feat: add force password reset feature

2022-09-04 20:30:49 +01:00 · 2022-09-04 20:30:49 +01:00 · 997b57f419
commit 997b57f419
parent 8a3b4c432a
5 changed files with 138 additions and 1 deletions
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@ -34,6 +34,7 @@ use App\Http\Requests\SearchPlayerRequest;
 use App\Http\Requests\UpdateUserRequest;
 use App\Notifications\ChangedPassword;
 use App\Notifications\EmailChanged;
+use App\Notifications\PasswordAdminResetNotification;
 use App\Services\AccountSuspensionService;
 use App\Traits\DisablesFeatures;
 use App\Traits\HandlesAccountDeletion;
@ -275,6 +276,33 @@ class UserController extends Controller
    }


+    /**
+     * Removes the user's password and notifies them.
+     *
+     * @param User $user The user to remove the password for
+     * @return \Illuminate\Http\RedirectResponse
+     * @throws \Illuminate\Auth\Access\AuthorizationException
+     */
+    public function forcePasswordReset(User $user) {
+
+        $this->authorize('adminEdit', $user);
+        $user->notify(new PasswordAdminResetNotification());
+
+        $user->password = null;
+        $user->save();
+
+
+        Log::alert("Removed account password", [
+            'target' => $user,
+            'actor' => Auth::user()
+        ]);
+
+        return redirect()
+            ->back()
+            ->with('success', 'Account password removed.');
+    }
+
+
    /**
     * Delete the given user's account
     *
--- a/app/Http/Requests/AdminPasswordResetRequest.php
+++ b/app/Http/Requests/AdminPasswordResetRequest.php
@ -0,0 +1,28 @@
+<?php
+
+namespace App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Support\Facades\Auth;
+
+class AdminPasswordResetRequest extends FormRequest
+{
+    public function rules(): array
+    {
+        if (Auth::user()->has2FA()) {
+            return [
+                'currentPassword' => 'required|current_password:web',
+                'otp' => 'required|integer|max:6',
+            ];
+        }
+
+        return [
+            'currentPassword' => 'required|current_password:web',
+        ];
+    }
+
+    public function authorize(): bool
+    {
+        return true;
+    }
+}
--- a/app/Notifications/PasswordAdminResetNotification.php
+++ b/app/Notifications/PasswordAdminResetNotification.php
@ -0,0 +1,35 @@
+<?php
+
+namespace App\Notifications;
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Notifications\Messages\MailMessage;
+use Illuminate\Notifications\Notification;
+
+class PasswordAdminResetNotification extends Notification implements ShouldQueue
+{
+    use Queueable;
+
+    public function __construct()
+    {
+    }
+
+    public function via($notifiable): array
+    {
+        return ['mail'];
+    }
+
+    public function toMail($notifiable): MailMessage
+    {
+        return (new MailMessage)
+            ->from(config('notification.sender.address'), config('notification.sender.name'))
+            ->subject(config('app.name').' - account password invalidated')
+            ->markdown('mail.adminreset', ['name' => $notifiable->name]);
+    }
+
+    public function toArray($notifiable): array
+    {
+        return [];
+    }
+}
--- a/resources/views/dashboard/user/manage.blade.php
+++ b/resources/views/dashboard/user/manage.blade.php
@ -15,6 +15,30 @@

@section('content')

+    <x-modal id="resetAccountPasswordModal" modal-label="resetAccountPassword" modal-title="{{ __('Confirm your password') }}" include-close-button="true">
+
+        <p>{{ __('Please confirm that you want to invalidate this account\'s password. Since this is a sensitive operation, you\'ll need to confirm your own password and provide a 2FA code, if enabled.') }}</p>
+
+        <form id="resetAccountPasswordForm" method="POST" action="{{ route('force-reset-user', ['user' => $user]) }}">
+            @csrf
+            @method('patch')
+
+            <x-confirm-password>
+                {{ __('Re-entering your password is required to confirm sensitive administration actions.') }}
+            </x-confirm-password>
+
+            <x-confirm-second-factor>
+                {{ __('Two-factor authentication is required to confirm sensitive administration actions.') }}
+            </x-confirm-second-factor>
+
+        </form>
+
+        <x-slot name="modalFooter">
+            <button onclick="$('#resetAccountPasswordForm').submit()" type="button" class="btn btn-warning"><i class="fas fa-check"></i> {{ __('Re-authenticate and confirm') }}</button>
+        </x-slot>
+
+    </x-modal>
+
    <x-modal id="banAccountModal" modal-label="banAccount" modal-title="{{__('Please confirm')}}" include-close-button="true">

        <p>{{__("Please confirm that you want to suspend this account. You'll need to add a reason and expiration date to confirm this.")}}</p>
@ -363,7 +387,7 @@
                                <button type="submit" class="btn btn-success mr-2"><i class="fas fa-user"></i> {{ __('Unsuspend account') }}</button>
                            </form>
                        @endif
-                        <button class="btn-danger btn mr-3" type="button"><i class="fas fa-key"></i> {{ __('Force password reset') }}</button>
+                        <button onclick="$('#resetAccountPasswordModal').modal('show')" class="btn-danger btn mr-3" type="button"><i class="fas fa-key"></i> {{ __('Force password reset') }}</button>
                        <button class="btn-danger btn mr-3" type="button"><i class="fas fa-unlock"></i> {{ __('Reset MFA') }}</button>
                        <button onclick="$('#deleteAccount').modal('show')" type="button" class="btn btn-danger"><i class="fas fa-trash"></i> {{ __('Delete account') }}</button>
                </div>
--- a/resources/views/mail/adminreset.blade.php
+++ b/resources/views/mail/adminreset.blade.php
@ -0,0 +1,22 @@
+@component('mail::message')
+# Hi {{ $name }},
+
+Important notification about your {{ config('app.name') }} account:
+
+This email serves to inform you that our administration team has forcefully invalidated your account's password. This means that you will no longer be able to sign in using your old credentials.
+
+You will need to [reset your password]({{ route('password.email') }}) to set a new password if you want to keep using your account. Admins forcefully reset account passwords for a variety of reasons, including, but not limited to:
+
+ - Suspected compromised password;
+ - [Your password appeared in a data breach](https://haveibeenpwned.com/Passwords);
+ - A technical issue with your account;
+ - Our service suffered a security breach and a system-wide reset was initiated;
+ - and finally, forced reset at your request.
+
+We may or may not inform you of the specific cause for your forced reset.
+
+Please note that we take account security seriously, and forced password resets are just one of many security measures we employ to keep your account and data secure. If you have any questions, please do not hesitate in contacting us.
+
+Thank you,<br>
+The team at {{ config('app.name') }}
+@endcomponent