1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
package api
import (
"fmt"
"time"
"github.com/dchest/passwordreset"
"git.immae.eu/Cryptoportfolio/Front.git/db"
)
var PASSWORD_RESET_SECRET []byte
type PasswordResetQuery struct {
In struct {
Email string
}
}
func (q PasswordResetQuery) ValidateParams() *Error {
if q.In.Email == "" {
return &Error{InvalidEmail, "invalid email", fmt.Errorf("invalid email")}
}
return nil
}
func (q PasswordResetQuery) Run() (interface{}, *Error) {
user, err := db.GetUserByEmail(q.In.Email)
if err != nil {
return nil, NewInternalError(err)
}
if user == nil {
return nil, &Error{NotFound, "account not found", fmt.Errorf("'%v' is not registered", q.In.Email)}
}
token := passwordreset.NewToken(q.In.Email, time.Hour*24*1, []byte(user.PasswordHash), PASSWORD_RESET_SECRET)
if CONFIG.FreeSMSUser != "" {
err := SendSMS(CONFIG.FreeSMSUser, CONFIG.FreeSMSPass, fmt.Sprintf("'%v' request a password reset. Token '/change-password?token=%v'", q.In.Email, token))
if err != nil {
return nil, NewInternalError(err)
}
}
if MAIL_CONFIG.IsEnabled {
err = SendResetPasswordMail(q.In.Email, token)
if err != nil {
return nil, NewInternalError(err)
}
}
return nil, nil
}
type ChangePasswordQuery struct {
In struct {
Token string
Password string
}
}
func (q ChangePasswordQuery) ValidateParams() *Error {
if q.In.Password == "" {
return &Error{InvalidPassword, "invalid password", fmt.Errorf("invalid password")}
}
if q.In.Token == "" {
return &Error{BadRequest, "invalid token", fmt.Errorf("invalid token")}
}
return nil
}
func (q ChangePasswordQuery) Run() (interface{}, *Error) {
var user *db.User
email, err := passwordreset.VerifyToken(q.In.Token, func(email string) ([]byte, error) {
var err error
user, err = db.GetUserByEmail(email)
if err != nil {
return nil, err
}
if user == nil {
return nil, fmt.Errorf("'%v' is not registered", email)
}
return []byte(user.PasswordHash), nil
}, PASSWORD_RESET_SECRET)
if err != nil && (err == passwordreset.ErrExpiredToken) {
return nil, &Error{BadRequest, "expired token", fmt.Errorf("expired token")}
} else if err != nil && (err == passwordreset.ErrMalformedToken || err == passwordreset.ErrWrongSignature) {
return nil, &Error{BadRequest, "wrong token", fmt.Errorf("wrong token")}
} else if err != nil {
return nil, NewInternalError(err)
}
if user == nil {
return nil, &Error{BadRequest, "bad request", fmt.Errorf("no user found for email '%v'", email)}
}
err = db.SetPassword(user, q.In.Password)
if err != nil {
return nil, NewInternalError(err)
}
return nil, nil
}
|
