src/Controller/Main/ResettingController.php line 42

Open in your IDE?
  1. <?php
  3. namespace App\Controller\Main;
  5. use App\Entity\Main\User;
  6. use App\Events\Main\Registration\SecurityEvent;
  7. use App\Events\Main\Resetting\ResetEvent;
  8. use App\EventSubscribers\Main\ResettingSubscriber;
  9. use App\EventSubscribers\Main\SecuritySubscriber;
  10. use App\Model\TokenGenerator\TokenGenerator;
  11. use App\Services\EmailManager;
  12. use App\Services\UserManager;
  13. use App\Services\SecurityManager;
  14. use Predis\Client;
  15. use Psr\Log\LoggerInterface;
  16. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  17. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  18. use Symfony\Component\HttpFoundation\RedirectResponse;
  19. use Symfony\Component\HttpFoundation\Request;
  20. use Symfony\Component\HttpFoundation\Response;
  21. use Symfony\Component\Routing\Annotation\Route;
  23. /**
  24.  * Controller managing the resetting of the password.
  25.  *
  26.  * @Route(
  27.  *     condition="not (context.getHost() matches '%coaching_domain.host.regexp%')"
  28.  * )
  29.  *
  30.  */
  31. class ResettingController extends AbstractController
  32. {
  33.     use BrulafineControllerTrait;
  35.     const AUTOLOGIN_ATTEMPTS_REDIS_KEY "autologin_link_request_";
  37.     /**
  38.      * Request reset user password: show form.
  39.      *
  40.      * @Route("/resseting/request", name="user_resetting_request")
  41.      */
  42.     public function requestAction()
  43.     {
  44.         $setup $this->getSetup();
  46.         return $this->render($this->getTemplatesDir() . '/Security/views/Resetting/request.html.twig', [
  47.             'csrf_token' => $this->getLoginCsrfToken(),
  48.             'tracking' => $setup->getTracking(),
  49.             'site' => $setup->getSite(),
  50.         ]);
  51.     }
  53.     /**
  54.      * Request reset user password: submit form and send email.
  55.      *
  56.      * @Route ("/resetting/send-email", name="user_resetting_send_email")
  57.      * @param Request $request
  58.      *
  59.      * @param UserManager $securityManager
  60.      * @param EmailManager $emailFactory
  61.      * @return Response
  62.      * @throws \Exception
  63.      */
  64.     public function sendEmailAction(Request $requestUserManager $securityManagerEmailManager $emailFactoryEventDispatcherInterface $dispatcher)
  65.     {
  66.         $username $request->request->get('username');
  68.         /** @var User $user */
  69.         $user $securityManager->findUserByUsernameOrEmail($username);
  71.         //$ttl = $this->container->getParameter('fos_user.resetting.retry_ttl');
  72.         $ttl 1;
  73.         if (null !== $user && !$user->isPasswordRequestNonExpired($ttl)) {
  74.             $event = new ResetEvent($user$request);
  75.             $dispatcher->dispatch($eventResettingSubscriber::RESETTING_RESET_REQUEST);
  77.             if (null !== $event->getResponse()) {
  78.                 return $event->getResponse();
  79.             }
  81.             if (null === $user->getConfirmationToken()) {
  82.                 $tokenGenerator = new TokenGenerator();
  83.                 $user->setConfirmationToken($tokenGenerator->generateToken());
  84.             }
  86.             // Define here landing page for the autologin.
  87.             $destination $this->getParameter('reset_pw_autologin_destination') ?? null;
  89.             $emailFactory->sendAutoLoginEmailMessage($user$destination);
  90.             $user->setPasswordRequestedAt(new \DateTime());
  91.             $securityManager->updateUser($user);
  92.         }
  94.         return new RedirectResponse($this->generateUrl('user_resetting_check_email', ['username' => $username]));
  95.     }
  97.     /**
  98.      * Tell the user to check his email provider.
