AC-1323: Reset Token Improvement.

Author: admanesachin

app/code/Magento/Customer/Controller/Account/CreatePassword.php

@@ -17,6 +17,7 @@
 use Magento\Framework\Controller\Result\Redirect;
 use Magento\Framework\View\Result\Page;
 use Magento\Framework\View\Result\PageFactory;
+use Magento\Customer\Api\CustomerRepositoryInterface;
 
 /**
  * Controller for front-end customer password reset form
@@ -48,21 +49,28 @@ class CreatePassword extends \Magento\Customer\Controller\AbstractAccount implem
      */
     private $getByToken;
 
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepository;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param PageFactory $resultPageFactory
      * @param AccountManagementInterface $accountManagement
      * @param ConfirmCustomerByToken|null $confirmByToken
      * @param GetCustomerByToken|null $getByToken
+     * @param CustomerRepositoryInterface|null $customerRepository
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         PageFactory $resultPageFactory,
         AccountManagementInterface $accountManagement,
         ConfirmCustomerByToken $confirmByToken = null,
-        GetCustomerByToken $getByToken = null
+        GetCustomerByToken $getByToken = null,
+        CustomerRepositoryInterface $customerRepository = null
     ) {
         $this->session = $customerSession;
         $this->resultPageFactory = $resultPageFactory;
@@ -71,6 +79,8 @@ public function __construct(
             ?? ObjectManager::getInstance()->get(ConfirmCustomerByToken::class);
         $this->getByToken = $getByToken
             ?? ObjectManager::getInstance()->get(GetCustomerByToken::class);
+        $this->customerRepository = $customerRepository
+            ?? ObjectManager::getInstance()->get(CustomerRepositoryInterface::class);
 
         parent::__construct($context);
     }
@@ -83,23 +93,24 @@ public function __construct(
     public function execute()
     {
         $resetPasswordToken = (string)$this->getRequest()->getParam('token');
+        $customerId = (int)$this->getRequest()->getParam('id');
         $isDirectLink = $resetPasswordToken != '';
         if (!$isDirectLink) {
             $resetPasswordToken = (string)$this->session->getRpToken();
+            $customerId = (int)$this->session->getRpCustomerId();
         }
 
         try {
-            $this->accountManagement->validateResetPasswordLinkToken(null, $resetPasswordToken);
-
-            $this->confirmByToken->execute($resetPasswordToken);
+            $this->accountManagement->validateResetPasswordLinkToken($customerId, $resetPasswordToken);
 
             // Extend token validity to avoid expiration while this form is
             // being completed by the user.
-            $customer = $this->getByToken->execute($resetPasswordToken);
+            $customer = $this->customerRepository->getById($customerId);
             $this->accountManagement->changeResetPasswordLinkToken($customer, $resetPasswordToken);
 
             if ($isDirectLink) {
                 $this->session->setRpToken($resetPasswordToken);
+                $this->session->setRpCustomerId($customerId);
                 $resultRedirect = $this->resultRedirectFactory->create();
                 $resultRedirect->setPath('*/*/createpassword');
 
@@ -109,7 +120,8 @@ public function execute()
                 $resultPage = $this->resultPageFactory->create();
                 $resultPage->getLayout()
                            ->getBlock('resetPassword')
-                           ->setResetPasswordLinkToken($resetPasswordToken);
+                           ->setResetPasswordLinkToken($resetPasswordToken)
+                           ->setRpCustomerId($customerId);
 
                 return $resultPage;
             }

app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php

@@ -67,8 +67,10 @@ public function execute()
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
         $resetPasswordToken = (string)$this->getRequest()->getQuery('token');
+        $customerId = (string)$this->getRequest()->getQuery('id');
         $password = (string)$this->getRequest()->getPost('password');
         $passwordConfirmation = (string)$this->getRequest()->getPost('password_confirmation');
+        $email = null;
 
         if ($password !== $passwordConfirmation) {
             $this->messageManager->addErrorMessage(__("New Password and Confirm New Password values didn't match."));
@@ -83,9 +85,13 @@ public function execute()
             return $resultRedirect;
         }
 
