reauth bugfix, ask old password before reset

2023-05-16 18:50:55 +04:00 · 2023-05-16 18:50:55 +04:00 · 7e19a39798
parent 4cfdbb91a6
commit 7e19a39798
5 changed files with 24 additions and 9 deletions
--- a/cmd/idecd/main.go
+++ b/cmd/idecd/main.go
@ -122,10 +122,10 @@ func main() {

 	unveil(*tpl_path_opt, "r")
 	unveil(*style_path_opt, "r")
-	unveil(*echo_opt, "rwc")  // list.txt
-	unveil(*users_opt, "rwc") // points.txt
-	unveil(filepath.Dir(*db_opt), "rwc")
-	unveil(*db_opt+".idx", "rwc")
+	unveil(*echo_opt, "r")				// list.txt
+	unveil(*users_opt, "rwc")			// points.txt
+	unveil(filepath.Dir(*db_opt), "rwc")// db dir
+	unveil(*db_opt+".idx", "rwc")		// db index
 	unveil(os.TempDir(), "rwc")
 	unveil_block()

--- a/cmd/idecd/web.go
+++ b/cmd/idecd/web.go
@ -64,6 +64,11 @@ func www_register(ctx *WebContext, w http.ResponseWriter, r *http.Request) error
 				ii.Error.Printf("Access denied")
 				return errors.New("Access denied")
 			}
+			old_password := r.FormValue("old_password")
+			if !udb.Auth(u.Name, old_password) {
+				ii.Error.Printf("Old password missmatch (%s)", u.Name)
+				return errors.New("Old password missmatch")
+			}
 			password := r.FormValue("password")
 			u.Secret = ii.MakeSecret(u.Name + password)
 			if err := udb.Edit(u); err != nil {
@ -155,9 +160,11 @@ func www_logout(ctx *WebContext, w http.ResponseWriter, r *http.Request) error {
 		token := cookie.Value
 		udb := ctx.www.udb
 		if udb.Access(token) {
-			u := udb.UserInfo(token)
-			u.Token = ""
-			delete(ctx.www.udb.Tokens, token)
+			//ui := udb.UserInfoName(ctx.User.Name)
+			//ui.Token = ""
+			ctx.User.Token = ""
+			udb.Names[ctx.User.Name] = *ctx.User
+			delete(udb.Tokens, token)
 		}
 	}
 	rmcookie := http.Cookie{Name: "token", Value: "", Expires: time.Unix(0, 0)}
--- a/ii/db.go
+++ b/ii/db.go
@ -1128,6 +1128,8 @@ func (db *UDB) LoadUsers() error {
 		u.Mail = a[2]
 		u.Secret = a[3]
 		u.Tags = NewTags(a[4])
+		//u.Token = a[5]
+		//db.Tokens[u.Token] = u.Name
 		db.ById[u.Id] = u.Name
 		db.Names[u.Name] = u
 		db.List = append(db.List, u.Name)
--- a/www/tpl/profile.tpl
+++ b/www/tpl/profile.tpl
@ -3,7 +3,7 @@
 <table id="profile" cellspacing=0 cellpadding=0>
 {{if has_avatar .User.Name}}<img class="avatar" src="/avatar/{{.User.Name}}">{{end}}
 <tr class="odd"><td>Login:</td><td>{{.User.Name}}</td></tr>
-<tr class="even"><td>Token:</td><td>{{.User.Token}}</td></tr>
+<tr class="even"><td>Auth token:</td><td>{{.User.Token}}</td></tr>
 <tr class="odd"><td>e-mail:</td><td>{{.User.Mail}}</td></tr>
 <tr class="even"><td>Addr:</td><td>{{.Selected}}</td></tr>
 <tr class="odd"><td class="links" colspan="2"><a href="{{.PfxPath}}/from/{{.User.Name}}">/from/{{.User.Name}}</a> :: <a href="{{.PfxPath}}/to/{{.User.Name}}">/to/{{.User.Name}}</a>
--- a/www/tpl/reset.tpl
+++ b/www/tpl/reset.tpl
@ -1,9 +1,15 @@
 {{template "header.tpl" $}}
 <form method="post" enctype="application/x-www-form-urlencoded" action="/register">
+<input type="hidden" name="token" value="{{.User.Token}}">
 <table id="login" cellspacing=0 cellpadding=0>

 <tr class="odd"><td>
-<input type="text" name="token" class="login" placeholder="authstr" value="{{.User.Token}}"><br>
+	Reset password
+<!-- <input type="text" name="token" class="login" placeholder="authstr" value="{{.User.Token}}"><br> -->
+</td></tr>
+
+<tr class="even"><td>
+<input type="password" name="old_password" class="passwd" placeholder="old password"><br>
 </td></tr>

 <tr class="even"><td>