diff options
Diffstat (limited to 'app')
-rw-r--r-- | app/email.go | 20 | ||||
-rw-r--r-- | app/email_test.go | 26 | ||||
-rw-r--r-- | app/oauth.go | 8 | ||||
-rw-r--r-- | app/team.go | 4 | ||||
-rw-r--r-- | app/user.go | 121 |
5 files changed, 126 insertions, 53 deletions
diff --git a/app/email.go b/app/email.go index 235d949be..cd3cb3b4f 100644 --- a/app/email.go +++ b/app/email.go @@ -33,10 +33,10 @@ func SendChangeUsernameEmail(oldUsername, newUsername, email, locale, siteURL st return nil } -func SendEmailChangeVerifyEmail(userId, newUserEmail, locale, siteURL string) *model.AppError { +func SendEmailChangeVerifyEmail(newUserEmail, locale, siteURL, token string) *model.AppError { T := utils.GetUserTranslations(locale) - link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId+utils.Cfg.EmailSettings.InviteSalt), url.QueryEscape(newUserEmail)) + link := fmt.Sprintf("%s/do_verify_email?token=%s&email=%s", siteURL, token, url.QueryEscape(newUserEmail)) subject := T("api.templates.email_change_verify_subject", map[string]interface{}{"SiteName": utils.ClientCfg["SiteName"], @@ -77,10 +77,10 @@ func SendEmailChangeEmail(oldEmail, newEmail, locale, siteURL string) *model.App return nil } -func SendVerifyEmail(userId, userEmail, locale, siteURL string) *model.AppError { +func SendVerifyEmail(userEmail, locale, siteURL, token string) *model.AppError { T := utils.GetUserTranslations(locale) - link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId+utils.Cfg.EmailSettings.InviteSalt), url.QueryEscape(userEmail)) + link := fmt.Sprintf("%s/do_verify_email?token=%s&email=%s", siteURL, token, url.QueryEscape(userEmail)) url, _ := url.Parse(siteURL) @@ -144,7 +144,11 @@ func SendWelcomeEmail(userId string, email string, verified bool, locale, siteUR } if !verified { - link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId+utils.Cfg.EmailSettings.InviteSalt), url.QueryEscape(email)) + token, err := CreateVerifyEmailToken(userId) + if err != nil { + return err + } + link := fmt.Sprintf("%s/do_verify_email?token=%s&email=%s", siteURL, token.Token, url.QueryEscape(email)) bodyPage.Props["VerifyUrl"] = link } @@ -175,11 +179,11 @@ func SendPasswordChangeEmail(email, method, locale, siteURL string) *model.AppEr return nil } -func SendPasswordResetEmail(email string, recovery *model.PasswordRecovery, locale, siteURL string) (bool, *model.AppError) { +func SendPasswordResetEmail(email string, token *model.Token, locale, siteURL string) (bool, *model.AppError) { T := utils.GetUserTranslations(locale) - link := fmt.Sprintf("%s/reset_password_complete?code=%s", siteURL, url.QueryEscape(recovery.Code)) + link := fmt.Sprintf("%s/reset_password_complete?token=%s", siteURL, url.QueryEscape(token.Token)) subject := T("api.templates.reset_subject", map[string]interface{}{"SiteName": utils.ClientCfg["SiteName"]}) @@ -252,7 +256,7 @@ func SendInviteEmails(team *model.Team, senderName string, invites []string, sit props["name"] = team.Name props["time"] = fmt.Sprintf("%v", model.GetMillis()) data := model.MapToJson(props) - hash := model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) + hash := utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) bodyPage.Props["Link"] = fmt.Sprintf("%s/signup_user_complete/?d=%s&h=%s", siteURL, url.QueryEscape(data), url.QueryEscape(hash)) if !utils.Cfg.EmailSettings.SendEmailNotifications { diff --git a/app/email_test.go b/app/email_test.go index 3f57c54f9..b1aa9976c 100644 --- a/app/email_test.go +++ b/app/email_test.go @@ -62,17 +62,17 @@ func TestSendChangeUsernameEmail(t *testing.T) { func TestSendEmailChangeVerifyEmail(t *testing.T) { Setup() - var userId string = "5349853498543jdfvndf9834" var newUserEmail string = "newtest@example.com" var locale string = "en" var siteURL string = "" var expectedPartialMessage string = "You updated your email" var expectedSubject string = "[" + utils.Cfg.TeamSettings.SiteName + "] Verify new email address" + var token string = "TEST_TOKEN" //Delete all the messages before check the sample email utils.DeleteMailBox(newUserEmail) - if err := SendEmailChangeVerifyEmail(userId, newUserEmail, locale, siteURL); err != nil { + if err := SendEmailChangeVerifyEmail(newUserEmail, locale, siteURL, token); err != nil { t.Log(err) t.Fatal("Should send change username email") } else { @@ -160,17 +160,17 @@ func TestSendEmailChangeEmail(t *testing.T) { func TestSendVerifyEmail(t *testing.T) { Setup() - var userId string = "5349853498543jdfvndf9834" var userEmail string = "test@example.com" var locale string = "en" var siteURL string = "" var expectedPartialMessage string = "Please verify your email address by clicking below" var expectedSubject string = "[" + utils.Cfg.TeamSettings.SiteName + "] Email Verification" + var token string = "TEST_TOKEN" //Delete all the messages before check the sample email utils.DeleteMailBox(userEmail) - if err := SendVerifyEmail(userId, userEmail, locale, siteURL); err != nil { + if err := SendVerifyEmail(userEmail, locale, siteURL, token); err != nil { t.Log(err) t.Fatal("Should send change username email") } else { @@ -582,14 +582,22 @@ func TestSendPasswordReset(t *testing.T) { t.Log(resultsEmail.Body.Text) t.Fatal("Wrong Body message") } - var recoveryKey *model.PasswordRecovery - if result := <-Srv.Store.PasswordRecovery().Get(th.BasicUser.Id); result.Err != nil { + loc := strings.Index(resultsEmail.Body.Text, "token=") + if loc == -1 { + t.Log(resultsEmail.Body.Text) + t.Fatal("Code not found in email") + } + loc += 6 + recoveryTokenString := resultsEmail.Body.Text[loc : loc+model.TOKEN_SIZE] + var recoveryToken *model.Token + if result := <-Srv.Store.Token().GetByToken(recoveryTokenString); result.Err != nil { + t.Log(recoveryTokenString) t.Fatal(result.Err) } else { - recoveryKey = result.Data.(*model.PasswordRecovery) - if !strings.Contains(resultsEmail.Body.Text, recoveryKey.Code) { + recoveryToken = result.Data.(*model.Token) + if !strings.Contains(resultsEmail.Body.Text, recoveryToken.Token) { t.Log(resultsEmail.Body.Text) - t.Log(recoveryKey.Code) + t.Log(recoveryToken.Token) t.Fatal("Received wrong recovery code") } } diff --git a/app/oauth.go b/app/oauth.go index 5bbe744d9..03e3c507b 100644 --- a/app/oauth.go +++ b/app/oauth.go @@ -109,7 +109,7 @@ func AllowOAuthAppAccessToUser(userId string, authRequest *model.AuthorizeReques } authData := &model.AuthData{UserId: userId, ClientId: authRequest.ClientId, CreateAt: model.GetMillis(), RedirectUri: authRequest.RedirectUri, State: authRequest.State, Scope: authRequest.Scope} - authData.Code = model.HashPassword(fmt.Sprintf("%v:%v:%v:%v", authRequest.ClientId, authRequest.RedirectUri, authData.CreateAt, userId)) + authData.Code = utils.HashSha256(fmt.Sprintf("%v:%v:%v:%v", authRequest.ClientId, authRequest.RedirectUri, authData.CreateAt, userId)) // this saves the OAuth2 app as authorized authorizedApp := model.Preference{ @@ -167,7 +167,7 @@ func GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret, refresh return nil, model.NewAppError("GetOAuthAccessToken", "api.oauth.get_access_token.redirect_uri.app_error", nil, "", http.StatusBadRequest) } - if !model.ComparePassword(code, fmt.Sprintf("%v:%v:%v:%v", clientId, redirectUri, authData.CreateAt, authData.UserId)) { + if code != utils.HashSha256(fmt.Sprintf("%v:%v:%v:%v", clientId, redirectUri, authData.CreateAt, authData.UserId)) { return nil, model.NewAppError("GetOAuthAccessToken", "api.oauth.get_access_token.expired_code.app_error", nil, "", http.StatusBadRequest) } @@ -530,7 +530,7 @@ func GetAuthorizationCode(service string, props map[string]string, loginHint str endpoint := sso.AuthEndpoint scope := sso.Scope - props["hash"] = model.HashPassword(clientId) + props["hash"] = utils.HashSha256(clientId) state := b64.StdEncoding.EncodeToString([]byte(model.MapToJson(props))) redirectUri := utils.GetSiteURL() + "/signup/" + service + "/complete" @@ -563,7 +563,7 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser stateProps := model.MapFromJson(strings.NewReader(stateStr)) - if !model.ComparePassword(stateProps["hash"], sso.Id) { + if stateProps["hash"] != utils.HashSha256(sso.Id) { return nil, "", nil, model.NewLocAppError("AuthorizeOAuthUser", "api.user.authorize_oauth_user.invalid_state.app_error", nil, "") } diff --git a/app/team.go b/app/team.go index d4e6d6308..47f4f5c15 100644 --- a/app/team.go +++ b/app/team.go @@ -198,7 +198,7 @@ func