
formatting and cleaning

taylorotwell committed Oct 21, 2019
1 parent 23041e9 commit a9341609705e2f8febcd356cdfa33391ec6538c7
@@ -50,7 +50,7 @@ class DatabaseTokenRepository implements TokenRepositoryInterface
*
* @var int
*/
protected $timeout;
protected $throttle;
/**
* Create a new token repository instance.
@@ -60,18 +60,19 @@ class DatabaseTokenRepository implements TokenRepositoryInterface
* @param string $table
* @param string $hashKey
* @param int $expires
* @param int $timeout
* @param int $throttle
* @return void
*/
public function __construct(ConnectionInterface $connection, HasherContract $hasher,
$table, $hashKey, $expires = 60, $timeout = 60)
$table, $hashKey, $expires = 60,
$throttle = 60)
{
$this->table = $table;
$this->hasher = $hasher;
$this->hashKey = $hashKey;
$this->expires = $expires * 60;
$this->timeout = $timeout;
$this->connection = $connection;
$this->throttle = $throttle;
}
/**
@@ -149,12 +150,12 @@ protected function tokenExpired($createdAt)
}
/**
* Determine if a token record exists and was recently created.
* Determine if the given user recently created a password reset token.
*
* @param \Illuminate\Contracts\Auth\CanResetPassword $user
* @param \Illuminate\Contracts\Auth\CanResetPassword $user
* @return bool
*/
public function recentlyCreated(CanResetPasswordContract $user)
public function recentlyCreatedToken(CanResetPasswordContract $user)
{
$record = (array) $this->getTable()->where(
'email', $user->getEmailForPasswordReset()
@@ -166,12 +167,18 @@ public function recentlyCreated(CanResetPasswordContract $user)
/**
* Determine if the token was recently created.
*
* @param string $createdAt
* @param string $createdAt
* @return bool
*/
protected function tokenRecentlyCreated($createdAt)
{
return Carbon::parse($createdAt)->addSeconds($this->timeout)->isFuture();
if ($this->throttle <= 0) {
return false;
}
return Carbon::parse($createdAt)->addSeconds(
$this->throttle
)->isFuture();
}
/**
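Review bot: The docblocks in the tokenRecentlyCreated hunk and the constructor hunk do not state the two facts a caller needs: a `$throttle` of zero or less makes tokenRecentlyCreated() return false before the timestamp is even parsed, which disables the recently-created check entirely, and `$throttle` is in seconds (it is passed to addSeconds) while `$expires` is in minutes (the constructor multiplies it by 60). I would extend `@param int $throttle` to `@param int $throttle Seconds during which a repeat request is refused; 0 or less disables throttling` and add a matching sentence to the tokenRecentlyCreated() docblock. The property docblock at the top of the first hunk only says `@var int`, so the same unit note belongs there.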
@@ -55,14 +55,9 @@ public function sendResetLink(array $credentials)
return static::INVALID_USER;
}
// Before 7.x we have to check the existence of a new method.
// In 7.x, this code must be removed.
if (method_exists($this->tokens, 'recentlyCreated')) {
// An attacker can make a lot of password reset requests,
// which will lead to spam in user's mailbox.
if ($this->tokens->recentlyCreated($user)) {
return static::RESEND_TIMEOUT;
}
if (method_exists($this->tokens, 'recentlyCreatedToken') &&
$this->tokens->recentlyCreatedToken($user)) {
return static::RESET_THROTTLED;
}
// Once we have the reset token, we are ready to send the message out to this
@@ -96,9 +96,7 @@ protected function createTokenRepository(array $config)
$config['table'],
$key,
$config['expire'],
// Before 7.x this element in the configuration may not exist.
// In 7.x, this check must be removed.
$config['timeout'] ?? 0
$config['throttle'] ?? 0
);
}
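Review bot: In createTokenRepository the fallback `$config['throttle'] ?? 0` means an application whose password config lacks a `throttle` key gets no throttling at all, because DatabaseTokenRepository::tokenRecentlyCreated() returns false for a throttle of zero or less, whereas the repository's own constructor defaults `$throttle` to 60; the two defaults disagree and the comment that used to explain the missing-key case was removed in this hunk. If the 0 fallback is deliberate for configs that predate the key, keep a comment such as `// A missing 'throttle' key disables request throttling (configs that predate the key).`; if secure-by-default is intended, `$config['throttle'] ?? 60` would match the repository default. In the sendResetLink hunk the `method_exists` guard likewise silently skips throttling for a custom TokenRepositoryInterface implementation that does not define recentlyCreatedToken(), and the comment explaining why repeat requests are throttled was dropped; a one-line note on that guard, e.g. `// Throttle repeated reset requests; repositories without recentlyCreatedToken() skip this check.`, would keep the intent visible. Both enclosing methods start outside their hunks.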
@@ -35,11 +35,11 @@ interface PasswordBroker
const INVALID_TOKEN = 'passwords.token';
/**
* Constant representing the wait before password reset link resending.
* Constant representing a throttled reset attempt.
*
* @var string
*/
const RESEND_TIMEOUT = 'passwords.timeout';
const RESET_THROTTLED = 'passwords.throttled';
/**
* Send a password reset link to a user.
@@ -107,7 +107,7 @@ public function testRecentlyCreatedReturnsFalseIfNoRowFoundForUser()
$user = m::mock(CanResetPassword::class);
$user->shouldReceive('getEmailForPasswordReset')->once()->andReturn('email');
$this->assertFalse($repo->recentlyCreated($user));
$this->assertFalse($repo->recentlyCreatedToken($user));
}
public function testRecentlyCreatedReturnsTrueIfRecordIsRecentlyCreated()
@@ -120,7 +120,7 @@ public function testRecentlyCreatedReturnsTrueIfRecordIsRecentlyCreated()
$user = m::mock(CanResetPassword::class);
$user->shouldReceive('getEmailForPasswordReset')->once()->andReturn('email');
$this->assertTrue($repo->recentlyCreated($user));
$this->assertTrue($repo->recentlyCreatedToken($user));
}
public function testRecentlyCreatedReturnsFalseIfValidRecordExists()
@@ -133,7 +133,7 @@ public function testRecentlyCreatedReturnsFalseIfValidRecordExists()
$user = m::mock(CanResetPassword::class);
$user->shouldReceive('getEmailForPasswordReset')->once()->andReturn('email');
$this->assertFalse($repo->recentlyCreated($user));
$this->assertFalse($repo->recentlyCreatedToken($user));
}
public function testDeleteMethodDeletesByToken()
@@ -35,10 +35,10 @@ public function testIfTokenIsRecentlyCreated()
$mocks['tokens'] = m::mock(TestTokenRepositoryInterface::class);
$broker = $this->getMockBuilder(PasswordBroker::class)->setMethods(['emailResetLink', 'getUri'])->setConstructorArgs(array_values($mocks))->getMock();
$mocks['users']->shouldReceive('retrieveByCredentials')->once()->with(['foo'])->andReturn($user = m::mock(CanResetPassword::class));
$mocks['tokens']->shouldReceive('recentlyCreated')->once()->with($user)->andReturn(true);
$mocks['tokens']->shouldReceive('recentlyCreatedToken')->once()->with($user)->andReturn(true);
$user->shouldReceive('sendPasswordResetNotification')->with('token');
$this->assertEquals(PasswordBrokerContract::RESEND_TIMEOUT, $broker->sendResetLink(['foo']));
$this->assertEquals(PasswordBrokerContract::RESET_THROTTLED, $broker->sendResetLink(['foo']));
}
public function testGetUserThrowsExceptionIfUserDoesntImplementCanResetPassword()
@@ -130,5 +130,5 @@ protected function getMocks()
interface TestTokenRepositoryInterface extends TokenRepositoryInterface
{
public function recentlyCreated(CanResetPassword $user);
public function recentlyCreatedToken(CanResetPassword $user);
}
