Kezdőlap Felfedezés Súgó
Regisztráció Bejelentkezés
parisio
/
iao_team
1
0
Másolás 0
Fájlok Problémák 0 Beolvasztási kérések 0 Wiki
Fa: 68fca1d009
Branch-ok Tag-ek
iao_team
/
app
/
Http
/
Controllers
/
PasswordResetController.php

PasswordResetController.php 14 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443 
  1. <?php
    2. 

  2. 

  3. namespace App\Http\Controllers;
    4. 

  4. 

  5. use Illuminate\Http\Request;
    6. 

  6. use Illuminate\Support\Facades\DB;
    7. 

  7. use Illuminate\Support\Facades\Hash;
    8. 

  8. use Illuminate\Support\Facades\Mail;
    9. 

  9. use Illuminate\Support\Facades\Log;
    10. 

  10. use Illuminate\Support\Str;
    11. 

  11. use Carbon\Carbon;
    12. 

  12. 

  13. class PasswordResetController extends Controller
    14. 

  14. {
    15. 

  15.     /**
    16. 

  16.      * Show password reset request form
    17. 

  17.      */
    18. 

  18.     public function showResetRequestForm()
    19. 

  19.     {
    20. 

  20.         return view('auth.password-reset-request');
    21. 

  21.     }
    22. 

  22. 

  23.     /**
    24. 

  24.      * Send password reset email
    25. 

  25.      */
    26. 

  26.     public function sendResetEmail(Request $request)
    27. 

  27.     {
    28. 

  28.         $request->validate([
    29. 

  29.             'email' => 'required|email'
    30. 

  30.         ], [
    31. 

  31.             'email.required' => 'La mail è obbligatoria',
    32. 

  32.             'email.email' => 'Inserisci un indirizzo email valido'
    33. 

  33.         ]);
    34. 

  34. 

  35.         $this->logSecurityEvent('reset_requested', $request->email);
    36. 

  36. 

  37.         try {
    38. 

  38.             $user = $this->findUserInMasterDatabase($request->email);
    39. 

  39. 

  40.             if (!$user) {
    41. 

  41.                 $this->logSecurityEvent('reset_requested_invalid_email', $request->email);
    42. 

  42.                 return back()->with('success', 'Se l\'email esiste nel sistema, riceverai le istruzioni per il reset della password.');
    43. 

  43.             }
    44. 

  44. 

  45.             if ($this->hasRecentResetRequest($request->email)) {
    46. 

  46.                 $this->logSecurityEvent('reset_requested_too_soon', $request->email);
    47. 

  47.                 return back()->with('error', 'È già stata inviata una richiesta di reset per questa email. Controlla la tua casella di posta o riprova più tardi.');
    48. 

  48.             }
    49. 

  49. 

  50.             $token = Str::random(64);
    51. 

  51. 

  52.             $this->storeResetToken($request->email, $token);
    53. 

  53. 

  54.             $this->sendPasswordResetEmail($request->email, $token, $user);
    55. 

  55. 

  56.             $this->logSecurityEvent('reset_email_sent', $request->email);
    57. 

  57. 

  58.             return back()->with('success', 'Se l\'email esiste nel sistema, riceverai le istruzioni per il reset della password.');
    59. 

  59.         } catch (\Exception $e) {
    60. 

  60.             $this->logSecurityEvent('reset_request_failed', $request->email, ['error' => $e->getMessage()]);
    61. 

  61.             return back()->with('error', 'Errore durante l\'invio dell\'email. Riprova più tardi.');
    62. 

  62.         }
    63. 

  63.     }
    64. 

  64. 

  65.     /**
    66. 

  66.      * Show password reset form
    67. 

  67.      */
    68. 

  68.     public function showResetForm($token)
    69. 

  69.     {
    70. 

  70.         return view('auth.password-reset-form', ['token' => $token]);
    71. 

  71.     }
    72. 

  72. 

  73.     /**
    74. 

  74.      * Reset password
    75. 

  75.      */
    76. 

  76.     public function resetPassword(Request $request)
    77. 

  77.     {
    78. 

  78.         $request->validate([
    79. 

  79.             'token' => 'required',
    80. 

  80.             'email' => 'required|email',
    81. 

  81.             'password' => 'required|min:6|confirmed'
    82. 

  82.         ], [
    83. 

