Ensure that 2fa is checked on reset-password (#9857)
* Ensure that 2fa is checked on reset-password * Apply suggestions from code review Co-Authored-By: Lauris BH <lauris@nix.lv> * Properly manage scratch_code regeneration Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
		
							parent
							
								
									1d7b7504d0
								
							
						
					
					
						commit
						92d6bca41e
					
				
					 2 changed files with 97 additions and 9 deletions
				
			
		|  | @ -1284,7 +1284,7 @@ func ForgotPasswdPost(ctx *context.Context) { | ||||||
| 	ctx.HTML(200, tplForgotPassword) | 	ctx.HTML(200, tplForgotPassword) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func commonResetPassword(ctx *context.Context) *models.User { | func commonResetPassword(ctx *context.Context) (*models.User, *models.TwoFactor) { | ||||||
| 	code := ctx.Query("code") | 	code := ctx.Query("code") | ||||||
| 
 | 
 | ||||||
| 	ctx.Data["Title"] = ctx.Tr("auth.reset_password") | 	ctx.Data["Title"] = ctx.Tr("auth.reset_password") | ||||||
|  | @ -1296,14 +1296,25 @@ func commonResetPassword(ctx *context.Context) *models.User { | ||||||
| 
 | 
 | ||||||
| 	if len(code) == 0 { | 	if len(code) == 0 { | ||||||
| 		ctx.Flash.Error(ctx.Tr("auth.invalid_code")) | 		ctx.Flash.Error(ctx.Tr("auth.invalid_code")) | ||||||
| 		return nil | 		return nil, nil | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	// Fail early, don't frustrate the user | 	// Fail early, don't frustrate the user | ||||||
| 	u := models.VerifyUserActiveCode(code) | 	u := models.VerifyUserActiveCode(code) | ||||||
| 	if u == nil { | 	if u == nil { | ||||||
| 		ctx.Flash.Error(ctx.Tr("auth.invalid_code")) | 		ctx.Flash.Error(ctx.Tr("auth.invalid_code")) | ||||||
| 		return nil | 		return nil, nil | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	twofa, err := models.GetTwoFactorByUID(u.ID) | ||||||
|  | 	if err != nil { | ||||||
|  | 		if !models.IsErrTwoFactorNotEnrolled(err) { | ||||||
|  | 			ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error()) | ||||||
|  | 			return nil, nil | ||||||
|  | 		} | ||||||
|  | 	} else { | ||||||
|  | 		ctx.Data["has_two_factor"] = true | ||||||
|  | 		ctx.Data["scratch_code"] = ctx.QueryBool("scratch_code") | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	// Show the user that they are affecting the account that they intended to | 	// Show the user that they are affecting the account that they intended to | ||||||
|  | @ -1311,10 +1322,10 @@ func commonResetPassword(ctx *context.Context) *models.User { | ||||||
| 
 | 
 | ||||||
| 	if nil != ctx.User && u.ID != ctx.User.ID { | 	if nil != ctx.User && u.ID != ctx.User.ID { | ||||||
| 		ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email)) | 		ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email)) | ||||||
| 		return nil | 		return nil, nil | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	return u | 	return u, twofa | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| // ResetPasswd render the account recovery page | // ResetPasswd render the account recovery page | ||||||
|  | @ -1322,13 +1333,19 @@ func ResetPasswd(ctx *context.Context) { | ||||||
| 	ctx.Data["IsResetForm"] = true | 	ctx.Data["IsResetForm"] = true | ||||||
| 
 | 
 | ||||||
| 	commonResetPassword(ctx) | 	commonResetPassword(ctx) | ||||||
|  | 	if ctx.Written() { | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	ctx.HTML(200, tplResetPassword) | 	ctx.HTML(200, tplResetPassword) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| // ResetPasswdPost response from account recovery request | // ResetPasswdPost response from account recovery request | ||||||
| func ResetPasswdPost(ctx *context.Context) { | func ResetPasswdPost(ctx *context.Context) { | ||||||
| 	u := commonResetPassword(ctx) | 	u, twofa := commonResetPassword(ctx) | ||||||
|  | 	if ctx.Written() { | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	if u == nil { | 	if u == nil { | ||||||
| 		// Flash error has been set | 		// Flash error has been set | ||||||
|  | @ -1350,6 +1367,39 @@ func ResetPasswdPost(ctx *context.Context) { | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	// Handle two-factor | ||||||
|  | 	regenerateScratchToken := false | ||||||
|  | 	if twofa != nil { | ||||||
|  | 		if ctx.QueryBool("scratch_code") { | ||||||
|  | 			if !twofa.VerifyScratchToken(ctx.Query("token")) { | ||||||
|  | 				ctx.Data["IsResetForm"] = true | ||||||
|  | 				ctx.Data["Err_Token"] = true | ||||||
|  | 				ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil) | ||||||
|  | 				return | ||||||
|  | 			} | ||||||
|  | 			regenerateScratchToken = true | ||||||
|  | 		} else { | ||||||
|  | 			passcode := ctx.Query("passcode") | ||||||
|  | 			ok, err := twofa.ValidateTOTP(passcode) | ||||||
|  | 			if err != nil { | ||||||
|  | 				ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error()) | ||||||
|  | 				return | ||||||
|  | 			} | ||||||
|  | 			if !ok || twofa.LastUsedPasscode == passcode { | ||||||
|  | 				ctx.Data["IsResetForm"] = true | ||||||
|  | 				ctx.Data["Err_Passcode"] = true | ||||||
|  | 				ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil) | ||||||
|  | 				return | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
