Reuse password reset tokens until they expire

app/code/Magento/Customer/Model/AccountManagement.php

@@ -644,6 +644,13 @@ public function initiatePasswordReset($email, $template, $websiteId = null)
         // load customer by email
         $customer = $this->customerRepository->get($email, $websiteId);
 
+        if ($this->customerHasValidPasswordResetToken($customer)) {
+            // No need to send an email as the password reset token that has
+            // already been sent is still valid. No message is shown to avoid
+            // leaking information about existence of account.
+            return false;
+        }
+
         // No need to validate customer address while saving customer reset password token
         $this->disableAddressValidation($customer);
 
@@ -1583,6 +1590,28 @@ public function getPasswordHash($password)
         return $this->encryptor->getHash($password, true);
     }
 
+    /**
+     * Retrieve and validate existing password reset token
+     *
+     * @param CustomerInterface $customer
+     * @return bool
+     */
+    private function customerHasValidPasswordResetToken(CustomerInterface $customer): bool
+    {
+        try {
+            $customerId = $customer->getId();
+            $customerSecureData = $this->customerRegistry->retrieveSecureData($customerId);
+            $token = $customerSecureData->getRpToken();
+            return $this->validateResetPasswordToken($customerId, $token);
+        } catch (NoSuchEntityException $exception) {
+            return false;
+        } catch (InputException $exception) {
+            return false;
+        } catch (ExpiredException $exception) {
+            return false;
+        }
+    }
+
     /**
      * Disable Customer Address Validation
      *

app/code/Magento/Customer/Test/Unit/Model/AccountManagementTest.php

@@ -205,7 +205,7 @@ class AccountManagementTest extends TestCase
     private $allowedCountriesReader;
 
     /**
-     * @var SessionCleanerInterface|\PHPUnit_Framework_MockObject_MockObject
+     * @var SessionCleanerInterface|MockObject
      */
     private $sessionCleanerMock;
 
@@ -256,7 +256,14 @@ protected function setUp(): void
             ->getMockForAbstractClass();
 
         $this->customerSecure = $this->getMockBuilder(CustomerSecure::class)
-            ->setMethods(['setRpToken', 'addData', 'setRpTokenCreatedAt', 'setData'])
+            ->setMethods([
+                'addData',
+                'getRpToken',
+                'getRpTokenCreatedAt',
+                'setData',
+                'setRpToken',
+                'setRpTokenCreatedAt',
+            ])
             ->disableOriginalConstructor()
             ->getMock();
 
@@ -1179,29 +1186,28 @@ public function testSendPasswordReminderEmail()
         $this->assertEquals($this->accountManagement, $this->accountManagement->sendPasswordReminderEmail($customer));
     }
 
-    /**
-     * @param string $email
-     * @param string $templateIdentifier
-     * @param string $sender
-     * @param int $storeId
-     * @param int $customerId
-     * @param string $hash
-     */
-    protected function prepareInitiatePasswordReset($email, $templateIdentifier, $sender, $storeId, $customerId, $hash)
-    {
+    private function prepareInitiatePasswordReset(
+        string $email,
+        string $templateIdentifier,
+        string $sender,
+        int $storeId,
+        int $customerId,
+        string $hash,
+        int $callCount = 1
+    ): void {
         $websiteId = 1;
         $addressId = 5;
         $datetime = $this->prepareDateTimeFactory();
         $customerData = ['key' => 'value'];
         $customerName = 'Customer Name';
 
-        $this->store->expects($this->once())
+        $this->store->expects($this->exactly($callCount))
             ->method('getWebsiteId')
             ->willReturn($websiteId);
         $this->store->expects($this->any())
             ->method('getId')
             ->willReturn($storeId);
-        $this->storeManager->expects($this->any())
+        $this->storeManager->expects($this->exactly($callCount))
             ->method('getStore')
             ->willReturn($this->store);
 
