コード例 #1
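 /**
  * A second reset request sent right after the first must be refused with
  * 'passwordResetMinWait'. Once the stored reset_sent_at is older than
  * PASSWORD_RESET_MIN_WAIT, a new request must go through without throwing.
  */
 public function testShouldRefuseMultipleRequestsInShortInterval()
 {
     $user_data = UserFactory::generateUser();
     $r = new Request(array('email' => $user_data['email']));
     ResetController::apiCreate($r);

     // Start from null so a missing exception shows up as a clean assertion
     // failure instead of an undefined-variable notice.
     $message = null;
     try {
         ResetController::apiCreate($r);
         $this->fail('A second reset request inside the minimum wait window was accepted.');
     } catch (InvalidParameterException $expected) {
         $message = $expected->getMessage();
     }
     $this->assertEquals('passwordResetMinWait', $message);

     // Time travel: backdate the last reset so the rate limit window has passed.
     $reset_sent_at = ApiUtils::GetStringTime(time() - PASSWORD_RESET_MIN_WAIT - 1);
     $user = UsersDAO::FindByEmail($user_data['email']);
     $user->setResetSentAt($reset_sent_at);
     UsersDAO::save($user);

     // Must not throw now that the window has elapsed.
     ResetController::apiCreate($r);
 }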
コード例 #2
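 /**
  * Resolve a user from either an email address or a username.
  *
  * The email lookup runs first; the username lookup only runs when no user
  * matches by email.
  *
  * @param string $userOrEmail Username or email to look up; validated as a non-empty string.
  * @return User The matching user.
  * @throws ApiException Re-thrown unchanged. This covers the NotFoundException raised
  *                      below only if that class extends ApiException (TODO confirm);
  *                      otherwise it is wrapped like any other exception.
  * @throws InvalidDatabaseOperationException Wraps any non-ApiException raised during the lookups.
  * @throws InvalidParameterException Presumably raised by the validator on empty input (confirm).
  */
 public static function resolveUser($userOrEmail)
 {
     Validators::isStringNonEmpty($userOrEmail, 'Username or email not found');
     try {
         $user = UsersDAO::FindByEmail($userOrEmail);
         if (is_null($user)) {
             $user = UsersDAO::FindByUsername($userOrEmail);
         }
         if (is_null($user)) {
             // NOTE(review): a distinct "not found" error tells the caller whether an
             // account exists. Endpoints reachable without authentication should map
             // it to a generic response so it cannot be used to enumerate accounts.
             throw new NotFoundException('userOrMailNotFound');
         }
         return $user;
     } catch (ApiException $apiException) {
         throw $apiException;
     } catch (Exception $e) {
         throw new InvalidDatabaseOperationException($e);
     }
 }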
コード例 #3
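 /**
  * Try to log the current visitor in through Facebook.
  *
  * The attempt is made only when the request carries a `state` query
  * parameter, so the Facebook session is not probed on every front-end
  * request. On success the matching local user (created on first visit) is
  * handed to RegisterSession().
  *
  * @return false|null false when the Facebook login cannot be completed;
  *                    no explicit value is returned once the session is registered.
  */
 public function LoginViaFacebook()
 {
     // Facebook adds state=... when it redirects back to us; without it there
     // is nothing to check on this request.
     // NOTE(review): only the presence of `state` is tested here. Confirm that the
     // SDK instance compares it with the value issued for this browser session
     // (login CSRF protection).
     if (!isset($_GET['state'])) {
         return false;
     }

     $facebook = self::getFacebookInstance();
     $fb_user = $facebook->getUser();
     if ($fb_user == 0) {
         self::$log->info('FB session unavailable.');
         return false;
     }

     // A user id only means the user was logged into Facebook at some point.
     // The access token may no longer be valid (e.g. after a Facebook logout),
     // so the profile call below is the real check.
     try {
         $fb_user_profile = $facebook->api('/me');
     } catch (FacebookApiException $e) {
         self::$log->error('FacebookException:' . $e);
         return false;
     }

     // The local account is keyed on the email address, so a profile without
     // one cannot be matched or registered safely.
     if (empty($fb_user_profile['email'])) {
         self::$log->error('Facebook profile did not include an email address.');
         return false;
     }

     self::$log->info('User is logged in via facebook !!');

     // NOTE(review): matching on email links this Facebook identity to any existing
     // local account with the same address. That is only safe if the provider has
     // verified the address. Confirm this before relying on it.
     $results = UsersDAO::FindByEmail($fb_user_profile['email']);
     if (!is_null($results)) {
         // Returning Facebook user.
         $vo_User = $results;
         self::$log->info('user has been here before with facebook!');
     } else {
         // First visit: register the user.
         // Privacy concern from the original author: deriving the public username
         // from the email exposes part of an address the user may not want shared.
         // A possible alternative is
         // $username = str_replace(" ", "_", $fb_user_profile["name"]).
         $username = self::getUniqueUsernameFromEmail($fb_user_profile['email']);

         // The permission key authorises a password-less account creation, so it
         // must be unpredictable. uniqid() is derived from the clock; use the CSPRNG.
         UserController::$permissionKey = bin2hex(random_bytes(16));
         $r = new Request(array(
             'name' => $fb_user_profile['name'],
             'username' => $username,
             'email' => $fb_user_profile['email'],
             'facebook_user_id' => $fb_user_profile['id'],
             'password' => null,
             'permission_key' => UserController::$permissionKey,
             'ignore_password' => true,
         ));
         try {
             $res = UserController::apiCreate($r);
         } catch (ApiException $e) {
             self::$log->error('Unable to login via Facebook ' . $e);
             return false;
         }
         $vo_User = UsersDAO::getByPK($res['user_id']);
     }

     // Issue a local auth token so later API calls do not have to go back to
     // Facebook to check the login.
     $this->RegisterSession($vo_User);
 }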
コード例 #4
ファイル: UserProfileTest.php プロジェクト: kukogit/omegaup
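 /**
  * Updating the main email through the API must make the user retrievable
  * by the new address.
  */
 public function testUpdateMainEmail()
 {
     $user = UserFactory::createUser();
     $r = new Request(array("auth_token" => self::login($user), "email" => "*****@*****.**"));
     UserController::apiUpdateMainEmail($r);

     // Look the user up by the new address. Assert it exists first, so a failed
     // update is reported as an assertion failure rather than a call on null.
     $user_in_db = UsersDAO::FindByEmail("*****@*****.**");
     $this->assertNotNull($user_in_db);
     $this->assertEquals($user->getUserId(), $user_in_db->getUserId());
 }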
コード例 #5
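 /**
  * Validate a password-reset update request, throwing when it must be refused.
  *
  * Checks run in this order: required fields present, reset token matches the
  * stored digest, password equals its confirmation, password strength, and
  * finally that the reset was issued no more than PASSWORD_RESET_TIMEOUT
  * seconds ago.
  *
  * @param mixed $r Request read by key: email, reset_token, password, password_confirmation.
  * @return void
  * @throws InvalidParameterException With 'invalidParameters', 'invalidResetToken',
  *                                   'passwordMismatch' or 'passwordResetResetExpired'.
  */
 private static function validateUpdateRequest($r)
 {
     $user = UsersDAO::FindByEmail($r['email']);
     $reset_token = $r['reset_token'];
     $password = $r['password'];
     $password_confirmation = $r['password_confirmation'];
     if (is_null($user) || is_null($reset_token) || is_null($password) || is_null($password_confirmation)) {
         throw new InvalidParameterException('invalidParameters');
     }

     // Refuse a non-string token and an account with no stored digest up front,
     // so the comparison below always runs on two real digest strings. Use
     // hash_equals() so the comparison time does not depend on how many leading
     // characters match.
     // NOTE(review): the digest is unsalted SHA-1. That is only adequate if the
     // token itself is long and randomly generated. Confirm at the issuing side.
     $stored_digest = $user->reset_digest;
     if (
         !is_string($reset_token)
         || !is_string($stored_digest)
         || !hash_equals($stored_digest, hash('sha1', $reset_token))
     ) {
         throw new InvalidParameterException('invalidResetToken');
     }

     if ($password !== $password_confirmation) {
         throw new InvalidParameterException('passwordMismatch');
     }
     // Presumably throws when the password is too weak (confirm against SecurityTools).
     SecurityTools::testStrongPassword($password);

     // Tokens are only honoured for a limited time after they were sent.
     $seconds = time() - strtotime($user->reset_sent_at);
     if ($seconds > PASSWORD_RESET_TIMEOUT) {
         throw new InvalidParameterException('passwordResetResetExpired');
     }
 }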
コード例 #6
 /**
  * Forward an email search to UsersDAO::FindByEmail() after coercing the
  * numeric arguments to integers and passing the keyword through addslashes().
  *
  * NOTE(review): addslashes() is not a database-aware escape. If the DAO builds
  * SQL by interpolation, this should become a bound parameter. If the DAO already
  * binds parameters, the extra backslashes alter the search term. Confirm which
  * applies in UsersDAO.
  *
  * @param string $keyWord Email (or fragment) to search for.
  * @param int $index Presumably the paging offset (confirm against the DAO).
  * @param int $limit Presumably the maximum number of rows (confirm against the DAO).
  * @return mixed Whatever UsersDAO::FindByEmail() returns.
  */
 public static function FindByEmail($keyWord, $index = 0, $limit = 10)
 {
     $offset = (int) $index;
     $maxRows = (int) $limit;
     $escapedKeyword = addslashes($keyWord);

     return UsersDAO::FindByEmail($escapedKeyword, $offset, $maxRows);
 }
コード例 #7
 /**
  * End-to-end reset flow: request a token, submit a new password with it,
  * then log in using the new password.
  */
 public function testShouldLogInWithNewPassword()
 {
     $user_data = UserFactory::generateUser();
     $email = $user_data['email'];

     // Step 1: ask for a reset token for this account.
     $create_response = ResetController::apiCreate(new Request(array('email' => $email)));

     // Step 2: build the update request from the generated user data plus the
     // token and the new password.
     $new_password = '******';
     $update_payload = array_merge($user_data, array(
         'reset_token' => $create_response['token'],
         'password' => $new_password,
         'password_confirmation' => $new_password,
     ));
     $update_request = new Request($update_payload);

     // The user is fetched before the update, as in the original flow.
     $account = UsersDAO::FindByEmail($email);
     ResetController::apiUpdate($update_request);

     // Step 3: log in with the new password set on the fetched user object.
     $account->password = $new_password;
     $this->login($account);
 }