symfonycasts / reset-password-bundle
Symfony bundle that adds password reset functionality.
Installs: 4 917 921
Dependents: 26
Suggesters: 0
Security: 0
Stars: 470
Watchers: 9
Forks: 66
Open Issues: 26
Type: symfony-bundle
Requires
- php: >=8.1.10
- ext-json: *
- symfony/config: ^5.4 | ^6.0 | ^7.0
- symfony/dependency-injection: ^5.4 | ^6.0 | ^7.0
- symfony/deprecation-contracts: ^2.2 | ^3.0
- symfony/http-kernel: ^5.4 | ^6.0 | ^7.0
Requires (Dev)
- doctrine/annotations: ^1.0
- doctrine/doctrine-bundle: ^2.8
- doctrine/orm: ^2.13
- phpstan/phpstan: ^1.11.x-dev
- symfony/framework-bundle: ^5.4 | ^6.0 | ^7.0
- symfony/phpunit-bridge: ^5.4 | ^6.0 | ^7.0
This package is auto-updated.
Last update: 2024-10-22 16:27:29 UTC
README
Worrying about how to deal with users who can't remember their password? We've got you covered! This bundle provides a secure, out-of-the-box solution that lets users reset their forgotten passwords.
Installation
The bundle can be installed using Composer or the Symfony binary:
composer require symfonycasts/reset-password-bundle
Usage
There are two ways to get started; the easiest and preferred way is to use Symfony's MakerBundle. The Maker takes care of everything, from creating the configuration to generating your templates, controllers, and entities.
Using Symfony's Maker Bundle (Recommended)
- Run bin/console make:reset-password, answer a couple of questions, and enjoy our bundle!
Setting things up manually
If you prefer to take care of the legwork yourself, check out the manual setup guide. We still recommend using the Maker command to get a feel for how we intended the bundle to be used.
If you used our Symfony Maker command bin/console make:reset-password after installation, your app is ready to go. Go to https://your-apps-domain/reset-password, fill out the form, click on the link sent to your email, and change your password.
That's it! The ResetPasswordBundle takes care of the rest.
The above assumes you have already set up authentication with a registered user account and configured Symfony's mailer in your app.
Configuration
You can change the default configuration parameters for the bundle in the config/packages/reset_password.yaml config file created by Maker.

```yaml
symfonycasts_reset_password:
    request_password_repository: App\Repository\ResetPasswordRequestRepository
    lifetime: 3600
    throttle_limit: 3600
    enable_garbage_collection: true
```
The production environment may require default_uri to be defined in config/packages/routing.yaml, so that the URLs in the reset emails do not point to localhost. Emails are usually generated outside a web request (a console command or a message worker), where the router has no incoming request to infer the host from.

```yaml
# config/packages/routing.yaml
when@prod:
    framework:
        router:
            # ...
            default_uri: '<your project's root URI>'
```
Parameters:
request_password_repository
Required
The complete namespace of the repository for the ResetPasswordRequest entity. If you used make:reset-password, this will be App\Repository\ResetPasswordRequestRepository.
lifetime
Optional - Defaults to 3600 seconds
The length of time, in seconds, that a reset password request is valid for after it has been created.
throttle_limit
Optional - Defaults to 3600 seconds
The length of time, in seconds, that must pass before a user can make a subsequent reset request.
Setting this value equal to or higher than lifetime prevents a user from requesting another password reset until the previous request has either 1) been successfully completed, or 2) expired.
Setting this value lower than lifetime allows a user to make several reset password requests even while earlier requests are neither completed nor expired. This covers cases such as a user who never received the reset password email. Note that every unexpired request stays valid until it expires or the reset completes, so a lower throttle also means more than one live token can exist for the same user at once.
enable_garbage_collection
Optional - Defaults to true
Enable or disable the Reset Password Cleaner which handles expired reset password requests that may have been left in persistence.
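The interaction of lifetime, throttle_limit and garbage collection, as an added example that is not the bundle's code: a small Python model of the rule the parameters above describe (a new request is refused while the user's most recent unexpired request is younger than throttle_limit; expiry, a completed reset or garbage collection clear the way). The in-memory store stands in for the repository, and the user names and timestamps are constructed for the example; the model is written to be run and compared, not to mirror the bundle's PHP internals.

```python
"""Model of how lifetime and throttle_limit interact (added example, not bundle code)."""
from dataclasses import dataclass, field


class TooManyPasswordRequests(Exception):
    """Raised when a user re-requests inside the throttle window."""


@dataclass
class ResetRequest:
    user: str
    requested_at: int   # unix seconds, constructed for the example
    expires_at: int     # requested_at + lifetime


@dataclass
class ResetRequestStore:
    """In-memory stand-in for the ResetPasswordRequest repository (assumption)."""
    lifetime: int = 3600        # bundle default, seconds
    throttle_limit: int = 3600  # bundle default, seconds
    requests: list = field(default_factory=list)

    def _latest_unexpired(self, user: str, now: int):
        """Most recent request for ``user`` whose lifetime has not run out."""
        live = [r for r in self.requests if r.user == user and r.expires_at > now]
        return max(live, key=lambda r: r.requested_at, default=None)

    def request_reset(self, user: str, now: int) -> ResetRequest:
        """Create a request, or refuse it while the throttle window is still open."""
        latest = self._latest_unexpired(user, now)
        if latest is not None and now < latest.requested_at + self.throttle_limit:
            raise TooManyPasswordRequests(
                f"{user}: retry at {latest.requested_at + self.throttle_limit}")
        req = ResetRequest(user, now, now + self.lifetime)
        self.requests.append(req)
        return req

    def complete_reset(self, user: str) -> None:
        """A successful reset drops every request for that user (as removeRequests does)."""
        self.requests = [r for r in self.requests if r.user != user]

    def garbage_collect(self, now: int) -> int:
        """What enable_garbage_collection covers: purge expired requests for all users."""
        before = len(self.requests)
        self.requests = [r for r in self.requests if r.expires_at > now]
        return before - len(self.requests)


def can_request(store: ResetRequestStore, user: str, now: int) -> bool:
    """True if a request at ``now`` is accepted (and recorded), False if throttled."""
    try:
        store.request_reset(user, now)
    except TooManyPasswordRequests:
        return False
    return True


def compare_configurations() -> dict:
    """Walk one user through each of the two configurations the text contrasts."""
    # throttle_limit == lifetime: no second request until expiry or completion
    strict = ResetRequestStore(lifetime=3600, throttle_limit=3600)
    strict_first = can_request(strict, "alice", now=0)
    strict_retry = can_request(strict, "alice", now=1800)          # inside the window
    strict_after_expiry = can_request(strict, "alice", now=3600)   # first request expired
    strict_collected = strict.garbage_collect(now=3600)            # the expired one is purged

    # throttle_limit < lifetime: a lost email can be re-sent after 15 minutes
    lenient = ResetRequestStore(lifetime=3600, throttle_limit=900)
    lenient_first = can_request(lenient, "bob", now=0)
    lenient_too_soon = can_request(lenient, "bob", now=600)
    lenient_resend = can_request(lenient, "bob", now=900)
    live_for_bob = sum(1 for r in lenient.requests if r.user == "bob")  # two live tokens

    # a completed reset clears the way regardless of the throttle
    lenient.complete_reset("bob")
    after_complete = can_request(lenient, "bob", now=1000)

    return {
        "strict_first": strict_first, "strict_retry": strict_retry,
        "strict_after_expiry": strict_after_expiry, "strict_collected": strict_collected,
        "lenient_first": lenient_first, "lenient_too_soon": lenient_too_soon,
        "lenient_resend": lenient_resend, "live_for_bob": live_for_bob,
        "after_complete": after_complete,
    }


if __name__ == "__main__":
    for key, value in compare_configurations().items():
        print(f"{key}: {value}")
```

Running compare_configurations() shows the strict configuration refusing the 30-minute retry and accepting a new request at the hour mark, while the lenient one accepts a resend at 15 minutes and leaves two live requests for the same user in persistence until they expire, are garbage collected, or the reset completes. That second point is the trade-off to weigh when lowering throttle_limit: it helps users who lost the email, at the cost of more valid tokens outstanding at once.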
Advanced Usage
Purging ResetPasswordRequest objects from persistence
The ResetPasswordRequestRepositoryInterface::removeRequests() method, which is implemented in the ResetPasswordRequestRepositoryTrait, can be used to remove all request objects from persistence for a single user. This differs from the garbage collection mechanism, which only removes expired request objects, for all users, automatically.
Typically, you'd call this method when you need to remove request object(s) for a user who changed their email address due to suspicious activity and potentially has valid request objects in persistence with their "old" compromised email address.
```php
<?php
// src/Controller/ProfileController.php
namespace App\Controller;

use App\Entity\User;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Form\Extension\Core\Type\EmailType;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route; // Symfony < 6.4: Symfony\Component\Routing\Annotation\Route
use SymfonyCasts\Bundle\ResetPassword\Persistence\ResetPasswordRequestRepositoryInterface;

class ProfileController extends AbstractController
{
    #[Route(path: '/profile/{id}', name: 'app_update_profile', methods: ['GET', 'POST'])]
    public function profile(
        Request $request,
        User $user,
        ResetPasswordRequestRepositoryInterface $repository
    ): Response {
        // Remember the address before the form binds the submitted data to $user.
        $originalEmail = $user->getEmail();

        $form = $this->createFormBuilder($user)
            ->add('email', EmailType::class)
            ->add('save', SubmitType::class, ['label' => 'Save Profile'])
            ->getForm()
        ;

        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            if ($originalEmail !== $user->getEmail()) {
                // The user changed their email address.
                // Remove any old reset requests for the user, so that a token
                // already sent to the old (possibly compromised) address can no
                // longer be used to reset the password.
                $repository->removeRequests($user);
            }

            // Persist the user object and redirect...
        }

        return $this->render('profile.html.twig', ['form' => $form]);
    }
}
```
Support
Feel free to open an issue for questions, problems, or suggestions with our bundle.
Issues pertaining to Symfony's Maker Bundle, specifically make:reset-password, should be addressed in the Symfony Maker repository.
Security Issues
For security-related vulnerabilities, we ask that you send an email to ryan [at] symfonycasts.com instead of creating an issue.
This will give us the opportunity to address the issue without exposing the vulnerability before a fix can be published.