derhansen / fe_change_pwd

TYPO3 extension which allows frontend users to change their password. Uses TYPO3 password policies since version 4.0.0

License: GNU General Public License v2.0

Languages: PHP 93.93%, HTML 5.59%, CSS 0.49%
Topics: typo3, extension, password, secure, haveibeenpwned

fe_change_pwd's Introduction

Project Status: Active – The project has reached a stable, usable state and is being actively developed.

Change password for frontend users

What does it do?

This TYPO3 extension contains a plugin that allows logged-in frontend users to change their password. The new password is validated against the TYPO3 password policy for frontend users.

Password changes for frontend users can be enforced and passwords can expire after a certain amount of days.

Features:

  • Change password plugin
  • Validates the password against the TYPO3 password policies for frontend users
  • Force password change for frontend users
  • Redirect to configured page when password change is required
  • Password expiration after a configurable amount of days
  • Optionally require the current password in order to change the password
  • Optionally require a change password code, which is sent to the user's email address, in order to change the password

Screenshot

The screenshot below shows the output of the "Change Frontend User Password" plugin after the user tried to submit a weak password.

Screenshot of the plugin output

Installation

  1. Install the extension from the TYPO3 Extension Repository or using composer and add the static TypoScript "Change password for frontend users" to your TypoScript template.

  2. Add the site set "Change password for frontend users" to your site.

  3. Create a new page and make sure that the page is only visible to logged-in frontend users.

  4. Add the plugin "Change Frontend User Password" to the page created in step 3.

  5. Change the site settings to your needs. Note that if you want to use password change enforcement, you must set fe_change_pwd.changePasswordPid to the page uid of the page created in step 3.

  6. Change the TypoScript settings to your needs.

  7. Optionally change the path to the extension templates in TypoScript and modify the templates to your needs.

New fe_user fields

The extension adds two new fields to the fe_users table (see screenshot).

Screenshot of a fe_users record

If the checkbox "User must change password at next login" is set and a valid changePasswordPid is configured, the user will be redirected to the configured page after login when accessing pages as configured in the fe_change_pwd.redirect.* site settings (plugin.tx_fechangepwd.settings.redirect.* before version 5.0.0).

The password expiry date defines the date after which a user must change the password.

Tip: If you quickly want all frontend users to change their passwords, you can set the field for every record with a simple SQL statement:

UPDATE fe_users SET must_change_password=1;

Site configuration settings

  • fe_change_pwd.changePasswordPid (integer) The pid to redirect to if a password change is required. This is usually the page with the Plugin of the extension

  • fe_change_pwd.redirect.allAccessProtectedPages (bool) If set to 1, a redirect to the configured fe_change_pwd.changePasswordPid will be forced for all access protected pages. Note, that if this option is set, the includePageUids is ignored!

  • fe_change_pwd.redirect.includePageUids (string) A redirect to the configured changePasswordPid will be forced for the configured PIDs separated by a comma

  • fe_change_pwd.redirect.includePageUidsRecursionLevel (integer) The recursion level for all pages configured in fe_change_pwd.redirect.includePageUids. Use this option, if you e.g. want to force a redirect for a page and all subpages

  • fe_change_pwd.redirect.excludePageUids (string) No redirect will be forced for the configured PIDs separated by a comma

  • fe_change_pwd.redirect.excludePageUidsRecursionLevel (integer) The recursion level for all pages configured in fe_change_pwd.redirect.excludePageUids. Use this option, if you e.g. want to exclude a page and all subpages for the redirect
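A site settings file that puts the options above together, written here as an added example rather than something shipped by the extension. The site identifier "main" and every page uid are assumptions, and the file location is the one TYPO3 13 uses for site settings:

```yaml
# config/sites/main/settings.yaml  (assumed site identifier; page uids are examples)
fe_change_pwd:
  # Page that holds the "Change Frontend User Password" plugin; target of every forced redirect
  changePasswordPid: 12
  redirect:
    # 1 would force the redirect on every access-protected page and ignore includePageUids
    allAccessProtectedPages: 0
    # The member area (uid 20) and its subpages down to five levels trigger the redirect
    includePageUids: '20'
    includePageUidsRecursionLevel: 5
    # uid 40 (assumed to be a help page) stays reachable while a change is pending.
    # uid 12 is listed as a precaution: this page does not state whether the middleware
    # skips changePasswordPid on its own.
    excludePageUids: '12,40'
    excludePageUidsRecursionLevel: 0
```

Pick one of the two modes: with allAccessProtectedPages set to 1 the includePageUids list is ignored, as noted above, while the exclude list still applies.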

TypoScript configuration settings

The following TypoScript settings are available.

plugin.tx_fechangepwd.settings.requireCurrentPassword

  • enabled (bool) If set to 1, the user must enter the current password in order to set a new password. Default setting is 1.

plugin.tx_fechangepwd.settings.requireChangePasswordCode

  • enabled (bool) If set to 1, the user must enter a change password code, which will be sent to the users email address, in order to set a new password. Default setting is 0.
  • validityInMinutes (integer) The time in minutes the change password code is valid, when it has been requested by the user.
  • senderEmail (string) Sender email address for email send to user
  • senderName (string) Sender name for email sent to user

plugin.tx_fechangepwd.settings.passwordExpiration

  • enabled (bool) Is set to 1, new passwords will expire after the configured amount of days
  • validityInDays (integer) The amount of days, a new password is valid before it needs to be changed

plugin.tx_fechangepwd.settings.afterPasswordChangeAction

  • redirect (string) Redirects the user to the "update" action and adds a flash message, that the password has been updated.
  • view (string) Shows the view for the update action with a message, that the password has been updated
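An added example setup (not the extension's static TypoScript template) that shows the settings above with the weak and the hardened choice for the current-password check side by side. The sender address, the validity periods and the chosen after-change action are assumptions:

```typoscript
plugin.tx_fechangepwd {
  settings {
    # Weak: with the check disabled, a hijacked or unattended session is enough to set a new
    # password and lock the real user out.
    # requireCurrentPassword.enabled = 0

    # Hardened (and the default since version 4.0.0): prove knowledge of the current password.
    requireCurrentPassword.enabled = 1

    # Second factor for the change: a code mailed to the user's address, valid for 15 minutes.
    requireChangePasswordCode {
      enabled = 1
      validityInMinutes = 15
      senderEmail = no-reply@example.org
      senderName = Example Site
    }

    # New passwords expire after 90 days; afterwards the user is redirected to changePasswordPid.
    passwordExpiration {
      enabled = 1
      validityInDays = 90
    }

    # "redirect" or "view" (see the option list above)
    afterPasswordChangeAction = view
  }
}
```

The change-password code only adds protection if the mailbox is not reachable with the same credentials; keep validityInMinutes short, since the code is a bearer secret sent over e-mail.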

Styling

The extension output is completely unstyled. Feel free to override the fluid templates to your needs.

Overriding Fluid email templates

If the email template used for the "change password code" email needs to be overridden, this can be changed in $GLOBALS['TYPO3_CONF_VARS']['MAIL']['templateRootPaths'][750] or by adding a template override for the ChangePasswordCode template.

Possible Errors

No password hashing service

The extension will not save a user's password if it cannot be hashed. If this scenario occurs, the following exception is shown:

No secure password hashing service could be initialized. Please check your TYPO3 system configuration

Possible CSRF detected

When the extension detects a possible CSRF, the following message is shown:

Possible CSRF detected. Ensure a valid "changeHmac" is provided.

If you unexpectedly see this message, ensure you add the changeHmac property as described in "Breaking Changes" for version 1.5.0

For developers

PSR-14 events

The extension currently contains the following PSR-14 events:

  • Derhansen\FeChangePwd\Controller\PasswordController
    • AfterPasswordUpdatedEvent
  • Derhansen\FeChangePwd\Middleware\ForcePasswordChangeRedirect
    • ModifyRedirectUrlParameterEvent

Additionally, the extension also dispatches the TYPO3 core PSR-14 event TYPO3\CMS\Core\PasswordPolicy\Event\EnrichPasswordValidationContextDataEvent

If additional user data has to be considered for password validation, please use this event to add the data to the ContextData DTO.
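The following is an added example of how a site package could use that event together with a custom validator; it is not part of the extension. The listener copies the e-mail address of the frontend user whose password is being changed into the ContextData DTO, and the validator rejects passwords that contain the local part of that address. Assumptions: the vendor namespace and listener identifier, that getUserData() on the event returns the fe_users row as an array with an 'email' key, and that the extension's Configuration/Services.yaml enables autoconfigure so the #[AsEventListener] attribute is picked up. Both classes are shown in one block for readability; in a real extension each goes into its own PSR-4 file.

```php
<?php
declare(strict_types=1);

namespace Vendor\SitePackage\PasswordPolicy;

use TYPO3\CMS\Core\Attribute\AsEventListener;
use TYPO3\CMS\Core\PasswordPolicy\Event\EnrichPasswordValidationContextDataEvent;
use TYPO3\CMS\Core\PasswordPolicy\Validator\AbstractPasswordValidator;
use TYPO3\CMS\Core\PasswordPolicy\Validator\Dto\ContextData;

/**
 * Listener for the core event dispatched by fe_change_pwd. It stores the user's
 * e-mail address in the ContextData DTO under the key 'userEmail'.
 * Assumption: getUserData() holds the fe_users row as an array.
 */
#[AsEventListener(identifier: 'vendor-sitepackage/add-email-to-password-context')]
final class AddEmailToPasswordContext
{
    public function __invoke(EnrichPasswordValidationContextDataEvent $event): void
    {
        $email = (string)($event->getUserData()['email'] ?? '');
        if ($email !== '') {
            $event->getContextData()->setData('userEmail', $email);
        }
    }
}

/**
 * Validator that rejects a new password containing the local part of the user's
 * e-mail address (case-insensitive). Register it in the password policy used for
 * frontend users, for example:
 *   $GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default']['validators']
 *       [NotEmailLocalPartValidator::class] = [];
 */
final class NotEmailLocalPartValidator extends AbstractPasswordValidator
{
    // Local parts shorter than this are too generic to be worth blocking (e.g. "it", "bob").
    private const MIN_LOCAL_PART_LENGTH = 4;

    public function validate(string $password, ?ContextData $contextData = null): bool
    {
        $email = (string)($contextData?->getData('userEmail') ?? '');
        $localPart = strstr($email, '@', true);   // text before '@', false when there is no '@'

        // No usable context: do not block the change on missing data, let the other
        // policy validators decide.
        if ($localPart === false || strlen($localPart) < self::MIN_LOCAL_PART_LENGTH) {
            return true;
        }

        if (stripos($password, $localPart) !== false) {
            $this->addErrorMessage(
                'notEmailLocalPart',
                'The password must not contain the local part of your e-mail address.'
            );
            return false;
        }

        return true;
    }
}
```

Because fe_change_pwd validates through the TYPO3 password policy, the same validator applies to backend-initiated password changes if it is registered in the same policy; register it in a dedicated policy for frontend users if that is not wanted.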

Versions

| Version | TYPO3      | PHP       | Support/Development                  |
|---------|------------|-----------|--------------------------------------|
| 5.x     | 13.4       | 8.2 - 8.4 | Features, Bugfixes, Security Updates |
| 4.x     | 12.4       | 8.1 - 8.4 | Features, Bugfixes, Security Updates |
| 3.x     | 11.5       | 7.4 - 8.3 | Security Updates                     |
| 2.x     | 9.5 - 10.4 | 7.2 - 7.4 | Support dropped                      |
| 1.x     | 8.7 - 9.5  | 7.0 - 7.3 | Support dropped                      |

Breaking changes

Version 5.0.0

This version contains major breaking changes, which must be migrated manually. The following TypoScript settings must be migrated to site settings:

  • plugin.tx_fechangepwd.settings.changePasswordPid => fe_change_pwd.changePasswordPid
  • plugin.tx_fechangepwd.settings.redirect.* => fe_change_pwd.redirect.*

This change is required because full TypoScript is not available for cached pages in a PSR-15 middleware.

As a consequence, the plugin can only be used once per site if the "Must change password" or "Password expiry date" features are used: both redirect to a single page uid, which is now configured in the site settings.

Version 4.0.0

This version contains major breaking changes, since now the TYPO3 password policy is used for password validation.

  • All password validators have been removed in favor of TYPO3 password policies. Make sure to check whether the TYPO3 default password policy suits your needs
  • The pwned password check has been removed. If this check is required, please use the TYPO3 extension add_pwd_policy in the password policy for frontend users
  • The extension now requires the current user password by default. This check can be disabled in the settings using requireCurrentPassword
  • The extension requires the TYPO3 feature toggle security.usePasswordPolicyForFrontendUsers to be active
  • Dropped TYPO3 11.5 compatibility.

Version 3.0.0

  • Dropped TYPO3 9.5 and 10.4 compatibility.
  • Changed the file extension for TypoScript files to .typoscript
  • Replaced signal slot with PSR-14 event

Version 2.0.0

Dropped TYPO3 8.7 compatibility.

Version 1.5.0

Added CSRF protection.

If you use your own template for "Edit.html", you must add the following code inside <f:form>...</f:form>:

<f:form.hidden property="changeHmac" />

Prior to version 1.5.0, the extension contained a CSRF vulnerability when settings.requireCurrentPassword was disabled (the default at that time; since version 4.0.0 the current password is required by default). To mitigate the issue, the property changeHmac was added to the DTO. It contains an HMAC that is unique for the currently logged-in user. If the submitted changeHmac does not match the expected value, an exception is thrown when the form is submitted.
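To show why a per-user HMAC in a hidden field stops the cross-site post, here is an added, self-contained illustration in plain PHP. It is not the extension's code and does not reproduce the exact HMAC input the extension uses; $secret stands in for a server-side key such as TYPO3's encryptionKey, $userUid is the uid of the logged-in frontend user, and the three cases at the end are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration of a per-user HMAC form token (not the extension's implementation).
// Assumptions: $secret is a server-side secret (TYPO3's encryptionKey in practice),
// $userUid is the uid of the logged-in frontend user.

function computeChangeHmac(int $userUid, string $secret): string
{
    // Bind the token to the user identity. A page on another origin can neither read
    // the victim's rendered form (same-origin policy) nor compute this value without
    // the server-side secret.
    return hash_hmac('sha256', 'fe_change_pwd|changeHmac|' . $userUid, $secret);
}

function verifyChangeHmac(?string $submitted, int $userUid, string $secret): bool
{
    if ($submitted === null || $submitted === '') {
        return false;   // cross-site POST that never saw the hidden field
    }
    // hash_equals() compares in constant time; a plain === would leak timing information.
    return hash_equals(computeChangeHmac($userUid, $secret), $submitted);
}

// Constructed walk-through: render the form for user 42, then check three submissions.
$secret   = 'example-only-secret-key';
$userUid  = 42;
$rendered = computeChangeHmac($userUid, $secret);   // value of <f:form.hidden property="changeHmac" />

$cases = [
    'same user posts back the rendered token'  => verifyChangeHmac($rendered, $userUid, $secret),
    'cross-site POST without the field'        => verifyChangeHmac(null, $userUid, $secret),
    'token that was rendered for user 7'       => verifyChangeHmac(computeChangeHmac(7, $secret), $userUid, $secret),
];

foreach ($cases as $label => $accepted) {
    printf("%-42s -> %s\n", $label, $accepted ? 'accepted' : 'rejected (the extension throws here)');
}
```

Only the first case is accepted. Note the trade-off of a token derived from the user alone: it is stable across sessions for as long as the secret does not change, so it must never end up in logs or URLs; a per-session or per-request token would rotate, at the cost of invalidating forms open in other tabs.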

Thanks for sponsoring

  • Thanks to Wikafi sprl for sponsoring the initial development of this extension.

  • Thanks to t3site.com for sponsoring the "Require current password" feature.

  • Thanks to cron IT GmbH for sponsoring the "Require change password code" feature.

fe_change_pwd's People

Contributors: cweiske, dennismetz, derhansen, sebkln, tgriessbach

fe_change_pwd's Issues

[BUG] Composer / PSR-4 compatibility

Wrong namespace in Exception\InvalidUserException.php and MissingPasswordHashServiceException.php

namespace Derhansen\FeChangePwd\Service; -> namespace Derhansen\FeChangePwd\Exception;

Class Derhansen\FeChangePwd\Service\InvalidUserException located in ..../typo3conf/ext/fe_change_pwd/Classes\Exception\InvalidUserException.php does not comply with psr-4 autoloading standard. Skipping.

Class Derhansen\FeChangePwd\Service\MissingPasswordHashServiceException located in .../typo3conf/ext/fe_change_pwd/Classes\Exception\MissingPasswordHashServiceException.php does not comply with psr-4 autoloading standard. Skipping.

[TASK] Correct typing errors in german localization

Hey Torben, thanks for your useful extension!

I wanted to fix some minor typing errors in de.locallang.xlf, like

<target>Das Passwort muss mindestesn ein Sonderzeichen enthalten</target>
<target>Das Passwort muss mindestens ein Großbuchstabe enthalten</target>
<target>Passwort wiederhohlen</target>

But it seems this repository is not at the current state (GitHub: v1.2.2, TER: v1.2.3). Therefore, the German localization is missing.

Also: is it correct that I can't override the error message labels? I tried the usual TypoScript approach, but only the form labels and buttons were updated.

plugin.tx_fechangepwd {
    _LOCAL_LANG.de {
        // These labels are updated:
        repeatPassword = Passwort wiederholen
        update = Passwort aktualisieren

        // These changes are not considered:
        passwordsDoNotMatch = Die eingegebenen Passwörter stimmen nicht überein.
        passwordComplexity.failure.capitalCharCheck = Das Passwort muss mindestens einen Großbuchstaben enthalten.
        passwordComplexity.failure.lowerCaseCharCheck = Das Passwort muss mindestens einen Kleinbuchstaben enthalten.
    }
}

How to translate messages/title?

I have a French website and I would like to get the title and error messages in French (I'm still using version 1.5.1 on TYPO3 8.7.32).
Under Languages, I've updated the fe_change_pwd package, but I'm still getting every message/title in English.

Based on other extensions, I tried to add the following TS:

plugin.tx_fechangepwd {
    _LOCAL_LANG.fr {
        currentPassword = Mot de passe actuel
        password = Nouveau mot de passe
        repeatPassword = Répétez le mot de passe
        update = Modifier
        validationErrorHeader = ATTENTION

        passwordsDoNotMatch = Les mots de passe ne correspondent pas
        passwordFieldsEmptyOrNotBothFilledOut = Vous devez saisir votre mot de passe dans les 2 champs
        passwordComplexity.failure.minLength = Le mot de passe doit avoir min. %1s caractères
    }
}

Everything is OK for validationErrorHeader (I get the FR title/message), but the 3 following labels are not translated.

Is there a bug or am I doing something wrong here?

Thank you in advance for your help.
Joel

[BUG] Exception in PageAccessService in TYPO3 9.5

In PageAccessService -> extendPidListByChildren(), when the TS settings

plugin.tx_fechangepwd {
    settings {
        redirect {
            includePageUids = 11,22,33
        }
    }
}

is set and one of the pages has no subpages.
Then the call
$pids = $this->queryGenerator->getTreeList($startPid, $recursive, 0, 1);
returns an integer (which is a bug in core) and the following strlen($pids) throws the exception:

strlen() expects parameter 1 to be string, integer given

QuickFix: cast return from getTreeList to (string)

ForceRedirect is not working on Typo3 9.5.4

Hello,

thanks for this nice script, but it does no redirect if I set a user to [must_change_password].

A page with the plugin is there, and the static template and setup are included. The pid is set to the page with the plugin for the password change.

With or without redirects from the login plugin.

Thanks

Arne Bracht

Redirect after login is not working

Hello!

I tried your ext but I see that the redirect after login is not working...

I'm using TYPO3 9.5.9 with FE Login for the user login

I set the checkbox in the flexform
User must change password at next login [must_change_password] = 1

I added to TS

UID 3 is my page with the form for changing the password
plugin.tx_fechangepwd.settings.changePasswordPid = 3

[BUG] SQL error if password_expiry_date is empty when creating a fe_user

Hi,

there's an SQL error occurring when we create a fe_user without setting an expiry date for the password.
We are on MariaDB with strict mode, and it apparently does not allow an empty value for a NOT NULL field.

We found a workaround on the forge ( https://forge.typo3.org/issues/82756 ) that adds "int" to the eval in TCA

'password_expiry_date' => [
    'exclude' => true,
    'label' => 'LLL:EXT:fe_change_pwd/Resources/Private/Language/locallang_be.xlf:label.password_expiry_date',
    'config' => [
        'type' => 'input',
        'renderType' => 'inputDateTime',
        'eval' => 'datetime,int',
    ]
],

And we found that "news" extension is using the same workaround for the "datetime" field for instance.

[FEATURE] Make redirect url more configurable

Currently it is only possible to set changePasswordPid via TS. It would be nice to overwrite the hardcoded typolink configuration in the middleware, e.g. "addQueryString", because sometimes you don't want to forward URL params like "tx_felogin_pi1[forgot]=1" if the user came from the password-forgotten page.

For my case I just added this little part to fit my needs here: Idleworks@f5497ff
But it would be much better to move the whole typolink configuration to TypoScript like

forgotPasswordPage {
    parameter =
    addQueryString = 1
    addQueryString.exclude = id
    absolute = 1
}

Just a suggestion.

[BUG] Fatal Error in SettingsService in TYPO3 9.5

The SettingsService -> getSettings() Method throws a fatal error:

Call to a member function getTreeList() on null
in typo3/sysext/extbase/Classes/Configuration/FrontendConfigurationManager.php line 261

When the following TS is set:

config {
    tx_extbase.persistence {
        storagePid = 123
        recursive = 2
    }
}

When we set recursive = 0 the call to $this->getContentObject()->getTreeList() is not made and no error is thrown.

I think this connects with the changes of #18. Probably the initialisation of $GLOBALS['TSFE'] is not enough?

[FEATURE] Add Signal for hooking in after password update

Hi Torben,

with the 1.5.0 security update the Signal in FrontendUserService is gone. Is there a special reason for that or was it by mistake?

We are sending email notifications to admins on password changes and it would be great to have it back in future versions. I hacked 1.5.0 manually for now.

Best
Robert.

BUG ChangeHmac

Hello,

I've got the following bug when I want to change my password:

Exception while property mapping at property path "": It is not allowed to map property "changeHmac". You need to use $propertyMappingConfiguration->allowProperties('changeHmac') to enable mapping of this property.

Is this an already known problem and how can it be solved?

[BUG] No TypoScript Settings in Middleware for TYPO3 9.5

Hi,

thank you for this great extension!

I'm running it on TYPO3 9.5.7 and set all configuration options mentioned in the docs (changePasswordPid, allAccessProtectedPages, activated checkbox in user record) but after I log in, there is no redirect.
I figured out that the getSettings() method triggered in middleware request returns always null. Seems like TYPO3 hasn't loaded TypoScript at this point of code and therefore has no redirect method nor a redirect pid.

My workaround for now is to use the "old" XCLASS way from 8.7.

[FEATURE] check new password against old password

Great extension, only one thing I found while testing: the "passwordExpiration" feature is neat but without a check against the existing password to make sure it is new it is kind of useless.

This could probably be done with another check in Classes\Validation\Validator\ChangePasswordValidator.php ... What do you think?
