FIX #28129 TIME 01:00 fix password validity

c64a8290 · Jerome Boucher · 0a1eb632 · c64a8290 · c64a8290 · c64a8290
Verified Commit c64a8290 authored 11 months ago by Jerome Boucher
--- a/data/maarchRM/conf/configuration.ini.default
+++ b/data/maarchRM/conf/configuration.ini.default
@@ -450,15 +450,16 @@ adminUsers = "['superadmin']"
 ; Allow the user to modify his or her information
 allowUserModification = true

-; Number of login attempts before the user account is locked. ignored if 0
-; Duration of validity for password. ignored if 0
-; Duration in hour of the generated password. ignored if 0
-; Minimum length for password. ignored if 0
-; Password must content non alphanumeric characters (On|Off, 0|1, true|false)
-; Password must content character digits from 0 to 9 (On|Off, 0|1, true|false)
-; Password must content mixed case alphabetic characters (On|Off, 0|1, true|false)
-; Time in second of the session
-; Lock time in seconds
+; Security parameters for password
+; loginAttempts :                Number of login attempts before the user account is locked. ignored if 0
+; passwordValidity :             Duration of validity for password. ignored if 0
+; newPasswordValidity :          Duration in hour of the generated password. ignored if 0
+; passwordMinLength :            Minimum length for password. ignored if 0
+; passwordRequiresSpecialChars : Password must content non alphanumeric characters (On|Off, 0|1, true|false)
+; passwordRequiresDigits :       Password must content character digits from 0 to 9 (On|Off, 0|1, true|false)
+; passwordRequiresMixedCase :    Password must content mixed case alphabetic characters (On|Off, 0|1, true|false)
+; sessionTimeout :               Time in second of the session
+; lockDelay :                    Lock time in seconds
 securityPolicy = "{
    'loginAttempts' : 3,
    'passwordValidity' : 0,

--- a/src/bundle/auth/Controller/userAccount.php
+++ b/src/bundle/auth/Controller/userAccount.php
@@ -582,7 +582,7 @@ class userAccount

        $encryptedPassword = password_hash($newPassword, PASSWORD_DEFAULT);

-        $oldUserPassword = $this->sdoFactory->read("auth/account", $userAccountId)->password;
+        $oldUserPassword = $this->sdoFactory->read("auth/account", $userAccount)->password;
        $userAccount->password = $encryptedPassword;
        $userAccount->passwordLastChange = \laabs::newTimestamp();
        $userAccount->badPasswordCount = 0;

--- a/src/bundle/auth/Controller/userAuthentication.php
+++ b/src/bundle/auth/Controller/userAuthentication.php
@@ -236,10 +236,11 @@ class userAuthentication
    private function verifyValidity($userAccount, $userLogin)
    {
        if ($this->securityPolicy['passwordValidity'] && $this->securityPolicy["passwordValidity"] != 0) {
-            $userPasswordLastChange = $userAccount->passwordLastChange->getTimestamp() ?? 0;
-            $diff = ($userLogin->lastLogin->getTimestamp() - $userPasswordLastChange);
-            // (timestamp de dernier login - timestamp de dernier chgt mdp) / durée de la session
-            if ($diff > $this->securityPolicy['passwordValidity']) {
+            $userLastPasswordChange = $userAccount->passwordLastChange->getTimestamp();
+            $now = new \DateTime('now');
+            $dayInSeconds = 24 * 3600;
+            $NbDaysSinceLastPasswordModification = ($now->getTimestamp() - $userLastPasswordChange) / $dayInSeconds;
+            if ($NbDaysSinceLastPasswordModification > $this->securityPolicy['passwordValidity']) {
                throw \laabs::newException('auth/userPasswordValidityExpiredRequestException');
            }
        }