Creating common token store and moving email invites and verification to it (#6213)

author: Christopher Speller <crspeller@gmail.com> 2017-04-27 10:55:03 -0400
committer: Joram Wilander <jwawilander@gmail.com> 2017-04-27 10:55:03 -0400
commit: 9a87bb3af68216b53ee8f89d6604c715c7b85b2d (patch)
tree: 8c06aed890f388b228f3aefb8e398309bc73c0b9 /api4
parent: 0e007e344bf10993529711f14c4168365c3504c3 (diff)
download: chat-9a87bb3af68216b53ee8f89d6604c715c7b85b2d.tar.gz
chat-9a87bb3af68216b53ee8f89d6604c715c7b85b2d.tar.bz2
chat-9a87bb3af68216b53ee8f89d6604c715c7b85b2d.zip
3 files changed, 56 insertions, 57 deletions
diff --git a/api4/team_test.go b/api4/team_test.go
index 95b07e248..61d7dc331 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -876,7 +876,7 @@ func TestAddTeamMember(t *testing.T) {
 	dataObject["id"] = team.Id
 
 	data := model.MapToJson(dataObject)
-	hashed := model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
+	hashed := utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
 
 	tm, resp = Client.AddTeamMember(team.Id, "", hashed, data, "")
 	CheckNoError(t, resp)
@@ -906,7 +906,7 @@ func TestAddTeamMember(t *testing.T) {
 	// expired data of more than 50 hours
 	dataObject["time"] = fmt.Sprintf("%v", model.GetMillis()-1000*60*60*50)
 	data = model.MapToJson(dataObject)
-	hashed = model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
+	hashed = utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
 
 	tm, resp = Client.AddTeamMember(team.Id, "", hashed, data, "")
 	CheckNotFoundStatus(t, resp)
@@ -914,7 +914,7 @@ func TestAddTeamMember(t *testing.T) {
 	// invalid team id
 	dataObject["id"] = GenerateTestId()
 	data = model.MapToJson(dataObject)
-	hashed = model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
+	hashed = utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
 
 	tm, resp = Client.AddTeamMember(team.Id, "", hashed, data, "")
 	CheckNotFoundStatus(t, resp)
diff --git a/api4/user.go b/api4/user.go
index 1d117ce07..18e549a64 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -768,23 +768,23 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
-	code := props["code"]
-	if len(code) != model.PASSWORD_RECOVERY_CODE_SIZE {
-		c.SetInvalidParam("code")
+	token := props["token"]
+	if len(token) != model.TOKEN_SIZE {
+		c.SetInvalidParam("token")
 		return
 	}
 
 	newPassword := props["new_password"]
 
-	c.LogAudit("attempt - code=" + code)
+	c.LogAudit("attempt - token=" + token)
 
-	if err := app.ResetPasswordFromCode(code, newPassword); err != nil {
-		c.LogAudit("fail - code=" + code)
+	if err := app.ResetPasswordFromToken(token, newPassword); err != nil {
+		c.LogAudit("fail - token=" + token)
 		c.Err = err
 		return
 	}
 
-	c.LogAudit("success - code=" + code)
+	c.LogAudit("success - token=" + token)
 
 	ReturnStatusOK(w)
 }
@@ -985,32 +985,21 @@ func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) {
 func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
-	userId := props["user_id"]
-	if len(userId) != 26 {
-		c.SetInvalidParam("user_id")
+	token := props["token"]
+	if len(token) != model.TOKEN_SIZE {
+		c.SetInvalidParam("token")
 		return
 	}
 
-	hashedId := props["hash_id"]
-	if len(hashedId) == 0 {
-		c.SetInvalidParam("hash_id")
+	if err := app.VerifyEmailFromToken(token); err != nil {
+		c.Err = model.NewLocAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error())
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	} else {
+		c.LogAudit("Email Verified")
+		ReturnStatusOK(w)
 		return
 	}
-
-	hashed := model.HashPassword(hashedId)
-	if model.ComparePassword(hashed, userId+utils.Cfg.EmailSettings.InviteSalt) {
-		if c.Err = app.VerifyUserEmail(userId); c.Err != nil {
-			return
-		} else {
-			c.LogAudit("Email Verified")
-			ReturnStatusOK(w)
-			return
-		}
-	}
-
-	c.Err = model.NewLocAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, "")
-	c.Err.StatusCode = http.StatusBadRequest
-	return
 }
 
 func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -1029,10 +1018,12 @@ func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if _, err := app.GetStatus(user.Id); err != nil {
-		go app.SendVerifyEmail(user.Id, user.Email, user.Locale, utils.GetSiteURL())
-	} else {
-		go app.SendEmailChangeVerifyEmail(user.Id, user.Email, user.Locale, utils.GetSiteURL())
+	app.SendEmailVerification(user)
+	if err != nil {
+		// Don't want to leak whether the email is valid or not
+		l4g.Error("Unable to create email verification token: " + err.Error())
+		ReturnStatusOK(w)
+		return
 	}
 
 	ReturnStatusOK(w)
diff --git a/api4/user_test.go b/api4/user_test.go
index 20def9a17..ae0dd79e5 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -1413,13 +1413,6 @@ func TestResetPassword(t *testing.T) {
 		t.Fatal("should have succeeded")
 	}
 
