Lost password service: do not expose info whether a user exists or no…

…t (avoid brute-force attacks)
pimcore · Oct 21, 2019 · 4a7bba5 · 4a7bba5
1 parent 8522898
commit 4a7bba5
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 24 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/LoginController.php b/bundles/AdminBundle/Controller/Admin/LoginController.php
@@ -22,6 +22,7 @@
 use Pimcore\Controller\EventedControllerInterface;
 use Pimcore\Event\Admin\Login\LostPasswordEvent;
 use Pimcore\Event\AdminEvents;
+use Pimcore\Logger;
 use Pimcore\Model\User;
 use Pimcore\Templating\Model\ViewModel;
 use Pimcore\Tool;
@@ -116,29 +117,28 @@ public function loginCheckAction()
     public function lostpasswordAction(Request $request, BruteforceProtectionHandler $bruteforceProtectionHandler)
     {
         $view = $this->buildLoginPageViewModel();
-        $view->success = false;
+        $error = null;
 
-        // TODO is the error on the view used somewhere?
         if ($request->getMethod() === 'POST' && $username = $request->get('username')) {
             $user = User::getByName($username);
 
             if ($user instanceof User) {
                 if (!$user->isActive()) {
-                    $view->error = 'user inactive';
+                    $error = 'user inactive';
                 }
 
                 if (!$user->getEmail()) {
-                    $view->error = 'user has no email address';
+                    $error = 'user has no email address';
                 }
 
                 if (!$user->getPassword()) {
-                    $view->error = 'user has no password';
+                    $error = 'user has no password';
                 }
             } else {
-                $view->error = 'user unknown';
+                $error = 'user unknown';
             }
 
-            if (!$view->error) {
+            if (!$error) {
                 $token = Authentication::generateToken($username, $user->getPassword());
 
                 $loginUrl = $this->generateUrl('pimcore_admin_login_check', [
@@ -163,14 +163,13 @@ public function lostpasswordAction(Request $request, BruteforceProtectionHandler
                     if ($event->hasResponse()) {
                         return $event->getResponse();
                     }
-
-                    $view->success = true;
                 } catch (\Exception $e) {
-                    $view->error = 'could not send email';
+                    $error = 'could not send email';
                 }
             }
 
-            if ($view->error) {
+            if ($error) {
+                Logger::error('Lost password service: ' . $error);
                 $bruteforceProtectionHandler->addEntry($request->get('username'), $request);
             }
         }

diff --git a/bundles/AdminBundle/Resources/views/Admin/Login/lostpassword.html.php b/bundles/AdminBundle/Resources/views/Admin/Login/lostpassword.html.php
@@ -8,23 +8,16 @@
 
 
 
-<?php if ($this->success) { ?>
-    <div class="text info">
+<?php if ($this->getRequest()->getMethod() === 'POST') { ?>
+    <div class="text error">
         <?= $this->translate("A temporary login link has been sent to your email address."); ?>
         <br/>
         <?= $this->translate("Please check your mailbox."); ?>
     </div>
 <?php } else { ?>
-    <?php if ($this->error) { ?>
-        <div class="text error">
-            <?= $this->translate('lostpassword_reset_error'); ?>
-        </div>
-    <?php } else { ?>
-        <div class="text info">
-            <?= $this->translate("Enter your username and pimcore will send a login link to your email address"); ?>
-        </div>
-    <?php } ?>
-
+    <div class="text info">
+        <?= $this->translate("Enter your username and pimcore will send a login link to your email address"); ?>
+    </div>
 
     <form method="post" action="<?= $view->router()->path('pimcore_admin_login_lostpassword') ?>">
         <input type="text" name="username" placeholder="<?= $this->translate("Username"); ?>" required autofocus>

diff --git a/bundles/CoreBundle/Resources/translations/en.json b/bundles/CoreBundle/Resources/translations/en.json
@@ -147,7 +147,6 @@
   "send": "Send",
   "Password": "Password",
   "Forgot your password": "Forgot your password",
-  "lostpassword_reset_error": "There was an error while sending the lost password info. Please try again or contact your administrator.",
   "Back to Login": "Back to Login",
   "Enter your username and pimcore will send a login link to your email address": "Enter your username and Pimcore will send a login link to your email address",
   "Please check your mailbox.": "Please check your mailbox.",