@@ -1232,17 +1238,14 @@ protected function prepareInitiatePasswordReset($email, $templateIdentifier, $se
         $customer->expects($this->any())
             ->method('getAddresses')
             ->willReturn([$address]);
-        $this->customerRepository->expects($this->once())
-            ->method('get')
-            ->willReturn($customer);
         $this->addressRegistryMock->expects($this->once())
             ->method('retrieve')
             ->with($addressId)
             ->willReturn($addressModel);
         $addressModel->expects($this->once())
             ->method('setShouldIgnoreValidation')
             ->with(true);
-        $this->customerRepository->expects($this->once())
+        $this->customerRepository->expects($this->exactly($callCount))
             ->method('get')
             ->with($email, $websiteId)
             ->willReturn($customer);
@@ -1265,6 +1268,9 @@ protected function prepareInitiatePasswordReset($email, $templateIdentifier, $se
             ->method('setRpTokenCreatedAt')
             ->with($datetime)
             ->willReturnSelf();
+        $this->customerSecure->expects($this->any())
+            ->method('getRpTokenCreatedAt')
+            ->willReturn($datetime);
         $this->customerSecure->expects($this->any())
             ->method('addData')
             ->with($customerData)
@@ -1273,76 +1279,61 @@ protected function prepareInitiatePasswordReset($email, $templateIdentifier, $se
             ->method('setData')
             ->with('name', $customerName)
             ->willReturnSelf();
-        $this->customerRegistry->expects($this->any())
+        $this->customerRegistry->expects($this->exactly($callCount * 2))
             ->method('retrieveSecureData')
             ->with($customerId)
             ->willReturn($this->customerSecure);
         $this->dataObjectProcessor->expects($this->any())
             ->method('buildOutputDataArray')
             ->with($customer, Customer::class)
             ->willReturn($customerData);
-
-        $this->prepareEmailSend($email, $templateIdentifier, $sender, $storeId, $customerName);
+        $this->customer->expects($this->any())
+            ->method('getResetPasswordLinkExpirationPeriod')
+            ->willReturn(100000);
     }
 
     /**
-     * @param string $email
-     * @param int $templateIdentifier
-     * @param string $sender
-     * @param int $storeId
-     * @param string $customerName
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
-    protected function prepareEmailSend($email, $templateIdentifier, $sender, $storeId, $customerName)
+    public function testInitiatePasswordResetEmailReminder()
     {
-        $transport = $this->getMockBuilder(TransportInterface::class)
-            ->getMock();
+        $customerId = 1;
 
-        $this->transportBuilder->expects($this->any())
-            ->method('setTemplateIdentifier')
-            ->with($templateIdentifier)
-            ->willReturnSelf();
-        $this->transportBuilder->expects($this->any())
-            ->method('setTemplateOptions')
-            ->with(['area' => Area::AREA_FRONTEND, 'store' => $storeId])
-            ->willReturnSelf();
-        $this->transportBuilder->expects($this->any())
-            ->method('setTemplateVars')
-            ->with(['customer' => $this->customerSecure, 'store' => $this->store])
-            ->willReturnSelf();
-        $this->transportBuilder->expects($this->any())
-            ->method('setFrom')
-            ->with($sender)
-            ->willReturnSelf();
-        $this->transportBuilder->expects($this->any())
-            ->method('addTo')
-            ->with($email, $customerName)
+        $email = 'test@example.com';
+        $template = AccountManagement::EMAIL_REMINDER;
+        $templateIdentifier = 'Template Identifier';
+        $sender = 'Sender';
+
+        $storeId = 1;
+
+        $hash = hash("sha256", uniqid(microtime() . random_int(0, PHP_INT_MAX), true));
+
+        $this->emailNotificationMock->expects($this->once())
+            ->method('passwordReminder')
             ->willReturnSelf();
-        $this->transportBuilder->expects($this->any())
-            ->method('getTransport')
-            ->willReturn($transport);
 
-        $transport->expects($this->any())
-            ->method('sendMessage');
+        $this->prepareInitiatePasswordReset($email, $templateIdentifier, $sender, $storeId, $customerId, $hash);
+
+        $this->assertTrue($this->accountManagement->initiatePasswordReset($email, $template));
     }
 
     /**
      * @throws \Magento\Framework\Exception\LocalizedException
      */
-    public function testInitiatePasswordResetEmailReminder()
+    public function testInitiatePasswordResetEmailReset()
     {
+        $storeId = 1;
         $customerId = 1;
 
         $email = 'test@example.com';
-        $template = AccountManagement::EMAIL_REMINDER;
+        $template = AccountManagement::EMAIL_RESET;
         $templateIdentifier = 'Template Identifier';
         $sender = 'Sender';
 
-        $storeId = 1;
-
         $hash = hash("sha256", uniqid(microtime() . random_int(0, PHP_INT_MAX), true));
 
         $this->emailNotificationMock->expects($this->once())
-            ->method('passwordReminder')
+            ->method('passwordResetConfirmation')
             ->willReturnSelf();
 