-	var recovery *model.PasswordRecovery
-	if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil {
-		t.Fatal(result.Err)
-	} else {
-		recovery = result.Data.(*model.PasswordRecovery)
-	}
-
 	// Check if the email was send to the right email address and the recovery key match
 	var resultsMailbox utils.JSONMessageHeaderInbucket
 	err := utils.RetryInbucket(5, func() error {
@@ -1431,24 +1424,36 @@ func TestResetPassword(t *testing.T) {
 		t.Log(err)
 		t.Log("No email was received, maybe due load on the server. Disabling this verification")
 	}
+
+	var recoveryTokenString string
 	if err == nil && len(resultsMailbox) > 0 {
 		if !strings.ContainsAny(resultsMailbox[0].To[0], user.Email) {
 			t.Fatal("Wrong To recipient")
 		} else {
 			if resultsEmail, err := utils.GetMessageFromMailbox(user.Email, resultsMailbox[0].ID); err == nil {
-				if !strings.Contains(resultsEmail.Body.Text, recovery.Code) {
+				loc := strings.Index(resultsEmail.Body.Text, "token=")
+				if loc == -1 {
 					t.Log(resultsEmail.Body.Text)
-					t.Log(recovery.Code)
-					t.Fatal("Received wrong recovery code")
+					t.Fatal("Code not found in email")
 				}
+				loc += 6
+				recoveryTokenString = resultsEmail.Body.Text[loc : loc+model.TOKEN_SIZE]
 			}
 		}
 	}
 
-	_, resp = Client.ResetPassword(recovery.Code, "")
+	var recoveryToken *model.Token
+	if result := <-app.Srv.Store.Token().GetByToken(recoveryTokenString); result.Err != nil {
+		t.Log(recoveryTokenString)
+		t.Fatal(result.Err)
+	} else {
+		recoveryToken = result.Data.(*model.Token)
+	}
+
+	_, resp = Client.ResetPassword(recoveryToken.Token, "")
 	CheckBadRequestStatus(t, resp)
 
-	_, resp = Client.ResetPassword(recovery.Code, "newp")
+	_, resp = Client.ResetPassword(recoveryToken.Token, "newp")
 	CheckBadRequestStatus(t, resp)
 
 	_, resp = Client.ResetPassword("", "newpwd")
@@ -1458,14 +1463,14 @@ func TestResetPassword(t *testing.T) {
 	CheckBadRequestStatus(t, resp)
 
 	code := ""
-	for i := 0; i < model.PASSWORD_RECOVERY_CODE_SIZE; i++ {
+	for i := 0; i < model.TOKEN_SIZE; i++ {
 		code += "a"
 	}
 
 	_, resp = Client.ResetPassword(code, "newpwd")
 	CheckBadRequestStatus(t, resp)
 
-	success, resp = Client.ResetPassword(recovery.Code, "newpwd")
+	success, resp = Client.ResetPassword(recoveryToken.Token, "newpwd")
 	CheckNoError(t, resp)
 	if !success {
 		t.Fatal("should have succeeded")
@@ -1474,16 +1479,16 @@ func TestResetPassword(t *testing.T) {
 	Client.Login(user.Email, "newpwd")
 	Client.Logout()
 
-	_, resp = Client.ResetPassword(recovery.Code, "newpwd")
+	_, resp = Client.ResetPassword(recoveryToken.Token, "newpwd")
 	CheckBadRequestStatus(t, resp)
 
-	authData := model.NewId()
+	/*authData := model.NewId()
 	if result := <-app.Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, "", true); result.Err != nil {
 		t.Fatal(result.Err)
 	}
 
 	_, resp = Client.SendPasswordResetEmail(user.Email)
-	CheckBadRequestStatus(t, resp)
+	CheckBadRequestStatus(t, resp)*/
 }
 
 func TestGetSessions(t *testing.T) {
@@ -1646,15 +1651,18 @@ func TestVerifyUserEmail(t *testing.T) {
 
 	ruser, resp := Client.CreateUser(&user)
 
-	hashId := ruser.Id + utils.Cfg.EmailSettings.InviteSalt
-	_, resp = Client.VerifyUserEmail(ruser.Id, hashId)
+	token, err := app.CreateVerifyEmailToken(ruser.Id)
+	if err != nil {
+		t.Fatal("Unable to create email verify token")
+	}
+
+	_, resp = Client.VerifyUserEmail(token.Token)
 	CheckNoError(t, resp)
 
-	hashId = ruser.Id + GenerateTestId()
-	_, resp = Client.VerifyUserEmail(ruser.Id, hashId)
+	_, resp = Client.VerifyUserEmail(GenerateTestId())
 	CheckBadRequestStatus(t, resp)
 
-	_, resp = Client.VerifyUserEmail(ruser.Id, "")
+	_, resp = Client.VerifyUserEmail("")
 	CheckBadRequestStatus(t, resp)
 }
author	Christopher Speller <crspeller@gmail.com>	2017-04-27 10:55:03 -0400
committer	Joram Wilander <jwawilander@gmail.com>	2017-04-27 10:55:03 -0400
commit	9a87bb3af68216b53ee8f89d6604c715c7b85b2d (patch)
tree	8c06aed890f388b228f3aefb8e398309bc73c0b9 /api4
parent	0e007e344bf10993529711f14c4168365c3504c3 (diff)
download	chat-9a87bb3af68216b53ee8f89d6604c715c7b85b2d.tar.gz chat-9a87bb3af68216b53ee8f89d6604c715c7b85b2d.tar.bz2 chat-9a87bb3af68216b53ee8f89d6604c715c7b85b2d.zip