From 0590197315d4ffa29d6286cef04bac0fef83daf0 Mon Sep 17 00:00:00 2001
From: Pierre Hubert <pierre.git@communiquons.org>
Date: Wed, 31 May 2023 11:36:14 +0200
Subject: [PATCH] Can check the validity of a password reset token

---
 .../src/controllers/auth_controller.rs        | 41 +++++++++++++++++++
 geneit_backend/src/main.rs                    |  4 ++
 .../src/services/rate_limiter_service.rs      |  4 ++
 geneit_backend/src/services/users_service.rs  | 16 +++++++-
 4 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/geneit_backend/src/controllers/auth_controller.rs b/geneit_backend/src/controllers/auth_controller.rs
index a95cd39..bccd011 100644
--- a/geneit_backend/src/controllers/auth_controller.rs
+++ b/geneit_backend/src/controllers/auth_controller.rs
@@ -50,3 +50,44 @@ pub async fn create_account(remote_ip: RemoteIP, req: web::Json<CreateAccountBod
     // Account successfully created
     Ok(HttpResponse::Created().finish())
 }
+
+#[derive(serde::Deserialize)]
+pub struct CheckResetPasswordTokenBody {
+    token: String,
+}
+
+#[derive(serde::Serialize)]
+pub struct CheckResetPasswordTokenResponse {
+    name: String,
+}
+
+/// Check reset password token
+pub async fn check_reset_password_token(
+    remote_ip: RemoteIP,
+    req: web::Json<CheckResetPasswordTokenBody>,
+) -> HttpResult {
+    // Rate limiting
+    if rate_limiter_service::should_block_action(
+        remote_ip.0,
+        RatedAction::CheckResetPasswordTokenFailed,
+    )
+    .await?
+    {
+        return Ok(HttpResponse::TooManyRequests().finish());
+    }
+
+    let user = match users_service::get_by_pwd_reset_token(&req.token).await {
+        Ok(t) => t,
+        Err(e) => {
+            rate_limiter_service::record_action(
+                remote_ip.0,
+                RatedAction::CheckResetPasswordTokenFailed,
+            )
+            .await?;
+            log::error!("Password reset token could not be used: {}", e);
+            return Ok(HttpResponse::NotFound().finish());
+        }
+    };
+
+    Ok(HttpResponse::Ok().json(CheckResetPasswordTokenResponse { name: user.name }))
+}
diff --git a/geneit_backend/src/main.rs b/geneit_backend/src/main.rs
index a408992..7961389 100644
--- a/geneit_backend/src/main.rs
+++ b/geneit_backend/src/main.rs
@@ -27,6 +27,10 @@ async fn main() -> std::io::Result<()> {
                 "/auth/create_account",
                 web::post().to(auth_controller::create_account),
             )
+            .route(
+                "/auth/check_reset_password_token",
+                web::post().to(auth_controller::check_reset_password_token),
+            )
     })
     .bind(AppConfig::get().listen_address.as_str())?
     .run()
diff --git a/geneit_backend/src/services/rate_limiter_service.rs b/geneit_backend/src/services/rate_limiter_service.rs
index 5447bce..b4a3254 100644
--- a/geneit_backend/src/services/rate_limiter_service.rs
+++ b/geneit_backend/src/services/rate_limiter_service.rs
@@ -6,24 +6,28 @@ use std::time::Duration;
 #[derive(Debug, Copy, Clone)]
 pub enum RatedAction {
     CreateAccount,
+    CheckResetPasswordTokenFailed,
 }
 
 impl RatedAction {
     fn id(&self) -> &'static str {
         match self {
             RatedAction::CreateAccount => "create-account",
+            RatedAction::CheckResetPasswordTokenFailed => "check-reset-password-token",
         }
     }
 
     fn limit(&self) -> usize {
         match self {
             RatedAction::CreateAccount => 5,
+            RatedAction::CheckResetPasswordTokenFailed => 100,
         }
     }
 
     fn keep_seconds(&self) -> u64 {
         match self {
             RatedAction::CreateAccount => 3600,
+            RatedAction::CheckResetPasswordTokenFailed => 3600,
         }
     }
 
diff --git a/geneit_backend/src/services/users_service.rs b/geneit_backend/src/services/users_service.rs
index 5a49c80..caef213 100644
--- a/geneit_backend/src/services/users_service.rs
+++ b/geneit_backend/src/services/users_service.rs
@@ -10,11 +10,25 @@ use crate::utils::string_utils::rand_str;
 use crate::utils::time_utils::time;
 use diesel::prelude::*;
 
-/// Get the information of the user
+/// Get the information of the user, by its id
 pub async fn get_by_id(id: UserID) -> anyhow::Result<User> {
     db_connection::execute(|conn| Ok(users::table.filter(users::dsl::id.eq(id.0)).first(conn)?))
 }
 
+/// Get the information of the user, by its password reset token
+pub async fn get_by_pwd_reset_token(token: &str) -> anyhow::Result<User> {
+    db_connection::execute(|conn| {
+        Ok(users::table
+            .filter(
+                users::dsl::reset_password_token.eq(token.to_string()).and(
+                    users::dsl::time_gen_reset_token
+                        .ge(time() as i64 - PASSWORD_RESET_TOKEN_DURATION.as_secs() as i64),
+                ),
+            )
+            .first(conn)?)
+    })
+}
+
 /// Create a new account
 pub async fn create_account(name: &str, email: &str) -> anyhow::Result<User> {
     db_connection::execute(|conn| {