2020-11-22 13:49:34 +01:00
|
|
|
class AuthD::Request
|
2023-06-13 03:15:08 +02:00
|
|
|
IPC::JSON.message AskPasswordRecovery, 3 do
|
2023-06-11 21:10:03 +02:00
|
|
|
property user : UserID
|
2020-11-22 13:49:34 +01:00
|
|
|
|
2023-06-11 21:10:03 +02:00
|
|
|
def initialize(@user)
|
2020-11-22 13:49:34 +01:00
|
|
|
end
|
|
|
|
|
|
2023-06-10 17:26:12 +02:00
|
|
|
def handle(authd : AuthD::Service, fd : Int32)
|
2023-06-11 21:10:03 +02:00
|
|
|
user = authd.user? @user
|
2023-06-12 14:40:03 +02:00
|
|
|
# This is a way for an attacker to know what are the valid logins.
|
|
|
|
|
# Not sure I care enough to fix this.
|
2023-06-14 01:46:38 +02:00
|
|
|
return Response::ErrorUserNotFound.new if user.nil?
|
2020-11-22 13:49:34 +01:00
|
|
|
|
2023-06-11 21:10:03 +02:00
|
|
|
# Create a new random key for password renewal.
|
2020-11-22 13:49:34 +01:00
|
|
|
user.password_renew_key = UUID.random.to_s
|
|
|
|
|
authd.users_per_uid.update user.uid.to_s, user
|
|
|
|
|
|
2023-06-11 21:10:03 +02:00
|
|
|
# TODO: this is debug information. Should be removed once tested.
|
2023-02-09 17:55:34 +01:00
|
|
|
# Once the user is created and stored, we try to contact him
|
|
|
|
|
if authd.configuration.print_password_recovery_parameters
|
|
|
|
|
pp! user.login,
|
|
|
|
|
user.contact.email.not_nil!,
|
|
|
|
|
user.password_renew_key.not_nil!
|
|
|
|
|
end
|
2020-11-22 13:49:34 +01:00
|
|
|
|
2023-02-09 17:55:34 +01:00
|
|
|
mailer_exe = authd.configuration.mailer_exe
|
|
|
|
|
template_name = authd.configuration.recovery_template
|
|
|
|
|
|
|
|
|
|
u_login = user.login
|
|
|
|
|
u_email = user.contact.email.not_nil!
|
|
|
|
|
u_token = user.password_renew_key.not_nil!
|
|
|
|
|
|
|
|
|
|
# Once the user is created and stored, we try to contact him.
|
|
|
|
|
unless Process.run(mailer_exe,
|
|
|
|
|
# PARAMETERS
|
|
|
|
|
[ "send", template_name, u_email ],
|
|
|
|
|
# ENV
|
|
|
|
|
{ "LOGIN" => u_login, "TOKEN" => u_token },
|
|
|
|
|
true # clear environment
|
|
|
|
|
).success?
|
|
|
|
|
raise "cannot contact user #{u_login} address #{u_email}"
|
2020-11-22 13:49:34 +01:00
|
|
|
end
|
|
|
|
|
|
2023-06-11 21:10:03 +02:00
|
|
|
Response::PasswordRecoverySent.new
|
2020-11-22 13:49:34 +01:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
AuthD.requests << AskPasswordRecovery
|
2023-06-13 03:15:08 +02:00
|
|
|
|
|
|
|
|
IPC::JSON.message PasswordRecovery, 4 do
|
|
|
|
|
property user : UserID
|
|
|
|
|
property password_renew_key : String
|
|
|
|
|
property new_password : String
|
|
|
|
|
|
|
|
|
|
def initialize(@user, @password_renew_key, @new_password)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def handle(authd : AuthD::Service, fd : Int32)
|
|
|
|
|
user = authd.user? @user
|
|
|
|
|
# This is a way for an attacker to know what are the valid logins.
|
|
|
|
|
# Not sure I care enough to fix this.
|
2023-06-14 01:46:38 +02:00
|
|
|
return Response::ErrorUserNotFound.new if user.nil?
|
2023-06-13 03:15:08 +02:00
|
|
|
|
|
|
|
|
if user.password_renew_key == @password_renew_key
|
|
|
|
|
user.password_hash = authd.hash_password @new_password
|
|
|
|
|
else
|
2023-06-14 02:07:03 +02:00
|
|
|
return Response::ErrorInvalidRenewKey.new
|
2023-06-13 03:15:08 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
user.password_renew_key = nil
|
|
|
|
|
|
|
|
|
|
authd.users_per_uid.update user.uid.to_s, user
|
|
|
|
|
|
|
|
|
|
Response::PasswordRecovered.new
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
AuthD.requests << PasswordRecovery
|
2020-11-22 13:49:34 +01:00
|
|
|
end
|
