Can generate a reset token if password is valid

2025-10-30 23:24:42 +00:00 · 2020-07-13 14:20:28 +02:00
parent d33e1fe77c
commit e4b361ab12
5 changed files with 63 additions and 1 deletions
--- a/src/api_data/mod.rs
+++ b/src/api_data/mod.rs
@@ -45,4 +45,5 @@ pub mod user_membership_api;
 mod type_container_api;
 pub mod res_check_email_exists;
 pub mod res_check_security_questions_exists;
-pub mod res_get_security_questions;
+pub mod res_get_security_questions;
+pub mod res_check_security_answers;
--- a/src/api_data/res_check_security_answers.rs
+++ b/src/api_data/res_check_security_answers.rs
@@ -0,0 +1,17 @@
+//! # Check security answsers result
+//!
+//! If the user gave valid security answers, we give him a password reset token.
+//!
+//! @author Pierre Hubert
+use serde::Serialize;
+
+#[derive(Serialize)]
+pub struct ResCheckSecurityAnswers {
+    reset_token: String
+}
+
+impl ResCheckSecurityAnswers {
+    pub fn new(reset_token: String) -> ResCheckSecurityAnswers {
+        ResCheckSecurityAnswers { reset_token }
+    }
+}
--- a/src/controllers/account_controller.rs
+++ b/src/controllers/account_controller.rs
@@ -1,6 +1,9 @@
+use percent_encoding::percent_decode_str;
+
 use crate::api_data::current_user_id::CurrentUserID;
 use crate::api_data::login_success::LoginSuccess;
 use crate::api_data::res_check_email_exists::ResCheckEmailExists;
+use crate::api_data::res_check_security_answers::ResCheckSecurityAnswers;
 use crate::api_data::res_check_security_questions_exists::ResCheckSecurityQuestionsExists;
 use crate::api_data::res_get_security_questions::ResGetSecurityQuestions;
 use crate::controllers::routes::RequestResult;
@@ -118,4 +121,31 @@ pub fn get_security_questions(r: &mut HttpRequestHandler) -> RequestResult {
    }

    r.set_response(ResGetSecurityQuestions::new(&user))
+}
+
+/// Check the security answers given by a user to reset a password
+pub fn check_security_answers(r: &mut HttpRequestHandler) -> RequestResult {
+    let user = r.post_user_info_from_email("email")?;
+
+    if !user.has_security_questions() {
+        r.forbidden("Specified user has not setup security questions !".to_string())?;
+    }
+
+    let answers: Vec<String> = r.post_string_opt("answers", 3, true)?
+        .split("&")
+        .map(|s| percent_decode_str(s).decode_utf8_lossy().to_lowercase().trim().to_string())
+        .collect::<Vec<String>>();
+
+    if answers.len() != 2 {
+        r.forbidden("Please specify two answers!".to_string())?;
+    }
+
+    if answers[0] != user.security_answer_1.unwrap().to_lowercase().trim() ||
+        answers[1] != user.security_answer_2.unwrap().to_lowercase().trim() {
+        r.forbidden("Invalid security answers!".to_string())?;
+    }
+
+    let token = account_helper::generate_password_reset_token(&user.id)?;
+
+    r.set_response(ResCheckSecurityAnswers::new(token))
 }
--- a/src/controllers/routes.rs
+++ b/src/controllers/routes.rs
@@ -78,6 +78,7 @@ pub fn get_routes() -> Vec<Route> {
        Route::post_without_login("/account/exists_email", Box::new(account_controller::exists_mail)),
        Route::post_without_login("/account/has_security_questions", Box::new(account_controller::has_security_questions)),
        Route::post_without_login("/account/get_security_questions", Box::new(account_controller::get_security_questions)),
+        Route::post_without_login("/account/check_security_answers", Box::new(account_controller::check_security_answers)),

        // User controller
        Route::post_without_login("/user/getInfo", Box::new(user_controller::get_single)),
--- a/src/helpers/account_helper.rs
+++ b/src/helpers/account_helper.rs
@@ -114,6 +114,19 @@ pub fn destroy_all_user_tokens(id: &UserID) -> ResultBoxError {
        .exec()
 }

+/// Generate a new password reset token
+pub fn generate_password_reset_token(user_id: &UserID) -> ResultBoxError<String> {
+    let token = rand_str(255);
+
+    database::UpdateInfo::new(USERS_TABLE)
+        .cond_user_id("ID", user_id)
+        .set_str("password_reset_token", &token)
+        .set_u64("password_reset_token_time_create", time())
+        .exec()?;
+
+    Ok(token)
+}
+
 /// Check out whether a virtual directory is taken by a user or not
 pub fn check_user_directory_availability(dir: &str, user_id: Option<UserID>) -> ResultBoxError<bool> {
    let found_user = user_helper::find_user_by_virtual_directory(dir);