Skip to content

Commit e0b073b

Browse files
Generates random passwords and validation codes in SMF\Security
Signed-off-by: Jon Stovell <jonstovell@gmail.com>
1 parent fed16cc commit e0b073b

7 files changed

Lines changed: 42 additions & 26 deletions

File tree

Sources/Actions/Admin/Members.php

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@
2828
use SMF\Logging;
2929
use SMF\Mail;
3030
use SMF\Menu;
31+
use SMF\Security;
3132
use SMF\Theme;
3233
use SMF\Time;
3334
use SMF\User;
@@ -1245,7 +1246,7 @@ public function approve(): void
12451246
// We have to do this for each member I'm afraid.
12461247
foreach ($member_info as $member) {
12471248
// Generate a random activation code.
1248-
$validation_code = User::generateValidationCode();
1249+
$validation_code = Security::generateValidationCode();
12491250

12501251
// Set these members for activation - I know this includes two id_member checks but it's safer than bodging $condition ;).
12511252
Db::$db->query(

Sources/Actions/Register2.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -494,12 +494,12 @@ public static function registerMember(array &$reg_options, bool $return_errors =
494494
$validation_code = '';
495495

496496
if ($reg_options['require'] == 'activation') {
497-
$validation_code = User::generateValidationCode();
497+
$validation_code = Security::generateValidationCode();
498498
}
499499

500500
// If you haven't put in a password generate one.
501501
if ($reg_options['interface'] == 'admin' && $reg_options['password'] == '') {
502-
$reg_options['password'] = User::generateValidationCode();
502+
$reg_options['password'] = Security::generatePassword();
503503
$reg_options['password_check'] = $reg_options['password'];
504504
}
505505
// Does the first password match the second?

Sources/Actions/Reminder.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -150,7 +150,7 @@ public function pickType(): ?string
150150
// If they have no secret question then they can only get emailed the item, or they are requesting the email, send them an email.
151151
if (empty($this->member->secret_question) || (isset($_POST['reminder_type']) && $_POST['reminder_type'] == 'email')) {
152152
// Randomly generate a validation code with a max length of 10 chars.
153-
$code = User::generateValidationCode();
153+
$code = Security::generateValidationCode();
154154

155155
$replacements = [
156156
'REALNAME' => $this->member->name,

Sources/Profile.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -460,7 +460,7 @@ public function loadStandardFields(bool $force_reload = false)
460460

461461
// Do they need to revalidate? If so schedule the function!
462462
if ($isValid === true && !empty(Config::$modSettings['send_validation_onChange']) && !User::$me->allowedTo('moderate_forum')) {
463-
$this->new_data['validation_code'] = User::generateValidationCode();
463+
$this->new_data['validation_code'] = Security::generateValidationCode();
464464

465465
$this->new_data['is_activated'] = User::UNVALIDATED;
466466

@@ -2998,7 +2998,7 @@ protected function resetPassword(?string $username = null): void
29982998
}
29992999

30003000
// Generate a random password.
3001-
$new_password = implode('-', str_split(substr(preg_replace('/\W/', '', base64_encode(random_bytes(18))), 0, 18), 6));
3001+
$new_password = Security::generatePassword();
30023002
$new_password_hashed = Security::hashPassword($new_password);
30033003

30043004
// Do some checks on the username if needed.

Sources/Security.php

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,6 +73,31 @@ public static function hashBenchmark(float $hashTime = 0.2): int
7373
return $cost;
7474
}
7575

76+
/**
77+
* Generates a random password.
78+
*
79+
* @return string A random password.
80+
*/
81+
public static function generatePassword(): string
82+
{
83+
$password = implode('-', str_split(substr(preg_replace('/\W/', '', base64_encode(random_bytes(18))), 0, 18), 6));
84+
85+
// Maybe a mod wants to do something different?
86+
IntegrationHook::call('integrate_generate_password', [&$password]);
87+
88+
return $password;
89+
}
90+
91+
/**
92+
* Generate a random validation code.
93+
*
94+
* @return string A random validation code
95+
*/
96+
public static function generateValidationCode(): string
97+
{
98+
return bin2hex(random_bytes(5));
99+
}
100+
76101
/**
77102
* Check if a specific confirm parameter was given.
78103
*

Sources/Subs-Compat.php

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -8823,6 +8823,16 @@ function memoryReturnBytes(string $val): int
88238823
* Begin SMF\Security
88248824
********************/
88258825

8826+
/**
8827+
* Generate a random validation code.
8828+
*
8829+
* @return string A random validation code
8830+
*/
8831+
function generateValidationCode(): string
8832+
{
8833+
return SMF\Security::generateValidationCode();
8834+
}
8835+
88268836
/**
88278837
* Hashes the user's password
88288838
*
@@ -10500,16 +10510,6 @@ function getGroupsWithPermissions(
1050010510
return SMF\User::getGroupsWithPermissions($general_permissions, $board_permissions, $profile_id);
1050110511
}
1050210512

10503-
/**
10504-
* Generate a random validation code.
10505-
*
10506-
* @return string A random validation code
10507-
*/
10508-
function generateValidationCode(): string
10509-
{
10510-
return SMF\User::generateValidationCode();
10511-
}
10512-
1051310513
/**
1051410514
* Log the spider presence online.
1051510515
*

Sources/User.php

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4258,16 +4258,6 @@ public static function getGroupsWithPermissions(array $general_permissions = [],
42584258
return $member_groups;
42594259
}
42604260

4261-
/**
4262-
* Generate a random validation code.
4263-
*
4264-
* @return string A random validation code
4265-
*/
4266-
public static function generateValidationCode(): string
4267-
{
4268-
return bin2hex(random_bytes(5));
4269-
}
4270-
42714261
/**
42724262
* Log the spider presence online.
42734263
*/

0 commit comments

Comments
 (0)