Password reset (#448)
* Password reset * Various improvements and fixes for password reset - Reorganize src/mail.rs to make it cleaner - add a build_mail function - only make the requests invalid after 2 hours - avoid infintely-growing list of requests by deleting them once completed, or after 24 hours - avoid sending many requests for the same user - validate the password reset form * Avoid locking so many times Fix durations * Remove old requests even if the current one is not valid * Remove unused feature * Also remove the custom_derive and plugin features while we are at it * Forgot a 0 è_é * Avoid panicking while owning a request lock * Use master branch of lettre so that we can build with the latest OpenSSL * Fix the debug mailer
This commit is contained in:
+80
@@ -0,0 +1,80 @@
|
||||
use lettre_email::Email;
|
||||
use std::env;
|
||||
|
||||
pub use self::mailer::*;
|
||||
|
||||
#[cfg(feature = "debug-mailer")]
|
||||
mod mailer {
|
||||
use lettre::{Transport, SendableEmail};
|
||||
use std::{io::Read};
|
||||
|
||||
pub struct DebugTransport;
|
||||
|
||||
impl<'a> Transport<'a> for DebugTransport {
|
||||
type Result = Result<(), ()>;
|
||||
|
||||
fn send(&mut self, email: SendableEmail) -> Self::Result {
|
||||
println!(
|
||||
"{}: from=<{}> to=<{:?}>\n{:#?}",
|
||||
email.message_id().to_string(),
|
||||
email.envelope().from().map(ToString::to_string).unwrap_or_default(),
|
||||
email.envelope().to().to_vec(),
|
||||
{
|
||||
let mut message = String::new();
|
||||
email.message().read_to_string(&mut message).map_err(|_| ())?;
|
||||
message
|
||||
},
|
||||
);
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
pub type Mailer = Option<DebugTransport>;
|
||||
|
||||
pub fn init() -> Mailer {
|
||||
Some(DebugTransport)
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "debug-mailer"))]
|
||||
mod mailer {
|
||||
use lettre::{
|
||||
SmtpTransport,
|
||||
SmtpClient,
|
||||
smtp::{
|
||||
authentication::{Credentials, Mechanism},
|
||||
extension::ClientId,
|
||||
ConnectionReuseParameters,
|
||||
},
|
||||
};
|
||||
use std::env;
|
||||
|
||||
pub type Mailer = Option<SmtpTransport>;
|
||||
|
||||
pub fn init() -> Mailer {
|
||||
let server = env::var("MAIL_SERVER").ok()?;
|
||||
let helo_name = env::var("MAIL_HELO_NAME").unwrap_or_else(|_| "localhost".to_owned());
|
||||
let username = env::var("MAIL_USER").ok()?;
|
||||
let password = env::var("MAIL_PASSWORD").ok()?;
|
||||
let mail = SmtpClient::new_simple(&server).unwrap()
|
||||
.hello_name(ClientId::Domain(helo_name))
|
||||
.credentials(Credentials::new(username, password))
|
||||
.smtp_utf8(true)
|
||||
.authentication_mechanism(Mechanism::Plain)
|
||||
.connection_reuse(ConnectionReuseParameters::NoReuse)
|
||||
.transport();
|
||||
Some(mail)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn build_mail(dest: String, subject: String, body: String) -> Option<Email> {
|
||||
Email::builder()
|
||||
.from(env::var("MAIL_ADDRESS")
|
||||
.or_else(|_| Ok(format!("{}@{}", env::var("MAIL_USER")?, env::var("MAIL_SERVER")?)) as Result<_, env::VarError>)
|
||||
.expect("Mail server is not correctly configured"))
|
||||
.to(dest)
|
||||
.subject(subject)
|
||||
.text(body)
|
||||
.build()
|
||||
.ok()
|
||||
}
|
||||
+17
-2
@@ -1,4 +1,4 @@
|
||||
#![feature(custom_derive, plugin, decl_macro, proc_macro_hygiene)]
|
||||
#![feature(decl_macro, proc_macro_hygiene)]
|
||||
|
||||
extern crate activitypub;
|
||||
extern crate askama_escape;
|
||||
@@ -15,6 +15,8 @@ extern crate gettext_macros;
|
||||
extern crate gettext_utils;
|
||||
extern crate guid_create;
|
||||
extern crate heck;
|
||||
extern crate lettre;
|
||||
extern crate lettre_email;
|
||||
extern crate multipart;
|
||||
extern crate num_cpus;
|
||||
extern crate plume_api;
|
||||
@@ -51,13 +53,14 @@ use plume_models::{
|
||||
use scheduled_thread_pool::ScheduledThreadPool;
|
||||
use std::env;
|
||||
use std::process::exit;
|
||||
use std::sync::Arc;
|
||||
use std::sync::{Arc, Mutex};
|
||||
use std::time::Duration;
|
||||
|
||||
init_i18n!("plume", ar, de, en, es, fr, gl, it, ja, nb, pl, pt, ru);
|
||||
|
||||
mod api;
|
||||
mod inbox;
|
||||
mod mail;
|
||||
#[macro_use]
|
||||
mod template_utils;
|
||||
mod routes;
|
||||
@@ -117,6 +120,12 @@ Then try to restart Plume.
