Implement lost password recovery system

app/Http/Controllers/UserController.php

@@ -23,7 +23,11 @@ class UserController extends Controller {
         return view('signup');
     }
 
-    public function logoutUser(Request $request) {
+    public function displayLostPasswordPage(Request $request) {
+        return view('lost_password');
+    }
+
+    public function performLogoutUser(Request $request) {
         $request->session()->forget('username');
         return redirect()->route('index');
     }
@@ -114,7 +118,7 @@ class UserController extends Controller {
         return $response;
     }
 
-    public static function performActivation(Request $request, $username, $recovery_key) {
+    public function performActivation(Request $request, $username, $recovery_key) {
         $user = UserHelper::getUserByUsername($username, $inactive=true);
 
         if ($user) {
@@ -139,4 +143,56 @@ class UserController extends Controller {
         }
     }
 
+    public function performSendPasswordResetCode(Request $request) {
+        if (!env('SETTING_PASSWORD_RECOV')) {
+            return redirect(route('index'))->with('error', 'Password recovery is disabled.');
+        }
+
+        UserHelper::resetRecoveryKey($username);
+
+        $email = $request->input('email');
+        $ip = $request->ip();
+        $user = UserHelper::getUserByEmail($email);
+
+
+        Mail::send('emails.lost_password', [
+            'username' => $user->username, 'recovery_key' => $user->recovery_key, 'ip' => $ip
+        ], function ($m) use ($user) {
+            $m->from(env('MAIL_FROM_ADDRESS'), env('MAIL_FROM_NAME'));
+
+            $m->to($user->email, $user->username)->subject(env('APP_NAME') . ' password reset');
+        });
+
+        return redirect(route('index'))->with('success', 'Password reset email sent. Check your inbox for details.');
+    }
+
+    public function performPasswordReset(Request $request, $username, $recovery_key) {
+        if (!$request->input('new_password')) {
+            return view('reset_password');
+        }
+
+        $user = UserHelper::getUserByUsername($username);
+
+        if ($user) {
+            $user_recovery_key = $user->recovery_key;
+
+            if ($recovery_key == $user_recovery_key) {
+                // Key is correct
+                // Reset password
+                $user->password = $new_password;
+                $user->save();
+
+                UserHelper::resetRecoveryKey($username);
+                return redirect(route('login'))->with('success', 'Password reset. You may now login.');
+            }
+            else {
+                return redirect(route('index'))->with('error', 'Username or activation key incorrect.');
+            }
+        }
+        else {
+            return redirect(route('index'))->with('error', 'Username or reset key incorrect.');
+        }
+
+    }
+
 }

app/Http/routes.php

@@ -15,11 +15,13 @@
 /* GET endpoints */
 
 $app->get('/', ['as' => 'index', 'uses' => 'IndexController@showIndexPage']);
-$app->get('/logout', ['as' => 'logout', 'uses' => 'UserController@logoutUser']);
+$app->get('/logout', ['as' => 'logout', 'uses' => 'UserController@performLogoutUser']);
 $app->get('/login', ['as' => 'login', 'uses' => 'UserController@displayLoginPage']);
 $app->get('/about', ['as' => 'about', 'uses' => 'StaticPageController@displayAbout']);
 $app->get('/signup', ['as' => 'signup', 'uses' => 'UserController@displaySignupPage']);
+$app->get('/lost_password', ['as' => 'lost_password', 'uses' => 'UserController@displayLostPasswordPage']);
 $app->get('/activate/{username}/{recovery_key}', ['as' => 'activate', 'uses' => 'UserController@performActivation']);
+$app->get('/reset_password/{username}/{recovery_key}', ['as' => 'reset_password', 'uses' => 'UserController@performPasswordReset']);
 
 $app->get('/admin', ['as' => 'admin', 'uses' => 'AdminController@displayAdminPage']);
 
@@ -35,22 +37,26 @@ $app->get('/{short_url}/{secret_key}', ['uses' => 'LinkController@performRedirec
 
 $app->post('/login', ['as' => 'plogin', 'uses' => 'UserController@performLogin']);
 $app->post('/signup', ['as' => 'psignup', 'uses' => 'UserController@performSignup']);
-$app->post('/shorten', ['as' => 'shorten', 'uses' => 'LinkController@performShorten']);
+$app->post('/shorten', ['as' => 'pshorten', 'uses' => 'LinkController@performShorten']);
+$app->post('/lost_password', ['as' => 'plost_password', 'uses' => 'UserController@performSendPasswordResetCode']);
+$app->post('/reset_password/{username}/{recovery_key}', ['as' => 'preset_password', 'uses' => 'UserController@performPasswordReset']);
 
 $app->post('/admin/action/change_password', ['as' => 'change_password', 'uses' => 'AdminController@changePassword']);
 
