Dont allow reusing password reset token, use normal rate limit (#4719)
* Dont allow reusing password reset token, use normal rate limit * fix
This commit is contained in:
parent
a0ad7806cb
commit
4ffaa93431
6 changed files with 54 additions and 95 deletions
|
@ -19,7 +19,7 @@ pub async fn change_password_after_reset(
|
||||||
) -> LemmyResult<Json<SuccessResponse>> {
|
) -> LemmyResult<Json<SuccessResponse>> {
|
||||||
// Fetch the user_id from the token
|
// Fetch the user_id from the token
|
||||||
let token = data.token.clone();
|
let token = data.token.clone();
|
||||||
let local_user_id = PasswordResetRequest::read_from_token(&mut context.pool(), &token)
|
let local_user_id = PasswordResetRequest::read_and_delete(&mut context.pool(), &token)
|
||||||
.await?
|
.await?
|
||||||
.ok_or(LemmyErrorType::TokenNotFound)?
|
.ok_or(LemmyErrorType::TokenNotFound)?
|
||||||
.local_user_id;
|
.local_user_id;
|
||||||
|
|
|
@ -6,7 +6,6 @@ use lemmy_api_common::{
|
||||||
utils::send_password_reset_email,
|
utils::send_password_reset_email,
|
||||||
SuccessResponse,
|
SuccessResponse,
|
||||||
};
|
};
|
||||||
use lemmy_db_schema::source::password_reset_request::PasswordResetRequest;
|
|
||||||
use lemmy_db_views::structs::{LocalUserView, SiteView};
|
use lemmy_db_views::structs::{LocalUserView, SiteView};
|
||||||
use lemmy_utils::error::{LemmyErrorType, LemmyResult};
|
use lemmy_utils::error::{LemmyErrorType, LemmyResult};
|
||||||
|
|
||||||
|
@ -21,15 +20,6 @@ pub async fn reset_password(
|
||||||
.await?
|
.await?
|
||||||
.ok_or(LemmyErrorType::IncorrectLogin)?;
|
.ok_or(LemmyErrorType::IncorrectLogin)?;
|
||||||
|
|
||||||
// Check for too many attempts (to limit potential abuse)
|
|
||||||
let recent_resets_count = PasswordResetRequest::get_recent_password_resets_count(
|
|
||||||
&mut context.pool(),
|
|
||||||
local_user_view.local_user.id,
|
|
||||||
)
|
|
||||||
.await?;
|
|
||||||
if recent_resets_count >= 3 {
|
|
||||||
Err(LemmyErrorType::PasswordResetLimitReached)?
|
|
||||||
}
|
|
||||||
let site_view = SiteView::read_local(&mut context.pool())
|
let site_view = SiteView::read_local(&mut context.pool())
|
||||||
.await?
|
.await?
|
||||||
.ok_or(LemmyErrorType::LocalSiteNotSetup)?;
|
.ok_or(LemmyErrorType::LocalSiteNotSetup)?;
|
||||||
|
|
|
@ -440,7 +440,7 @@ pub async fn send_password_reset_email(
|
||||||
// Insert the row after successful send, to avoid using daily reset limit while
|
// Insert the row after successful send, to avoid using daily reset limit while
|
||||||
// email sending is broken.
|
// email sending is broken.
