application/front/controller/admin/PasswordController.php

   1 <?php
   2
   3 declare(strict_types=1);
   4
   5 namespace Shaarli\Front\Controller\Admin;
   6
   7 use Shaarli\Container\ShaarliContainer;
   8 use Shaarli\Front\Exception\OpenShaarliPasswordException;
   9 use Shaarli\Front\Exception\ShaarliFrontException;
  10 use Shaarli\Render\TemplatePage;
  11 use Slim\Http\Request;
  12 use Slim\Http\Response;
  13 use Throwable;
  14
  15 /**
  16  * Class PasswordController
  17  *
  18  * Slim controller used to handle passwords update.
  19  */
  20 class PasswordController extends ShaarliAdminController
  21 {
  22     public function __construct(ShaarliContainer $container)
  23     {
  24         parent::__construct($container);
  25
  26         $this->assignView(
  27             'pagetitle',
  28             t('Change password') .' - '. $this->container->conf->get('general.title', 'Shaarli')
  29         );
  30     }
  31
  32     /**
  33      * GET /admin/password - Displays the change password template
  34      */
  35     public function index(Request $request, Response $response): Response
  36     {
  37         return $response->write($this->render(TemplatePage::CHANGE_PASSWORD));
  38     }
  39
  40     /**
  41      * POST /admin/password - Change admin password - existing and new passwords need to be provided.
  42      */
  43     public function change(Request $request, Response $response): Response
  44     {
  45         $this->checkToken($request);
  46
  47         if ($this->container->conf->get('security.open_shaarli', false)) {
  48             throw new OpenShaarliPasswordException();
  49         }
  50
  51         $oldPassword = $request->getParam('oldpassword');
  52         $newPassword = $request->getParam('setpassword');
  53
  54         if (empty($newPassword) || empty($oldPassword)) {
  55             $this->saveErrorMessage(t('You must provide the current and new password to change it.'));
  56
  57             return $response
  58                 ->withStatus(400)
  59                 ->write($this->render(TemplatePage::CHANGE_PASSWORD))
  60             ;
  61         }
  62
  63         // Make sure old password is correct.
  64         $oldHash = sha1(
  65             $oldPassword .
  66             $this->container->conf->get('credentials.login') .
  67             $this->container->conf->get('credentials.salt')
  68         );
  69
  70         if ($oldHash !== $this->container->conf->get('credentials.hash')) {
  71             $this->saveErrorMessage(t('The old password is not correct.'));
  72
  73             return $response
  74                 ->withStatus(400)
  75                 ->write($this->render(TemplatePage::CHANGE_PASSWORD))
  76             ;
  77         }
  78
  79         // Save new password
  80         // Salt renders rainbow-tables attacks useless.
  81         $this->container->conf->set('credentials.salt', sha1(uniqid('', true) .'_'. mt_rand()));
  82         $this->container->conf->set(
  83             'credentials.hash',
  84             sha1(
  85                 $newPassword
  86                 . $this->container->conf->get('credentials.login')
  87                 . $this->container->conf->get('credentials.salt')
  88             )
  89         );
  90
  91         try {
  92             $this->container->conf->write($this->container->loginManager->isLoggedIn());
  93         } catch (Throwable $e) {
  94             throw new ShaarliFrontException($e->getMessage(), 500, $e);
  95         }
  96
  97         $this->saveSuccessMessage(t('Your password has been changed'));
  98
  99         return $response->write($this->render(TemplatePage::CHANGE_PASSWORD));
 100     }
 101 }