Add single-sign-on for password reset tokens

02926ef4 · Jared Hancock · 1ea3a12a · 02926ef4 · 02926ef4
Commit 02926ef4 authored 11 years ago by Jared Hancock
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -119,7 +119,7 @@ abstract class AuthenticationBackend {
            $result = $bk->authenticate($username, $password);
            if ($result instanceof AuthenticatedUser
-                    && (static::login($result, $bk)))
+                    && ($bk->login($result, $bk)))
                return $result;
            // TODO: Handle permission denied, for instance
            elseif ($result instanceof AccessDenied) {
@@ -141,7 +141,7 @@ abstract class AuthenticationBackend {
            $result = $bk->signOn();
            if ($result instanceof AuthenticatedUser) {
                //Perform further Object specific checks and the actual login
-                if (!static::login($result, $bk))
+                if (!$bk->login($result, $bk))
                    continue;
                return $result;
@@ -620,6 +620,39 @@ class osTicketAuthentication extends StaffAuthenticationBackend {
 }
 StaffAuthenticationBackend::register(osTicketAuthentication);
+class PasswordResetTokenBackend extends StaffAuthenticationBackend {
+    static $id = "pwreset.staff";
+    function authenticate($username, $password) {}
+    function signOn($errors=array()) {
+        if (!isset($_POST['userid']) || !isset($_POST['token']))
+            return false;
+        elseif (!($_config = new Config('pwreset')))
+            return false;
+        elseif (($staff = new StaffSession($_POST['userid'])) &&
+                !$staff->getId())
+            $errors['msg'] = 'Invalid user-id given';
+        elseif (!($id = $_config->get($_POST['token']))
+                || $id != $staff->getId())
+            $errors['msg'] = 'Invalid reset token';
+        elseif (!($ts = $_config->lastModified($_POST['token']))
+                && ($ost->getConfig()->getPwResetWindow() < (time() - strtotime($ts))))
+            $errors['msg'] = 'Invalid reset token';
+        elseif (!$staff->forcePasswdRest())
+            $errors['msg'] = 'Unable to reset password';
+        else
+            return $staff;
+    }
+    function login($staff, $bk) {
+        $_SESSION['_staff']['reset-token'] = $_POST['token'];
+        Signal::send('auth.pwreset.login', $staff);
+        return parent::login($staff, $bk);
+    }
+}
+StaffAuthenticationBackend::register(PasswordResetTokenBackend);
 /*
 * AuthToken Authentication Backend
 *

--- a/scp/pwreset.php
+++ b/scp/pwreset.php
@@ -47,26 +47,15 @@ if($_POST) {
        case 'newpasswd':
            // TODO: Compare passwords
            $tpl = 'pwreset.login.php';
-            $_config = new Config('pwreset');
+            $errors = array();
-            if (($staff = new StaffSession($_POST['userid'])) &&
+            if ($staff = StaffAuthenticationBackend::processSignOn($errors)) {
-                    !$staff->getId())
-                $msg = 'Invalid user-id given';
-            elseif (!($id = $_config->get($_POST['token']))
-                    || $id != $staff->getId())
-                $msg = 'Invalid reset token';
-            elseif (!($ts = $_config->lastModified($_POST['token']))
-                    && ($ost->getConfig()->getPwResetWindow() < (time() - strtotime($ts))))
-                $msg = 'Invalid reset token';
-            elseif (!$staff->forcePasswdRest())
-                $msg = 'Unable to reset password';
-            else {
                $info = array('page' => 'index.php');
-                Signal::send('auth.pwreset.login', $staff, $info);
-                Staff::_do_login($staff, $_POST['userid']);
-                $_SESSION['_staff']['reset-token'] = $_POST['token'];
                header('Location: '.$info['page']);
                exit();
            }
+            elseif (isset($errors['msg'])) {
+                $msg = $errors['msg'];
+            }
            break;
    }
 }