commit 2cc19b50aa3516f94228752e77dfa9bab3500f49
parent 45eb470a452989d3645c10fa7196428a5b2d7021
Author: n0tr1v <n0tr1v@protonmail.com>
Date: Tue, 13 Dec 2022 21:12:18 -0500
simplify code, remove unnecessary cookie
Diffstat:
4 files changed, 23 insertions(+), 31 deletions(-)
diff --git a/pkg/web/handlers/data.go b/pkg/web/handlers/data.go
@@ -111,6 +111,7 @@ type forgotPasswordData struct {
EncryptedMessage string
Code string
ErrorCode string
+ Token string
Step int64
NewPassword string
ErrorNewPassword string
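Review bot: The new `Token` field is added without a comment, so its role is only discoverable by reading the handler and template changes in the same commit. A one-liner such as `Token string // partial-recovery token, echoed back as a hidden form field in steps 2 and 3` would keep the struct self-describing. The forgotPasswordData struct starts outside this hunk.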
diff --git a/pkg/web/handlers/handlers.go b/pkg/web/handlers/handlers.go
@@ -574,10 +574,6 @@ func LogoutHandler(ctx echo.Context) error {
return ctx.Redirect(http.StatusFound, "/")
}
-func createPartialRecoveryCookie(value string) *http.Cookie {
- return hutils.CreateCookie(hutils.PartialRecoveryCookieName, value, 10*utils.OneMinuteSecs)
-}
-
func createPartialSessionCookie(value string) *http.Cookie {
return hutils.CreateCookie(hutils.PartialAuthCookieName, value, 10*utils.OneMinuteSecs)
}
@@ -1013,8 +1009,8 @@ func ForgotPasswordHandler(c echo.Context) error {
token := utils.GenerateToken32()
partialRecoveryCache.Set(token, PartialRecoveryItem{user.ID, RecoveryCaptchaCompleted}, cache1.DefaultExpiration)
- c.SetCookie(createPartialRecoveryCookie(token))
+ data.Token = token
data.Step = 2
return c.Render(http.StatusOK, "forgot-password", data)
@@ -1022,18 +1018,15 @@ func ForgotPasswordHandler(c echo.Context) error {
// Receive and validate GPG code/signature
data.Step = 2
- // Step2 is guarded by the "partial-recovery-token" cookie that must be valid
- partialRecoveryCookie, err := c.Cookie(hutils.PartialRecoveryCookieName)
- if err != nil {
- return c.Redirect(http.StatusFound, "/")
- }
- item, found := partialRecoveryCache.Get(partialRecoveryCookie.Value)
- if !found || item.Step != RecoveryCaptchaCompleted {
+ // Step2 is guarded by the "token" that must be valid
+ token := c.Request().PostFormValue("token")
+ item, found := partialRecoveryCache.Get(token)
+ if !found {
return c.Redirect(http.StatusFound, "/")
}
userID := item.UserID
- token, found := pgpTokenCache.Get(userID)
+ pgpToken, found := pgpTokenCache.Get(userID)
if !found {
return c.Redirect(http.StatusFound, "/")
}
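Review bot: The replaced guard drops the state check: the old code rejected a cached token whose item.Step was not RecoveryCaptchaCompleted, while the new `if !found {` accepts any token present in partialRecoveryCache regardless of its step; the step-3 hunk at @@ -1067,12 +1061,9 @@ drops `item.Step != RecoveryGpgValidated` in the same way. Since step 1 stores the token with RecoveryCaptchaCompleted and the same token is reused through steps 2 and 3, a token that has only passed the captcha would now satisfy the step-3 guard without the GPG validation the cache step was meant to enforce. Restore the checks: `if !found || item.Step != RecoveryCaptchaCompleted {` here and `if !found || item.Step != RecoveryGpgValidated {` in step 3. ForgotPasswordHandler starts and ends outside this hunk.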
@@ -1042,7 +1035,7 @@ func ForgotPasswordHandler(c echo.Context) error {
if data.GpgMode {
data.ToBeSignedMessage = c.Request().PostFormValue("to_be_signed_message")
data.SignedMessage = c.Request().PostFormValue("signed_message")
- if !utils.PgpCheckSignMessage(token.PKey, token.Value, data.SignedMessage) {
+ if !utils.PgpCheckSignMessage(pgpToken.PKey, pgpToken.Value, data.SignedMessage) {
data.ErrorSignedMessage = "invalid signature"
return c.Render(http.StatusOK, "forgot-password", data)
}
@@ -1050,15 +1043,16 @@ func ForgotPasswordHandler(c echo.Context) error {
} else {
data.EncryptedMessage = c.Request().PostFormValue("encrypted_message")
data.Code = c.Request().PostFormValue("pgp_code")
- if data.Code != token.Value {
+ if data.Code != pgpToken.Value {
data.ErrorCode = "invalid code"
return c.Render(http.StatusOK, "forgot-password", data)
}
}
pgpTokenCache.Delete(userID)
- partialRecoveryCache.Set(partialRecoveryCookie.Value, PartialRecoveryItem{userID, RecoveryGpgValidated}, cache1.DefaultExpiration)
+ partialRecoveryCache.Set(token, PartialRecoveryItem{userID, RecoveryGpgValidated}, cache1.DefaultExpiration)
+ data.Token = token
data.Step = 3
return c.Render(http.StatusOK, "forgot-password", data)
@@ -1067,12 +1061,9 @@ func ForgotPasswordHandler(c echo.Context) error {
data.Step = 3
// Step3 is guarded by the "partial-recovery-token" cookie that must be valid
- partialRecoveryCookie, err := c.Cookie(hutils.PartialRecoveryCookieName)
- if err != nil {
- return c.Redirect(http.StatusFound, "/")
- }
- item, found := partialRecoveryCache.Get(partialRecoveryCookie.Value)
- if !found || item.Step != RecoveryGpgValidated {
+ token := c.Request().PostFormValue("token")
+ item, found := partialRecoveryCache.Get(token)
+ if !found {
return c.Redirect(http.StatusFound, "/")
}
userID := item.UserID
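Review bot: The context comment just above the new guard still reads `// Step3 is guarded by the "partial-recovery-token" cookie that must be valid`, but this commit removes that cookie and reads the token from the form body instead, so the comment now describes a mechanism that no longer exists. Update it to `// Step3 is guarded by the "token" form value that must be valid`, matching the wording this commit chose for step 2. ForgotPasswordHandler starts and ends outside this hunk.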
@@ -1097,8 +1088,7 @@ func ForgotPasswordHandler(c echo.Context) error {
}
database.CreateSecurityLog(user.ID, database.PasswordRecoverySecurityLog)
- partialRecoveryCache.Delete(partialRecoveryCookie.Value)
- c.SetCookie(hutils.DeleteCookie(hutils.PartialRecoveryCookieName))
+ partialRecoveryCache.Delete(token)
return c.Render(http.StatusFound, "flash", FlashResponse{Message: "Password reset done", Redirect: "/login"})
}
diff --git a/pkg/web/handlers/utils/utils.go b/pkg/web/handlers/utils/utils.go
@@ -14,13 +14,12 @@ import (
)
const (
- HBCookieName = "dkft" // dkf troll
- SignupCookieName = "signup-token"
- AuthCookieName = "auth-token"
- PartialAuthCookieName = "partial-auth-token"
- PartialRecoveryCookieName = "partial-recovery-token"
- AprilFoolCookieName = "april_fool"
- ByteRoadCookieName = "challenge_byte_road_session"
+ HBCookieName = "dkft" // dkf troll
+ SignupCookieName = "signup-token"
+ AuthCookieName = "auth-token"
+ PartialAuthCookieName = "partial-auth-token"
+ AprilFoolCookieName = "april_fool"
+ ByteRoadCookieName = "challenge_byte_road_session"
)
var AccountTooYoungErr = errors.New("account must be at least 3 days old")
diff --git a/pkg/web/public/views/pages/forgot-password.gohtml b/pkg/web/public/views/pages/forgot-password.gohtml
@@ -115,6 +115,7 @@
{{ else if eq .Data.Step 2 }}
<form autocomplete="on" method="post">
<input type="hidden" name="csrf" value="{{ .CSRF }}" />
+ <input type="hidden" name="token" value="{{ .Data.Token }}" />
<input type="hidden" name="form_name" value="step2" />
<input type="hidden" name="gpg_mode" value="{{ .Data.GpgMode }}" />
<fieldset>
@@ -163,6 +164,7 @@
{{ else if eq .Data.Step 3 }}
<form autocomplete="on" method="post">
<input type="hidden" name="csrf" value="{{ .CSRF }}" />
+ <input type="hidden" name="token" value="{{ .Data.Token }}" />
<input type="hidden" name="form_name" value="step3" />
<fieldset>
<div class="row">