ntr/mnml
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

remove current password requirement so you can change pw after recovery

Browse Source
This commit is contained in:
ntr 2020-01-09 16:33:19 +10:00
parent 4f6c3decd6
commit 15bc05b3d4
4 changed files with 40 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
client/src/components/account.top.jsx
View File

@ -19,8 +19,8 @@ const addState = connect(
} = state;
function sendSetPassword(current, password) {
postData('/account/password', { current, password })
function sendSetPassword(password) {
postData('/account/password', { password })
.then(res => res.json())
.then(data => {
if (data.error) return errorToast(data.error);
@ -74,7 +74,7 @@ class AccountStatus extends Component {
super(props);
this.state = {
passwordState: { current: '', password: '', confirm: ''},
passwordState: { password: '', confirm: ''},
emailState: null,
unsubState: false,
};
@ -105,8 +105,8 @@ class AccountStatus extends Component {
passwordState.password === passwordState.confirm;
const setPasswordDisabled = () => {
const { current, password, confirm } = passwordState;
return !(passwordsEqual() && password && current && confirm);
const { password, confirm } = passwordState;
return !(passwordsEqual() && password && confirm);
}
const tlClick = e => {
@ -173,15 +173,7 @@ class AccountStatus extends Component {
</div>
<div>
<h3>Password</h3>
<label for="current">Password:</label>
<input
class="login-input"
type="password"
name="current"
value={passwordState.current}
onInput={linkState(this, 'passwordState.current')}
placeholder="current"
/>
<label for="current">Set Password:</label>
<input
class="login-input"
type="password"
@ -202,7 +194,7 @@ class AccountStatus extends Component {
/>
<button
disabled={setPasswordDisabled()}
onClick={() => sendSetPassword(passwordState.current, passwordState.password)}>
onClick={() => sendSetPassword(passwordState.password)}>
Set Password
</button>
</div>

54
server/src/account.rs
View File

@ -213,42 +213,42 @@ pub fn new_img(tx: &mut Transaction, id: Uuid) -> Result<Account, Error> {
Account::try_from(row)
}
pub fn set_password(tx: &mut Transaction, id: Uuid, current: &String, password: &String) -> Result<String, MnmlHttpError> {
pub fn set_password(tx: &mut Transaction, id: Uuid, password: &String) -> Result<String, MnmlHttpError> {
if password.len() < PASSWORD_MIN_LEN || password.len() > 100 {
return Err(MnmlHttpError::PasswordUnacceptable);
}
let query = "
SELECT id, password
FROM accounts
WHERE id = $1
";
// let query = "
// SELECT id, password
// FROM accounts
// WHERE id = $1
// ";
let result = tx
.query(query, &[&id])?;
// let result = tx
// .query(query, &[&id])?;
let row = match result.iter().next() {
Some(row) => row,
None => {
let mut rng = thread_rng();
let garbage: String = iter::repeat(())
.map(|()| rng.sample(Alphanumeric))
.take(64)
.collect();
// let row = match result.iter().next() {
// Some(row) => row,
// None => {
// let mut rng = thread_rng();
// let garbage: String = iter::repeat(())
// .map(|()| rng.sample(Alphanumeric))
// .take(64)
// .collect();
// verify garbage to prevent timing attacks
verify(garbage.clone(), &garbage).ok();
return Err(MnmlHttpError::AccountNotFound);
},
};
// // verify garbage to prevent timing attacks
// verify(garbage.clone(), &garbage).ok();
// return Err(MnmlHttpError::AccountNotFound);
// },
// };
let id: Uuid = row.get(0);
let db_pw: String = row.get(1);
// let id: Uuid = row.get(0);
// let db_pw: String = row.get(1);
// return bad request to prevent being logged out
if !verify(current, &db_pw)? {
return Err(MnmlHttpError::BadRequest);
}
// // return bad request to prevent being logged out
// if !verify(current, &db_pw)? {
// return Err(MnmlHttpError::BadRequest);
// }
let password = hash(&password, PASSWORD_ROUNDS)?;

4
server/src/http.rs
View File

@ -369,7 +369,7 @@ fn recover(req: &mut Request) -> IronResult<Response> {
#[derive(Debug,Clone,Deserialize)]
struct SetPassword {
current: String,
// current: String,
password: String,
}
@ -385,7 +385,7 @@ fn set_password(req: &mut Request) -> IronResult<Response> {
let db = state.pool.get().or(Err(MnmlHttpError::DbError))?;
let mut tx = db.transaction().or(Err(MnmlHttpError::DbError))?;
let token = account::set_password(&mut tx, a.id, &params.current, &params.password)?;
let token = account::set_password(&mut tx, a.id, &params.password)?;
tx.commit().or(Err(MnmlHttpError::ServerError))?;

8
server/src/mail.rs
View File

@ -42,10 +42,10 @@ pub enum Mail {
fn recover(email: &String, name: &String, token: &String) -> SendableEmail {
let body = format!("{:},
the link below will recover your account.
please change your password immediately in the account page.
this link will expire in 48 hours or once used.
please change your password immediately in the account page
as this link will expire in 48 hours or once used.
http://mnml.gg/api/account/recover?recover_token={:}
https://mnml.gg/api/account/recover?recover_token={:}
glhf
--mnml", name, token);
@ -63,7 +63,7 @@ glhf
fn confirm(email: &String, name: &String, token: &String) -> SendableEmail {
let confirm_body = format!("{:},
please click the link below to confirm your email
http://mnml.gg/api/account/email/confirm?confirm_token={:}
https://mnml.gg/api/account/email/confirm?confirm_token={:}
glhf
--mnml", name, token);