OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
Browse Source

Ensure that 2fa is checked on reset-password (#9857) 

* Ensure that 2fa is checked on reset-password

* Apply suggestions from code review

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Properly manage scratch_code regeneration

Co-authored-by: Lauris BH <lauris@nix.lv>
tags/v1.12.0-dev
zeripath GitHub 5 years ago
parent
ec612b33bc
commit
18a37b4b2e
2 changed files with 97 additions and 9 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +75
    -8
      routers/user/auth.go
  2. +22
    -1
      templates/user/auth/reset_passwd.tmpl

+ 75
- 8
routers/user/auth.go View File

@@ -1284,7 +1284,7 @@ func ForgotPasswdPost(ctx *context.Context) {
ctx.HTML(200, tplForgotPassword) ctx.HTML(200, tplForgotPassword)
} }


func commonResetPassword(ctx *context.Context) *models.User {
func commonResetPassword(ctx *context.Context) (*models.User, *models.TwoFactor) {
code := ctx.Query("code") code := ctx.Query("code")


ctx.Data["Title"] = ctx.Tr("auth.reset_password") ctx.Data["Title"] = ctx.Tr("auth.reset_password")
@@ -1296,14 +1296,25 @@ func commonResetPassword(ctx *context.Context) *models.User {


if len(code) == 0 { if len(code) == 0 {
ctx.Flash.Error(ctx.Tr("auth.invalid_code")) ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
return nil
return nil, nil
} }


// Fail early, don't frustrate the user // Fail early, don't frustrate the user
u := models.VerifyUserActiveCode(code) u := models.VerifyUserActiveCode(code)
if u == nil { if u == nil {
ctx.Flash.Error(ctx.Tr("auth.invalid_code")) ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
return nil
return nil, nil
}

twofa, err := models.GetTwoFactorByUID(u.ID)
if err != nil {
if !models.IsErrTwoFactorNotEnrolled(err) {
ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
return nil, nil
}
} else {
ctx.Data["has_two_factor"] = true
ctx.Data["scratch_code"] = ctx.QueryBool("scratch_code")
} }


// Show the user that they are affecting the account that they intended to // Show the user that they are affecting the account that they intended to
@@ -1311,10 +1322,10 @@ func commonResetPassword(ctx *context.Context) *models.User {


if nil != ctx.User && u.ID != ctx.User.ID { if nil != ctx.User && u.ID != ctx.User.ID {
ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email)) ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
return nil
return nil, nil
} }


return u
return u, twofa
} }


// ResetPasswd render the account recovery page // ResetPasswd render the account recovery page
@@ -1322,13 +1333,19 @@ func ResetPasswd(ctx *context.Context) {
ctx.Data["IsResetForm"] = true ctx.Data["IsResetForm"] = true


commonResetPassword(ctx) commonResetPassword(ctx)
if ctx.Written() {
return
}


ctx.HTML(200, tplResetPassword) ctx.HTML(200, tplResetPassword)
} }


// ResetPasswdPost response from account recovery request // ResetPasswdPost response from account recovery request
func ResetPasswdPost(ctx *context.Context) { func ResetPasswdPost(ctx *context.Context) {
u := commonResetPassword(ctx)
u, twofa := commonResetPassword(ctx)
if ctx.Written() {
return
}


if u == nil { if u == nil {
// Flash error has been set // Flash error has been set
@@ -1350,6 +1367,39 @@ func ResetPasswdPost(ctx *context.Context) {
return return
} }


// Handle two-factor
regenerateScratchToken := false
if twofa != nil {
if ctx.QueryBool("scratch_code") {
if !twofa.VerifyScratchToken(ctx.Query("token")) {
ctx.Data["IsResetForm"] = true
ctx.Data["Err_Token"] = true
ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
return
}
regenerateScratchToken = true
} else {
passcode := ctx.Query("passcode")
ok, err := twofa.ValidateTOTP(passcode)
if err != nil {
ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
return
}
if !ok || twofa.LastUsedPasscode == passcode {
ctx.Data["IsResetForm"] = true
ctx.Data["Err_Passcode"] = true
ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
return
}

twofa.LastUsedPasscode = passcode
if err = models.UpdateTwoFactor(twofa); err != nil {
ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err)
return
}
}
}

var err error var err error
if u.Rands, err = models.GetUserSalt(); err != nil { if u.Rands, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
@@ -1359,7 +1409,6 @@ func ResetPasswdPost(ctx *context.Context) {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }

u.HashPassword(passwd) u.HashPassword(passwd)
u.MustChangePassword = false u.MustChangePassword = false
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil { if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil {
@@ -1368,9 +1417,27 @@ func ResetPasswdPost(ctx *context.Context) {
} }


log.Trace("User password reset: %s", u.Name) log.Trace("User password reset: %s", u.Name)

ctx.Data["IsResetFailed"] = true ctx.Data["IsResetFailed"] = true
remember := len(ctx.Query("remember")) != 0 remember := len(ctx.Query("remember")) != 0

if regenerateScratchToken {
// Invalidate the scratch token.
_, err = twofa.GenerateScratchToken()
if err != nil {
ctx.ServerError("UserSignIn", err)
return
}
if err = models.UpdateTwoFactor(twofa); err != nil {
ctx.ServerError("UserSignIn", err)
return
}

handleSignInFull(ctx, u, remember, false)
ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
}

handleSignInFull(ctx, u, remember, true) handleSignInFull(ctx, u, remember, true)
} }




+ 22
- 1
templates/user/auth/reset_passwd.tmpl View File

@@ -18,7 +18,7 @@
{{end}} {{end}}
{{if .IsResetForm}} {{if .IsResetForm}}
<div class="required inline field {{if .Err_Password}}error{{end}}"> <div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label>
<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required> <input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
</div> </div>
{{if not .user_signed_in}} {{if not .user_signed_in}}
@@ -30,10 +30,31 @@
</div> </div>
</div> </div>
{{end}} {{end}}
{{if .has_two_factor}}
<h4 class="ui dividing header">
{{.i18n.Tr "twofa"}}
</h4>
<div class="ui warning visible message">{{.i18n.Tr "settings.twofa_is_enrolled" | Str2html }}</div>
{{if .scratch_code}}
<div class="required inline field {{if .Err_Token}}error{{end}}">
<label for="token">{{.i18n.Tr "auth.scratch_code"}}</label>
<input id="token" name="token" type="text" autocomplete="off" autofocus required>
</div>
<input type="hidden" name="scratch_code" value="true">
{{else}}
<div class="required inline field {{if .Err_Passcode}}error{{end}}">
<label for="passcode">{{.i18n.Tr "passcode"}}</label>
<input id="passcode" name="passcode" type="number" autocomplete="off" autofocus required>
</div>
{{end}}
{{end}}
<div class="ui divider"></div> <div class="ui divider"></div>
<div class="inline field"> <div class="inline field">
<label></label> <label></label>
<button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button> <button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button>
{{if and .has_two_factor (not .scratch_code)}}
<a href="{{.Link}}?code={{.Code}}&amp;scratch_code=true">{{.i18n.Tr "auth.use_scratch_code" | Str2html}}</a>
{{end}}
</div> </div>
{{else}} {{else}}
<p class="center">{{.i18n.Tr "auth.invalid_code"}}</p> <p class="center">{{.i18n.Tr "auth.invalid_code"}}</p>


Write Preview
Loading…
Cancel
Save