22527357078

Committed 28 Feb 2026 07:22PM UTC coverage: 63.267% (+0.7%) from 62.568%

Build # 22527357078

Build Type

push

github

Committed by

daycry

Commit Message

Remove PHP 8.1 from PHPUnit CI matrix

Update .github/workflows/phpunit.yml to drop PHP 8.1 from the test matrix. CI will now run PHPUnit only on PHP 8.2 and 8.3, reducing the matrix to current supported versions.

Run Details

3064 of 4843 relevant lines covered (63.27%)

41.52 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/Controllers/PasswordResetController.php

<?php

declare(strict_types=1);

/**
 * This file is part of Daycry Auth.
 *
 * (c) Daycry <daycry9@proton.me>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace Daycry\Auth\Controllers;

use CodeIgniter\Events\Events;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RedirectResponse;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\I18n\Time;
use Daycry\Auth\Enums\IdentityType;
use Daycry\Auth\Models\LoginModel;
use Daycry\Auth\Models\UserIdentityModel;
use Daycry\Auth\Models\UserModel;

/**
 * Handles password reset flow via email token.
 *
 * The user requests a reset link, receives an email with a token,
 * and uses that token to set a new password.
 */
class PasswordResetController extends BaseAuthController
{
    /**
     * @var UserModel
     */
    protected $provider;

    public function __construct()
    {
        /** @var class-string<UserModel> $providerClass */
        $providerClass = setting('Auth.userProvider');

        $this->provider = new $providerClass();
    }

    /**
     * Displays the form to request a password reset email.
     */
    public function requestView(): ResponseInterface
    {
        if (($redirect = $this->redirectIfLoggedIn()) instanceof RedirectResponse) {
            return $redirect;
        }

        $content = $this->view(setting('Auth.views')['password-reset-request']);

        return $this->response->setBody($content);
    }

    /**
     * Receives the email, generates a reset token, and sends an email.
     */
    public function requestAction(): RedirectResponse
    {
        // Validate email format
        $rules    = $this->getValidationRules();
        $postData = $this->request->getPost();

        if (! $this->validateRequest($postData, $rules)) {
            return $this->handleValidationError('password-reset');
        }

        $email = $this->request->getPost('email');
        $user  = $this->provider->findByCredentials(['email' => $email]);

        if ($user !== null) {
            /** @var UserIdentityModel $identityModel */
            $identityModel = model(UserIdentityModel::class);

            // Delete any previous reset_password identities
            $identityModel->deleteIdentitiesByType($user, IdentityType::RESET_PASSWORD->value);

            // Generate the token and save it as an identity
            helper('text');
            $token = random_string('crypto', 20);

            $identityModel->insert([
                'user_id' => $user->id,
                'type'    => IdentityType::RESET_PASSWORD->value,
                'secret'  => $token,
                'expires' => Time::now()->addSeconds(setting('Auth.passwordResetLifetime'))->format('Y-m-d H:i:s'),
            ]);

            /** @var IncomingRequest $request */
            $request = service('request');

            $ipAddress = $request->getIPAddress();
            $userAgent = (string) $request->getUserAgent();
            $date      = Time::now()->toDateTimeString();

            // Send the user an email with the reset link
            helper('email');
            $emailService = emailer()->setFrom(setting('Email.fromEmail'), setting('Email.fromName') ?? '');
            $emailService->setTo($user->email);
            $emailService->setSubject(lang('Auth.passwordResetSubject'));
            $emailService->setMessage($this->view(setting('Auth.views')['password-reset-email'], [
                'token'     => $token,
                'ipAddress' => $ipAddress,
                'userAgent' => $userAgent,
                'date'      => $date,
                'user'      => $user,
            ]));

            if ($emailService->send(false) === false) {
                log_message('error', $emailService->printDebugger(['headers']));
            }

            // Clear the email
            $emailService->clear();

            // Record the attempt
            $this->recordAttempt($email, true, $user->id);
        } else {
            // Record failed attempt but don't reveal that user doesn't exist
            $this->recordAttempt($email, false);
        }

        // Always redirect to message view (don't reveal if user exists)
        return redirect()->route('password-reset-message');
    }

