If your users forget their login password, they can reset it using a link sent to their email address.
Add the following routing resource to register the required routes:
# app/config/routing.yml
forgotten_passwords:
    resource: "@PerformUserBundle/Resources/config/routing/forgot_password.yml"
    prefix: /forgot-password
Three new routes will be created for you:
perform_user_forgot_password ANY ANY ANY /forgot-password/
perform_user_forgot_password_reset ANY ANY ANY /forgot-password/reset
perform_user_forgot_password_success ANY ANY ANY /forgot-password/success
Note
The /forgot-password path prefix is just a suggestion, and can be changed to suit your needs.
A "forgot your password?" link will also appear on the login form.
A user can now request a password reset email using the new routes.
Additionally, if routing_crud.yml is loaded, an administrator will be able to manage password reset tokens for all users.
There may be times when you want to force a user to reset their password. This can be especially useful for new accounts where you’ve sent them a one-time login URL, or if you suspect an account password has been compromised.
The User entity has a passwordExpiresAt datetime property.
When this date passes, the password is considered invalid.
Set it to a date in the past to require the user to reset their password when they next log in.
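<?php
/** @var Perform\UserBundle\Entity\User $user */
// A date in the past marks the current password as expired.
$user->setPasswordExpiresAt(new \DateTime('-1 day'));
/** @var Doctrine\ORM\EntityManagerInterface $em */
// Save the change so it applies at the user's next login.
$em->persist($user);
$em->flush();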
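For the suspected-compromise case described above, the same property can be set for several accounts at once. This is an added example, not PerformUserBundle's own code; the function name forcePasswordReset is hypothetical, and it assumes the User entity maps an "email" field and has a getEmail() getter.

```php
<?php
// Added example, not part of PerformUserBundle.
// Assumptions: User maps an "email" field and exposes getEmail().

use Doctrine\ORM\EntityManagerInterface;
use Perform\UserBundle\Entity\User;

/**
 * Expire the passwords of the given accounts so that each user must
 * choose a new one when they next log in.
 *
 * @param string[] $emails accounts to expire
 *
 * @return string[] emails that matched no user, for follow-up
 */
function forcePasswordReset(EntityManagerInterface $em, array $emails): array
{
    // Normalise the input so blanks and duplicates do not hide misses.
    $wanted = array_values(array_unique(array_filter(array_map('trim', $emails))));
    if ($wanted === []) {
        return [];
    }

    // findBy() with an array value is translated to an IN (...) query.
    $users = $em->getRepository(User::class)->findBy(['email' => $wanted]);

    $expiry = new \DateTime('-1 day');
    $found = [];
    foreach ($users as $user) {
        // Give each entity its own DateTime rather than one shared mutable object.
        $user->setPasswordExpiresAt(clone $expiry);
        $found[] = $user->getEmail();
    }

    // A single flush writes all changes in one transaction.
    $em->flush();

    // Case-insensitive diff: the database may match emails regardless of case.
    return array_values(array_udiff($wanted, $found, 'strcasecmp'));
}
```

If a temporary password is also set through the UserManager, expire the account after that call, because updating the password moves passwordExpiresAt into the future.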
Note
A required password reset will not be enforced when impersonating a user, since you don’t want the impersonator to set a new password that the actual user does not know.
Note
Whenever you use the UserManager to update a password, passwordExpiresAt will be updated to a date in the future, configured with the perform_user.password_valid_duration option.
This is usually sensible, but if not, simply set it back to the previous value after calling UserManager#updatePassword.