Polish lost password implementation & refactor

app/Helpers/UserHelper.php

@@ -62,6 +62,22 @@ class UserHelper {
         $user->recovery_key = $recovery_key;
         $user->save();
 
+        return $recovery_key;
+    }
+
+    public static function userResetKeyCorrect($username, $recovery_key, $inactive=false) {
+        // Given a username and a recovery key, return true if they match.
+
+        $user = self::getUserByUsername($username, $inactive);
+
+        if ($user) {
+            if ($recovery_key != $user->recovery_key) {
+                return false;
+            }
+        }
+        else {
+            return false;
+        }
         return true;
     }
 

app/Http/Controllers/UserController.php

@@ -1,6 +1,7 @@
 <?php
 namespace App\Http\Controllers;
 use Mail;
+use Hash;
 use App\Models\User;
 use Illuminate\Http\Request;
 
@@ -118,76 +119,65 @@ class UserController extends Controller {
         return $response;
     }
 
+    public function performSendPasswordResetCode(Request $request) {
+        if (!env('SETTING_PASSWORD_RECOV')) {
+            return redirect(route('index'))->with('error', 'Password recovery is disabled.');
+        }
+
+        $email = $request->input('email');
+        $ip = $request->ip();
+        $user = UserHelper::getUserByEmail($email);
+
+        if (!$user) {
+            return redirect(route('lost_password'))->with('error', 'Email is not associated with a user.');
+        }
+
+        $recovery_key = UserHelper::resetRecoveryKey($user->username);
+
+        Mail::send('emails.lost_password', [
+            'username' => $user->username, 'recovery_key' => $recovery_key, 'ip' => $ip
+        ], function ($m) use ($user) {
+            $m->from(env('MAIL_FROM_ADDRESS'), env('MAIL_FROM_NAME'));
+
+            $m->to($user->email, $user->username)->subject(env('APP_NAME') . ' Password Reset');
+        });
+
+        return redirect(route('index'))->with('success', 'Password reset email sent. Check your inbox for details.');
+    }
+
     public function performActivation(Request $request, $username, $recovery_key) {
-        $user = UserHelper::getUserByUsername($username, $inactive=true);
+        $user = UserHelper::getUserByUsername($username, true);
 
-        if ($user) {
-            $user_recovery_key = $user->recovery_key;
+        if (UserHelper::userResetKeyCorrect($username, $recovery_key, true)) {
+            // Key is correct
+            // Activate account and reset recovery key
+            $user->active = 1;
+            $user->save();
 
-            if ($recovery_key == $user_recovery_key) {
-                // Key is correct
-                // Activate account and reset recovery key
-                $user->active = 1;
-                $user->save();
-
-                UserHelper::resetRecoveryKey($username);
-                return redirect(route('login'))->with('success', 'Account activated. You may now login.');
-            }
-            else {
-                return $user->recovery_key;
-                // return redirect(route('index'))->with('error', 'Username or activation key incorrect.');
-            }
+            UserHelper::resetRecoveryKey($username);
+            return redirect(route('login'))->with('success', 'Account activated. You may now login.');
         }
         else {
             return redirect(route('index'))->with('error', 'Username or activation key incorrect.');
         }
     }
 
-    public function performSendPasswordResetCode(Request $request) {
-        if (!env('SETTING_PASSWORD_RECOV')) {
-            return redirect(route('index'))->with('error', 'Password recovery is disabled.');
-        }
-
-        UserHelper::resetRecoveryKey($username);
-
-        $email = $request->input('email');
-        $ip = $request->ip();
-        $user = UserHelper::getUserByEmail($email);
-
-
-        Mail::send('emails.lost_password', [
-            'username' => $user->username, 'recovery_key' => $user->recovery_key, 'ip' => $ip
-        ], function ($m) use ($user) {
-            $m->from(env('MAIL_FROM_ADDRESS'), env('MAIL_FROM_NAME'));
-
-            $m->to($user->email, $user->username)->subject(env('APP_NAME') . ' password reset');
-        });
-
-        return redirect(route('index'))->with('success', 'Password reset email sent. Check your inbox for details.');
-    }
-
     public function performPasswordReset(Request $request, $username, $recovery_key) {
-        if (!$request->input('new_password')) {
-            return view('reset_password');
-        }
-
+        $new_password = $request->input('new_password');
         $user = UserHelper::getUserByUsername($username);
 
