From ea91d59ffc00aacdb9db29fa0069438ac696fe31 Mon Sep 17 00:00:00 2001
From: snipe
Date: Wed, 31 Oct 2018 18:03:24 -0700
Subject: [PATCH] Use username instead of email address in password reset (#6382)

* Switch to use username instead of email
* Fixed indenting
* Updated password language
* Updated blades to reflect username instead of email
* Changed password/reset controllers to use username instead of email
* Redirect to login page instead of repeating the password reset form
---
 .../Auth/ForgotPasswordController.php | 28 ++++++++-------
 .../Auth/ResetPasswordController.php | 36 ++++++++++++++-----
 resources/lang/en/auth/message.php | 22 +++++-------
 resources/lang/en/passwords.php | 4 +--
 .../views/auth/passwords/email.blade.php | 6 ++--
 .../views/auth/passwords/reset.blade.php | 8 ++---
 6 files changed, 60 insertions(+), 44 deletions(-)

diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index c64710ac38..ef085c6e7e 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -5,6 +5,7 @@ namespace App\Http\Controllers\Auth;
 use App\Http\Controllers\Controller;
 use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
 use Illuminate\Http\Request;
+use App\Models\User;
 
 class ForgotPasswordController extends Controller
 {
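Review bot: The added `use App\Models\User;` is not referenced by any new line in this file, so unless it is used somewhere outside these two hunks it is an unused import (the same commit removes that very import from ResetPasswordController, where it did become unused). If nothing in the file needs it, drop the line rather than leave a dangling dependency on the model in the controller.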
@@ -49,27 +50,28 @@ class ForgotPasswordController extends Controller
 */
 public function sendResetLinkEmail(Request $request)
 {
- $this->validate($request, ['email' => 'required|email']);
+ $this->validate($request, ['username' => 'required'], ['username.required' => 'Please enter your username.']);
 
- // We will send the password reset link to this user. Once we have attempted
- // to send the link, we will examine the response then see the message we
- // need to show to the user. Finally, we'll send out a proper response.
+
+ // Make sure the user is active, and their password is not controlled via LDAP
 $response = $this->broker()->sendResetLink(
 array_merge(
- $request->only('email'),
- ['activated' => '1']
+ $request->only('username'),
+ ['activated' => '1'],
+ ['ldap_import' => '0']
 )
 );
 
 if ($response === \Password::RESET_LINK_SENT) {
- return redirect()->route('login')->with('status', trans($response));
+ \Log::info('Password reset attempt: User '.$request->input('username').' found, password reset sent');
+ } else {
+ \Log::info('Password reset attempt: User '.$request->input('username').' not found or user is inactive');
 }
 
- // If an error was returned by the password broker, we will get this message
- // translated so we can notify a user of the problem. We'll redirect back
- // to where the users came from so they can attempt this process again.
- return back()->withErrors(
- ['email' => trans($response)]
- );
+
+
+ // Regardless of response, we do not want to disclose the status of a user account,
+ // so we give them a generic "If this exists, we're TOTALLY gonna email you" response
+ return redirect()->route('login')->with('success',trans('passwords.sent'));
 }
 }
diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php
index c9446fc5e4..fe1eb6d1e0 100644
--- a/app/Http/Controllers/Auth/ResetPasswordController.php
+++ b/app/Http/Controllers/Auth/ResetPasswordController.php
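Review bot: Both `\Log::info` calls concatenate the raw `username` request value into the log line, so a submitted username containing newlines or log-format text lands in the log unescaped; pass it as context instead, e.g. `\Log::info('Password reset attempt: user found, reset link sent', ['username' => $request->input('username')]);` and the same for the not-found branch. The generic `passwords.sent` redirect keeps the broker result out of the response body, but the two branches presumably do different amounts of work (only the found branch sends mail), so response time can still distinguish existing from non-existing usernames; if that matters for this deployment, queue the notification or otherwise equalise the two paths. Also, `'username.required' => 'Please enter your username.'` is a hard-coded English string while the rest of the controller goes through `trans()`, so it will not follow the application locale.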
@@ -4,7 +4,6 @@ namespace App\Http\Controllers\Auth; use App\Http\Controllers\Controller; use Illuminate\Foundation\Auth\ResetsPasswords; -use App\Models\User; use Illuminate\Http\Request; @@ -39,18 +38,37 @@ class ResetPasswordController extends Controller { $this->middleware('guest'); } + + protected function rules() + { + return [ + 'token' => 'required', + 'username' => 'required', + 'password' => 'required|confirmed|min:6', + ]; + } + + + protected function credentials(Request $request) + { + return $request->only( + 'username', 'password', 'password_confirmation', 'token' + ); + } - public function showSnipeResetForm(Request $request, $token = null) + public function showResetForm(Request $request, $token = null) { - // Check that the user is active - if ($user = User::where('email', '=',$request->input('email'))->where('activated','=','1')->count() > 0) { - return view('auth.passwords.reset')->with( - ['token' => $token, 'email' => $request->email] - ); + return view('auth.passwords.reset')->with( + ['token' => $token, 'username' => $request->input('username')] + ); + } - } - return redirect()->route('password.request')->withErrors(['email' => 'No matching users']); + protected function sendResetFailedResponse(Request $request, $response) + { + return redirect()->back() + ->withInput(['username'=>$request->input('username')]) + ->withErrors(['username' => trans($response)]); } } diff --git a/resources/lang/en/auth/message.php b/resources/lang/en/auth/message.php index 3aee689e54..73ab381dd7 100644 --- a/resources/lang/en/auth/message.php +++ b/resources/lang/en/auth/message.php 
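Review bot: `sendResetFailedResponse` surfaces `trans($response)` for every broker failure, and with the `passwords.user` string introduced in this commit that means a POST with an arbitrary username and a junk token answers "No matching active user found." for unknown accounts but the token error for known ones, which re-enables the username enumeration the ForgotPasswordController hunk deliberately avoids; map `\Password::INVALID_USER` and `\Password::INVALID_TOKEN` to the same generic message before calling `withErrors`. Separately, `credentials()` forwards only the request fields, so the reset step's user lookup no longer carries the `activated`/`ldap_import` constraints that the request step applies, and a token issued to an account that is deactivated before the token expires would still reset its password. If the broker treats extra credential keys as lookup constraints here as it does on the request path, `return array_merge($request->only('username', 'password', 'password_confirmation', 'token'), ['activated' => '1', 'ldap_import' => '0']);` closes that gap.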
@@ -19,19 +19,15 @@ return array( 'success' => 'Account sucessfully created.', ), - 'forgot-password' => array( - 'error' => 'There was a problem while trying to get a reset password code, please try again.', - 'success' => 'Password recovery email successfully sent.', - ), - - 'forgot-password-confirm' => array( - 'error' => 'There was a problem while trying to reset your password, please try again.', - 'success' => 'Your password has been successfully reset.', - ), - - 'activate' => array( - 'error' => 'There was a problem while trying to activate your account, please try again.', - 'success' => 'Your account has been successfully activated.', + 'forgot-password' => array( + 'error' => 'There was a problem while trying to get a reset password code, please try again.', + 'success' => 'Password recovery email successfully sent.', ), + 'forgot-password-confirm' => array( + 'error' => 'There was a problem while trying to reset your password, please try again.', + 'success' => 'Your password has been successfully reset.', + ), + + ); diff --git a/resources/lang/en/passwords.php b/resources/lang/en/passwords.php index 61fe7fbd43..0d55c17811 100644 --- a/resources/lang/en/passwords.php +++ b/resources/lang/en/passwords.php @@ -1,7 +1,7 @@ 'Your password link has been sent!', - 'user' => 'No matching active user found with that email.', + 'sent' => 'If a matching username and email address is found, a password reset link will be sent!', + 'user' => 'No matching active user found.', ]; diff --git a/resources/views/auth/passwords/email.blade.php b/resources/views/auth/passwords/email.blade.php index d2e1cd344b..2aad4afa4b 100644 --- a/resources/views/auth/passwords/email.blade.php +++ b/resources/views/auth/passwords/email.blade.php @@ -31,11 +31,11 @@ -
+
- - {!! $errors->first('email', ' :message') !!} + + {!! $errors->first('username', ' :message') !!}
diff --git a/resources/views/auth/passwords/reset.blade.php b/resources/views/auth/passwords/reset.blade.php index af14a2a6fc..1704b8e1af 100644 --- a/resources/views/auth/passwords/reset.blade.php +++ b/resources/views/auth/passwords/reset.blade.php @@ -31,12 +31,12 @@ -
- +
+
- - {!! $errors->first('email', ' :message') !!} + + {!! $errors->first('username', ' :message') !!}