author | jomo <github@jomo.tv> | 2016-05-08 19:04:16 +0200 |
committer | jomo <github@jomo.tv> | 2016-05-08 19:04:16 +0200 |
commit | 37cccdff180aab8bb67a202d35ef5b4e6974432c (patch) | |
tree | 51b4d65e241a43644764995c99ca5715534eb6e7 | |
parent | 1f51e9d82344ba8d3e39c38db6e720740f42f8b9 (diff) |
require uuid for password reset, destroy token after each try
-rw-r--r-- | app/controllers/users_controller.rb | 43 | ||||
-rw-r--r-- | app/views/users/lost_password.html.erb | 4 |
2 files changed, 30 insertions, 17 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f53b033..ea56ebf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -96,7 +96,7 @@ class UsersController < ApplicationController
 @user.ign = user_profile["name"] # correct case
 if validate_token(@user.uuid, @user.email, params[:registration_token])
- destroy_token(@user.email) # tokens can be used to reset password
+ destroy_token(params[:email])
 @user.last_ip = request.remote_ip # showing in mail
 if @user.save
 session[:user_id] = @user.id
@@ -125,12 +125,13 @@ class UsersController < ApplicationController
 end
 @user.email_token = SecureRandom.hex(16)
 else
+ destroy_token(params[:email])
 flash[:alert] = "Token invalid for this username/email. Please generate a new token!"
- destroy_token(@user.email) # no chance to brute force
 render action: "new"
 end
 else
- flash[:alert] = "Error. Your username is not correct or Mojang's servers are down."
+ destroy_token(params[:email])
+ flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
 render action: "new"
 return
 end
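Review bot: In both hunks every failure branch now runs `destroy_token(params[:email])` before the request has established anything about the caller, so a single wrong attempt that merely names an address, including one that fails only because the Mojang lookup is unavailable, removes that address's pending token. A bounded failure counter on the token row, or deleting only when validate_token itself reports a mismatch rather than in the Mojang-down branch as well, keeps the anti-brute-force intent without letting an unrelated request consume someone else's token; the reset_password hunk below has the same shape. Hunk 1 also validates with `@user.email` but destroys by `params[:email]`; if `@user.email` is ever normalised from the posted value, the token that was just accepted would survive, so using the same expression in both calls is safer. The enclosing action starts and ends outside these hunks.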
@@ -273,22 +274,29 @@ class UsersController < ApplicationController
 end
 def reset_password
- user = User.find_by_email(params[:email])
- if user && validate_token(user.uuid, user.email, params[:secret_token])
- destroy_token(user.email) # tokens can be used to reset password
- user.password = params[:new_password]
- user.password_confirmation = params[:new_password]
- if user.save
- flash[:notice] = "Password reset"
- redirect_to login_path
+ if profile = User.new(ign: params[:ign]).get_profile
+ uuid = profile && profile["id"]
+ user = uuid && User.find_by(email: params[:email], uuid: uuid)
+ if user && validate_token(user.uuid, user.email, params[:secret_token])
+ destroy_token(params[:email])
+ user.password = params[:new_password]
+ user.password_confirmation = params[:new_password]
+ if user.save
+ flash[:notice] = "Password has been reset"
+ redirect_to login_path
+ return
+ else
+ flash[:alert] = "Failed to update password. Please generate a new token!"
+ end
 else
- flash[:alert] = "Failed to update password, please generate a new Token!"
- render action: "lost_password"
+ destroy_token(params[:email])
+ flash[:alert] = "Token or Email address invalid. Please generate a new token!"
 end
 else
- flash[:alert] = "Token or Email address invalid!"
- render action: "lost_password"
+ destroy_token(params[:email])
+ flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
 end
+ render action: "lost_password"
 end
 def suggestions
@@ -312,9 +320,10 @@ class UsersController < ApplicationController
 user_token && user_token.token == token
 end
+ # delete tokens that have been queried, regardless of matching token
+ # prevents brute forcing
 def destroy_token(email)
- user_token = RegisterToken.where(email: email).first
- user_token && user_token.destroy
+ RegisterToken.where(email: email).destroy_all
 end
 def set_user
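Review bot: `if profile = User.new(ign: params[:ign]).get_profile` assigns inside the condition, and the next line `uuid = profile && profile["id"]` re-tests a value the branch already guarantees is truthy; `profile = User.new(ign: params[:ign]).get_profile` on its own line followed by `if profile` and `uuid = profile["id"]` says the same thing without tripping Lint/AssignmentInCondition. `params[:ign]` also reaches the remote profile lookup unchecked, since the `[a-zA-Z0-9_]{2,16}` pattern added to the form is enforced only by the browser; a guard such as `unless params[:ign].to_s =~ /\A[a-zA-Z0-9_]{2,16}\z/` before the lookup, falling into the existing "Username is not correct" branch, spares a remote call per malformed request. In the destroy_token hunk the new comment could name the trade-off it creates, e.g. `# destroy_all: any failed attempt naming this email consumes its tokens, so a fresh token is required after every miss`. reset_password is fully inside its hunk; the validate_token and set_user definitions around destroy_token are cut at the hunk edges.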
diff --git a/app/views/users/lost_password.html.erb b/app/views/users/lost_password.html.erb
index 9be7bf3..85d4140 100644
--- a/app/views/users/lost_password.html.erb
+++ b/app/views/users/lost_password.html.erb
@@ -6,6 +6,10 @@
 <%= form_tag reset_password_users_path do |f| %>
 <table>
 <tr>
+ <td><%= label_tag :ign, "Minecraft name" %></td>
+ <td><%= text_field_tag :ign, nil, placeholder: "Steve", pattern: "[a-zA-Z0-9_]{2,16}", required: true, title: "Your IGN" %></td>
+ </tr>
+ <tr>
 <td><%= label_tag :email %></td>
 <td><%= text_field_tag :email, nil, placeholder: "steve@example.com", required: true, pattern: ".+@.+", title: "enter valid email address", "x-moz-errormessage" => "enter valid email address" %></td>
 </tr> |
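Review bot: The `pattern` and `required` attributes on the new `:ign` field are browser-side only; a request assembled without the form reaches reset_password with any `params[:ign]`, so the controller has to enforce the same `[a-zA-Z0-9_]{2,16}` shape before the profile lookup. Most browsers display `title` as the validation message when `pattern` fails, so `title: "2 to 16 letters, digits or underscores"` tells the user what was rejected, matching the convention the email field below already uses. The form_tag block these rows sit in closes outside the hunk.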