camzalewski/personal-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Use user ID in password reset route in order to properly compare token hashes.

Browse source
This commit is contained in:
mikestefanello 2021-12-16 19:49:33 -05:00
parent e6a5fa58c7
commit b383be5dac
6 changed files with 40 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

37
auth/auth.go
View file

@ -3,7 +3,6 @@ package auth
import ( import (
"crypto/rand" "crypto/rand"
"encoding/hex" "encoding/hex"
"errors"
"time" "time"
"goweb/config" "goweb/config"
@ -29,6 +28,13 @@ func (e NotAuthenticatedError) Error() string {
return "user not authenticated" return "user not authenticated"
} }
type InvalidTokenError struct{}
// Error implements the error interface.
func (e InvalidTokenError) Error() string {
return "invalid token"
}
type Client struct { type Client struct {
config *config.Config config *config.Config
orm *ent.Client orm *ent.Client
@ -115,30 +121,31 @@ func (c *Client) GeneratePasswordResetToken(ctx echo.Context, userID int) (strin
return token, pt, err return token, pt, err
} }
func (c *Client) GetValidPasswordToken(ctx echo.Context, token string) (*ent.PasswordToken, error) { func (c *Client) GetValidPasswordToken(ctx echo.Context, token string, userID int) (*ent.PasswordToken, error) {
// Hash the token in order to match in the database // Ensure expired tokens are never returned
hash, err := c.HashPassword(token) expiration := time.Now().Add(-c.config.App.PasswordTokenExpiration)
if err != nil {
return nil, err
}
// Query to find a matching token // Query to find all tokens for te user that haven't expired
pt, err := c.orm.PasswordToken. // We need to get all of them in order to properly match the token to the hashes
pts, err := c.orm.PasswordToken.
Query(). Query().
Where(passwordtoken.Hash(hash)). Where(passwordtoken.HasUserWith(user.ID(userID))).
First(ctx.Request().Context()) Where(passwordtoken.CreatedAtGTE(expiration)).
All(ctx.Request().Context())
if err != nil { if err != nil {
ctx.Logger().Error(err) ctx.Logger().Error(err)
return nil, err return nil, err
} }
// Check if the token is no longer valid // Check all tokens for a hash match
if pt.CreatedAt.Before(time.Now().Add(-c.config.App.PasswordTokenExpiration)) { for _, pt := range pts {
return nil, errors.New("token has expired") if err := c.CheckPassword(token, pt.Hash); err == nil {
return pt, nil
}
} }
return pt, nil return nil, InvalidTokenError{}
} }
func (c *Client) RandomToken(length int) string { func (c *Client) RandomToken(length int) string {

17
middleware/auth.go
View file

@ -2,6 +2,7 @@ package middleware
import ( import (
"net/http" "net/http"
"strconv"
"goweb/auth" "goweb/auth"
"goweb/context" "goweb/context"
@ -34,16 +35,22 @@ func LoadAuthenticatedUser(authClient *auth.Client) echo.MiddlewareFunc {
func LoadValidPasswordToken(authClient *auth.Client) echo.MiddlewareFunc { func LoadValidPasswordToken(authClient *auth.Client) echo.MiddlewareFunc {
return func(next echo.HandlerFunc) echo.HandlerFunc { return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error { return func(c echo.Context) error {
tokenParam := c.Param("password_token") userID, err := strconv.Atoi(c.Param("user"))
if tokenParam == "" { if err != nil {
c.Logger().Warn("missing password token path parameter")
return echo.NewHTTPError(http.StatusNotFound, "Not found") return echo.NewHTTPError(http.StatusNotFound, "Not found")
} }
token, err := authClient.GetValidPasswordToken(c, tokenParam) tokenParam := c.Param("password_token")
if err != nil {
token, err := authClient.GetValidPasswordToken(c, tokenParam, userID)
switch err.(type) {
case nil:
case auth.InvalidTokenError:
msg.Warning(c, "The link is either invalid or has expired. Please request a new one.") msg.Warning(c, "The link is either invalid or has expired. Please request a new one.")
return c.Redirect(http.StatusFound, c.Echo().Reverse("forgot_password")) return c.Redirect(http.StatusFound, c.Echo().Reverse("forgot_password"))
default:
c.Logger().Error(err)
return echo.NewHTTPError(http.StatusInternalServerError, "Internal server error")
} }
c.Set(context.PasswordTokenKey, token) c.Set(context.PasswordTokenKey, token)

2
routes/forgot_password.go
View file

@ -66,7 +66,7 @@ func (f *ForgotPassword) Post(c echo.Context) error {
u, err := f.Container.ORM.User. u, err := f.Container.ORM.User.
Query(). Query().
Where(user.Email(form.Email)). Where(user.Email(form.Email)).
First(c.Request().Context()) Only(c.Request().Context())
if err != nil { if err != nil {
switch err.(type) { switch err.(type) {

2
routes/login.go
View file

@ -61,7 +61,7 @@ func (l *Login) Post(c echo.Context) error {
u, err := l.Container.ORM.User. u, err := l.Container.ORM.User.
Query(). Query().
Where(user.Email(form.Email)). Where(user.Email(form.Email)).
First(c.Request().Context()) Only(c.Request().Context())
if err != nil { if err != nil {
switch err.(type) { switch err.(type) {

2
routes/register.go
View file

@ -42,6 +42,8 @@ func (r *Register) Post(c echo.Context) error {
return r.Get(c) return r.Get(c)
} }
// TODO: Validation for dupe email addresses
// Parse the form values // Parse the form values
form := new(RegisterForm) form := new(RegisterForm)
if err := c.Bind(form); err != nil { if err := c.Bind(form); err != nil {

4
routes/router.go
View file

@ -106,6 +106,6 @@ func userRoutes(c *container.Container, g *echo.Group, ctr controller.Controller
resetGroup := noAuth.Group("/password/reset", middleware.LoadValidPasswordToken(c.Auth)) resetGroup := noAuth.Group("/password/reset", middleware.LoadValidPasswordToken(c.Auth))
reset := ResetPassword{Controller: ctr} reset := ResetPassword{Controller: ctr}
resetGroup.GET("/token/:password_token", reset.Get).Name = "reset_password" resetGroup.GET("/token/:user/:password_token", reset.Get).Name = "reset_password"
resetGroup.POST("/token/:password_token", reset.Post).Name = "reset_password.post" resetGroup.POST("/token/:user/:password_token", reset.Post).Name = "reset_password.post"
} }