
Restrict new passwords to 72 characters in length

This commit is contained in:
Marco
2025-04-30 13:54:16 +02:00
parent 233640502c
commit 05854dad61
3 changed files with 13 additions and 5 deletions


@@ -384,7 +384,7 @@ final class Administration extends UserManager {
*/
public function changePasswordForUserById($userId, $newPassword) {
$userId = (int) $userId;
$newPassword = self::validatePassword($newPassword);
$newPassword = self::validatePassword($newPassword, true);
$this->updatePasswordInternal(
$userId,
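Review bot: The new second argument to `validatePassword` is a bare positional `true`, so a reader of this call site cannot tell which rule it switches on; the same pattern appears in both Auth.php hunks (changePasswordWithoutOldPassword and the reset-token path) and in the UserManager.php registration hunk. If the project's minimum PHP version allows named arguments, `self::validatePassword($newPassword, isNewPassword: true)` states the intent at each call; otherwise a short comment such as `// new password: enforce the 72-byte upper bound` beside each call would do. The body of changePasswordForUserById continues beyond the hunk.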


@@ -779,7 +779,7 @@ final class Auth extends UserManager {
*/
public function changePasswordWithoutOldPassword($newPassword) {
if ($this->isLoggedIn()) {
$newPassword = self::validatePassword($newPassword);
$newPassword = self::validatePassword($newPassword, true);
$this->updatePasswordInternal($this->getUserId(), $newPassword);
try {
@@ -1560,7 +1560,7 @@ final class Auth extends UserManager {
if ((int) $resetData['resettable'] === 1) {
if (\password_verify($token, $resetData['token'])) {
if ($resetData['expires'] >= \time()) {
$newPassword = self::validatePassword($newPassword);
$newPassword = self::validatePassword($newPassword, true);
$this->updatePasswordInternal($resetData['user'], $newPassword);
$this->forceLogoutForUserById($resetData['user']);


@@ -132,7 +132,7 @@ abstract class UserManager {
\ignore_user_abort(true);
$email = self::validateEmailAddress($email);
$password = self::validatePassword($password);
$password = self::validatePassword($password, true);
$username = isset($username) ? \trim($username) : null;
@@ -315,20 +315,28 @@ abstract class UserManager {
* Validates a password
*
* @param string $password the password to validate
* @param bool|null $isNewPassword (optional) whether the password is a new password that the user wants to use
* @return string the sanitized password
* @throws InvalidPasswordException if the password has been invalid
*/
protected static function validatePassword($password) {
protected static function validatePassword($password, $isNewPassword = null) {
if (empty($password)) {
throw new InvalidPasswordException();
}
$password = \trim($password);
$isNewPassword = ($isNewPassword !== null) ? (bool) $isNewPassword : false;
if (\strlen($password) < 1) {
throw new InvalidPasswordException();
}
if ($isNewPassword) {
if (\strlen($password) > 72) {
throw new InvalidPasswordException();
}
}
return $password;
}
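Review bot: The upper bound in the new `if ($isNewPassword)` branch is enforced with `\strlen`, which counts bytes, so a new password is limited to 72 bytes rather than the 72 characters the commit title states, and a password made of multi-byte UTF-8 characters is rejected well before 72 characters. That is presumably deliberate, since the bcrypt backend of `password_hash` only uses the first 72 bytes of its input, but the docblock should say so: `@param bool|null $isNewPassword (optional) whether the password is a new password that the user wants to use, in which case it must not exceed 72 bytes (the bcrypt input limit)`. The literal 72 would read better as a named class constant (a proposed `MAX_PASSWORD_LENGTH_BYTES`, for example) so the limit and its reason are stated once. The coercion line can be simplified to `$isNewPassword = (bool) $isNewPassword;`, because `(bool) null` is already `false`.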