+        if ($customerId && $this->customerRepository->getById($customerId)) {
+            $email = $this->customerRepository->getById($customerId)->getEmail();
+        }
+
         try {
             $this->accountManagement->resetPassword(
-                null,
+                $email,
                 $resetPasswordToken,
                 $password
             );
@@ -95,6 +101,7 @@ public function execute()
                 $this->session->start();
             }
             $this->session->unsRpToken();
+            $this->session->unsRpCustomerId();
             $this->messageManager->addSuccessMessage(__('You updated your password.'));
             $resultRedirect->setPath('*/*/login');
 

app/code/Magento/Customer/Model/AccountManagement.php

@@ -714,8 +714,8 @@ private function handleUnknownTemplate($template)
     public function resetPassword($email, $resetToken, $newPassword)
     {
         if (!$email) {
-            $customer = $this->getByToken->execute($resetToken);
-            $email = $customer->getEmail();
+            $params = ['fieldName' => 'email'];
+            throw new InputException(__('"%fieldName" is required. Enter and try again.', $params));
         } else {
             $customer = $this->customerRepository->get($email);
         }
@@ -1186,24 +1186,17 @@ public function validateCustomerStoreIdByWebsiteId(CustomerInterface $customer)
      * @throws NoSuchEntityException If customer doesn't exist
      * @SuppressWarnings(PHPMD.LongVariable)
      */
-    private function validateResetPasswordToken($customerId, $resetPasswordLinkToken)
+    private function validateResetPasswordToken(int $customerId, string $resetPasswordLinkToken): bool
     {
-        if ($customerId !== null && $customerId <= 0) {
+        if (!$customerId) {
             throw new InputException(
                 __(
                     'Invalid value of "%value" provided for the %fieldName field.',
                     ['value' => $customerId, 'fieldName' => 'customerId']
                 )
             );
         }
-
-        if ($customerId === null) {
-            //Looking for the customer.
-            $customerId = $this->getByToken
-                ->execute($resetPasswordLinkToken)
-                ->getId();
-        }
-        if (!is_string($resetPasswordLinkToken) || empty($resetPasswordLinkToken)) {
+        if (!$resetPasswordLinkToken) {
             $params = ['fieldName' => 'resetPasswordLinkToken'];
             throw new InputException(__('"%fieldName" is required. Enter and try again.', $params));
         }

app/code/Magento/Customer/Model/ForgotPasswordToken/GetCustomerByToken.php

@@ -17,6 +17,7 @@
 /**
  * Get Customer By reset password token
  * @SuppressWarnings(PHPMD.LongVariable)
+ * @deprecated Rp Tokens cannot be looked up directly
  */
 class GetCustomerByToken
 {

app/code/Magento/Customer/Model/ResourceModel/Customer.php

@@ -12,6 +12,7 @@
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\AlreadyExistsException;
 use Magento\Framework\Validator\Exception as ValidatorException;
+use Magento\Framework\Encryption\EncryptorInterface;
 
 /**
  * Customer entity resource model
@@ -54,6 +55,11 @@ class Customer extends \Magento\Eav\Model\Entity\VersionControl\AbstractEntity
      */
     private $notificationStorage;
 
+    /**
+     * @var EncryptorInterface
+     */
+    private $encryptor;
+
     /**
      * Customer constructor.
      *
@@ -66,6 +72,7 @@ class Customer extends \Magento\Eav\Model\Entity\VersionControl\AbstractEntity
      * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      * @param array $data
      * @param AccountConfirmation $accountConfirmation
+     * @param EncryptorInterface|null $encryptor
      */
     public function __construct(
         \Magento\Eav\Model\Entity\Context $context,
@@ -76,7 +83,8 @@ public function __construct(
         \Magento\Framework\Stdlib\DateTime $dateTime,
         \Magento\Store\Model\StoreManagerInterface $storeManager,
         $data = [],
-        AccountConfirmation $accountConfirmation = null
+        AccountConfirmation $accountConfirmation = null,
+        EncryptorInterface $encryptor = null
     ) {
         parent::__construct($context, $entitySnapshot, $entityRelationComposite, $data);
 
