From 9a87bb3af68216b53ee8f89d6604c715c7b85b2d Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Thu, 27 Apr 2017 10:55:03 -0400 Subject: Creating common token store and moving email invites and verification to it (#6213) --- api/oauth_test.go | 13 +++++++------ api/user.go | 17 ++++++++-------- api/user_test.go | 58 +++++++++++++++++++++++++++---------------------------- 3 files changed, 44 insertions(+), 44 deletions(-) (limited to 'api') diff --git a/api/oauth_test.go b/api/oauth_test.go index 014facb44..3d71d8e90 100644 --- a/api/oauth_test.go +++ b/api/oauth_test.go @@ -5,16 +5,17 @@ package api import ( "encoding/base64" - "github.com/mattermost/platform/app" - "github.com/mattermost/platform/einterfaces" - "github.com/mattermost/platform/model" - "github.com/mattermost/platform/utils" "io" "io/ioutil" "net/http" "net/url" "strings" "testing" + + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/einterfaces" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" ) func TestOAuthRegisterApp(t *testing.T) { @@ -735,7 +736,7 @@ func TestOAuthComplete(t *testing.T) { closeBody(r) } - stateProps["hash"] = model.HashPassword(utils.Cfg.GitLabSettings.Id) + stateProps["hash"] = utils.HashSha256(utils.Cfg.GitLabSettings.Id) state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps))) if r, err := HttpGet(Client.Url+"/login/gitlab/complete?code=123&state="+url.QueryEscape(state), Client.HttpClient, "", true); err == nil { t.Fatal("should have failed - no connection") @@ -771,7 +772,7 @@ func TestOAuthComplete(t *testing.T) { stateProps["action"] = model.OAUTH_ACTION_EMAIL_TO_SSO delete(stateProps, "team_id") stateProps["redirect_to"] = utils.Cfg.GitLabSettings.AuthEndpoint - stateProps["hash"] = model.HashPassword(utils.Cfg.GitLabSettings.Id) + stateProps["hash"] = utils.HashSha256(utils.Cfg.GitLabSettings.Id) stateProps["redirect_to"] = "/oauth/authorize" state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps))) if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil { diff --git a/api/user.go b/api/user.go index 8b32dff36..eb249cb39 100644 --- a/api/user.go +++ b/api/user.go @@ -34,8 +34,8 @@ func InitUser() { BaseRoutes.Users.Handle("/logout", ApiAppHandler(logout)).Methods("POST") BaseRoutes.Users.Handle("/revoke_session", ApiUserRequired(revokeSession)).Methods("POST") BaseRoutes.Users.Handle("/attach_device", ApiUserRequired(attachDeviceId)).Methods("POST") - BaseRoutes.Users.Handle("/verify_email", ApiAppHandler(verifyEmail)).Methods("POST") - BaseRoutes.Users.Handle("/resend_verification", ApiAppHandler(resendVerification)).Methods("POST") + //DEPRICATED FOR SECURITY USE APIV4 BaseRoutes.Users.Handle("/verify_email", ApiAppHandler(verifyEmail)).Methods("POST") + //DEPRICATED FOR SECURITY USE APIV4 BaseRoutes.Users.Handle("/resend_verification", ApiAppHandler(resendVerification)).Methods("POST") BaseRoutes.Users.Handle("/newimage", ApiUserRequired(uploadProfileImage)).Methods("POST") BaseRoutes.Users.Handle("/me", ApiUserRequired(getMe)).Methods("GET") BaseRoutes.Users.Handle("/initial_load", ApiAppHandler(getInitialLoad)).Methods("GET") @@ -767,22 +767,22 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) code := props["code"] - if len(code) != model.PASSWORD_RECOVERY_CODE_SIZE { + if len(code) != model.TOKEN_SIZE { c.SetInvalidParam("resetPassword", "code") return } newPassword := props["new_password"] - c.LogAudit("attempt - code=" + code) + c.LogAudit("attempt - token=" + code) - if err := app.ResetPasswordFromCode(code, newPassword); err != nil { - c.LogAudit("fail - code=" + code) + if err := app.ResetPasswordFromToken(code, newPassword); err != nil { + c.LogAudit("fail - token=" + code) c.Err = err return } - c.LogAudit("success - code=" + code) + c.LogAudit("success - token=" + code) rdata := map[string]string{} rdata["status"] = "ok" @@ -992,6 +992,7 @@ func ldapToEmail(c *Context, w http.ResponseWriter, r *http.Request) { w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link}))) } +/* Disabling for security reasons. Use apiv4 func verifyEmail(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) @@ -1039,7 +1040,7 @@ func resendVerification(c *Context, w http.ResponseWriter, r *http.Request) { go app.SendEmailChangeVerifyEmail(user.Id, user.Email, user.Locale, utils.GetSiteURL()) } } -} +}*/ func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) { secret, err := app.GenerateMfaSecret(c.Session.UserId) diff --git a/api/user_test.go b/api/user_test.go index 5e7db1248..d9234d356 100644 --- a/api/user_test.go +++ b/api/user_test.go @@ -184,7 +184,7 @@ func TestLogin(t *testing.T) { props["display_name"] = rteam2.Data.