authelia/internal/handlers/handler_reset_password_step...

package handlers

import (
	"encoding/json"
	"fmt"
	"time"

	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/session"
)

func identityRetrieverFromStorage(ctx *middlewares.AutheliaCtx) (*session.Identity, error) {
	var requestBody resetPasswordStep1RequestBody
	err := json.Unmarshal(ctx.PostBody(), &requestBody)

	if err != nil {
		return nil, err
	}

	details, err := ctx.Providers.UserProvider.GetDetails(requestBody.Username)

	if err != nil {
		return nil, err
	}

	if len(details.Emails) == 0 {
		return nil, fmt.Errorf("user %s has no email address configured", requestBody.Username)
	}

	return &session.Identity{
		Username:    requestBody.Username,
		DisplayName: details.DisplayName,
		Email:       details.Emails[0],
	}, nil
}

// ResetPasswordIdentityStart the handler for initiating the identity validation for resetting a password.
// We need to ensure the attacker cannot perform user enumeration by always replying with 200 whatever what happens in backend.
var ResetPasswordIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{
	MailTitle:             "Reset your password",
	MailButtonContent:     "Reset",
	TargetEndpoint:        "/reset-password/step2",
	ActionClaim:           ActionResetPassword,
	IdentityRetrieverFunc: identityRetrieverFromStorage,
}, middlewares.TimingAttackDelay(10, 250, 85, time.Millisecond*500, false))

func resetPasswordIdentityFinish(ctx *middlewares.AutheliaCtx, username string) {
	var (
		userSession session.UserSession
		err         error
	)

	if userSession, err = ctx.GetSession(); err != nil {
		ctx.Logger.Errorf("Unable to get session to clear password reset flag in session for user %s: %s", userSession.Username, err)
	}

	// TODO(c.michaud): use JWT tokens to expire the request in only few seconds for better security.
	userSession.PasswordResetUsername = &username

	if err = ctx.SaveSession(userSession); err != nil {
		ctx.Logger.Errorf("Unable to clear password reset flag in session for user %s: %s", userSession.Username, err)
	}

	ctx.ReplyOK()
}

// ResetPasswordIdentityFinish the handler for finishing the identity validation.
var ResetPasswordIdentityFinish = middlewares.IdentityVerificationFinish(
	middlewares.IdentityVerificationFinishArgs{ActionClaim: ActionResetPassword}, resetPasswordIdentityFinish)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package handlers`

			`import (`
			`"encoding/json"`
			`"fmt"`
fix(middlewares): smart delay on reset password (#2767) This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func. 2022-01-20 23:46:13 +00:00			`"time"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/middlewares"`
			`"github.com/authelia/authelia/v4/internal/session"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`func identityRetrieverFromStorage(ctx middlewares.AutheliaCtx) (session.Identity, error) {`
			`var requestBody resetPasswordStep1RequestBody`
			`err := json.Unmarshal(ctx.PostBody(), &requestBody)`

			`if err != nil {`
			`return nil, err`
			`}`

			`details, err := ctx.Providers.UserProvider.GetDetails(requestBody.Username)`

			`if err != nil {`
			`return nil, err`
			`}`

			`if len(details.Emails) == 0 {`
refactor(handlers): lower case error messages (#2289) * refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2021-09-17 05:53:40 +00:00			`return nil, fmt.Errorf("user %s has no email address configured", requestBody.Username)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`return &session.Identity{`
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-03 12:24:51 +00:00			`Username: requestBody.Username,`
			`DisplayName: details.DisplayName,`
fix(notification): missing display name (#4653) 2022-12-26 23:54:58 +00:00			`Email: details.Emails[0],`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}, nil`
			`}`

			`// ResetPasswordIdentityStart the handler for initiating the identity validation for resetting a password.`
Misc Spelling Corrections - Mostly changes to spelling of comments/docs/displayed text - A few changes to test function names 2020-01-21 00:10:00 +00:00			`// We need to ensure the attacker cannot perform user enumeration by always replying with 200 whatever what happens in backend.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`var ResetPasswordIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{`
			`MailTitle: "Reset your password",`
			`MailButtonContent: "Reset",`
Rewrite authelia frontend to improve user experience. This refactoring simplify the code of the frontend and prepare the portal for receiving a user settings page and an admin page. 2019-11-18 23:37:36 +00:00			`TargetEndpoint: "/reset-password/step2",`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`ActionClaim: ActionResetPassword,`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`IdentityRetrieverFunc: identityRetrieverFromStorage,`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}, middlewares.TimingAttackDelay(10, 250, 85, time.Millisecond*500, false))`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`func resetPasswordIdentityFinish(ctx *middlewares.AutheliaCtx, username string) {`
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`var (`
			`userSession session.UserSession`
			`err error`
			`)`

			`if userSession, err = ctx.GetSession(); err != nil {`
			`ctx.Logger.Errorf("Unable to get session to clear password reset flag in session for user %s: %s", userSession.Username, err)`
			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// TODO(c.michaud): use JWT tokens to expire the request in only few seconds for better security.`
			`userSession.PasswordResetUsername = &username`
[MISC] Refactor and address most errcheck linter ignores (#1511) * [MISC] Refactor and address most errcheck linter ignores This is mostly a quality of life change. When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track. * Handle errors for regulation marks and remove unnecessary logging 2020-12-16 01:47:31 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`if err = ctx.SaveSession(userSession); err != nil {`
[MISC] Refactor and address most errcheck linter ignores (#1511) * [MISC] Refactor and address most errcheck linter ignores This is mostly a quality of life change. When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track. * Handle errors for regulation marks and remove unnecessary logging 2020-12-16 01:47:31 +00:00			`ctx.Logger.Errorf("Unable to clear password reset flag in session for user %s: %s", userSession.Username, err)`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`ctx.ReplyOK()`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

Misc Spelling Corrections - Mostly changes to spelling of comments/docs/displayed text - A few changes to test function names 2020-01-21 00:10:00 +00:00			`// ResetPasswordIdentityFinish the handler for finishing the identity validation.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`var ResetPasswordIdentityFinish = middlewares.IdentityVerificationFinish(`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`middlewares.IdentityVerificationFinishArgs{ActionClaim: ActionResetPassword}, resetPasswordIdentityFinish)`