Add initiate cancel reset password step #22810
Conversation
$errorMessage = $ex->getMessage(); | ||
} | ||
|
||
$nonce = Nonce::getNonce(self::NONCE_CONFIRMCANCELRESETPASSWORD); |
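Review bot: The nonce here is doing real work rather than being optional belt-and-braces: the description says link scanners were cancelling resets simply by fetching the link, so the new intermediate screen only helps if completing it requires a value that is not present in the URL a scanner follows. Generating the nonce under an action-specific name (NONCE_CONFIRMCANCELRESETPASSWORD) at render time and accepting it only from the submitted confirmation form gives exactly that, so keep the generation on the render path, separate from the path that actually performs the cancel.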
Don't really know if the nonce is necessary but it doesn't hurt
Left two comments for improvements. Besides that it works as expected when tested locally.
plugins/Login/Controller.php
Outdated
$isNonceValid = Nonce::verifyNonce(self::NONCE_CONFIRMCANCELRESETPASSWORD, $request->getStringParameter('nonce')); | ||
if ($isNonceValid === false) { | ||
throw new Exception('Cannot verify request'); | ||
} |
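Review bot: Besides the nonce itself, this handler should only honour the confirmation on a POST request, and a failed check should re-render the confirmation page with a fresh nonce rather than throw a bare `Exception('Cannot verify request')`. A nonce that arrives as a GET parameter is indistinguishable from the kind of link a scanner follows, and a generic exception gives a user whose nonce merely expired no way to retry; a form-validation error that redisplays the form covers both cases.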
You could use Nonce::checkNonce instead. That should directly throw a form validation exception if the nonce does not match and will also discard the nonce.
Also you need to do the nonce check before the action is actually performed!
Thanks, I've fixed this.
Co-authored-by: Stefan Giehl <stefan@matomo.org>
…ore action is performed.
LGTM
Description:
A problem was discovered with the cancel reset password flow where email link scanners would unintentionally cancel the reset password flow during their scan.
This adds a new screen in between that action to prevent that from happening.
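The two-step flow the description outlines, as an added stand-alone example that is not Matomo's code and does not use its `Nonce` class: a GET of the e-mail link only renders a confirmation form carrying a single-use nonce, and the cancel is performed only on a POST whose nonce verifies, with the check done before any state changes. `NonceStore`, `ResetStore`, `handleCancelReset` and the request array shape are hypothetical names chosen for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical action name for the nonce (not Matomo's constant).
const NONCE_CONFIRM_CANCEL = 'confirmCancelResetPassword';

final class NonceStore
{
    /** @var array<string, array{value: string, expires: int}> stands in for the session */
    private array $store = [];

    public function issue(string $action, int $ttlSeconds = 600): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->store[$action] = ['value' => $nonce, 'expires' => time() + $ttlSeconds];
        return $nonce;
    }

    /** Verifies and discards the nonce in one step; false on any mismatch or expiry. */
    public function check(string $action, ?string $candidate): bool
    {
        $entry = $this->store[$action] ?? null;
        unset($this->store[$action]); // single use: consumed whether or not it matches
        if ($entry === null || $candidate === null || $entry['expires'] < time()) {
            return false;
        }
        return hash_equals($entry['value'], $candidate);
    }
}

final class ResetStore
{
    /** @var array<string, bool> login => a password reset is pending (constructed state) */
    private array $pending = ['alice' => true];

    public function isPending(string $login): bool { return $this->pending[$login] ?? false; }
    public function cancel(string $login): void { unset($this->pending[$login]); }
}

/**
 * $request mimics a minimal HTTP request: ['method' => 'GET'|'POST', 'params' => [...]].
 * Returns the HTML form (GET) or a status string (POST).
 */
function handleCancelReset(array $request, NonceStore $nonces, ResetStore $resets): string
{
    $login = $request['params']['login'] ?? '';

    if ($request['method'] !== 'POST') {
        // A link scanner fetching the e-mail link lands here: nothing is changed.
        $nonce = htmlspecialchars($nonces->issue(NONCE_CONFIRM_CANCEL), ENT_QUOTES, 'UTF-8');
        $safeLogin = htmlspecialchars($login, ENT_QUOTES, 'UTF-8');
        return '<form method="post">'
             . '<input type="hidden" name="nonce" value="' . $nonce . '">'
             . '<input type="hidden" name="login" value="' . $safeLogin . '">'
             . '<button type="submit">Cancel password reset</button></form>';
    }

    // POST: verify (and consume) the nonce before touching any state.
    if (!$nonces->check(NONCE_CONFIRM_CANCEL, $request['params']['nonce'] ?? null)) {
        return 'error: cannot verify request';
    }
    if (!$resets->isPending($login)) {
        return 'error: no pending reset';
    }
    $resets->cancel($login);
    return 'ok: reset cancelled';
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException('expectation failed: ' . $what); }
}

// Walk-through with constructed requests.
$nonces = new NonceStore();
$resets = new ResetStore();
$get = ['method' => 'GET', 'params' => ['login' => 'alice']];

// 1. The link is opened (by a scanner or the user): a form comes back, reset still pending.
$form = handleCancelReset($get, $nonces, $resets);
expect($resets->isPending('alice'), 'GET must not cancel the reset');

// 2. A POST with a wrong nonce is refused; the issued nonce is discarded by the check.
$bad = ['method' => 'POST', 'params' => ['login' => 'alice', 'nonce' => 'bogus']];
expect(handleCancelReset($bad, $nonces, $resets) === 'error: cannot verify request', 'bad nonce');
expect($resets->isPending('alice'), 'bad nonce must not cancel the reset');

// 3. The user reopens the page and submits the form with the nonce it carries.
$form = handleCancelReset($get, $nonces, $resets);
preg_match('/name="nonce" value="([0-9a-f]+)"/', $form, $m);
$good = ['method' => 'POST', 'params' => ['login' => 'alice', 'nonce' => $m[1]]];
expect(handleCancelReset($good, $nonces, $resets) === 'ok: reset cancelled', 'valid nonce');
expect(!$resets->isPending('alice'), 'reset should now be cancelled');

// 4. Replaying the same submission fails: the nonce was single use.
expect(handleCancelReset($good, $nonces, $resets) === 'error: cannot verify request', 'replay');
echo "all checks passed\n";
```

The order inside the POST branch is the point the reviewer raised above: the nonce is verified and consumed first, and only then is the pending reset looked up and cancelled, so neither a scanner's GET nor a stale or replayed POST can change account state.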