Merge branch '#4-password-reset' into 'main'

Password reset See merge request compsoc1/skynet/ldap/backend!2
2023-08-06 17:22:31 +00:00 · 2023-08-06 17:22:31 +00:00 · 224451292d
commit 224451292d
parent a97964700a 0b385cafab
9 changed files with 1032 additions and 355 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -40,3 +40,4 @@ csv = "1.2"
 # for email
 lettre = "0.10.4"
 maud = "0.25.0"
+
--- a/README.md
+++ b/README.md
@ -81,6 +81,49 @@ Invalid Auth:

 Generic responses which is used unless otherwise specified above.

+### POST /ldap/recover/password
+
+```json
+{
+  "user" : "[OPTIONAL] username looking for reset",
+  "email" : "[OPTIONAL] email looking for reset"
+}
+```
+
+All responses:
+```json
+{"result": "success"}
+```
+
+### POST /ldap/recover/password/auth
+
+```json
+{ 
+  "auth" : "Auth key from teh email",
+  "pass" : "Password the user chooses"
+}
+```
+
+Early Errors:
+```json
+{"result": "error"}
+```
+
+LDAP error:
+```json
+{"result": "error", "error": "ldap error"}
+```
+
+Success:
+```json
+{"result": "success", "success": "Password set"}
+```
+
+## Responses
+
+Generic responses which is used unless otherwise specified above.
+
+
 ### Success: HTTP 200
 ```json
 {
--- a/src/lib.rs
+++ b/src/lib.rs
@ -35,7 +35,14 @@ pub struct AccountsNew {
    pub id_student: String,
 }

-#[derive(Debug, Deserialize, Serialize, sqlx::FromRow)]
+#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
+pub struct AccountsReset {
+    pub user: String,
+    pub auth_code: String,
+    pub date_expiry: String,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
 pub struct Accounts {
    pub user: String,
    pub uid: i64,
@ -84,6 +91,26 @@ pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
    sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)")
        .execute(&pool)
        .await?;
+    sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_new (date_expiry)")
+        .execute(&pool)
+        .await?;
+
+    sqlx::query(
+        "CREATE TABLE IF NOT EXISTS accounts_reset (
+            user text primary key,
+            auth_code text not null,
+            date_expiry text not null
+         )",
+    )
+    .execute(&pool)
+    .await?;
+
+    sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_reset (auth_code)")
+        .execute(&pool)
+        .await?;
+    sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_reset (date_expiry)")
+        .execute(&pool)
+        .await?;

    // this is for active use
    sqlx::query(
@ -214,6 +241,10 @@ pub async fn get_wolves(db: &Pool<Sqlite>) -> Vec<AccountWolves> {
    .unwrap_or(vec![])
 }

+pub fn uid_to_dn(uid: &str) -> String {
+    format!("uid={},ou=users,dc=skynet,dc=ie", uid)
+}
+
 pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> {
    if users.is_empty() {
        return Ok(());
@ -252,7 +283,3 @@ pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, rep

    Ok(())
 }
-
-pub fn uid_to_dn(uid: &str) -> String {
-    format!("uid={},ou=users,dc=skynet,dc=ie", uid)
-}
--- a/src/main.rs
+++ b/src/main.rs
@ -1,9 +1,6 @@
 use skynet_ldap_backend::{
    db_init, get_config,
-    methods::{
-        account_new::post::{account, email},
-        account_update::post_update_ldap,
-    },
+    methods::{account_new, account_recover, account_update},
    State,
 };

@ -23,14 +20,17 @@ async fn main() -> tide::Result<()> {

    let mut app = tide::with_state(state);

-    app.at("/ldap/update").post(post_update_ldap);
-    app.at("/ldap/new/email").post(email::submit);
-    app.at("/ldap/new/account").post(account::submit);
+    // for users to update their own profile
+    app.at("/ldap/update").post(account_update::submit);
+
+    // for new users
+    app.at("/ldap/new/email").post(account_new::email::submit);
+    app.at("/ldap/new/account").post(account_new::account::submit);
+
+    // for folks who forget password/username
+    app.at("/ldap/recover/password").post(account_recover::password::reset);
+    app.at("/ldap/recover/password/auth").post(account_recover::password::auth);

    app.listen(host_port).await?;
    Ok(())
 }
-
-/*
-Password reset via email
-*/
--- a/src/methods/account_new.rs
+++ b/src/methods/account_new.rs
@ -13,10 +13,7 @@ use tide::{
    Request,
 };

-pub mod post {
-    use super::*;
-
-    pub mod email {
+pub mod email {
    use super::*;

    #[derive(Debug, Deserialize)]
@ -231,9 +228,9 @@ pub mod post {
        .fetch_optional(db)
        .await
    }
-    }
+}

-    pub mod account {
+pub mod account {
    use super::*;
    use crate::update_group;

