/**
* Tests password reset functionality.
*/
function testUserPasswordReset()
{
// Try to reset the password for an invalid account.
$this->drupalGet('user/password');
$edit = array('name' => $this->randomMachineName(32));
$this->drupalPostForm(NULL, $edit, t('Email new password'));
$this->assertText(t('Sorry, @name is not recognized as a username or an email address.', array('@name' => $edit['name'])), 'Validation error message shown when trying to request password for invalid account.');
$this->assertEqual(count($this->drupalGetMails(array('id' => 'user_password_reset'))), 0, 'No email was sent when requesting a password for an invalid account.');
// Reset the password by username via the password reset page.
$edit['name'] = $this->account->getUsername();
$this->drupalPostForm(NULL, $edit, t('Email new password'));
// Verify that the user was sent an email.
$this->assertMail('to', $this->account->getEmail(), 'Password email sent to user.');
$subject = t('Replacement login information for @username at @site', array('@username' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name')));
$this->assertMail('subject', $subject, 'Password reset email subject is correct.');
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
// Check the one-time login page.
$this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
$this->assertText(t('This login can be used only once.'), 'Found warning about one-time login.');
// Check successful login.
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name'))), 'Logged in using password reset link.');
// Change the forgotten password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
// Verify that the password reset session has been destroyed.
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('Your current password is missing or incorrect; it\'s required to change the Password.'), 'Password needed to make profile changes.');
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
$this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');
// Request a new password again, this time using the email address.
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails(array('id' => 'user_password_reset')));
$edit = array('name' => $this->account->getEmail());
$this->drupalPostForm(NULL, $edit, t('Email new password'));
$this->assertTrue(count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = \Drupal::config('user.settings')->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;
$_uid = $this->account->id();
$this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account->getPassword(), $bogus_timestamp, $this->account->getLastLoginTime()));
$this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
// Create a user, block the account, and verify that a login link is denied.
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this->drupalCreateUser()->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account->getPassword(), $timestamp, $blocked_account->getLastLoginTime()));
$this->assertResponse(403);
}
/**
* {@inheritdoc}
*/
public function checkExistingPassword(UserInterface $account_unchanged)
{
return !empty($this->get('pass')->existing) && \Drupal::service('password')->check(trim($this->get('pass')->existing), $account_unchanged->getPassword());
}
/**
* Confirms cancelling a user account via an email link.
*
* @param \Drupal\user\UserInterface $user
* The user account.
* @param int $timestamp
* The timestamp.
* @param string $hashed_pass
* The hashed password.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
* A redirect response.
*/
public function confirmCancel(UserInterface $user, $timestamp = 0, $hashed_pass = '')
{
// Time out in seconds until cancel URL expires; 24 hours = 86400 seconds.
$timeout = 86400;
$current = REQUEST_TIME;
// Basic validation of arguments.
$account_data = $this->userData->get('user', $user->id());
if (isset($account_data['cancel_method']) && !empty($timestamp) && !empty($hashed_pass)) {
// Validate expiration and hashed password/login.
if ($timestamp <= $current && $current - $timestamp < $timeout && $user->id() && $timestamp >= $user->getLastLoginTime() && $hashed_pass == user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime(), $user->id())) {
$edit = array('user_cancel_notify' => isset($account_data['cancel_notify']) ? $account_data['cancel_notify'] : $this->config('user.settings')->get('notify.status_canceled'));
user_cancel($edit, $user->id(), $account_data['cancel_method']);
// Since user_cancel() is not invoked via Form API, batch processing
// needs to be invoked manually and should redirect to the front page
// after completion.
return batch_process('');
} else {
drupal_set_message(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'));
return $this->redirect('entity.user.cancel_form', ['user' => $user->id()], ['absolute' => TRUE]);
}
}
throw new AccessDeniedHttpException();
}
/**
* {@inheritdoc}
*/
public function getPassword()
{
return $this->subject->getPassword();
}
/**
* Implements Drupal\Core\Password\PasswordInterface::userNeedsNewHash().
*/
public function userNeedsNewHash(UserInterface $account)
{
// Check whether this was an updated password.
if (substr($account->getPassword(), 0, 3) != '$S$' || strlen($account->getPassword()) != static::HASH_LENGTH) {
return TRUE;
}
// Ensure that $count_log2 is within set bounds.
$count_log2 = $this->enforceLog2Boundaries($this->countLog2);
// Check whether the iteration count used differs from the standard number.
return $this->getCountLog2($account->getPassword()) !== $count_log2;
}