|
||||
.limit("forms", form_size * 1024)
|
||||
.limit("json", activity_size * 1024));
|
||||
|
||||
let mail = mail::init();
|
||||
if mail.is_none() && config.environment.is_prod() {
|
||||
println!("Warning: the email server is not configured (or not completely).");
|
||||
println!("Please refer to the documentation to see how to configure it.");
|
||||
}
|
||||
|
||||
rocket::custom(config)
|
||||
.mount("/", routes![
|
||||
routes::blogs::details,
|
||||
@@ -177,6 +186,10 @@ Then try to restart Plume.
|
||||
routes::session::new,
|
||||
routes::session::create,
|
||||
routes::session::delete,
|
||||
routes::session::password_reset_request_form,
|
||||
routes::session::password_reset_request,
|
||||
routes::session::password_reset_form,
|
||||
routes::session::password_reset,
|
||||
|
||||
routes::static_files,
|
||||
|
||||
@@ -222,6 +235,8 @@ Then try to restart Plume.
|
||||
routes::errors::unprocessable_entity,
|
||||
routes::errors::server_error
|
||||
])
|
||||
.manage(Arc::new(Mutex::new(mail)))
|
||||
.manage::<Arc<Mutex<Vec<routes::session::ResetRequest>>>>(Arc::new(Mutex::new(vec![])))
|
||||
.manage(dbpool)
|
||||
.manage(workpool)
|
||||
.manage(searcher)
|
||||
|
||||
+145
-4
@@ -1,19 +1,23 @@
|
||||
use lettre::Transport;
|
||||
use rocket::{
|
||||
State,
|
||||
http::{Cookie, Cookies, SameSite, uri::Uri},
|
||||
response::Redirect,
|
||||
request::{LenientForm,FlashMessage}
|
||||
request::{LenientForm, FlashMessage, Form}
|
||||
};
|
||||
use rocket::http::ext::IntoOwned;
|
||||
use rocket_i18n::I18n;
|
||||
use std::borrow::Cow;
|
||||
use std::{borrow::Cow, sync::{Arc, Mutex}, time::Instant};
|
||||
use validator::{Validate, ValidationError, ValidationErrors};
|
||||
use template_utils::Ructe;
|
||||
|
||||
use plume_models::{
|
||||
BASE_URL, Error,
|
||||
db_conn::DbConn,
|
||||
users::{User, AUTH_COOKIE}
|
||||
};
|
||||
|
||||
use mail::{build_mail, Mailer};
|
||||
use routes::errors::ErrorPage;
|
||||
|
||||
#[get("/login?<m>")]
|
||||
pub fn new(user: Option<User>, conn: DbConn, m: Option<String>, intl: I18n) -> Ructe {
|
||||
@@ -76,7 +80,7 @@ pub fn create(conn: DbConn, form: LenientForm<LoginForm>, flash: Option<FlashMes
|
||||
|
||||
let uri = Uri::parse(&destination)
|
||||
.map(|x| x.into_owned())
|
||||
.map_err(|_| render!(session::login(
|
||||
.map_err(|_| render!(session::login(
|
||||
&(&*conn, &intl.catalog, None),
|
||||
None,
|
||||
&*form,
|
||||
@@ -101,3 +105,140 @@ pub fn delete(mut cookies: Cookies) -> Redirect {
|
||||
}
|
||||
Redirect::to("/")
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct ResetRequest {
|
||||
pub mail: String,
|
||||
pub id: String,
|
||||
pub creation_date: Instant,
|
||||
}
|
||||
|
||||
impl PartialEq for ResetRequest {
|
||||
fn eq(&self, other: &Self) -> bool {
|
||||
self.id == other.id
|
||||
}
|
||||
}
|
||||
|
||||
#[get("/password-reset")]
|
||||
pub fn password_reset_request_form(conn: DbConn, intl: I18n) -> Ructe {
|
||||
render!(session::password_reset_request(
|
||||
&(&*conn, &intl.catalog, None),
|
||||
&ResetForm::default(),
|
||||
ValidationErrors::default()
|
||||
))
|
||||
}
|
||||
|
||||
#[derive(FromForm, Validate, Default)]
|
||||
pub struct ResetForm {
|
||||
#[validate(email)]
|
||||
pub email: String,
|
||||
}
|
||||
|
||||
#[post("/password-reset", data = "<form>")]
|
||||
pub fn password_reset_request(
|
||||
conn: DbConn,
|
||||
intl: I18n,
|
||||
mail: State<Arc<Mutex<Mailer>>>,
|
||||
form: Form<ResetForm>,
|
||||
requests: State<Arc<Mutex<Vec<ResetRequest>>>>
|
||||
) -> Ructe {
|
||||
let mut requests = requests.lock().unwrap();
|
||||
// Remove outdated requests (more than 1 day old) to avoid the list to grow too much