@ -460,5 +457,4 @@ pub mod post {
        .fetch_all(db)
        .await
    }
-    }
 }
--- a/src/methods/account_recover.rs
+++ b/src/methods/account_recover.rs
@ -0,0 +1,306 @@
+use crate::{get_now_iso, random_string, uid_to_dn, Accounts, AccountsReset, Config, State};
+use chrono::{Duration, SecondsFormat, Utc};
+use ldap3::{exop::PasswordModify, LdapConn};
+use lettre::{
+    message::{header, MultiPart, SinglePart},
+    transport::smtp::{authentication::Credentials, response::Response, Error},
+    Message, SmtpTransport, Transport,
+};
+use maud::html;
+use sqlx::{Pool, Sqlite};
+use tide::{
+    prelude::{json, Deserialize},
+    Request,
+};
+
+pub mod password {
+    use super::*;
+
+    #[derive(Debug, Deserialize)]
+    struct PassReset {
+        user: Option<String>,
+        email: Option<String>,
+    }
+
+    /// Handles password resets
+    /// All responses are success, never want to leak info
+    pub async fn reset(mut req: Request<State>) -> tide::Result {
+        let PassReset {
+            user,
+            email,
+        } = req.body_json().await?;
+
+        // check that any mail is not using @skynet.ie
+        if let Some(mail) = &email {
+            if mail.trim().ends_with("@skynet.ie") {
+                // all responses from this are a success
+                return Ok(json!({"result": "success"}).into());
+            }
+        }
+
+        let config = &req.state().config;
+        let db = &req.state().db;
+
+        // considering the local db is updated hourly (or less) use that instead of teh ldap for lookups
+        let user_details = match db_get_user(db, &user, &email).await {
+            None => {
+                return Ok(json!({"result": "success"}).into());
+            }
+            Some(x) => x,
+        };
+
+        // user does not have a different email address set
+        if user_details.mail.trim().ends_with("@skynet.ie") {
+            return Ok(json!({"result": "success"}).into());
+        }
+
+        // check if a recent password reset request happened lately
+        db_pending_clear_expired(db).await?;
+
+        if db_get_user_reset(db, &user_details.user).await.is_some() {
+            // reset already requested within timeframe
+            return Ok(json!({"result": "success"}).into());
+        }
+
+        // send mail
+        let auth = random_string(50);
+
+        if send_mail(config, &user_details, &auth).is_ok() {
+            // save to db
+
+            save_to_db(db, &user_details, &auth).await?;
+        }
+
+        Ok(json!({"result": "success"}).into())
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct PassResetAuth {
+        auth: String,
+        pass: String,
+    }
+
+    pub async fn auth(mut req: Request<State>) -> tide::Result {
+        let PassResetAuth {
+            auth,
+            pass,
+        } = req.body_json().await?;
+
+        let config = &req.state().config;
+        let db = &req.state().db;
+
+        if db_pending_clear_expired(db).await.is_err() {
+            return Ok(json!({"result": "error"}).into());
+        }
+
+        // check if auth exists
+        let details = match db_get_user_reset_auth(db, &auth).await {
+            None => {
+                return Ok(json!({"result": "error"}).into());
+            }
+            Some(x) => x,
+        };
+
+        if ldap_reset_pw(config, &details, &pass).await.is_err() {
+            return Ok(json!({"result": "error", "error": "ldap error"}).into());
+        };
+
+        Ok(json!({"result": "success", "success": "Password set"}).into())
+    }
+
+    async fn db_get_user(pool: &Pool<Sqlite>, user_in: &Option<String>, mail_in: &Option<String>) -> Option<Accounts> {
+        let user = match user_in {
+            None => "",
+            Some(x) => x,
+        };
+        let mail = match mail_in {
+            None => "",
+            Some(x) => x,
+        };
+
+        if let Ok(res) = sqlx::query_as::<_, Accounts>(
+            r#"
+        SELECT *
+        FROM accounts
+        WHERE user == ? OR mail ==?
+        "#,
+        )
+        .bind(user)
+        .bind(mail)
+        .fetch_all(pool)
+        .await
+        {
+            if !res.is_empty() {
+                return Some(res[0].to_owned());
+            }
+        }
+
+        None
+    }
+
+    async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsReset>, sqlx::Error> {
+        sqlx::query_as::<_, AccountsReset>(
+            r#"
+        DELETE 
+        FROM accounts_reset
+        WHERE date_expiry < ?