|
||||||
let local_user_id = user.local_user.id;
|
let local_user_id = user.local_user.id;
|
||||||
PasswordResetRequest::create_token(pool, local_user_id, token.clone()).await?;
|
PasswordResetRequest::create(pool, local_user_id, token.clone()).await?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,49 +1,22 @@
|
||||||
use crate::{
|
use crate::{
|
||||||
diesel::OptionalExtension,
|
diesel::OptionalExtension,
|
||||||
newtypes::LocalUserId,
|
newtypes::LocalUserId,
|
||||||
schema::password_reset_request::dsl::{local_user_id, password_reset_request, published, token},
|
schema::password_reset_request::dsl::{password_reset_request, published, token},
|
||||||
source::password_reset_request::{PasswordResetRequest, PasswordResetRequestForm},
|
source::password_reset_request::{PasswordResetRequest, PasswordResetRequestForm},
|
||||||
traits::Crud,
|
|
||||||
utils::{get_conn, DbPool},
|
utils::{get_conn, DbPool},
|
||||||
};
|
};
|
||||||
use diesel::{
|
use diesel::{
|
||||||
|
delete,
|
||||||
dsl::{insert_into, now, IntervalDsl},
|
dsl::{insert_into, now, IntervalDsl},
|
||||||
result::Error,
|
result::Error,
|
||||||
sql_types::Timestamptz,
|
sql_types::Timestamptz,
|
||||||
ExpressionMethods,
|
ExpressionMethods,
|
||||||
IntoSql,
|
IntoSql,
|
||||||
QueryDsl,
|
|
||||||
};
|
};
|
||||||
use diesel_async::RunQueryDsl;
|
use diesel_async::RunQueryDsl;
|
||||||
|
|
||||||
#[async_trait]
|
|
||||||
impl Crud for PasswordResetRequest {
|
|
||||||
type InsertForm = PasswordResetRequestForm;
|
|
||||||
type UpdateForm = PasswordResetRequestForm;
|
|
||||||
type IdType = i32;
|
|
||||||
|
|
||||||
async fn create(pool: &mut DbPool<'_>, form: &PasswordResetRequestForm) -> Result<Self, Error> {
|
|
||||||
let conn = &mut get_conn(pool).await?;
|
|
||||||
insert_into(password_reset_request)
|
|
||||||
.values(form)
|
|
||||||
.get_result::<Self>(conn)
|
|
||||||
.await
|
|
||||||
}
|
|
||||||
async fn update(
|
|
||||||
pool: &mut DbPool<'_>,
|
|
||||||
password_reset_request_id: i32,
|
|
||||||
form: &PasswordResetRequestForm,
|
|
||||||
) -> Result<Self, Error> {
|
|
||||||
let conn = &mut get_conn(pool).await?;
|
|
||||||
diesel::update(password_reset_request.find(password_reset_request_id))
|
|
||||||
.set(form)
|
|
||||||
.get_result::<Self>(conn)
|
|
||||||
.await
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl PasswordResetRequest {
|
impl PasswordResetRequest {
|
||||||
pub async fn create_token(
|
pub async fn create(
|
||||||
pool: &mut DbPool<'_>,
|
pool: &mut DbPool<'_>,
|
||||||
from_local_user_id: LocalUserId,
|
from_local_user_id: LocalUserId,
|
||||||
token_: String,
|
token_: String,
|
||||||
|
@ -52,30 +25,21 @@ impl PasswordResetRequest {
|
||||||
local_user_id: from_local_user_id,
|
local_user_id: from_local_user_id,
|
||||||
token: token_.into(),
|
token: token_.into(),
|
||||||
};
|
};
|
||||||
|
|
||||||
Self::create(pool, &form).await
|
|
||||||
}
|
|
||||||
pub async fn read_from_token(pool: &mut DbPool<'_>, token_: &str) -> Result<Option<Self>, Error> {
|
|
||||||
let conn = &mut get_conn(pool).await?;
|
let conn = &mut get_conn(pool).await?;
|
||||||
password_reset_request
|
insert_into(password_reset_request)
|
||||||
|
.values(form)
|
||||||
|
.get_result::<Self>(conn)
|
||||||
|
.await
|
||||||
|
}
|
||||||
|
|
||||||
|
pub async fn read_and_delete(pool: &mut DbPool<'_>, token_: &str) -> Result<Option<Self>, Error> {
|
||||||
|
