Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Lost password code cannot be used twice #60

Merged
merged 3 commits into from
Feb 11, 2022
+92 −16
Merged

fix: Lost password code cannot be used twice #60

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2a0bf03
fix: Lost password code cannot be used twice
Feb 9, 2022
4b3e21d
Oups
Feb 9, 2022
cb6d962
credo fix
jonas-martinez Feb 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .vscode/thunder-tests/thunderclient.db
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,9 @@
{"containerId":"62ce82a7-3adf-421e-ab6f-a82a6c3d3b30","sortNum":140000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/apps/:app_id/builds","url":"{{endpoint}}/api/apps/{{app_id}}/builds","method":"GET","modified":"2022-02-07T14:40:50.556Z","created":"2022-02-07T14:40:42.762Z","_id":"6e87ed47-8c53-49ad-8808-0b73a29ed30d","params":[],"tests":[]}
Nesqwik marked this conversation as resolved.
Show resolved Hide resolved
{"containerId":"92e1989e-b7e4-4274-847e-4a81bab928fe","sortNum":120000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/apps/:app_id/environments","url":"{{endpoint}}/api/apps/{{app_id}}/environments","method":"POST","modified":"2022-02-07T14:38:06.932Z","created":"2022-02-07T14:37:48.537Z","_id":"80a611dd-15be-4498-8606-6d4df450a71d","params":[],"body":{"type":"json","raw":"{\n \"name\": \"test\", \n \"is_ephemeral\": false\n}","form":[]},"tests":[]}
{"containerId":"880bc176-0b50-44c1-b255-0b804958e79a","sortNum":200000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/runner/builds/:build_id","url":"{{endpoint}}/runner/builds/{{build_id}}?secret={{runner_secret}}","method":"PUT","modified":"2022-02-07T14:52:24.876Z","created":"2022-02-07T14:46:14.276Z","_id":"8fd40007-6b67-4f63-993a-48af573b1c83","params":[{"name":"secret","value":"{{runner_secret}}","isPath":false}],"body":{"type":"json","raw":"{\n \"status\": \"success\"\n}","form":[]},"tests":[]}
{"containerId":"4bf14235-9c4a-4826-98f4-26eda1430256","sortNum":230000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/password/lost","url":"{{endpoint}}/auth/password/lost","method":"POST","modified":"2022-02-09T08:55:19.524Z","created":"2022-02-09T08:55:06.117Z","_id":"9b950d6f-61fc-436e-8525-aa2d5013478d","params":[],"body":{"type":"json","raw":"{\n \"email\": \"{{email}}\"\n}","form":[]},"tests":[]}
{"containerId":"2cd2ddaa-4e51-4e24-98a3-0aa25fa60e9a","sortNum":10000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/apps","url":"{{endpoint}}/api/apps","method":"GET","modified":"2022-02-07T14:34:47.437Z","created":"2022-02-07T13:33:12.352Z","_id":"9e90a63f-52ab-4882-8228-99728cc789fa","params":[],"tests":[]}
{"containerId":"a94213ca-8f76-4321-98c8-c7963d59efb9","sortNum":80000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/verify/dev","url":"{{endpoint}}/api/verify/dev","method":"PUT","modified":"2022-02-08T10:39:10.877Z","created":"2022-02-07T14:08:57.271Z","_id":"b10f0e02-4ea0-4d37-ac20-70fb71f40f36","params":[],"body":{"type":"json","raw":"{\n \"code\": \"{{dev_code}}\"\n}","form":[]},"tests":[{"type":"set-env-var","custom":"json.data.access_token","action":"setto","value":"{{access_token}}"}]}
{"containerId":"4bf14235-9c4a-4826-98f4-26eda1430256","sortNum":240000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/password/lost","url":"{{endpoint}}/auth/password/lost","method":"PUT","modified":"2022-02-09T09:00:59.866Z","created":"2022-02-09T08:55:37.432Z","_id":"a9f67f98-9262-4526-9713-e83174da9208","params":[],"body":{"type":"json","raw":"{\n \"email\": \"{{email}}\",\n \"code\": \"{{password_lost_code}}\",\n \"password\": \"{{new_password}}\",\n \"password_confirmation\": \"{{new_password}}\"\n}","form":[]},"tests":[]}
{"containerId":"a94213ca-8f76-4321-98c8-c7963d59efb9","sortNum":80000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/verify/dev","url":"{{endpoint}}/api/verify/dev","method":"PUT","modified":"2022-02-07T14:09:21.910Z","created":"2022-02-07T14:08:57.271Z","_id":"b10f0e02-4ea0-4d37-ac20-70fb71f40f36","params":[],"body":{"type":"json","raw":"{\n \"code\": \"caeee9e4-2bc7-4c4f-b3fa-a64a2a53d97d\"\n}","form":[]},"tests":[]}
{"containerId":"92e1989e-b7e4-4274-847e-4a81bab928fe","sortNum":110000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/app/:app_id/environments","url":"{{endpoint}}/api/apps/{{app_id}}/environments","method":"GET","modified":"2022-02-07T14:37:14.546Z","created":"2022-02-07T14:35:31.436Z","_id":"bc5eb2e8-2365-458e-beaf-70a9f30807cd","params":[],"tests":[]}
{"containerId":"997859ea-5139-4d88-9114-97a8c7e102f3","sortNum":190000,"headers":[{"name":"Accept","value":"*/*"},{"name":"User-Agent","value":"Thunder Client (https://www.thunderclient.com)"}],"colId":"786cd85e-2a59-44b6-a835-45cd23e28b73","name":"/me/apps","url":"{{endpoint}}/api/me/apps","method":"GET","modified":"2022-02-07T14:44:55.745Z","created":"2022-02-07T14:44:53.103Z","_id":"cf80af68-34b9-4c7c-83df-19efe66dcd08","params":[],"tests":[]}
24 changes: 11 additions & 13 deletions apps/lenra/lib/lenra/services/password_services.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,14 @@ defmodule Lenra.PasswordServices do

