check_password_reset_key

Retrieves a user row based on password reset key and login.

Description

(WP_User|WP_Error) check_password_reset_key( (string) $key, (string) $login ); 

A key is treated as expired, rather than invalid, when it exactly matches the value of the user_activation_key field instead of matching after going through the hashing process. This field is now stored hashed; old plain-text values are no longer accepted, but they return a different WP_Error code (`expired_key` instead of `invalid_key`) so good user feedback can be provided.

Returns (WP_User|WP_Error)

WP_User object on success, WP_Error object for invalid or expired keys.

Parameters (2)

0. $key (string)
The password reset key supplied by the user. It is validated against the hashed value stored in that user's user_activation_key field.
1. $login (string)
The user login.

Usage

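  // Load the defining file only when the function is not already available.
  if ( ! function_exists( 'check_password_reset_key' ) ) {
      require_once ABSPATH . WPINC . '/user.php';
  }

  // The reset key exactly as the user supplied it. The function compares it
  // against the hashed value stored for the user.
  $key = '';

  // The user login.
  $login = '';

  // NOTICE! Understand what this does before running.
  $result = check_password_reset_key( $key, $login );

  // Invalid and expired keys come back as a WP_Error, so check the result
  // before treating it as a user. Only a non-error result means the key
  // was accepted.
  if ( is_wp_error( $result ) ) {
      // 'invalid_key' or 'expired_key'. The user-facing message is the same for both.
      $error_code = $result->get_error_code();
  } else {
      $user = $result;
  }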

Defined (1)

The function is defined in the following location(s).

/wp-includes/user.php  
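  /**
   * Validates a password reset key for a login and returns the matching user.
   *
   * The supplied key is checked against the hashed value stored in the user's
   * user_activation_key field. Every failure carries the same user-facing
   * message; only the WP_Error code ('invalid_key' or 'expired_key') tells
   * the cases apart.
   *
   * @param string $key   Reset key as supplied by the user (not the stored hash).
   * @param string $login The user login.
   * @return WP_User|WP_Error WP_User object on success, WP_Error object for
   *                          invalid or expired keys.
   */
  function check_password_reset_key( $key, $login ) {
      global $wpdb, $wp_hasher;

      // Drop every character that is not an ASCII letter or digit before the
      // key is used anywhere else.
      $key = preg_replace( '/[^a-z0-9]/i', '', $key );

      if ( empty( $key ) || ! is_string( $key ) ) {
          return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
      }

      if ( empty( $login ) || ! is_string( $login ) ) {
          return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
      }

      // The login is bound through prepare(), never interpolated into the SQL.
      $row = $wpdb->get_row( $wpdb->prepare( "SELECT ID, user_activation_key FROM $wpdb->users WHERE user_login = %s", $login ) );
      if ( ! $row ) {
          // An unknown login gets the same error as a wrong key.
          return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
      }

      if ( empty( $wp_hasher ) ) {
          // NOTE(review): the listing shows no include for PasswordHash here;
          // confirm the class is loaded before this point in the source file.
          $wp_hasher = new PasswordHash( 8, true );
      }

      /**
       * Filters the expiration time of password reset keys.
       *
       * @since 4.3.0
       *
       * @param int $expiration The expiration time in seconds.
       */
      $expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );

      // The stored value is either "<request time>:<hash>" or an old-style
      // value with no timestamp.
      if ( false !== strpos( $row->user_activation_key, ':' ) ) {
          list( $pass_request_time, $pass_key ) = explode( ':', $row->user_activation_key, 2 );
          $expiration_time = $pass_request_time + $expiration_duration;
      } else {
          $pass_key        = $row->user_activation_key;
          $expiration_time = false;
      }

      // No stored key means no reset is pending for this user.
      if ( ! $pass_key ) {
          return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
      }

      $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );

      if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
          // Correct key, still inside its validity window.
          return get_userdata( $row->ID );
      } elseif ( $hash_is_correct && $expiration_time ) {
          // Key has an expiration time that's passed
          return new WP_Error( 'expired_key', __( 'Invalid key' ) );
      }

      // Old-style keys: a plain-text value stored as-is (compared with
      // hash_equals()), or a hash stored without an expiration time. Both are
      // rejected as expired unless the filter below overrides the result.
      if ( hash_equals( $row->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) {
          $return  = new WP_Error( 'expired_key', __( 'Invalid key' ) );
          $user_id = $row->ID;

          /**
           * Filters the return value of check_password_reset_key() when an
           * old-style key is used.
           *
           * A callback that returns a WP_User here makes plain-text or
           * non-expiring keys valid again, so callbacks on this hook
           * deserve review.
           *
           * @since 3.7.0 Previously plain-text keys were stored in the database.
           * @since 4.3.0 Previously key hashes were stored without an expiration time.
           *
           * @param WP_Error $return  A WP_Error object denoting an expired key.
           *                          Return a WP_User object to validate the key.
           * @param int      $user_id The matched user ID.
           */
          return apply_filters( 'password_reset_key_expired', $return, $user_id );
      }

      return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
  }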