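/**
 * Validate a password reset request identified by e-mail address and token.
 *
 * The token is checked against the stored value with password_verify(), so the
 * stored value is expected to be a password_hash()-style hash.
 *
 * Failure handling is mixed and kept as the original had it: malformed input
 * returns a short string, while a missing, expired or non-matching request
 * echoes a message and terminates the script.
 *
 * @param mixed $email E-mail address the reset was requested for.
 * @param mixed $token Reset token; must be exactly 32 hexadecimal characters.
 *
 * @return mixed The stored reset record on success, or an error string when
 *               the e-mail or token is malformed.
 */
public function validatePasswordResetRequest($email, $token)
 {
     Auth::restrictAccess('anonymous');
     $passwordResets = new PasswordResets();
     // This needs to go into base functions and return some kind of json message
     if (!v::email()->validate($email)) {
         return 'email dont comply';
     }
     if (!v::xdigit()->length(32, 32)->validate($token)) {
         return 'token dont comply';
     }
     $passwordReset = $passwordResets->show($email);
     // Not going to reveal whether the user account was found...
     // NOTE(review): this message and the distinct "expired" message below still let an
     // anonymous caller tell "no pending request" apart from "request exists but is old".
     if (empty($passwordReset['token']) || empty($passwordReset['created'])) {
         echo 'password reset request not found. forward. please submit a password reset request first';
         die;
     }
     // Compare in whole seconds so the 60 minute limit is exact; the earlier
     // round()/intval() arithmetic let a request live for almost 61 minutes.
     // An unparseable timestamp is treated as expired (fail closed).
     // NOTE(review): assumes 'created' is stored in PHP's default timezone; confirm.
     $created = strtotime($passwordReset['created']);
     if ($created === false || (time() - $created) > 3600) {
         echo 'password reset has expired. 60 minutes max. submit another reset request';
         die;
     }
     // A non-matching token must never fall through to the return below: the
     // returned record is what a caller would treat as a validated request.
     // The response is the same as for a missing request so that a wrong token
     // does not confirm that a reset is pending for this address.
     if (!password_verify($token, $passwordReset['token'])) {
         echo 'password reset request not found. forward. please submit a password reset request first';
         die;
     }
     // probably shouldnt disclose this. just send json success
     echo 'password matches. proceed to reset.';
     // NOTE(review): the record still carries the stored token hash; callers should not echo it.
     return $passwordReset;
 }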
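 /**
  * Handle an anonymous request to start a password reset.
  *
  * Reads a JSON body with an "email" property, looks the user up by that
  * address and, when one exists, stores a fresh 32-hex-character reset token
  * through PasswordResets::update().
  *
  * The token is a bearer secret for the account, so it is never written to the
  * HTTP response; it has to reach the account owner over a separate channel.
  *
  * @param mixed $request  Request object; only body() is used here.
  * @param mixed $response Unused in this method.
  * @param mixed $service  Unused in this method.
  * @param mixed $app      Application container; users and passwordResets are attached to it.
  *
  * @return mixed An error string when the e-mail is missing or malformed, otherwise nothing.
  */
 public function post($request, $response, $service, $app)
 {
     Auth::restrictAccess('anonymous');
     $app->users = new Users();
     $app->passwordResets = new PasswordResets();
     // json_decode() yields null for a malformed body; guard before reading the
     // property so bad input ends in the validation error instead of a PHP warning.
     $body = json_decode($request->body());
     $email = (is_object($body) && isset($body->email)) ? $body->email : null;
     if (!v::email()->validate($email)) {
         return 'email dont comply';
     }
     $user = $app->users->showFromEmail($email);
     // Maybe add some limit on request frequency here
     if ($user) {
         // openssl_random_pseudo_bytes() can return false or report, through its
         // second argument, that the bytes are not cryptographically strong.
         // Refuse to issue a token in either case.
         $isStrong = false;
         $rawToken = openssl_random_pseudo_bytes(16, $isStrong);
         if ($rawToken === false || $isStrong !== true) {
             echo 'password reset request could not be processed';
             return;
         }
         $token = bin2hex($rawToken);
         // NOTE(review): presumably update() hashes the token before storing it, since
         // validation uses password_verify(); confirm in PasswordResets.
         $app->passwordResets->update($user['id'], $token);
         // TODO: deliver $token to the account's mailbox. Echoing it here would hand
         // the reset secret to whoever submitted the address.
         echo 'password reset request submitted with email: ' . $email;
     } else {
         // dont disclose that the user wasnt found? or do? do or do not. there is no try
         // NOTE(review): this branch lets an anonymous caller enumerate registered
         // addresses; returning the same response in both branches would close that.
         echo 'account not found';
     }
 }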