    /**
     * Shows the "check your email" message view.
     */
    public function messageView(): ResponseInterface
    {
        $content = $this->view(setting('Auth.views')['password-reset-message']);

        return $this->response->setBody($content);
    }

    /**
     * Displays the password reset form (with token from query string).
     */
    public function resetView(): ResponseInterface
    {
        $token = $this->request->getGet('token');

        /** @var UserIdentityModel $identityModel */
        $identityModel = model(UserIdentityModel::class);

        $identity = $identityModel->getIdentityBySecret(IdentityType::RESET_PASSWORD->value, $token);

        if ($identity === null) {
            return redirect()->route('password-reset-request')
                ->with('error', lang('Auth.passwordResetTokenInvalid'));
        }

        if (Time::now()->isAfter($identity->expires)) {
            // Delete expired token
            $identityModel->delete($identity->id);

            return redirect()->route('password-reset-request')
                ->with('error', lang('Auth.passwordResetTokenExpired'));
        }

        $content = $this->view(setting('Auth.views')['password-reset-form'], [
            'token' => $token,
        ]);

        return $this->response->setBody($content);
    }

    /**
     * Handles the password reset form submission.
     */
    public function resetAction(): RedirectResponse
    {
        $rules = [
            'token'            => 'required',
            'password'         => 'required|min_length[8]',
            'password_confirm' => 'required|matches[password]',
        ];

        $postData = $this->request->getPost();

        if (! $this->validateRequest($postData, $rules)) {
            $token = $this->request->getPost('token');

            return redirect()->to(site_url('password-reset/verify?token=' . $token))
                ->withInput()
                ->with('errors', $this->validator->getErrors());
        }

        $token = $this->request->getPost('token');

        /** @var UserIdentityModel $identityModel */
        $identityModel = model(UserIdentityModel::class);

        $identity = $identityModel->getIdentityBySecret(IdentityType::RESET_PASSWORD->value, $token);

        if ($identity === null) {
            return redirect()->route('password-reset-request')
                ->with('error', lang('Auth.passwordResetTokenInvalid'));
        }

        if (Time::now()->isAfter($identity->expires)) {
            $identityModel->delete($identity->id);

            return redirect()->route('password-reset-request')
                ->with('error', lang('Auth.passwordResetTokenExpired'));
        }

        // Find the user
        $user = $this->provider->findById($identity->user_id);

        if ($user === null) {
            return redirect()->route('password-reset-request')
                ->with('error', lang('Auth.passwordResetTokenInvalid'));
        }

        // Update the password
        $password = $this->request->getPost('password');
        $user->setPassword($password);

        /** @var UserModel $userModel */
        $userModel = model(UserModel::class);
        $userModel->save($user);

        // Delete the reset token identity
        $identityModel->delete($identity->id);

        Events::trigger('passwordReset', $user);

        return redirect()->route('login')
            ->with('message', lang('Auth.passwordResetSuccess'));
    }

    /**
     * Records a login attempt for the password reset flow.
     *
     * @param int|string|null $userId
     */
    private function recordAttempt(
        string $identifier,
        bool $success,
        $userId = null,
    ): void {
        /** @var LoginModel $loginModel */
        $loginModel = model(LoginModel::class);

        $loginModel->recordLoginAttempt(
            IdentityType::RESET_PASSWORD->value,
            $identifier,
            $success,
            $this->request->getIPAddress(),
            (string) $this->request->getUserAgent(),
            $userId,
        );
    }

    /**
     * Returns the rules that should be used for validation.
     *
     * @return         array<string, array<string, list<string>|string>>
     * @phpstan-return array<string, array<string, string|list<string>>>
     */
    protected function getValidationRules(): array
    {
        return [
            'email' => config('Auth')->emailValidationRules,
        ];
    }
}