AddUserToTeamByTeamId(teamId string, user *model.User) *model.AppError { func AddUserToTeamByHash(userId string, hash string, data string) (*model.Team, *model.AppError) { props := model.MapFromJson(strings.NewReader(data)) - if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { + if hash != utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { return nil, model.NewLocAppError("JoinUserToTeamByHash", "api.user.create_user.signup_link_invalid.app_error", nil, "") } @@ -757,7 +757,7 @@ func GetTeamIdFromQuery(query url.Values) (string, *model.AppError) { data := query.Get("d") props := model.MapFromJson(strings.NewReader(data)) - if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { + if hash != utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { return "", model.NewAppError("GetTeamIdFromQuery", "api.oauth.singup_with_oauth.invalid_link.app_error", nil, "", http.StatusBadRequest) } diff --git a/app/user.go b/app/user.go index 86e7cf0b0..3d33fb317 100644 --- a/app/user.go +++ b/app/user.go @@ -30,6 +30,13 @@ import ( "github.com/mattermost/platform/utils" ) +const ( + TOKEN_TYPE_PASSWORD_RECOVERY = "password_recovery" + TOKEN_TYPE_VERIFY_EMAIL = "verify_email" + PASSWORD_RECOVER_EXPIRY_TIME = 1000 * 60 * 60 // 1 hour + VERIFY_EMAIL_EXPIRY_TIME = 1000 * 60 * 60 // 1 hour +) + func CreateUserWithHash(user *model.User, hash string, data string) (*model.User, *model.AppError) { if err := IsUserSignUpAllowed(); err != nil { return nil, err @@ -37,7 +44,7 @@ func CreateUserWithHash(user *model.User, hash string, data string) (*model.User props := model.MapFromJson(strings.NewReader(data)) - if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { + if hash != utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { return nil, model.NewLocAppError("CreateUserWithHash", "api.user.create_user.signup_link_invalid.app_error", nil, "") } @@ -978,11 +985,9 @@ func UpdateUser(user *model.User, sendNotifications bool) (*model.User, *model.A }() if utils.Cfg.EmailSettings.RequireEmailVerification { - go func() { - if err := SendEmailChangeVerifyEmail(rusers[0].Id, rusers[0].Email, rusers[0].Locale, utils.GetSiteURL()); err != nil { - l4g.Error(err.Error()) - } - }() + if err := SendEmailVerification(rusers[0]); err != nil { + l4g.Error(err.Error()) + } } } @@ -1084,19 +1089,19 @@ func UpdatePasswordSendEmail(user *model.User, newPassword, method string) *mode return nil } -func ResetPasswordFromCode(code, newPassword string) *model.AppError { - var recovery *model.PasswordRecovery +func ResetPasswordFromToken(userSuppliedTokenString, newPassword string) *model.AppError { + var token *model.Token var err *model.AppError - if recovery, err = GetPasswordRecovery(code); err != nil { + if token, err = GetPasswordRecoveryToken(userSuppliedTokenString); err != nil { return err } else { - if model.GetMillis()-recovery.CreateAt >= model.PASSWORD_RECOVER_EXPIRY_TIME { + if model.GetMillis()-token.CreateAt >= PASSWORD_RECOVER_EXPIRY_TIME { return model.NewAppError("resetPassword", "api.user.reset_password.link_expired.app_error", nil, "", http.StatusBadRequest) } } var user *model.User - if user, err = GetUser(recovery.UserId); err != nil { + if user, err = GetUser(token.Extra); err != nil { return err } @@ -1110,7 +1115,7 @@ func ResetPasswordFromCode(code, newPassword string) *model.AppError { return err } - if err := DeletePasswordRecoveryForUser(recovery.UserId); err != nil { + if err := DeleteToken(token); err != nil { l4g.Error(err.Error()) } @@ -1128,39 +1133,42 @@ func SendPasswordReset(email string, siteURL string) (bool, *model.AppError) { return false, model.NewAppError("SendPasswordReset", "api.user.send_password_reset.sso.app_error", nil, "userId="+user.Id, http.StatusBadRequest) } - var recovery *model.PasswordRecovery - if recovery, err = CreatePasswordRecovery(user.Id); err != nil { + var token *model.Token + if token, err = CreatePasswordRecoveryToken(user.Id); err != nil { return false, err } - if _, err := SendPasswordResetEmail(email, recovery, user.Locale, siteURL); err != nil { + if _, err := SendPasswordResetEmail(email, token, user.Locale, siteURL); err != nil { return false, model.NewLocAppError("SendPasswordReset", "api.user.send_password_reset.send.app_error", nil, "err="+err.Message) } return true, nil } -func CreatePasswordRecovery(userId string) (*model.PasswordRecovery, *model.AppError) { - recovery := &model.PasswordRecovery{} - recovery.UserId = userId +func CreatePasswordRecoveryToken(userId string) (*model.Token, *model.AppError) { + token := model.NewToken(TOKEN_TYPE_PASSWORD_RECOVERY, userId) - if result := <-Srv.Store.PasswordRecovery().SaveOrUpdate(recovery); result.Err != nil { + if result := <-Srv.Store.Token().Save(token); result.Err != nil { return nil, result.Err } - return recovery, nil + return token, nil } -func GetPasswordRecovery(code string) (*model.PasswordRecovery, *model.AppError) { - if result := <-Srv.Store.PasswordRecovery().GetByCode(code); result.Err != nil { - return nil, model.NewAppError("GetPasswordRecovery", "api.user.reset_password.invalid_link.app_error", nil, result.Err.Error(), http.StatusBadRequest) +func GetPasswordRecoveryToken(token string) (*model.Token, *model.AppError) { + if result := <-Srv.Store.Token().GetByToken(token); result.Err != nil { + return nil, model.NewAppError("GetPasswordRecoveryToken", "api.user.reset_password.invalid_link.app_error", nil, result.Err.Error(), http.StatusBadRequest) } else { - return result.Data.(*model.PasswordRecovery), nil + token := result.Data.(*model.Token) + if token.Type != TOKEN_TYPE_PASSWORD_RECOVERY { + return nil, model.NewAppError("GetPasswordRecoveryToken", "api.user.reset_password.broken_token.app_error", nil, "", http.StatusBadRequest) + } + return token, nil } } -func DeletePasswordRecoveryForUser(userId string) *model.AppError { - if result := <-Srv.Store.PasswordRecovery().Delete(userId); result.Err != nil { +func DeleteToken(token *model.Token) *model.AppError { + if result := <-Srv.Store.Token().Delete(token.Token); result.Err != nil { return result.Err } @@ -1250,10 +1258,6 @@ func PermanentDeleteUser(user *model.User) *model.AppError { return result.Err } - if result := <-Srv.Store.PasswordRecovery().Delete(user.Id); result.Err != nil { - return result.Err - } - l4g.Warn(utils.T("api.user.permanent_delete_user.deleted.warn"), user.Email, user.Id) return nil @@ -1272,6 +1276,63 @@ func PermanentDeleteAllUsers() *model.AppError { return nil } +func SendEmailVerification(user *model.User) *model.AppError { + token, err := CreateVerifyEmailToken(user.Id) + if err != nil { + return err + } + + if _, err := GetStatus(user.Id); err != nil { + go SendVerifyEmail(user.Email, user.Locale, utils.GetSiteURL(), token.Token) + } else { + go SendEmailChangeVerifyEmail(user.Email, user.Locale, utils.GetSiteURL(), token.Token) + } + + return nil +} + +func VerifyEmailFromToken(userSuppliedTokenString string) *model.AppError { + var token *model.Token + var err *model.AppError + if token, err = GetVerifyEmailToken(userSuppliedTokenString); err != nil { + return err + } else { + if model.GetMillis()-token.CreateAt >= PASSWORD_RECOVER_EXPIRY_TIME { + return model.NewAppError("resetPassword", "api.user.reset_password.link_expired.app_error", nil, "", http.StatusBadRequest) + } + if err := VerifyUserEmail(token.Extra); err != nil { + return err + } + if err := DeleteToken(token); err != nil { + l4g.Error(err.Error()) + } + } + + return nil +} + +func CreateVerifyEmailToken(userId string) (*model.Token, *model.AppError) { + token := model.NewToken(TOKEN_TYPE_VERIFY_EMAIL, userId) + + if result := <-Srv.Store.Token().Save(token); result.Err != nil { + return nil, result.Err + } + + return token, nil +} + +func GetVerifyEmailToken(token string) (*model.Token, *model.AppError) { + if result := <-Srv.Store.Token().GetByToken(token); result.Err != nil { + return nil, model.NewAppError("GetVerifyEmailToken", "api.user.verify_email.bad_link.app_error", nil, result.Err.Error(), http.StatusBadRequest) + } else { + token := result.Data.(*model.Token) + if token.Type != TOKEN_TYPE_VERIFY_EMAIL { + return nil, model.NewAppError("GetVerifyEmailToken", "api.user.verify_email.broken_token.app_error", nil, "", http.StatusBadRequest) + } + return token, nil + } +} + func VerifyUserEmail(userId string) *model.AppError { if err := (<-Srv.Store.User().VerifyEmail(userId)).Err; err != nil { return err |