Add method 'resetPassword'

src/Auth.php

@@ -763,6 +763,63 @@ class Auth {
 		}
 	}
 
+	/**
+	 * Resets the password for a particular account by supplying the correct selector/token pair
+	 *
+	 * The selector/token pair must have been generated previously by calling `Auth#forgotPassword(...)`
+	 *
+	 * @param string $selector the selector from the selector/token pair
+	 * @param string $token the token from the selector/token pair
+	 * @param string $newPassword the new password to set for the account
+	 * @throws InvalidSelectorTokenPairException if either the selector or the token was not correct
+	 * @throws TokenExpiredException if the token has already expired
+	 * @throws InvalidPasswordException if the new password was invalid
+	 * @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded
+	 * @throws AuthError if an internal problem occurred (do *not* catch)
+	 */
+	public function resetPassword($selector, $token, $newPassword) {
+		$this->throttle(self::THROTTLE_ACTION_CONSUME_TOKEN);
+		$this->throttle(self::THROTTLE_ACTION_CONSUME_TOKEN, $selector);
+
+		$newPassword = self::validatePassword($newPassword);
+
+		$stmt = $this->db->prepare("SELECT id, user, token, expires FROM users_resets WHERE selector = :selector");
+		$stmt->bindValue(':selector', $selector, \PDO::PARAM_STR);
+		if ($stmt->execute()) {
+			$resetData = $stmt->fetch(\PDO::FETCH_ASSOC);
+
+			if ($resetData !== false) {
+				if (password_verify($token, $resetData['token'])) {
+					if ($resetData['expires'] >= time()) {
+						$this->updatePassword($resetData['user'], $newPassword);
+
+						$stmt = $this->db->prepare("DELETE FROM users_resets WHERE id = :id");
+						$stmt->bindValue(':id', $resetData['id'], \PDO::PARAM_INT);
+
+						if ($stmt->execute()) {
+							return;
+						}
+						else {
+							throw new DatabaseError();
+						}
+					}
+					else {
+						throw new TokenExpiredException();
+					}
+				}
+				else {
+					throw new InvalidSelectorTokenPairException();
+				}
+			}
+			else {
+				throw new InvalidSelectorTokenPairException();
+			}
+		}
+		else {
+			throw new DatabaseError();
+		}
+	}
+
 	/**
 	 * Sets whether the user is currently logged in and updates the session
 	 *

tests/index.php

@@ -134,6 +134,25 @@ function processRequestData(\Delight\Auth\Auth $auth) {
 					return 'too many requests';
 				}
 			}
+			else if ($_POST['action'] === 'resetPassword') {
+				try {
+					$auth->resetPassword($_POST['selector'], $_POST['token'], $_POST['password']);
+
+					return 'ok';
+				}
+				catch (\Delight\Auth\InvalidSelectorTokenPairException $e) {
+					return 'invalid token';
+				}
+				catch (\Delight\Auth\TokenExpiredException $e) {
+					return 'token expired';
+				}
+				catch (\Delight\Auth\InvalidPasswordException $e) {
+					return 'invalid password';
+				}
+				catch (\Delight\Auth\TooManyRequestsException $e) {
+					return 'too many requests';
+				}
+			}
 			else if ($_POST['action'] === 'changePassword') {
 				try {
 					$auth->changePassword($_POST['oldPassword'], $_POST['newPassword']);
@@ -260,4 +279,12 @@ function showGuestUserForm() {
 	echo '<input type="text" name="email" placeholder="Email" /> ';
 	echo '<button type="submit">Forgot password</button>';
 	echo '</form>';
+
+	echo '<form action="" method="post" accept-charset="utf-8">';
+	echo '<input type="hidden" name="action" value="resetPassword" />';
+	echo '<input type="text" name="selector" placeholder="Selector" /> ';
+	echo '<input type="text" name="token" placeholder="Token" /> ';
+	echo '<input type="text" name="password" placeholder="New password" /> ';
+	echo '<button type="submit">Reset password</button>';
+	echo '</form>';
 }