1	<?php
2
3	declare(strict_types=1);
4
5	/**
6	* This file is part of Daycry Auth.
7	*
8	* (c) Daycry <daycry9@proton.me>
9	*
10	* For the full copyright and license information, please view
11	* the LICENSE file that was distributed with this source code.
12	*/
13
14	namespace Daycry\Auth\Controllers;
15
16	use CodeIgniter\Events\Events;
17	use CodeIgniter\HTTP\IncomingRequest;
18	use CodeIgniter\HTTP\RedirectResponse;
19	use CodeIgniter\HTTP\ResponseInterface;
20	use CodeIgniter\I18n\Time;
21	use Daycry\Auth\Enums\IdentityType;
22	use Daycry\Auth\Models\LoginModel;
23	use Daycry\Auth\Models\UserIdentityModel;
24	use Daycry\Auth\Models\UserModel;
25
26	/**
27	* Handles password reset flow via email token.
28	*
29	* The user requests a reset link, receives an email with a token,
30	* and uses that token to set a new password.
31	*/
32	class PasswordResetController extends BaseAuthController
33	{
34	/**
35	* @var UserModel
36	*/
37	protected $provider;
38
39	public function __construct()	×
40	{
41	/** @var class-string<UserModel> $providerClass */
42	$providerClass = setting('Auth.userProvider');	×
43
44	$this->provider = new $providerClass();	×
45	}
46
47	/**
48	* Displays the form to request a password reset email.
49	*/
50	public function requestView(): ResponseInterface	×
51	{
52	if (($redirect = $this->redirectIfLoggedIn()) instanceof RedirectResponse) {	×
53	return $redirect;	×
54	}
55
56	$content = $this->view(setting('Auth.views')['password-reset-request']);	×
57
58	return $this->response->setBody($content);	×
59	}
60
61	/**
62	* Receives the email, generates a reset token, and sends an email.
63	*/
64	public function requestAction(): RedirectResponse	×
65	{
66	// Validate email format
67	$rules = $this->getValidationRules();	×
68	$postData = $this->request->getPost();	×
69
70	if (! $this->validateRequest($postData, $rules)) {	×
71	return $this->handleValidationError('password-reset');	×
72	}
73
74	$email = $this->request->getPost('email');	×
75	$user = $this->provider->findByCredentials(['email' => $email]);	×
76
77	if ($user !== null) {	×
78	/** @var UserIdentityModel $identityModel */
79	$identityModel = model(UserIdentityModel::class);	×
80
81	// Delete any previous reset_password identities
82	$identityModel->deleteIdentitiesByType($user, IdentityType::RESET_PASSWORD->value);	×
83
84	// Generate the token and save it as an identity
85	helper('text');	×
86	$token = random_string('crypto', 20);	×
87
88	$identityModel->insert([	×
89	'user_id' => $user->id,	×
90	'type' => IdentityType::RESET_PASSWORD->value,	×
91	'secret' => $token,	×
92	'expires' => Time::now()->addSeconds(setting('Auth.passwordResetLifetime'))->format('Y-m-d H:i:s'),	×
93	]);	×
94
95	/** @var IncomingRequest $request */
96	$request = service('request');	×
97
98	$ipAddress = $request->getIPAddress();	×
99	$userAgent = (string) $request->getUserAgent();	×
100	$date = Time::now()->toDateTimeString();	×
101
102	// Send the user an email with the reset link
103	helper('email');	×
104	$emailService = emailer()->setFrom(setting('Email.fromEmail'), setting('Email.fromName') ?? '');	×
105	$emailService->setTo($user->email);	×
106	$emailService->setSubject(lang('Auth.passwordResetSubject'));	×
107	$emailService->setMessage($this->view(setting('Auth.views')['password-reset-email'], [	×
108	'token' => $token,	×
109	'ipAddress' => $ipAddress,	×
110	'userAgent' => $userAgent,	×
111	'date' => $date,	×
112	'user' => $user,	×
113	]));	×
114
115	if ($emailService->send(false) === false) {	×
116	log_message('error', $emailService->printDebugger(['headers']));	×
117	}
118
119	// Clear the email
120	$emailService->clear();	×
121
122	// Record the attempt
123	$this->recordAttempt($email, true, $user->id);	×
124	} else {
125	// Record failed attempt but don't reveal that user doesn't exist
126	$this->recordAttempt($email, false);	×
127	}
128
129	// Always redirect to message view (don't reveal if user exists)
130	return redirect()->route('password-reset-message');	×
131	}
132
133	/**
134	* Shows the "check your email" message view.
135	*/
136	public function messageView(): ResponseInterface	×
137	{