+        "#,
+        )
+        .bind(get_now_iso(false))
+        .fetch_all(pool)
+        .await
+    }
+
+    async fn db_get_user_reset(pool: &Pool<Sqlite>, user: &str) -> Option<AccountsReset> {
+        if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
+            r#"
+        SELECT *
+        FROM accounts_reset
+        WHERE user == ?
+        "#,
+        )
+        .bind(user)
+        .fetch_all(pool)
+        .await
+        {
+            if !res.is_empty() {
+                return Some(res[0].to_owned());
+            }
+        }
+
+        None
+    }
+
+    async fn db_get_user_reset_auth(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsReset> {
+        if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
+            r#"
+        SELECT *
+        FROM accounts_reset
+        WHERE auth == ?
+        "#,
+        )
+        .bind(auth)
+        .fetch_all(pool)
+        .await
+        {
+            if !res.is_empty() {
+                return Some(res[0].to_owned());
+            }
+        }
+
+        None
+    }
+
+    async fn ldap_reset_pw(config: &Config, details: &AccountsReset, pass: &str) -> Result<(), ldap3::LdapError> {
+        let mut ldap = LdapConn::new(&config.ldap_host)?;
+        ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
+
+        let dn = uid_to_dn(&details.user);
+
+        // if so then set password
+        let tmp = PasswordModify {
+            // none as we are staying on the same connection
+            user_id: Some(&dn),
+            old_pass: None,
+            new_pass: Some(pass),
+        };
+
+        ldap.extended(tmp)?.success()?;
+        ldap.unbind()?;
+
+        Ok(())
+    }
+
+    fn send_mail(config: &Config, record: &Accounts, auth: &str) -> Result<Response, Error> {
+        let recipient = &record.user;
+        let mail = &record.mail;
+        let url_base = "https://sso.skynet.ie";
+        let link_new = format!("{url_base}/recovery_pass?auth={auth}");
+        let discord = "https://discord.gg/mkuKJkCuyM";
+        let sender = format!("UL Computer Society <{}>", &config.mail_user);
+
+        // Create the html we want to send.
+        let html = html! {
+            head {
+                title { "Hello from Skynet!" }
+                style type="text/css" {
+                    "h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
+                }
+            }
+            div style="display: flex; flex-direction: column; align-items: center;" {
+                h2 { "Hello from Skynet!" }
+                // Substitute in the name of our recipient.
+                p { "Hi " (recipient) "," }
+                p {
+                    "Here is your password reset link:"
+                    br;
+                    a href=(link_new) { (link_new) }
+                }
+                p {
+                    "If did not request this please ignore."
+                }
+                p {
+                    "UL Computer Society"
+                    br;
+                    "Skynet Team"
+                    br;
+                    a href=(discord) { (discord) }
+                }
+            }
+        };
+
+        let body_text = format!(
+            r#"
+        Hi {recipient}
+        
+        Here is your password reset link:
+        {link_new}
+        
+        If did not request this please ignore.
+        
+        UL Computer Society
+        Skynet Team
+        {discord}
+        "#
+        );
+
+        // Build the message.
+        let email = Message::builder()
+            .from(sender.parse().unwrap())
+            .to(mail.parse().unwrap())
+            .subject("Skynet: Password Reset")
+            .multipart(
+                // This is composed of two parts.
