5,
         $merchantApiLogin,
         $this->getXAmount(),
         $this->getXTransId()
     );
     return Security::compareStrings($expectedHash, $receivedHash);
 }
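 /**
  * Validate the request signature using the signature method named in the request.
  *
  * The signature method must be one of self::getSupportedSignatureMethods() (strict match,
  * since the value comes from the request). The signature is recomputed over all parameters
  * except 'oauth_signature' and compared with the supplied one via Security::compareStrings.
  * A request with no 'oauth_signature' at all is rejected as an invalid signature instead of
  * being compared against null.
  *
  * @param array $params
  * @param string $consumerSecret
  * @param string $httpMethod
  * @param string $requestUrl
  * @param string $tokenSecret
  * @return void
  * @throws Exception|OauthInputException
  */
 protected function _validateSignature($params, $consumerSecret, $httpMethod, $requestUrl, $tokenSecret = null)
 {
     // Read both request-supplied values once; a missing key is null rather than a notice.
     $signatureMethod = isset($params['oauth_signature_method']) ? $params['oauth_signature_method'] : null;
     $providedSignature = isset($params['oauth_signature']) ? $params['oauth_signature'] : null;

     // Strict comparison: a loosely-typed request value must not match a supported method by coercion.
     if (!in_array($signatureMethod, self::getSupportedSignatureMethods(), true)) {
         throw new OauthInputException(
             new Phrase('Signature method %1 is not supported', [$signatureMethod])
         );
     }
     if ($providedSignature === null) {
         throw new Exception(new Phrase('Invalid signature'));
     }

     $signedParams = $params;
     unset($signedParams['oauth_signature']);
     $calculatedSign = $this->_httpUtility->sign(
         $signedParams,
         $signatureMethod,
         $consumerSecret,
         $tokenSecret,
         $httpMethod,
         $requestUrl
     );
     if (!Security::compareStrings($calculatedSign, $providedSignature)) {
         throw new Exception(new Phrase('Invalid signature'));
     }
 }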