def update_lost_password(
%User{} = user,
%PasswordCode{} = password_code,
params
) do
with :ok <- check_old_password(user, params) do
Repo.insert(Password.new(user, params))
Ecto.Multi.new()
|> Ecto.Multi.insert(:new_password, Password.new(user, params))
|> Ecto.Multi.delete(:delete_password_code, password_code)
|> Repo.transaction()
end
end

Expand Down Expand Up @@ -74,25 +78,19 @@ defmodule Lenra.PasswordServices do
end

def check_password_code_valid(%User{} = user, code) do
password_code =
Repo.all(
from(u in User,
join: p in assoc(u, :password_code),
where: p.code == ^code,
select: p
)
)
user = Repo.preload(user, [:password_code])

with true <- not is_nil(List.first(password_code)),
true <- date_difference(password_code) do
{:ok, user}
with true <- not is_nil(user.password_code),
true <- user.password_code.code == code,
true <- date_difference(user.password_code) do
{:ok, user.password_code}
else
false -> {:error, :no_such_password_code}
end
end

@validity_time 3600
def date_difference([password_code | _tail]) do
def date_difference(password_code) do
if NaiveDateTime.diff(NaiveDateTime.utc_now(), password_code.inserted_at) <= @validity_time and
NaiveDateTime.diff(NaiveDateTime.utc_now(), password_code.inserted_at) >= 0 do
true
Expand Down
24 changes: 24 additions & 0 deletions apps/lenra/test/lenra/services/password_services_test.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
defmodule LenraServers.PasswordServicesTest do
@moduledoc """
Test the Password services
"""

use Lenra.RepoCase, async: true

alias Lenra.{PasswordServices, Repo}

test "The password code should be deleted after password modification" do
{:ok, %{inserted_user: user}} = register_john_doe()
{:ok, _} = PasswordServices.send_password_code(user)
user! = Repo.preload(user, [:password_code])
password_code = user!.password_code
assert not is_nil(password_code)

assert {:ok, ^password_code} = PasswordServices.check_password_code_valid(user!, password_code.code)
assert {:ok, _} = PasswordServices.update_lost_password(user!, password_code, %{"password" => "MyNewPassword42!"})

# Force reload the password code
user! = Repo.preload(user!, [:password_code], force: true)
assert is_nil(user!.password_code)
end
end
7 changes: 5 additions & 2 deletions apps/lenra_web/lib/lenra_web/controllers/user_controller.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,8 +82,8 @@ defmodule LenraWeb.UserController do

def password_lost_modification(conn, params) do
with {:ok, user} <- get_user_with_email(params["email"]),
{:ok, _} <- PasswordServices.check_password_code_valid(user, params["code"]),
{:ok, _password} <- PasswordServices.update_lost_password(user, params) do
{:ok, password_code} <- PasswordServices.check_password_code_valid(user, params["code"]),
{:ok, _password} <- PasswordServices.update_lost_password(user, password_code, params) do
reply(conn)
end
end
Expand All @@ -94,6 +94,9 @@ defmodule LenraWeb.UserController do
_error -> nil
end

# This is an intended behavior.
# If the email does not exists, we should not return an error to the client.
# Otherwise it gives an information to hackers and allow brutforce
reply(conn)
end
end
49 changes: 49 additions & 0 deletions apps/lenra_web/test/controllers/user_controller_test.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,55 @@ defmodule LenraWeb.UserControllerTest do
assert Map.has_key?(data, "access_token")
end

@tag :auth_user
test "Using lost password code twice should fail the second time", %{conn: conn} do
new_password = "New@password42"
new_password2 = "New@password1337"

# Ask for a lost password code
conn! =
post(
conn,
Routes.user_path(conn, :password_lost_code, %{
"email" => @john_doe_user_params["email"]
})
)

# Retrive the code (not returned by the controller)
user = Repo.get_by(User, email: @john_doe_user_params["email"])
password_code = Repo.get_by(PasswordCode, user_id: user.id)

# Change password first time
conn! =
put(
conn!,
Routes.user_path(conn!, :password_lost_modification, %{
"email" => @john_doe_user_params["email"],
"code" => password_code.code,
"password" => new_password,
"password_confirmation" => new_password
})
)

# First one should succeed
assert %{"success" => true} = json_response(conn!, 200)

# Change password a second time with another password but the same code
conn! =
put(
conn!,
Routes.user_path(conn!, :password_lost_modification, %{
"email" => @john_doe_user_params["email"],
"code" => password_code.code,
"password" => new_password2,
"password_confirmation" => new_password2
})
)

# Second one should fail
assert %{"success" => false} = json_response(conn!, 400)
end

test "change lost password wrong email test", %{conn: conn} do
post(conn, Routes.user_path(conn, :register, @john_doe_user_params))

Expand Down