let conn = &mut get_conn(pool).await?;
|
||||||
|
delete(password_reset_request)
|
||||||
.filter(token.eq(token_))
|
.filter(token.eq(token_))
|
||||||
.filter(published.gt(now.into_sql::<Timestamptz>() - 1.days()))
|
.filter(published.gt(now.into_sql::<Timestamptz>() - 1.days()))
|
||||||
.first(conn)
|
|
||||||
.await
|
|
||||||
.optional()
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn get_recent_password_resets_count(
|
|
||||||
pool: &mut DbPool<'_>,
|
|
||||||
user_id: LocalUserId,
|
|
||||||
) -> Result<i64, Error> {
|
|
||||||
let conn = &mut get_conn(pool).await?;
|
|
||||||
password_reset_request
|
|
||||||
.filter(local_user_id.eq(user_id))
|
|
||||||
.filter(published.gt(now.into_sql::<Timestamptz>() - 1.days()))
|
|
||||||
.count()
|
|
||||||
.get_result(conn)
|
.get_result(conn)
|
||||||
.await
|
.await
|
||||||
|
.optional()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -94,62 +58,64 @@ mod tests {
|
||||||
traits::Crud,
|
traits::Crud,
|
||||||
utils::build_db_pool_for_tests,
|
utils::build_db_pool_for_tests,
|
||||||
};
|
};
|
||||||
|
use lemmy_utils::error::LemmyResult;
|
||||||
use pretty_assertions::assert_eq;
|
use pretty_assertions::assert_eq;
|
||||||
use serial_test::serial;
|
use serial_test::serial;
|
||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
#[serial]
|
#[serial]
|
||||||
async fn test_crud() {
|
async fn test_password_reset() -> LemmyResult<()> {
|
||||||
let pool = &build_db_pool_for_tests().await;
|
let pool = &build_db_pool_for_tests().await;
|
||||||
let pool = &mut pool.into();
|
let pool = &mut pool.into();
|
||||||
|
|
||||||
let inserted_instance = Instance::read_or_create(pool, "my_domain.tld".to_string())
|
// Setup
|
||||||
.await
|
let inserted_instance = Instance::read_or_create(pool, "my_domain.tld".to_string()).await?;
|
||||||
.unwrap();
|
|
||||||
|
|
||||||
let new_person = PersonInsertForm::builder()
|
let new_person = PersonInsertForm::builder()
|
||||||
.name("thommy prw".into())
|
.name("thommy prw".into())
|
||||||
.public_key("pubkey".to_string())
|
.public_key("pubkey".to_string())
|
||||||
.instance_id(inserted_instance.id)
|
.instance_id(inserted_instance.id)
|
||||||
.build();
|
.build();
|
||||||
|
let inserted_person = Person::create(pool, &new_person).await?;
|
||||||
let inserted_person = Person::create(pool, &new_person).await.unwrap();
|
|
||||||
|
|
||||||
let new_local_user = LocalUserInsertForm::builder()
|
let new_local_user = LocalUserInsertForm::builder()
|
||||||
.person_id(inserted_person.id)
|
.person_id(inserted_person.id)
|
||||||
.password_encrypted("pass".to_string())
|
.password_encrypted("pass".to_string())
|
||||||
.build();
|
.build();
|
||||||
|
let inserted_local_user = LocalUser::create(pool, &new_local_user, vec![]).await?;
|
||||||
|
|
||||||
let inserted_local_user = LocalUser::create(pool, &new_local_user, vec![])
|
// Create password reset token
|
||||||
.await
|
|
||||||
.unwrap();
|
|
||||||
|
|
||||||
let token = "nope";
|
let token = "nope";
|
||||||
|
|
||||||
let inserted_password_reset_request =
|
let inserted_password_reset_request =
|
||||||
PasswordResetRequest::create_token(pool, inserted_local_user.id, token.to_string())
|
PasswordResetRequest::create(pool, inserted_local_user.id, token.to_string()).await?;
|
||||||
.await
|
|
||||||
|
// Read it and verify
|
||||||
|
let read_password_reset_request = PasswordResetRequest::read_and_delete(pool, token)
|
||||||
|
.await?
