Change Password

[rossaddison]

Q	A
Is bugfix?	❌
New feature?	✔️
Breaks BC?	❌
Fixed issues	None

[what-the-diff]

PR Summary

• Introduction of README File
  A new README.md file has been added to the root directory. This file contains a description of the demo application.

• Update on Blog README
  The 'blog/README.md' file has been updated to include instructions for installing Bootstrap Node Modules while using WAMP. Furthermore, improvements have been made to the "Support the Project" section.

• New Route Addition
  A new route has been added to the 'blog/config/common/routes/routes.php' file. This route is for the ResetController and has the URL /reset.

• Localization Updates
  In the blog/resources/messages/en/app.php file, translations for 'layout.password-verify.new' and 'layout.password.new' have been added. This update also includes the new translation for 'menu.password.change'.

• Addition of New Menu Item
  A new menu item for changing the password has been put in the blog/resources/views/layout/main.php file. This menu item links to the URL /auth/reset.

• Password Reset Functionality
  Several new files have been introduced to handle password reset functionality. These include a file to display the password reset form (blog/resources/views/reset/reset.php), a file to control the password reset operation (blog/src/Auth/Controller/ResetController.php), and a file to handle the reset form and its validation (blog/src/Auth/Form/ResetForm.php).

• Enhanced Login Protocol
  The Identity class has been improved with new methods and logic for managing login keys using cookies.

• New Identity Repository Functionality
  A new file has been added as blog/src/Auth/IdentityRepository.php which is responsible for handling identity repository operations.

[samdark]

Isn't npm creating node_modules automatically?

[rossaddison]

Testing Demo Installation:
Step 1: Downloaded zip and extracted into demo2 folder
Step 2: composer update
Step 3: c:\wamp64\www\demo2\blog>yii serve

Step 4: Whilst running wampserver in url typed: 127.0.0.1:8080

Step 5: Removed blog from .env file path to remove above error.

[rossaddison]

[rossaddison]

Please review these changes

[vjik]

Added several comments, fix several errors and adapt PR to last changes in Yii Form.

[vjik]

Suggested change

	private string $passwordVerify = '';
	private string $passwordVerify = '';

Not need field for duplicate old password.

[samdark]

@rossaddison would you please resolve conflicts? Thanks.

[vjik]

if (!$authService->isGuest()) { already not need, we have this check above.

In the same way, you can remove "if" nesting in further code.

[vjik]

Do you want add ability to change password for any user? Not only current?

[rossaddison]

Yes. I will need to add a permission to the readonly => readonly e.g.

!$this->currentUser->can('changePasswordForAnyUser',[]) ?  'readonly'=>'readonly' :  '';

This will make sure that only administrators with the canChangePasswordForAnyUser permission can insert a username in the login textbox in place of the {login} in order to change the password.

...And remove the

if ($this->currentUser->can('viewInv',[])) {

since all authenticated users with a lesser permission (of viewInv) should be able to change their password.

changepassword.php

<?= $canChangePasswordForAnyUser ? Field::text($formModel, 'login')->addInputAttributes(['value'=> $login ?? '']) 
                                                     : Field::text($formModel, 'login')->addInputAttributes(['value'=> $login ?? '', 'readonly'=>'readonly']); ?>

Controller.php

public function change(
      AuthService $authService,
      Identity $identity,
      IdentityRepository $identityRepository,
      ServerRequestInterface $request,
      FormHydrator $formHydrator,
      ChangePasswordForm $changePasswordForm
    ): ResponseInterface {
      if ($authService->isGuest()) {
          return $this->redirectToMain();
      }
      // readonly the login detail on the change form
      $identity_id = $this->currentUser->getIdentity()->getId();
      if (null!==$identity_id) {
        $identity = $identityRepository->findIdentity($identity_id);
        if (null!==$identity) {
          // Identity and User are in a HasOne relationship so no null value
          $login = $identity->getUser()?->getLogin();
          if ($request->getMethod() === Method::POST
            && $formHydrator->populate($changePasswordForm, $request->getParsedBody())
            && $changePasswordForm->change() 
          ) {
            // Identity implements CookieLoginIdentityInterface: ensure the regeneration of the cookie auth key by means of $authService->logout();
            // @see vendor\yiisoft\user\src\Login\Cookie\CookieLoginIdentityInterface 
            // Specific note: "Make sure to invalidate earlier issued keys when you implement force user logout,
            // PASSWORD CHANGE and other scenarios, that require forceful access revocation for old sessions.
            // The authService logout function will regenerate the auth key here => overwriting any auth key
            $authService->logout();
            $this->flash_message('success', $this->translator->translate('validator.password.change'));
            return $this->redirectToMain();
          }
          return $this->viewRenderer->render('change', 
                  [
                      'formModel' => $changePasswordForm, 
                      'login' => $login,
                      'canChangePasswordForAnyUser' => $this->currentUser->can('changePasswordForAnyUser')    
                  ]);
        } // identity
      } // identity_id 
    } // r

[samdark]

viewInv isn't a good name for permission. Let's not shorten names.

[samdark]

Why?

[xepozz]

@rossaddison you can link your packages locally with yiisoft/yii-dev-tool
Take a look at it

[samdark]

Why?

[samdark]

Does that work in PhpStorm? Elsewhere?

[samdark]

Looks suspicious. What does it reset?

[samdark]

Was that created to exclude debug routes from language routing?

[samdark]

Suggested change

	$this->currentUser = $currentUser;
	$this->session = $session;
	$this->flash = new Flash($session);
	$this->translator = $translator;
	$this->viewRenderer = $viewRenderer->withControllerName('changepassword');
	$this->flash = new Flash($session);
	$this->viewRenderer = $viewRenderer->withControllerName('changepassword');

[samdark]

Suggested change

	$identity_id = $this->currentUser->getIdentity()->getId();
	$identityId = $this->currentUser->getIdentity()->getId();

[samdark]

Suggested change

	$this->flash_message('success', $this->translator->translate('validator.password.change'));
	$this->flashMessage('success', $this->translator->translate('validator.password.change'));

[samdark]

Ideally, that should be implemented by catching a database exception on inserting a record because SELECT and then INSERT aren't atomic and, thus, can cause an exception anyway if a value is inserted by another user in between.

[samdark]

I'd not limit password length because it weakens security overall.