<?php
declare(strict_types=1);
namespace SilverStripe\MFA\Extension\AccountReset;
use Exception;
use Psr\Log\LoggerInterface;
use SilverStripe\Admin\SecurityAdmin;
use SilverStripe\Control\Controller;
use SilverStripe\Control\Email\Email;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Core\Extension;
use SilverStripe\MFA\Extension\MemberExtension as BaseMFAMemberExtension;
use SilverStripe\MFA\JSONResponse;
use SilverStripe\Security\Member;
use SilverStripe\Security\Permission;
use SilverStripe\Security\Security;
use SilverStripe\Security\SecurityToken;
/**
* This extension is applied to SecurityAdmin to provide an additional endpoint
* for sending account reset requests.
*
* @package SilverStripe\MFA\Extension
* @property SecurityAdmin $owner
*/
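class SecurityAdminExtension extends Extension
{
    use JSONResponse;

    /**
     * Controller actions exposed by this extension; only "reset" is routable.
     *
     * @var string[]
     */
    private static $allowed_actions = [
        'reset',
    ];

    /**
     * Injector service specification for the logger used when a reset email fails.
     *
     * @var string[]
     */
    private static $dependencies = [
        'Logger' => '%$' . LoggerInterface::class . '.account_reset',
    ];

    /**
     * May be null: setLogger() accepts null and nothing else in this class assigns it.
     *
     * @var LoggerInterface|null
     */
    protected $logger;

    /**
     * Sends an account reset email to the member named by the "ID" route parameter.
     *
     * Checks run in this order, each answering with a JSON error body:
     * POST with an ID (400), CSRF token taken from the JSON request body (400),
     * MFA_ADMINISTER_REGISTERED_METHODS permission (403), member exists (403),
     * email sent (500). On success the body is {"success": true} with status 200.
     *
     * @param HTTPRequest $request
     * @return HTTPResponse
     */
    public function reset(HTTPRequest $request): HTTPResponse
    {
        if (!$request->isPOST() || !$request->param('ID')) {
            return $this->jsonResponse(
                [
                    'error' => _t(__CLASS__ . '.BAD_REQUEST', 'Invalid request')
                ],
                400
            );
        }

        // The body is caller-controlled: it may not decode to an array, and "csrf_token"
        // may be any JSON type (array, number, bool). Only a string is handed to the token
        // comparison, so a malformed body is answered with the 400 below rather than risking
        // a type error inside the check.
        $body = json_decode($request->getBody() ?? '', true);
        $csrfToken = is_array($body) ? ($body['csrf_token'] ?? null) : null;
        if (!is_string($csrfToken) || !SecurityToken::inst()->check($csrfToken)) {
            return $this->jsonResponse(
                [
                    'error' => _t(__CLASS__ . '.INVALID_CSRF_TOKEN', 'Invalid or missing CSRF token')
                ],
                400
            );
        }

        // NOTE(review): authorisation here is the global permission only; no per-member check
        // on the target (for example Member::canEdit()) is made in this method. Confirm that is
        // intended for installations that delegate this permission to non-admin groups.
        if (!Permission::check(BaseMFAMemberExtension::MFA_ADMINISTER_REGISTERED_METHODS)) {
            return $this->jsonResponse(
                [
                    'error' => _t(
                        __CLASS__ . '.INSUFFICIENT_PERMISSIONS',
                        'Insufficient permissions to reset user'
                    )
                ],
                403
            );
        }

        /** @var Member $memberToReset */
        $memberToReset = Member::get()->byID($request->param('ID'));
        if ($memberToReset === null) {
            // An unknown member is reported as 403, not 404; kept because callers may rely on it.
            return $this->jsonResponse(
                [
                    'error' => _t(
                        __CLASS__ . '.INVALID_MEMBER',
                        'Requested member for reset not found'
                    )
                ],
                403
            );
        }

        if (!$this->sendResetEmail($memberToReset)) {
            return $this->jsonResponse(
                [
                    'error' => _t(
                        __CLASS__ . '.EMAIL_NOT_SENT',
                        'Email sending failed'
                    )
                ],
                500
            );
        }

        return $this->jsonResponse(['success' => true], 200);
    }

    /**
     * Prepares and attempts to send the Account Reset request email.
     *
     * The reset token is generated (and its hash stored on the member) before the email is
     * built, so a failed send still leaves that stored hash in place.
     *
     * @param Member&MemberExtension $member
     * @return bool False when building or sending the email throws an Exception; otherwise
     *              whatever Email::send() returns.
     */
    protected function sendResetEmail($member)
    {
        // Generate / store / obtain reset token
        $token = $member->generateAccountResetTokenAndStoreHash();

        // Create email and fire
        try {
            $email = Email::create()
                ->setHTMLTemplate('SilverStripe\\MFA\\Email\\AccountReset')
                ->setData($member)
                ->setSubject(_t(
                    __CLASS__ . '.ACCOUNT_RESET_EMAIL_SUBJECT',
                    'Reset your account'
                ))
                ->addData('AccountResetLink', $this->getAccountResetLink($member, $token))
                ->addData('Member', $member)
                ->setTo($member->Email);

            return $email->send();
        } catch (Exception $e) {
            // setLogger() accepts null. Calling a method on null raises an Error, which this
            // catch (Exception) would not handle, so the failure path itself would blow up.
            // NOTE(review): this is logged at info level although the message says WARNING;
            // confirm the account_reset log handlers do not filter info-level records.
            if ($this->logger !== null) {
                $this->logger->info('WARNING: Account Reset Email failed to send: ' . $e->getMessage());
            }

            return false;
        }
    }

    /**
     * Generates a link to the Account Reset Handler endpoint to be sent to a Member.
     *
     * The link carries the plain reset token, so it must be treated as a credential: it
     * belongs in the email to the member and nowhere else (logs, responses, analytics).
     *
     * @param Member $member
     * @param string $token
     * @return string
     */
    public function getAccountResetLink(Member $member, string $token): string
    {
        // Percent-encode the token so characters such as "&", "+", "#" or "%" cannot split or
        // alter the query string. For a purely alphanumeric token the output is unchanged.
        $query = sprintf('?m=%d&t=%s', $member->ID, rawurlencode($token));

        return Controller::join_links(
            Security::singleton()->Link('resetaccount'),
            $query
        );
    }

    /**
     * Sets (or clears, when null) the logger used to record failed reset emails.
     *
     * @param LoggerInterface|null $logger
     * @return SecurityAdmin The extension's owner, for chaining.
     */
    public function setLogger(?LoggerInterface $logger): ?SecurityAdmin
    {
        $this->logger = $logger;

        return $this->owner;
    }
}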