  83.             'email.required' => 'La mail è obbligatoria',
    84. 

  84.             'email.email' => 'Inserisci un indirizzo email valido',
    85. 

  85.             'password.required' => 'La password è obbligatoria',
    86. 

  86.             'password.min' => 'La password deve essere di almeno 6 caratteri',
    87. 

  87.             'password.confirmed' => 'Le password non coincidono'
    88. 

  88.         ]);
    89. 

  89. 

  90.         try {
    91. 

  91.             $resetRecord = $this->verifyResetToken($request->email, $request->token);
    92. 

  92. 

  93.             if (!$resetRecord) {
    94. 

  94.                 return back()->with('error', 'Token non valido o scaduto.');
    95. 

  95.             }
    96. 

  96. 

  97.             $user = $this->findUserInMasterDatabase($request->email);
    98. 

  98. 

  99.             if (!$user) {
    100. 

  100.                 return back()->with('error', 'Utente non trovato.');
    101. 

  101.             }
    102. 

  102. 

  103.             $this->updatePasswordInBothDatabases($request->email, $request->password, $user);
    104. 

  104. 

  105.             $this->deleteResetToken($request->email);
    106. 

  106. 

  107.             Log::info('Password reset completed', [
    108. 

  108.                 'email' => $request->email
    109. 

  109.             ]);
    110. 

  110. 

  111.             return redirect('/')->with('success', 'Password aggiornata con successo. Puoi ora effettuare il login.');
    112. 

  112.         } catch (\Exception $e) {
    113. 

  113.             Log::error('Password reset failed', [
    114. 

  114.                 'email' => $request->email,
    115. 

  115.                 'error' => $e->getMessage()
    116. 

  116.             ]);
    117. 

  117. 

  118.             return back()->with('error', 'Errore durante il reset della password. Riprova più tardi.');
    119. 

  119.         }
    120. 

  120.     }
    121. 

  121. 

  122.     /**
    123. 

  123.      * Find user in master database
    124. 

  124.      */
    125. 

  125.     private function findUserInMasterDatabase($email)
    126. 

  126.     {
    127. 

  127.         try {
    128. 

  128.             $masterConfig = [
    129. 

  129.                 'driver' => 'mysql',
    130. 

  130.                 'host' => env('DB_HOST', '127.0.0.1'),
    131. 

  131.                 'port' => env('DB_PORT', '3306'),
    132. 

  132.                 'database' => env('DB_DATABASE'),
    133. 

  133.                 'username' => env('DB_USERNAME'),
    134. 

  134.                 'password' => env('DB_PASSWORD'),
    135. 

  135.                 'charset' => 'utf8mb4',
    136. 

  136.                 'collation' => 'utf8mb4_unicode_ci',
    137. 

  137.                 'prefix' => '',
    138. 

  138.                 'strict' => true,
    139. 

  139.                 'engine' => null,
    140. 

  140.             ];
    141. 

  141. 

  142.             config(['database.connections.master_reset' => $masterConfig]);
    143. 

  143. 

  144.             $user = DB::connection('master_reset')
    145. 

  145.                 ->table('users')
    146. 

  146.                 ->where('email', $email)
    147. 

  147.                 ->first();
    148. 

  148. 

  149.             DB::purge('master_reset');
    150. 

  150. 

  151.             return $user;
    152. 

  152.         } catch (\Exception $e) {
    153. 

  153.             Log::error('Failed to find user in master database', [
    154. 

  154.                 'email' => $email,
    155. 

  155.                 'error' => $e->getMessage()
    156. 

  156.             ]);
    157. 

  157.             return null;
    158. 

  158.         }
    159. 

  159.     }
    160. 

  160. 

  161.     /**
    162. 

  162.      * Store reset token in master database
    163. 

  163.      */
    164. 

  164.     private function storeResetToken($email, $token)
    165. 

  165.     {
    166. 

  166.         try {
    167. 

  167.             $masterConfig = [
    168. 

  168.                 'driver' => 'mysql',
    169. 

  169.                 'host' => env('DB_HOST', '127.0.0.1'),
    170. 

  170.                 'port' => env('DB_PORT', '3306'),
    171. 

  171.                 'database' => env('DB_DATABASE'),
    172. 

  172.                 'username' => env('DB_USERNAME'),
    173. 

  173.                 'password' => env('DB_PASSWORD'),
    174. 

