createForm(::class); $form->handleRequest($request); if ($form->isSubmitted() && $form->isValid()) { /** @var string $email */ $email = $form->get('')->getData(); return $this->processSendingPasswordResetEmail($email, $mailer ); } return $this->render('reset_password/request.html.twig', [ 'requestForm' => $form, ]); } /** * Confirmation page after a user has requested a password reset. */ #[Route('/check-email', name: 'app_check_email')] public function checkEmail(): Response { // Generate a fake token if the user does not exist or someone hit this page directly. // This prevents exposing whether or not a user was found with the given email address or not if (null === ($resetToken = $this->getTokenObjectFromSession())) { $resetToken = $this->resetPasswordHelper->generateFakeResetToken(); } return $this->render('reset_password/check_email.html.twig', [ 'resetToken' => $resetToken, ]); } /** * Validates and process the reset URL that the user clicked in their email. */ #[Route('/reset/{token}', name: 'app_reset_password')] public function reset(Request $request, UserPasswordHasherInterface $passwordHasher, string $token = null): Response { if ($token) { // We store the token in session and remove it from the URL, to avoid the URL being // loaded in a browser and potentially leaking the token to 3rd party JavaScript. $this->storeTokenInSession($token); return $this->redirectToRoute('app_reset_password'); } $token = $this->getTokenFromSession(); if (null === $token) { throw $this->createNotFoundException('No reset password token found in the URL or in the session.'); } try { /** @var $user */ $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token); } catch (ResetPasswordExceptionInterface $e) { $this->addFlash('reset_password_error', sprintf( '%s - %s', , $e->getReason() )); return $this->redirectToRoute('app_forgot_password_request'); } // The token is valid; allow the user to change their password. $form = $this->createForm(::class); $form->handleRequest($request); if ($form->isSubmitted() && $form->isValid()) { // A password reset token should be used only once, remove it. $this->resetPasswordHelper->removeResetRequest($token); /** @var string $plainPassword */ $plainPassword = $form->get('plainPassword')->getData(); // Encode(hash) the plain password, and set it. $user->($passwordHasher->hashPassword($user, $plainPassword)); $this->entityManager->flush(); // The session is cleaned up after the password has been changed. $this->cleanSessionAfterReset(); return $this->redirectToRoute(''); } return $this->render('reset_password/reset.html.twig', [ 'resetForm' => $form, ]); } private function processSendingPasswordResetEmail(string $emailFormData, MailerInterface $mailer): RedirectResponse { $user = $this->entityManager->getRepository(::class)->findOneBy([ '' => $emailFormData, ]); // Do not reveal whether a user account was found or not. if (!$user) { return $this->redirectToRoute('app_check_email'); } try { $resetToken = $this->resetPasswordHelper->generateResetToken($user); } catch (ResetPasswordExceptionInterface $e) { // If you want to tell the user why a reset email was not sent, uncomment // the lines below and change the redirect to 'app_forgot_password_request'. // Caution: This may reveal if a user is registered or not. // // $this->addFlash('reset_password_error', sprintf( // '%s - %s', // , // $e->getReason() // )); return $this->redirectToRoute('app_check_email'); } $email = (new TemplatedEmail()) ->from(new Address('', '')) ->to((string) $user->()) ->subject('Your password reset request') ->htmlTemplate('reset_password/email.html.twig') ->context([ 'resetToken' => $resetToken, ]) ; $mailer->send($email); // Store the token object in session for retrieval in check-email route. $this->setTokenObjectInSession($resetToken); return $this->redirectToRoute('app_check_email'); } }