-        if ($user) {
-            $user_recovery_key = $user->recovery_key;
-
-            if ($recovery_key == $user_recovery_key) {
-                // Key is correct
-                // Reset password
-                $user->password = $new_password;
-                $user->save();
-
-                UserHelper::resetRecoveryKey($username);
-                return redirect(route('login'))->with('success', 'Password reset. You may now login.');
-            }
-            else {
-                return redirect(route('index'))->with('error', 'Username or activation key incorrect.');
+        if (UserHelper::userResetKeyCorrect($username, $recovery_key)) {
+            if (!$new_password) {
+                return view('reset_password');
             }
+
+            // Key is correct
+            // Reset password
+            $user->password = Hash::make($new_password);
+            $user->save();
+
+            UserHelper::resetRecoveryKey($username);
+            return redirect(route('login'))->with('success', 'Password reset. You may now login.');
         }
         else {
             return redirect(route('index'))->with('error', 'Username or reset key incorrect.');

app/Http/routes.php

@@ -4,11 +4,6 @@
 |--------------------------------------------------------------------------
 | Application Routes
 |--------------------------------------------------------------------------
-|
-| Here is where you can register all of the routes for an application.
-| It is a breeze. Simply tell Lumen the URIs it should respond to
-| and give it the Closure to call when that URI is requested.
-|
 */
 
 

public/css/login.css

@@ -6,6 +6,10 @@
     margin-bottom: 20px;
 }
 
-.signup-prompt {
+.login-prompts {
     padding-top: 15px;
 }
+
+.login-prompts small {
+    display: block;
+}

public/css/reset_password.css

@@ -3,6 +3,7 @@
     margin-bottom: 1em;
 }
 
-.email-input-pd {
+#passwordConfirm {
+    margin-top: 0.5em;
     margin-bottom: 2em;
 }

public/js/reset_password.js

@@ -0,0 +1,10 @@
+$('#passwordConfirm').on('keyup', function() {
+    var password = $('#passwordFirst').val();
+    var confirm_password = $('#passwordConfirm').val();
+
+    if (password != confirm_password) {
+        this.setCustomValidity("Passwords do not match.");
+    } else {
+        this.setCustomValidity('');
+    }
+});

resources/views/emails/lost_password.blade.php

@@ -5,8 +5,6 @@
     account at {{env('APP_NAME')}}.
 </p>
 
-<br />
-
 <a href='{{env('APP_PROTOCOL')}}{{env('APP_ADDRESS')}}/reset_password/{{$username}}/{{$recovery_key}}'>
     {{env('APP_PROTOCOL')}}{{env('APP_ADDRESS')}}/reset_password/{{$username}}/{{$recovery_key}}
 </a>

resources/views/login.blade.php

@@ -15,11 +15,15 @@
             <input type="hidden" name='_token' value='{{csrf_token()}}' />
             <input type="submit" value="Login" class="login-submit btn btn-success" />
 
+            <p class='login-prompts'>
             @if (env('POLR_ALLOW_ACCT_CREATION') == true)
-                <p class='signup-prompt'>
-                    <small>Don't have an account? <a href='{{route('signup')}}'>Register</a></small>
-                </p>
-            @endif    
+                <small>Don't have an account? <a href='{{route('signup')}}'>Register</a></small>
+            @endif
+
+            @if (env('SETTING_PASSWORD_RECOV') == true)
+                <small>Forgot your password? <a href='{{route('lost_password')}}'>Reset</a></small>
+            @endif
+            </p>
         </form>
     </div>
     <div class="col-md-3"></div>

resources/views/lost_password.blade.php

@@ -9,7 +9,7 @@
 
 <div class='col-md-6 col-md-offset-3'>
     <form action='/lost_password' method='POST'>
-        <input type='email' placeholder='Email' class='form-control email-input-pd'>
+        <input type='email' name='email' placeholder='Email' class='form-control email-input-pd'>
         <input type="hidden" name='_token' value='{{csrf_token()}}' />
         <input type='submit' value='Send a password reset email' class='form-control'>
     </form>

resources/views/reset_password.blade.php

@@ -0,0 +1,23 @@
+@extends('layouts.base')
+
+@section('css')
+<link rel='stylesheet' href='/css/reset_password.css' />
+@endsection
+
+@section('content')
+<h1 class='header'>Reset Password</h1>
+
+<div class='col-md-6 col-md-offset-3'>
+    <form method='POST'>
+        <input type='password' id='passwordFirst' placeholder='New Password' class='form-control password-input-pd'>
+        <input type='password' id='passwordConfirm' placeholder='Confirm New Password' class='form-control password-input-pd' name='new_password'>
+
+        <input type="hidden" name='_token' value='{{csrf_token()}}' />
+        <input type='submit' id='submitForm' value='Reset Password' class='form-control'>
+    </form>
+</div>
+@endsection
+
+@section('js')
+<script src='/js/reset_password.js'></script>
+@endsection

resources/views/reset_password.php

@@ -1,17 +0,0 @@
-@extends('layouts.base')
-
-@section('css')
-<link rel='stylesheet' href='/css/reset_password.css' />
-@endsection
-
-@section('content')
-<h1 class='header'>Reset Password</h1>
-
-<div class='col-md-6 col-md-offset-3'>
-    <form action method='POST'>
-        <input type='password' placeholder='New Password' class='form-control password-input-pd'>
-        <input type="hidden" name='_token' value='{{csrf_token()}}' />
-        <input type='submit' value='Reset Password' class='form-control'>
-    </form>
-</div>
-@endsection