Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(NOBIDS) prevent pw reset if not allowed #2847

Merged
merged 3 commits into from
Mar 12, 2024
Merged

(NOBIDS) prevent pw reset if not allowed #2847

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5fd8756
(NOBIDS) prevent pw reset if not allowed
guybrush Mar 11, 2024
f39f0c5
(NOBIDS) use password-reset-not-allowed error
guybrush Mar 11, 2024
377a8e8
(NOBIDS) misc: add command: disable-user-per-email
guybrush Mar 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions db/migrations/20240311140000_add_users_password_reset_not_allowed.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
-- +goose Up
-- +goose StatementBegin
SELECT 'up SQL query - add column users.password_reset_not_allowed';
ALTER TABLE users ADD COLUMN IF NOT EXISTS password_reset_not_allowed BOOLEAN NOT NULL DEFAULT FALSE;
-- +goose StatementEnd

-- +goose Down
-- +goose StatementBegin
SELECT 'down SQL query - drop column users.password_reset_not_allowed';
ALTER TABLE users DROP COLUMN IF EXISTS password_reset_not_allowed;
-- +goose StatementEnd
25 changes: 20 additions & 5 deletions handlers/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -553,12 +553,18 @@ func RequestResetPasswordPost(w http.ResponseWriter, r *http.Request) {
}

var rateLimitError *types.RateLimitError
var passwordResetNotAllowedError *types.PasswordResetNotAllowedError
err = sendPasswordResetEmail(email)
if err != nil && !errors.As(err, &rateLimitError) {
logger.Errorf("error sending reset-email: %v", err)
utils.SetFlash(w, r, authSessionName, authInternalServerErrorFlashMsg)
} else if err != nil && errors.As(err, &rateLimitError) {
utils.SetFlash(w, r, authSessionName, fmt.Sprintf("Error: The ratelimit for sending emails has been exceeded, please try again in %v.", err.(*types.RateLimitError).TimeLeft.Round(time.Second)))
if err != nil {
switch {
case errors.As(err, &passwordResetNotAllowedError):
utils.SetFlash(w, r, authSessionName, "Error: Password reset is not allowed for this user.")
case errors.As(err, &rateLimitError):
utils.SetFlash(w, r, authSessionName, fmt.Sprintf("Error: The ratelimit for sending emails has been exceeded, please try again in %v.", err.(*types.RateLimitError).TimeLeft.Round(time.Second)))
default:
logger.Errorf("error sending reset-email: %v", err)
utils.SetFlash(w, r, authSessionName, authInternalServerErrorFlashMsg)
}
} else {
utils.SetFlash(w, r, authSessionName, "An email has been sent which contains a link to reset your password.")
}
Expand Down Expand Up @@ -736,6 +742,15 @@ func sendPasswordResetEmail(email string) error {
}
defer tx.Rollback()

var passwordResetNotAllowed bool
err = tx.Get(&passwordResetNotAllowed, "SELECT COALESCE(password_reset_not_allowed, true) FROM users WHERE email = $1", email)
if err != nil {
return fmt.Errorf("error getting password_reset_not_allowed: %w", err)
}
if passwordResetNotAllowed {
return &types.PasswordResetNotAllowedError{}
}

var lastTs *time.Time
err = tx.Get(&lastTs, "SELECT password_reset_ts FROM users WHERE email = $1", email)
if err != nil && !errors.Is(err, sql.ErrNoRows) {
Expand Down
18 changes: 13 additions & 5 deletions handlers/user.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1046,13 +1046,14 @@ func UserUpdatePasswordPost(w http.ResponseWriter, r *http.Request) {
pwdOld := r.FormValue("old-password")

currentUser := struct {
ID int64 `db:"id"`
Email string `db:"email"`
Password string `db:"password"`
Confirmed bool `db:"email_confirmed"`
ID int64 `db:"id"`
Email string `db:"email"`
Password string `db:"password"`
Confirmed bool `db:"email_confirmed"`
PasswordResetNotAllowed bool `db:"password_reset_not_allowed"`
}{}

err = db.FrontendWriterDB.Get(&currentUser, "SELECT id, email, password, email_confirmed FROM users WHERE id = $1", user.UserID)
err = db.FrontendWriterDB.Get(&currentUser, "SELECT id, email, password, email_confirmed, password_reset_not_allowed FROM users WHERE id = $1", user.UserID)
if err != nil {
if err != sql.ErrNoRows {
logger.Errorf("error retrieving password for user %v: %v", user.UserID, err)
Expand All @@ -1063,6 +1064,13 @@ func UserUpdatePasswordPost(w http.ResponseWriter, r *http.Request) {
return
}

if currentUser.PasswordResetNotAllowed {
session.AddFlash("Error: Password reset is not allowed for this account!")
session.Save(r, w)
http.Redirect(w, r, "/user/settings", http.StatusSeeOther)
return
}

if !currentUser.Confirmed {
session.AddFlash("Error: Email has not been confirmed, please click the link in the email we sent you or <a href='/resend'>resend link</a>!")
session.Save(r, w)
Expand Down
7 changes: 7 additions & 0 deletions types/templates.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1326,6 +1326,13 @@ type StakeWithUsPageData struct {
FlashMessage string
RecaptchaKey string
}

type PasswordResetNotAllowedError struct{}

func (e *PasswordResetNotAllowedError) Error() string {
return "password reset not allowed for this account"
}

type RateLimitError struct {
TimeLeft time.Duration
}
Expand Down
Loading