
Commit 9947e38

refactor(AppFramework): replace magic numbers in PasswordConfirmationMiddleware
Signed-off-by: Josh <josh.t.richards@gmail.com>
1 parent 76a1ada commit 9947e38

1 file changed

Lines changed: 7 additions & 2 deletions


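--- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -28,6 +28,9 @@
 use ReflectionMethod;
 
 class PasswordConfirmationMiddleware extends Middleware {
+private const PASSWORD_CONFIRMATION_TIMEOUT = 30 * 60;
+private const PASSWORD_CONFIRMATION_GRACE_SECONDS = 15;
+
 /**
 * Legacy compatibility allowlist for backends that do not participate in the
 * non-strict recent-confirmation flow. New backends should prefer implementing
@@ -81,15 +84,17 @@ public function beforeController(Controller $controller, string $methodName) {
 return;
 }
 
+$now = $this->timeFactory->getTime();
 $reflectionMethod = new ReflectionMethod($controller, $methodName);
 if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
 $this->confirmPasswordFromAuthorizationHeader();
-$this->session->set('last-password-confirm', $this->timeFactory->getTime());
+$this->session->set('last-password-confirm', $now);
 return;
 }
 
 $lastConfirm = (int)$this->session->get('last-password-confirm');
-$minimumRequiredConfirmTime = $this->timeFactory->getTime() - (30 * 60 + 15); // allow 15 seconds delay
+$minimumRequiredConfirmTime = $now
+- (self::PASSWORD_CONFIRMATION_TIMEOUT + self::PASSWORD_CONFIRMATION_GRACE_SECONDS);
 
 // TODO: confirm excludedUserBackEnds can go away and remove it
 if (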
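Review bot: In the strict branch, `$now` is read before `confirmPasswordFromAuthorizationHeader()` runs, so the `last-password-confirm` value stored afterwards is the instant the check started, not the instant verification finished as in the old code. That makes the stored timestamp slightly earlier, so the confirmation window can only end sooner, but it is a behaviour change inside a commit titled as a refactor and should be stated at the assignment, for example `// Read once, before verification, so both branches use the same instant.` The new constants also lose the rationale of the removed `// allow 15 seconds delay` comment, and `PASSWORD_CONFIRMATION_TIMEOUT` does not name its unit while `PASSWORD_CONFIRMATION_GRACE_SECONDS` does. A one-line docblock on each would keep that, such as `/** Seconds a password confirmation stays valid. */` and `/** Extra seconds allowed for delay on top of the timeout. */`. The body of `beforeController` starts and ends outside the hunk, so the comparison that consumes `$minimumRequiredConfirmTime` is not visible here.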
