handle reset password edge cases properly and consistently

This commit is contained in:
AJ ONeal 2018-10-07 20:18:21 +00:00
parent d3a4d76d0e
commit f8cf890b41
3 changed files with 84 additions and 52 deletions

View File

@ -219,7 +219,8 @@ email_not_associate = The email address is not associated with any account.
send_reset_mail = Click here to resend your password reset email send_reset_mail = Click here to resend your password reset email
reset_password = Reset Your Password reset_password = Reset Your Password
invalid_code = Your confirmation code is invalid or has expired. invalid_code = Your confirmation code is invalid or has expired.
reset_password_helper = Click here to reset your password reset_password_helper = Reset Password
reset_password_wrong_user = You are signed in as %s, but the password reset link is for %s
password_too_short = Password length cannot be less than %d characters. password_too_short = Password length cannot be less than %d characters.
non_local_account = Non-local users can not update their password through the Gitea web interface. non_local_account = Non-local users can not update their password through the Gitea web interface.
verify = Verify verify = Verify

View File

@ -1139,73 +1139,89 @@ func ForgotPasswdPost(ctx *context.Context) {
ctx.HTML(200, tplForgotPassword) ctx.HTML(200, tplForgotPassword)
} }
func commonResetPassword(ctx *context.Context) *models.User {
code := ctx.Query("code")
ctx.Data["Title"] = ctx.Tr("auth.reset_password")
ctx.Data["Code"] = code
if nil != ctx.User {
ctx.Data["user_signed_in"] = true
}
if len(code) == 0 {
ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
return nil
}
// Fail early, don't frustrate the user
u := models.VerifyUserActiveCode(code)
if u == nil {
ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
return nil
}
// Show the user that they are affecting the account that they intended to
ctx.Data["user_email"] = u.Email
if nil != ctx.User && u.ID != ctx.User.ID {
ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
return nil
}
return u
}
// ResetPasswd render the reset password page // ResetPasswd render the reset password page
func ResetPasswd(ctx *context.Context) { func ResetPasswd(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("auth.reset_password")
// TODO for security and convenience, show the username / email here
code := ctx.Query("code")
if len(code) == 0 {
ctx.Error(404)
return
}
ctx.Data["Code"] = code
ctx.Data["IsResetForm"] = true ctx.Data["IsResetForm"] = true
_ = commonResetPassword(ctx)
ctx.HTML(200, tplResetPassword) ctx.HTML(200, tplResetPassword)
} }
// ResetPasswdPost response from reset password request // ResetPasswdPost response from reset password request
func ResetPasswdPost(ctx *context.Context) { func ResetPasswdPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("auth.reset_password") u := commonResetPassword(ctx)
code := ctx.Query("code") if u == nil {
if len(code) == 0 { // Flash error has been set
ctx.Error(404) ctx.HTML(200, tplResetPassword)
return return
} }
ctx.Data["Code"] = code
if u := models.VerifyUserActiveCode(code); u != nil { // Validate password length.
// Validate password length. passwd := ctx.Query("password")
passwd := ctx.Query("password") if len(passwd) < setting.MinPasswordLength {
if len(passwd) < setting.MinPasswordLength { ctx.Data["IsResetForm"] = true
ctx.Data["IsResetForm"] = true ctx.Data["Err_Password"] = true
ctx.Data["Err_Password"] = true ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)
return
}
var err error
if u.Rands, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
if u.Salt, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
// Just in case the user is signed in to another account
handleSignOut(ctx)
u.HashPassword(passwd)
u.MustChangePassword = false
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
log.Trace("User password reset: %s", u.Name)
// TODO change the former form to have password retype and remember me,
// then sign in here instead of redirecting
ctx.Redirect(setting.AppSubURL + "/user/login")
return return
} }
var err error
if u.Rands, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
if u.Salt, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
u.HashPassword(passwd)
u.MustChangePassword = false
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
log.Trace("User password reset: %s", u.Name)
ctx.Data["IsResetFailed"] = true ctx.Data["IsResetFailed"] = true
ctx.HTML(200, tplResetPassword) remember := len(ctx.Query("remember")) != 0
handleSignInFull(ctx, u, remember, true)
} }
// MustChangePassword renders the page to change a user's password // MustChangePassword renders the page to change a user's password

View File

@ -10,11 +10,26 @@
</h2> </h2>
<div class="ui attached segment"> <div class="ui attached segment">
{{template "base/alert" .}} {{template "base/alert" .}}
{{if .user_email }}
<div class="inline field">
<label for="user_name">{{.i18n.Tr "email"}}</label>
<input id="user_name" type="text" value="{{ .user_email }}" disabled>
</div>
{{end}}
{{if .IsResetForm}} {{if .IsResetForm}}
<div class="required inline field {{if .Err_Password}}error{{end}}"> <div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label> <label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required> <input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
</div> </div>
{{if not .user_signed_in}}
<div class="inline field">
<label></label>
<div class="ui checkbox">
<label>{{.i18n.Tr "auth.remember_me"}}</label>
<input name="remember" type="checkbox">
</div>
</div>
{{end}}
<div class="ui divider"></div> <div class="ui divider"></div>
<div class="inline field"> <div class="inline field">
<label></label> <label></label>