/**
 * Verify that a password-reset token belongs to the given admin user and is still usable.
 *
 * Argument sanity is checked first, then the user is loaded, then the stored token is
 * compared with Security::compareStrings (constant-time) and the expiry consulted.
 * Mismatch and expiry raise the same message, so a caller cannot tell them apart.
 *
 * @param int $userId
 * @param string $resetPasswordToken
 * @return void
 * @throws \Magento\Framework\Exception\LocalizedException On bad arguments, unknown user,
 *         token mismatch or expired token
 */
protected function _validateResetPasswordLinkToken($userId, $resetPasswordToken)
{
    // Equivalent to the original guard: the id must be a positive int, the token a non-empty string.
    $argumentsLookSane = is_int($userId)
        && $userId > 0
        && is_string($resetPasswordToken)
        && !empty($resetPasswordToken);
    if (!$argumentsLookSane) {
        throw new \Magento\Framework\Exception\LocalizedException(
            __('Please correct the password reset token.')
        );
    }

    /** @var \Magento\User\Model\User $user */
    $user = $this->_userFactory->create()->load($userId);
    if (!$user->getId()) {
        throw new \Magento\Framework\Exception\LocalizedException(
            __('Please specify the correct account and try again.')
        );
    }

    // Compare first; the expiry check only runs for a matching token.
    $tokenMatches = Security::compareStrings($user->getRpToken(), $resetPasswordToken);
    if (!$tokenMatches || $user->isResetPasswordLinkTokenExpired()) {
        throw new \Magento\Framework\Exception\LocalizedException(
            __('Your password reset link has expired.')
        );
    }
}
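/**
 * Proxy a dashboard graph image from the external chart web-service.
 *
 * The request is forwarded server-side so the image can be embedded in an HTTPS page
 * regardless of the web-service's own transport settings. The 'ga' payload is forwarded
 * only when its 'h' hash matches the value recomputed by the dashboard helper, which is
 * what stops an arbitrary caller from using this action as an open proxy.
 *
 * Changes versus the previous version: both request parameters must be strings (a
 * non-string value, e.g. ?ga[]=x, would otherwise reach Security::compareStrings and
 * base64_decode), the decoded JSON must be an array before it is handed to
 * setParameterGet(), and the upstream Content-type header is only copied when the
 * web-service actually sent one instead of being set to null.
 *
 * @return \Magento\Framework\Controller\Result\Raw
 */
public function execute()
{
    $error = __('invalid request');
    $httpCode = 400;
    $gaData = $this->_request->getParam('ga');
    $gaHash = $this->_request->getParam('h');
    /** @var \Magento\Framework\Controller\Result\Raw $resultRaw */
    $resultRaw = $this->resultRawFactory->create();

    // Only non-empty string parameters are meaningful; arrays or other types are rejected.
    if (is_string($gaData) && is_string($gaHash) && $gaData && $gaHash) {
        /** @var \Magento\Backend\Helper\Dashboard\Data $helper */
        $helper = $this->_objectManager->get('Magento\\Backend\\Helper\\Dashboard\\Data');
        $newHash = $helper->getChartDataHash($gaData);
        // Constant-time comparison: this hash is the only thing authorising the forward.
        if (Security::compareStrings($newHash, $gaHash)) {
            $params = null;
            $paramsJson = base64_decode(urldecode($gaData));
            if ($paramsJson) {
                $params = json_decode($paramsJson, true);
            }
            // setParameterGet() expects an array; a scalar JSON document must not get through.
            if (is_array($params) && $params) {
                try {
                    /** @var \Magento\Framework\HTTP\ZendClient $httpClient */
                    $httpClient = $this->_objectManager->create('Magento\\Framework\\HTTP\\ZendClient');
                    $response = $httpClient
                        ->setUri(\Magento\Backend\Block\Dashboard\Graph::API_URL)
                        ->setParameterGet($params)
                        ->setConfig(['timeout' => 5])
                        ->request('GET');
                    $headers = $response->getHeaders();
                    // Pass the upstream content type through only when it is present.
                    if (isset($headers['Content-type'])) {
                        $resultRaw->setHeader('Content-type', $headers['Content-type']);
                    }
                    $resultRaw->setContents($response->getBody());
                    return $resultRaw;
                } catch (\Exception $e) {
                    $this->_objectManager->get('Psr\\Log\\LoggerInterface')->critical($e);
                    $error = __('see error log for details');
                    $httpCode = 503;
                }
            }
        }
    }

    $resultRaw
        ->setHeader('Content-Type', 'text/plain; charset=UTF-8')
        ->setHttpResponseCode($httpCode)
        ->setContents(__('Service unavailable: %1', $error));
    return $resultRaw;
}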
/**
 * Check a customer's password-reset token: arguments present, token matches the stored
 * one, and the token has not expired.
 *
 * @param int $customerId
 * @param string $resetPasswordLinkToken
 * @return bool Always true; every failure is reported by throwing.
 * @throws \Magento\Framework\Exception\InputException If the customer id or token argument is invalid
 * @throws \Magento\Framework\Exception\NoSuchEntityException If the customer doesn't exist
 * @throws \Magento\Framework\Exception\State\InputMismatchException If the token does not match
 * @throws \Magento\Framework\Exception\State\ExpiredException If the token matches but has expired
 */
private function validateResetPasswordToken($customerId, $resetPasswordLinkToken)
{
    if (empty($customerId) || $customerId < 0) {
        throw new InputException(
            __(InputException::INVALID_FIELD_VALUE, ['value' => $customerId, 'fieldName' => 'customerId'])
        );
    }
    if (!is_string($resetPasswordLinkToken) || empty($resetPasswordLinkToken)) {
        throw new InputException(
            __(InputException::REQUIRED_FIELD, ['fieldName' => 'resetPasswordLinkToken'])
        );
    }

    $secureData = $this->customerRegistry->retrieveSecureData($customerId);
    $storedToken = $secureData->getRpToken();
    $tokenCreatedAt = $secureData->getRpTokenCreatedAt();

    // Constant-time comparison first; expiry is only consulted for a matching token.
    if (!Security::compareStrings($storedToken, $resetPasswordLinkToken)) {
        throw new InputMismatchException(__('Reset password token mismatch.'));
    }
    if ($this->isResetPasswordLinkTokenExpired($storedToken, $tokenCreatedAt)) {
        throw new ExpiredException(__('Reset password token expired.'));
    }
    return true;
}
/**
 * Security::compareStrings must return exactly the expected boolean for each provider case.
 *
 * @param string $expected First string handed to compareStrings
 * @param string $actual Second string handed to compareStrings
 * @param bool $result Expected comparison outcome
 * @dataProvider dataProvider
 */
public function testCompareStrings($expected, $actual, $result)
{
    $comparison = Security::compareStrings($expected, $actual);
    $this->assertEquals($result, $comparison);
}
/**
 * @inheritdoc
 *
 * Re-derives the digest from $password: for every hash version reported by
 * getPasswordVersion() (presumably populated by explodePasswordHash($hash) — confirm),
 * the salt is prepended to the previous digest and hashed again. The final digest is then
 * compared with the stored one in constant time.
 */
public function isValidHash($password, $hash)
{
    $this->explodePasswordHash($hash);

    $digest = $password;
    foreach ($this->getPasswordVersion() as $version) {
        // Each round feeds the previous round's output back in, salted.
        $digest = $this->hash($this->getPasswordSalt() . $digest, $version);
    }

    return Security::compareStrings($digest, $this->getPasswordHash());
}
/**
 * Validate the 'oauth_verifier' request parameter against the verifier stored with the token.
 *
 * @param string $oauthVerifier Verifier supplied by the client
 * @param string $tokenVerifier Verifier stored for the request token
 * @return void
 * @throws \Magento\Framework\Oauth\Exception On a non-string, wrong-length or mismatched verifier
 */
protected function _validateVerifierParam($oauthVerifier, $tokenVerifier)
{
    if (is_string($oauthVerifier) === false) {
        throw new \Magento\Framework\Oauth\Exception(__('Verifier is invalid'));
    }

    // Format/length check first so only well-formed values reach the comparison.
    $wellFormed = $this->validateOauthToken($oauthVerifier);
    if (!$wellFormed) {
        throw new \Magento\Framework\Oauth\Exception(__('Verifier is not the correct length'));
    }

    // Constant-time comparison of the stored verifier with the supplied one.
    $matches = Security::compareStrings($tokenVerifier, $oauthVerifier);
    if (!$matches) {
        throw new \Magento\Framework\Oauth\Exception(__('Token verifier and verifier token do not match'));
    }
}
/**
 * Verify the gateway's MD5 response hash (x_MD5_Hash) for this transaction.
 *
 * The expected value is regenerated from the merchant MD5 secret, the API login, the
 * amount and the transaction id, and compared with the received hash in constant time.
 *
 * NOTE(review): this relies on the legacy MD5-based hash field; confirm the gateway still
 * issues it for this integration.
 *
 * @param string $merchantMd5
 * @param string $merchantApiLogin
 * @return bool True when the received hash matches the regenerated one
 */
public function isValidHash($merchantMd5, $merchantApiLogin)
{
    $expectedHash = $this->generateHash(
        $merchantMd5,
        $merchantApiLogin,
        $this->getXAmount(),
        $this->getXTransId()
    );
    $receivedHash = $this->getData('x_MD5_Hash');

    return Security::compareStrings($expectedHash, $receivedHash);
}
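/**
 * Validate the request signature using the signature method named in the request.
 *
 * The signature is recomputed over every parameter except 'oauth_signature' itself and
 * compared with the supplied value in constant time.
 *
 * Changes versus the previous version: the supported-method lookup uses strict in_array()
 * so a loosely-equal value cannot pass as a supported method, and a request that omits
 * 'oauth_signature' (or sends a non-string) is rejected as an invalid signature instead of
 * triggering an undefined-index notice before the comparison.
 *
 * @param array $params
 * @param string $consumerSecret
 * @param string $httpMethod
 * @param string $requestUrl
 * @param string $tokenSecret
 * @return void
 * @throws Exception|OauthInputException
 */
protected function _validateSignature($params, $consumerSecret, $httpMethod, $requestUrl, $tokenSecret = null)
{
    $signatureMethod = isset($params['oauth_signature_method']) ? $params['oauth_signature_method'] : null;
    if (!in_array($signatureMethod, self::getSupportedSignatureMethods(), true)) {
        throw new OauthInputException(
            new Phrase('Signature method %1 is not supported', [$signatureMethod])
        );
    }

    // A missing or non-string signature can never match; fail the same way a mismatch does.
    if (!isset($params['oauth_signature']) || !is_string($params['oauth_signature'])) {
        throw new Exception(new Phrase('Invalid signature'));
    }

    // The signature itself is not part of the signed base string.
    $allowedSignParams = $params;
    unset($allowedSignParams['oauth_signature']);
    $calculatedSign = $this->_httpUtility->sign(
        $allowedSignParams,
        $signatureMethod,
        $consumerSecret,
        $tokenSecret,
        $httpMethod,
        $requestUrl
    );

    if (!Security::compareStrings($calculatedSign, $params['oauth_signature'])) {
        throw new Exception(new Phrase('Invalid signature'));
    }
}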