Merge pull request #6463 from christianbeeznest/GH-6460

User: Add password rotation feature - refs #6460

Author: christianbeeznest

assets/vue/composables/auth/login.js

@@ -9,7 +9,7 @@ function isValidHttpUrl(string) {
   try {
     const url = new URL(string);
     return url.protocol === "http:" || url.protocol === "https:";
-  } catch {
+  } catch (_) {
     return false;
   }
 }
@@ -31,23 +31,31 @@ export function useLogin() {
     try {
       const responseData = await securityService.login(payload);
 
-      // Step 1: Handle 2FA
+      // Check if the backend demands 2FA and no TOTP was provided yet
       if (responseData.requires2FA && !payload.totp) {
         requires2FA.value = true;
         return { success: false, requires2FA: true };
       }
 
-      // Step 2: Handle explicit error message
+      // Check rotate password flow
+      if (responseData.rotate_password && responseData.redirect) {
+        window.location.href = responseData.redirect;
+        return { success: true, rotate: true };
+      }
+
+      // Handle explicit backend error message
       if (responseData.error) {
         showErrorNotification(responseData.error);
         return { success: false, error: responseData.error };
       }
 
-      // Step 3: Set user and load platform config
-      securityStore.setUser(responseData);
-      await platformConfigurationStore.initialize();
+      // Special flow for terms acceptance
+      if (responseData.load_terms && responseData.redirect) {
+        window.location.href = responseData.redirect;
+        return { success: true, redirect: responseData.redirect };
+      }
 
-      // Step 4: Honor a redirect query parameter
+      // Handle external redirect param
       const redirectParam = route.query.redirect?.toString();
       if (redirectParam) {
         if (isValidHttpUrl(redirectParam)) {
@@ -58,39 +66,43 @@ export function useLogin() {
         return { success: true };
       }
 
-      // Step 5: Handle "load terms" flow
-      if (responseData.load_terms && responseData.redirect) {
+      if (responseData.redirect) {
         window.location.href = responseData.redirect;
         return { success: true };
       }
 
-      // Step 6: Default post-login redirect based on roles
-      const setting = platformConfigurationStore.getSetting(
-        "registration.redirect_after_login"
-      );
+      securityStore.setUser(responseData);
+      await platformConfigurationStore.initialize();
+
+      // Handle redirect param again after login
+      if (route.query.redirect) {
+        await router.replace({ path: route.query.redirect.toString() });
+        return { success: true };
+      }
+
+      // Determine post-login route from settings
+      const setting = platformConfigurationStore.getSetting("registration.redirect_after_login");
       let target = "/";
 
       if (setting && typeof setting === "string") {
         try {
           const map = JSON.parse(setting);
           const roles = responseData.roles || [];
-          const profile = roles.includes("ROLE_ADMIN")
-            ? "ADMIN"
-            : roles.includes("ROLE_SESSION_MANAGER")
-              ? "SESSIONADMIN"
-              : roles.includes("ROLE_TEACHER")
-                ? "COURSEMANAGER"
-                : roles.includes("ROLE_STUDENT_BOSS")
-                  ? "STUDENT_BOSS"
-                  : roles.includes("ROLE_DRH")
-                    ? "DRH"
-                    : roles.includes("ROLE_INVITEE")
-                      ? "INVITEE"
-                      : roles.includes("ROLE_STUDENT")
-                        ? "STUDENT"
-                        : null;
 
+          const getProfile = () => {
+            if (roles.includes("ROLE_ADMIN")) return "ADMIN";
+            if (roles.includes("ROLE_SESSION_MANAGER")) return "SESSIONADMIN";
+            if (roles.includes("ROLE_TEACHER")) return "COURSEMANAGER";
+            if (roles.includes("ROLE_STUDENT_BOSS")) return "STUDENT_BOSS";
+            if (roles.includes("ROLE_DRH")) return "DRH";
+            if (roles.includes("ROLE_INVITEE")) return "INVITEE";
+            if (roles.includes("ROLE_STUDENT")) return "STUDENT";
+            return null;
+          };
+
+          const profile = getProfile();
           const value = profile && map[profile] ? map[profile] : "";
+
           switch (value) {
             case "user_portal.php":
             case "index.php":

src/CoreBundle/Controller/AccountController.php

@@ -20,12 +20,16 @@
 use Endroid\QrCode\Writer\PngWriter;
 use OTPHP\TOTP;
 use Security;
+use Symfony\Component\Form\FormError;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
@@ -43,8 +47,12 @@ public function __construct(
     ) {}
 
     #[Route('/edit', name: 'chamilo_core_account_edit', methods: ['GET', 'POST'])]
-    public function edit(Request $request, UserRepository $userRepository, IllustrationRepository $illustrationRepo, SettingsManager $settingsManager): Response
-    {
+    public function edit(
+        Request $request,
+        UserRepository $userRepository,
+        IllustrationRepository $illustrationRepo,
+        SettingsManager $settingsManager
+    ): Response {
         $user = $this->userHelper->getCurrent();
 
         if (!\is_object($user) || !$user instanceof UserInterface) {
@@ -69,6 +77,7 @@ public function edit(Request $request, UserRepository $userRepository, Illustrat
                 $password = $form['password']->getData();
                 if ($password) {
                     $user->setPlainPassword($password);
+                    $user->setPasswordUpdateAt(new \DateTimeImmutable());
                 }
             }
 
