fix(security): redesign password reset tokens using crypto/rand with server-side storage
- Replace SHA512-based deterministic token with 32-byte crypto/rand token - Store tokens server-side with 1-hour expiry and single-use semantics - Remove genToken (previously broken due to time.Add immutability bug) - Add CSRF double-submit cookie protection to change/lost/reset forms - Remove token from form action URL (use hidden fields only, POST body) - Add MailFrom field and SMTP_FROM env var for configurable sender address - Add SMTP_PASSWORD_FILE env var for secure SMTP password loading - Add PUBLIC_URL env var and --public-url flag for configurable reset link domain - Use generic error messages in handlers to avoid information disclosure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
a2f368eb02
commit
57775bbf89
9 changed files with 193 additions and 83 deletions
34
change.go
34
change.go
|
|
@ -16,34 +16,50 @@ func checkPasswdConstraint(password string) error {
|
|||
|
||||
func changePassword(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != "POST" {
|
||||
displayTmpl(w, "change.html", map[string]interface{}{})
|
||||
csrfToken, err := setCSRFToken(w)
|
||||
if err != nil {
|
||||
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
displayTmpl(w, "change.html", map[string]interface{}{"csrf_token": csrfToken})
|
||||
return
|
||||
}
|
||||
|
||||
if !validateCSRF(r) {
|
||||
csrfToken, _ := setCSRFToken(w)
|
||||
displayTmplError(w, http.StatusForbidden, "change.html", map[string]interface{}{"error": "Invalid or missing CSRF token. Please try again.", "csrf_token": csrfToken})
|
||||
return
|
||||
}
|
||||
|
||||
renderError := func(status int, msg string) {
|
||||
csrfToken, _ := setCSRFToken(w)
|
||||
displayTmplError(w, status, "change.html", map[string]interface{}{"error": msg, "csrf_token": csrfToken})
|
||||
}
|
||||
|
||||
// Check the two new passwords are identical
|
||||
if r.PostFormValue("newpassword") != r.PostFormValue("new2password") {
|
||||
displayTmplError(w, http.StatusNotAcceptable, "change.html", map[string]interface{}{"error": "New passwords are not identical. Please retry."})
|
||||
renderError(http.StatusNotAcceptable, "New passwords are not identical. Please retry.")
|
||||
} else if len(r.PostFormValue("login")) == 0 {
|
||||
displayTmplError(w, http.StatusNotAcceptable, "change.html", map[string]interface{}{"error": "Please provide a valid login"})
|
||||
renderError(http.StatusNotAcceptable, "Please provide a valid login")
|
||||
} else if err := checkPasswdConstraint(r.PostFormValue("newpassword")); err != nil {
|
||||
displayTmplError(w, http.StatusNotAcceptable, "change.html", map[string]interface{}{"error": "The password you chose doesn't respect all constraints: " + err.Error()})
|
||||
renderError(http.StatusNotAcceptable, "The password you chose doesn't respect all constraints: "+err.Error())
|
||||
} else {
|
||||
conn, err := myLDAP.Connect()
|
||||
if err != nil || conn == nil {
|
||||
log.Println(err)
|
||||
displayTmplError(w, http.StatusInternalServerError, "change.html", map[string]interface{}{"error": err.Error()})
|
||||
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
||||
} else if err := conn.ServiceBind(); err != nil {
|
||||
log.Println(err)
|
||||
displayTmplError(w, http.StatusInternalServerError, "change.html", map[string]interface{}{"error": err.Error()})
|
||||
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
||||
} else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil {
|
||||
log.Println(err)
|
||||
displayTmplError(w, http.StatusInternalServerError, "change.html", map[string]interface{}{"error": err.Error()})
|
||||
renderError(http.StatusUnauthorized, "Invalid login or password.")
|
||||
} else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
|
||||
log.Println(err)
|
||||
displayTmplError(w, http.StatusUnauthorized, "change.html", map[string]interface{}{"error": err.Error()})
|
||||
renderError(http.StatusUnauthorized, "Invalid login or password.")
|
||||
} else if err := conn.ChangePassword(dn, r.PostFormValue("newpassword")); err != nil {
|
||||
log.Println(err)
|
||||
displayTmplError(w, http.StatusInternalServerError, "change.html", map[string]interface{}{"error": err.Error()})
|
||||
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
||||
} else {
|
||||
displayMsg(w, "Password successfully changed!", http.StatusOK)
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue