Merge pull request #11358 from snipe/fixes/missing_token_lang

snipe · web-flow · commit 89c234b1c2b9 · 2022-06-22T11:15:08.000-07:00
Fixed missing password.token string and checked for user existing before attempting to send reset email
diff --git a/.env.example b/.env.example
@@ -146,7 +146,13 @@ AWS_DEFAULT_REGION=null
 # --------------------------------------------
 LOGIN_MAX_ATTEMPTS=5
 LOGIN_LOCKOUT_DURATION=60
-RESET_PASSWORD_LINK_EXPIRES=900
+
+# --------------------------------------------
+# OPTIONAL: FORGOTTEN PASSWORD SETTINGS
+# --------------------------------------------
+RESET_PASSWORD_LINK_EXPIRES=15
+PASSWORD_CONFIRM_TIMEOUT=10800
+PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=50
 
 # --------------------------------------------
 # OPTIONAL: MISC
diff --git a/app/Console/Kernel.php b/app/Console/Kernel.php
@@ -24,6 +24,7 @@ protected function schedule(Schedule $schedule)
         $schedule->command('snipeit:backup')->weekly();
         $schedule->command('backup:clean')->daily();
         $schedule->command('snipeit:upcoming-audits')->daily();
+        $schedule->command('auth:clear-resets')->everyFifteenMinutes();
     }
 
     /**
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
@@ -136,13 +136,12 @@ private function loginViaSaml(Request $request)
 
             // Better logging
             if (!$saml->isEnabled()) {
-                \Log::warning("SAML page requested, but SAML does not seem to enabled.");
+                \Log::debug("SAML page requested, but SAML does not seem to enabled.");
             } else {
                 \Log::warning("SAML page requested, but samlData seems empty.");
             }
         }
 
-        \Log::warning("Something else went wrong while trying to login as SAML user");
 
 
     }
diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php
@@ -3,13 +3,11 @@
 namespace App\Http\Controllers\Auth;
 
 use App\Http\Controllers\Controller;
-use App\Http\Requests\SaveUserRequest;
 use App\Models\Setting;
 use App\Models\User;
 use Illuminate\Foundation\Auth\ResetsPasswords;
 use Illuminate\Http\Request;
-use Illuminate\Validation\Rule;
-use Illuminate\Validation\Validator;
+
 
 class ResetPasswordController extends Controller
 {
@@ -63,6 +61,14 @@ protected function credentials(Request $request)
 
     public function showResetForm(Request $request, $token = null)
     {
+
+        $credentials =  $request->only('email', 'token');
+
+        if (is_null($this->broker()->getUser($credentials))) {
+            \Log::debug('Password reset form FAILED - this token is not valid.');
+            return redirect()->route('password.request')->with('error', trans('passwords.token'));
+        }
+
         return view('auth.passwords.reset')->with(
             [
                 'token' => $token,
@@ -73,38 +79,53 @@ public function showResetForm(Request $request, $token = null)
 
     public function reset(Request $request)
     {
+
+        $broker = $this->broker();
+
         $messages = [
             'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
         ];
 
         $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
 
-        // Check to see if the user even exists
-        $user = User::where('username', '=', $request->input('username'))->first();
+        \Log::debug('Checking if '.$request->input('username').' exists');
+        // Check to see if the user even exists - we'll treat the response the same to prevent user sniffing
+        if ($user = User::where('username', '=', $request->input('username'))->where('activated', '1')->whereNotNull('email')->first()) {
+            \Log::debug($user->username.' exists');
 
-        $broker = $this->broker();
-        if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
-            $request->validate(
-                [
-                'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
-            ], $messages);
-        }
 
-        $response = $broker->reset(
-            $this->credentials($request), function ($user, $password) {
+            // handle the password validation rules set by the admin settings
+            if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
+                $request->validate(
+                    [
+                        'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"',
+                    ], $messages);
+            }
+
+
+            // set the response
+            $response = $broker->reset(
+                $this->credentials($request), function ($user, $password) {
                 $this->resetPassword($user, $password);
+            });
+
+            // Check if the password reset above actually worked
+            if ($response == \Password::PASSWORD_RESET) {
+                \Log::debug('Password reset for '.$user->username.' worked');
+                return redirect()->guest('login')->with('success', trans('passwords.reset'));
             }
-        );
 
