From 85545aba62546f219a9c9730945511412a3174ef Mon Sep 17 00:00:00 2001 From: jloup Date: Fri, 4 May 2018 11:55:15 +0200 Subject: Password reset. --- api/api.go | 16 ++++++++ api/auth_jwt.go | 4 -- api/free_sms.go | 26 +++++++++++++ api/password_reset.go | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ api/routes.go | 19 ++++++++++ api/user.go | 7 ++++ 6 files changed, 171 insertions(+), 4 deletions(-) create mode 100644 api/free_sms.go create mode 100644 api/password_reset.go (limited to 'api') diff --git a/api/api.go b/api/api.go index 7b7be49..42b9923 100644 --- a/api/api.go +++ b/api/api.go @@ -7,6 +7,22 @@ import ( "github.com/gin-gonic/gin" ) +var CONFIG Config + +type Config struct { + JwtSecret string `toml:"jwt_secret"` + PasswordResetSecret string `toml:"password_reset_secret"` + FreeSMSUser string `toml:"free_sms_user"` + FreeSMSPass string `toml:"free_sms_pass"` +} + +func SetConfig(config Config) { + CONFIG = config + + JWT_SECRET = []byte(config.JwtSecret) + PASSWORD_RESET_SECRET = []byte(config.PasswordResetSecret) +} + type Error struct { Code ErrorCode UserMessage string diff --git a/api/auth_jwt.go b/api/auth_jwt.go index 5ce1593..db7e3f4 100644 --- a/api/auth_jwt.go +++ b/api/auth_jwt.go @@ -20,10 +20,6 @@ type JwtClaims struct { jwt.StandardClaims } -func SetJwtSecretKey(secret string) { - JWT_SECRET = []byte(secret) -} - func VerifyJwtToken(token string) (JwtClaims, error) { if len(JWT_SECRET) == 0 { return JwtClaims{}, fmt.Errorf("not initialized jwt secret") diff --git a/api/free_sms.go b/api/free_sms.go new file mode 100644 index 0000000..f09a1d1 --- /dev/null +++ b/api/free_sms.go 
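Review bot: SetConfig copies `config.PasswordResetSecret` into `PASSWORD_RESET_SECRET` without checking that it is non-empty, and it has no error return, so a missing `password_reset_secret` key in the TOML silently leaves the reset-token HMAC keyed on an empty secret. VerifyJwtToken (visible as context in the auth_jwt.go hunk) guards the JWT secret with `len(JWT_SECRET) == 0` at use time, but nothing in this commit does the equivalent for the reset secret. I would fail fast at startup: have SetConfig `panic`, or return an error if its caller can take one, when either `config.JwtSecret` or `config.PasswordResetSecret` is empty. A doc comment such as `// SetConfig installs the runtime configuration; both secrets must be non-empty random values and should differ from each other.` would also make the contract explicit. A mutable package-level `CONFIG` is a minor style point, but it follows the existing `JWT_SECRET` global.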
@@ -0,0 +1,26 @@
+package api
+
+import (
+ "fmt"
+ "net/http"
+ "net/url"
+)
+
+func SendSMS(user, pass, msg string) error {
+ form := url.Values{
+ "user": []string{user},
+ "pass": []string{pass},
+ "msg": []string{msg},
+ }
+
+ response, err := http.Get(fmt.Sprintf("https://smsapi.free-mobile.fr/sendmsg?%s", form.Encode()))
+ if err != nil {
+ return err
+ }
+
+ if response.StatusCode != 200 {
+ return fmt.Errorf("Cannot send sms: status code %v", response.StatusCode)
+ }
+
+ return nil
+}
diff --git a/api/password_reset.go b/api/password_reset.go new file mode 100644
index 0000000..82aaaef
--- /dev/null
+++ b/api/password_reset.go
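Review bot: On the `http.Get` error path the error is returned unchanged, and a `*url.Error` stringifies with the full request URL, which here carries `pass=<FreeSMSPass>` in the query string; both callers in this commit wrap that into `NewInternalError`, so the Free Mobile API password can end up in logs or error output. The response body is also never closed, and the default client has no timeout, so a hung SMS endpoint stalls the signup and password-reset handlers indefinitely. I would unwrap the `*url.Error` before returning, close the body, and use a package-level client with a `Timeout` (this needs `"time"` added to the imports). Credentials in the query string are imposed by the Free Mobile API, so that shape is only relevant to the log-hygiene point above.

```go
// smsClient bounds how long a SendSMS call may block the request handler.
var smsClient = &http.Client{Timeout: 10 * time.Second}

func SendSMS(user, pass, msg string) error {
	// … unchanged: form construction …
	response, err := smsClient.Get(fmt.Sprintf("https://smsapi.free-mobile.fr/sendmsg?%s", form.Encode()))
	if err != nil {
		// *url.Error.Error() embeds the full URL, including pass=…; strip it before the error propagates.
		if uerr, ok := err.(*url.Error); ok {
			err = uerr.Err
		}
		return fmt.Errorf("cannot send sms: %v", err)
	}
	defer response.Body.Close()
	// … unchanged: status-code check and return …
```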
@@ -0,0 +1,103 @@
+package api
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/dchest/passwordreset"
+ "immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front/db"
+)
+
+var PASSWORD_RESET_SECRET []byte
+
+type PasswordResetQuery struct {
+ In struct {
+ Email string
+ }
+}
+
+func (q PasswordResetQuery) ValidateParams() *Error {
+ if q.In.Email == "" {
+ return &Error{InvalidEmail, "invalid email", fmt.Errorf("invalid email")}
+ }
+
+ return nil
+}
+
+func (q PasswordResetQuery) Run() (interface{}, *Error) {
+ user, err := db.GetUserByEmail(q.In.Email)
+ if err != nil {
+ return nil, NewInternalError(err)
+ }
+
+ if user == nil {
+ return nil, &Error{NotFound, "account not found", fmt.Errorf("'%v' is not registered", q.In.Email)}
+ }
+
+ token := passwordreset.NewToken(q.In.Email, time.Hour*24*1, []byte(user.PasswordHash), PASSWORD_RESET_SECRET)
+ if CONFIG.FreeSMSUser != "" {
+ err := SendSMS(CONFIG.FreeSMSUser, CONFIG.FreeSMSPass, fmt.Sprintf("'%v' request a password reset. Token '/change-password?token=%v'", q.In.Email, token))
+ if err != nil {
+ return nil, NewInternalError(err)
+ }
+ }
+
+ return "OK", nil
+}
+
+type ChangePasswordQuery struct {
+ In struct {
+ Token string
+ Password string
+ }
+}
+
+func (q ChangePasswordQuery) ValidateParams() *Error {
+ if q.In.Password == "" {
+ return &Error{InvalidPassword, "invalid password", fmt.Errorf("invalid password")}
+ }
+
+ if q.In.Token == "" {
+ return &Error{BadRequest, "invalid token", fmt.Errorf("invalid token")}
+ }
+
+ return nil
+}
+
+func (q ChangePasswordQuery) Run() (interface{}, *Error) {
+ var user *db.User
+
+ email, err := passwordreset.VerifyToken(q.In.Token, func(email string) ([]byte, error) {
+ var err error
+ user, err = db.GetUserByEmail(email)
+ if err != nil {
+ return nil, err
+ }
+
+ if user == nil {
+ return nil, fmt.Errorf("'%v' is not registered", email)
+ }
+
+ return []byte(user.PasswordHash), nil
+
+ }, PASSWORD_RESET_SECRET)
+
+ if err != nil && (err == 
passwordreset.ErrExpiredToken) { + return nil, &Error{BadRequest, "expired token", fmt.Errorf("expired token")} + } else if err != nil && (err == passwordreset.ErrMalformedToken || err == passwordreset.ErrWrongSignature) { + return nil, &Error{BadRequest, "wrong token", fmt.Errorf("wrong token")} + } else if err != nil { + return nil, NewInternalError(err) + } + + if user == nil { + return nil, &Error{BadRequest, "bad request", fmt.Errorf("no user found for email '%v'", email)} + } + + err = db.SetPassword(user, q.In.Password) + if err != nil { + return nil, NewInternalError(err) + } + + return "OK", nil +} diff --git a/api/routes.go b/api/routes.go index cdf3dd9..22af0e7 100644 --- a/api/routes.go +++ b/api/routes.go @@ -25,6 +25,8 @@ var Groups = []Group{ []Route{ {"POST", []gin.HandlerFunc{Signup}, "/signup"}, {"POST", []gin.HandlerFunc{Signin}, "/signin"}, + {"POST", []gin.HandlerFunc{PasswordReset}, "/passwordreset"}, + {"POST", []gin.HandlerFunc{ChangePassword}, "/changepassword"}, }, }, { @@ -132,3 +134,20 @@ func UpdateMarketConfig(c *gin.Context) { RunQuery(query, c) } + +func PasswordReset(c *gin.Context) { + query := &PasswordResetQuery{} + + query.In.Email = c.PostForm("email") + + RunQuery(query, c) +} + +func ChangePassword(c *gin.Context) { + query := &ChangePasswordQuery{} + + query.In.Token = c.PostForm("token") + query.In.Password = c.PostForm("password") + + RunQuery(query, c) +} diff --git a/api/user.go b/api/user.go index 1dc69e4..9fd9479 100644 --- a/api/user.go +++ b/api/user.go @@ -74,6 +74,13 @@ func (q SignupQuery) Run() (interface{}, *Error) { return nil, NewInternalError(fmt.Errorf("cannot create jwt token %v", err)) } + if CONFIG.FreeSMSUser != "" { + err := SendSMS(CONFIG.FreeSMSUser, CONFIG.FreeSMSPass, fmt.Sprintf("New user signup '%v'", q.In.Email)) + if err != nil { + return nil, NewInternalError(err) + } + } + return SignResult{token}, nil } -- cgit v1.2.3
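Review bot: PasswordResetQuery.Run returns `NotFound` with "account not found" when `db.GetUserByEmail` yields nil, which turns the unauthenticated `POST /passwordreset` into an oracle for which emails are registered; the unknown-email branch should return the same `"OK", nil` as the success path, logging the miss server-side if wanted. Neither Run method checks `len(PASSWORD_RESET_SECRET) == 0` the way VerifyJwtToken does for the JWT secret, so with an unset secret the token signature depends only on the stored password hash; a guard such as `if len(PASSWORD_RESET_SECRET) == 0 { return nil, NewInternalError(fmt.Errorf("not initialized password reset secret")) }` at the top of both would mirror the existing pattern. When `CONFIG.FreeSMSUser` is empty the token is generated and then discarded while the client still receives "OK", which is presumably intentional for development setups but deserves a comment. The token is delivered to the operator's Free Mobile number rather than to the user and stays valid for 24 hours; a comment stating that this is an operator-mediated reset, and a shorter lifetime, are worth considering.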
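Review bot: The SMS text built in password_reset.go points the operator at `/change-password?token=…`, while this hunk registers the handler at `POST /changepassword`; unless `/change-password` is a separate frontend route that forwards to this API, the path in the SMS does not match anything registered here. Both new routes sit in the same group as `/signup` and `/signin`, and nothing in the hunk shows a throttle, so every anonymous `/passwordreset` call triggers an SMS to the operator; rate limiting on that route (per IP or per email) seems warranted. I cannot see the group's middleware from here, so the second point is inferred from what the hunk shows.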
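Review bot: The new SendSMS call in SignupQuery.Run turns a failed operator notification into an internal error for the client even though the JWT has already been minted and, judging by the "cannot create jwt token" error just above, the account has presumably already been created, so the user gets a 500 for a signup that succeeded. A notification is best-effort; I would log the failure and still return `SignResult{token}`, e.g. `if err := SendSMS(...); err != nil { log.Printf("signup sms notification: %v", err) }` using whatever logger the package already has. The enclosing function starts outside the hunk.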