
I'm trying to do an "I forgot my password" functionality. My problem is that if I try to do a Doctrine query and send the password by email, it retrieves the password encrypted. I looked at some sites which say that DoctrineGuard doesn't have this functionality and only has register and login functionality.

Is it true?

In this case, how can I do a remember password function?

Thanks

nebur85

3 Answers

From version 5.0.0 the great sfDoctrineGuardPlugin has a built-in forgot-password module. But the corresponding readme has only sparse info on how to use it :))

[TODO: document the forgot password feature]

To use the forgot-password feature do the following (assuming you already installed the plugin and normal signin is working):

  1. Enable the module in settings.yml (and enable i18n, as the module uses it):

    all:
      .settings:
        enabled_modules: [default, sfGuardAuth, sfGuardForgotPassword]
        i18n: true
    
  2. Add the routes in routing.yml (the automatic adding didn't work for me). And make sure you include a rule @homepage, which is used for redirecting.

    sf_guard_forgot_password_change:
      url:   /forgot_password/:unique_key
      class: sfDoctrineRoute
      options: { model: sfGuardForgotPassword, type: object }
      param: { module: sfGuardForgotPassword, action: change }
      requirements:
        sf_method: [get, post]
    
    sf_guard_forgot_password:
      url:   /forgot_password
      param: { module: sfGuardForgotPassword, action: index }
    
  3. Enable the mailer in factories.yml (beware of differences between the prod/dev environments; see also the official doc):

    all:
      mailer:
        class: sfMailer
        param:
          logging:           %SF_LOGGING_ENABLED%
          charset:           %SF_CHARSET%
          delivery_strategy: realtime
          transport:
            class: Swift_SmtpTransport
            param:
              host:       smtp.example.com
              port:       25
              encryption: ~
              username:   test@example.com
              password:   p4ssw0rd
    
  4. Add the sender's address to app.yml (and the routing, which doesn't work automatically for me). The address in app.yml and factories.yml should be the same, otherwise the SMTP server might complain:

    all:
      sf_guard_plugin:
        routes_register: true
        default_from_email: test@example.com
    
  5. Touch apps/your_app/modules/sfGuardForgotPassword/config/security.yml to make the request form accessible while logged out:

    secure:
      is_secure: true
    index:
      is_secure: false
    change:
      is_secure: false
    
  6. Clear the cache with ./symfony cc.

Now forget your password.

Tapper
    Only thing, instead of `apps/your_app/sfGuardForgotPassword/config/security.yml`, it should read `apps/your_app/modules/sfGuardForgotPassword/config/security.yml` – jaudette Feb 28 '13 at 23:18

Passwords are hashed and then saved to the database, thus you can't recover a password once it has been saved.

There are several ways you can create a "password lost" function:

  • Send a new password by email (not really secure, but some people like it anyway)
  • Send the user an email with a reset password link (and a unique token), which either gives the user a new password or allows the user to enter a new password.
DuoSRX
  • Why do you say that the first method is not secure? In the second method you say... set a random password, send it in a link like.... user/reset/xdErDerfEFe where "xdErDerfEFe" is the token, and in that action do a select where password = that... and allow the change after? – nebur85 Apr 26 '10 at 21:31
  • The first method is less secure because if, for example, someone has access to the user's inbox he can see his new password, whereas with the second method the token is only used once and is useless after the password has been changed. – DuoSRX Apr 27 '10 at 07:20
  • I tried to do something like... 1) Put in the password and, if the username is registered, generate a random password and do setPassword. 2) It sends an email like... 'username/password/xxxx' where xxxx is the generated password. 3) If you click, then try to find a username with this password. My problem is that the password is encrypted and I can't find what the real encrypted password is :( Do you understand me? – nebur85 Apr 27 '10 at 13:12
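An added example of DuoSRX's second method, written for this page and not taken from the answers or from sfDoctrineGuardPlugin. It also shows why the lookup in nebur85's comment should be by token, never by password: the token is a random value that exists only for the reset, its hash is what gets stored, and it is consumed on first use and rejected after it expires. Plain PHP with in-memory arrays standing in for the user and reset tables, a hypothetical `/forgot_password/<token>` URL shaped like the route in Tapper's answer, and a one-hour lifetime are all assumptions; in symfony 1 you would persist the same fields with Doctrine and set the new password through `$user->setPassword()`.

```php
<?php
// Added example (not from the page or the plugin): one-time, expiring reset tokens.
// $users and $resets are in-memory stand-ins for the sfGuardUser and reset tables.

const TOKEN_TTL_SECONDS = 3600;               // assumption: reset links live for one hour
const RESET_URL_PREFIX  = 'https://example.com/forgot_password/'; // hypothetical route

// Constructed sample data. The stored value is a hash; the password itself is gone.
$users = [
    'nebur85' => [
        'email'         => 'nebur85@example.com',
        'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
    ],
];
$resets = []; // token_hash => ['username' => ..., 'expires' => unix time]

/** Issue a token for a user and return the link to e-mail. Only the hash is stored. */
function createResetLink(array &$resets, array $users, string $username, int $now): ?string
{
    if (!isset($users[$username])) {
        // Caller should still answer "if that account exists, we sent a mail"
        // so the form does not reveal which usernames are registered.
        return null;
    }
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG, unguessable
    $resets[hash('sha256', $token)] = [     // a DB dump yields hashes, not usable links
        'username' => $username,
        'expires'  => $now + TOKEN_TTL_SECONDS,
    ];
    return RESET_URL_PREFIX . $token;
}

/** Find the reset by the token's hash, enforce single use and expiry, return the user. */
function consumeResetToken(array &$resets, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($resets[$key])) {
        return null;                        // unknown or already used
    }
    $entry = $resets[$key];
    unset($resets[$key]);                   // consumed on first presentation, even if expired
    if ($now > $entry['expires']) {
        return null;
    }
    return $entry['username'];
}

/** The "change" action: token must be valid, then the new password is hashed and saved. */
function resetPassword(array &$users, array &$resets, string $token, string $newPassword, int $now): bool
{
    $username = consumeResetToken($resets, $token, $now);
    if ($username === null) {
        return false;
    }
    $users[$username]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Walk-through: issue a link, use it once, try to reuse it, then try an expired one.
$now   = time();
$link  = createResetLink($resets, $users, 'nebur85', $now);
$token = substr($link, strrpos($link, '/') + 1);

echo 'first use:     ', resetPassword($users, $resets, $token, 'new-secret', $now) ? "accepted\n" : "rejected\n";
echo 'second use:    ', resetPassword($users, $resets, $token, 'again', $now)      ? "accepted\n" : "rejected\n";
echo 'new password:  ', password_verify('new-secret', $users['nebur85']['password_hash']) ? "verifies\n" : "fails\n";

$expiredToken = substr(createResetLink($resets, $users, 'nebur85', $now), strrpos($link, '/') + 1);
$later        = $now + TOKEN_TTL_SECONDS + 1;
echo 'after expiry:  ', resetPassword($users, $resets, $expiredToken, 'late', $later) ? "accepted\n" : "rejected\n";
echo 'unknown user:  ', createResetLink($resets, $users, 'nobody', $now) === null ? "no link issued\n" : "link issued\n";
```

Compared with Tom's approach of mailing a fresh password, nothing reusable ever travels through the inbox here: an attacker who reads the mail later finds a link that has already been consumed or has expired, and the database holds only the hash of the token, so neither a mailbox compromise nor a table dump yields a working reset.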

If I recall correctly, sfDoctrineGuard doesn't have a "getPassword" method that would do what it needs to: retrieve the password unencrypted.

I'm using DuoSRX's first recommendation: creating a new password, saving it with $user->setPassword (which handles salting and hashing automatically), and emailing it to the user. The user is then advised to log in and create a new password.

Tom