annotate pkg/controllers/pwreset.go @ 438:ffdb507d5b42

Removed db service user. Use an impersonated metamorph user instead.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Tue, 21 Aug 2018 11:33:19 +0200
parents c1047fd04a3a
children fc37e7072022
1 package controllers
3 import (
4 "bytes"
5 "database/sql"
6 "encoding/hex"
7 "log"
8 "net/http"
9 "os/exec"
10 "strings"
11 "text/template"
12 "time"
14 "github.com/gorilla/mux"
16 "gemma.intevation.de/gemma/pkg/auth"
17 "gemma.intevation.de/gemma/pkg/common"
18 "gemma.intevation.de/gemma/pkg/misc"
19 )
// SQL statements of the password reset workflow. Every statement takes its
// values as positional parameters ($1, $2); none is built by string
// concatenation.
const (
	// insertRequestSQL records a new reset request: $1 is the token
	// ("hash"), $2 the user name.
	insertRequestSQL = `INSERT INTO pw_reset.password_reset_requests
(hash, username) VALUES ($1, $2)`

	// countRequestsSQL counts all stored reset requests, for the global cap.
	countRequestsSQL = `SELECT count(*) FROM pw_reset.password_reset_requests`

	// countRequestsUserSQL counts the stored reset requests of user $1,
	// for the per-user cap.
	countRequestsUserSQL = `SELECT count(*) FROM pw_reset.password_reset_requests
WHERE username = $1`

	// deleteRequestSQL removes the request identified by token $1.
	deleteRequestSQL = `DELETE FROM pw_reset.password_reset_requests
WHERE hash = $1`

	// findRequestSQL resolves token $1 to the e-mail address and user name
	// of the requesting account.
	// NOTE(review): the query has no predicate on "issued", so a request
	// stays usable until cleanupRequestsSQL has removed it. Confirm that
	// the code calling this checks the age of the request itself.
	findRequestSQL = `SELECT lu.email_address, lu.username
FROM pw_reset.password_reset_requests prr
JOIN pw_reset.list_users lu on prr.username = lu.username
WHERE prr.hash = $1`

	// cleanupRequestsSQL deletes every request issued before timestamp $1.
	cleanupRequestsSQL = `DELETE FROM pw_reset.password_reset_requests
WHERE issued < $1`

	// userExistsSQL fetches the e-mail address of user $1; no row means
	// the user is unknown.
	userExistsSQL = `SELECT email_address
FROM pw_reset.list_users WHERE username = $1`

	// updatePasswordSQL sets the password of user $2 to $1.
	updatePasswordSQL = `UPDATE pw_reset.list_users
SET pw = $1 WHERE username = $2`
)
// Limits and sizes of the password reset workflow.
const (
	// hashLength is the size argument passed to common.GenerateRandomKey
	// when a reset token is created; the token is the hex encoding of
	// that key.
	hashLength = 16

	// passwordLength is the intended length of generated passwords.
	// NOTE(review): generateNewPassword in this file hard-codes 20
	// instead of referring to this constant; keep the two in sync.
	passwordLength = 20

	// passwordResetValid is how long a reset request may live before the
	// cleanup loop deletes it. The request mail template states
	// "12 hours" as literal text, so change both together.
	passwordResetValid = 12 * time.Hour

	// maxPasswordResets caps the number of reset requests stored for all
	// users together.
	maxPasswordResets = 1000

	// maxPasswordRequestsPerUser caps the number of reset requests stored
	// for a single user.
	maxPasswordRequestsPerUser = 5

	// cleanupPause is the sleep between two runs of the cleanup loop, and
	// so the extra time an outdated request can remain stored.
	cleanupPause = 15 * time.Minute
)
// pwResetRole is the role name handed to auth.RunAs for the database
// accesses of the password reset code in this file. These handlers serve
// users who are not logged in, so the rights of this role bound what an
// anonymous caller can reach.
const pwResetRole = "pw_reset"
// Plain-text mail bodies of the password reset workflow. They are parsed
// with text/template, which performs no escaping: every value is inserted
// verbatim, including the server name that becomes part of the link.
var (
	// passwordResetRequestMailTmpl renders the mail carrying the reset
	// link. It expects the fields User, HTTPS, Server and Hash.
	passwordResetRequestMailTmpl = template.Must(
		template.New("request").Parse(`You have requested a password change
for your account {{ .User }} on
{{ .HTTPS }}://{{ .Server }}

Please follow this link to get to the page where you can change your password.

{{ .HTTPS }}://{{ .Server }}/api/users/passwordreset/{{ .Hash }}

The link is only valid for 12 hours.

Best regards
Your service team`))

	// passwordResetMailTmpl renders the mail that tells the user the
	// newly generated password. It expects the fields User, HTTPS, Server
	// and Password; the password travels in clear text in the mail body.
	passwordResetMailTmpl = template.Must(
		template.New("reset").Parse(`Your password for your account {{ .User }} on
{{ .HTTPS }}://{{ .Server }}

has been changed to
{{ .Password }}

Change it as soon as possible.

Best regards
Your service team`))
)
// init starts the background cleanup of outdated password reset requests
// as soon as the package is loaded.
func init() {
	// removeOutdated loops forever, so this goroutine lives as long as
	// the process does.
	go removeOutdated()
}
// removeOutdated periodically deletes password reset requests that are
// older than passwordResetValid. It never returns.
//
// Each round sleeps first, so after a start the first cleanup happens only
// once cleanupPause has elapsed. A failed round is logged and retried on
// the next tick; until a round succeeds, outdated requests stay stored.
func removeOutdated() {
	purge := func(db *sql.DB) error {
		// Everything issued before this instant is outdated.
		cutoff := time.Now().Add(-passwordResetValid)
		_, err := db.Exec(cleanupRequestsSQL, cutoff)
		return err
	}

	for {
		time.Sleep(cleanupPause)
		if err := auth.RunAs(pwResetRole, purge); err != nil {
			log.Printf("error: %v\n", err)
		}
	}
}
// requestMessageBody renders the mail that carries the password reset
// link for user. https is the URL scheme, server the host part of the
// link and hash the reset token.
//
// A template execution error is only logged; whatever was rendered up to
// that point is still returned.
//
// NOTE(review): https and server are written into the link verbatim. The
// caller in this file passes req.Host, a value taken from the client's
// request; building the link from a configured base URL would keep the
// mailed link pointing at the intended server.
func requestMessageBody(https, user, hash, server string) string {
	type mailData struct {
		User   string
		HTTPS  string
		Server string
		Hash   string
	}
	data := &mailData{User: user, HTTPS: https, Server: server, Hash: hash}

	var out bytes.Buffer
	err := passwordResetRequestMailTmpl.Execute(&out, data)
	if err != nil {
		log.Printf("error: %v\n", err)
	}
	return out.String()
}
// changedMessageBody renders the mail that tells user the newly generated
// password. https is the URL scheme and server the host name shown in the
// text.
//
// The password is placed in the mail body in clear text; the template
// asks the recipient to change it as soon as possible. A template
// execution error is only logged; whatever was rendered up to that point
// is still returned.
func changedMessageBody(https, user, password, server string) string {
	type mailData struct {
		User     string
		HTTPS    string
		Server   string
		Password string
	}
	data := &mailData{User: user, HTTPS: https, Server: server, Password: password}

	var out bytes.Buffer
	err := passwordResetMailTmpl.Execute(&out, data)
	if err != nil {
		log.Printf("error: %v\n", err)
	}
	return out.String()
}
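// useHTTPS returns the URL scheme, "https" or "http", to put into links
// that point back to this server.
//
// For a request handled by a net/http server, req.URL is parsed from the
// request line and its Scheme is normally empty, so looking at the scheme
// alone reports "http" even on a TLS connection, and the reset link would
// be mailed as a plain http URL. The TLS state of the connection is
// therefore checked first; an explicit "https" scheme is still honoured.
//
// NOTE(review): behind a TLS-terminating reverse proxy neither signal is
// set. Such deployments need a configured external scheme rather than a
// forwarded header taken from the request without validation.
func useHTTPS(req *http.Request) string {
	switch {
	case req.TLS != nil:
		// Set by the HTTP server for connections that use TLS.
		return "https"
	case req.URL != nil && strings.EqualFold(req.URL.Scheme, "https"):
		return "https"
	}
	return "http"
}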
// generateHash returns a fresh password reset token: the hex encoding of
// the key that common.GenerateRandomKey returns for hashLength. Despite
// the name the value is a random token, not a digest of anything.
//
// NOTE(review): the token is the only secret in the reset link. This
// assumes common.GenerateRandomKey reads from a cryptographically secure
// source and never returns a short or nil key on failure - confirm in
// pkg/common.
func generateHash() string {
	key := common.GenerateRandomKey(hashLength)
	return hex.EncodeToString(key)
}
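// generateNewPassword returns a new random password of 20 characters. It
// prefers the external pwgen tool and falls back to the internal generator
// when pwgen is not available, fails or prints nothing.
//
// NOTE(review): "pwgen" is looked up through the PATH of the server
// process; an absolute path would pin which binary is executed.
func generateNewPassword() string {
	// -s asks pwgen for fully random passwords instead of its default
	// pronounceable ones, -y for at least one special character;
	// "20" "1" means one password of 20 characters.
	out, err := exec.Command("pwgen", "-s", "-y", "20", "1").Output()
	if err == nil {
		// A successful run that printed nothing must not lead to an
		// empty password being set.
		if pw := strings.TrimSpace(string(out)); pw != "" {
			return pw
		}
	}
	// Use internal generator.
	return common.RandomString(20)
}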
4bee4ba6dc58 Password reset: Part III
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 304
diff changeset
163
304
69e291f26bbd Password reset: Part II.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 302
diff changeset
164 func passwordResetRequest(
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
165 input interface{},
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
166 req *http.Request,
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
167 _ *sql.DB,
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
168 ) (jr JSONResult, err error) {
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
169
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
170 user := input.(*PWResetUser)
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
171
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
172 if user.User == "" {
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
173 err = JSONError{http.StatusBadRequest, "Invalid user name"}
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
174 return
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
175 }
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
176
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
177 var hash, email string
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
178
438
ffdb507d5b42 Removed db service user. Use an impersonated metamorph user instead.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 414
diff changeset
179 if err = auth.RunAs(pwResetRole, func(db *sql.DB) error {
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
180
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
181 var count int64
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
182 if err := db.QueryRow(countRequestsSQL).Scan(&count); err != nil {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
183 return err
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
184 }
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
185
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
186 // Limit total number of password requests.
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
187 if count >= maxPasswordResets {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
188 return JSONError{
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
189 Code: http.StatusServiceUnavailable,
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
190 Message: "Too much password reset request",
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
191 }
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
192 }
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
193
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
194 err := db.QueryRow(userExistsSQL, user.User).Scan(&email)
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
195
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
196 switch {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
197 case err == sql.ErrNoRows:
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
198 return JSONError{http.StatusNotFound, "User does not exist."}
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
199 case err != nil:
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
200 return err
304
69e291f26bbd Password reset: Part II.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 302
diff changeset
201 }
69e291f26bbd Password reset: Part II.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 302
diff changeset
202
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
203 if err := db.QueryRow(countRequestsUserSQL, user.User).Scan(&count); err != nil {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
204 return err
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
205 }
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
206
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
207 // Limit requests per user
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
208 if count >= maxPasswordRequestsPerUser {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
209 return JSONError{
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
210 Code: http.StatusServiceUnavailable,
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
211 Message: "Too much password reset requests for user",
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
212 }
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
213 }
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
214
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
215 hash = generateHash()
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
216 _, err = db.Exec(insertRequestSQL, hash, user.User)
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
217 return err
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
218 }); err == nil {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
219 body := requestMessageBody(useHTTPS(req), user.User, hash, req.Host)
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
220
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 332
diff changeset
221 if err = misc.SendMail(email, "Password Reset Link", body); err == nil {
321
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
222 jr.Result = &struct {
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
223 SendTo string `json:"send-to"`
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
224 }{email}
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
225 }
974a5e4c0055 Persist password reset requests in database.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 319
diff changeset
226 }
302
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
227 return
0777aa6de45b Password reset. Part I
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
228 }
304
69e291f26bbd Password reset: Part II.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 302
diff changeset
229
69e291f26bbd Password reset: Part II.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 302
diff changeset
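// passwordReset consumes the password reset request identified by the
// "hash" route variable. It looks up the pending request, runs
// updatePasswordSQL with a freshly generated password for the stored
// user, deletes the request and mails the new password to the address
// stored with the request.
//
// The JSON input and the handler's database handle are unused; all
// database work runs as pwResetRole through auth.RunAs.
//
// On success the result carries the address the mail was sent to.
// A JSONError is returned for a malformed hash (400), an unknown hash
// (404) or when the password update touched no user (404). Other
// database and mail errors are returned unchanged.
func passwordReset(
	_ interface{},
	req *http.Request,
	_ *sql.DB,
) (jr JSONResult, err error) {

	hash := mux.Vars(req)["hash"]
	// hex.DecodeString accepts the empty string, so reject it explicitly
	// instead of sending it to the database.
	if _, decErr := hex.DecodeString(hash); hash == "" || decErr != nil {
		err = JSONError{http.StatusBadRequest, "Invalid hash"}
		return
	}

	var email, user, password string

	if err = auth.RunAs(pwResetRole, func(db *sql.DB) error {
		// Look up, update and delete in one transaction: a failing delete
		// must not leave the password changed while the reset hash stays
		// valid and reusable.
		tx, err := db.Begin()
		if err != nil {
			return err
		}
		// Undoes the work on every early return; after a successful
		// Commit it only reports sql.ErrTxDone, which is ignored.
		defer tx.Rollback()

		err = tx.QueryRow(findRequestSQL, hash).Scan(&email, &user)
		switch {
		case err == sql.ErrNoRows:
			return JSONError{http.StatusNotFound, "No such hash"}
		case err != nil:
			return err
		}

		password = generateNewPassword()
		res, err := tx.Exec(updatePasswordSQL, password, user)
		if err != nil {
			return err
		}
		// A driver that cannot report the affected rows is tolerated;
		// only a definite zero is treated as "user gone".
		if n, err2 := res.RowsAffected(); err2 == nil && n == 0 {
			return JSONError{http.StatusNotFound, "User not found"}
		}

		if _, err = tx.Exec(deleteRequestSQL, hash); err != nil {
			return err
		}
		return tx.Commit()
	}); err != nil {
		return
	}

	// NOTE(review): req.Host comes from the client-supplied Host header.
	// If changedMessageBody builds a link from it, a configured external
	// URL would be the safer source — confirm against the template.
	// NOTE(review): the new password leaves the system in a clear-text
	// mail; forcing a change at first login would limit its lifetime.
	body := changedMessageBody(useHTTPS(req), user, password, req.Host)

	// The password is already changed and the request consumed here, so a
	// mail failure means the user has to start a new reset request.
	if err = misc.SendMail(email, "Password Reset Done", body); err == nil {
		jr.Result = &struct {
			SendTo string `json:"send-to"`
		}{email}
	}
	return
}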