/** * Tests password reset functionality. */ function testUserPasswordReset() { // Try to reset the password for an invalid account. $this->drupalGet('user/password'); $edit = array('name' => $this->randomMachineName(32)); $this->drupalPostForm(NULL, $edit, t('Email new password')); $this->assertText(t('Sorry, @name is not recognized as a username or an email address.', array('@name' => $edit['name'])), 'Validation error message shown when trying to request password for invalid account.'); $this->assertEqual(count($this->drupalGetMails(array('id' => 'user_password_reset'))), 0, 'No email was sent when requesting a password for an invalid account.'); // Reset the password by username via the password reset page. $edit['name'] = $this->account->getUsername(); $this->drupalPostForm(NULL, $edit, t('Email new password')); // Verify that the user was sent an email. $this->assertMail('to', $this->account->getEmail(), 'Password email sent to user.'); $subject = t('Replacement login information for @username at @site', array('@username' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name'))); $this->assertMail('subject', $subject, 'Password reset email subject is correct.'); $resetURL = $this->getResetURL(); $this->drupalGet($resetURL); // Check the one-time login page. $this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.'); $this->assertText(t('This login can be used only once.'), 'Found warning about one-time login.'); // Check successful login. $this->drupalPostForm(NULL, NULL, t('Log in')); $this->assertLink(t('Log out')); $this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name'))), 'Logged in using password reset link.'); // Change the forgotten password. $password = user_password(); $edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password); $this->drupalPostForm(NULL, $edit, t('Save')); $this->assertText(t('The changes have been saved.'), 'Forgotten password changed.'); // Verify that the password reset session has been destroyed. $this->drupalPostForm(NULL, $edit, t('Save')); $this->assertText(t('Your current password is missing or incorrect; it\'s required to change the Password.'), 'Password needed to make profile changes.'); // Log out, and try to log in again using the same one-time link. $this->drupalLogout(); $this->drupalGet($resetURL); $this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.'); // Request a new password again, this time using the email address. $this->drupalGet('user/password'); // Count email messages before to compare with after. $before = count($this->drupalGetMails(array('id' => 'user_password_reset'))); $edit = array('name' => $this->account->getEmail()); $this->drupalPostForm(NULL, $edit, t('Email new password')); $this->assertTrue(count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.'); // Create a password reset link as if the request time was 60 seconds older than the allowed limit. $timeout = \Drupal::config('user.settings')->get('password_reset_timeout'); $bogus_timestamp = REQUEST_TIME - $timeout - 60; $_uid = $this->account->id(); $this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account->getPassword(), $bogus_timestamp, $this->account->getLastLoginTime())); $this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.'); // Create a user, block the account, and verify that a login link is denied. $timestamp = REQUEST_TIME - 1; $blocked_account = $this->drupalCreateUser()->block(); $blocked_account->save(); $this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account->getPassword(), $timestamp, $blocked_account->getLastLoginTime())); $this->assertResponse(403); }
/** * Confirms cancelling a user account via an email link. * * @param \Drupal\user\UserInterface $user * The user account. * @param int $timestamp * The timestamp. * @param string $hashed_pass * The hashed password. * * @return \Symfony\Component\HttpFoundation\RedirectResponse * A redirect response. */ public function confirmCancel(UserInterface $user, $timestamp = 0, $hashed_pass = '') { // Time out in seconds until cancel URL expires; 24 hours = 86400 seconds. $timeout = 86400; $current = REQUEST_TIME; // Basic validation of arguments. $account_data = $this->userData->get('user', $user->id()); if (isset($account_data['cancel_method']) && !empty($timestamp) && !empty($hashed_pass)) { // Validate expiration and hashed password/login. if ($timestamp <= $current && $current - $timestamp < $timeout && $user->id() && $timestamp >= $user->getLastLoginTime() && Crypt::hashEquals($hashed_pass, user_pass_rehash($user, $timestamp))) { $edit = array('user_cancel_notify' => isset($account_data['cancel_notify']) ? $account_data['cancel_notify'] : $this->config('user.settings')->get('notify.status_canceled')); user_cancel($edit, $user->id(), $account_data['cancel_method']); // Since user_cancel() is not invoked via Form API, batch processing // needs to be invoked manually and should redirect to the front page // after completion. return batch_process(''); } else { drupal_set_message(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'error'); return $this->redirect('entity.user.cancel_form', ['user' => $user->id()], ['absolute' => TRUE]); } } throw new AccessDeniedHttpException(); }
/** * {@inheritdoc} */ public function updateLastLoginTimestamp(UserInterface $account) { $this->database->update('users')->fields(array('login' => $account->getLastLoginTime()))->condition('uid', $account->id())->execute(); // Ensure that the entity cache is cleared. $this->resetCache(array($account->id())); }
/** * {@inheritdoc} */ public function getLastLoginTime() { return $this->subject->getLastLoginTime(); }