Bug #87349

FELogin - password recovery / forgot link

Added by Benjamin Reinisch 3 months ago. Updated 8 days ago.

Status: New
Priority: Must have
Assignee: -
Category: felogin
Target version: -
Start date: 2019-01-07
Due date:
% Done: 0%
TYPO3 Version: 9
PHP Version: 7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The password forgot link is not correctly generated; the URL contains the following GET params:

http://test.domain/navigationen/login?tx_felogin_pi1%5Bforgothash%5D=1546897690%7C4e485fd92fe2beebebf2f3b244e94371&tx_felogin_pi1%5Buser%5D=123&cHash=6de0887c9d906f020ca766f7c8067c03

tx_felogin_pi1%5Bforgothash%5D: 1546897690|4e485fd92fe2beebebf2f3b244e94371
tx_felogin_pi1%5Buser%5D: 123
cHash: 6de0887c9d906f020ca766f7c8067c03

Therefore sysext/felogin/Classes/Controller/FrontendLoginController.php:181 is never reached:

177: // What to display
178:        $content = '';
179:        if ($this->piVars['forgot'] && $this->conf['showForgotPasswordLink']) {
180:            $content .= $this->showForgot();
181:        } elseif ($this->piVars['forgothash']) {
182:            $content .= $this->changePassword();
183:        } else {
184:            if ($this->userIsLoggedIn && !$this->logintype) {
185:                $content .= $this->showLogout();
186:            } else {
187:                $content .= $this->showLogin();
188:            }
189:        }

If I modify it so that the URL gets correctly encoded, then the cHash comparison fails.


Related issues

Related to TYPO3 Core - Bug #87664: fe_login password reset link is double encoded Closed 2019-02-06
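
The reported link, decoded the way PHP decodes a query string, next to a constructed double-encoded variant (the condition named in the related issue's title). This is an added example, not code from the report or from TYPO3 core; `encodingDepth` and `pluginVars` are hypothetical helper names, and it assumes the plugin reads its parameters from the `tx_felogin_pi1` GET array.

```php
<?php
// Added diagnostic example, not TYPO3 core code.
const PLUGIN_NAMESPACE = 'tx_felogin_pi1'; // namespace taken from the report

/**
 * Number of percent-encoding layers around the plugin's parameter names in the
 * raw query string (1 = normal link, 2 = double encoded), or null if absent.
 */
function encodingDepth(string $url): ?int
{
    $query = (string)parse_url($url, PHP_URL_QUERY);
    for ($depth = 0; $depth <= 3; $depth++) {
        if (strpos($query, PLUGIN_NAMESPACE . '[') !== false) {
            return $depth;
        }
        $query = rawurldecode($query);
    }
    return null;
}

/** Plugin parameters as PHP sees them after its single decode pass. */
function pluginVars(string $url): array
{
    parse_str((string)parse_url($url, PHP_URL_QUERY), $params);
    $vars = $params[PLUGIN_NAMESPACE] ?? [];
    return is_array($vars) ? $vars : [];
}

// Link exactly as quoted in the report.
$reported = 'http://test.domain/navigationen/login?tx_felogin_pi1%5Bforgothash%5D=1546897690%7C4e485fd92fe2beebebf2f3b244e94371&tx_felogin_pi1%5Buser%5D=123&cHash=6de0887c9d906f020ca766f7c8067c03';
// Constructed variant: every "%" encoded once more, i.e. a double-encoded link.
$double = str_replace('%', '%25', $reported);

foreach (['reported' => $reported, 'double-encoded' => $double] as $label => $url) {
    $vars = pluginVars($url);
    printf(
        "%-15s depth=%s forgothash=%s user=%s\n",
        $label,
        encodingDepth($url) ?? 'n/a',
        $vars['forgothash'] ?? '(missing)',
        $vars['user'] ?? '(missing)'
    );
}
```

For the constructed double-encoded link the parameter name survives the single decode pass as the literal key `tx_felogin_pi1%5Bforgothash%5D`, so nothing lands under the `tx_felogin_pi1` array.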

History

#1 Updated by Nico de Haen about 2 months ago

I don't get your point:

If the condition $this->piVars['forgot'] is wrong (or NULL) then the condition $this->piVars['forgothash'] is evaluated (which is true in your example) so line 182 will be executed...

#2 Updated by Nico de Haen about 2 months ago

  • Related to Bug #87664: fe_login password reset link is double encoded added

#3 Updated by Patrick no-lastname-given 20 days ago

Since the upgrade to 9.5 of my installations, the reset link in the user emails looks like this:
https://www.mydomain.local/25%7C5a5b6599d6664664bf2eac0412eba416&tx_felogin_pi1%5Buser%5D=14&cHash=35a87a1d4786223d382a77d1ce227fe9

This link goes to the 404 page. I have no route enhancers for felogin yet and the configuration is like in 8.7. The login form is on the root page and on a subpage.

With these route enhancers:

PasswordForgot:
  type: Plugin
  limitToPages:
    - 1
    - 23
  namespace: 'tx_felogin_pi1'
  routePath: '/password-forgot/{forgot}'

PasswordReset:
  type: Plugin
  limitToPages:
    - 1
    - 23
  namespace: tx_felogin_pi1
  routePath: '/password-reset/{forgothash}/{user}'

The link looks like this
https://www.mydomain.local/73f7c4dbdaf0d8be8a6a/14/?cHash=8b62bcdc86249c817751f000725c1f6d
and also goes to the 404 page.

I think there is a bug with felogin and site handling. Or can anybody give me a source to correct felogin route enhancers?

#4 Updated by Vasyl Mosiychuk 8 days ago

This is my configuration:

routeEnhancers:
  ForgotPassword:
    type: Plugin
    limitToPages: [1]
    namespace: 'tx_felogin_pi1'
    routePath: '/forgot/password/{forgot}'
    defaults:
      forgot: '1'
    requirements:
      forgot: '^[1]{1}$'
  ResetPassword:
    type: Plugin
    limitToPages: [1]
    namespace: 'tx_felogin_pi1'
    routePath: '/reset/password/{forgothash}/{user}'
    requirements:
      forgothash: '^[a-zA-Z0-9%]$'
      user: '[0-9]{1..3}'

I get urls:

`https://www.mydomain.local/user/profile/login/forgot/password/1?cHash=ec0225deb7dbb47bbe939638f78cdc5d`

`https://www.mydomain.local/user/profile/login/reset/password/73f7c4dbdaf0d8be8a6a/1?cHash=8b62bcdc86249c817751f000725c1f6d`

...and it works. I do not get a 404 error.

...but I have another problem with `cHash=....`: I always get it as `..?cHash=....` and not as `../.../`.
For example, this is what I need:

`https://www.mydomain.local/user/profile/login/forgot/password/1/ec0225deb7dbb47bbe939638f78cdc5d`

`https://www.mydomain.local/user/profile/login/reset/password/73f7c4dbdaf0d8be8a6a/1/8b62bcdc86249c817751f000725c1f6d`

...even if I add another configuration:

routeEnhancers:
  ForgotPassword:
    type: Plugin
    limitToPages: [1]
    namespace: 'tx_felogin_pi1'
    routePath: '/forgot/password/{forgot}/{hash}'
    defaults:
      forgot: '1'
    requirements:
      forgot: '^[1]{1}$'
      hash: '^[a-zA-Z0-9]{32}$'
  ResetPassword:
    type: Plugin
    limitToPages: [1]
    namespace: 'tx_felogin_pi1'
    routePath: '/reset/password/{forgothash}/{user}/{hash}'
    requirements:
      forgothash: '^[a-zA-Z0-9%]$'
      user: '[0-9]{1..3}'
      hash: '^[a-zA-Z0-9]{32}$'

...after this I get URLs like this:

`https://www.mydomain.local/user/profile/login?tx_felogin_pi1%5Bforgot%5D=1&cHash=ec0225deb7dbb47bbe939638f78cdc5d`

and

`https://www.mydomain.local/user/profile/login?tx_felogin_pi1%5Bforgothash%5D=1552985686%7Ca90f54764cdb5a81cf8804999368fdd6&tx_felogin_pi1%5Buser%5D=1&cHash=d1c604f5fbdc330a9167828763f3bdc7`
