Implement password reset endpoints for APIv4 (#5256)

2 files changed, 138 insertions, 3 deletions

diff --git a/api4/user.go b/api4/user.go
index 56cfc5d90..348ccf46c 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -24,6 +24,8 @@ func InitUser() {
 	BaseRoutes.User.Handle("", ApiSessionRequired(deleteUser)).Methods("DELETE")
 	BaseRoutes.User.Handle("/roles", ApiSessionRequired(updateUserRoles)).Methods("PUT")
 	BaseRoutes.User.Handle("/password", ApiSessionRequired(updatePassword)).Methods("PUT")
+	BaseRoutes.Users.Handle("/password/reset", ApiHandler(resetPassword)).Methods("POST")
+	BaseRoutes.Users.Handle("/password/reset/send", ApiHandler(sendPasswordReset)).Methods("POST")
 
 	BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST")
 	BaseRoutes.Users.Handle("/logout", ApiHandler(logout)).Methods("POST")
@@ -224,7 +226,7 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func deleteUser(c *Context, w http.ResponseWriter, r *http.Request){
+func deleteUser(c *Context, w http.ResponseWriter, r *http.Request) {
 	c.RequireUserId()
 	if c.Err != nil {
 		return
@@ -236,7 +238,7 @@ func deleteUser(c *Context, w http.ResponseWriter, r *http.Request){
 		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
 		return
 	}
-	
+
 	var user *model.User
 	var err *model.AppError
 
@@ -247,7 +249,7 @@ func deleteUser(c *Context, w http.ResponseWriter, r *http.Request){
 
 	if _, err := app.UpdateActive(user, false); err != nil {
 		c.Err = err
-		return	
+		return
 	}
 
 	ReturnStatusOK(w)
@@ -319,6 +321,49 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
+	props := model.MapFromJson(r.Body)
+
+	code := props["code"]
+	if len(code) != model.PASSWORD_RECOVERY_CODE_SIZE {
+		c.SetInvalidParam("code")
+		return
+	}
+
+	newPassword := props["new_password"]
+
+	c.LogAudit("attempt - code=" + code)
+
+	if err := app.ResetPasswordFromCode(code, newPassword, c.GetSiteURL()); err != nil {
+		c.LogAudit("fail - code=" + code)
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("success - code=" + code)
+
+	ReturnStatusOK(w)
+}
+
+func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
+	props := model.MapFromJson(r.Body)
+
+	email := props["email"]
+	if len(email) == 0 {
+		c.SetInvalidParam("email")
+		return
+	}
+
+	if sent, err := app.SendPasswordReset(email, c.GetSiteURL()); err != nil {
+		c.Err = err
+		return
+	} else if sent {
+		c.LogAudit("sent=" + email)
+	}
+
+	ReturnStatusOK(w)
+}
+
 func login(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
diff --git a/api4/user_test.go b/api4/user_test.go
index bf4612635..37f251c6d 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -6,8 +6,10 @@ package api4
 import (
 	"net/http"
 	"strconv"
+	"strings"
 	"testing"
 
+	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
 )
@@ -581,3 +583,91 @@ func TestUpdateUserPassword(t *testing.T) {
 	_, resp = Client.Login(th.BasicUser.Email, adminSetPassword)
 	CheckNoError(t, resp)
 }
+
+func TestResetPassword(t *testing.T) {
+	th := Setup().InitBasic()
+	Client := th.Client
+
+	Client.Logout()
+
+	user := th.BasicUser
+
+	// Delete all the messages before check the reset password
+	utils.DeleteMailBox(user.Email)
+
+	success, resp := Client.SendPasswordResetEmail(user.Email)
+	CheckNoError(t, resp)
+	if !success {
+		t.Fatal("should have succeeded")
+	}
+
+	_, resp = Client.SendPasswordResetEmail("")
+	CheckBadRequestStatus(t, resp)
+
+	// Should not leak whether the email is attached to an account or not
+	success, resp = Client.SendPasswordResetEmail("notreal@example.com")
+	CheckNoError(t, resp)
+	if !success {
+		t.Fatal("should have succeeded")
+	}
+
+	var recovery *model.PasswordRecovery
+	if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil {
+		t.Fatal(result.Err)
+	} else {
+		recovery = result.Data.(*model.PasswordRecovery)
+	}
+
+	// Check if the email was send to the right email address and the recovery key match
+	if resultsMailbox, err := utils.GetMailBox(user.Email); err != nil && !strings.ContainsAny(resultsMailbox[0].To[0], user.Email) {
+		t.Fatal("Wrong To recipient")
+	} else {
+		if resultsEmail, err := utils.GetMessageFromMailbox(user.Email, resultsMailbox[0].ID); err == nil {
+			if !strings.Contains(resultsEmail.Body.Text, recovery.Code) {
+				t.Log(resultsEmail.Body.Text)
+				t.Log(recovery.Code)
+				t.Fatal("Received wrong recovery code")
+			}
+		}
+	}
+
+	_, resp = Client.ResetPassword(recovery.Code, "")
+	CheckBadRequestStatus(t, resp)
+
+	_, resp = Client.ResetPassword(recovery.Code, "newp")
+	CheckBadRequestStatus(t, resp)
+
+	_, resp = Client.ResetPassword("", "newpwd")
+	CheckBadRequestStatus(t, resp)
+
+	_, resp = Client.ResetPassword("junk", "newpwd")
+	CheckBadRequestStatus(t, resp)
+
+	code := ""
+	for i := 0; i < model.PASSWORD_RECOVERY_CODE_SIZE; i++ {
+		code += "a"
+	}
+
+	_, resp = Client.ResetPassword(code, "newpwd")
+	CheckBadRequestStatus(t, resp)
+
+	success, resp = Client.ResetPassword(recovery.Code, "newpwd")
+	CheckNoError(t, resp)
+	if !success {
+		t.Fatal("should have succeeded")
+	}
+
+	Client.Login(user.Email, "newpwd")
+	Client.Logout()
+
+	_, resp = Client.ResetPassword(recovery.Code, "newpwd")
+	CheckBadRequestStatus(t, resp)
+
+	authData := model.NewId()
+	if result := <-app.Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, "", true); result.Err != nil {
+		t.Fatal(result.Err)
+	}
+
+	_, resp = Client.SendPasswordResetEmail(user.Email)
+	CheckBadRequestStatus(t, resp)
+}