Login's ResetPassword - how long do you have before it expires? Cache dependent?

josh_curtis · February 11, 2022, 4:42am

Hi all,

I’ve been working with the Login extra on a site which has repurposed the ResetPassword functionality for having a new user whose MODX>User has just been created by a snippet to immediate change their password.

The site is having issues with folks clicking the URL provided to them and not being being met with the ‘expired’ message.

I went digging through the code to see if I could find out how long users have and it appears that the function verifyIdentity() in the ResetPassword controller tries to read confirmation from the cache. (https://github.com/modxcms/Login/blob/04ccc73a3f93201fada4dbfbf54065ce22379038/core/components/login/controllers/web/ResetPassword.php#L108)

Some testing seems to have confirmed this, but I just wanted to verify if anyone in the know can ratify it - does this mean that if the site cache happens to be emptied or otherwise expires (WITHIN the window between the password reset being ‘ordred’ and the link being visited) that means the user won’t able to change their password on that attempt and will need to go around again?

Thanks for any help.

halftrainedharry · February 11, 2022, 9:21am

I think you are correct.

It looks like the value gets written to the default cache partition without an expiration time.

github.com

modxcms/Login/blob/04ccc73a3f93201fada4dbfbf54065ce22379038/core/components/login/controllers/web/ForgotPassword.php#L226

      
        
            
            
    /* set the email properties */
                $emailProperties = $fields;
                $emailProperties['confirmUrl'] = $confirmUrl;
                $emailProperties['password'] = $password;
                $emailProperties['tpl'] = $this->getProperty('emailTpl');
                $emailProperties['tplAlt'] = $this->getProperty('emailTplAlt','');
                $emailProperties['tplType'] = $this->getProperty('emailTplType');
            
            
    /* now set new password to cache to prevent middleman attacks */
                $this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password);
            
            
    $emailSubject = $this->getProperty('emailSubject','');
                $subject = !empty($emailSubject) ? $emailSubject : $this->modx->getOption('login.forgot_password_email_subject',null,$this->modx->lexicon('login.forgot_password_email_subject'));
                $this->login->sendEmail($fields['email'],$fields['username'],$subject,$emailProperties);
                $this->emailsSent++;
            }
            
            
/**
             * Redirect the user to another page after successful form submission, if desired
             * @return boolean

Maybe it would be a better idea to use a custom partition in this case:

//Writes the data to its own cache partition with an expiry time of 2 hours.
$options = array(
	xPDO::OPT_CACHE_KEY => 'resetpassword',
);
$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password, 7200, $options);

josh_curtis · February 12, 2022, 1:29am

Thank you - this worked beautifully and avoided the site’s clear-cache function.

For those playing at home, I updated the following files. Note that I updated the files in the package which means they’ll be overwritten at the next update of of the Login extra. (Buyer beware.)

core/components/login/controllers/web/ForgotPassword.php starting at line 234
Replaced

$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password);

with

$options = array(
  xPDO::OPT_CACHE_KEY => 'resetpassword',
);
$time = 3600*2; // Two hour lifespan
$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password, $time, $options);

core/components/login/controllers/web/ResetPassword.php starting at line 113 inside verifyIdentity() I added

$options = array(
  xPDO::OPT_CACHE_KEY => 'resetpassword',
);

and replaced

$cachePass = $this->modx->cacheManager->get($cacheKey);

with

$cachePass = $this->modx->cacheManager->get($cacheKey,$options);

And starting at line 121 inside eraseCache() I added

$options = array(
  xPDO::OPT_CACHE_KEY => 'resetpassword',
);

and replaced

$this->modx->cacheManager->delete($cacheKey,$options);

with

$this->modx->cacheManager->delete($cacheKey);

josh_curtis · June 27, 2022, 5:01am

Only from the post above these two should be swapped! The final product should be $this->modx->cacheManager->delete($cacheKey,$options);

system · June 29, 2022, 5:02am

This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.