authorjomo <github@jomo.tv>2016-05-08 19:04:16 +0200
committerjomo <github@jomo.tv>2016-05-08 19:04:16 +0200
commit37cccdff180aab8bb67a202d35ef5b4e6974432c (patch)
tree51b4d65e241a43644764995c99ca5715534eb6e7
parent1f51e9d82344ba8d3e39c38db6e720740f42f8b9 (diff)
require uuid for password reset, destroy token after each try
-rw-r--r--app/controllers/users_controller.rb43
-rw-r--r--app/views/users/lost_password.html.erb4
2 files changed, 30 insertions, 17 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f53b033..ea56ebf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -96,7 +96,7 @@ class UsersController < ApplicationController
@user.ign = user_profile["name"] # correct case
if validate_token(@user.uuid, @user.email, params[:registration_token])
- destroy_token(@user.email) # tokens can be used to reset password
+ destroy_token(params[:email])
@user.last_ip = request.remote_ip # showing in mail
if @user.save
session[:user_id] = @user.id
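Review bot: The token deleted here is no longer the one that was just validated: `validate_token` on the line above checks `@user.email`, while the new `destroy_token(params[:email])` reads the raw request parameter, and the same substitution appears twice in the second hunk (`+ destroy_token(params[:email])` in both error branches). If the registration form posts the address nested under a `user` hash, which `@user.ign = ...` suggests `@user` is built from, `params[:email]` is nil, the lookup becomes `where(email: nil)` and the used token survives for another try — the opposite of what the commit intends; if the form posts both, the token checked and the token destroyed can belong to different addresses. Keeping both calls on one source, e.g. `destroy_token(@user.email)` here and in the second hunk, or validating against `params[:email]` as well, closes that gap. The enclosing action starts before this hunk and ends after the second one.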
@@ -125,12 +125,13 @@ class UsersController < ApplicationController
end
@user.email_token = SecureRandom.hex(16)
else
+ destroy_token(params[:email])
flash[:alert] = "Token invalid for this username/email. Please generate a new token!"
- destroy_token(@user.email) # no chance to brute force
render action: "new"
end
else
- flash[:alert] = "Error. Your username is not correct or Mojang's servers are down."
+ destroy_token(params[:email])
+ flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
render action: "new"
return
end
@@ -273,22 +274,29 @@ class UsersController < ApplicationController
end
def reset_password
- user = User.find_by_email(params[:email])
- if user && validate_token(user.uuid, user.email, params[:secret_token])
- destroy_token(user.email) # tokens can be used to reset password
- user.password = params[:new_password]
- user.password_confirmation = params[:new_password]
- if user.save
- flash[:notice] = "Password reset"
- redirect_to login_path
+ if profile = User.new(ign: params[:ign]).get_profile
+ uuid = profile && profile["id"]
+ user = uuid && User.find_by(email: params[:email], uuid: uuid)
+ if user && validate_token(user.uuid, user.email, params[:secret_token])
+ destroy_token(params[:email])
+ user.password = params[:new_password]
+ user.password_confirmation = params[:new_password]
+ if user.save
+ flash[:notice] = "Password has been reset"
+ redirect_to login_path
+ return
+ else
+ flash[:alert] = "Failed to update password. Please generate a new token!"
+ end
else
- flash[:alert] = "Failed to update password, please generate a new Token!"
- render action: "lost_password"
+ destroy_token(params[:email])
+ flash[:alert] = "Token or Email address invalid. Please generate a new token!"
end
else
- flash[:alert] = "Token or Email address invalid!"
- render action: "lost_password"
+ destroy_token(params[:email])
+ flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
end
+ render action: "lost_password"
end
def suggestions
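Review bot: `params[:ign]` is handed to `User.new(ign: params[:ign]).get_profile` with no server-side check; the `[a-zA-Z0-9_]{2,16}` pattern added to the form in the second file is only a browser hint, so a guard such as `unless params[:ign].to_s =~ /\A[a-zA-Z0-9_]{2,16}\z/` (failing with the existing "Username is not correct…" message) should precede the lookup, whatever `get_profile` does with the name. The assignment in `if profile = User.new(ign: params[:ign]).get_profile` reads like a typo and `uuid = profile && profile["id"]` re-tests a value that is already truthy inside that branch; `profile = User.new(ign: params[:ign]).get_profile` on its own line, then `if profile` and `uuid = profile["id"]`, says the same thing plainly. Note also that the outer `else` now calls `destroy_token(params[:email])` without any token having been checked, so a failed profile lookup (an outage, or a request with a wrong name and someone else's address) clears that address's pending reset; if that is intended, a comment such as `# profile lookup failed: burn the pending token so it cannot be retried` will keep the next reader from "fixing" it. `reset_password` lies entirely within the hunk.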
@@ -312,9 +320,10 @@ class UsersController < ApplicationController
user_token && user_token.token == token
end
+ # delete tokens that have been queried, regardless of matching token
+ # prevents brute forcing
def destroy_token(email)
- user_token = RegisterToken.where(email: email).first
- user_token && user_token.destroy
+ RegisterToken.where(email: email).destroy_all
end
def set_user
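Review bot: The new comment should say what the `email` argument is, because every call site in this commit passes the raw `params[:email]`: with a nil or empty address the query becomes `where(email: nil)` or `where(email: "")` and most likely removes nothing, and with any other address it removes every token stored for it whether or not the requester owns it. A guard `return if email.blank?` before `destroy_all`, plus a comment along the lines of `# email is caller-supplied; every token for it is removed on each attempt, so one wrong guess ends the try`, makes that explicit. Since a token is now consumed on the first failed attempt, the plain `user_token.token == token` comparison on the context line above is less exposed, but `ActiveSupport::SecurityUtils.secure_compare` would still be the safer choice if the app is on a Rails version that provides it. `validate_token` starts before this hunk and `set_user` continues after it.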
diff --git a/app/views/users/lost_password.html.erb b/app/views/users/lost_password.html.erb
index 9be7bf3..85d4140 100644
--- a/app/views/users/lost_password.html.erb
+++ b/app/views/users/lost_password.html.erb
@@ -6,6 +6,10 @@
<%= form_tag reset_password_users_path do |f| %>
<table>
<tr>
+ <td><%= label_tag :ign, "Minecraft name" %></td>
+ <td><%= text_field_tag :ign, nil, placeholder: "Steve", pattern: "[a-zA-Z0-9_]{2,16}", required: true, title: "Your IGN" %></td>
+ </tr>
+ <tr>
<td><%= label_tag :email %></td>
<td><%= text_field_tag :email, nil, placeholder: "steve@example.com", required: true, pattern: ".+@.+", title: "enter valid email address", "x-moz-errormessage" => "enter valid email address" %></td>
</tr>