remove current password requirement so you can change pw after recovery
This commit is contained in:
parent
4f6c3decd6
commit
15bc05b3d4
@ -19,8 +19,8 @@ const addState = connect(
|
|||||||
} = state;
|
} = state;
|
||||||
|
|
||||||
|
|
||||||
function sendSetPassword(current, password) {
|
function sendSetPassword(password) {
|
||||||
postData('/account/password', { current, password })
|
postData('/account/password', { password })
|
||||||
.then(res => res.json())
|
.then(res => res.json())
|
||||||
.then(data => {
|
.then(data => {
|
||||||
if (data.error) return errorToast(data.error);
|
if (data.error) return errorToast(data.error);
|
||||||
@ -74,7 +74,7 @@ class AccountStatus extends Component {
|
|||||||
super(props);
|
super(props);
|
||||||
|
|
||||||
this.state = {
|
this.state = {
|
||||||
passwordState: { current: '', password: '', confirm: ''},
|
passwordState: { password: '', confirm: ''},
|
||||||
emailState: null,
|
emailState: null,
|
||||||
unsubState: false,
|
unsubState: false,
|
||||||
};
|
};
|
||||||
@ -105,8 +105,8 @@ class AccountStatus extends Component {
|
|||||||
passwordState.password === passwordState.confirm;
|
passwordState.password === passwordState.confirm;
|
||||||
|
|
||||||
const setPasswordDisabled = () => {
|
const setPasswordDisabled = () => {
|
||||||
const { current, password, confirm } = passwordState;
|
const { password, confirm } = passwordState;
|
||||||
return !(passwordsEqual() && password && current && confirm);
|
return !(passwordsEqual() && password && confirm);
|
||||||
}
|
}
|
||||||
|
|
||||||
const tlClick = e => {
|
const tlClick = e => {
|
||||||
@ -173,15 +173,7 @@ class AccountStatus extends Component {
|
|||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
<h3>Password</h3>
|
<h3>Password</h3>
|
||||||
<label for="current">Password:</label>
|
<label for="current">Set Password:</label>
|
||||||
<input
|
|
||||||
class="login-input"
|
|
||||||
type="password"
|
|
||||||
name="current"
|
|
||||||
value={passwordState.current}
|
|
||||||
onInput={linkState(this, 'passwordState.current')}
|
|
||||||
placeholder="current"
|
|
||||||
/>
|
|
||||||
<input
|
<input
|
||||||
class="login-input"
|
class="login-input"
|
||||||
type="password"
|
type="password"
|
||||||
@ -202,7 +194,7 @@ class AccountStatus extends Component {
|
|||||||
/>
|
/>
|
||||||
<button
|
<button
|
||||||
disabled={setPasswordDisabled()}
|
disabled={setPasswordDisabled()}
|
||||||
onClick={() => sendSetPassword(passwordState.current, passwordState.password)}>
|
onClick={() => sendSetPassword(passwordState.password)}>
|
||||||
Set Password
|
Set Password
|
||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
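Review bot: The `<label for="current">Set Password:</label>` kept in the Password block now points at a control that no longer exists — the `name="current"` input directly below it is removed in the same hunk — so the label is orphaned for screen readers and click-to-focus. It should target the new-password input, presumably `<label for="password">Set Password:</label>` (that input's `name` attribute falls outside the visible lines, so confirm the value). Dropping the current-password field also means this form lets any live session rotate the credential in one click; if the server only waives the old-password proof for recovery-established sessions, the UI should mirror that gate rather than always offering the field-less form. `sendSetPassword` and the JSX block both continue past their hunks.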
|
|||||||
@ -213,42 +213,42 @@ pub fn new_img(tx: &mut Transaction, id: Uuid) -> Result<Account, Error> {
|
|||||||
Account::try_from(row)
|
Account::try_from(row)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn set_password(tx: &mut Transaction, id: Uuid, current: &String, password: &String) -> Result<String, MnmlHttpError> {
|
pub fn set_password(tx: &mut Transaction, id: Uuid, password: &String) -> Result<String, MnmlHttpError> {
|
||||||
if password.len() < PASSWORD_MIN_LEN || password.len() > 100 {
|
if password.len() < PASSWORD_MIN_LEN || password.len() > 100 {
|
||||||
return Err(MnmlHttpError::PasswordUnacceptable);
|
return Err(MnmlHttpError::PasswordUnacceptable);
|
||||||
}
|
}
|
||||||
|
|
||||||
let query = "
|
// let query = "
|
||||||
SELECT id, password
|
// SELECT id, password
|
||||||
FROM accounts
|
// FROM accounts
|
||||||
WHERE id = $1
|
// WHERE id = $1
|
||||||
";
|
// ";
|
||||||
|
|
||||||
let result = tx
|
// let result = tx
|
||||||
.query(query, &[&id])?;
|
// .query(query, &[&id])?;
|
||||||
|
|
||||||
let row = match result.iter().next() {
|
// let row = match result.iter().next() {
|
||||||
Some(row) => row,
|
// Some(row) => row,
|
||||||
None => {
|
// None => {
|
||||||
let mut rng = thread_rng();
|
// let mut rng = thread_rng();
|
||||||
let garbage: String = iter::repeat(())
|
// let garbage: String = iter::repeat(())
|
||||||
.map(|()| rng.sample(Alphanumeric))
|
// .map(|()| rng.sample(Alphanumeric))
|
||||||
.take(64)
|
// .take(64)
|
||||||
.collect();
|
// .collect();
|
||||||
|
|
||||||
// verify garbage to prevent timing attacks
|
// // verify garbage to prevent timing attacks
|
||||||
verify(garbage.clone(), &garbage).ok();
|
// verify(garbage.clone(), &garbage).ok();
|
||||||
return Err(MnmlHttpError::AccountNotFound);
|
// return Err(MnmlHttpError::AccountNotFound);
|
||||||
},
|
// },
|
||||||
};
|
// };
|
||||||
|
|
||||||
let id: Uuid = row.get(0);
|
// let id: Uuid = row.get(0);
|
||||||
let db_pw: String = row.get(1);
|
// let db_pw: String = row.get(1);
|
||||||
|
|
||||||
// return bad request to prevent being logged out
|
// // return bad request to prevent being logged out
|
||||||
if !verify(current, &db_pw)? {
|
// if !verify(current, &db_pw)? {
|
||||||
return Err(MnmlHttpError::BadRequest);
|
// return Err(MnmlHttpError::BadRequest);
|
||||||
}
|
// }
|
||||||
|
|
||||||
let password = hash(&password, PASSWORD_ROUNDS)?;
|
let password = hash(&password, PASSWORD_ROUNDS)?;
|
||||||
|
|
||||||
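Review bot: `set_password` now rotates the credential on nothing more than the caller's session — the lookup and `verify(current, &db_pw)` that bound the change to knowledge of the existing password is left behind as a commented-out block instead of being gated, so any live session (stolen cookie, shared device) can set a new password. A narrower fix for the recovery case is to make the proof optional only when the session came from a recovery link: `pub fn set_password(tx: &mut Transaction, id: Uuid, current: Option<&str>, password: &str) -> Result<String, MnmlHttpError>`, run the original lookup-and-verify path when `current` is `Some`, and when it is `None` require a recovery marker on the account that the recover flow sets and this function clears (that flow is outside this hunk, so the exact marker is for the author to confirm). The dead block should be deleted rather than commented out, and `&String` parameters should be `&str`. The function body continues past the hunk, so whether the returned token invalidates the account's other sessions — the other half of a safe recovery-driven reset — cannot be judged here.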
|
|||||||
@ -369,7 +369,7 @@ fn recover(req: &mut Request) -> IronResult<Response> {
|
|||||||
|
|
||||||
#[derive(Debug,Clone,Deserialize)]
|
#[derive(Debug,Clone,Deserialize)]
|
||||||
struct SetPassword {
|
struct SetPassword {
|
||||||
current: String,
|
// current: String,
|
||||||
password: String,
|
password: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -385,7 +385,7 @@ fn set_password(req: &mut Request) -> IronResult<Response> {
|
|||||||
let db = state.pool.get().or(Err(MnmlHttpError::DbError))?;
|
let db = state.pool.get().or(Err(MnmlHttpError::DbError))?;
|
||||||
let mut tx = db.transaction().or(Err(MnmlHttpError::DbError))?;
|
let mut tx = db.transaction().or(Err(MnmlHttpError::DbError))?;
|
||||||
|
|
||||||
let token = account::set_password(&mut tx, a.id, ¶ms.current, ¶ms.password)?;
|
let token = account::set_password(&mut tx, a.id, ¶ms.password)?;
|
||||||
|
|
||||||
tx.commit().or(Err(MnmlHttpError::ServerError))?;
|
tx.commit().or(Err(MnmlHttpError::ServerError))?;
|
||||||
|
|
||||||
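Review bot: `SetPassword` now silently accepts the `current` field that existing clients still send (serde ignores unknown fields by default) while the handler never checks it, and `// current: String,` is dead code. If the intent is to skip the current-password proof only for recovery-established sessions, keep the field as `current: Option<String>` (serde maps an absent field to `None` with no extra attribute) and pass `params.current.as_deref()` through to `account::set_password`, which can then require either the proof or a recovery marker on the session `a` — how `a` is obtained is above this hunk, so that condition is for the author to confirm. Delete the commented-out line rather than leaving it. The `set_password` handler starts before this hunk.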
|
|||||||
@ -42,10 +42,10 @@ pub enum Mail {
|
|||||||
fn recover(email: &String, name: &String, token: &String) -> SendableEmail {
|
fn recover(email: &String, name: &String, token: &String) -> SendableEmail {
|
||||||
let body = format!("{:},
|
let body = format!("{:},
|
||||||
the link below will recover your account.
|
the link below will recover your account.
|
||||||
please change your password immediately in the account page.
|
please change your password immediately in the account page
|
||||||
this link will expire in 48 hours or once used.
|
as this link will expire in 48 hours or once used.
|
||||||
|
|
||||||
http://mnml.gg/api/account/recover?recover_token={:}
|
https://mnml.gg/api/account/recover?recover_token={:}
|
||||||
|
|
||||||
glhf
|
glhf
|
||||||
--mnml", name, token);
|
--mnml", name, token);
|
||||||
@ -63,7 +63,7 @@ glhf
|
|||||||
fn confirm(email: &String, name: &String, token: &String) -> SendableEmail {
|
fn confirm(email: &String, name: &String, token: &String) -> SendableEmail {
|
||||||
let confirm_body = format!("{:},
|
let confirm_body = format!("{:},
|
||||||
please click the link below to confirm your email
|
please click the link below to confirm your email
|
||||||
http://mnml.gg/api/account/email/confirm?confirm_token={:}
|
https://mnml.gg/api/account/email/confirm?confirm_token={:}
|
||||||
|
|
||||||
glhf
|
glhf
|
||||||
--mnml", name, token);
|
--mnml", name, token);
|
||||||
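Review bot: The reflowed recovery body now reads `please change your password immediately in the account page` followed by `as this link will expire in 48 hours or once used.`, which makes the link's expiry the reason to change the password; the two facts are independent, so keep the period and drop the `as`: `please change your password immediately in the account page.` on one line and `this link will expire in 48 hours or once used.` on the next. Switching both links to `https://` is right, but the recovery and confirm tokens still travel in a GET query string, where they land in browser history and proxy/server access logs, and the 48-hour single-use expiry promised here should match what the recover handler enforces, which is outside this section. Both `recover` and `confirm` continue past their hunks.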
|
|||||||