require uuid for password reset, destroy token after each try
This commit is contained in:
jomo
@@ -96,7 +96,7 @@ class UsersController < ApplicationController
|
|||||||
@user.ign = user_profile["name"] # correct case
|
@user.ign = user_profile["name"] # correct case
|
||||||
|
|
||||||
if validate_token(@user.uuid, @user.email, params[:registration_token])
|
if validate_token(@user.uuid, @user.email, params[:registration_token])
|
||||||
destroy_token(@user.email) # tokens can be used to reset password
|
destroy_token(params[:email])
|
||||||
@user.last_ip = request.remote_ip # showing in mail
|
@user.last_ip = request.remote_ip # showing in mail
|
||||||
if @user.save
|
if @user.save
|
||||||
session[:user_id] = @user.id
|
session[:user_id] = @user.id
|
||||||
@@ -125,12 +125,13 @@ class UsersController < ApplicationController
|
|||||||
end
|
end
|
||||||
@user.email_token = SecureRandom.hex(16)
|
@user.email_token = SecureRandom.hex(16)
|
||||||
else
|
else
|
||||||
|
destroy_token(params[:email])
|
||||||
flash[:alert] = "Token invalid for this username/email. Please generate a new token!"
|
flash[:alert] = "Token invalid for this username/email. Please generate a new token!"
|
||||||
destroy_token(@user.email) # no chance to brute force
|
|
||||||
render action: "new"
|
render action: "new"
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
flash[:alert] = "Error. Your username is not correct or Mojang's servers are down."
|
destroy_token(params[:email])
|
||||||
|
flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
|
||||||
render action: "new"
|
render action: "new"
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
@@ -273,22 +274,29 @@ class UsersController < ApplicationController
|
|||||||
end
|
end
|
||||||
|
|
||||||
def reset_password
|
def reset_password
|
||||||
user = User.find_by_email(params[:email])
|
if profile = User.new(ign: params[:ign]).get_profile
|
||||||
if user && validate_token(user.uuid, user.email, params[:secret_token])
|
uuid = profile && profile["id"]
|
||||||
destroy_token(user.email) # tokens can be used to reset password
|
user = uuid && User.find_by(email: params[:email], uuid: uuid)
|
||||||
user.password = params[:new_password]
|
if user && validate_token(user.uuid, user.email, params[:secret_token])
|
||||||
user.password_confirmation = params[:new_password]
|
destroy_token(params[:email])
|
||||||
if user.save
|
user.password = params[:new_password]
|
||||||
flash[:notice] = "Password reset"
|
user.password_confirmation = params[:new_password]
|
||||||
redirect_to login_path
|
if user.save
|
||||||
|
flash[:notice] = "Password has been reset"
|
||||||
|
redirect_to login_path
|
||||||
|
return
|
||||||
|
else
|
||||||
|
flash[:alert] = "Failed to update password. Please generate a new token!"
|
||||||
|
end
|
||||||
else
|
else
|
||||||
flash[:alert] = "Failed to update password, please generate a new Token!"
|
destroy_token(params[:email])
|
||||||
render action: "lost_password"
|
flash[:alert] = "Token or Email address invalid. Please generate a new token!"
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
flash[:alert] = "Token or Email address invalid!"
|
destroy_token(params[:email])
|
||||||
render action: "lost_password"
|
flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
|
||||||
end
|
end
|
||||||
|
render action: "lost_password"
|
||||||
end
|
end
|
||||||
|
|
||||||
def suggestions
|
def suggestions
|
||||||
@@ -312,9 +320,10 @@ class UsersController < ApplicationController
|
|||||||
user_token && user_token.token == token
|
user_token && user_token.token == token
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# delete tokens that have been queried, regardless of matching token
|
||||||
|
# prevents brute forcing
|
||||||
def destroy_token(email)
|
def destroy_token(email)
|
||||||
user_token = RegisterToken.where(email: email).first
|
RegisterToken.where(email: email).destroy_all
|
||||||
user_token && user_token.destroy
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def set_user
|
def set_user
|
||||||
|
|||||||
@@ -5,6 +5,10 @@
|
|||||||
<p>Luckily for you, you can reset your password. Please use the command <code>/gettoken <your email address></code>, then fill in the form below:</p>
|
<p>Luckily for you, you can reset your password. Please use the command <code>/gettoken <your email address></code>, then fill in the form below:</p>
|
||||||
<%= form_tag reset_password_users_path do |f| %>
|
<%= form_tag reset_password_users_path do |f| %>
|
||||||
<table>
|
<table>
|
||||||
|
<tr>
|
||||||
|
<td><%= label_tag :ign, "Minecraft name" %></td>
|
||||||
|
<td><%= text_field_tag :ign, nil, placeholder: "Steve", pattern: "[a-zA-Z0-9_]{2,16}", required: true, title: "Your IGN" %></td>
|
||||||
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><%= label_tag :email %></td>
|
<td><%= label_tag :email %></td>
|
||||||
<td><%= text_field_tag :email, nil, placeholder: "steve@example.com", required: true, pattern: ".+@.+", title: "enter valid email address", "x-moz-errormessage" => "enter valid email address" %></td>
|
<td><%= text_field_tag :email, nil, placeholder: "steve@example.com", required: true, pattern: ".+@.+", title: "enter valid email address", "x-moz-errormessage" => "enter valid email address" %></td>
|
||||||
|
|||||||
Reference in New Issue
Block a user