(*model.Team).DisplayName props["time"] = fmt.Sprintf("%v", model.GetMillis()) data := model.MapToJson(props) - hash := model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) + hash := utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) ruser2, err := Client.CreateUserFromSignup(&user2, data, hash) if err != nil { @@ -1316,13 +1316,6 @@ func TestResetPassword(t *testing.T) { Client.Must(Client.SendPasswordReset(user.Email)) - var recovery *model.PasswordRecovery - if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil { - t.Fatal(result.Err) - } else { - recovery = result.Data.(*model.PasswordRecovery) - } - //Check if the email was send to the rigth email address and the recovery key match var resultsMailbox utils.JSONMessageHeaderInbucket err := utils.RetryInbucket(5, func() error { @@ -1335,25 +1328,42 @@ func TestResetPassword(t *testing.T) { t.Log("No email was received, maybe due load on the server. Disabling this verification") } + var recoveryTokenString string if err == nil && len(resultsMailbox) > 0 { if !strings.ContainsAny(resultsMailbox[0].To[0], user.Email) { t.Fatal("Wrong To recipient") } else { if resultsEmail, err := utils.GetMessageFromMailbox(user.Email, resultsMailbox[0].ID); err == nil { - if !strings.Contains(resultsEmail.Body.Text, recovery.Code) { + loc := strings.Index(resultsEmail.Body.Text, "token=") + if loc == -1 { + t.Log(recoveryTokenString) t.Log(resultsEmail.Body.Text) - t.Log(recovery.Code) - t.Fatal("Received wrong recovery code") + t.Fatal("Code not found in email") } + loc += 6 + recoveryTokenString = resultsEmail.Body.Text[loc : loc+model.TOKEN_SIZE] + t.Log(resultsEmail.Body.Text) } } } - if _, err := Client.ResetPassword(recovery.Code, ""); err == nil { + var recoveryToken *model.Token + if result := <-app.Srv.Store.Token().GetByToken(recoveryTokenString); result.Err != nil { + t.Log(recoveryTokenString) + t.Fatal(result.Err) + } else { + recoveryToken = result.Data.(*model.Token) + } + + if recoveryToken.Token != recoveryTokenString { + t.Fatal("Did not send the correct token. DB: "+recoveryToken.Token, " Sent: "+recoveryTokenString) + } + + if _, err := Client.ResetPassword(recoveryToken.Token, ""); err == nil { t.Fatal("Should have errored - no password") } - if _, err := Client.ResetPassword(recovery.Code, "newp"); err == nil { + if _, err := Client.ResetPassword(recoveryToken.Token, "newp"); err == nil { t.Fatal("Should have errored - password too short") } @@ -1366,38 +1376,26 @@ func TestResetPassword(t *testing.T) { } code := "" - for i := 0; i < model.PASSWORD_RECOVERY_CODE_SIZE; i++ { + for i := 0; i < model.TOKEN_SIZE; i++ { code += "a" } if _, err := Client.ResetPassword(code, "newpwd1"); err == nil { t.Fatal("Should have errored - bad code") } - if _, err := Client.ResetPassword(recovery.Code, "newpwd1"); err != nil { - t.Log(recovery.Code) + if _, err := Client.ResetPassword(recoveryToken.Token, "newpwd1"); err != nil { + t.Log(recoveryToken.Token) t.Fatal(err) } - Client.Logout() - Client.Must(Client.LoginById(user.Id, "newpwd1")) - Client.SetTeamId(team.Id) - - Client.Must(Client.SendPasswordReset(user.Email)) - - if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil { - t.Fatal(result.Err) - } else { - recovery = result.Data.(*model.PasswordRecovery) - } - - authData := model.NewId() + /*authData := model.NewId() if result := <-app.Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, "", true); result.Err != nil { t.Fatal(result.Err) } if _, err := Client.ResetPassword(recovery.Code, "newpwd1"); err == nil { t.Fatal("Should have errored - sso user") - } + }*/ } func TestUserUpdateNotify(t *testing.T) { -- cgit v1.2.3-1-g7c22