+                // also helps not trip spam settings (uneven number of url's
+                MultiPart::alternative()
+                    .singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
+                    .singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
+            )
+            .expect("failed to build email");
+
+        let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
+
+        // Open a remote connection to gmail using STARTTLS
+        let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
+
+        // Send the email
+        mailer.send(&email)
+    }
+
+    async fn save_to_db(db: &Pool<Sqlite>, record: &Accounts, auth: &str) -> Result<Option<AccountsReset>, sqlx::Error> {
+        // lets start off a 4 hour timeout on password resets
+        let offset = Utc::now() + Duration::hours(4);
+
+        sqlx::query_as::<_, AccountsReset>(
+            "
+        INSERT OR REPLACE INTO accounts_reset (user, auth_code, date_expiry)
+        VALUES (?1, ?2, ?3)
+        ",
+        )
+        .bind(record.user.to_owned())
+        .bind(auth.to_owned())
+        .bind(offset.to_rfc3339_opts(SecondsFormat::Millis, true))
+        .fetch_optional(db)
+        .await
+    }
+}
--- a/src/methods/account_update.rs
+++ b/src/methods/account_update.rs
@ -25,7 +25,7 @@ pub struct ModifyResult {
 }

 /// Handles updating a single field with the users own password
-pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result {
+pub async fn submit(mut req: Request<State>) -> tide::Result {
    let LdapUpdate {
        user,
        pass,
--- a/src/methods/mod.rs
+++ b/src/methods/mod.rs
@ -1,2 +1,4 @@
 pub mod account_new;
+pub mod account_recover;
 pub mod account_update;
+pub mod password_reset;
--- a/src/methods/password_reset.rs
+++ b/src/methods/password_reset.rs
@ -0,0 +1,302 @@
+use crate::{get_now_iso, random_string, uid_to_dn, Accounts, AccountsReset, Config, State};
+use chrono::{Duration, SecondsFormat, Utc};
+use ldap3::{exop::PasswordModify, LdapConn};
+use lettre::{
+    message::{header, MultiPart, SinglePart},
+    transport::smtp::{authentication::Credentials, response::Response, Error},
+    Message, SmtpTransport, Transport,
+};
+use maud::html;
+use sqlx::{Pool, Sqlite};
+use tide::{
+    prelude::{json, Deserialize},
+    Request,
+};
+
+#[derive(Debug, Deserialize)]
+pub struct PassReset {
+    user: Option<String>,
+    email: Option<String>,
+}
+
+/// Handles password resets
+/// All responses are success, never want to leak info
+pub async fn post_password_reset(mut req: Request<State>) -> tide::Result {
+    let PassReset {
+        user,
+        email,
+    } = req.body_json().await?;
+
+    // check that any mail is not using @skynet.ie
+    if let Some(mail) = &email {
+        if mail.trim().ends_with("@skynet.ie") {
+            // all responses from this are a success
+            return Ok(json!({"result": "success"}).into());
+        }
+    }
+
+    let config = &req.state().config;
+    let db = &req.state().db;
+
+    // considering the local db is updated hourly (or less) use that instead of teh ldap for lookups
+    let user_details = match db_get_user(db, &user, &email).await {
+        None => {
+            return Ok(json!({"result": "success"}).into());
+        }
+        Some(x) => x,
+    };
+
+    // user does not have a different email address set
+    if user_details.mail.trim().ends_with("@skynet.ie") {
+        return Ok(json!({"result": "success"}).into());
+    }
+
+    // check if a recent password reset request happened lately
+    db_pending_clear_expired(db).await?;
+
+    if db_get_user_reset(db, &user_details.user).await.is_some() {
+        // reset already requested within timeframe
+        return Ok(json!({"result": "success"}).into());
+    }
+
+    // send mail
+    let auth = random_string(50);
+
+    if send_mail(config, &user_details, &auth).is_ok() {
+        // save to db
+
+        save_to_db(db, &user_details, &auth).await?;
+    }
+
+    Ok(json!({"result": "success"}).into())
+}
+
+#[derive(Debug, Deserialize)]
+pub struct PassResetAuth {
+    auth: String,
+    pass: String,
+}
+
+pub async fn post_password_auth(mut req: Request<State>) -> tide::Result {
+    let PassResetAuth {
+        auth,
+        pass,
+    } = req.body_json().await?;
+
+    let config = &req.state().config;
+    let db = &req.state().db;
+
+    if db_pending_clear_expired(db).await.is_err() {
+        return Ok(json!({"result": "error"}).into());
+    }
+
+    // check if auth exists
+    let details = match db_get_user_reset_auth(db, &auth).await {
+        None => {
+            return Ok(json!({"result": "error"}).into());
+        }
+        Some(x) => x,
+    };
+
+    if ldap_reset_pw(config, &details, &pass).await.is_err() {
+        return Ok(json!({"result": "error", "error": "ldap error"}).into());
+    };
+
+    Ok(json!({"result": "success", "success": "Password set"}).into())
+}
+
+async fn db_get_user(pool: &Pool<Sqlite>, user_in: &Option<String>, mail_in: &Option<String>) -> Option<Accounts> {
+    let user = match user_in {
+        None => "",
+        Some(x) => x,
+    };
+    let mail = match mail_in {
+        None => "",
+        Some(x) => x,
+    };
+
+    if let Ok(res) = sqlx::query_as::<_, Accounts>(
+        r#"
+        SELECT *
+        FROM accounts
+        WHERE user == ? OR mail ==?
