[TYPO3-dev] feuser, forgot password and kb_md5fepw

Xavier Perseguers typo3 at perseguers.ch
Fri Apr 24 15:51:10 CEST 2009


Hi,

I am trying to use the "forgot password" feature of feuser.

When simply using feuser, the FE user has to enter his email and a 
message with the password column from fe_users is sent to his email.

When using kb_md5fepw (I based my authentication mechanism on it but 
the problem is the same), the procedure cannot be used as the password is 
hashed to md5.

In feuser/sv1/class.tx_felogin_pi1.php, I read this:

-----------------
// Generate new password with md5 and save it in user record
if ($GLOBALS['TYPO3_DB']->sql_num_rows($res) && t3lib_extMgm::isLoaded('kb_md5fepw')) {
    $newPass = $this->generatePassword(8);
    $res = $GLOBALS['TYPO3_DB']->exec_UPDATEquery(
        'fe_users',
        'uid=' . $row['uid'],
        array('password' => md5($newPass))
    );
    $msg = sprintf($this->pi_getLL('ll_forgot_email_password', '', 0), $this->piVars['forgot_email'], $row['username'], $newPass);
}

$this->cObj->sendNotifyEmail($msg, $this->piVars['forgot_email'], '', $this->conf['email_from'], $this->conf['email_fromName'], $this->conf['replyTo']);
-----------------

Thus this code first changes the password and then sends the new password 
to the user.

Problem:

- I don't want the original password to be automatically updated as it 
could easily cause a denial of service when entering a valid email (the 
user that has no access to his email cannot log in anymore)

I want the method to send a mail with a link to a page that allows 
him, during *X hours/days*, to reset his password *once*, the 
"old" password being always active.

Is there such an extension somewhere (that I could then hook in for my 
authentication service) or do I have to create it from scratch?

Thanks for your advice.

BTW, this may as well be incorporated into kb_md5fepw as security is now 
a priority and this old way of resetting passwords is obsolete.

-- 
Xavier Perseguers
http://xavier.perseguers.ch/en

One contribution a day keeps the fork away
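
The flow requested above (a mailed link that is valid for a limited time, can be redeemed once, and leaves the old password active until then), as an added sketch that is not part of the original post and not felogin or kb_md5fepw code. The function names, the in-memory `$tokens` and `$users` arrays and the sample values are assumptions, and it stores passwords with PHP's `password_hash()` rather than the md5 column discussed above.

```php
<?php
// Added example: hypothetical helpers, not TYPO3 or felogin API.
// $tokens stands in for a database table keyed by the SHA-256 of the token.

/** Issue a reset token; the stored password is not modified. */
function issueResetToken(array &$tokens, int $uid, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));      // 256-bit secret, only ever placed in the mailed link
    $tokens[hash('sha256', $token)] = [      // store the hash, never the token itself
        'uid'     => $uid,
        'expires' => $now + $ttl,
    ];
    return $token;
}

/** Redeem a token once, within its lifetime; returns true if the password was changed. */
function redeemResetToken(array &$tokens, array &$users, string $token, string $newPassword, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return false;                        // unknown or already redeemed
    }
    $entry = $tokens[$key];
    unset($tokens[$key]);                    // single use: consume before acting on it
    if ($now > $entry['expires'] || !isset($users[$entry['uid']])) {
        return false;                        // expired link or user removed meanwhile
    }
    $users[$entry['uid']]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data (user record, fixed clock value)
$users  = [42 => ['username' => 'alice', 'password' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$tokens = [];
$now    = 1240581070;

$token = issueResetToken($tokens, 42, 24 * 3600, $now);
var_dump(password_verify('old-secret', $users[42]['password']));              // login check after the request
var_dump(redeemResetToken($tokens, $users, $token, 'new-secret', $now + 60)); // redeem within the lifetime
var_dump(redeemResetToken($tokens, $users, $token, 'other', $now + 120));     // replay of the same link
var_dump(password_verify('new-secret', $users[42]['password']));              // login check after the reset

$late = issueResetToken($tokens, 42, 24 * 3600, $now);
var_dump(redeemResetToken($tokens, $users, $late, 'x', $now + 25 * 3600));    // redeem after expiry
```

With a real database table, the lookup and delete of the token row need to happen in one atomic statement or transaction so that two concurrent requests cannot both redeem the same link.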
