RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/handlers/handler_reset_password_step...

118 lines
3.2 KiB
Go
Raw Normal View History

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
package handlers
import (
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
"bytes"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"fmt"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/middlewares"
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
"github.com/authelia/authelia/v4/internal/templates"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/utils"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
)
fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important.
2022-04-08 04:13:47 +00:00
// ResetPasswordPOST handler for resetting passwords.
func ResetPasswordPOST(ctx *middlewares.AutheliaCtx) {
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
userSession := ctx.GetSession()
// Those checks unsure that the identity verification process has been initiated and completed successfully
// otherwise PasswordReset would not be set to true. We can improve the security of this check by making the
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// request expire at some point because here it only expires when the cookie expires.
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
if userSession.PasswordResetUsername == nil {
refactor(handlers): lower case error messages (#2289) * refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-17 05:53:40 +00:00
ctx.Error(fmt.Errorf("no identity verification process has been initiated"), messageUnableToResetPassword)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return
}
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
username := *userSession.PasswordResetUsername
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
var requestBody resetPasswordStep2RequestBody
err := ctx.ParseBody(&requestBody)
if err != nil {
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
ctx.Error(err, messageUnableToResetPassword)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return
}
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 00:48:26 +00:00
if err = ctx.Providers.PasswordPolicy.Check(requestBody.Password); err != nil {
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-02 22:32:57 +00:00
ctx.Error(err, messagePasswordWeak)
return
}
fix(handler): missing notification values (#3321) This ensures all template types share the same template values and display them correctly regardless if text/html/other. Fixes #3319.
2022-05-08 22:43:12 +00:00
if err = ctx.Providers.UserProvider.UpdatePassword(username, requestBody.Password); err != nil {
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 09:59:22 +00:00
switch {
feat(handlers): synology password complexity err on reset (#2083) This responds to the client with the correct error when used with Synology LDAP servers.
2021-06-16 02:50:14 +00:00
case utils.IsStringInSliceContains(err.Error(), ldapPasswordComplexityCodes),
utils.IsStringInSliceContains(err.Error(), ldapPasswordComplexityErrors):
refactor(handlers): lower case error messages (#2289) * refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-17 05:53:40 +00:00
ctx.Error(err, ldapPasswordComplexityCode)
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 09:59:22 +00:00
default:
refactor(handlers): lower case error messages (#2289) * refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-17 05:53:40 +00:00
ctx.Error(err, messageUnableToResetPassword)
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 09:59:22 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return
}
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
ctx.Logger.Debugf("Password of user %s has been reset", username)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
// Reset the request.
userSession.PasswordResetUsername = nil
fix(handler): missing notification values (#3321) This ensures all template types share the same template values and display them correctly regardless if text/html/other. Fixes #3319.
2022-05-08 22:43:12 +00:00
if err = ctx.SaveSession(userSession); err != nil {
refactor(handlers): lower case error messages (#2289) * refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-17 05:53:40 +00:00
ctx.Error(fmt.Errorf("unable to update password reset state: %s", err), messageOperationFailed)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return
}
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
// Send Notification.
userInfo, err := ctx.Providers.UserProvider.GetDetails(username)
if err != nil {
ctx.Logger.Error(err)
ctx.ReplyOK()
return
}
if len(userInfo.Emails) == 0 {
ctx.Logger.Error(fmt.Errorf("user %s has no email address configured", username))
ctx.ReplyOK()
return
}
disableHTML := false
refactor(configuration): remove ptr for duoapi and notifier (#3200) This adds to the ongoing effort to remove all pointers to structs in the configuration without breaking backwards compatibility.
2022-04-15 23:34:26 +00:00
if ctx.Configuration.Notifier.SMTP != nil {
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
disableHTML = ctx.Configuration.Notifier.SMTP.DisableHTMLEmails
}
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-07-18 00:56:09 +00:00
values := templates.EmailPasswordResetValues{
Title: "Password changed successfully",
DisplayName: userInfo.DisplayName,
RemoteIP: ctx.RemoteIP().String(),
fix(handler): missing notification values (#3321) This ensures all template types share the same template values and display them correctly regardless if text/html/other. Fixes #3319.
2022-05-08 22:43:12 +00:00
}
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
fix(notification): text emails not encoded properly (#3854) This fixes an issue where the plain text portion of emails is not encoded with quoted printable encoding.
2022-08-26 21:39:20 +00:00
bufHTML, bufText := &bytes.Buffer{}, &bytes.Buffer{}
fix(handler): missing notification values (#3321) This ensures all template types share the same template values and display them correctly regardless if text/html/other. Fixes #3319.
2022-05-08 22:43:12 +00:00
if !disableHTML {
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-07-18 00:56:09 +00:00
if err = ctx.Providers.Templates.ExecuteEmailPasswordResetTemplate(bufHTML, values, templates.HTMLFormat); err != nil {
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
ctx.Logger.Error(err)
ctx.ReplyOK()
return
}
}
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-07-18 00:56:09 +00:00
if err = ctx.Providers.Templates.ExecuteEmailPasswordResetTemplate(bufText, values, templates.PlainTextFormat); err != nil {
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
ctx.Logger.Error(err)
ctx.ReplyOK()
return
}
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-07-18 00:56:09 +00:00
addresses := userInfo.Addresses()
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
ctx.Logger.Debugf("Sending an email to user %s (%s) to inform that the password has changed.",
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-07-18 00:56:09 +00:00
username, addresses[0])
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
fix(notification): text emails not encoded properly (#3854) This fixes an issue where the plain text portion of emails is not encoded with quoted printable encoding.
2022-08-26 21:39:20 +00:00
if err = ctx.Providers.Notifier.Send(addresses[0], "Password changed successfully", bufText.Bytes(), bufHTML.Bytes()); err != nil {
feat(notification): password reset notification custom templates (#2828) Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully. Closes #2755, Closes #2756 Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 12:24:51 +00:00
ctx.Logger.Error(err)
ctx.ReplyOK()
return
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}