-        return $response == \Password::PASSWORD_RESET
-            ? $this->sendResetResponse($request, $response)
-            : $this->sendResetFailedResponse($request, $response);
-    }
+            \Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');
+            return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));
+
+        }
+
+
+        \Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');
+        return redirect()->guest('login')->with('success', trans('passwords.reset'));
 
-    protected function sendResetFailedResponse(Request $request, $response)
-    {
-        return redirect()->back()
-            ->withInput(['username'=> $request->input('username')])
-            ->withErrors(['username' => trans($response), 'password' => trans($response)]);
     }
+
+
+
 }
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
@@ -75,12 +75,22 @@ protected function mapApiRoutes()
     /**
      * Configure the rate limiters for the application.
      *
+     * https://laravel.com/docs/8.x/routing#rate-limiting
+     *
      * @return void
      */
     protected function configureRateLimiting()
     {
+
+        // Rate limiter for API calls
         RateLimiter::for('api', function (Request $request) {
-            return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
+            return Limit::perMinute(config('app.api_throttle_per_minute'))->by(optional($request->user())->id ?: $request->ip());
         });
+
+        // Rate limiter for forgotten password requests
+        RateLimiter::for('forgotten_password', function (Request $request) {
+            return Limit::perMinute(config('auth.password_reset.max_attempts_per_min'))->by(optional($request->user())->id ?: $request->ip());
+        });
+
     }
 }
diff --git a/config/auth.php b/config/auth.php
@@ -98,14 +98,27 @@
             'email' => 'auth.emails.password',
             'table' => 'password_resets',
             'expire' => env('RESET_PASSWORD_LINK_EXPIRES', 900),
-            'throttle' => 60,
+            'throttle' => [
                 'max_attempts' => env('LOGIN_MAX_ATTEMPTS', 5),
-
                 'lockout_duration' => env('LOGIN_LOCKOUT_DURATION', 60),
+            ]
 
         ],
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Resetting Password Requests
+    |--------------------------------------------------------------------------
+    | This sets the throttle for forgotten password requests
+    |
+    */
+    'password_reset' => [
+       'max_attempts_per_min' => env('PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN', 50),
+    ],
+
+
+
     /*
     |--------------------------------------------------------------------------
     | Password Confirmation Timeout
@@ -117,6 +130,6 @@
     |
     */
 
-    'password_timeout' => 10800,
+    'password_timeout' =>  env('PASSWORD_CONFIRM_TIMEOUT', 10800),
 
 ];
diff --git a/resources/lang/en/passwords.php b/resources/lang/en/passwords.php
@@ -1,6 +1,8 @@
 <?php
 
 return [
-    'sent'	        => 'Success: If that email address exists in our system, a password recovery email has been sent.',
-    'user'			=> 'No matching active user found with that email.',
+    'sent'	        => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.',
+    'user'			=> 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.',
+    'token'         => 'This password reset token is invalid or expired, or does not match the username provided.',
+    'reset'         => 'Your password has been reset!',
 ];
diff --git a/resources/lang/en/reminders.php b/resources/lang/en/reminders.php
@@ -14,11 +14,8 @@
     */
 
     "password" => "Passwords must be six characters and match the confirmation.",
-
     "user"     => "Username or email address is incorrect",
-
-    "token"    => "This password reset token is invalid.",
-
-    "sent" => "If a matching email address was found, a password reminder has been sent!",
+    "token"    => 'This password reset token is invalid or expired, or does not match the username provided.',
+    'sent'	   => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.',
 
 );
diff --git a/resources/views/layouts/basic.blade.php b/resources/views/layouts/basic.blade.php
@@ -56,7 +56,7 @@
 
     @if (($snipeSettings) && ($snipeSettings->logo!=''))
         <center>
-            <img id="login-logo" src="{{ Storage::disk('public')->url('').e($snipeSettings->logo) }}">
+            <a href="{{ config('app.url') }}"><img id="login-logo" src="{{ Storage::disk('public')->url('').e($snipeSettings->logo) }}"></a>
         </center>
     @endif
   <!-- Content -->
diff --git a/routes/api.php b/routes/api.php
@@ -16,7 +16,7 @@
 |
 */
 
-Route::group(['prefix' => 'v1', 'middleware' => ['api', 'throttle:'.config('app.api_throttle_per_minute').',1']], function () {
+Route::group(['prefix' => 'v1', 'middleware' => ['api', 'throttle:api']], function () {
 