|
||||
requests.retain(|r| r.creation_date.elapsed().as_secs() < 24 * 60 * 60);
|
||||
|
||||
if User::find_by_email(&*conn, &form.email).is_ok() && !requests.iter().any(|x| x.mail == form.email.clone()) {
|
||||
let id = plume_common::utils::random_hex();
|
||||
|
||||
requests.push(ResetRequest {
|
||||
mail: form.email.clone(),
|
||||
id: id.clone(),
|
||||
creation_date: Instant::now(),
|
||||
});
|
||||
|
||||
let link = format!("https://{}/password-reset/{}", *BASE_URL, id);
|
||||
if let Some(message) = build_mail(
|
||||
form.email.clone(),
|
||||
i18n!(intl.catalog, "Password reset"),
|
||||
i18n!(intl.catalog, "Here is the link to reset your password: {0}"; link)
|
||||
) {
|
||||
match *mail.lock().unwrap() {
|
||||
Some(ref mut mail) => { mail.send(message.into()).map_err(|_| eprintln!("Couldn't send password reset mail")).ok(); }
|
||||
None => {}
|
||||
}
|
||||
}
|
||||
}
|
||||
render!(session::password_reset_request_ok(
|
||||
&(&*conn, &intl.catalog, None)
|
||||
))
|
||||
}
|
||||
|
||||
#[get("/password-reset/<token>")]
|
||||
pub fn password_reset_form(conn: DbConn, intl: I18n, token: String, requests: State<Arc<Mutex<Vec<ResetRequest>>>>) -> Result<Ructe, ErrorPage> {
|
||||
requests.lock().unwrap().iter().find(|x| x.id == token.clone()).ok_or(Error::NotFound)?;
|
||||
Ok(render!(session::password_reset(
|
||||
&(&*conn, &intl.catalog, None),
|
||||
&NewPasswordForm::default(),
|
||||
ValidationErrors::default()
|
||||
)))
|
||||
}
|
||||
|
||||
#[derive(FromForm, Default, Validate)]
|
||||
#[validate(
|
||||
schema(
|
||||
function = "passwords_match",
|
||||
skip_on_field_errors = "false",
|
||||
message = "Passwords are not matching"
|
||||
)
|
||||
)]
|
||||
pub struct NewPasswordForm {
|
||||
pub password: String,
|
||||
pub password_confirmation: String,
|
||||
}
|
||||
|
||||
fn passwords_match(form: &NewPasswordForm) -> Result<(), ValidationError> {
|
||||
if form.password != form.password_confirmation {
|
||||
Err(ValidationError::new("password_match"))
|
||||
} else {
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[post("/password-reset/<token>", data = "<form>")]
|
||||
pub fn password_reset(
|
||||
conn: DbConn,
|
||||
intl: I18n,
|
||||
token: String,
|
||||
requests: State<Arc<Mutex<Vec<ResetRequest>>>>,
|
||||
form: Form<NewPasswordForm>
|
||||
) -> Result<Redirect, Ructe> {
|
||||
form.validate()
|
||||
.and_then(|_| {
|
||||
let mut requests = requests.lock().unwrap();
|
||||
let req = requests.iter().find(|x| x.id == token.clone()).ok_or(to_validation(0))?.clone();
|
||||
if req.creation_date.elapsed().as_secs() < 60 * 60 * 2 { // Reset link is only valid for 2 hours
|
||||
requests.retain(|r| *r != req);
|
||||
let user = User::find_by_email(&*conn, &req.mail).map_err(to_validation)?;
|
||||
user.reset_password(&*conn, &form.password).ok();
|
||||
Ok(Redirect::to(uri!(new: m = i18n!(intl.catalog, "Your password was successfully reset."))))
|
||||
} else {
|
||||
Ok(Redirect::to(uri!(new: m = i18n!(intl.catalog, "Sorry, but the link expired. Try again"))))
|
||||
}
|
||||
})
|
||||
.map_err(|err| {
|
||||
render!(session::password_reset(
|
||||
&(&*conn, &intl.catalog, None),
|
||||
&form,
|
||||
err
|
||||
))
|
||||
})
|
||||
}
|
||||
|
||||
fn to_validation<T>(_: T) -> ValidationErrors {
|
||||
let mut errors = ValidationErrors::new();
|
||||
errors.add("", ValidationError {
|
||||
code: Cow::from("server_error"),
|
||||
message: Some(Cow::from("An unknown error occured")),
|
||||
params: std::collections::HashMap::new()
|
||||
});
|
||||
errors
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user