@@ -96,32 +105,54 @@ public function changePassword(
         UserRepository $userRepository,
         CsrfTokenManagerInterface $csrfTokenManager,
         SettingsManager $settingsManager,
-        UserPasswordHasherInterface $passwordHasher
+        UserPasswordHasherInterface $passwordHasher,
+        TokenStorageInterface $tokenStorage,
     ): Response {
-        /** @var User $user */
+        /** @var ?User $user */
         $user = $this->getUser();
 
-        // Ensure user is authenticated and has proper interface
-        if (!\is_object($user) || !$user instanceof UserInterface) {
-            throw $this->createAccessDeniedException('This user does not have access to this section');
+        if (!$user || !$user instanceof UserInterface) {
+            $userId = $request->query->get('userId');
+            //error_log("User not logged in. Received userId from query: " . $userId);
+
+            if (!$userId || !ctype_digit($userId)) {
+                //error_log("Access denied: Missing or invalid userId.");
+                throw $this->createAccessDeniedException('This user does not have access to this section.');
+            }
+
+            $user = $userRepository->find((int)$userId);
+
+            if (!$user || !$user instanceof UserInterface) {
+                //error_log("Access denied: User not found with ID $userId");
+                throw $this->createAccessDeniedException('User not found or invalid.');
+            }
+
+            //error_log("Loaded user by ID: " . $user->getId());
         }
 
-        // Build the form and inject user-related options
+        $isRotation = $request->query->getBoolean('rotate', false);
+
         $form = $this->createForm(ChangePasswordType::class, [
             'enable2FA' => $user->getMfaEnabled(),
         ], [
             'user' => $user,
             'portal_name' => $settingsManager->getSetting('platform.institution'),
             'password_hasher' => $passwordHasher,
+            'enable_2fa_field' => !$isRotation,
         ]);
-
         $form->handleRequest($request);
+
         $session = $request->getSession();
         $qrCodeBase64 = null;
         $showQRCode = false;
 
-        // Generate TOTP secret and QR code for 2FA activation
-        if ($form->get('enable2FA')->getData() && !$user->getMfaSecret()) {
+        // Build QR code preview if user opts to enable 2FA but hasn't saved yet
+        if (
+            $form->isSubmitted()
+            && $form->has('enable2FA')
+            && $form->get('enable2FA')->getData()
+            && !$user->getMfaSecret()
+        ) {
             if (!$session->has('temporary_mfa_secret')) {
                 $totp = TOTP::create();
                 $secret = $totp->getSecret();
@@ -134,7 +165,6 @@ public function changePassword(
             $portalName = $settingsManager->getSetting('platform.institution');
             $totp->setLabel($portalName . ' - ' . $user->getEmail());
 
-            // Build QR code image
             $qrCodeResult = Builder::create()
                 ->writer(new PngWriter())
                 ->data($totp->getProvisioningUri())
@@ -148,47 +178,78 @@ public function changePassword(
             $showQRCode = true;
         }
 