         $this->prepareInitiatePasswordReset($email, $templateIdentifier, $sender, $storeId, $customerId, $hash);
@@ -1353,7 +1344,7 @@ public function testInitiatePasswordResetEmailReminder()
     /**
      * @throws \Magento\Framework\Exception\LocalizedException
      */
-    public function testInitiatePasswordResetEmailReset()
+    public function testInitiatePasswordResetEmailResetNoDuplicateEmail()
     {
         $storeId = 1;
         $customerId = 1;
@@ -1369,9 +1360,23 @@ public function testInitiatePasswordResetEmailReset()
             ->method('passwordResetConfirmation')
             ->willReturnSelf();
 
-        $this->prepareInitiatePasswordReset($email, $templateIdentifier, $sender, $storeId, $customerId, $hash);
+        $this->prepareInitiatePasswordReset(
+            $email,
+            $templateIdentifier,
+            $sender,
+            $storeId,
+            $customerId,
+            $hash,
+            2 // call count
+        );
 
         $this->assertTrue($this->accountManagement->initiatePasswordReset($email, $template));
+
+        $this->customerSecure->expects($this->any())
+            ->method('getRpToken')
+            ->willReturn($hash);
+
+        $this->assertFalse($this->accountManagement->initiatePasswordReset($email, $template));
     }
 
     /**

app/code/Magento/User/Controller/Adminhtml/Auth/Forgotpassword.php

@@ -6,19 +6,21 @@
  */
 namespace Magento\User\Controller\Adminhtml\Auth;
 
+use Magento\Backend\App\Action\Context;
+use Magento\Backend\Helper\Data;
 use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Framework\App\ObjectManager;
-use Magento\Security\Model\SecurityManager;
-use Magento\Backend\App\Action\Context;
-use Magento\User\Model\UserFactory;
-use Magento\User\Model\ResourceModel\User\CollectionFactory;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Exception\SecurityViolationException;
 use Magento\Framework\Validator\EmailAddress;
 use Magento\Security\Model\PasswordResetRequestEvent;
-use Magento\Framework\Exception\SecurityViolationException;
+use Magento\Security\Model\SecurityManager;
 use Magento\User\Controller\Adminhtml\Auth;
-use Magento\Backend\Helper\Data;
+use Magento\User\Model\ResourceModel\User\CollectionFactory;
 use Magento\User\Model\Spi\NotificatorInterface;
+use Magento\User\Model\User;
+use Magento\User\Model\UserFactory;
 
 /**
  * Initiate forgot-password process.
@@ -63,7 +65,7 @@ public function __construct(
         SecurityManager $securityManager,
         CollectionFactory $userCollectionFactory = null,
         Data $backendDataHelper = null,
-        ?NotificatorInterface $notificator = null
+        NotificatorInterface $notificator = null
     ) {
         parent::__construct($context, $userFactory);
         $this->securityManager = $securityManager;
@@ -108,9 +110,9 @@ public function execute()
                 try {
                     if ($collection->getSize() > 0) {
                         foreach ($collection as $item) {
-                            /** @var \Magento\User\Model\User $user */
+                            /** @var User $user */
                             $user = $this->_userFactory->create()->load($item->getId());
-                            if ($user->getId()) {
+                            if ($user->getId() && !$this->userHasValidPasswordResetToken($user)) {
                                 $newPassResetToken = $this->backendDataHelper->generateResetPasswordLinkToken();
                                 $user->changeResetPasswordLinkToken($newPassResetToken);
                                 $user->save();
@@ -126,9 +128,9 @@ public function execute()
                     );
                     return $resultRedirect->setPath('admin');
                 }
-                // @codingStandardsIgnoreStart
-                $this->messageManager->addSuccess(__('We\'ll email you a link to reset your password.'));
-                // @codingStandardsIgnoreEnd
+                $this->messageManager->addSuccess(
+                    __('We\'ll email you a link to reset your password.')
+                );
                 $this->getResponse()->setRedirect(
                     $this->backendDataHelper->getHomePageUrl()
                 );
@@ -142,4 +144,23 @@ public function execute()
         $this->_view->loadLayout();
         $this->_view->renderLayout();
     }
+
+    /**
+     * Retrieve and validate existing password reset token
+     *
+     * @param User $user
+     * @return bool
+     */
+    private function userHasValidPasswordResetToken(User $user): bool
+    {
+        try {
+            $newPassResetToken = $user->getRpToken();
+            $this->_validateResetPasswordLinkToken((int) $user->getId(), $newPassResetToken);
+            return true;
+        } catch (LocalizedException $exception) {
+            // Catching LocalizedException as this is the exception that is thrown
+            // to indicate failure within Auth::_validateResetPasswordLinkToken()
+            return false;
+        }
+    }
 }