add email update confirmation feature (#2612)

* add email update confirmation feature

this allows to require the confirmation of
changed email-addresses, by clicking on a
link, before the new address is written to
the database.

* implemente requested changes after review

- fix whitespaces, 
- remove redundant line breaks
- remove unused 'autoescape' from twig templates
- change from deprecated mycrypt functions to openssl-functions & update tests
- add option to choose cypher method & update docs

* inject fos_user.email_update_confirmation instead of  service_container

* fixes by php-cs-fixer

* added Upgrade instructions

* improve "confirm changed email" documentation

* use symfony validator to validate email

* improve phpDocs

* reference UserInterface instead of User

* update version in upgrade instructions

* changes by php-cs fixer & translation fix

Author: azine

Controller/ProfileController.php

@@ -14,16 +14,20 @@
 use FOS\UserBundle\Event\FilterUserResponseEvent;
 use FOS\UserBundle\Event\FormEvent;
 use FOS\UserBundle\Event\GetResponseUserEvent;
+use FOS\UserBundle\Event\UserEvent;
 use FOS\UserBundle\Form\Factory\FactoryInterface;
 use FOS\UserBundle\FOSUserEvents;
+use FOS\UserBundle\Model\User;
 use FOS\UserBundle\Model\UserInterface;
 use FOS\UserBundle\Model\UserManagerInterface;
+use FOS\UserBundle\Services\EmailConfirmation\EmailUpdateConfirmation;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Translation\Translator;
 
 /**
  * Controller managing the user profile.
@@ -102,4 +106,54 @@ public function editAction(Request $request)
             'form' => $form->createView(),
         ));
     }
+
+    /**
+     * Confirm user`s email update.
+     *
+     * @param Request $request
+     * @param string  $token
+     *
+     * @return \Symfony\Component\HttpFoundation\RedirectResponse
+     */
+    public function confirmEmailUpdateAction(Request $request, $token)
+    {
+        $userManager = $this->container->get('fos_user.user_manager');
+
+        /** @var User $user */
+        $user = $userManager->findUserByConfirmationToken($token);
+
+        // If user was not found throw 404 exception
+        if (!$user) {
+            /** @var Translator $translator */
+            $translator = $this->get('translator');
+            throw $this->createNotFoundException($translator->trans('email_update.error.message', array(), 'FOSUserBundle'));
+        }
+
+        // Show invalid token message if the user id found via token does not match the current users id (e.g. anon. or other user)
+        if (!($this->getUser() instanceof UserInterface) || ($user->getId() !== $this->getUser()->getId())) {
+            /** @var Translator $translator */
+            $translator = $this->get('translator');
+            throw new AccessDeniedException($translator->trans('email_update.error.message', array(), 'FOSUserBundle'));
+        }
+
+        /** @var EmailUpdateConfirmation $emailUpdateConfirmation */
+        $emailUpdateConfirmation = $this->get('fos_user.email_update_confirmation');
+
+        $emailUpdateConfirmation->setUser($user);
+
+        $newEmail = $emailUpdateConfirmation->fetchEncryptedEmailFromConfirmationLink($request->get('target'));
+
+        // Update user email
+        if ($newEmail) {
+            $user->setConfirmationToken($emailUpdateConfirmation->getEmailConfirmedToken());
+            $user->setEmail($newEmail);
+        }
+
+        $userManager->updateUser($user);
+
+        $event = new UserEvent($user, $request);
+        $this->get('event_dispatcher')->dispatch(FOSUserEvents::EMAIL_UPDATE_SUCCESS, $event);
+
+        return $this->redirect($this->generateUrl('fos_user_profile_show'));
+    }
 }

DependencyInjection/Configuration.php

@@ -109,6 +109,14 @@ private function addProfileSection(ArrayNodeDefinition $node)
                                 ->end()
                             ->end()
                         ->end()
+                        ->arrayNode('email_update_confirmation')
+                            ->addDefaultsIfNotSet()
+                            ->children()
+                                ->booleanNode('enabled')->defaultFalse()->end()
+                                ->scalarNode('cypher_method')->defaultNull()->end()
+                                ->scalarNode('email_template')->defaultValue('@FOSUser/Profile/email_update_confirmation.txt.twig')->end()
+                            ->end()
+                        ->end()
                     ->end()
                 ->end()
             ->end();

