feat(security): #328 delete old sessions for change and forgot password
Some checks failed
Build Docker Image / Build-Docker-Image (push) Failing after 40s
Some checks failed
Build Docker Image / Build-Docker-Image (push) Failing after 40s
This commit is contained in:
@@ -18,11 +18,12 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
ErrInvaidCredentials = errors.New("invalid email or password")
|
||||
ErrInvalidPassword = errors.New("password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
|
||||
ErrInvalidEmail = errors.New("invalid email")
|
||||
ErrAccountExists = errors.New("account already exists")
|
||||
ErrSessionIdInvalid = errors.New("session ID is invalid")
|
||||
ErrInvalidCredentials = errors.New("invalid email or password")
|
||||
ErrInvalidPassword = errors.New("password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
|
||||
ErrInvalidEmail = errors.New("invalid email")
|
||||
ErrAccountExists = errors.New("account already exists")
|
||||
ErrSessionIdInvalid = errors.New("session ID is invalid")
|
||||
ErrTokenInvalid = errors.New("token is invalid")
|
||||
)
|
||||
|
||||
type User struct {
|
||||
@@ -65,9 +66,9 @@ type Auth interface {
|
||||
SignInAnonymous() (*Session, error)
|
||||
SignOut(sessionId string) error
|
||||
|
||||
DeleteAccount(user *User) error
|
||||
DeleteAccount(user *User, currPass string) error
|
||||
|
||||
ChangePassword(user *User, currPass, newPass string) error
|
||||
ChangePassword(session *Session, currPass, newPass string) error
|
||||
|
||||
SendForgotPasswordMail(email string) error
|
||||
ForgotPassword(token string, newPass string) error
|
||||
@@ -98,7 +99,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
|
||||
user, err := service.db.GetUserByEmail(email)
|
||||
if err != nil {
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, ErrInvaidCredentials
|
||||
return nil, ErrInvalidCredentials
|
||||
} else {
|
||||
return nil, types.ErrInternal
|
||||
}
|
||||
@@ -107,7 +108,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
|
||||
hash := GetHashPassword(password, user.Salt)
|
||||
|
||||
if subtle.ConstantTimeCompare(hash, user.Password) == 0 {
|
||||
return nil, ErrInvaidCredentials
|
||||
return nil, ErrInvalidCredentials
|
||||
}
|
||||
|
||||
session, err := service.createSession(user.Id)
|
||||
@@ -297,9 +298,19 @@ func (service AuthImpl) SignOut(sessionId string) error {
|
||||
return service.db.DeleteSession(sessionId)
|
||||
}
|
||||
|
||||
func (service AuthImpl) DeleteAccount(user *User) error {
|
||||
func (service AuthImpl) DeleteAccount(user *User, currPass string) error {
|
||||
|
||||
err := service.db.DeleteUser(user.Id)
|
||||
userDb, err := service.db.GetUser(user.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
currHash := GetHashPassword(currPass, userDb.Salt)
|
||||
if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
|
||||
return ErrInvalidCredentials
|
||||
}
|
||||
|
||||
err = service.db.DeleteUser(user.Id)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -309,7 +320,7 @@ func (service AuthImpl) DeleteAccount(user *User) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) error {
|
||||
func (service AuthImpl) ChangePassword(session *Session, currPass, newPass string) error {
|
||||
|
||||
if !isPasswordValid(newPass) {
|
||||
return ErrInvalidPassword
|
||||
@@ -319,18 +330,18 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
|
||||
return ErrInvalidPassword
|
||||
}
|
||||
|
||||
_, err := service.SignIn(user.Email, currPass)
|
||||
userDb, err := service.db.GetUser(session.User.Id)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
userDb, err := service.db.GetUser(user.Id)
|
||||
if err != nil {
|
||||
return err
|
||||
currHash := GetHashPassword(currPass, userDb.Salt)
|
||||
|
||||
if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
|
||||
return ErrInvalidCredentials
|
||||
}
|
||||
|
||||
newHash := GetHashPassword(newPass, userDb.Salt)
|
||||
|
||||
userDb.Password = newHash
|
||||
|
||||
err = service.db.UpdateUser(userDb)
|
||||
@@ -338,11 +349,23 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
|
||||
return err
|
||||
}
|
||||
|
||||
sessions, err := service.db.GetSessions(userDb.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
for _, s := range sessions {
|
||||
if s.Id != session.Id {
|
||||
err = service.db.DeleteSession(s.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (service AuthImpl) SendForgotPasswordMail(email string) error {
|
||||
|
||||
tokenStr, err := service.random.String(32)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -383,7 +406,7 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
|
||||
|
||||
token, err := service.db.GetToken(tokenStr)
|
||||
if err != nil {
|
||||
return err
|
||||
return ErrTokenInvalid
|
||||
}
|
||||
|
||||
err = service.db.DeleteToken(tokenStr)
|
||||
@@ -391,6 +414,11 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
if token.Type != db.TokenTypePasswordReset ||
|
||||
token.ExpiresAt.Before(service.clock.Now()) {
|
||||
return ErrTokenInvalid
|
||||
}
|
||||
|
||||
user, err := service.db.GetUser(token.UserId)
|
||||
if err != nil {
|
||||
log.Error("Could not get user from token: %v", err)
|
||||
@@ -405,6 +433,18 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
sessions, err := service.db.GetSessions(user.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
for _, session := range sessions {
|
||||
err = service.db.DeleteSession(session.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user