diff options
Diffstat (limited to 'api4')
-rw-r--r-- | api4/team_test.go | 6 | ||||
-rw-r--r-- | api4/user.go | 55 | ||||
-rw-r--r-- | api4/user_test.go | 52 |
3 files changed, 56 insertions, 57 deletions
diff --git a/api4/team_test.go b/api4/team_test.go index 95b07e248..61d7dc331 100644 --- a/api4/team_test.go +++ b/api4/team_test.go @@ -876,7 +876,7 @@ func TestAddTeamMember(t *testing.T) { dataObject["id"] = team.Id data := model.MapToJson(dataObject) - hashed := model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) + hashed := utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) tm, resp = Client.AddTeamMember(team.Id, "", hashed, data, "") CheckNoError(t, resp) @@ -906,7 +906,7 @@ func TestAddTeamMember(t *testing.T) { // expired data of more than 50 hours dataObject["time"] = fmt.Sprintf("%v", model.GetMillis()-1000*60*60*50) data = model.MapToJson(dataObject) - hashed = model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) + hashed = utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) tm, resp = Client.AddTeamMember(team.Id, "", hashed, data, "") CheckNotFoundStatus(t, resp) @@ -914,7 +914,7 @@ func TestAddTeamMember(t *testing.T) { // invalid team id dataObject["id"] = GenerateTestId() data = model.MapToJson(dataObject) - hashed = model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) + hashed = utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) tm, resp = Client.AddTeamMember(team.Id, "", hashed, data, "") CheckNotFoundStatus(t, resp) diff --git a/api4/user.go b/api4/user.go index 1d117ce07..18e549a64 100644 --- a/api4/user.go +++ b/api4/user.go @@ -768,23 +768,23 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) { func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) - code := props["code"] - if len(code) != model.PASSWORD_RECOVERY_CODE_SIZE { - c.SetInvalidParam("code") + token := props["token"] + if len(token) != model.TOKEN_SIZE { + c.SetInvalidParam("token") return } newPassword := props["new_password"] - c.LogAudit("attempt - code=" + code) + c.LogAudit("attempt - token=" + token) - if err := app.ResetPasswordFromCode(code, newPassword); err != nil { - c.LogAudit("fail - code=" + code) + if err := app.ResetPasswordFromToken(token, newPassword); err != nil { + c.LogAudit("fail - token=" + token) c.Err = err return } - c.LogAudit("success - code=" + code) + c.LogAudit("success - token=" + token) ReturnStatusOK(w) } @@ -985,32 +985,21 @@ func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) { func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) - userId := props["user_id"] - if len(userId) != 26 { - c.SetInvalidParam("user_id") + token := props["token"] + if len(token) != model.TOKEN_SIZE { + c.SetInvalidParam("token") return } - hashedId := props["hash_id"] - if len(hashedId) == 0 { - c.SetInvalidParam("hash_id") + if err := app.VerifyEmailFromToken(token); err != nil { + c.Err = model.NewLocAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error()) + c.Err.StatusCode = http.StatusBadRequest + return + } else { + c.LogAudit("Email Verified") + ReturnStatusOK(w) return } - - hashed := model.HashPassword(hashedId) - if model.ComparePassword(hashed, userId+utils.Cfg.EmailSettings.InviteSalt) { - if c.Err = app.VerifyUserEmail(userId); c.Err != nil { - return - } else { - c.LogAudit("Email Verified") - ReturnStatusOK(w) - return - } - } - - c.Err = model.NewLocAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, "") - c.Err.StatusCode = http.StatusBadRequest - return } func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) { @@ -1029,10 +1018,12 @@ func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) { return } - if _, err := app.GetStatus(user.Id); err != nil { - go app.SendVerifyEmail(user.Id, user.Email, user.Locale, utils.GetSiteURL()) - } else { - go app.SendEmailChangeVerifyEmail(user.Id, user.Email, user.Locale, utils.GetSiteURL()) + app.SendEmailVerification(user) + if err != nil { + // Don't want to leak whether the email is valid or not + l4g.Error("Unable to create email verification token: " + err.Error()) + ReturnStatusOK(w) + return } ReturnStatusOK(w) diff --git a/api4/user_test.go b/api4/user_test.go index 20def9a17..ae0dd79e5 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -1413,13 +1413,6 @@ func TestResetPassword(t *testing.T) { t.Fatal("should have succeeded") } - var recovery *model.PasswordRecovery - if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil { - t.Fatal(result.Err) - } else { - recovery = result.Data.