|  | 			twofa.LastUsedPasscode = passcode | ||||||
|  | 			if err = models.UpdateTwoFactor(twofa); err != nil { | ||||||
|  | 				ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err) | ||||||
|  | 				return | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	var err error | 	var err error | ||||||
| 	if u.Rands, err = models.GetUserSalt(); err != nil { | 	if u.Rands, err = models.GetUserSalt(); err != nil { | ||||||
| 		ctx.ServerError("UpdateUser", err) | 		ctx.ServerError("UpdateUser", err) | ||||||
|  | @ -1359,7 +1409,6 @@ func ResetPasswdPost(ctx *context.Context) { | ||||||
| 		ctx.ServerError("UpdateUser", err) | 		ctx.ServerError("UpdateUser", err) | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 
 |  | ||||||
| 	u.HashPassword(passwd) | 	u.HashPassword(passwd) | ||||||
| 	u.MustChangePassword = false | 	u.MustChangePassword = false | ||||||
| 	if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil { | 	if err := models.UpdateUserCols(u, "must_change_password", "passwd", "rands", "salt"); err != nil { | ||||||
|  | @ -1368,9 +1417,27 @@ func ResetPasswdPost(ctx *context.Context) { | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	log.Trace("User password reset: %s", u.Name) | 	log.Trace("User password reset: %s", u.Name) | ||||||
| 
 |  | ||||||
| 	ctx.Data["IsResetFailed"] = true | 	ctx.Data["IsResetFailed"] = true | ||||||
| 	remember := len(ctx.Query("remember")) != 0 | 	remember := len(ctx.Query("remember")) != 0 | ||||||
|  | 
 | ||||||
|  | 	if regenerateScratchToken { | ||||||
|  | 		// Invalidate the scratch token. | ||||||
|  | 		_, err = twofa.GenerateScratchToken() | ||||||
|  | 		if err != nil { | ||||||
|  | 			ctx.ServerError("UserSignIn", err) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  | 		if err = models.UpdateTwoFactor(twofa); err != nil { | ||||||
|  | 			ctx.ServerError("UserSignIn", err) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		handleSignInFull(ctx, u, remember, false) | ||||||
|  | 		ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used")) | ||||||
|  | 		ctx.Redirect(setting.AppSubURL + "/user/settings/security") | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	handleSignInFull(ctx, u, remember, true) | 	handleSignInFull(ctx, u, remember, true) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -18,7 +18,7 @@ | ||||||
| 					{{end}} | 					{{end}} | ||||||
| 					{{if .IsResetForm}} | 					{{if .IsResetForm}} | ||||||
| 						<div class="required inline field {{if .Err_Password}}error{{end}}"> | 						<div class="required inline field {{if .Err_Password}}error{{end}}"> | ||||||
| 							<label for="password">{{.i18n.Tr "password"}}</label> | 							<label for="password">{{.i18n.Tr "settings.new_password"}}</label> | ||||||
| 							<input id="password" name="password" type="password"  value="{{.password}}" autocomplete="off" autofocus required> | 							<input id="password" name="password" type="password"  value="{{.password}}" autocomplete="off" autofocus required> | ||||||
| 						</div> | 						</div> | ||||||
| 						{{if not .user_signed_in}} | 						{{if not .user_signed_in}} | ||||||
|  | @ -30,10 +30,31 @@ | ||||||
| 							</div> | 							</div> | ||||||
| 						</div> | 						</div> | ||||||
| 						{{end}} | 						{{end}} | ||||||
|  | 						{{if .has_two_factor}} | ||||||
|  | 						<h4 class="ui dividing header"> | ||||||
|  | 							{{.i18n.Tr "twofa"}} | ||||||
|  | 						</h4> | ||||||
|  | 						<div class="ui warning visible message">{{.i18n.Tr "settings.twofa_is_enrolled" | Str2html }}</div> | ||||||
|  | 						{{if .scratch_code}} | ||||||
|  | 						<div class="required inline field {{if .Err_Token}}error{{end}}"> | ||||||
|  | 							<label for="token">{{.i18n.Tr "auth.scratch_code"}}</label> | ||||||
|  | 							<input id="token" name="token" type="text" autocomplete="off" autofocus required> | ||||||
|  | 						</div> | ||||||
|  | 						<input type="hidden" name="scratch_code" value="true"> | ||||||
|  | 						{{else}} | ||||||
|  | 						<div class="required inline field {{if .Err_Passcode}}error{{end}}"> | ||||||
|  | 							<label for="passcode">{{.i18n.Tr "passcode"}}</label> | ||||||
|  | 							<input id="passcode" name="passcode" type="number" autocomplete="off" autofocus required> | ||||||
|  | 						</div> | ||||||
|  | 						{{end}} | ||||||
|  | 						{{end}} | ||||||
| 						<div class="ui divider"></div> | 						<div class="ui divider"></div> | ||||||
| 						<div class="inline field"> | 						<div class="inline field"> | ||||||
| 							<label></label> | 							<label></label> | ||||||
| 							<button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button> | 							<button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button> | ||||||
|  | 							{{if and .has_two_factor (not .scratch_code)}} | ||||||
|  | 								<a href="{{.Link}}?code={{.Code}}&scratch_code=true">{{.i18n.Tr "auth.use_scratch_code" | Str2html}}</a> | ||||||
|  | 							{{end}} | ||||||
| 						</div> | 						</div> | ||||||
| 					{{else}} | 					{{else}} | ||||||
| 						<p class="center">{{.i18n.Tr "auth.invalid_code"}}</p> | 						<p class="center">{{.i18n.Tr "auth.invalid_code"}}</p> | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		
		Reference in a new issue
	
	 zeripath
						zeripath