
commit 2fdf1164d06d373ee7403cae57f7256c66d01ea2
parent 3f16122a6013511c63448fc6f947fcfcffa4e02d
Author: n0tr1v <n0tr1v@protonmail.com>
Date:   Sun,  4 Dec 2022 22:40:38 -0500

add doc

Diffstat:
Mpkg/web/handlers/handlers.go | 14++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/web/handlers/handlers.go b/pkg/web/handlers/handlers.go
@@ -927,8 +927,18 @@ func validateCaptcha(c echo.Context) error {
 	return nil
 }
 
-var partialRecoveryCache = cache1.New[database.UserID](10*time.Minute, time.Hour)
-var partialRecovery2Cache = cache1.New[database.UserID](10*time.Minute, time.Hour)
+// Password recovery flow has 3 steps
+// 1- Ask for username & captcha & gpg method
+// 2- Validate gpg token/signature
+// 3- Reset password
+// Since the user is not authenticated in any of these steps, we need to guard each steps and ensure the user can access it legitimately.
+// partialRecoveryCache keeps track of users that can access step 2 (captcha was completed)
+// partialRecovery2Cache keeps track of users that can access step 3 (gpg token/sign validated)
+// Note: We cannot reuse the same cache, as a user could complete the captcha and hardcode the request to step 3 directly.
+var (
+	partialRecoveryCache = cache1.New[database.UserID](10*time.Minute, time.Hour)
+	partialRecovery2Cache = cache1.New[database.UserID](10*time.Minute, time.Hour)
+)
 
 func generateCaptchaCssFrames(captchaSec int64) (frames []string) {
 	step := 100.0 / float64(captchaSec)
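Review bot: The new comment above the `var (` block explains why two caches are needed but not the lifecycle of an entry, which is the part a maintainer needs to keep the step-skipping guard intact: the declarations only show a `database.UserID` type parameter and a 10-minute expiry, so it is not stated whether the step-2 and step-3 handlers delete the entry once the step succeeds or whether a completed captcha (or validated GPG token) remains usable for the whole 10 minutes. I would add a line such as `// Entries expire after 10 minutes; the handler for the next step should delete the entry on success so a completed step cannot be replayed within the TTL.` (worded to match what the handlers actually do; they are outside this hunk and I could not confirm it). Two wording fixes in the same comment: `guard each steps` → `guard each step`, and `hardcode the request to step 3 directly` → `send a crafted request directly to step 3`. The handlers that read and write these caches lie outside the hunk, so nothing here confirms that entries are consumed.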