
Completed registration system (closes #90)

Sergio Brighenti 5 лет назад
Родитель
Сommit
0d375201c8

+ 35 - 0
app/Controllers/Auth/PasswordRecoveryController.php

@@ -7,6 +7,7 @@ use App\Controllers\Controller;
 use App\Web\Mail;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
+use Slim\Exception\HttpNotFoundException;
 
 class PasswordRecoveryController extends Controller
 {
@@ -73,9 +74,16 @@ class PasswordRecoveryController extends Controller
      * @throws \Twig\Error\LoaderError
      * @throws \Twig\Error\RuntimeError
      * @throws \Twig\Error\SyntaxError
+     * @throws HttpNotFoundException
      */
     public function recoverPasswordForm(Request $request, Response $response, string $resetToken): Response
     {
+        $user = $this->database->query('SELECT `id` FROM `users` WHERE `reset_token` = ? LIMIT 1', $resetToken)->fetch();
+
+        if (!$user) {
+            throw new HttpNotFoundException($request);
+        }
+
         return view()->render($response, 'auth/recover_password.twig', [
             'reset_token' => $resetToken
         ]);
@@ -86,8 +94,35 @@ class PasswordRecoveryController extends Controller
      * @param  Response  $response
      * @param  string  $resetToken
      * @return Response
+     * @throws HttpNotFoundException
      */
     public function recoverPassword(Request $request, Response $response, string $resetToken): Response
     {
+        $user = $this->database->query('SELECT `id` FROM `users` WHERE `reset_token` = ? LIMIT 1', $resetToken)->fetch();
+
+        if (!$user) {
+            throw new HttpNotFoundException($request);
+        }
+
+        if (param($request, 'password') === null) {
+            $this->session->alert(lang('password_required'), 'danger');
+
+            return redirect($response, route('recover.password', ['resetToken' => $resetToken]));
+        }
+
+        if (param($request, 'password') !== param($request, 'password_repeat')) {
+            $this->session->alert(lang('password_match'), 'danger');
+
+            return redirect($response, route('recover.password', ['resetToken' => $resetToken]));
+        }
+
+        $this->database->query('UPDATE `users` SET `password`=?, `reset_token`=? WHERE `id` = ?', [
+            password_hash(param($request, 'password'), PASSWORD_DEFAULT),
+            null,
+            $user->id,
+        ]);
+
+        $this->session->alert(lang('password_restored'), 'success');
+        return redirect($response, route('login.show'));
     }
 }
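Review bot: The `param($request, 'password') === null` guard in the new `recoverPassword` body only rejects an absent field, so a submitted empty string passes both checks, is fed to `password_hash` and becomes the user's new password; the `required` attribute on the template input is client-side and gives the handler no protection. Reject blank and trivially short values server-side, e.g. `if (param($request, 'password') === null || mb_strlen(param($request, 'password')) < 8) {` reusing the existing `password_required` alert. The new lookups in both methods accept any value that still matches `reset_token` with no age check, so a token that was mailed but never used appears to stay valid indefinitely — if the `users` table has no issued-at or expiry column, consider adding one and comparing it before honouring the token. The `UPDATE` does clear `reset_token` on success, which makes each token single-use; that is worth stating in the method docblock so the next maintainer does not remove it.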

+ 2 - 0
resources/lang/en.lang.php

@@ -129,4 +129,6 @@ return [
     'account_activated' => 'Account activated, now you can login!',
     'quota_enabled' => 'Enable user quota',
     'password_repeat' => 'Repeat Password',
+    'password_match' => 'Password and repeat password must be the same.',
+    'password_restored' => 'Password has been reset.',
 ];

+ 1 - 2
resources/templates/auth/recover_password.twig

@@ -26,7 +26,7 @@
 
 {% block content %}
     <div class="container-fluid">
-        <form class="form-signin" method="post" action="{{ route('recover.mail') }}">
+        <form class="form-signin" method="post" action="{{ route('recover.password', {'resetToken': reset_token}) }}">
             <div class="row text-center">
                 <div class="col-md-12">
                     <h1 class="h3 mb-3 font-weight-normal">{{ config.app_name }}</h1>
@@ -35,7 +35,6 @@
             </div>
             <div class="row">
                 <div class="col-md-12">
-                    <input type="hidden" name="reset_token" value="{{ reset_token }}">
                     <label for="password" class="sr-only">{{ lang('password') }}</label>
                     <input type="password" id="password" class="form-control first" placeholder="{{ lang('password') }}" name="password" required>
                     <label for="password_repeat" class="sr-only">{{ lang('password_repeat') }}</label>