fix(security): redesign password reset tokens using crypto/rand with server-side storage

- Replace SHA512-based deterministic token with 32-byte crypto/rand token - Store tokens server-side with 1-hour expiry and single-use semantics - Remove genToken (previously broken due to time.Add immutability bug) - Add CSRF double-submit cookie protection to change/lost/reset forms - Remove token from form action URL (use hidden fields only, POST body) - Add MailFrom field and SMTP_FROM env var for configurable sender address - Add SMTP_PASSWORD_FILE env var for secure SMTP password loading - Add PUBLIC_URL env var and --public-url flag for configurable reset link domain - Use generic error messages in handlers to avoid information disclosure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 14:44:29 +07:00 · 2026-03-06 14:44:29 +07:00 · 57775bbf89
commit 57775bbf89
parent a2f368eb02
9 changed files with 193 additions and 83 deletions
--- a/static/reset.html
+++ b/static/reset.html
@ -1,8 +1,9 @@
 {{template "header"}}
  <h1 class="display-4">Forgot your password? <small class="text-muted">Define a new one!</small></h1>

-  <form method="post" action="reset?l={{ .login }}&t={{ .token }}">
+  <form method="post" action="reset">
    {{if .error}}<div class="alert alert-danger" role="alert">{{.error}}</div>{{end}}
+    <input type="hidden" name="csrf_token" value="{{ .csrf_token }}">
    <div class="form-group">
      <input required="" class="form-control" id="input_0" type="text" placeholder="Email" value="{{ .login }}" disabled="">
    </div>