@@ -88,6 +96,8 @@ public function __construct(
         $this->setType('customer');
         $this->setConnection('customer_read');
         $this->storeManager = $storeManager;
+        $this->encryptor = $encryptor ?? ObjectManager::getInstance()
+                ->get(EncryptorInterface::class);
     }
 
     /**
@@ -176,6 +186,11 @@ protected function _beforeSave(\Magento\Framework\DataObject $customer)
             $this->_validate($customer);
         }
 
+        if ($customer->getData('rp_token')) {
+            $rpToken = $customer->getData('rp_token');
+            $customer->setRpToken($this->encryptor->encrypt($rpToken));
+        }
+
         return $this;
     }
 
@@ -224,6 +239,10 @@ protected function _afterSave(\Magento\Framework\DataObject $customer)
             NotificationStorage::UPDATE_CUSTOMER_SESSION,
             $customer->getId()
         );
+        if ($customer->getData('rp_token')) {
+            $rpToken = $customer->getData('rp_token');
+            $customer->setRpToken($this->encryptor->decrypt($rpToken));
+        }
         return parent::_afterSave($customer);
     }
 
@@ -445,4 +464,16 @@ public function updateSessionCutOff(int $customerId, int $timestamp): void
             $this->getConnection()->quoteInto('entity_id = ?', $customerId)
         );
     }
+
+    /**
+     * @inheritDoc
+     */
+    protected function _afterLoad(\Magento\Framework\DataObject $customer)
+    {
+        if ($customer->getData('rp_token')) {
+            $rpToken = $customer->getData('rp_token');
+            $customer->setRpToken($this->encryptor->decrypt($rpToken));
+        }
+        return parent::_afterLoad($customer); //
+    }
 }

app/code/Magento/Customer/Test/Unit/Model/AccountManagementTest.php

@@ -1751,7 +1751,7 @@ public function testValidateResetPasswordTokenBadResetPasswordLinkToken(): void
         $this->expectException(InputException::class);
         $this->expectExceptionMessage('"resetPasswordLinkToken" is required. Enter and try again.');
 
-        $this->accountManagement->validateResetPasswordLinkToken(22, null);
+        $this->accountManagement->validateResetPasswordLinkToken(22, '');
     }
 
     /**

app/code/Magento/Customer/view/frontend/email/password_reset_confirmation.html

@@ -8,7 +8,7 @@
 <!--@vars {
 "var store.frontend_name":"Store Name",
 "var customer.name":"Customer Name",
-"var this.getUrl($store,'customer/account/createPassword/',[_query:[token:$customer.rp_token],_nosid:1])":"Reset Password URL"
+"var this.getUrl($store,'customer/account/createPassword/',[_query:[id:$customer.id,token:$customer.rp_token],_nosid:1])":"Reset Password URL"
 } @-->
 {{template config_path="design/email/header_template"}}
 
@@ -22,7 +22,7 @@
             <table class="inner-wrapper" border="0" cellspacing="0" cellpadding="0" align="center">
                 <tr>
                     <td align="center">
-                        <a href="{{var this.getUrl($store,'customer/account/createPassword/',[_query:[token:$customer.rp_token],_nosid:1])}}" target="_blank">{{trans "Set a New Password"}}</a>
+                        <a href="{{var this.getUrl($store,'customer/account/createPassword/',[_query:[id:$customer.id,token:$customer.rp_token],_nosid:1])}}" target="_blank">{{trans "Set a New Password"}}</a>
                     </td>
                 </tr>
             </table>

app/code/Magento/Customer/view/frontend/templates/form/resetforgottenpassword.phtml