DependencyInjection/FOSUserExtension.php

@@ -137,6 +137,9 @@ private function loadProfile(array $config, ContainerBuilder $container, XmlFile
     {
         $loader->load('profile.xml');
 
+        $container->setParameter('fos_user.email_update_confirmation.template', $config['email_update_confirmation']['email_template']);
+        $container->setParameter('fos_user.email_update_confirmation.cypher_method', $config['email_update_confirmation']['cypher_method']);
+
         $this->remapParametersNamespaces($config, $container, array(
             'form' => 'fos_user.profile.form.%s',
         ));

Doctrine/EmailUpdateListener.php

@@ -0,0 +1,80 @@
+<?php
+
+/*
+ * This file is part of the FOSUserBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\UserBundle\Doctrine;
+
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use FOS\UserBundle\Model\UserInterface;
+use FOS\UserBundle\Services\EmailConfirmation\EmailUpdateConfirmation;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+/**
+ * Class EmailUpdateListener.
+ */
+class EmailUpdateListener
+{
+    /**
+     * @var EmailUpdateConfirmation
+     */
+    private $emailUpdateConfirmation;
+
+    /**
+     * @var RequestStack
+     */
+    private $requestStack;
+
+    /**
+     * Constructor.
+     *
+     * @param EmailUpdateConfirmation $emailUpdateConfirmation
+     * @param RequestStack            $requestStack
+     */
+    public function __construct(EmailUpdateConfirmation $emailUpdateConfirmation, RequestStack $requestStack)
+    {
+        $this->emailUpdateConfirmation = $emailUpdateConfirmation;
+        $this->requestStack = $requestStack;
+    }
+
+    /**
+     * Pre update listener based on doctrine common.
+     *
+     * @param PreUpdateEventArgs $args
+     */
+    public function preUpdate(PreUpdateEventArgs $args)
+    {
+        $object = $args->getObject();
+
+        if ($object instanceof UserInterface && $args instanceof PreUpdateEventArgs) {
+            $user = $object;
+
+            if ($user->getConfirmationToken() != $this->emailUpdateConfirmation->getEmailConfirmedToken() && isset($args->getEntityChangeSet()['email'])) {
+                $oldEmail = $args->getEntityChangeSet()['email'][0];
+                $newEmail = $args->getEntityChangeSet()['email'][1];
+
+                $user->setEmail($oldEmail);
+
+                // Configure email confirmation
+                $this->emailUpdateConfirmation->setUser($user);
+                $this->emailUpdateConfirmation->setEmail($newEmail);
+                $this->emailUpdateConfirmation->setConfirmationRoute('fos_user_update_email_confirm');
+                $this->emailUpdateConfirmation->getMailer()->sendUpdateEmailConfirmation(
+                    $user,
+                    $this->emailUpdateConfirmation->generateConfirmationLink($this->requestStack->getCurrentRequest()),
+                    $newEmail
+                );
+            }
+
+            if ($user->getConfirmationToken() == $this->emailUpdateConfirmation->getEmailConfirmedToken()) {
+                $user->setConfirmationToken(null);
+            }
+        }
+    }
+}

EventListener/FlashListener.php

@@ -30,6 +30,8 @@ class FlashListener implements EventSubscriberInterface
         FOSUserEvents::PROFILE_EDIT_COMPLETED => 'profile.flash.updated',
         FOSUserEvents::REGISTRATION_COMPLETED => 'registration.flash.user_created',
         FOSUserEvents::RESETTING_RESET_COMPLETED => 'resetting.flash.success',
+        FOSUserEvents::EMAIL_UPDATE_SUCCESS => 'email_update.flash.success',
+        FOSUserEvents::EMAIL_UPDATE_INITIALIZE => 'email_update.flash.info',
     );
 
     /**
@@ -67,6 +69,8 @@ public static function getSubscribedEvents()
             FOSUserEvents::PROFILE_EDIT_COMPLETED => 'addSuccessFlash',
             FOSUserEvents::REGISTRATION_COMPLETED => 'addSuccessFlash',
             FOSUserEvents::RESETTING_RESET_COMPLETED => 'addSuccessFlash',
+            FOSUserEvents::EMAIL_UPDATE_SUCCESS => 'addSuccessFlash',
+            FOSUserEvents::EMAIL_UPDATE_INITIALIZE => 'addInfoFlash',
         );
     }
 
@@ -83,6 +87,19 @@ public function addSuccessFlash(Event $event, $eventName)
         $this->session->getFlashBag()->add('success', $this->trans(self::$successMessages[$eventName]));
     }
 
+    /**
+     * @param Event  $event
+     * @param string $eventName
+     */
+    public function addInfoFlash(Event $event, $eventName)
+    {
+        if (!isset(self::$successMessages[$eventName])) {
+            throw new \InvalidArgumentException('This event does not correspond to a known flash message');
+        }
+
+        $this->session->getFlashBag()->add('info', $this->trans(self::$successMessages[$eventName]));
+    }
+
     /**
      * @param string$message
      * @param array $params

FOSUserEvents.php

@@ -318,4 +318,22 @@ final class FOSUserEvents
      * @Event("FOS\UserBundle\Event\UserEvent")
      */
     const USER_DEMOTED = 'fos_user.user.demoted';
+
+    /**
+     * The EMAIL_UPDATE_INITIALIZE event occurs when the email update process is initialized.
+     *
+     * This event allows you to access the user and to add some behaviour after email update is initialized..
+     *
+     * @Event("FOS\UserBundle\Event\UserEvent")
+     */
+    const EMAIL_UPDATE_INITIALIZE = 'fos_user.update_email.initialize';
+
+    /**
+     * The EMAIL_UPDATE_SUCCESS event occurs when the email was successfully updated through confirmation link.
+     *
+     * This event allows you to access the user and to add some behaviour after email was confirmed and updated..
+     *
+     * @Event("FOS\UserBundle\Event\UserEvent")
+     */
+    const EMAIL_UPDATE_SUCCESS = 'fos_user.update_email.success';
 }

Mailer/Mailer.php

@@ -84,6 +84,24 @@ public function sendResettingEmailMessage(UserInterface $user)
         $this->sendEmailMessage($rendered, $this->parameters['from_email']['resetting'], (string) $user->getEmail());
     }
 
+    /**
+     * Send confirmation link to specified new user email.
+     *
+     * @param UserInterface $user
+     * @param string        $confirmationUrl
+     * @param string        $toEmail
+     */
+    public function sendUpdateEmailConfirmation(UserInterface $user, $confirmationUrl, $toEmail)
+    {
+        $template = $this->parameters['template']['email_updating'];
+        $rendered = $this->templating->render($template, array(
+            'user' => $user,
+            'confirmationUrl' => $confirmationUrl,
+        ));
+
+        $this->sendEmailMessage($rendered, $this->parameters['from_email']['resetting'], $toEmail);
+    }
+
     /**
      * @param string       $renderedTemplate
      * @param array|string $fromEmail

Mailer/MailerInterface.php

@@ -31,4 +31,13 @@ public function sendConfirmationEmailMessage(UserInterface $user);
      * @param UserInterface $user
      */
     public function sendResettingEmailMessage(UserInterface $user);
+
+    /**
+     * Send an email to a user to confirm the changed email address.
+     *
+     * @param UserInterface $user
+     * @param string        $confirmationUrl
+     * @param string        $toEmail
+     */
+    public function sendUpdateEmailConfirmation(UserInterface $user, $confirmationUrl, $toEmail);
 }

Mailer/NoopMailer.php

@@ -37,4 +37,12 @@ public function sendResettingEmailMessage(UserInterface $user)
     {
         // nothing happens.
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function sendUpdateEmailConfirmation(UserInterface $user, $confirmationUrl, $toEmail)
+    {
+        // nothing happens.
+    }
 }

Mailer/TwigSwiftMailer.php

@@ -119,4 +119,24 @@ protected function sendMessage($templateName, $context, $fromEmail, $toEmail)
 
         $this->mailer->send($message);
     }
+
+    /**
+     * Send confirmation link to specified new user email.
+     *
+     * @param UserInterface $user
+     * @param $confirmationUrl
+     * @param $toEmail
+     *
+     * @return bool
+     */
+    public function sendUpdateEmailConfirmation(UserInterface $user, $confirmationUrl, $toEmail)
+    {
+        $template = $this->parameters['template']['email_updating'];
+        $context = array(
+            'user' => $user,
+            'confirmationUrl' => $confirmationUrl,
+        );
+
+        $this->sendMessage($template, $context, $this->parameters['from_email']['confirmation'], $toEmail);
+    }
 }