Merge pull request #156 from jrushlow/feature/fake-token

add ability to generate a fake reset token

Author: weaverryan

src/ResetPasswordHelper.php

@@ -154,6 +154,25 @@ public function getTokenLifetime(): int
         return $this->resetRequestLifetime;
     }
 
+    /**
+     * Generate a fake reset token.
+     *
+     * Use this to generate a fake token so that you can, for example, show a
+     * "reset confirmation email sent" page that includes a valid "expiration date",
+     * even if the email was not actually found (and so, a true ResetPasswordToken
+     * was not actually created).
+     *
+     * This method should not be used when timing attacks are a concern.
+     */
+    public function generateFakeResetToken(): ResetPasswordToken
+    {
+        $expiresAt = new \DateTimeImmutable(\sprintf('+%d seconds', $this->resetRequestLifetime));
+
+        $generatedAt = ($expiresAt->getTimestamp() - $this->resetRequestLifetime);
+
+        return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);
+    }
+
     private function findResetPasswordRequest(string $token): ?ResetPasswordRequestInterface
     {
         $selector = \substr($token, 0, self::SELECTOR_LENGTH);

src/ResetPasswordHelperInterface.php

@@ -15,6 +15,8 @@
 /**
  * @author Jesse Rushlow <jr@rushlow.dev>
  * @author Ryan Weaver   <ryan@symfonycasts.com>
+ *
+ * @method ResetPasswordToken generateFakeResetToken() Generates a fake ResetPasswordToken.
  */
 interface ResetPasswordHelperInterface
 {