  99.      *
  100.      * @param Request $request
  101.      *
  102.      * @Route ("/resseting/check-email", name="user_resetting_check_email")
  103.      * @return Response
  104.      */
  105.     public function checkEmailAction(Request $request)
  106.     {
  107.         $username $request->query->get('username');
  109.         if (empty($username)) {
  110.             // the user does not come from the sendEmail action
  111.             return new RedirectResponse($this->generateUrl('user_resetting_request'));
  112.         }
  114.         $setup $this->getSetup();
  115.         return $this->render($this->getTemplatesDir() . '/Security/views/Resetting/check.html.twig', [
  116.             'csrf_token' => $this->getLoginCsrfToken(),
  117.             'tracking' => $setup->getTracking(),
  118.             'site' => $setup->getSite(),
  119.         ]);
  120.     }
  122.     /**
  123.      * @param Request $request
  124.      * @param $token
  125.      * @param $dest
  126.      * @param LoggerInterface $logger
  127.      * @param SecurityManager $securityManager
  128.      * @return RedirectResponse
  129.      */
  130.     public function autoLoginAction(Request $request$token$destLoggerInterface $loggerUserManager $securityManagerEventDispatcherInterface $eventDispatcher$redisClient)
  131.     {
  132.         $environment $this->getParameter("kernel.environment");
  133.         $redisKey self::AUTOLOGIN_ATTEMPTS_REDIS_KEY $request->getClientIp();
  135.         // prevent brut force attacks by limiting to 50 calls on this address by the same IP.
  136.         $redisClient->setex($redisKey3600, ((int) $redisClient->get($redisKey) + 1));
  138.         if ((int) $redisClient->get($redisKey) > 50 && 'test' != $environment) {
  139.             $this->addFlash("error""flashMessages.site.linkNoValid");
  140.             $logger->alert("Someone is trying to bruteforce the autologin url, IP {$request->getClientIp()}, number of tries so far : {$redisClient->get($redisKey)}");
  141.             return new RedirectResponse($this->generateUrl("brulafine_shipping"));
  142.         }
  144.         // first check if user is already logged in.
  145.         $currentUser $this->getUser();
  147.         if ($currentUser instanceof User) {
  148.             return $this->redirectToRoute($this->getRouteToRedirect($dest));
  149.         }
  151.         $user $securityManager->findUserByConfirmationToken($token);
  153.         if (!$user instanceof User) {
  154.             $this->addFlash("error""flashMessages.site.linkNoValid");
  155.             return new RedirectResponse($this->generateUrl("brulafine_shipping"));
  156.         }
  158.         // check if reset request exists.
  159.         $event = new ResetEvent($user$request);
  160.         $eventDispatcher->dispatch($eventResettingSubscriber::RESETTING_RESET_INITIALIZE);
  162.         if (null !== $event->getResponse()) {
  163.             $this->addFlash("error""flashMessages.site.linkNoValid");
  164.             return new RedirectResponse($this->generateUrl("brulafine_shipping"));
  165.         }
  167.         // update the user data.
  168.         $user->setConfirmationToken(null);
  169.         $user->setPasswordRequestedAt(null);
  170.         $user->setEnabled(true);
  171.         $securityManager->updateUser($user);
  173.         // Force Login the user
  174.         $eventDispatcher->dispatch(
  175.             new SecurityEvent($user$request),
  176.             SecuritySubscriber::USER_LOGGED_IN
  177.         );
  179.         return $this->redirectToRoute($this->getRouteToRedirect($dest));
  180.     }
  182.     /**
  183.      * @param $dest
  184.      * @return string
  185.      */
  186.     private function getRouteToRedirect($dest)
  187.     {
  188.         // define where to redirect the user
  189.         if ('pass' == $dest) {
  190.             $route 'user_change_password';
  191.         } else {
  192.             $route 'brulafine_shipping';
  193.         }
  195.         return $route;
  196.     }
  197. }