138	$content = $this->view(setting('Auth.views')['password-reset-message']);	×
139
140	return $this->response->setBody($content);	×
141	}
142
143	/**
144	* Displays the password reset form (with token from query string).
145	*/
146	public function resetView(): ResponseInterface	×
147	{
148	$token = $this->request->getGet('token');	×
149
150	/** @var UserIdentityModel $identityModel */
151	$identityModel = model(UserIdentityModel::class);	×
152
153	$identity = $identityModel->getIdentityBySecret(IdentityType::RESET_PASSWORD->value, $token);	×
154
155	if ($identity === null) {	×
156	return redirect()->route('password-reset-request')	×
157	->with('error', lang('Auth.passwordResetTokenInvalid'));	×
158	}
159
160	if (Time::now()->isAfter($identity->expires)) {	×
161	// Delete expired token
162	$identityModel->delete($identity->id);	×
163
164	return redirect()->route('password-reset-request')	×
165	->with('error', lang('Auth.passwordResetTokenExpired'));	×
166	}
167
168	$content = $this->view(setting('Auth.views')['password-reset-form'], [	×
169	'token' => $token,	×
170	]);	×
171
172	return $this->response->setBody($content);	×
173	}
174
175	/**
176	* Handles the password reset form submission.
177	*/
178	public function resetAction(): RedirectResponse	×
179	{
180	$rules = [	×
181	'token' => 'required',	×
182	'password' => 'required\|min_length[8]',	×
183	'password_confirm' => 'required\|matches[password]',	×
184	];	×
185
186	$postData = $this->request->getPost();	×
187
188	if (! $this->validateRequest($postData, $rules)) {	×
189	$token = $this->request->getPost('token');	×
190
191	return redirect()->to(site_url('password-reset/verify?token=' . $token))	×
192	->withInput()	×
193	->with('errors', $this->validator->getErrors());	×
194	}
195
196	$token = $this->request->getPost('token');	×
197
198	/** @var UserIdentityModel $identityModel */
199	$identityModel = model(UserIdentityModel::class);	×
200
201	$identity = $identityModel->getIdentityBySecret(IdentityType::RESET_PASSWORD->value, $token);	×
202
203	if ($identity === null) {	×
204	return redirect()->route('password-reset-request')	×
205	->with('error', lang('Auth.passwordResetTokenInvalid'));	×
206	}
207
208	if (Time::now()->isAfter($identity->expires)) {	×
209	$identityModel->delete($identity->id);	×
210
211	return redirect()->route('password-reset-request')	×
212	->with('error', lang('Auth.passwordResetTokenExpired'));	×
213	}
214
215	// Find the user
216	$user = $this->provider->findById($identity->user_id);	×
217
218	if ($user === null) {	×
219	return redirect()->route('password-reset-request')	×
220	->with('error', lang('Auth.passwordResetTokenInvalid'));	×
221	}
222
223	// Update the password
224	$password = $this->request->getPost('password');	×
225	$user->setPassword($password);	×
226
227	/** @var UserModel $userModel */
228	$userModel = model(UserModel::class);	×
229	$userModel->save($user);	×
230
231	// Delete the reset token identity
232	$identityModel->delete($identity->id);	×
233
234	Events::trigger('passwordReset', $user);	×
235
236	return redirect()->route('login')	×
237	->with('message', lang('Auth.passwordResetSuccess'));	×
238	}
239
240	/**
241	* Records a login attempt for the password reset flow.
242	*
243	* @param int\|string\|null $userId
244	*/
245	private function recordAttempt(	×
246	string $identifier,
247	bool $success,
248	$userId = null,
249	): void {
250	/** @var LoginModel $loginModel */
251	$loginModel = model(LoginModel::class);	×
252
253	$loginModel->recordLoginAttempt(	×
254	IdentityType::RESET_PASSWORD->value,	×
255	$identifier,	×
256	$success,	×
257	$this->request->getIPAddress(),	×
258	(string) $this->request->getUserAgent(),	×
259	$userId,	×
260	);	×
261	}
262
263	/**
264	* Returns the rules that should be used for validation.
265	*
266	* @return array<string, array<string, list<string>\|string>>
267	* @phpstan-return array<string, array<string, string\|list<string>>>
268	*/
269	protected function getValidationRules(): array	×
270	{
271	return [	×
272	'email' => config('Auth')->emailValidationRules,	×
273	];	×
274	}
275	}

daycry / auth / 22527357078

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous