Ensure that 2fa is checked on reset-password (#9857)
* Ensure that 2fa is checked on reset-password * Apply suggestions from code review Co-Authored-By: Lauris BH <lauris@nix.lv> * Properly manage scratch_code regeneration Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
parent
1d7b7504d0
commit
92d6bca41e
2 changed files with 97 additions and 9 deletions
|
@ -1284,7 +1284,7 @@ func ForgotPasswdPost(ctx *context.Context) {
|
||||||
ctx.HTML(200, tplForgotPassword)
|
ctx.HTML(200, tplForgotPassword)
|
||||||
}
|
}
|
||||||
|
|
||||||
func commonResetPassword(ctx *context.Context) *models.User {
|
func commonResetPassword(ctx *context.Context) (*models.User, *models.TwoFactor) {
|
||||||
code := ctx.Query("code")
|
code := ctx.Query("code")
|
||||||
|
|
||||||
ctx.Data["Title"] = ctx.Tr("auth.reset_password")
|
ctx.Data["Title"] = ctx.Tr("auth.reset_password")
|
||||||
|
@ -1296,14 +1296,25 @@ func commonResetPassword(ctx *context.Context) *models.User {
|
||||||
|
|
||||||
if len(code) == 0 {
|
if len(code) == 0 {
|
||||||
ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
|
ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
|
||||||
return nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fail early, don't frustrate the user
|
// Fail early, don't frustrate the user
|
||||||
u := models.VerifyUserActiveCode(code)
|
u := models.VerifyUserActiveCode(code)
|
||||||
if u == nil {
|
if u == nil {
|
||||||
ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
|
ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
|
||||||
return nil
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
twofa, err := models.GetTwoFactorByUID(u.ID)
|
||||||
|
if err != nil {
|
||||||
|
if !models.IsErrTwoFactorNotEnrolled(err) {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
ctx.Data["has_two_factor"] = true
|
||||||
|
ctx.Data["scratch_code"] = ctx.QueryBool("scratch_code")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Show the user that they are affecting the account that they intended to
|
// Show the user that they are affecting the account that they intended to
|
||||||
|
@ -1311,10 +1322,10 @@ func commonResetPassword(ctx *context.Context) *models.User {
|
||||||
|
|
||||||
if nil != ctx.User && u.ID != ctx.User.ID {
|
if nil != ctx.User && u.ID != ctx.User.ID {
|
||||||
ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
|
ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
|
||||||
return nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
return u
|
return u, twofa
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResetPasswd render the account recovery page
|
// ResetPasswd render the account recovery page
|
||||||
|
@ -1322,13 +1333,19 @@ func ResetPasswd(ctx *context.Context) {
|
||||||
ctx.Data["IsResetForm"] = true
|
ctx.Data["IsResetForm"] = true
|
||||||
|
|
||||||
commonResetPassword(ctx)
|
commonResetPassword(ctx)
|
||||||
|
if ctx.Written() {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx.HTML(200, tplResetPassword)
|
ctx.HTML(200, tplResetPassword)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResetPasswdPost response from account recovery request
|
// ResetPasswdPost response from account recovery request
|
||||||
func ResetPasswdPost(ctx *context.Context) {
|
func ResetPasswdPost(ctx *context.Context) {
|
||||||
u := commonResetPassword(ctx)
|
u, twofa := commonResetPassword(ctx)
|
||||||
|
if ctx.Written() {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if u == nil {
|
if u == nil {
|
||||||
// Flash error has been set
|
// Flash error has been set
|
||||||
|
@ -1350,6 +1367,39 @@ func ResetPasswdPost(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Handle two-factor
|
||||||
|
regenerateScratchToken := false
|
||||||
|
if twofa != nil {
|
||||||
|
if ctx.QueryBool("scratch_code") {
|
||||||
|
if !twofa.VerifyScratchToken(ctx.Query("token")) {
|
||||||
|
ctx.Data["IsResetForm"] = true
|
||||||
|
ctx.Data["Err_Token"] = true
|
||||||
|
ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
regenerateScratchToken = true
|
||||||
|
} else {
|
||||||
|
passcode := ctx.Query("passcode")
|
||||||
|
ok, err := twofa.ValidateTOTP(passcode)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !ok || twofa.LastUsedPasscode == passcode {
|
||||||
|
ctx.Data["IsResetForm"] = true
|
||||||
|
ctx.Data["Err_Passcode"] = true
|
||||||
|
ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
twofa.LastUsedPasscode = passcode
|
||||||
|
if err = models.UpdateTwoFactor(twofa); err != nil {
|
||||||
|
ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
if u.Rands, err = models.GetUserSalt(); err != nil {
|
if u.Rands, err = models.GetUserSalt(); err != nil {
|
||||||
ctx.ServerError("UpdateUser", err)
|
ctx.ServerError("UpdateUser", err)
|
||||||
|
@ -1359,7 +1409,6 @@ func ResetPasswdPost(ctx *context.Context) {
|
||||||
ctx.ServerError("UpdateUser", err)
|
ctx.ServerError("UpdateUser", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
u.HashPassword(passwd)
|
u.HashPassword(passwd)
|
||||||
u.MustChangePassword = false
|
u.MustChangePassword = false
|
||||||
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil {
|
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil {
|
||||||
|
@ -1368,9 +1417,27 @@ func ResetPasswdPost(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Trace("User password reset: %s", u.Name)
|
log.Trace("User password reset: %s", u.Name)
|
||||||
|
|
||||||
ctx.Data["IsResetFailed"] = true
|
ctx.Data["IsResetFailed"] = true
|
||||||
remember := len(ctx.Query("remember")) != 0
|
remember := len(ctx.Query("remember")) != 0
|
||||||
|
|
||||||
|
if regenerateScratchToken {
|
||||||
|
// Invalidate the scratch token.
|
||||||
|
_, err = twofa.GenerateScratchToken()
|
||||||
|
if err != nil {
|
||||||
|
ctx.ServerError("UserSignIn", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err = models.UpdateTwoFactor(twofa); err != nil {
|
||||||
|
ctx.ServerError("UserSignIn", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
handleSignInFull(ctx, u, remember, false)
|
||||||
|
ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
|
||||||
|
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
handleSignInFull(ctx, u, remember, true)
|
handleSignInFull(ctx, u, remember, true)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
{{end}}
|
{{end}}
|
||||||
{{if .IsResetForm}}
|
{{if .IsResetForm}}
|
||||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
|
||||||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
|
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
|
||||||
</div>
|
</div>
|
||||||
{{if not .user_signed_in}}
|
{{if not .user_signed_in}}
|
||||||
|
@ -30,10 +30,31 @@
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
{{end}}
|
{{end}}
|
||||||
|
{{if .has_two_factor}}
|
||||||
|
<h4 class="ui dividing header">
|
||||||
|
{{.i18n.Tr "twofa"}}
|
||||||
|
</h4>
|
||||||
|
<div class="ui warning visible message">{{.i18n.Tr "settings.twofa_is_enrolled" | Str2html }}</div>
|
||||||
|
{{if .scratch_code}}
|
||||||
|
<div class="required inline field {{if .Err_Token}}error{{end}}">
|
||||||
|
<label for="token">{{.i18n.Tr "auth.scratch_code"}}</label>
|
||||||
|
<input id="token" name="token" type="text" autocomplete="off" autofocus required>
|
||||||
|
</div>
|
||||||
|
<input type="hidden" name="scratch_code" value="true">
|
||||||
|
{{else}}
|
||||||
|
<div class="required inline field {{if .Err_Passcode}}error{{end}}">
|
||||||
|
<label for="passcode">{{.i18n.Tr "passcode"}}</label>
|
||||||
|
<input id="passcode" name="passcode" type="number" autocomplete="off" autofocus required>
|
||||||
|
</div>
|
||||||
|
{{end}}
|
||||||
|
{{end}}
|
||||||
<div class="ui divider"></div>
|
<div class="ui divider"></div>
|
||||||
<div class="inline field">
|
<div class="inline field">
|
||||||
<label></label>
|
<label></label>
|
||||||
<button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button>
|
<button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button>
|
||||||
|
{{if and .has_two_factor (not .scratch_code)}}
|
||||||
|
<a href="{{.Link}}?code={{.Code}}&scratch_code=true">{{.i18n.Tr "auth.use_scratch_code" | Str2html}}</a>
|
||||||
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
{{else}}
|
{{else}}
|
||||||
<p class="center">{{.i18n.Tr "auth.invalid_code"}}</p>
|
<p class="center">{{.i18n.Tr "auth.invalid_code"}}</p>
|
||||||
|
|
Reference in a new issue