How it the backend password expiration procedure implemented?

dmitry_fedyuk · May 24, 2017, 9:37am

Step 1. Magento\User\Observer\Backend\AuthObserver::_checkExpiredPassword()

It produces the «It’s time to change your password.» message:

magento/magento2/blob/2.1.6/app/code/Magento/User/Observer/Backend/AuthObserver.php#L182-L205


/**
 * Check whether the latest password is expired
 * Side-effect can be when passwords were changed with different lifetime configuration settings
 *
 * @param array $latestPassword
 * @return void
 */
private function _checkExpiredPassword($latestPassword)
{
    if ($latestPassword && $this->observerConfig->_isLatestPasswordExpired($latestPassword)) {
        if ($this->observerConfig->isPasswordChangeForced()) {
            $message = __('It\'s time to change your password.');
        } else {
            $myAccountUrl = $this->url->getUrl('adminhtml/system_account/');
            $message = __('It\'s time to <a href="%1">change your password</a>.', $myAccountUrl);
        }
        $this->messageManager->addNoticeMessage($message);
        $message = $this->messageManager->getMessages()->getLastAddedMessage();
        if ($message) {
            $message->setIdentifier('magento_user_password_expired')->setIsSticky(true);
            $this->authSession->setPciAdminUserIsPasswordExpired(true);
        }
    }
}

Step 2. Magento\User\Model\Backend\Config\ObserverConfig::_isLatestPasswordExpired()

github.com

magento/magento2/blob/2.1.6/app/code/Magento/User/Model/Backend/Config/ObserverConfig.php#L30-L43


/**
 * Check if latest password is expired
 *
 * @param array $latestPassword
 * @return bool
 */
public function _isLatestPasswordExpired($latestPassword)
{
    if (!isset($latestPassword['expires']) || $this->getAdminPasswordLifetime() == 0) {
        return false;
    } else {
        return (int)$latestPassword['expires'] < time();
    }
}

Step 3A. Magento\User\Model\Backend\Config\ObserverConfig::getAdminPasswordLifetime()

github.com

magento/magento2/blob/2.1.6/app/code/Magento/User/Model/Backend/Config/ObserverConfig.php#L64-L72


/**
 * Get admin password lifetime
 *
 * @return int
 */
public function getAdminPasswordLifetime()
{
    return 86400 * (int)$this->backendConfig->getValue('admin/security/password_lifetime');
}

Step 3B. Magento\User\Model\ResourceModel\User::getLatestPassword()

The backend passwords are stored in the admin_passwords database’s table.
If a password is already expired, then its expires field (of the admin_passwords table) contains a non-zero value.

github.com

magento/magento2/blob/2.1.6/app/code/Magento/User/Model/ResourceModel/User.php#L601-L619


/**
 * Get latest password for specified user id
 * Possible false positive when password was changed several times with different lifetime configuration
 *
 * @param int $userId
 * @return array
 */
public function getLatestPassword($userId)
{
    return $this->getConnection()->fetchRow(
        $this->getConnection()
            ->select()
            ->from($this->getTable('admin_passwords'))
            ->where('user_id = :user_id')
            ->order('password_id ' . \Magento\Framework\DB\Select::SQL_DESC)
            ->limit(1),
        [':user_id' => $userId]
    );
}

dmitry_fedyuk · May 24, 2017, 10:02am