 
     Route::get('/', function () {
diff --git a/routes/web.php b/routes/web.php
@@ -20,6 +20,8 @@
 use App\Http\Controllers\SuppliersController;
 use App\Http\Controllers\ViewAssetsController;
 use App\Http\Controllers\Auth\LoginController;
+use App\Http\Controllers\Auth\ForgotPasswordController;
+use App\Http\Controllers\Auth\ResetPasswordController;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\Auth;
 
@@ -426,6 +428,39 @@
         [LoginController::class, 'postTwoFactorAuth']
     );
 
+
+
+    Route::post(
+        'password/email',
+        [ForgotPasswordController::class, 'sendResetLinkEmail']
+    )->name('password.email')->middleware('throttle:forgotten_password');
+
+    Route::get(
+        'password/reset',
+        [ForgotPasswordController::class, 'showLinkRequestForm']
+    )->name('password.request')->middleware('throttle:forgotten_password');
+
+
+    Route::post(
+        'password/reset',
+        [ResetPasswordController::class, 'reset']
+    )->name('password.update')->middleware('throttle:forgotten_password');
+
+    Route::get(
+        'password/reset/{token}',
+        [ResetPasswordController::class, 'showResetForm']
+    )->name('password.reset');
+
+
+    Route::post(
+        'password/email',
+        [ForgotPasswordController::class, 'sendResetLinkEmail']
+    )->name('password.email')->middleware('throttle:forgotten_password');
+
+
+
+
+
     Route::get(
         '/',
         [
@@ -446,7 +481,7 @@
     )->name('logout');
 });
 
-Auth::routes();
+//Auth::routes();
 
 Route::get(
     '/health', 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ protected function schedule(Schedule $schedule)`
`24`	`24`	`$schedule->command('snipeit:backup')->weekly();`
`25`	`25`	`$schedule->command('backup:clean')->daily();`
`26`	`26`	`$schedule->command('snipeit:upcoming-audits')->daily();`
	`27`	`+ $schedule->command('auth:clear-resets')->everyFifteenMinutes();`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -136,13 +136,12 @@ private function loginViaSaml(Request $request)`
`136`	`136`
`137`	`137`	`// Better logging`
`138`	`138`	`if (!$saml->isEnabled()) {`
`139`		`- \Log::warning("SAML page requested, but SAML does not seem to enabled.");`
	`139`	`+ \Log::debug("SAML page requested, but SAML does not seem to enabled.");`
`140`	`140`	`} else {`
`141`	`141`	`\Log::warning("SAML page requested, but samlData seems empty.");`
`142`	`142`	`}`
`143`	`143`	`}`
`144`	`144`
`145`		`- \Log::warning("Something else went wrong while trying to login as SAML user");`
`146`	`145`
`147`	`146`
`148`	`147`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,12 +75,22 @@ protected function mapApiRoutes()`
`75`	`75`	`/**`
`76`	`76`	`* Configure the rate limiters for the application.`
`77`	`77`	`*`
	`78`	`+ * https://laravel.com/docs/8.x/routing#rate-limiting`
	`79`	`+ *`
`78`	`80`	`* @return void`
`79`	`81`	`*/`
`80`	`82`	`protected function configureRateLimiting()`
`81`	`83`	`{`
	`84`	`+`
	`85`	`+ // Rate limiter for API calls`
`82`	`86`	`RateLimiter::for('api', function (Request $request) {`
`83`		`- return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());`
	`87`	`+ return Limit::perMinute(config('app.api_throttle_per_minute'))->by(optional($request->user())->id ?: $request->ip());`
`84`	`88`	`});`
	`89`	`+`
	`90`	`+ // Rate limiter for forgotten password requests`
	`91`	`+ RateLimiter::for('forgotten_password', function (Request $request) {`
	`92`	`+ return Limit::perMinute(config('auth.password_reset.max_attempts_per_min'))->by(optional($request->user())->id ?: $request->ip());`
	`93`	`+ });`
	`94`	`+`
`85`	`95`	`}`
`86`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`\|`
`17`	`17`	`*/`
`18`	`18`
`19`		`-Route::group(['prefix' => 'v1', 'middleware' => ['api', 'throttle:'.config('app.api_throttle_per_minute').',1']], function () {`
	`19`	`+Route::group(['prefix' => 'v1', 'middleware' => ['api', 'throttle:api']], function () {`
`20`	`20`
`21`	`21`
`22`	`22`	`Route::get('/', function () {`