  174.                 'charset' => 'utf8mb4',
    175. 

  175.                 'collation' => 'utf8mb4_unicode_ci',
    176. 

  176.                 'prefix' => '',
    177. 

  177.                 'strict' => true,
    178. 

  178.                 'engine' => null,
    179. 

  179.             ];
    180. 

  180. 

  181.             config(['database.connections.master_reset_token' => $masterConfig]);
    182. 

  182. 

  183.             DB::connection('master_reset_token')
    184. 

  184.                 ->table('password_resets')
    185. 

  185.                 ->where('email', $email)
    186. 

  186.                 ->delete();
    187. 

  187. 

  188.             DB::connection('master_reset_token')
    189. 

  189.                 ->table('password_resets')
    190. 

  190.                 ->insert([
    191. 

  191.                     'email' => $email,
    192. 

  192.                     'token' => Hash::make($token),
    193. 

  193.                     'created_at' => Carbon::now()
    194. 

  194.                 ]);
    195. 

  195. 

  196.             DB::purge('master_reset_token');
    197. 

  197.         } catch (\Exception $e) {
    198. 

  198.             Log::error('Failed to store reset token', [
    199. 

  199.                 'email' => $email,
    200. 

  200.                 'error' => $e->getMessage()
    201. 

  201.             ]);
    202. 

  202.             throw $e;
    203. 

  203.         }
    204. 

  204.     }
    205. 

  205. 

  206.     /**
    207. 

  207.      * Verify reset token
    208. 

  208.      */
    209. 

  209.     private function verifyResetToken($email, $token)
    210. 

  210.     {
    211. 

  211.         try {
    212. 

  212.             $masterConfig = [
    213. 

  213.                 'driver' => 'mysql',
    214. 

  214.                 'host' => env('DB_HOST', '127.0.0.1'),
    215. 

  215.                 'port' => env('DB_PORT', '3306'),
    216. 

  216.                 'database' => env('DB_DATABASE'),
    217. 

  217.                 'username' => env('DB_USERNAME'),
    218. 

  218.                 'password' => env('DB_PASSWORD'),
    219. 

  219.                 'charset' => 'utf8mb4',
    220. 

  220.                 'collation' => 'utf8mb4_unicode_ci',
    221. 

  221.                 'prefix' => '',
    222. 

  222.                 'strict' => true,
    223. 

  223.                 'engine' => null,
    224. 

  224.             ];
    225. 

  225. 

  226.             config(['database.connections.master_verify' => $masterConfig]);
    227. 

  227. 

  228.             $resetRecord = DB::connection('master_verify')
    229. 

  229.                 ->table('password_resets')
    230. 

  230.                 ->where('email', $email)
    231. 

  231.                 ->first();
    232. 

  232. 

  233.             DB::purge('master_verify');
    234. 

  234. 

  235.             if (!$resetRecord) {
    236. 

  236.                 return null;
    237. 

  237.             }
    238. 

  238. 

  239.             $isValidToken = Hash::check($token, $resetRecord->token);
    240. 

  240.             $isNotExpired = Carbon::parse($resetRecord->created_at)->addHours(24)->isFuture();
    241. 

  241. 

  242.             if ($isValidToken && $isNotExpired) {
    243. 

  243.                 return $resetRecord;
    244. 

  244.             }
    245. 

  245. 

  246.             return null;
    247. 

  247.         } catch (\Exception $e) {
    248. 

  248.             Log::error('Failed to verify reset token', [
    249. 

  249.                 'email' => $email,
    250. 

  250.                 'error' => $e->getMessage()
    251. 

  251.             ]);
    252. 

  252.             return null;
    253. 

  253.         }
    254. 

  254.     }
    255. 

  255. 

  256.     /**
    257. 

  257.      * Update password in both master and tenant databases
    258. 

  258.      */
    259. 

  259.     private function updatePasswordInBothDatabases($email, $newPassword, $masterUser)
    260. 

  260.     {
    261. 

  261.         $hashedPassword = Hash::make($newPassword);
    262. 

  262. 

  263.         try {
    264. 

  264.             $masterConfig = [
    265. 

  265.                 'driver' => 'mysql',
    266. 

  266.                 'host' => env('DB_HOST', '127.0.0.1'),
    267. 

  267.                 'port' => env('DB_PORT', '3306'),
    268. 

