From 15bc05b3d47d9cc941433a78146c92dec9e0c104 Mon Sep 17 00:00:00 2001 From: ntr Date: Thu, 9 Jan 2020 16:33:19 +1000 Subject: [PATCH] remove current password requirement so you can change pw after recovery --- client/src/components/account.top.jsx | 22 ++++------- server/src/account.rs | 54 +++++++++++++-------------- server/src/http.rs | 4 +- server/src/mail.rs | 8 ++-- 4 files changed, 40 insertions(+), 48 deletions(-) diff --git a/client/src/components/account.top.jsx b/client/src/components/account.top.jsx index b2500d62..eb4acec0 100644 --- a/client/src/components/account.top.jsx +++ b/client/src/components/account.top.jsx @@ -19,8 +19,8 @@ const addState = connect( } = state; - function sendSetPassword(current, password) { - postData('/account/password', { current, password }) + function sendSetPassword(password) { + postData('/account/password', { password }) .then(res => res.json()) .then(data => { if (data.error) return errorToast(data.error); @@ -74,7 +74,7 @@ class AccountStatus extends Component { super(props); this.state = { - passwordState: { current: '', password: '', confirm: ''}, + passwordState: { password: '', confirm: ''}, emailState: null, unsubState: false, }; @@ -105,8 +105,8 @@ class AccountStatus extends Component { passwordState.password === passwordState.confirm; const setPasswordDisabled = () => { - const { current, password, confirm } = passwordState; - return !(passwordsEqual() && password && current && confirm); + const { password, confirm } = passwordState; + return !(passwordsEqual() && password && confirm); } const tlClick = e => { @@ -173,15 +173,7 @@ class AccountStatus extends Component {
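Review bot: Dropping the `current` input from the form for every user advertises that the server no longer asks for proof of possession, which is only safe if the backend limits the relaxed path to sessions that arrived through the recovery link; the form should keep the field and omit it only when a recovered-session flag is set (no such flag is visible in these hunks). Concretely, keep `sendSetPassword(current, password)` and `postData('/account/password', { current, password })`, and have `setPasswordDisabled` require `current` only while the field is shown. The fourth hunk of this file (the JSX inputs) is unreadable on this page and is not reviewed; the `AccountStatus` class and `addState` both extend beyond the hunks shown.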

Password

- - +
diff --git a/server/src/account.rs b/server/src/account.rs
index 08d1ca74..f180cf70 100644
--- a/server/src/account.rs
+++ b/server/src/account.rs
@@ -213,42 +213,42 @@ pub fn new_img(tx: &mut Transaction, id: Uuid) -> Result {
 Account::try_from(row)
 }

-pub fn set_password(tx: &mut Transaction, id: Uuid, current: &String, password: &String) -> Result {
+pub fn set_password(tx: &mut Transaction, id: Uuid, password: &String) -> Result {
 if password.len() < PASSWORD_MIN_LEN || password.len() > 100 {
 return Err(MnmlHttpError::PasswordUnacceptable);
 }

- let query = "
- SELECT id, password
- FROM accounts
- WHERE id = $1
- ";
+ // let query = "
+ // SELECT id, password
+ // FROM accounts
+ // WHERE id = $1
+ // ";

- let result = tx
- .query(query, &[&id])?;
+ // let result = tx
+ // .query(query, &[&id])?;

- let row = match result.iter().next() {
- Some(row) => row,
- None => {
- let mut rng = thread_rng();
- let garbage: String = iter::repeat(())
- .map(|()| rng.sample(Alphanumeric))
- .take(64)
- .collect();
+ // let row = match result.iter().next() {
+ // Some(row) => row,
+ // None => {
+ // let mut rng = thread_rng();
+ // let garbage: String = iter::repeat(())
+ // .map(|()| rng.sample(Alphanumeric))
+ // .take(64)
+ // .collect();

- // verify garbage to prevent timing attacks
- verify(garbage.clone(), &garbage).ok();
- return Err(MnmlHttpError::AccountNotFound);
- },
- };
+ // // verify garbage to prevent timing attacks
+ // verify(garbage.clone(), &garbage).ok();
+ // return Err(MnmlHttpError::AccountNotFound);
+ // },
+ // };

- let id: Uuid = row.get(0);
- let db_pw: String = row.get(1);
+ // let id: Uuid = row.get(0);
+ // let db_pw: String = row.get(1);

- // return bad request to prevent being logged out
- if !verify(current, &db_pw)? {
- return Err(MnmlHttpError::BadRequest);
- }
+ // // return bad request to prevent being logged out
+ // if !verify(current, &db_pw)? {
+ // return Err(MnmlHttpError::BadRequest);
+ // }

 let password = hash(&password, PASSWORD_ROUNDS)?;

diff --git a/server/src/http.rs b/server/src/http.rs
index 88e7b51b..34b3b994 100644
--- a/server/src/http.rs
+++ b/server/src/http.rs
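Review bot: Deleting the current-password check from `set_password` for every caller means any live session — a stolen or unattended cookie — can now set a new password and lock the real owner out, whereas the commit only needed recovery-originated sessions to skip it. Gate the bypass on that instead: recovery has already proven control of the mailbox, so require `current` unless the session came through the recovery link (the `recovered` flag below stands for whatever signal the `recover` handler records — it is not visible in this hunk). Keep the garbage-`verify` path so a missing row still takes about as long as a real check, and delete the commented-out block rather than leaving it (it refers to a `current` parameter that no longer exists and will rot). `set_password` continues past the hunk; the `hash` call and the value it returns are outside it.
```rust
pub fn set_password(
    tx: &mut Transaction,
    id: Uuid,
    current: Option<&str>,
    recovered: bool,
    password: &String,
) -> Result {
    if password.len() < PASSWORD_MIN_LEN || password.len() > 100 {
        return Err(MnmlHttpError::PasswordUnacceptable);
    }

    // Only a session established through the recovery link may skip proving the
    // current password; it has already demonstrated control of the mailbox.
    // `recovered` must come from the recover handler's own state, never from
    // the request body.
    if !recovered {
        let current = current.ok_or(MnmlHttpError::BadRequest)?;
        verify_current_password(tx, id, current)?;
    }

    // … unchanged: hash(&password, PASSWORD_ROUNDS) and the rest of the function …
}

/// Checks `current` against the stored hash for `id`. When no row exists it
/// still runs a verify over random garbage so the not-found and wrong-password
/// outcomes take comparable time (the check the commit commented out, kept).
fn verify_current_password(tx: &mut Transaction, id: Uuid, current: &str) -> Result<()> {
    let result = tx.query("SELECT password FROM accounts WHERE id = $1", &[&id])?;
    let db_pw: String = match result.iter().next() {
        Some(row) => row.get(0),
        None => {
            let mut rng = thread_rng();
            let garbage: String = iter::repeat(())
                .map(|()| rng.sample(Alphanumeric))
                .take(64)
                .collect();
            verify(garbage.clone(), &garbage).ok();
            return Err(MnmlHttpError::AccountNotFound);
        }
    };
    // BadRequest rather than an auth error so the client is not logged out.
    if !verify(current, &db_pw)? {
        return Err(MnmlHttpError::BadRequest);
    }
    Ok(())
}
```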
@@ -369,7 +369,7 @@ fn recover(req: &mut Request) -> IronResult {

 #[derive(Debug,Clone,Deserialize)]
 struct SetPassword {
- current: String,
+ // current: String,
 password: String,
 }

@@ -385,7 +385,7 @@ fn set_password(req: &mut Request) -> IronResult {
 let db = state.pool.get().or(Err(MnmlHttpError::DbError))?;
 let mut tx = db.transaction().or(Err(MnmlHttpError::DbError))?;

- let token = account::set_password(&mut tx, a.id, ¶ms.current, ¶ms.password)?;
+ let token = account::set_password(&mut tx, a.id, ¶ms.password)?;

 tx.commit().or(Err(MnmlHttpError::ServerError))?;

diff --git a/server/src/mail.rs b/server/src/mail.rs
index d5083021..8f3b351f 100644
--- a/server/src/mail.rs
+++ b/server/src/mail.rs
@@ -42,10 +42,10 @@ pub enum Mail {

 fn recover(email: &String, name: &String, token: &String) -> SendableEmail {
 let body = format!("{:}, the link below will recover your account.
-please change your password immediately in the account page.
-this link will expire in 48 hours or once used.
+please change your password immediately in the account page
+as this link will expire in 48 hours or once used.

-http://mnml.gg/api/account/recover?recover_token={:}
+https://mnml.gg/api/account/recover?recover_token={:}

 glhf
 --mnml", name, token);
@@ -63,7 +63,7 @@ glhf
 fn confirm(email: &String, name: &String, token: &String) -> SendableEmail {
 let confirm_body = format!("{:}, please click the link below to confirm your email

-http://mnml.gg/api/account/email/confirm?confirm_token={:}
+https://mnml.gg/api/account/email/confirm?confirm_token={:}

 glhf
 --mnml", name, token);
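Review bot: Commenting out `current` in `SetPassword` leaves the handler with no way to tell a recovery session from an ordinary one, so the relaxed `account::set_password` call in the second hunk now applies to every authenticated request rather than only to the post-recovery case the commit message describes. Keep the field as optional — `#[serde(default)] current: Option<String>,` — so ordinary clients still send it, and pass it to `account::set_password` together with whatever the `recover` handler (named in the first hunk's header, body outside this view) records on the session, so that only such a session may omit it. A password set through recovery should also consume the recovery token and invalidate the account's other sessions; the `token` this call returns may already do that, but nothing visible here shows it. Both `recover` and `set_password` extend beyond these hunks.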