Changeset

6193:e977174082ee

mod_invites_register_api: Use set_password() for password resets

Previously the code relied on the (weird) behaviour of create_user(), which would update the password for a user account if it already existed. This has several issues, and we plan to deprecate this behaviour of create_user(). The larger issue is that this route does not trigger the user-password-changed event, which can be a security problem. For example, it did not disconnect existing user sessions (this occurs in mod_c2s in response to the event). Switching to set_password() is the right thing to do.
author Matthew Wild <mwild1@gmail.com>
date Thu, 06 Feb 2025 10:24:30 +0000
parents 6192:76ae646563ea
children 6194:3e7fe14921d0
files mod_invites_register_api/mod_invites_register_api.lua
diffstat 1 files changed, 32 insertions(+), 26 deletions(-) [+]
--- a/mod_invites_register_api/mod_invites_register_api.lua	Thu Feb 06 10:23:08 2025 +0000
+++ b/mod_invites_register_api/mod_invites_register_api.lua	Thu Feb 06 10:24:30 2025 +0000
@@ -75,39 +75,45 @@
 		if reset_for ~= prepped_username then
 			return 403; -- Attempt to use reset invite for incorrect user
 		end
+		local ok, err = usermanager.set_password(prepped_username, password, module.host);
+		if not ok then
+			module:log("error", "Unable to reset password for %s@%s: %s", prepped_username, module.host, err);
+			return 500;
+		end
+		module:fire_event("user-password-reset", user);
 	elseif usermanager.user_exists(prepped_username, module.host) then
 		return 409; -- Conflict
-	end
+	else
+		local registering = {
+			validated_invite = invite;
+			username = prepped_username;
+			host = module.host;
+			ip = request.ip;
+			allowed = true;
+		};
 
-	local registering = {
-		validated_invite = invite;
-		username = prepped_username;
-		host = module.host;
-		ip = request.ip;
-		allowed = true;
-	};
+		module:fire_event("user-registering", registering);
 
-	module:fire_event("user-registering", registering);
-
-	if not registering.allowed then
-		return 403;
-	end
+		if not registering.allowed then
+			return 403;
+		end
 
-	local ok, err = usermanager.create_user(prepped_username, password, module.host);
+		local ok, err = usermanager.create_user(prepped_username, password, module.host);
 
-	if not ok then
-		local err_id = id.short();
-		module:log("warn", "Registration failed (%s): %s", err_id, tostring(err));
-		return 500;
-	end
+		if not ok then
+			local err_id = id.short();
+			module:log("warn", "Registration failed (%s): %s", err_id, tostring(err));
+			return 500;
+		end
 
-	module:fire_event("user-registered", {
-		username = prepped_username;
-		host = module.host;
-		source = "mod_"..module.name;
-		validated_invite = invite;
-		ip = request.ip;
-	});
+		module:fire_event("user-registered", {
+			username = prepped_username;
+			host = module.host;
+			source = "mod_"..module.name;
+			validated_invite = invite;
+			ip = request.ip;
+		});
+	end
 
 	return json.encode({
 		jid = prepped_username .. "@" .. module.host;
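Review bot: The new set_password() failure branch logs `err` raw and returns a bare 500, whereas the create_user() failure branch a few lines below in the same hunk wraps the error with `tostring(err)` and tags the log line with `id.short()` so an operator can correlate a client's 500 with the server log; a nil or table-valued `err` would also render differently in the two paths. Bringing the reset path in line with the existing convention keeps both failure modes consistent: `local err_id = id.short();` / `module:log("warn", "Password reset failed (%s): %s", err_id, tostring(err));` / `return 500;`. The `user` value passed to the added `user-password-reset` event is defined outside the hunk, so its contents cannot be checked here; it is worth confirming it carries what listeners of that event expect. The enclosing handler begins before and ends after this hunk.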