  268.                 'database' => env('DB_DATABASE'),
    269. 

  269.                 'username' => env('DB_USERNAME'),
    270. 

  270.                 'password' => env('DB_PASSWORD'),
    271. 

  271.                 'charset' => 'utf8mb4',
    272. 

  272.                 'collation' => 'utf8mb4_unicode_ci',
    273. 

  273.                 'prefix' => '',
    274. 

  274.                 'strict' => true,
    275. 

  275.                 'engine' => null,
    276. 

  276.             ];
    277. 

  277. 

  278.             config(['database.connections.master_update' => $masterConfig]);
    279. 

  279. 

  280.             DB::connection('master_update')
    281. 

  281.                 ->table('users')
    282. 

  282.                 ->where('email', $email)
    283. 

  283.                 ->update(['password' => $hashedPassword]);
    284. 

  284. 

  285.             DB::purge('master_update');
    286. 

  286. 

  287.             Log::info('Password updated in master database', ['email' => $email]);
    288. 

  288. 

  289.             if ($masterUser->tenant_database) {
    290. 

  290.                 $tenantConfig = [
    291. 

  291.                     'driver' => 'mysql',
    292. 

  292.                     'host' => env('DB_HOST', '127.0.0.1'),
    293. 

  293.                     'port' => env('DB_PORT', '3306'),
    294. 

  294.                     'database' => $masterUser->tenant_database,
    295. 

  295.                     'username' => $masterUser->tenant_username,
    296. 

  296.                     'password' => $masterUser->tenant_password,
    297. 

  297.                     'charset' => 'utf8mb4',
    298. 

  298.                     'collation' => 'utf8mb4_unicode_ci',
    299. 

  299.                     'prefix' => '',
    300. 

  300.                     'strict' => true,
    301. 

  301.                     'engine' => null,
    302. 

  302.                 ];
    303. 

  303. 

  304.                 config(['database.connections.tenant_update' => $tenantConfig]);
    305. 

  305. 

  306.                 DB::connection('tenant_update')
    307. 

  307.                     ->table('users')
    308. 

  308.                     ->where('email', $email)
    309. 

  309.                     ->update(['password' => $hashedPassword]);
    310. 

  310. 

  311.                 DB::purge('tenant_update');
    312. 

  312. 

  313.                 Log::info('Password updated in tenant database', [
    314. 

  314.                     'email' => $email,
    315. 

  315.                     'tenant_database' => $masterUser->tenant_database
    316. 

  316.                 ]);
    317. 

  317.             }
    318. 

  318.         } catch (\Exception $e) {
    319. 

  319.             Log::error('Failed to update password in databases', [
    320. 

  320.                 'email' => $email,
    321. 

  321.                 'error' => $e->getMessage()
    322. 

  322.             ]);
    323. 

  323.             throw $e;
    324. 

  324.         }
    325. 

  325.     }
    326. 

  326. 

  327.     /**
    328. 

  328.      * Delete reset token
    329. 

  329.      */
    330. 

  330.     private function deleteResetToken($email)
    331. 

  331.     {
    332. 

  332.         try {
    333. 

  333.             $masterConfig = [
    334. 

  334.                 'driver' => 'mysql',
    335. 

  335.                 'host' => env('DB_HOST', '127.0.0.1'),
    336. 

  336.                 'port' => env('DB_PORT', '3306'),
    337. 

  337.                 'database' => env('DB_DATABASE'),
    338. 

  338.                 'username' => env('DB_USERNAME'),
    339. 

  339.                 'password' => env('DB_PASSWORD'),
    340. 

  340.                 'charset' => 'utf8mb4',
    341. 

  341.                 'collation' => 'utf8mb4_unicode_ci',
    342. 

  342.                 'prefix' => '',
    343. 

  343.                 'strict' => true,
    344. 

  344.                 'engine' => null,
    345. 

  345.             ];
    346. 

  346. 

  347.             config(['database.connections.master_delete_token' => $masterConfig]);
    348. 

  348. 

  349.             DB::connection('master_delete_token')
    350. 

  350.                 ->table('password_resets')
    351. 

  351.                 ->where('email', $email)
    352. 

  352.                 ->delete();
    353. 

  353. 

  354.             DB::purge('master_delete_token');
    355. 

  355.         } catch (\Exception $e) {
    356. 

