Diffstat (limited to 'plugins/Login/PasswordResetter.php')
-rw-r--r--plugins/Login/PasswordResetter.php48
1 files changed, 29 insertions, 19 deletions
diff --git a/plugins/Login/PasswordResetter.php b/plugins/Login/PasswordResetter.php
index e9ce0d75f6..9c706440f9 100644
--- a/plugins/Login/PasswordResetter.php
+++ b/plugins/Login/PasswordResetter.php
@@ -191,20 +191,7 @@ class PasswordResetter
}
}
- /**
- * Confirms a password reset. This should be called after {@link initiatePasswordResetProcess()}
- * is called.
- *
- * This method will get the new password associated with a reset token and set it
- * as the specified user's password.
- *
- * @param string $login The login of the user whose password is being reset.
- * @param string $resetToken The generated string token contained in the reset password
- * email.
- * @throws Exception If there is no user with login '$login', if $resetToken is not a
- * valid token or if the token has expired.
- */
- public function confirmNewPassword($login, $resetToken)
+ public function checkValidConfirmPasswordToken($login, $resetToken)
{
// get password reset info & user info
$user = self::getUserInformation($login);
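Review bot: The new public method `checkValidConfirmPasswordToken` is left without a docblock here, and per the next hunk it now returns the stored reset hash instead of applying it. Add a docblock with `@return string The stored password hash associated with the reset token.` and carry over the `@throws Exception` line from the removed comment, provided the body still throws for an unknown login or an invalid or expired token. The body continues outside this hunk, so that needs confirming. The docblock should also say that the returned value is a credential hash, so callers keep it out of logs and responses.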
@@ -224,15 +211,32 @@ class PasswordResetter
// check that the stored password hash is valid (sanity check)
$resetPassword = $resetInfo['hash'];
+
$this->checkPasswordHash($resetPassword);
- // reset password of user
- $usersManager = $this->usersManagerApi;
- Access::doAsSuperUser(function () use ($usersManager, $user, $resetPassword) {
+ return $resetPassword;
+ }
+
+ /**
+ * Confirms a password reset. This should be called after {@link initiatePasswordResetProcess()}
+ * is called.
+ *
+ * This method will get the new password associated with a reset token and set it
+ * as the specified user's password.
+ *
+ * @param string $login The login of the user whose password is being reset.
+ * @param string $passwordHash The generated string token contained in the reset password
+ * email.
+ * @throws Exception If there is no user with login '$login', if $resetToken is not a
+ * valid token or if the token has expired.
+ */
+ public function setHashedPasswordForLogin($login, $passwordHash)
+ {
+ Access::doAsSuperUser(function () use ($login, $passwordHash) {
$userUpdater = new UserUpdater();
$userUpdater->updateUserWithoutCurrentPassword(
- $user['login'],
- $resetPassword,
+ $login,
+ $passwordHash,
$email = false,
$isPasswordHashed = true
);
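Review bot: `setHashedPasswordForLogin` is public and writes whatever hash it receives to any login inside `Access::doAsSuperUser`, with no token or hash check of its own. Validation now lives only in `checkValidConfirmPasswordToken`, so safety depends on every caller invoking that first (callers are not visible here). At minimum repeat the sanity check as the first statement, `$this->checkPasswordHash($passwordHash);`, and consider narrowing the visibility or passing the reset token in and validating it inside this method. The copied docblock is also stale: it describes `$passwordHash` as the token from the email, and `@throws` refers to `$resetToken`, which is no longer a parameter; `@param string $passwordHash The already-hashed password to store, as returned by checkValidConfirmPasswordToken().` would match the code. The method body continues past the end of the hunk.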
@@ -293,6 +297,12 @@ class PasswordResetter
return $token;
}
+ public function doesResetPasswordHashMatchesPassword($passwordPlain, $passwordHash)
+ {
+ $passwordPlain = UsersManager::getPasswordHash($passwordPlain);
+ return $this->passwordHelper->verify($passwordPlain, $passwordHash);
+ }
+
/**
* Generates a hash using a hash "identifier" and some data to hash. The hash identifier is
* a string that differentiates the hash in some way.
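Review bot: `doesResetPasswordHashMatchesPassword` overwrites `$passwordPlain` with the result of `UsersManager::getPasswordHash()`, so a variable named "plain" holds a hash by the time it reaches `verify()`. A separate local is clearer and harder to misuse later: `$preHashed = UsersManager::getPasswordHash($passwordPlain);` followed by `return $this->passwordHelper->verify($preHashed, $passwordHash);`. The method also has no docblock; it should state that `$passwordHash` is expected to be the stored reset hash and that the return value is whatever `verify()` returns. The name is ungrammatical (`doesResetPasswordHashMatchPassword` is the usual form), but rename it only if the callers in this commit are updated too.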