allow tokens to be embeded in links, expire password tokens

2021-03-02 14:26:58 -05:00 · 2021-03-02 14:26:58 -05:00 · cf851b5021
commit cf851b5021
parent cef06f864b
9 changed files with 98 additions and 7 deletions
--- a/main.go
+++ b/main.go
@ -14,6 +14,7 @@ var tpl *template.Template
 var cookieHandler = securecookie.New(
 	securecookie.GenerateRandomKey(64),
 	securecookie.GenerateRandomKey(32))
+var passwordTokenSet map[string]bool

 func main() {
 	Conf, _ = LoadConfig()
@ -54,6 +55,7 @@ func main() {
 		Conf.MaxID = i
 		log.Printf("Max employeeNumber set to %v\n", Conf.MaxID)
 	}
+	passwordTokenSet = make(map[string]bool)
 	log.Printf("Guildgate starting on %v\n", Conf.Port)
 	if Conf.Tls {
 		log.Printf("Starting TLS\n")
--- a/reset.go
+++ b/reset.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"net/url"

 	"gopkg.in/gomail.v2"
 )
@ -23,7 +24,7 @@ func resetLookup(res http.ResponseWriter, req *http.Request) {
 		return
 	}
 	log.Printf("Found user %v, generating password token\n", uname)
-	token, err := generateToken(uname)
+	token, err := generatePasswordToken(uname)
 	fmt.Println(token)
 	if err != nil {
 		log.Printf("Error generating password token %v\n", err)
@ -44,7 +45,7 @@ func reset(res http.ResponseWriter, req *http.Request) {
 	token := req.FormValue("token")
 	newPass := req.FormValue("new_password")

-	user, err := validateToken(token)
+	user, err := validateToken(token, true)
 	if err != nil {
 		log.Printf("Error validing password reset token: %v\n", err)
 		http.Redirect(res, req, "/reset/error", 302)
@ -74,10 +75,12 @@ func sendMail(recp string, uname string, token string) error {
 		Recipient string
 		Name      string
 		Token     string
+		TokenURL  string
 	}{
 		Recipient: recp,
 		Name:      uname,
 		Token:     token,
+		TokenURL:  url.QueryEscape(token),
 	}

 	m := gomail.NewMessage()
--- a/session.go
+++ b/session.go
@ -47,7 +47,7 @@ func signup(res http.ResponseWriter, req *http.Request) {

 	if Conf.Secret != "" && Conf.Secret != secret {
 		//Checking it as a token
-		_, err := validateToken(secret)
+		_, err := validateToken(secret, false)
 		if err != nil {
 			log.Printf("Bad secret entered: %v\n", err)
 			genericErrorPage(res, "User Creation Failure", "Unregistered", false, "Invalid Secret Token.", "to create account")
--- a/templates/register.html
+++ b/templates/register.html
@ -19,9 +19,10 @@
 			<td>Confirm Password:</td>
 			<td><input type="password" name="confirm_password" id="confirm_password" onchange="check()"/></td>
 			<td><span id='message'></span></td>
+			<td><input type="checkbox" onclick="showPass()">Show Passwords</td>
 		<tr>
-			<td>Secret:</td>
-			<td><input type="password" placeholder="secret" name="secret"></td>
+			<td>Secret Token:</td>
+			<td><input type="password" value="{{.Secret}}" name="secret"></td>
 		</tr>
 		<tr>
 			<td><input type="submit" value="Submit"></td>
@ -45,6 +46,20 @@ function check() {
    } else {
        document.getElementById('message').innerHTML = "Passwords don't match";
    }
+}
+function showPass() {
+	var x = document.getElementById("password");
+	if (x.type === "password") {
+		x.type = "text";
+	} else {
+		x.type = "password";
+	}
+	var x = document.getElementById("confirm_password");
+	if (x.type === "password") {
+		x.type = "text";
+	} else {
+		x.type = "password";
+	}
 }
 	</script>
 {{ template "footer" .}}
--- a/templates/reset_pass.eml
+++ b/templates/reset_pass.eml
@ -6,4 +6,7 @@ Hi {{.Name}},
    Token:
    {{.Token}}

+    You may also use the following link:
+    http://localhost/reset/form?token={{.TokenURL}}
+
 {{end}}
--- a/templates/reset_password_back.html
+++ b/templates/reset_password_back.html
@ -6,7 +6,7 @@
 <form action="/reset/form" method="POST" novalidate>
 	<div>
 		<label>Password Token:</label>
-		<input type="text" name="token">
+		<input type="text" name="token" value="{{.Token}}">
 	</div>
 	<div>
 		<label>New Password:</label>
@ -17,6 +17,9 @@
 		<input type="password" name="confirm_password" id="confirm_password" onchange="check()"/>
 		<span id='message'></span>
 	</div>
+	<div>
+		<input type="checkbox" onclick="showPass()">Show Passwords 
+	</div>
 	<div>
 		<input type="submit" value="Reset">
 	</div>
@ -38,6 +41,20 @@ function check() {
        document.getElementById('message').innerHTML = "Passwords don't match";
    }
 }
+function showPass() {
+	var x = document.getElementById("password");
+	if (x.type === "password") {
+		x.type = "text";
+	} else {
+		x.type = "password";
+	}
+	var x = document.getElementById("confirm_password");
+	if (x.type === "password") {
+		x.type = "text";
+	} else {
+		x.type = "password";
+	}
+}
 </script>

