
Restrict new passwords to 72 characters in length

This commit is contained in:
Marco
2025-04-30 13:54:16 +02:00
parent 233640502c
commit 05854dad61
3 changed files with 13 additions and 5 deletions


@@ -384,7 +384,7 @@ final class Administration extends UserManager {
*/ */
public function changePasswordForUserById($userId, $newPassword) { public function changePasswordForUserById($userId, $newPassword) {
$userId = (int) $userId; $userId = (int) $userId;
$newPassword = self::validatePassword($newPassword); $newPassword = self::validatePassword($newPassword, true);
$this->updatePasswordInternal( $this->updatePasswordInternal(
$userId, $userId,
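Review bot: The positional `true` added to the `validatePassword` call is opaque at the call site — a reader cannot tell what the second argument switches on without opening UserManager, and the same bare `true` appears in the two Auth hunks and the first UserManager hunk of this commit. If the project's minimum PHP version is 8.0 or later, a named argument makes the intent self-describing, `$newPassword = self::validatePassword($newPassword, isNewPassword: true);`; on older versions a short trailing comment such as `// new password: enforce the maximum length` serves the same purpose. changePasswordForUserById continues past the end of this hunk.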


@@ -779,7 +779,7 @@ final class Auth extends UserManager {
*/ */
public function changePasswordWithoutOldPassword($newPassword) { public function changePasswordWithoutOldPassword($newPassword) {
if ($this->isLoggedIn()) { if ($this->isLoggedIn()) {
$newPassword = self::validatePassword($newPassword); $newPassword = self::validatePassword($newPassword, true);
$this->updatePasswordInternal($this->getUserId(), $newPassword); $this->updatePasswordInternal($this->getUserId(), $newPassword);
try { try {
@@ -1560,7 +1560,7 @@ final class Auth extends UserManager {
if ((int) $resetData['resettable'] === 1) { if ((int) $resetData['resettable'] === 1) {
if (\password_verify($token, $resetData['token'])) { if (\password_verify($token, $resetData['token'])) {
if ($resetData['expires'] >= \time()) { if ($resetData['expires'] >= \time()) {
$newPassword = self::validatePassword($newPassword); $newPassword = self::validatePassword($newPassword, true);
$this->updatePasswordInternal($resetData['user'], $newPassword); $this->updatePasswordInternal($resetData['user'], $newPassword);
$this->forceLogoutForUserById($resetData['user']); $this->forceLogoutForUserById($resetData['user']);


@@ -132,7 +132,7 @@ abstract class UserManager {
\ignore_user_abort(true); \ignore_user_abort(true);
$email = self::validateEmailAddress($email); $email = self::validateEmailAddress($email);
$password = self::validatePassword($password); $password = self::validatePassword($password, true);
$username = isset($username) ? \trim($username) : null; $username = isset($username) ? \trim($username) : null;
@@ -315,20 +315,28 @@ abstract class UserManager {
* Validates a password * Validates a password
* *
* @param string $password the password to validate * @param string $password the password to validate
* @param bool|null $isNewPassword (optional) whether the password is a new password that the user wants to use
* @return string the sanitized password * @return string the sanitized password
* @throws InvalidPasswordException if the password has been invalid * @throws InvalidPasswordException if the password has been invalid
*/ */
protected static function validatePassword($password) { protected static function validatePassword($password, $isNewPassword = null) {
if (empty($password)) { if (empty($password)) {
throw new InvalidPasswordException(); throw new InvalidPasswordException();
} }
$password = \trim($password); $password = \trim($password);
$isNewPassword = ($isNewPassword !== null) ? (bool) $isNewPassword : false;
if (\strlen($password) < 1) { if (\strlen($password) < 1) {
throw new InvalidPasswordException(); throw new InvalidPasswordException();
} }
if ($isNewPassword) {
if (\strlen($password) > 72) {
throw new InvalidPasswordException();
}
}
return $password; return $password;
} }
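Review bot: The new `\strlen($password) > 72` check in validatePassword counts bytes, not characters — `\strlen` is byte-wise — so the commit title's "72 characters" is imprecise and a password typed in multibyte UTF-8 is rejected well below 72 characters; since the limit presumably exists because bcrypt (the `password_hash` default, consistent with the `\password_verify` call in the Auth hunk) only consumes the first 72 bytes of its input, counting bytes is the right measure, but the hunk leaves that reason undocumented and a later maintainer may "fix" it to `mb_strlen`. I would state it at the check, e.g. `// bcrypt ignores everything past 72 bytes, so a longer new password would only ever be partially verified`, and say "72 bytes" rather than characters in the `@param` description. `$isNewPassword = ($isNewPassword !== null) ? (bool) $isNewPassword : false;` is equivalent to the shorter `$isNewPassword = (bool) $isNewPassword;`, since `(bool) null` is already `false`. The length limit applies only when `$isNewPassword` is true, so existing passwords longer than 72 bytes still validate on login; that is the compatible behaviour, but it deserves a sentence in the docblock so the asymmetry reads as intended rather than as an oversight.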