+        "#,
+    )
+    .bind(user)
+    .bind(mail)
+    .fetch_all(pool)
+    .await
+    {
+        if !res.is_empty() {
+            return Some(res[0].to_owned());
+        }
+    }
+
+    None
+}
+
+async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsReset>, sqlx::Error> {
+    sqlx::query_as::<_, AccountsReset>(
+        r#"
+        DELETE 
+        FROM accounts_reset
+        WHERE date_expiry < ?
+        "#,
+    )
+    .bind(get_now_iso(false))
+    .fetch_all(pool)
+    .await
+}
+
+async fn db_get_user_reset(pool: &Pool<Sqlite>, user: &str) -> Option<AccountsReset> {
+    if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
+        r#"
+        SELECT *
+        FROM accounts_reset
+        WHERE user == ?
+        "#,
+    )
+    .bind(user)
+    .fetch_all(pool)
+    .await
+    {
+        if !res.is_empty() {
+            return Some(res[0].to_owned());
+        }
+    }
+
+    None
+}
+
+async fn db_get_user_reset_auth(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsReset> {
+    if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
+        r#"
+        SELECT *
+        FROM accounts_reset
+        WHERE auth == ?
+        "#,
+    )
+    .bind(auth)
+    .fetch_all(pool)
+    .await
+    {
+        if !res.is_empty() {
+            return Some(res[0].to_owned());
+        }
+    }
+
+    None
+}
+
+async fn ldap_reset_pw(config: &Config, details: &AccountsReset, pass: &str) -> Result<(), ldap3::LdapError> {
+    let mut ldap = LdapConn::new(&config.ldap_host)?;
+    ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
+
+    let dn = uid_to_dn(&details.user);
+
+    // if so then set password
+    let tmp = PasswordModify {
+        // none as we are staying on the same connection
+        user_id: Some(&dn),
+        old_pass: None,
+        new_pass: Some(pass),
+    };
+
+    ldap.extended(tmp)?.success()?;
+    ldap.unbind()?;
+
+    Ok(())
+}
+
+fn send_mail(config: &Config, record: &Accounts, auth: &str) -> Result<Response, Error> {
+    let recipient = &record.user;
+    let mail = &record.mail;
+    let url_base = "https://sso.skynet.ie";
+    let link_new = format!("{url_base}/recovery_pass?auth={auth}");
+    let discord = "https://discord.gg/mkuKJkCuyM";
+    let sender = format!("UL Computer Society <{}>", &config.mail_user);
+
+    // Create the html we want to send.
+    let html = html! {
+        head {
+            title { "Hello from Skynet!" }
+            style type="text/css" {
+                "h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
+            }
+        }
+        div style="display: flex; flex-direction: column; align-items: center;" {
+            h2 { "Hello from Skynet!" }
+            // Substitute in the name of our recipient.
+            p { "Hi " (recipient) "," }
+            p {
+                "Here is your password reset link:"
+                br;
+                a href=(link_new) { (link_new) }
+            }
+            p {
+                "If did not request this please ignore."
+            }
+            p {
+                "UL Computer Society"
+                br;
+                "Skynet Team"
+                br;
+                a href=(discord) { (discord) }
+            }
+        }
+    };
+
+    let body_text = format!(
+        r#"
+        Hi {recipient}
+        
+        Here is your password reset link:
+        {link_new}
+        
+        If did not request this please ignore.
+        
+        UL Computer Society
+        Skynet Team
+        {discord}
+        "#
+    );
+
+    // Build the message.
+    let email = Message::builder()
+        .from(sender.parse().unwrap())
+        .to(mail.parse().unwrap())
+        .subject("Skynet: Password Reset")
+        .multipart(
+            // This is composed of two parts.
+            // also helps not trip spam settings (uneven number of url's
+            MultiPart::alternative()
+                .singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
+                .singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
+        )
+        .expect("failed to build email");
+
+    let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
+
+    // Open a remote connection to gmail using STARTTLS
+    let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
+
+    // Send the email
+    mailer.send(&email)
+}
+
+async fn save_to_db(db: &Pool<Sqlite>, record: &Accounts, auth: &str) -> Result<Option<AccountsReset>, sqlx::Error> {
+    // lets start off a 4 hour timeout on password resets
+    let offset = Utc::now() + Duration::hours(4);
+
+    sqlx::query_as::<_, AccountsReset>(
+        "
+        INSERT OR REPLACE INTO accounts_reset (user, auth_code, date_expiry)
+        VALUES (?1, ?2, ?3)
+        ",
+    )
+    .bind(record.user.to_owned())
+    .bind(auth.to_owned())
+    .bind(offset.to_rfc3339_opts(SecondsFormat::Millis, true))
+    .fetch_optional(db)
+    .await
+}