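/**
 * Validate a password-reset attempt identified by ($email, $token).
 *
 * @param string $email the address the reset was requested for
 * @param string $token the plaintext token presented by the requester (must be
 *                      exactly 32 hex digits, i.e. the bin2hex of 16 bytes)
 * @return array|string the stored reset row when the token verifies, or a short
 *                      error string when the input fails format validation.
 *                      "not found", "expired" and "token mismatch" print a message
 *                      and terminate the script, as the original did for the first two.
 */
public function validatePasswordResetRequest($email, $token)
{
    Auth::restrictAccess('anonymous');
    $passwordResets = new PasswordResets();

    // TODO: route these format failures through a shared helper that returns a
    // JSON error body instead of a bare string.
    if (!v::email()->validate($email)) {
        return 'email dont comply';
    }
    if (!v::xdigit()->length(32, 32)->validate($token)) {
        return 'token dont comply';
    }

    $passwordReset = $passwordResets->show($email);

    // Same reply whether the account is unknown or merely has no open reset,
    // so this step does not reveal which addresses are registered.
    if (empty($passwordReset['token']) || empty($passwordReset['created'])) {
        echo 'password reset request not found. forward. please submit a password reset request first';
        die;
    }

    // Expiry window: 60 minutes from the stored creation time, compared in whole
    // seconds.  The original rounded to minutes and then truncated with intval(),
    // which accepted requests up to 60.99 minutes old.
    // NOTE(review): assumes `created` is stored in the timezone PHP's time()
    // uses -- confirm against the column definition / DB session timezone.
    $createdAt = strtotime($passwordReset['created']);
    if ($createdAt === false || (time() - $createdAt) > 60 * 60) {
        echo 'password reset has expired. 60 minutes max. submit another reset request';
        die;
    }

    // The stored value is checked with password_verify(), so it is presumably a
    // password_hash() of the plaintext token.  A mismatch has to be terminal:
    // the original only echoed on success and then returned the row regardless,
    // so any well-formed 32-hex-digit string passed this function.
    if (!password_verify($token, $passwordReset['token'])) {
        echo 'password reset token does not match';
        die;
    }

    // TODO: emit a JSON success body instead of this text.
    echo 'password matches. proceed to reset.';

    return $passwordReset;
}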
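/**
 * Handle a password-reset request: issue a fresh token for the account that
 * owns the posted e-mail address and record it.
 *
 * Expects a JSON body of the form {"email": "..."}.
 *
 * @param mixed $request  framework request; only ->body() is read
 * @param mixed $response unused
 * @param mixed $service  unused
 * @param mixed $app      container; Users and PasswordResets are attached to it here
 * @return string|void    'email dont comply' for a missing or malformed address;
 *                        otherwise prints a fixed acknowledgement
 */
public function post($request, $response, $service, $app)
{
    Auth::restrictAccess('anonymous');
    $app->users = new Users();
    $app->passwordResets = new PasswordResets();

    // The body is untrusted JSON: an absent or non-object body must not be
    // dereferenced blindly (the original read ->email unconditionally).
    $body = json_decode($request->body());
    $email = (is_object($body) && isset($body->email)) ? $body->email : null;
    if (!is_string($email) || !v::email()->validate($email)) {
        return 'email dont comply';
    }

    // TODO: rate-limit by address and client IP -- this endpoint is anonymous
    // and every call replaces the stored token.
    $user = $app->users->showFromEmail($email);

    if ($user) {
        // 16 random bytes -> 32 hex digits, the exact shape
        // validatePasswordResetRequest() accepts.  Prefer random_bytes() once
        // the deployment is on PHP 7+.
        $token = bin2hex(openssl_random_pseudo_bytes(16));

        // NOTE(review): validatePasswordResetRequest() checks the stored value
        // with password_verify(), so update() is expected to store
        // password_hash($token), never the plaintext -- confirm.
        $app->passwordResets->update($user['id'], $token);

        // The token is the whole secret.  It must reach the user only through
        // the address on file; the mail facility is not visible from here
        // (TODO: wire it in).  The original returned the token in this HTTP
        // response, which let anyone who knew an e-mail address take over the
        // account.
    }

    // Identical reply whether or not the address is registered, so the
    // endpoint cannot be used to enumerate accounts; the address is not
    // reflected back either.
    echo 'password reset request submitted';
}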