Merge branch '#4-password-reset' into 'main'
Password reset See merge request compsoc1/skynet/ldap/backend!2
This commit is contained in:
commit
224451292d
9 changed files with 1032 additions and 355 deletions
|
@ -40,3 +40,4 @@ csv = "1.2"
|
||||||
# for email
|
# for email
|
||||||
lettre = "0.10.4"
|
lettre = "0.10.4"
|
||||||
maud = "0.25.0"
|
maud = "0.25.0"
|
||||||
|
|
||||||
|
|
43
README.md
43
README.md
|
@ -81,6 +81,49 @@ Invalid Auth:
|
||||||
|
|
||||||
Generic responses which is used unless otherwise specified above.
|
Generic responses which is used unless otherwise specified above.
|
||||||
|
|
||||||
|
### POST /ldap/recover/password
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"user" : "[OPTIONAL] username looking for reset",
|
||||||
|
"email" : "[OPTIONAL] email looking for reset"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
All responses:
|
||||||
|
```json
|
||||||
|
{"result": "success"}
|
||||||
|
```
|
||||||
|
|
||||||
|
### POST /ldap/recover/password/auth
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"auth" : "Auth key from teh email",
|
||||||
|
"pass" : "Password the user chooses"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Early Errors:
|
||||||
|
```json
|
||||||
|
{"result": "error"}
|
||||||
|
```
|
||||||
|
|
||||||
|
LDAP error:
|
||||||
|
```json
|
||||||
|
{"result": "error", "error": "ldap error"}
|
||||||
|
```
|
||||||
|
|
||||||
|
Success:
|
||||||
|
```json
|
||||||
|
{"result": "success", "success": "Password set"}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Responses
|
||||||
|
|
||||||
|
Generic responses which is used unless otherwise specified above.
|
||||||
|
|
||||||
|
|
||||||
### Success: HTTP 200
|
### Success: HTTP 200
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
|
|
37
src/lib.rs
37
src/lib.rs
|
@ -35,7 +35,14 @@ pub struct AccountsNew {
|
||||||
pub id_student: String,
|
pub id_student: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Deserialize, Serialize, sqlx::FromRow)]
|
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
|
||||||
|
pub struct AccountsReset {
|
||||||
|
pub user: String,
|
||||||
|
pub auth_code: String,
|
||||||
|
pub date_expiry: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
|
||||||
pub struct Accounts {
|
pub struct Accounts {
|
||||||
pub user: String,
|
pub user: String,
|
||||||
pub uid: i64,
|
pub uid: i64,
|
||||||
|
@ -84,6 +91,26 @@ pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
|
||||||
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)")
|
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)")
|
||||||
.execute(&pool)
|
.execute(&pool)
|
||||||
.await?;
|
.await?;
|
||||||
|
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_new (date_expiry)")
|
||||||
|
.execute(&pool)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
sqlx::query(
|
||||||
|
"CREATE TABLE IF NOT EXISTS accounts_reset (
|
||||||
|
user text primary key,
|
||||||
|
auth_code text not null,
|
||||||
|
date_expiry text not null
|
||||||
|
)",
|
||||||
|
)
|
||||||
|
.execute(&pool)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_reset (auth_code)")
|
||||||
|
.execute(&pool)
|
||||||
|
.await?;
|
||||||
|
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_reset (date_expiry)")
|
||||||
|
.execute(&pool)
|
||||||
|
.await?;
|
||||||
|
|
||||||
// this is for active use
|
// this is for active use
|
||||||
sqlx::query(
|
sqlx::query(
|
||||||
|
@ -214,6 +241,10 @@ pub async fn get_wolves(db: &Pool<Sqlite>) -> Vec<AccountWolves> {
|
||||||
.unwrap_or(vec![])
|
.unwrap_or(vec![])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn uid_to_dn(uid: &str) -> String {
|
||||||
|
format!("uid={},ou=users,dc=skynet,dc=ie", uid)
|
||||||
|
}
|
||||||
|
|
||||||
pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> {
|
pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> {
|
||||||
if users.is_empty() {
|
if users.is_empty() {
|
||||||
return Ok(());
|
return Ok(());
|
||||||
|
@ -252,7 +283,3 @@ pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, rep
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn uid_to_dn(uid: &str) -> String {
|
|
||||||
format!("uid={},ou=users,dc=skynet,dc=ie", uid)
|
|
||||||
}
|
|
||||||
|
|
22
src/main.rs
22
src/main.rs
|
@ -1,9 +1,6 @@
|
||||||
use skynet_ldap_backend::{
|
use skynet_ldap_backend::{
|
||||||
db_init, get_config,
|
db_init, get_config,
|
||||||
methods::{
|
methods::{account_new, account_recover, account_update},
|
||||||
account_new::post::{account, email},
|
|
||||||
account_update::post_update_ldap,
|
|
||||||
},
|
|
||||||
State,
|
State,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -23,14 +20,17 @@ async fn main() -> tide::Result<()> {
|
||||||
|
|
||||||
let mut app = tide::with_state(state);
|
let mut app = tide::with_state(state);
|
||||||
|
|
||||||
app.at("/ldap/update").post(post_update_ldap);
|
// for users to update their own profile
|
||||||
app.at("/ldap/new/email").post(email::submit);
|
app.at("/ldap/update").post(account_update::submit);
|
||||||
app.at("/ldap/new/account").post(account::submit);
|
|
||||||
|
// for new users
|
||||||
|
app.at("/ldap/new/email").post(account_new::email::submit);
|
||||||
|
app.at("/ldap/new/account").post(account_new::account::submit);
|
||||||
|
|
||||||
|
// for folks who forget password/username
|
||||||
|
app.at("/ldap/recover/password").post(account_recover::password::reset);
|
||||||
|
app.at("/ldap/recover/password/auth").post(account_recover::password::auth);
|
||||||
|
|
||||||
app.listen(host_port).await?;
|
app.listen(host_port).await?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
Password reset via email
|
|
||||||
*/
|
|
||||||
|
|
|
@ -13,10 +13,7 @@ use tide::{
|
||||||
Request,
|
Request,
|
||||||
};
|
};
|
||||||
|
|
||||||
pub mod post {
|
pub mod email {
|
||||||
use super::*;
|
|
||||||
|
|
||||||
pub mod email {
|
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
||||||
#[derive(Debug, Deserialize)]
|
#[derive(Debug, Deserialize)]
|
||||||
|
@ -231,9 +228,9 @@ pub mod post {
|
||||||
.fetch_optional(db)
|
.fetch_optional(db)
|
||||||
.await
|
.await
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub mod account {
|
pub mod account {
|
||||||
use super::*;
|
use super::*;
|
||||||
use crate::update_group;
|
use crate::update_group;
|
||||||
|
|
||||||
|
@ -460,5 +457,4 @@ pub mod post {
|
||||||
.fetch_all(db)
|
.fetch_all(db)
|
||||||
.await
|
.await
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
306
src/methods/account_recover.rs
Normal file
306
src/methods/account_recover.rs
Normal file
|
@ -0,0 +1,306 @@
|
||||||
|
use crate::{get_now_iso, random_string, uid_to_dn, Accounts, AccountsReset, Config, State};
|
||||||
|
use chrono::{Duration, SecondsFormat, Utc};
|
||||||
|
use ldap3::{exop::PasswordModify, LdapConn};
|
||||||
|
use lettre::{
|
||||||
|
message::{header, MultiPart, SinglePart},
|
||||||
|
transport::smtp::{authentication::Credentials, response::Response, Error},
|
||||||
|
Message, SmtpTransport, Transport,
|
||||||
|
};
|
||||||
|
use maud::html;
|
||||||
|
use sqlx::{Pool, Sqlite};
|
||||||
|
use tide::{
|
||||||
|
prelude::{json, Deserialize},
|
||||||
|
Request,
|
||||||
|
};
|
||||||
|
|
||||||
|
pub mod password {
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
#[derive(Debug, Deserialize)]
|
||||||
|
struct PassReset {
|
||||||
|
user: Option<String>,
|
||||||
|
email: Option<String>,
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Handles password resets
|
||||||
|
/// All responses are success, never want to leak info
|
||||||
|
pub async fn reset(mut req: Request<State>) -> tide::Result {
|
||||||
|
let PassReset {
|
||||||
|
user,
|
||||||
|
email,
|
||||||
|
} = req.body_json().await?;
|
||||||
|
|
||||||
|
// check that any mail is not using @skynet.ie
|
||||||
|
if let Some(mail) = &email {
|
||||||
|
if mail.trim().ends_with("@skynet.ie") {
|
||||||
|
// all responses from this are a success
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
let config = &req.state().config;
|
||||||
|
let db = &req.state().db;
|
||||||
|
|
||||||
|
// considering the local db is updated hourly (or less) use that instead of teh ldap for lookups
|
||||||
|
let user_details = match db_get_user(db, &user, &email).await {
|
||||||
|
None => {
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
|
||||||
|
// user does not have a different email address set
|
||||||
|
if user_details.mail.trim().ends_with("@skynet.ie") {
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if a recent password reset request happened lately
|
||||||
|
db_pending_clear_expired(db).await?;
|
||||||
|
|
||||||
|
if db_get_user_reset(db, &user_details.user).await.is_some() {
|
||||||
|
// reset already requested within timeframe
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
|
||||||
|
// send mail
|
||||||
|
let auth = random_string(50);
|
||||||
|
|
||||||
|
if send_mail(config, &user_details, &auth).is_ok() {
|
||||||
|
// save to db
|
||||||
|
|
||||||
|
save_to_db(db, &user_details, &auth).await?;
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(json!({"result": "success"}).into())
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Debug, Deserialize)]
|
||||||
|
pub struct PassResetAuth {
|
||||||
|
auth: String,
|
||||||
|
pass: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
pub async fn auth(mut req: Request<State>) -> tide::Result {
|
||||||
|
let PassResetAuth {
|
||||||
|
auth,
|
||||||
|
pass,
|
||||||
|
} = req.body_json().await?;
|
||||||
|
|
||||||
|
let config = &req.state().config;
|
||||||
|
let db = &req.state().db;
|
||||||
|
|
||||||
|
if db_pending_clear_expired(db).await.is_err() {
|
||||||
|
return Ok(json!({"result": "error"}).into());
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if auth exists
|
||||||
|
let details = match db_get_user_reset_auth(db, &auth).await {
|
||||||
|
None => {
|
||||||
|
return Ok(json!({"result": "error"}).into());
|
||||||
|
}
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
|
||||||
|
if ldap_reset_pw(config, &details, &pass).await.is_err() {
|
||||||
|
return Ok(json!({"result": "error", "error": "ldap error"}).into());
|
||||||
|
};
|
||||||
|
|
||||||
|
Ok(json!({"result": "success", "success": "Password set"}).into())
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_get_user(pool: &Pool<Sqlite>, user_in: &Option<String>, mail_in: &Option<String>) -> Option<Accounts> {
|
||||||
|
let user = match user_in {
|
||||||
|
None => "",
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
let mail = match mail_in {
|
||||||
|
None => "",
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
|
||||||
|
if let Ok(res) = sqlx::query_as::<_, Accounts>(
|
||||||
|
r#"
|
||||||
|
SELECT *
|
||||||
|
FROM accounts
|
||||||
|
WHERE user == ? OR mail ==?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(user)
|
||||||
|
.bind(mail)
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
if !res.is_empty() {
|
||||||
|
return Some(res[0].to_owned());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsReset>, sqlx::Error> {
|
||||||
|
sqlx::query_as::<_, AccountsReset>(
|
||||||
|
r#"
|
||||||
|
DELETE
|
||||||
|
FROM accounts_reset
|
||||||
|
WHERE date_expiry < ?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(get_now_iso(false))
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_get_user_reset(pool: &Pool<Sqlite>, user: &str) -> Option<AccountsReset> {
|
||||||
|
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
|
||||||
|
r#"
|
||||||
|
SELECT *
|
||||||
|
FROM accounts_reset
|
||||||
|
WHERE user == ?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(user)
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
if !res.is_empty() {
|
||||||
|
return Some(res[0].to_owned());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_get_user_reset_auth(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsReset> {
|
||||||
|
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
|
||||||
|
r#"
|
||||||
|
SELECT *
|
||||||
|
FROM accounts_reset
|
||||||
|
WHERE auth == ?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(auth)
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
if !res.is_empty() {
|
||||||
|
return Some(res[0].to_owned());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn ldap_reset_pw(config: &Config, details: &AccountsReset, pass: &str) -> Result<(), ldap3::LdapError> {
|
||||||
|
let mut ldap = LdapConn::new(&config.ldap_host)?;
|
||||||
|
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
|
||||||
|
|
||||||
|
let dn = uid_to_dn(&details.user);
|
||||||
|
|
||||||
|
// if so then set password
|
||||||
|
let tmp = PasswordModify {
|
||||||
|
// none as we are staying on the same connection
|
||||||
|
user_id: Some(&dn),
|
||||||
|
old_pass: None,
|
||||||
|
new_pass: Some(pass),
|
||||||
|
};
|
||||||
|
|
||||||
|
ldap.extended(tmp)?.success()?;
|
||||||
|
ldap.unbind()?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn send_mail(config: &Config, record: &Accounts, auth: &str) -> Result<Response, Error> {
|
||||||
|
let recipient = &record.user;
|
||||||
|
let mail = &record.mail;
|
||||||
|
let url_base = "https://sso.skynet.ie";
|
||||||
|
let link_new = format!("{url_base}/recovery_pass?auth={auth}");
|
||||||
|
let discord = "https://discord.gg/mkuKJkCuyM";
|
||||||
|
let sender = format!("UL Computer Society <{}>", &config.mail_user);
|
||||||
|
|
||||||
|
// Create the html we want to send.
|
||||||
|
let html = html! {
|
||||||
|
head {
|
||||||
|
title { "Hello from Skynet!" }
|
||||||
|
style type="text/css" {
|
||||||
|
"h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
div style="display: flex; flex-direction: column; align-items: center;" {
|
||||||
|
h2 { "Hello from Skynet!" }
|
||||||
|
// Substitute in the name of our recipient.
|
||||||
|
p { "Hi " (recipient) "," }
|
||||||
|
p {
|
||||||
|
"Here is your password reset link:"
|
||||||
|
br;
|
||||||
|
a href=(link_new) { (link_new) }
|
||||||
|
}
|
||||||
|
p {
|
||||||
|
"If did not request this please ignore."
|
||||||
|
}
|
||||||
|
p {
|
||||||
|
"UL Computer Society"
|
||||||
|
br;
|
||||||
|
"Skynet Team"
|
||||||
|
br;
|
||||||
|
a href=(discord) { (discord) }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
let body_text = format!(
|
||||||
|
r#"
|
||||||
|
Hi {recipient}
|
||||||
|
|
||||||
|
Here is your password reset link:
|
||||||
|
{link_new}
|
||||||
|
|
||||||
|
If did not request this please ignore.
|
||||||
|
|
||||||
|
UL Computer Society
|
||||||
|
Skynet Team
|
||||||
|
{discord}
|
||||||
|
"#
|
||||||
|
);
|
||||||
|
|
||||||
|
// Build the message.
|
||||||
|
let email = Message::builder()
|
||||||
|
.from(sender.parse().unwrap())
|
||||||
|
.to(mail.parse().unwrap())
|
||||||
|
.subject("Skynet: Password Reset")
|
||||||
|
.multipart(
|
||||||
|
// This is composed of two parts.
|
||||||
|
// also helps not trip spam settings (uneven number of url's
|
||||||
|
MultiPart::alternative()
|
||||||
|
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
|
||||||
|
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
|
||||||
|
)
|
||||||
|
.expect("failed to build email");
|
||||||
|
|
||||||
|
let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
|
||||||
|
|
||||||
|
// Open a remote connection to gmail using STARTTLS
|
||||||
|
let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
|
||||||
|
|
||||||
|
// Send the email
|
||||||
|
mailer.send(&email)
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn save_to_db(db: &Pool<Sqlite>, record: &Accounts, auth: &str) -> Result<Option<AccountsReset>, sqlx::Error> {
|
||||||
|
// lets start off a 4 hour timeout on password resets
|
||||||
|
let offset = Utc::now() + Duration::hours(4);
|
||||||
|
|
||||||
|
sqlx::query_as::<_, AccountsReset>(
|
||||||
|
"
|
||||||
|
INSERT OR REPLACE INTO accounts_reset (user, auth_code, date_expiry)
|
||||||
|
VALUES (?1, ?2, ?3)
|
||||||
|
",
|
||||||
|
)
|
||||||
|
.bind(record.user.to_owned())
|
||||||
|
.bind(auth.to_owned())
|
||||||
|
.bind(offset.to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||||
|
.fetch_optional(db)
|
||||||
|
.await
|
||||||
|
}
|
||||||
|
}
|
|
@ -25,7 +25,7 @@ pub struct ModifyResult {
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Handles updating a single field with the users own password
|
/// Handles updating a single field with the users own password
|
||||||
pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result {
|
pub async fn submit(mut req: Request<State>) -> tide::Result {
|
||||||
let LdapUpdate {
|
let LdapUpdate {
|
||||||
user,
|
user,
|
||||||
pass,
|
pass,
|
||||||
|
|
|
@ -1,2 +1,4 @@
|
||||||
pub mod account_new;
|
pub mod account_new;
|
||||||
|
pub mod account_recover;
|
||||||
pub mod account_update;
|
pub mod account_update;
|
||||||
|
pub mod password_reset;
|
||||||
|
|
302
src/methods/password_reset.rs
Normal file
302
src/methods/password_reset.rs
Normal file
|
@ -0,0 +1,302 @@
|
||||||
|
use crate::{get_now_iso, random_string, uid_to_dn, Accounts, AccountsReset, Config, State};
|
||||||
|
use chrono::{Duration, SecondsFormat, Utc};
|
||||||
|
use ldap3::{exop::PasswordModify, LdapConn};
|
||||||
|
use lettre::{
|
||||||
|
message::{header, MultiPart, SinglePart},
|
||||||
|
transport::smtp::{authentication::Credentials, response::Response, Error},
|
||||||
|
Message, SmtpTransport, Transport,
|
||||||
|
};
|
||||||
|
use maud::html;
|
||||||
|
use sqlx::{Pool, Sqlite};
|
||||||
|
use tide::{
|
||||||
|
prelude::{json, Deserialize},
|
||||||
|
Request,
|
||||||
|
};
|
||||||
|
|
||||||
|
#[derive(Debug, Deserialize)]
|
||||||
|
pub struct PassReset {
|
||||||
|
user: Option<String>,
|
||||||
|
email: Option<String>,
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Handles password resets
|
||||||
|
/// All responses are success, never want to leak info
|
||||||
|
pub async fn post_password_reset(mut req: Request<State>) -> tide::Result {
|
||||||
|
let PassReset {
|
||||||
|
user,
|
||||||
|
email,
|
||||||
|
} = req.body_json().await?;
|
||||||
|
|
||||||
|
// check that any mail is not using @skynet.ie
|
||||||
|
if let Some(mail) = &email {
|
||||||
|
if mail.trim().ends_with("@skynet.ie") {
|
||||||
|
// all responses from this are a success
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
let config = &req.state().config;
|
||||||
|
let db = &req.state().db;
|
||||||
|
|
||||||
|
// considering the local db is updated hourly (or less) use that instead of teh ldap for lookups
|
||||||
|
let user_details = match db_get_user(db, &user, &email).await {
|
||||||
|
None => {
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
|
||||||
|
// user does not have a different email address set
|
||||||
|
if user_details.mail.trim().ends_with("@skynet.ie") {
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if a recent password reset request happened lately
|
||||||
|
db_pending_clear_expired(db).await?;
|
||||||
|
|
||||||
|
if db_get_user_reset(db, &user_details.user).await.is_some() {
|
||||||
|
// reset already requested within timeframe
|
||||||
|
return Ok(json!({"result": "success"}).into());
|
||||||
|
}
|
||||||
|
|
||||||
|
// send mail
|
||||||
|
let auth = random_string(50);
|
||||||
|
|
||||||
|
if send_mail(config, &user_details, &auth).is_ok() {
|
||||||
|
// save to db
|
||||||
|
|
||||||
|
save_to_db(db, &user_details, &auth).await?;
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(json!({"result": "success"}).into())
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Debug, Deserialize)]
|
||||||
|
pub struct PassResetAuth {
|
||||||
|
auth: String,
|
||||||
|
pass: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
pub async fn post_password_auth(mut req: Request<State>) -> tide::Result {
|
||||||
|
let PassResetAuth {
|
||||||
|
auth,
|
||||||
|
pass,
|
||||||
|
} = req.body_json().await?;
|
||||||
|
|
||||||
|
let config = &req.state().config;
|
||||||
|
let db = &req.state().db;
|
||||||
|
|
||||||
|
if db_pending_clear_expired(db).await.is_err() {
|
||||||
|
return Ok(json!({"result": "error"}).into());
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if auth exists
|
||||||
|
let details = match db_get_user_reset_auth(db, &auth).await {
|
||||||
|
None => {
|
||||||
|
return Ok(json!({"result": "error"}).into());
|
||||||
|
}
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
|
||||||
|
if ldap_reset_pw(config, &details, &pass).await.is_err() {
|
||||||
|
return Ok(json!({"result": "error", "error": "ldap error"}).into());
|
||||||
|
};
|
||||||
|
|
||||||
|
Ok(json!({"result": "success", "success": "Password set"}).into())
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_get_user(pool: &Pool<Sqlite>, user_in: &Option<String>, mail_in: &Option<String>) -> Option<Accounts> {
|
||||||
|
let user = match user_in {
|
||||||
|
None => "",
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
let mail = match mail_in {
|
||||||
|
None => "",
|
||||||
|
Some(x) => x,
|
||||||
|
};
|
||||||
|
|
||||||
|
if let Ok(res) = sqlx::query_as::<_, Accounts>(
|
||||||
|
r#"
|
||||||
|
SELECT *
|
||||||
|
FROM accounts
|
||||||
|
WHERE user == ? OR mail ==?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(user)
|
||||||
|
.bind(mail)
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
if !res.is_empty() {
|
||||||
|
return Some(res[0].to_owned());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsReset>, sqlx::Error> {
|
||||||
|
sqlx::query_as::<_, AccountsReset>(
|
||||||
|
r#"
|
||||||
|
DELETE
|
||||||
|
FROM accounts_reset
|
||||||
|
WHERE date_expiry < ?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(get_now_iso(false))
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_get_user_reset(pool: &Pool<Sqlite>, user: &str) -> Option<AccountsReset> {
|
||||||
|
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
|
||||||
|
r#"
|
||||||
|
SELECT *
|
||||||
|
FROM accounts_reset
|
||||||
|
WHERE user == ?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(user)
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
if !res.is_empty() {
|
||||||
|
return Some(res[0].to_owned());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn db_get_user_reset_auth(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsReset> {
|
||||||
|
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
|
||||||
|
r#"
|
||||||
|
SELECT *
|
||||||
|
FROM accounts_reset
|
||||||
|
WHERE auth == ?
|
||||||
|
"#,
|
||||||
|
)
|
||||||
|
.bind(auth)
|
||||||
|
.fetch_all(pool)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
if !res.is_empty() {
|
||||||
|
return Some(res[0].to_owned());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn ldap_reset_pw(config: &Config, details: &AccountsReset, pass: &str) -> Result<(), ldap3::LdapError> {
|
||||||
|
let mut ldap = LdapConn::new(&config.ldap_host)?;
|
||||||
|
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
|
||||||
|
|
||||||
|
let dn = uid_to_dn(&details.user);
|
||||||
|
|
||||||
|
// if so then set password
|
||||||
|
let tmp = PasswordModify {
|
||||||
|
// none as we are staying on the same connection
|
||||||
|
user_id: Some(&dn),
|
||||||
|
old_pass: None,
|
||||||
|
new_pass: Some(pass),
|
||||||
|
};
|
||||||
|
|
||||||
|
ldap.extended(tmp)?.success()?;
|
||||||
|
ldap.unbind()?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn send_mail(config: &Config, record: &Accounts, auth: &str) -> Result<Response, Error> {
|
||||||
|
let recipient = &record.user;
|
||||||
|
let mail = &record.mail;
|
||||||
|
let url_base = "https://sso.skynet.ie";
|
||||||
|
let link_new = format!("{url_base}/recovery_pass?auth={auth}");
|
||||||
|
let discord = "https://discord.gg/mkuKJkCuyM";
|
||||||
|
let sender = format!("UL Computer Society <{}>", &config.mail_user);
|
||||||
|
|
||||||
|
// Create the html we want to send.
|
||||||
|
let html = html! {
|
||||||
|
head {
|
||||||
|
title { "Hello from Skynet!" }
|
||||||
|
style type="text/css" {
|
||||||
|
"h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
div style="display: flex; flex-direction: column; align-items: center;" {
|
||||||
|
h2 { "Hello from Skynet!" }
|
||||||
|
// Substitute in the name of our recipient.
|
||||||
|
p { "Hi " (recipient) "," }
|
||||||
|
p {
|
||||||
|
"Here is your password reset link:"
|
||||||
|
br;
|
||||||
|
a href=(link_new) { (link_new) }
|
||||||
|
}
|
||||||
|
p {
|
||||||
|
"If did not request this please ignore."
|
||||||
|
}
|
||||||
|
p {
|
||||||
|
"UL Computer Society"
|
||||||
|
br;
|
||||||
|
"Skynet Team"
|
||||||
|
br;
|
||||||
|
a href=(discord) { (discord) }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
let body_text = format!(
|
||||||
|
r#"
|
||||||
|
Hi {recipient}
|
||||||
|
|
||||||
|
Here is your password reset link:
|
||||||
|
{link_new}
|
||||||
|
|
||||||
|
If did not request this please ignore.
|
||||||
|
|
||||||
|
UL Computer Society
|
||||||
|
Skynet Team
|
||||||
|
{discord}
|
||||||
|
"#
|
||||||
|
);
|
||||||
|
|
||||||
|
// Build the message.
|
||||||
|
let email = Message::builder()
|
||||||
|
.from(sender.parse().unwrap())
|
||||||
|
.to(mail.parse().unwrap())
|
||||||
|
.subject("Skynet: Password Reset")
|
||||||
|
.multipart(
|
||||||
|
// This is composed of two parts.
|
||||||
|
// also helps not trip spam settings (uneven number of url's
|
||||||
|
MultiPart::alternative()
|
||||||
|
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
|
||||||
|
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
|
||||||
|
)
|
||||||
|
.expect("failed to build email");
|
||||||
|
|
||||||
|
let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
|
||||||
|
|
||||||
|
// Open a remote connection to gmail using STARTTLS
|
||||||
|
let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
|
||||||
|
|
||||||
|
// Send the email
|
||||||
|
mailer.send(&email)
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn save_to_db(db: &Pool<Sqlite>, record: &Accounts, auth: &str) -> Result<Option<AccountsReset>, sqlx::Error> {
|
||||||
|
// lets start off a 4 hour timeout on password resets
|
||||||
|
let offset = Utc::now() + Duration::hours(4);
|
||||||
|
|
||||||
|
sqlx::query_as::<_, AccountsReset>(
|
||||||
|
"
|
||||||
|
INSERT OR REPLACE INTO accounts_reset (user, auth_code, date_expiry)
|
||||||
|
VALUES (?1, ?2, ?3)
|
||||||
|
",
|
||||||
|
)
|
||||||
|
.bind(record.user.to_owned())
|
||||||
|
.bind(auth.to_owned())
|
||||||
|
.bind(offset.to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||||
|
.fetch_optional(db)
|
||||||
|
.await
|
||||||
|
}
|
Loading…
Reference in a new issue