-/* API endpoints */
-$app->post('/api/v2/link_avail_check', ['as' => 'api_link_check', 'uses' => 'AjaxController@checkLinkAvailability']);
-$app->post('/api/v2/admin/toggle_api_active', ['as' => 'api_toggle_api_active', 'uses' => 'AjaxController@toggleAPIActive']);
-$app->post('/api/v2/admin/generate_new_api_key', ['as' => 'api_generate_new_api_key', 'uses' => 'AjaxController@generateNewAPIKey']);
-$app->post('/api/v2/admin/delete_user', ['as' => 'api_generate_new_api_key', 'uses' => 'AjaxController@deleteUser']);
-$app->post('/api/v2/admin/toggle_link', ['as' => 'api_toggle_link', 'uses' => 'AjaxController@toggleLink']);
-$app->post('/api/v2/admin/delete_link', ['as' => 'api_delete_link', 'uses' => 'AjaxController@deleteLink']);
+$app->group(['prefix' => '/api/v2'], function ($app) {
+    /* API internal endpoints */
+    $app->post('link_avail_check', ['as' => 'api_link_check', 'uses' => 'AjaxController@checkLinkAvailability']);
+    $app->post('admin/toggle_api_active', ['as' => 'api_toggle_api_active', 'uses' => 'AjaxController@toggleAPIActive']);
+    $app->post('admin/generate_new_api_key', ['as' => 'api_generate_new_api_key', 'uses' => 'AjaxController@generateNewAPIKey']);
+    $app->post('admin/delete_user', ['as' => 'api_generate_new_api_key', 'uses' => 'AjaxController@deleteUser']);
+    $app->post('admin/toggle_link', ['as' => 'api_toggle_link', 'uses' => 'AjaxController@toggleLink']);
+    $app->post('admin/delete_link', ['as' => 'api_delete_link', 'uses' => 'AjaxController@deleteLink']);
 
-/* API shorten */
-$app->post('/api/v2/action/shorten', ['as' => 'api_shorten_url', 'uses' => 'Api\ApiLinkController@shortenLink']);
-$app->get('/api/v2/action/shorten', ['as' => 'api_shorten_url', 'uses' => 'Api\ApiLinkController@shortenLink']);
+    /* API shorten endpoints */
+    $app->post('action/shorten', ['as' => 'api_shorten_url', 'uses' => 'Api\ApiLinkController@shortenLink']);
+    $app->get('action/shorten', ['as' => 'api_shorten_url', 'uses' => 'Api\ApiLinkController@shortenLink']);
 
-/* API lookup */
-$app->post('/api/v2/action/lookup', ['as' => 'api_lookup_url', 'uses' => 'Api\ApiLinkController@lookupLink']);
-$app->get('/api/v2/action/lookup', ['as' => 'api_lookup_url', 'uses' => 'Api\ApiLinkController@lookupLink']);
+    /* API lookup endpoints */
+    $app->post('action/lookup', ['as' => 'api_lookup_url', 'uses' => 'Api\ApiLinkController@lookupLink']);
+    $app->get('action/lookup', ['as' => 'api_lookup_url', 'uses' => 'Api\ApiLinkController@lookupLink']);
+});

public/css/lost_password.css

@@ -0,0 +1,8 @@
+.header {
+    text-align: center;
+    margin-bottom: 1em;
+}
+
+.email-input-pd {
+    margin-bottom: 2em;
+}

public/css/reset_password.css

@@ -0,0 +1,8 @@
+.header {
+    text-align: center;
+    margin-bottom: 1em;
+}
+
+.email-input-pd {
+    margin-bottom: 2em;
+}

resources/views/emails/lost_password.blade.php

@@ -0,0 +1,23 @@
+<h3>Hello {{$username}}!</h3>
+
+<p>
+    You may use the link located in this email to reset your password for your
+    account at {{env('APP_NAME')}}.
+</p>
+
+<br />
+
+<a href='{{env('APP_PROTOCOL')}}{{env('APP_ADDRESS')}}/reset_password/{{$username}}/{{$recovery_key}}'>
+    {{env('APP_PROTOCOL')}}{{env('APP_ADDRESS')}}/reset_password/{{$username}}/{{$recovery_key}}
+</a>
+
+<br />
+
+<p>Thanks,</p>
+<p>The {{env('APP_NAME')}} team.</p>
+
+--
+<br />
+You received this email because someone with the IP {{$ip}} requested a password reset
+for an account at {{env('APP_PROTOCOL')}}{{env('APP_ADDRESS')}}. If this was not you,
+you may ignore this email.

resources/views/lost_password.blade.php

@@ -0,0 +1,17 @@
+@extends('layouts.base')
+
+@section('css')
+<link rel='stylesheet' href='/css/lost_password.css' />
+@endsection
+
+@section('content')
+<h1 class='header'>Lost Password</h1>
+
+<div class='col-md-6 col-md-offset-3'>
+    <form action='/lost_password' method='POST'>
+        <input type='email' placeholder='Email' class='form-control email-input-pd'>
+        <input type="hidden" name='_token' value='{{csrf_token()}}' />
+        <input type='submit' value='Send a password reset email' class='form-control'>
+    </form>
+</div>
+@endsection

resources/views/reset_password.php

@@ -0,0 +1,17 @@
+@extends('layouts.base')
+
+@section('css')
+<link rel='stylesheet' href='/css/reset_password.css' />
+@endsection
+
+@section('content')
+<h1 class='header'>Reset Password</h1>
+
+<div class='col-md-6 col-md-offset-3'>
+    <form action method='POST'>
+        <input type='password' placeholder='New Password' class='form-control password-input-pd'>
+        <input type="hidden" name='_token' value='{{csrf_token()}}' />
+        <input type='submit' value='Reset Password' class='form-control'>
+    </form>
+</div>
+@endsection