gosora/common/password_reset.go
Azareal e22ddfec40 Added support for password resets.
Sha256 hashes are now stored in the SFile structures, this will come of use later.
Rows should be properly closed in DefaultTopicStore.BulkGetMap.
All errors should be properly reported now in DefaultTopicStore.BulkGetMap.
Rows should be properly closed in DefaultUserStore.BulkGetMap.
All errors should be properly reported now in DefaultUserStore.BulkGetMap.
The "Don't have an account" text on the login page should now be linkified.
Renamed tempra-simple to tempra_simple to avoid breaking the template transpiler.
Fixed up bits and pieces of login.html on every theme.
Removed an old commented code chunk from template_init.go
widget_wol widgets should now get minified.
bindToAlerts() should now unbind the alert items before attempting to bind to them.
Tweaked the SendValidationEmail phrase.
Removed a layer of indentation from DefaultAuth.ValidateMFAToken and added the ErrNoMFAToken error for when MFA isn't setup on the specified account.
Email validation now uses a constant time compare to mitigate certain classes of timing attacks.

Added the /accounts/password-reset/ route.
Added the /accounts/password-reset/submit/ route.
Added the /accounts/password-reset/token/ route.
Added the /accounts/password-reset/token/submit/ route.
Added the password_resets table.

Added the password_reset_email_fail phrase.
Added the password_reset phrase.
Added the password_reset_token phrase.
Added the password_reset_email_sent phrase.
Added the password_reset_token_token_verified phrase.
Added the login_forgot_password phrase.
Added the password_reset_head phrase.
Added the password_reset_username phrase.
Added the password_reset_button phrase.
Added the password_reset_subject phrase.
Added the password_reset_body phrase.
Added the password_reset_token_head phrase.
Added the password_reset_token_password phrase.
Added the password_reset_token_confirm_password phrase.
Added the password_reset_mfa_token phrase.
Added the password_reset_token_button phrase.

You will need to run the updater or patcher for this commit.
2019-03-11 18:47:45 +10:00


package common
import (
"crypto/subtle"
"database/sql"
"errors"
"github.com/Azareal/Gosora/query_gen"
)
var (
	// PasswordResetter is the package-wide reset-token store. A package-level
	// pointer starts out nil; presumably it is populated from
	// NewDefaultPasswordResetter during start-up — confirm against the caller.
	PasswordResetter *DefaultPasswordResetter

	// ErrBadResetToken is returned by ValidateToken when none of the tokens
	// stored for the user match the supplied one.
	ErrBadResetToken = errors.New("This reset token has expired.")
)
// DefaultPasswordResetter wraps the prepared statements that back password
// reset tokens in the password_resets table. Build it with
// NewDefaultPasswordResetter; the zero value has nil statements and is unusable.
type DefaultPasswordResetter struct {
	getTokens *sql.Stmt // SELECT token FROM password_resets WHERE uid = ?
	create    *sql.Stmt // INSERT of (email, uid, validated=0, token, createdAt=UTC_TIMESTAMP())
	delete    *sql.Stmt // DELETE FROM password_resets WHERE uid = ?
}
// NewDefaultPasswordResetter prepares the three statements the resetter uses
// against the password_resets table. Statements are built through acc, and a
// preparation failure surfaces only via acc.FirstError(), so callers must
// check the returned error before using the resetter.
func NewDefaultPasswordResetter(acc *qgen.Accumulator) (*DefaultPasswordResetter, error) {
	r := &DefaultPasswordResetter{}
	// Statements are prepared in the same order as before: select, insert, delete.
	r.getTokens = acc.Select("password_resets").Columns("token").Where("uid = ?").Prepare()
	// validated is always inserted as 0 and createdAt as the database clock;
	// neither column is read back anywhere in this file.
	r.create = acc.Insert("password_resets").Columns("email, uid, validated, token, createdAt").Fields("?,?,0,?,UTC_TIMESTAMP()").Prepare()
	r.delete = acc.Delete("password_resets").Where("uid =?").Prepare()
	return r, acc.FirstError()
}
// Create inserts a reset token row for uid together with the email the caller
// supplies. The row is stored with validated = 0 and a createdAt timestamp set
// by the database; any error from the insert is returned unchanged.
func (r *DefaultPasswordResetter) Create(email string, uid int, token string) error {
	if _, err := r.create.Exec(email, uid, token); err != nil {
		return err
	}
	return nil
}
// FlushTokens deletes every password_resets row belonging to uid, which
// invalidates all outstanding reset tokens for that account at once. Any
// error from the delete is returned unchanged.
func (r *DefaultPasswordResetter) FlushTokens(uid int) error {
	if _, err := r.delete.Exec(uid); err != nil {
		return err
	}
	return nil
}
// ValidateToken reports whether token matches one of the reset tokens stored
// for uid. It returns nil on a match, ErrBadResetToken when no stored token
// matches, and the underlying database error if the query or scan fails.
//
// Each stored token is compared with subtle.ConstantTimeCompare and the loop
// deliberately keeps going after a hit, so every row is visited regardless of
// where a match sits. Only the token column is consulted: createdAt is written
// by Create but never read here, so this method on its own does not enforce a
// token lifetime despite the wording of ErrBadResetToken — confirm whether
// expiry is enforced elsewhere before relying on it.
func (r *DefaultPasswordResetter) ValidateToken(uid int, token string) error {
	rows, err := r.getTokens.Query(uid)
	if err != nil {
		return err
	}
	defer rows.Close()

	candidate := []byte(token)
	// hits is the bitwise OR of the per-row compare results (each 0 or 1);
	// it is non-zero exactly when at least one stored token matched.
	hits := 0
	for rows.Next() {
		var stored string
		if err := rows.Scan(&stored); err != nil {
			return err
		}
		hits |= subtle.ConstantTimeCompare(candidate, []byte(stored))
	}
	if err := rows.Err(); err != nil {
		return err
	}
	if hits == 0 {
		return ErrBadResetToken
	}
	return nil
}