Software / code / prosody-modules
Changeset
6193:e977174082ee
mod_invites_register_api: Use set_password() for password resets
Previously the code relied on the (weird) behaviour of create_user(), which
would update the password for a user account if it already existed. This has
several issues, and we plan to deprecate this behaviour of create_user().
The larger issue is that this route does not trigger the user-password-changed
event, which can be a security problem. For example, it did not disconnect
existing user sessions (this occurs in mod_c2s in response to the event).
Switching to set_password() is the right thing to do
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 06 Feb 2025 10:24:30 +0000 |
| parents | 6192:76ae646563ea |
| children | 6194:3e7fe14921d0 |
| files | mod_invites_register_api/mod_invites_register_api.lua |
| diffstat | 1 files changed, 32 insertions(+), 26 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_invites_register_api/mod_invites_register_api.lua Thu Feb 06 10:23:08 2025 +0000 +++ b/mod_invites_register_api/mod_invites_register_api.lua Thu Feb 06 10:24:30 2025 +0000 @@ -75,39 +75,45 @@ if reset_for ~= prepped_username then return 403; -- Attempt to use reset invite for incorrect user end + local ok, err = usermanager.set_password(prepped_username, password, module.host); + if not ok then + module:log("error", "Unable to reset password for %s@%s: %s", prepped_username, module.host, err); + return 500; + end + module:fire_event("user-password-reset", user); elseif usermanager.user_exists(prepped_username, module.host) then return 409; -- Conflict - end + else + local registering = { + validated_invite = invite; + username = prepped_username; + host = module.host; + ip = request.ip; + allowed = true; + }; - local registering = { - validated_invite = invite; - username = prepped_username; - host = module.host; - ip = request.ip; - allowed = true; - }; + module:fire_event("user-registering", registering); - module:fire_event("user-registering", registering); - - if not registering.allowed then - return 403; - end + if not registering.allowed then + return 403; + end - local ok, err = usermanager.create_user(prepped_username, password, module.host); + local ok, err = usermanager.create_user(prepped_username, password, module.host); - if not ok then - local err_id = id.short(); - module:log("warn", "Registration failed (%s): %s", err_id, tostring(err)); - return 500; - end + if not ok then + local err_id = id.short(); + module:log("warn", "Registration failed (%s): %s", err_id, tostring(err)); + return 500; + end - module:fire_event("user-registered", { - username = prepped_username; - host = module.host; - source = "mod_"..module.name; - validated_invite = invite; - ip = request.ip; - }); + module:fire_event("user-registered", { + username = prepped_username; + host = module.host; + source = "mod_"..module.name; + validated_invite = invite; + ip = request.ip; + }); + end return json.encode({ jid = prepped_username .. "@" .. module.host;