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
let expected_password_reset_request = PasswordResetRequest {
|
|
||||||
id: inserted_password_reset_request.id,
|
|
||||||
local_user_id: inserted_local_user.id,
|
|
||||||
token: token.to_string().into(),
|
|
||||||
published: inserted_password_reset_request.published,
|
|
||||||
};
|
|
||||||
|
|
||||||
let read_password_reset_request = PasswordResetRequest::read_from_token(pool, token)
|
|
||||||
.await
|
|
||||||
.unwrap()
|
|
||||||
.unwrap();
|
|
||||||
let num_deleted = Person::delete(pool, inserted_person.id).await.unwrap();
|
|
||||||
Instance::delete(pool, inserted_instance.id).await.unwrap();
|
|
||||||
|
|
||||||
assert_eq!(expected_password_reset_request, read_password_reset_request);
|
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
expected_password_reset_request,
|
inserted_password_reset_request.id,
|
||||||
inserted_password_reset_request
|
read_password_reset_request.id
|
||||||
);
|
);
|
||||||
|
assert_eq!(
|
||||||
|
inserted_password_reset_request.local_user_id,
|
||||||
|
read_password_reset_request.local_user_id
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
inserted_password_reset_request.token,
|
||||||
|
read_password_reset_request.token
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
inserted_password_reset_request.published,
|
||||||
|
read_password_reset_request.published
|
||||||
|
);
|
||||||
|
|
||||||
|
// Cannot reuse same token again
|
||||||
|
let read_password_reset_request = PasswordResetRequest::read_and_delete(pool, token).await?;
|
||||||
|
assert!(read_password_reset_request.is_none());
|
||||||
|
|
||||||
|
// Cleanup
|
||||||
|
let num_deleted = Person::delete(pool, inserted_person.id).await?;
|
||||||
|
Instance::delete(pool, inserted_instance.id).await?;
|
||||||
assert_eq!(1, num_deleted);
|
assert_eq!(1, num_deleted);
|
||||||
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -161,7 +161,6 @@ pub enum LemmyErrorType {
|
||||||
PermissiveRegex,
|
PermissiveRegex,
|
||||||
InvalidRegex,
|
InvalidRegex,
|
||||||
CaptchaIncorrect,
|
CaptchaIncorrect,
|
||||||
PasswordResetLimitReached,
|
|
||||||
CouldntCreateAudioCaptcha,
|
CouldntCreateAudioCaptcha,
|
||||||
InvalidUrlScheme,
|
InvalidUrlScheme,
|
||||||
CouldntSendWebmention,
|
CouldntSendWebmention,
|
||||||
|
|
|
@ -278,6 +278,11 @@ pub fn config(cfg: &mut web::ServiceConfig, rate_limit: &RateLimitCell) {
|
||||||
.wrap(rate_limit.register())
|
.wrap(rate_limit.register())
|
||||||
.route(web::post().to(login)),
|
.route(web::post().to(login)),
|
||||||
)
|
)
|
||||||
|
.service(
|
||||||
|
web::resource("/user/password_reset")
|
||||||
|
.wrap(rate_limit.register())
|
||||||
|
.route(web::post().to(reset_password)),
|
||||||
|
)
|
||||||
.service(
|
.service(
|
||||||
// Handle captcha separately
|
// Handle captcha separately
|
||||||
web::resource("/user/get_captcha")
|
web::resource("/user/get_captcha")
|
||||||
|
@ -318,7 +323,6 @@ pub fn config(cfg: &mut web::ServiceConfig, rate_limit: &RateLimitCell) {
|
||||||
// TODO Account actions. I don't like that they're in /user maybe /accounts
|
// TODO Account actions. I don't like that they're in /user maybe /accounts
|
||||||
.route("/logout", web::post().to(logout))
|
.route("/logout", web::post().to(logout))
|
||||||
.route("/delete_account", web::post().to(delete_account))
|
.route("/delete_account", web::post().to(delete_account))
|
||||||
.route("/password_reset", web::post().to(reset_password))
|
|
||||||
.route(
|
.route(
|
||||||
"/password_change",
|
"/password_change",
|
||||||
web::post().to(change_password_after_reset),
|
web::post().to(change_password_after_reset),
|
||||||
|
|
Loading…
Reference in a new issue