Include password token entity ID in reset URL in order to prevent loading all tokens.

mikestefanello 2022-01-27 08:44:12 -05:00
parent 5c64cd6191
commit f4c98ba523
7 changed files with 50 additions and 35 deletions


@ -76,7 +76,7 @@ func (c *ForgotPassword) Post(ctx echo.Context) error {
}
// Generate the token
token, _, err := c.Container.Auth.GeneratePasswordResetToken(ctx, u.ID)
token, pt, err := c.Container.Auth.GeneratePasswordResetToken(ctx, u.ID)
if err != nil {
return c.Fail(ctx, err, "error generating password reset token")
}
@ -84,7 +84,7 @@ func (c *ForgotPassword) Post(ctx echo.Context) error {
ctx.Logger().Infof("generated password reset token for user %d", u.ID)
// Email the user
url := ctx.Echo().Reverse("reset_password", u.ID, token)
url := ctx.Echo().Reverse("reset_password", u.ID, pt.ID, token)
err = c.Container.Mail.
Compose().
To(u.Email).
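Review bot: The line `url := ctx.Echo().Reverse("reset_password", u.ID, pt.ID, token)` now places the token entity's ID next to the secret value, and nothing in the hunk says which of the two is the credential; a comment would keep a later reader from treating the ID as anything more than a lookup key: `// pt.ID narrows the lookup to a single token row; only the secret token value authorizes the reset and must still be verified against that row.` Whether the validating middleware binds the ID to both u.ID and the presented token is presumably handled in LoadValidPasswordToken, which is outside this hunk; it is worth confirming that the token is checked against exactly the row identified by pt.ID rather than matched against any of the user's tokens. `pt` is dereferenced without a nil check, which is fine only if GeneratePasswordResetToken guarantees a non-nil entity whenever err is nil. Post starts and ends outside the hunk.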


@ -104,6 +104,6 @@ func userRoutes(c *services.Container, g *echo.Group, ctr controller.Controller)
middleware.LoadValidPasswordToken(c.Auth),
)
reset := ResetPassword{Controller: ctr}
resetGroup.GET("/token/:user/:password_token", reset.Get).Name = "reset_password"
resetGroup.POST("/token/:user/:password_token", reset.Post).Name = "reset_password.post"
resetGroup.GET("/token/:user/:password_token/:token", reset.Get).Name = "reset_password"
resetGroup.POST("/token/:user/:password_token/:token", reset.Post).Name = "reset_password.post"
}
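Review bot: The new pattern `/token/:user/:password_token/:token` gives the two trailing parameters names that read backwards — `:password_token` is the token entity ID introduced by this commit while `:token` is the secret — and nothing at the registration site explains that. A comment above the two route registrations would settle it: `// :password_token is the token entity ID used to look up a single row; :token is the secret value that LoadValidPasswordToken verifies against that row.` Renaming the segment to `:password_token_id` would be clearer still, but the LoadValidPasswordToken middleware registered on the group earlier in the hunk presumably reads the parameter by name outside this hunk, so the rename would have to be applied there as well. userRoutes starts outside the hunk.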