check_password_reset_key( string $key, string $login ): WP_User|WP_Error

Retrieves a user row based on password reset key and login.

Description

A key is considered ‘expired’ if it exactly matches the value of the user_activation_key field, rather than being matched after going through the hashing process. This field is now hashed; old values are no longer accepted but have a different WP_Error code so good user feedback can be provided.

Parameters

$key string required
The password reset key.
$login string required
The user login.

Return

WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.

Source

function check_password_reset_key(
	#[\SensitiveParameter]
	$key,
	$login
) {
	$key = preg_replace( '/[^a-z0-9]/i', '', $key );

	if ( empty( $key ) || ! is_string( $key ) ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	if ( empty( $login ) || ! is_string( $login ) ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	$user = get_user_by( 'login', $login );

	if ( ! $user ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	/**
	 * Filters the expiration time of password reset keys.
	 *
	 * @since 4.3.0
	 *
	 * @param int $expiration The expiration time in seconds.
	 */
	$expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );

	if ( str_contains( $user->user_activation_key, ':' ) ) {
		list( $pass_request_time, $pass_key ) = explode( ':', $user->user_activation_key, 2 );
		$expiration_time                      = $pass_request_time + $expiration_duration;
	} else {
		$pass_key        = $user->user_activation_key;
		$expiration_time = false;
	}

	if ( ! $pass_key ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	$hash_is_correct = wp_verify_fast_hash( $key, $pass_key );

	if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
		return $user;
	} elseif ( $hash_is_correct && $expiration_time ) {
		// Key has an expiration time that's passed.
		return new WP_Error( 'expired_key', __( 'Invalid key.' ) );
	}

	if ( hash_equals( $user->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) {
		$return  = new WP_Error( 'expired_key', __( 'Invalid key.' ) );
		$user_id = $user->ID;

		/**
		 * Filters the return value of check_password_reset_key() when an
		 * old-style key or an expired key is used.
		 *
		 * @since 3.7.0 Previously plain-text keys were stored in the database.
		 * @since 4.3.0 Previously key hashes were stored without an expiration time.
		 *
		 * @param WP_Error $return  A WP_Error object denoting an expired key.
		 *                          Return a WP_User object to validate the key.
		 * @param int      $user_id The matched user ID.
		 */
		return apply_filters( 'password_reset_key_expired', $return, $user_id );
	}

	return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
}

Hooks

apply_filters( 'password_reset_expiration', int $expiration )

Filters the expiration time of password reset keys.

apply_filters( 'password_reset_key_expired', WP_Error $return, int $user_id )

Filters the return value of check_password_reset_key() when an old-style key or an expired key is used.
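
The following is an added example, not part of WordPress core or of this reference page. It shows a caller tightening the key lifetime with the password_reset_expiration filter, recording rejected expired or old-style keys through password_reset_key_expired, and telling the two failure codes apart. It assumes the code is loaded by a plugin inside WordPress; the example_validate_reset_request name and the log message are hypothetical.

```php
<?php
// Added example: assumes it runs inside WordPress (for instance from a plugin file).
// example_validate_reset_request() is a hypothetical helper name.

// Shorten the reset-key lifetime from the default DAY_IN_SECONDS to one hour.
add_filter( 'password_reset_expiration', function ( $expiration ) {
	return HOUR_IN_SECONDS;
} );

// Record use of expired or old-style keys. The WP_Error is returned unchanged
// so the key stays rejected; returning a WP_User here would validate it.
add_filter( 'password_reset_key_expired', function ( $return, $user_id ) {
	error_log( sprintf( 'Expired or old-style password reset key used for user ID %d', $user_id ) );
	return $return;
}, 10, 2 );

/**
 * Validates a reset key and returns the user, or a short status for the UI.
 *
 * @param string $key   Raw key taken from the reset link.
 * @param string $login User login taken from the reset link.
 * @return WP_User|string WP_User on success, 'expired' or 'invalid' otherwise.
 */
function example_validate_reset_request( $key, $login ) {
	$user = check_password_reset_key( $key, $login );

	if ( ! is_wp_error( $user ) ) {
		return $user;
	}

	// Both failure cases carry the message 'Invalid key.'; only the error code
	// differs. An unknown login yields 'invalid_key', the same code as a wrong
	// key for an existing login, so the caller cannot tell those two apart.
	return 'expired_key' === $user->get_error_code() ? 'expired' : 'invalid';
}
```

On 'expired' the caller can prompt the user to request a new reset link; on 'invalid' it should show only a generic failure.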

Changelog

Version    Description
3.1.0      Introduced.
