feat(security): #328 delete old sessions for change and forgot password
This commit was merged in pull request #335.
This commit is contained in:
@@ -48,9 +48,9 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
|
||||
router.Handle("/auth/change-password", handler.handleChangePasswordPage())
|
||||
router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
|
||||
|
||||
router.Handle("/auth/reset-password", handler.handleResetPasswordPage())
|
||||
router.Handle("/api/auth/reset-password", handler.handleForgotPasswordComp())
|
||||
router.Handle("/api/auth/reset-password-actual", handler.handleForgotPasswordResponseComp())
|
||||
router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
|
||||
router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
|
||||
router.Handle("/api/auth/forgot-password-actual", handler.handleForgotPasswordResponseComp())
|
||||
}
|
||||
|
||||
var (
|
||||
@@ -93,12 +93,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
if err == service.ErrInvaidCredentials {
|
||||
utils.TriggerToast(w, r, "error", "Invalid email or password")
|
||||
http.Error(w, "Invalid email or password", http.StatusUnauthorized)
|
||||
if err == service.ErrInvalidCredentials {
|
||||
utils.TriggerToast(w, r, "error", "Invalid email or password", http.StatusUnauthorized)
|
||||
} else {
|
||||
log.Error("Error signing in: %v", err)
|
||||
http.Error(w, "An error occurred", http.StatusInternalServerError)
|
||||
utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
|
||||
}
|
||||
return
|
||||
}
|
||||
@@ -198,16 +196,16 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
|
||||
|
||||
if err != nil {
|
||||
if errors.Is(err, types.ErrInternal) {
|
||||
utils.TriggerToast(w, r, "error", "An error occurred")
|
||||
utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
|
||||
return
|
||||
} else if errors.Is(err, service.ErrInvalidEmail) {
|
||||
utils.TriggerToast(w, r, "error", "The email provided is invalid")
|
||||
utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
// If the "service.ErrAccountExists", then just continue
|
||||
}
|
||||
|
||||
utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.")
|
||||
utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -261,15 +259,13 @@ func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
|
||||
|
||||
password := r.FormValue("password")
|
||||
|
||||
_, err := handler.service.SignIn(user.Email, password)
|
||||
err := handler.service.DeleteAccount(user, password)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Password not correct")
|
||||
return
|
||||
}
|
||||
|
||||
err = handler.service.DeleteAccount(user)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error")
|
||||
if err == service.ErrInvalidCredentials {
|
||||
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
|
||||
} else {
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@@ -297,8 +293,8 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
|
||||
func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
user := middleware.GetUser(r)
|
||||
if user == nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil || session.User == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
@@ -306,22 +302,22 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
||||
currPass := r.FormValue("current-password")
|
||||
newPass := r.FormValue("new-password")
|
||||
|
||||
err := handler.service.ChangePassword(user, currPass, newPass)
|
||||
err := handler.service.ChangePassword(session, currPass, newPass)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Password not correct")
|
||||
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
utils.TriggerToast(w, r, "success", "Password changed")
|
||||
utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
|
||||
func (handler AuthImpl) handleForgotPasswordPage() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
user := middleware.GetUser(r)
|
||||
if user == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
if user != nil {
|
||||
utils.DoRedirect(w, r, "/")
|
||||
return
|
||||
}
|
||||
|
||||
@@ -335,15 +331,19 @@ func (handler AuthImpl) handleForgotPasswordComp() http.HandlerFunc {
|
||||
|
||||
email := r.FormValue("email")
|
||||
if email == "" {
|
||||
utils.TriggerToast(w, r, "error", "Please enter an email")
|
||||
utils.TriggerToast(w, r, "error", "Please enter an email", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
err := handler.service.SendForgotPasswordMail(email)
|
||||
_, err := utils.WaitMinimumTime(securityWaitDuration, func() (interface{}, error) {
|
||||
err := handler.service.SendForgotPasswordMail(email)
|
||||
return nil, err
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error")
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
|
||||
} else {
|
||||
utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent")
|
||||
utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent", http.StatusOK)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -354,23 +354,18 @@ func (handler AuthImpl) handleForgotPasswordResponseComp() http.HandlerFunc {
|
||||
pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL"))
|
||||
if err != nil {
|
||||
log.Error("Could not get current URL: %v", err)
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error")
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
token := pageUrl.Query().Get("token")
|
||||
if token == "" {
|
||||
utils.TriggerToast(w, r, "error", "No token")
|
||||
return
|
||||
}
|
||||
|
||||
newPass := r.FormValue("new-password")
|
||||
|
||||
err = handler.service.ForgotPassword(token, newPass)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", err.Error())
|
||||
utils.TriggerToast(w, r, "error", err.Error(), http.StatusInternalServerError)
|
||||
} else {
|
||||
utils.TriggerToast(w, r, "success", "Password changed")
|
||||
utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user