Can use security answers to create password reset token

2025-11-04 04:04:20 +00:00 · 2018-05-26 07:28:36 +02:00
parent 3ecdfe257d
commit 5a928c9198
3 changed files with 69 additions and 0 deletions
--- a/RestControllers/accountController.php
+++ b/RestControllers/accountController.php
@@ -127,6 +127,54 @@ class accountController {
 		);
 	}

+	/**
+	 * Check the security answers given by a user in order to reset its 
+	 * password
+	 * 
+	 * @url POST /account/check_security_answers
+	 */
+	public function checkSecurityAnswers(){
+
+		//Get account ID
+		$userID = $this->getUserIDFromPostEmail("email");
+
+		//Check if user has defined security questions
+		if(!components()->settings->has_security_questions($userID))
+			Rest_fatal_error(401, "Specified user has not set up security questions!");
+
+		//Get the security settings of the user
+		$settings = components()->settings->get_security($userID);
+
+		//Check for errors
+		if(!$settings->isValid())
+			Rest_fatal_error(500, "An error occurred while retrieving security settings of the user!");
+
+		//Get the list of security answers
+		$answersString = postString("answers", 3);
+
+		//Get answers
+		$answers = explode("&", $answersString);
+
+		//Check the number of given answers
+		if(count($answers) != 2)
+			Rest_fatal_error(401, "Please specify 2 security answers!");
+			
+		//Check the security answers
+		if(strtolower(urldecode($answers[0])) != strtolower($settings->get_security_answer_1()) || 
+			strtolower(urldecode($answers[1])) != strtolower($settings->get_security_answer_2()))
+			Rest_fatal_error(401, "Specified security answers are invalid!");
+		
+		//If we get there, security anwsers are valid
+		$token = random_str(255);
+		if(!components()->account->set_new_password_reset_token($userID, $token))
+			Rest_fatal_error(500, "Could not set a password reset token for the account!");
+		
+		//Return result
+		return array(
+			"reset_token" => $token
+		);
+	}
+
 	/**
 	 * Create an account
 	 * 
--- a/classes/components/AccountComponent.php
+++ b/classes/components/AccountComponent.php
@@ -291,6 +291,25 @@ class AccountComponent {
 		return CS::get()->db->updateDB(self::USER_TABLE, "ID = ?", $modif, array($userID));
 	}

+	/**
+	 * Set new password reset token for an account
+	 * 
+	 * @param int $userID Target user ID
+	 * @param string $token The new token to apply
+	 * @return bool TRUE for a success / FALSE else
+	 */
+	public function set_new_password_reset_token(int $userID, string $token) : bool {
+		
+		//Prepare database update
+		$modifs = array(
+			"pasword_reset_token" => $token,
+			"password_reset_token_time_create" => time()
+		);
+
+		//Apply update
+		return cs()->db->updateDB(self::USER_TABLE, "ID = ?", $modifs, array($userID));
+	}
+
 	/**
 	 * Crypt user password
 	 *
--- a/db_struct.sql
+++ b/db_struct.sql
@@ -484,5 +484,7 @@ CREATE TABLE `utilisateurs` (
  `allow_multilogin` int(11) NOT NULL DEFAULT '0',
  `allow_piwik` int(11) NOT NULL DEFAULT '1',
  `public_note` varchar(255) DEFAULT NULL,
+  `pasword_reset_token` varchar(255) DEFAULT NULL,
+  `password_reset_token_time_create` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;