From 37cccdff180aab8bb67a202d35ef5b4e6974432c Mon Sep 17 00:00:00 2001
From: jomo <github@jomo.tv>
Date: Sun, 8 May 2016 19:04:16 +0200
Subject: require uuid for password reset, destroy token after each try

---
 app/controllers/users_controller.rb    | 43 ++++++++++++++++++++--------------
 app/views/users/lost_password.html.erb |  4 ++++
 2 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f53b033..ea56ebf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -96,7 +96,7 @@ class UsersController < ApplicationController
         @user.ign  = user_profile["name"] # correct case
 
         if validate_token(@user.uuid, @user.email, params[:registration_token])
-          destroy_token(@user.email) # tokens can be used to reset password
+          destroy_token(params[:email])
           @user.last_ip = request.remote_ip # showing in mail
           if @user.save
             session[:user_id] = @user.id
@@ -125,12 +125,13 @@ class UsersController < ApplicationController
           end
           @user.email_token = SecureRandom.hex(16)
         else
+          destroy_token(params[:email])
           flash[:alert] = "Token invalid for this username/email. Please generate a new token!"
-          destroy_token(@user.email) # no chance to brute force
           render action: "new"
         end
       else
-        flash[:alert] = "Error. Your username is not correct or Mojang's servers are down."
+        destroy_token(params[:email])
+        flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
         render action: "new"
         return
       end
@@ -273,22 +274,29 @@ class UsersController < ApplicationController
   end
 
   def reset_password
-    user = User.find_by_email(params[:email])
-    if user && validate_token(user.uuid, user.email, params[:secret_token])
-      destroy_token(user.email) # tokens can be used to reset password
-      user.password              = params[:new_password]
-      user.password_confirmation = params[:new_password]
-      if user.save
-        flash[:notice] = "Password reset"
-        redirect_to login_path
+    if profile = User.new(ign: params[:ign]).get_profile
+      uuid = profile && profile["id"]
+      user = uuid && User.find_by(email: params[:email], uuid: uuid)
+      if user && validate_token(user.uuid, user.email, params[:secret_token])
+        destroy_token(params[:email])
+        user.password              = params[:new_password]
+        user.password_confirmation = params[:new_password]
+        if user.save
+          flash[:notice] = "Password has been reset"
+          redirect_to login_path
+          return
+        else
+          flash[:alert] = "Failed to update password. Please generate a new token!"
+        end
       else
-        flash[:alert] = "Failed to update password, please generate a new Token!"
-        render action: "lost_password"
+        destroy_token(params[:email])
+        flash[:alert] = "Token or Email address invalid. Please generate a new token!"
       end
     else
-      flash[:alert] = "Token or Email address invalid!"
-      render action: "lost_password"
+      destroy_token(params[:email])
+      flash[:alert] = "Username is not correct or Mojang's servers are down. Please generate a new token!"
     end
+    render action: "lost_password"
   end
 
   def suggestions
@@ -312,9 +320,10 @@ class UsersController < ApplicationController
     user_token && user_token.token == token
   end
 
+  # delete tokens that have been queried, regardless of matching token
+  # prevents brute forcing
   def destroy_token(email)
-    user_token = RegisterToken.where(email: email).first
-    user_token && user_token.destroy
+    RegisterToken.where(email: email).destroy_all
   end
 
   def set_user
diff --git a/app/views/users/lost_password.html.erb b/app/views/users/lost_password.html.erb
index 9be7bf3..85d4140 100644
--- a/app/views/users/lost_password.html.erb
+++ b/app/views/users/lost_password.html.erb
@@ -5,6 +5,10 @@
 <p>Luckily for you, you can reset your password. Please use the command <code>/gettoken &lt;your email address&gt;</code>, then fill in the form below:</p>
 <%= form_tag reset_password_users_path do |f| %>
   <table>
+    <tr>
+      <td><%= label_tag :ign, "Minecraft name" %></td>
+      <td><%= text_field_tag :ign, nil, placeholder: "Steve", pattern: "[a-zA-Z0-9_]{2,16}", required: true, title: "Your IGN" %></td>
+    </tr>
     <tr>
       <td><%= label_tag :email %></td>
       <td><%= text_field_tag :email, nil, placeholder: "steve@example.com", required: true, pattern: ".+@.+", title: "enter valid email address", "x-moz-errormessage" => "enter valid email address" %></td>
-- 
cgit v1.2.3