check for prohibited passwords on password reset change

composer · Mar 15, 2024 · d056806 · d056806
1 parent 96d9771
commit d056806
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 7 deletions.
diff --git a/src/Controller/ResetPasswordController.php b/src/Controller/ResetPasswordController.php
@@ -99,7 +99,7 @@ public function reset(Request $request, UserPasswordHasherInterface $passwordHas
  }
 
  // The token is valid; allow the user to change their password.
- $form = $this->createForm(ResetPasswordFormType::class, null, ['user' => $user]);
+ $form = $this->createForm(ResetPasswordFormType::class, $user);
  $form->handleRequest($request);
 
  if ($form->isSubmitted() && $form->isValid()) {

diff --git a/src/Form/ResetPasswordFormType.php b/src/Form/ResetPasswordFormType.php
@@ -13,6 +13,7 @@
 namespace App\Form;
 
 use App\Entity\User;
+use App\Validator\NotProhibitedPassword;
 use App\Validator\Password;
 use App\Validator\RateLimitingRecaptcha;
 use App\Validator\TwoFactorCode;
@@ -26,10 +27,10 @@ class ResetPasswordFormType extends AbstractType
 {
  public function configureOptions(OptionsResolver $resolver): void
  {
- $resolver
- ->define('user')
- ->allowedTypes(User::class)
-  ->required();
+ $resolver->setDefaults([
+ 'data_class' => User::class,
+ 'constraints' => [new NotProhibitedPassword()],
+ ]);
  }
 
  public function buildForm(FormBuilderInterface $builder, array $options): void
@@ -46,15 +47,15 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
  ])
  ;
 
- if ($options['user']->isTotpAuthenticationEnabled()) {
+ if ($options['data']->isTotpAuthenticationEnabled()) {
  $builder
  ->add('twoFactorCode', TextType::class, [
  'label' => 'Two-Factor Code',
  'required' => true,
  'mapped' => false,
  'constraints' => [
  new RateLimitingRecaptcha(),
- new TwoFactorCode($options['user']),
+ new TwoFactorCode($options['data']),
  ],
  ]);
  }

diff --git a/tests/Controller/ResetPasswordControllerTest.php b/tests/Controller/ResetPasswordControllerTest.php
@@ -69,6 +69,18 @@ public function testResetPasswordWithTwoFactor(): void
  $this->assertTrue(self::getContainer()->get(TokenStorageInterface::class)->getToken()?->getAttribute(TwoFactorAuthenticator::FLAG_2FA_COMPLETE));
  }
 
+ public function testResetPasswordToProhibited(): void
+ {
+ $user = $this->setupUserWithPasswordResetRequest(false);
+ $oldPassword = $user->getPassword();
+
+ $crawler = $this->client->request('GET', '/reset-password/reset/' . $user->getConfirmationToken());
+ $this->assertResponseStatusCodeSame(200);
+
+ $this->submitPasswordResetFormAndAsserStatusCode($crawler, newPassword: $user->getEmail(), expectedStatusCode: 422);
+ $this->assertUserHasUnchangedPassword($user, $oldPassword);
+ }
+
  private function setupUserWithPasswordResetRequest(bool $withTwoFactor): User
  {
  $user = new User;
@@ -112,4 +124,14 @@ private function assertUserHasNewPassword(User $user, ?string $oldPassword): voi
  $this->assertNotNull($user);
  $this->assertNotSame($oldPassword, $user->getPassword());
  }
+
+ private function assertUserHasUnchangedPassword(User $user, ?string $oldPassword): void
+ {
+ $em = static::getContainer()->get(ManagerRegistry::class)->getManager();
+ $em->clear();
+
+ $user = $em->getRepository(User::class)->find($user->getId());
+ $this->assertNotNull($user);
+ $this->assertSame($oldPassword, $user->getPassword());
+ }
 }