Frontend password reset

[modifiedcontent]

The modules don't really work for me. I have a custom login and registration process directly in template files and just want to add password reset. I don't need admin etc.

The following works:

Spoiler

<?php
if($user->isLoggedin()) {

$session->logout();
$session->redirect('/');

} else {

if ($input->post->submitforgot) {

	$email = $input->post->useroremail;

	if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
	
		$finduser = $users->get("email=".$email);
		$founduser = $finduser->name;

		} else {
		
		$founduser = $input->post->useroremail;
		
		}
    
    if($users->get($founduser)->id) {
        
            $lostmember = $users->get($founduser);
        
            $note = 'We found your account. Check your inbox for an email with a password reset link.';
        
            $pass = passworder(8);
            $activation = md5($pass."randomstringhereforextraprotection");
        
            $lostmember->of(false);
            $lostmember->activation = $activation;
            $lostmember->save();
            $lostmember->of(true);
        
            $activationlink = 'https://' . $config->httpHost . $_SERVER['REQUEST_URI'] . '?key='. $activation .'#join';
        
            $message = strip_tags(wirePopulateStringTags($pages->get('/join')->passreset_message,[ 'fullname' => $lostmember->fullname, 'activatelink' => $activationlink, 'username' => $lostmember->name ]));
            $mail->send($lostmember->email, 'My Website<admin@mywebsite.com>', 'Your password reset link', $message);

        } else {
        
            $note = 'Member does not exist. What are you even doing here?';
        
        }
} 
	
if ($note) {
	echo $note;
} else {
?>    

    <form action='<?php echo $config->urls->root; ?>#forgot' method=post id=forgotpass autocomplete=on>
        
    <section class=field>        
    <label for=useroremail>Email or username</label>
    <input id=useroremail type=text name=useroremail placeholder='' autocomplete=username required>
    </section>

	<input type=submit name=submitforgot value='reset password' />
    </form>

<?php 
	}
} 
?>

 

My PHP knowledge is very limited - I don't understand namespace, hooks, etc. etc. I have to start from a basic proof-of-concept and then improve on that as needed. 

Are there obvious mistakes in the code above?

Obvious security risks?

The process is really slow; it takes forever after clicking submit to find the user in the database. Could the code be more efficient?

Any comments / suggestions much appreciated.

 

[netcarver]

Hi @modifiedcontent have you considered just using Ryan's ProcessForgotPasswords module that is already part of PW and just loading it in your template file and having it take care of things for you?

I've not tried it myself in my own template files but it is certainly possible. Something like this might work for you on your reset page template (totally untested, but you seem to be willing to experiment)...

<?php

if ($user->isLoggedin()) {
    $session->logout();
    $session->redirect('/');
} else {
    $pfp = wire()->modules->get("ProcessForgotPassword"); 
    $pfp->useInlineNotices = true;
    $pfp->emailFrom = 'your-from-address@your.domain';
    echo $pfp->execute();
}

There are several other settings like 'useInlineNotices' that are documented in the module from lines 17-28, linked here.

You'll be better served using this core module if you can, rather than writing something yourself.  If you do want to use this as a learning opportunity, and decide to go with your own code then I'd suggest research in the following areas: CSRF tokens, session variables, cryptographically secure random number generators, MD5 weaknesses and password hashing.

[modifiedcontent]

Thanks @netcarver. I could not figure out how to use that ProcessForgotPasswords module. There were no instructions anywhere. It looks like it depends on other modules or assumes your login/register process is structured a certain way. Thanks for the other suggestions. Replacing md5() was going to be next.