
Automatically login users after successful password reset



Posted

@ryan's ForgotPassword module has been in PW since Day Dot. It does its job BUT it's onerous, especially for Frontend Users, e.g. those using LoginRegisterPro.
My client, quite reasonably, wanted the FE users to be logged in automatically after a successful password reset. The module doesn't have many hooks.
Here's one solution to automatically logging in frontend users after a successful password reset.
In site/ready.php:

// Force login after successful password reset
$this->addHookAfter('ProcessForgotPassword::renderMessage', function(HookEvent $event) {
    $msg = $event->arguments(0);
    $input = wire('input');
    $session = wire('session');
    $pages = wire('pages');
    $page = wire('page');
    $users = wire('users');

    $return = $event->return;
    // This uses the module's default text.
    // Adapt to suit on multi-language sites or if you want it to work for admins too
    if(stripos($msg, 'success') !== false && $page->template->name !== 'admin') {
        $userid = $input->get('u', 'int');
        $user = $users->get($userid);
        // limit access to specific users or roles
        // ($user->id is 0 when no user matches, so unknown IDs are skipped)
        if($user->id && !$user->isSuperuser() && $user->hasRole('login-register')) {
            $session->forceLogin($user);
            $session->redirect($pages->get("name=mypage")->url);
        }
    }
    $event->return = $return;
});

 

  • Like 1
Posted
1 hour ago, psy said:
        $userid = $input->get('u', 'int');
        $user = $users->get($userid);
        $session->forceLogin($user);

Maybe this is safe, but it looks very risky to me. The ID here is coming from the URL, which is a type of user input. You would want to be 100% certain someone can't insert the default superuser ID 41 into the URL and then get logged in without a password and gain full access to the admin.

  • Like 1
Posted

@Robin S good pickup! Thanks. Will add logic to ensure the user has/has not specific user roles 🙂

Example code updated.
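
The concern raised in this thread, as an added example that is not part of the original posts: a deny-by-default variant of the hook for site/ready.php that treats the `u` value as untrusted, refuses any account holding a role outside a short allowlist, and logs each decision. The role name `login-register` and page name `mypage` come from the thread; the helper name `autoLoginAllowed()`, the `auto-login` log name and the assumption that frontend users hold only the `guest` and `login-register` roles are this example's own.

```php
<?php namespace ProcessWire;

// Added example for site/ready.php. autoLoginAllowed() and the 'auto-login'
// log name are assumptions; role and page names are taken from the thread.

/** Deny by default: true only for an existing, low-privilege frontend user. */
function autoLoginAllowed($user, array $allowedRoles) {
    if(!$user instanceof User || !$user->id) return false;   // NullPage or unknown ID
    if($user->isGuest() || $user->isSuperuser()) return false;
    if(!$user->hasRole('login-register')) return false;
    foreach($user->roles as $role) {
        // Any role outside the allowlist (editor, manager, ...) blocks auto-login
        if(!in_array($role->name, $allowedRoles, true)) return false;
    }
    return true;
}

$wire->addHookAfter('ProcessForgotPassword::renderMessage', function(HookEvent $event) {
    $msg = (string) $event->arguments(0);
    $page = wire('page');
    // Same trigger as the thread's code: default success text, frontend only
    if(stripos($msg, 'success') === false || $page->template->name === 'admin') return;

    // 'u' is request input: untrusted until every check below has passed
    $userId = (int) wire('input')->get('u', 'int');
    $user = wire('users')->get($userId);
    $log = wire('log');

    if(!autoLoginAllowed($user, ['guest', 'login-register'])) {
        $log->save('auto-login', "Refused auto-login after reset for user ID $userId");
        return; // the normal success message is shown and the user logs in manually
    }

    $session = wire('session');
    if($session->forceLogin($user)) {
        $log->save('auto-login', "Auto-login after reset for user ID $userId");
        $session->redirect(wire('pages')->get('name=mypage')->url);
    }
});
```

Refused attempts land in the `auto-login` log, so repeated refusals for privileged user IDs are visible when reviewing the site's logs.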
