File

mod_password_reset/mod_password_reset.lua @ 5173:460f78654864

mod_muc_rtbl: also filter messages This was a bit tricky because we don't want to run the JIDs through SHA256 on each message. Took a while to come up with this simple plan of just caching the SHA256 of the JIDs on the occupants. This will leave some dirt in the occupants after unloading the module, but that should be ok; once they cycle the room, the hashes will be gone. This is direly needed, otherwise, there is a tight race between the moderation activities and the actors joining the room.
author Jonas Schäfer <jonas@wielicki.name>
date Tue, 21 Feb 2023 21:37:27 +0100
parent 4976:75b6e5df65f9
line wrap: on
line source

local adhoc_new = module:require "adhoc".new;
local adhoc_simple_form = require "util.adhoc".new_simple_form;
local new_token = require "util.id".long;
local new_error_id = require "util.id".short;
local jid_prepped_split = require "util.jid".prepped_split;
local http_formdecode = require "net.http".formdecode;
local usermanager = require "core.usermanager";
local dataforms_new = require "util.dataforms".new;
local st = require "util.stanza";
local apply_template = require"util.interpolation".new("%b{}", st.xml_escape);

local reset_tokens = module:open_store();

local max_token_age = module:get_option_number("password_reset_validity", 86400);

local serve;
if prosody.process_type == "prosody" then
	local http_files = require "net.http.files";
	serve = http_files.serve;
else
	serve = module:depends"http_files".serve;
end

module:depends("adhoc");
module:depends("http");
local password_policy = module:depends("password_policy");

local form_template = assert(module:load_resource("password_reset/password_reset.html")):read("*a");
local result_template = assert(module:load_resource("password_reset/password_result.html")):read("*a");

function generate_page(event)
	local request, response = event.request, event.response;

	local token = request.url.query;
	local reset_info = token and reset_tokens:get(token);

	response.headers.content_type = "text/html; charset=utf-8";

	if not reset_info or os.difftime(os.time(), reset_info.generated_at) > max_token_age then
		module:log("warn", "Expired token: %s", token or "<none>");
		return apply_template(result_template, { classes = "alert-danger", message = "This link has expired." })
	end

	return apply_template(form_template, {
		jid = reset_info.user.."@"..module.host;
		token = token;
		min_password_length = password_policy.get_policy().length;
	});
end

function handle_form(event)
	local request, response = event.request, event.response;
	local form_data = http_formdecode(request.body);
	local password, token = form_data["password"], form_data["token"];

	local reset_info = reset_tokens:get(token);

	response.headers.content_type = "text/html; charset=utf-8";

	if not reset_info or os.difftime(os.time(), reset_info.generated_at) > max_token_age then
		return apply_template(result_template, { classes = "alert-danger", message = "This link has expired." })
	end

	local policy_ok, policy_err = password_policy.check_password(password);
	if not policy_ok then
		return apply_template(form_template, {
			classes = "alert-danger", message = "Unsuitable password: "..policy_err;
			jid = reset_info.user.."@"..module.host;
			token = token;
			min_password_length = password_policy.get_policy().length;
		})
	end

	local ok, err = usermanager.set_password(reset_info.user, password, module.host);

	if ok then
		reset_tokens:set(token, nil);

		return apply_template(result_template, { classes = "alert-success",
			message = "Your password has been updated! Happy chatting :)" })
	else
		local error_id = new_error_id();
		module:log("warn", "Resetting password for %s failed: %s [%s]", reset_info.user, err, error_id);
		return apply_template(result_template, {
			classes = "alert-danger";
			message = "An unknown error has occurred. Please contact your administrator and quote error id '"..error_id.."'";
		})
	end
end

module:provides("http", {
	route = {
		["GET /bootstrap.min.css"] = serve(module:get_directory() .. "/password_reset/bootstrap.min.css");
		["GET /reset"] = generate_page;
		["POST /reset"] = handle_form;
	};
});

-- Changing a user's password
local reset_password_layout = dataforms_new{
	title = "Generate password reset link";
	instructions = "Please enter the details of the user who needs a reset link.";

	{ name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/adhoc/mod_password_reset" };
	{ name = "accountjid", type = "jid-single", required = true, label = "JID" };
};

local reset_command_handler = adhoc_simple_form(reset_password_layout, function (data, errors)
	if errors then
		local errmsg = {};
		for name, text in pairs(errors) do
			errmsg[#errmsg + 1] = name .. ": " .. text;
		end
		return { status = "completed", error = { message = table.concat(errmsg, "\n") } };
	end

	local jid = data.accountjid;
	local user, host = jid_prepped_split(jid);

	if host ~= module.host then
		return {
			status = "completed";
			error = { message = "You may only generate password reset links for users on "..module.host.."." };
		};
	end

	local token = new_token();
	reset_tokens:set(token, {
		generated_at = os.time();
		user = user;
	});

	return { info = module:http_url() .. "/reset?" .. token, status = "completed" };
end);

local adhoc_reset = adhoc_new(
	"Generate password reset link",
	"password_reset",
	reset_command_handler,
	"admin"
);

module:add_item("adhoc", adhoc_reset);