Can check the validity of a password reset token

This commit is contained in:
Pierre HUBERT 2023-05-31 11:36:14 +02:00
parent 7f8e41b618
commit 0590197315
4 changed files with 64 additions and 1 deletions

View File

@ -50,3 +50,44 @@ pub async fn create_account(remote_ip: RemoteIP, req: web::Json<CreateAccountBod
// Account successfully created // Account successfully created
Ok(HttpResponse::Created().finish()) Ok(HttpResponse::Created().finish())
} }
#[derive(serde::Deserialize)]
pub struct CheckResetPasswordTokenBody {
token: String,
}
#[derive(serde::Serialize)]
pub struct CheckResetPasswordTokenResponse {
name: String,
}
/// Check reset password token
pub async fn check_reset_password_token(
remote_ip: RemoteIP,
req: web::Json<CheckResetPasswordTokenBody>,
) -> HttpResult {
// Rate limiting
if rate_limiter_service::should_block_action(
remote_ip.0,
RatedAction::CheckResetPasswordTokenFailed,
)
.await?
{
return Ok(HttpResponse::TooManyRequests().finish());
}
let user = match users_service::get_by_pwd_reset_token(&req.token).await {
Ok(t) => t,
Err(e) => {
rate_limiter_service::record_action(
remote_ip.0,
RatedAction::CheckResetPasswordTokenFailed,
)
.await?;
log::error!("Password reset token could not be used: {}", e);
return Ok(HttpResponse::NotFound().finish());
}
};
Ok(HttpResponse::Ok().json(CheckResetPasswordTokenResponse { name: user.name }))
}

View File

@ -27,6 +27,10 @@ async fn main() -> std::io::Result<()> {
"/auth/create_account", "/auth/create_account",
web::post().to(auth_controller::create_account), web::post().to(auth_controller::create_account),
) )
.route(
"/auth/check_reset_password_token",
web::post().to(auth_controller::check_reset_password_token),
)
}) })
.bind(AppConfig::get().listen_address.as_str())? .bind(AppConfig::get().listen_address.as_str())?
.run() .run()

View File

@ -6,24 +6,28 @@ use std::time::Duration;
#[derive(Debug, Copy, Clone)] #[derive(Debug, Copy, Clone)]
pub enum RatedAction { pub enum RatedAction {
CreateAccount, CreateAccount,
CheckResetPasswordTokenFailed,
} }
impl RatedAction { impl RatedAction {
fn id(&self) -> &'static str { fn id(&self) -> &'static str {
match self { match self {
RatedAction::CreateAccount => "create-account", RatedAction::CreateAccount => "create-account",
RatedAction::CheckResetPasswordTokenFailed => "check-reset-password-token",
} }
} }
fn limit(&self) -> usize { fn limit(&self) -> usize {
match self { match self {
RatedAction::CreateAccount => 5, RatedAction::CreateAccount => 5,
RatedAction::CheckResetPasswordTokenFailed => 100,
} }
} }
fn keep_seconds(&self) -> u64 { fn keep_seconds(&self) -> u64 {
match self { match self {
RatedAction::CreateAccount => 3600, RatedAction::CreateAccount => 3600,
RatedAction::CheckResetPasswordTokenFailed => 3600,
} }
} }

View File

@ -10,11 +10,25 @@ use crate::utils::string_utils::rand_str;
use crate::utils::time_utils::time; use crate::utils::time_utils::time;
use diesel::prelude::*; use diesel::prelude::*;
/// Get the information of the user /// Get the information of the user, by its id
pub async fn get_by_id(id: UserID) -> anyhow::Result<User> { pub async fn get_by_id(id: UserID) -> anyhow::Result<User> {
db_connection::execute(|conn| Ok(users::table.filter(users::dsl::id.eq(id.0)).first(conn)?)) db_connection::execute(|conn| Ok(users::table.filter(users::dsl::id.eq(id.0)).first(conn)?))
} }
/// Get the information of the user, by its password reset token
pub async fn get_by_pwd_reset_token(token: &str) -> anyhow::Result<User> {
db_connection::execute(|conn| {
Ok(users::table
.filter(
users::dsl::reset_password_token.eq(token.to_string()).and(
users::dsl::time_gen_reset_token
.ge(time() as i64 - PASSWORD_RESET_TOKEN_DURATION.as_secs() as i64),
),
)
.first(conn)?)
})
}
/// Create a new account /// Create a new account
pub async fn create_account(name: &str, email: &str) -> anyhow::Result<User> { pub async fn create_account(name: &str, email: &str) -> anyhow::Result<User> {
db_connection::execute(|conn| { db_connection::execute(|conn| {