  356.             Log::error('Failed to delete reset token', [
    357. 

  357.                 'email' => $email,
    358. 

  358.                 'error' => $e->getMessage()
    359. 

  359.             ]);
    360. 

  360.         }
    361. 

  361.     }
    362. 

  362. 

  363.     /**
    364. 

  364.      * Send password reset email
    365. 

  365.      */
    366. 

  366.     private function sendPasswordResetEmail($email, $token, $user)
    367. 

  367.     {
    368. 

  368.         try {
    369. 

  369.             $resetUrl = url('/password-reset/' . $token . '?email=' . urlencode($email));
    370. 

  370.             $companyName = 'Leezard';
    371. 

  371. 

  372.             $emailData = [
    373. 

  373.                 'name' => $user->name,
    374. 

  374.                 'email' => $email,
    375. 

  375.                 'reset_url' => $resetUrl,
    376. 

  376.                 'company' => $companyName,
    377. 

  377.                 'expires_at' => Carbon::now()->addHours(24)->format('d/m/Y H:i')
    378. 

  378.             ];
    379. 

  379. 

  380.             Mail::send('emails.password-reset', $emailData, function ($message) use ($email, $companyName, $user) {
    381. 

  381.                 $message->to($email, $user->name)
    382. 

  382.                     ->subject('Reset Password -  Leezard')
    383. 

  383.                     ->from(config('mail.from.address'), config('mail.from.name'));
    384. 

  384.             });
    385. 

  385. 

  386.             Log::info('Password reset email sent', ['email' => $email]);
    387. 

  387.         } catch (\Exception $e) {
    388. 

  388.             Log::error('Failed to send password reset email', [
    389. 

  389.                 'email' => $email,
    390. 

  390.                 'error' => $e->getMessage()
    391. 

  391.             ]);
    392. 

  392.             throw $e;
    393. 

  393.         }
    394. 

  394.     }
    395. 

  395. 

  396.     private function logSecurityEvent($event, $email, $additionalData = [])
    397. 

  397.     {
    398. 

  398.         Log::info('Password Reset Security Event', array_merge([
    399. 

  399.             'event' => $event,
    400. 

  400.             'email' => $email,
    401. 

  401.             'ip' => request()->ip(),
    402. 

  402.             'user_agent' => request()->userAgent(),
    403. 

  403.             'timestamp' => now()
    404. 

  404.         ], $additionalData));
    405. 

  405.     }
    406. 

  406. 

  407.     private function hasRecentResetRequest($email)
    408. 

  408.     {
    409. 

  409.         try {
    410. 

  410.             $masterConfig = [
    411. 

  411.                 'driver' => 'mysql',
    412. 

  412.                 'host' => env('DB_HOST', '127.0.0.1'),
    413. 

  413.                 'port' => env('DB_PORT', '3306'),
    414. 

  414.                 'database' => env('DB_DATABASE'),
    415. 

  415.                 'username' => env('DB_USERNAME'),
    416. 

  416.                 'password' => env('DB_PASSWORD'),
    417. 

  417.                 'charset' => 'utf8mb4',
    418. 

  418.                 'collation' => 'utf8mb4_unicode_ci',
    419. 

  419.                 'prefix' => '',
    420. 

  420.                 'strict' => true,
    421. 

  421.                 'engine' => null,
    422. 

  422.             ];
    423. 

  423. 

  424.             config(['database.connections.master_check_recent' => $masterConfig]);
    425. 

  425. 

  426.             $recentRequest = DB::connection('master_check_recent')
    427. 

  427.                 ->table('password_resets')
    428. 

  428.                 ->where('email', $email)
    429. 

  429.                 ->where('created_at', '>', Carbon::now()->subMinutes(5)) // 5 minutes cooldown
    430. 

  430.                 ->first();
    431. 

  431. 

  432.             DB::purge('master_check_recent');
    433. 

  433. 

  434.             return $recentRequest !== null;
    435. 

  435.         } catch (\Exception $e) {
    436. 

  436.             Log::error('Failed to check recent reset requests', [
    437. 

  437.                 'email' => $email,
    438. 

  438.                 'error' => $e->getMessage()
    439. 

  439.             ]);
    440. 

  440.             return false;
    441. 

  441.         }
    442. 

  442.     }
    443. 

  443. }
    444.