@@ -3,12 +3,13 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
+// phpcs:disable Generic.Files.LineLength.TooLong
+//phpcs:disable Magento2.Legacy.PhtmlTemplate
 /** @var \Magento\Customer\Block\Account\Resetpassword $block */
 ?>
-<form action="<?= $block->escapeUrl($block->getUrl('*/*/resetpasswordpost', ['_query' => ['token' => $block->getResetPasswordLinkToken()]])) ?>"
+<form action="<?= $block->escapeUrl($block->getUrl('*/*/resetpasswordpost', ['_query' => ['id'=>$block->getRpCustomerId(),'token' => $block->getResetPasswordLinkToken()]])) ?>"
       method="post"
-        <?php if ($block->isAutocompleteDisabled()) : ?> autocomplete="off"<?php endif; ?>
+        <?php if ($block->isAutocompleteDisabled()): ?> autocomplete="off"<?php endif; ?>
       id="form-validate"
       class="form password reset"
       data-mage-init='{"validation":{}}'>

dev/tests/integration/testsuite/Magento/Customer/Model/AccountManagementTest.php

@@ -375,10 +375,10 @@ public function testResetPasswordTokenSecondTime()
      * @magentoDataFixture Magento/Customer/_files/customer.php
      *
      */
-    public function testValidateResetPasswordLinkTokenNull()
+    public function testValidateResetPasswordLinkTokenEmpty()
     {
         try {
-            $this->accountManagement->validateResetPasswordLinkToken(1, null);
+            $this->accountManagement->validateResetPasswordLinkToken(1, '');
             $this->fail('Expected exception not thrown.');
         } catch (InputException $ie) {
             $this->assertEquals('"%fieldName" is required. Enter and try again.', $ie->getRawMessage());
@@ -391,25 +391,12 @@ public function testValidateResetPasswordLinkTokenNull()
     /**
      * @magentoDataFixture Magento/Customer/_files/customer.php
      */
-    public function testValidateResetPasswordLinkTokenWithoutId()
+    public function testValidateResetPasswordLinkTokenInvalidId()
     {
         $token = 'randomStr123';
         $this->setResetPasswordData($token, 'Y-m-d H:i:s');
-        $this->assertTrue(
-            $this->accountManagement->validateResetPasswordLinkToken(null, $token)
-        );
-    }
-    /**
-     * @magentoDataFixture Magento/Customer/_files/two_customers.php
-     */
-    public function testValidateResetPasswordLinkTokenAmbiguous()
-    {
-        $this->expectException(\Magento\Framework\Exception\State\ExpiredException::class);
-
-        $token = 'randomStr123';
-        $this->setResetPasswordData($token, 'Y-m-d H:i:s', 1);
-        $this->setResetPasswordData($token, 'Y-m-d H:i:s', 2);
-        $this->accountManagement->validateResetPasswordLinkToken(null, $token);
+        $this->expectException(\Magento\Framework\Exception\InputException::class);
+        $this->accountManagement->validateResetPasswordLinkToken(0, $token);
     }
 
     /**
@@ -542,21 +529,7 @@ public function testResetPasswordWithoutEmail()
         $resetToken = 'lsdj579slkj5987slkj595lkj';
         $password = 'new_Password123';
         $this->setResetPasswordData($resetToken, 'Y-m-d H:i:s');
-        $this->assertTrue(
-            $this->accountManagement->resetPassword(null, $resetToken, $password)
-        );
-    }
-    /**
-     * @magentoDataFixture Magento/Customer/_files/two_customers.php
-     */
-    public function testResetPasswordAmbiguousToken()
-    {
-        $this->expectException(\Magento\Framework\Exception\State\ExpiredException::class);
-
-        $resetToken = 'lsdj579slkj5987slkj595lkj';
-        $password = 'new_Password123';
-        $this->setResetPasswordData($resetToken, 'Y-m-d H:i:s', 1);
-        $this->setResetPasswordData($resetToken, 'Y-m-d H:i:s', 2);
+        $this->expectException(InputException::class);
         $this->accountManagement->resetPassword(null, $resetToken, $password);
     }