Password reset.

[perso/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front.git] / api / password_reset.go

diff --git a/api/password_reset.go b/api/password_reset.go
new file mode 100644 (file)
index 0000000..82aaaef
--- /dev/null
+++ b/api/password_reset.go
@@ -0,0 +1,103 @@
+package api
+
+import (
+       "fmt"
+       "time"
+
+       "github.com/dchest/passwordreset"
+       "immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front/db"
+)
+
+var PASSWORD_RESET_SECRET []byte
+
+type PasswordResetQuery struct {
+       In struct {
+               Email string
+       }
+}
+
+func (q PasswordResetQuery) ValidateParams() *Error {
+       if q.In.Email == "" {
+               return &Error{InvalidEmail, "invalid email", fmt.Errorf("invalid email")}
+       }
+
+       return nil
+}
+
+func (q PasswordResetQuery) Run() (interface{}, *Error) {
+       user, err := db.GetUserByEmail(q.In.Email)
+       if err != nil {
+               return nil, NewInternalError(err)
+       }
+
+       if user == nil {
+               return nil, &Error{NotFound, "account not found", fmt.Errorf("'%v' is not registered", q.In.Email)}
+       }
+
+       token := passwordreset.NewToken(q.In.Email, time.Hour*24*1, []byte(user.PasswordHash), PASSWORD_RESET_SECRET)
+       if CONFIG.FreeSMSUser != "" {
+               err := SendSMS(CONFIG.FreeSMSUser, CONFIG.FreeSMSPass, fmt.Sprintf("'%v' request a password reset. Token '/change-password?token=%v'", q.In.Email, token))
+               if err != nil {
+                       return nil, NewInternalError(err)
+               }
+       }
+
+       return "OK", nil
+}
+
+type ChangePasswordQuery struct {
+       In struct {
+               Token    string
+               Password string
+       }
+}
+
+func (q ChangePasswordQuery) ValidateParams() *Error {
+       if q.In.Password == "" {
+               return &Error{InvalidPassword, "invalid password", fmt.Errorf("invalid password")}
+       }
+
+       if q.In.Token == "" {
+               return &Error{BadRequest, "invalid token", fmt.Errorf("invalid token")}
+       }
+
+       return nil
+}
+
+func (q ChangePasswordQuery) Run() (interface{}, *Error) {
+       var user *db.User
+
+       email, err := passwordreset.VerifyToken(q.In.Token, func(email string) ([]byte, error) {
+               var err error
+               user, err = db.GetUserByEmail(email)
+               if err != nil {
+                       return nil, err
+               }
+
+               if user == nil {
+                       return nil, fmt.Errorf("'%v' is not registered", email)
+               }
+
+               return []byte(user.PasswordHash), nil
+
+       }, PASSWORD_RESET_SECRET)
+
+       if err != nil && (err == passwordreset.ErrExpiredToken) {
+               return nil, &Error{BadRequest, "expired token", fmt.Errorf("expired token")}
+       } else if err != nil && (err == passwordreset.ErrMalformedToken || err == passwordreset.ErrWrongSignature) {
+               return nil, &Error{BadRequest, "wrong token", fmt.Errorf("wrong token")}
+       } else if err != nil {
+               return nil, NewInternalError(err)
+       }
+
+       if user == nil {
+               return nil, &Error{BadRequest, "bad request", fmt.Errorf("no user found for email '%v'", email)}
+       }
+
+       err = db.SetPassword(user, q.In.Password)
+       if err != nil {
+               return nil, NewInternalError(err)
+       }
+
+       return "OK", nil
+}