(*model.PasswordRecovery) - } - // Check if the email was send to the right email address and the recovery key match var resultsMailbox utils.JSONMessageHeaderInbucket err := utils.RetryInbucket(5, func() error { @@ -1431,24 +1424,36 @@ func TestResetPassword(t *testing.T) { t.Log(err) t.Log("No email was received, maybe due load on the server. Disabling this verification") } + + var recoveryTokenString string if err == nil && len(resultsMailbox) > 0 { if !strings.ContainsAny(resultsMailbox[0].To[0], user.Email) { t.Fatal("Wrong To recipient") } else { if resultsEmail, err := utils.GetMessageFromMailbox(user.Email, resultsMailbox[0].ID); err == nil { - if !strings.Contains(resultsEmail.Body.Text, recovery.Code) { + loc := strings.Index(resultsEmail.Body.Text, "token=") + if loc == -1 { t.Log(resultsEmail.Body.Text) - t.Log(recovery.Code) - t.Fatal("Received wrong recovery code") + t.Fatal("Code not found in email") } + loc += 6 + recoveryTokenString = resultsEmail.Body.Text[loc : loc+model.TOKEN_SIZE] } } } - _, resp = Client.ResetPassword(recovery.Code, "") + var recoveryToken *model.Token + if result := <-app.Srv.Store.Token().GetByToken(recoveryTokenString); result.Err != nil { + t.Log(recoveryTokenString) + t.Fatal(result.Err) + } else { + recoveryToken = result.Data.(*model.Token) + } + + _, resp = Client.ResetPassword(recoveryToken.Token, "") CheckBadRequestStatus(t, resp) - _, resp = Client.ResetPassword(recovery.Code, "newp") + _, resp = Client.ResetPassword(recoveryToken.Token, "newp") CheckBadRequestStatus(t, resp) _, resp = Client.ResetPassword("", "newpwd") @@ -1458,14 +1463,14 @@ func TestResetPassword(t *testing.T) { CheckBadRequestStatus(t, resp) code := "" - for i := 0; i < model.PASSWORD_RECOVERY_CODE_SIZE; i++ { + for i := 0; i < model.TOKEN_SIZE; i++ { code += "a" } _, resp = Client.ResetPassword(code, "newpwd") CheckBadRequestStatus(t, resp) - success, resp = Client.ResetPassword(recovery.Code, "newpwd") + success, resp = Client.ResetPassword(recoveryToken.Token, "newpwd") CheckNoError(t, resp) if !success { t.Fatal("should have succeeded") @@ -1474,16 +1479,16 @@ func TestResetPassword(t *testing.T) { Client.Login(user.Email, "newpwd") Client.Logout() - _, resp = Client.ResetPassword(recovery.Code, "newpwd") + _, resp = Client.ResetPassword(recoveryToken.Token, "newpwd") CheckBadRequestStatus(t, resp) - authData := model.NewId() + /*authData := model.NewId() if result := <-app.Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, "", true); result.Err != nil { t.Fatal(result.Err) } _, resp = Client.SendPasswordResetEmail(user.Email) - CheckBadRequestStatus(t, resp) + CheckBadRequestStatus(t, resp)*/ } func TestGetSessions(t *testing.T) { @@ -1646,15 +1651,18 @@ func TestVerifyUserEmail(t *testing.T) { ruser, resp := Client.CreateUser(&user) - hashId := ruser.Id + utils.Cfg.EmailSettings.InviteSalt - _, resp = Client.VerifyUserEmail(ruser.Id, hashId) + token, err := app.CreateVerifyEmailToken(ruser.Id) + if err != nil { + t.Fatal("Unable to create email verify token") + } + + _, resp = Client.VerifyUserEmail(token.Token) CheckNoError(t, resp) - hashId = ruser.Id + GenerateTestId() - _, resp = Client.VerifyUserEmail(ruser.Id, hashId) + _, resp = Client.VerifyUserEmail(GenerateTestId()) CheckBadRequestStatus(t, resp) - _, resp = Client.VerifyUserEmail(ruser.Id, "") + _, resp = Client.VerifyUserEmail("") CheckBadRequestStatus(t, resp) } |