-        // Handle form submission
-        if ($form->isSubmitted() && $form->isValid()) {
-            $newPassword = $form->get('newPassword')->getData();
-            $enable2FA = $form->get('enable2FA')->getData();
-
-            // Enable 2FA and store encrypted secret
-            if ($enable2FA && !$user->getMfaSecret() && $session->has('temporary_mfa_secret')) {
-                $secret = $session->get('temporary_mfa_secret');
-                $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
-
-                $user->setMfaSecret($encryptedSecret);
-                $user->setMfaEnabled(true);
-                $user->setMfaService('TOTP');
-
-                $userRepository->updateUser($user);
-                $session->remove('temporary_mfa_secret');
-
-                $this->addFlash('success', '2FA activated successfully.');
-                return $this->redirectToRoute('chamilo_core_account_home');
-            }
-
-            // Disable 2FA if it was previously enabled
-            if (!$enable2FA && $user->getMfaEnabled()) {
-                $user->setMfaEnabled(false);
-                $user->setMfaSecret(null);
-
-                $userRepository->updateUser($user);
-                $this->addFlash('success', '2FA disabled successfully.');
-                return $this->redirectToRoute('chamilo_core_account_home');
-            }
-
-            // Update password if provided
-            if (!empty($newPassword)) {
-                $user->setPlainPassword($newPassword);
-                $userRepository->updateUser($user);
-                $this->addFlash('success', 'Password updated successfully.');
-                return $this->redirectToRoute('chamilo_core_account_home');
+        if ($form->isSubmitted()) {
+            if ($form->isValid()) {
+                $submittedToken = $request->request->get('_token');
+                if (!$csrfTokenManager->isTokenValid(new CsrfToken('change_password', $submittedToken))) {
+                    $form->addError(new FormError($this->translator->trans('CSRF token is invalid. Please try again.')));
+                } else {
+                    $currentPassword = $form->get('currentPassword')->getData();
+                    $newPassword = $form->get('newPassword')->getData();
+                    $confirmPassword = $form->get('confirmPassword')->getData();
+                    $enable2FA = !$isRotation && $form->has('enable2FA')
+                        ? $form->get('enable2FA')->getData()
+                        : false;
+
+                    if ($enable2FA && !$user->getMfaSecret()) {
+                        $secret = $session->get('temporary_mfa_secret');
+                        $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
+                        $user->setMfaSecret($encryptedSecret);
+                        $user->setMfaEnabled(true);
+                        $user->setMfaService('TOTP');
+                        $userRepository->updateUser($user);
+
+                        $session->remove('temporary_mfa_secret');
+
+                        $this->addFlash('success', '2FA activated successfully.');
+
+                        return $this->redirectToRoute('chamilo_core_account_home');
+                    }
+
+                    if (!$isRotation && !$enable2FA && $user->getMfaEnabled()) {
+                        $user->setMfaEnabled(false);
+                        $user->setMfaSecret(null);
+                        $userRepository->updateUser($user);
+                        $this->addFlash('success', '2FA disabled successfully.');
+                    }
+
+                    if ($newPassword || $confirmPassword || $currentPassword) {
+                        if (!$userRepository->isPasswordValid($user, $currentPassword)) {
+                            $form->get('currentPassword')->addError(new FormError(
+                                $this->translator->trans('The current password is incorrect')
+                            ));
+                        } elseif ($newPassword !== $confirmPassword) {
+                            $form->get('confirmPassword')->addError(new FormError(
+                                $this->translator->trans('Passwords do not match')
+                            ));
+                        } else {
+                            $user->setPlainPassword($newPassword);
+                            $user->setPasswordUpdateAt(new \DateTimeImmutable());
+                            $userRepository->updateUser($user);
+                            $this->addFlash('success', 'Password updated successfully.');
+
+                            // Re-login if the user was not logged
+                            if (!$this->getUser()) {
+                                $token = new UsernamePasswordToken(
+                                    $user,
+                                    'main',
+                                    $user->getRoles()
+                                );
+                                $tokenStorage->setToken($token);
+                                $request->getSession()->set('_security_main', serialize($token));
+                            }
+
+                            return $this->redirectToRoute('chamilo_core_account_home');
+                        }
+                    }
+                }
+            } else {
+                error_log("Form is NOT valid.");
             }
+        } else {
+            error_log("Form NOT submitted yet.");
         }
 
-        // Render form with optional QR code for 2FA
         return $this->render('@ChamiloCore/Account/change_password.html.twig', [
             'form' => $form->createView(),
             'qrCode' => $qrCodeBase64,
@@ -206,18 +267,7 @@ private function encryptTOTPSecret(string $secret, string $encryptionKey): strin
         $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipherMethod));
         $encryptedSecret = openssl_encrypt($secret, $cipherMethod, $encryptionKey, 0, $iv);
 
-        return base64_encode($iv.'::'.$encryptedSecret);
-    }
-
-    /**
-     * Validates the provided TOTP code for the given user.
-     */
-    private function isTOTPValid(User $user, string $totpCode): bool
-    {
-        $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
-        $totp = TOTP::create($decryptedSecret);
-
-        return $totp->verify($totpCode);
+        return base64_encode($iv . '::' . $encryptedSecret);
     }
 
     /**

src/CoreBundle/Controller/SecurityController.php

@@ -145,6 +145,24 @@ public function loginJson(
             ]);
         }
 
+        // Password rotation check
+        $days = (int) $this->settingsManager->getSetting('security.password_rotation_days', true);
+        if ($days > 0) {
+            $lastUpdate = $user->getPasswordUpdateAt() ?? $user->getCreatedAt();
+            $diffDays = (new \DateTimeImmutable())->diff($lastUpdate)->days;
+
+            if ($diffDays > $days) {
+                // Clean token & session
+                $tokenStorage->setToken(null);
+                $request->getSession()->invalidate();
+
+                return $this->json([
+                    'rotate_password' => true,
+                    'redirect' => '/account/change-password?rotate=1&userId=' . $user->getId(),
+                ]);
+            }
+        }
+
         $data = null;
         if ($user) {
             $data = $this->serializer->serialize($user, 'jsonld', ['groups' => ['user_json:read']]);

src/CoreBundle/DataFixtures/SettingsCurrentFixtures.php

@@ -3139,6 +3139,11 @@ public static function getNewConfigurationSettings(): array
                 ],
             ],
             'security' => [
+                [
+                    'name'    => 'password_rotation_days',
+                    'title'   => 'Password rotation interval (days)',
+                    'comment' => 'Number of days before users must rotate their password (0 = disabled).',
+                ],
                 [
                     'name' => 'password_requirements',
                     'title' => 'Minimal password syntax requirements',