 {{ template "footer" .}}
--- a/templates/token.html
+++ b/templates/token.html
@ -7,5 +7,7 @@
 <textarea id="token_area" name="generated_token" rows="4" cols="50">
 {{ .Token }}
 </textarea>
+<p>You can also share this link: <a href="http://localhost:8080/register?secret={{.TokenURL}}">http://localhost:8080/register?secret={{.TokenURL}}</a>
+</p>
 {{template "footer" .}}
 {{ end }}
--- a/token.go
+++ b/token.go
@ -31,7 +31,25 @@ func generateToken(sponsor string) (string, error) {
 	}
 }

-func validateToken(tok string) (string, error) {
+func generatePasswordToken(sponsor string) (string, error) {
+	claim := tokenClaim{
+		Sponsor: sponsor,
+		StandardClaims: jwt.StandardClaims{
+			ExpiresAt: time.Now().UTC().Unix() + 3600,
+			Issuer:    "GuildGate",
+		},
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claim)
+	signedToken, err := token.SignedString([]byte(Conf.Secret))
+	if err != nil {
+		return "", err
+	} else {
+		passwordTokenSet[signedToken] = true
+		return signedToken, nil
+	}
+}
+
+func validateToken(tok string, pass bool) (string, error) {
 	token, err := jwt.ParseWithClaims(
 		strings.TrimSpace(tok),
 		&tokenClaim{},
@ -49,6 +67,16 @@ func validateToken(tok string) (string, error) {
 	if claims.ExpiresAt < time.Now().UTC().Unix() {
 		return "", errors.New("Token has expired")
 	}
+	if pass {
+		if !passwordTokenSet[tok] {
+			return "", errors.New("Password token already used")
+		} else {
+			log.Printf("Valid Password token received; sponsored by %v\n", claims.Sponsor)
+			delete(passwordTokenSet, tok)
+			return claims.Sponsor, nil
+		}
+	}
+
 	log.Printf("Valid token received; sponsored by %v\n", claims.Sponsor)
 	return claims.Sponsor, nil
 }
--- a/web.go
+++ b/web.go
@ -3,6 +3,7 @@ package main
 import (
 	"log"
 	"net/http"
+	"net/url"
 )

 func profilePage(res http.ResponseWriter, req *http.Request) {
@ -124,17 +125,26 @@ func resetPageFront(res http.ResponseWriter, req *http.Request) {
 func resetPageBack(res http.ResponseWriter, req *http.Request) {
 	log.Println("GET /reset/form")
 	u := getUserName(req)
+	token := ""
 	if u != "" {
 		http.Redirect(res, req, "/", 302) //TODO create password change form, direct to that
 	} else {
+		keys, ok := req.URL.Query()["token"]
+		if !ok || len(keys[0]) < 1 {
+			token = ""
+		} else {
+			token = keys[0]
+		}
 		data := struct {
 			Title    string
 			Username string
 			LoggedIn bool
+			Token    string
 		}{
 			"Reset Password",
 			"Unregistered",
 			false,
+			token,
 		}
 		tpl.ExecuteTemplate(res, "reset_password_page_back", data)
 	}
@ -152,17 +162,26 @@ func resetErrorPage(res http.ResponseWriter, req *http.Request) {
 func signupPage(res http.ResponseWriter, req *http.Request) {
 	log.Println("GET /register")
 	u := getUserName(req)
+	secret := ""
 	if u != "" {
 		http.Redirect(res, req, "/", 302)
 	} else {
+		keys, ok := req.URL.Query()["secret"]
+		if !ok || len(keys[0]) < 1 {
+			secret = ""
+		} else {
+			secret = keys[0]
+		}
 		data := struct {
 			Title    string
 			Username string
 			LoggedIn bool
+			Secret   string
 		}{
 			"Register",
 			"Unregistered",
 			false,
+			secret,
 		}
 		tpl.ExecuteTemplate(res, "register", data)
 	}
@ -212,11 +231,13 @@ func tokenPage(res http.ResponseWriter, req *http.Request) {
 		Username string
 		LoggedIn bool
 		Token    string
+		TokenURL string
 	}{
 		"Token Generation",
 		u,
 		true,
 		token,
+		url.QueryEscape(token),
 	}
 	tpl.ExecuteTemplate(res, "token", data)
 }