Pierre-Olivier Mercier
57775bbf89
- Replace SHA512-based deterministic token with 32-byte crypto/rand token - Store tokens server-side with 1-hour expiry and single-use semantics - Remove genToken (previously broken due to time.Add immutability bug) - Add CSRF double-submit cookie protection to change/lost/reset forms - Remove token from form action URL (use hidden fields only, POST body) - Add MailFrom field and SMTP_FROM env var for configurable sender address - Add SMTP_PASSWORD_FILE env var for secure SMTP password loading - Add PUBLIC_URL env var and --public-url flag for configurable reset link domain - Use generic error messages in handlers to avoid information disclosure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
67 lines
2.5 KiB
Go
67 lines
2.5 KiB
Go
package main
|
|
|
|
import (
|
|
"errors"
|
|
"log"
|
|
"net/http"
|
|
)
|
|
|
|
func checkPasswdConstraint(password string) error {
|
|
if len(password) < 8 {
|
|
return errors.New("too short, please choose a password at least 8 characters long.")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func changePassword(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" {
|
|
csrfToken, err := setCSRFToken(w)
|
|
if err != nil {
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
displayTmpl(w, "change.html", map[string]interface{}{"csrf_token": csrfToken})
|
|
return
|
|
}
|
|
|
|
if !validateCSRF(r) {
|
|
csrfToken, _ := setCSRFToken(w)
|
|
displayTmplError(w, http.StatusForbidden, "change.html", map[string]interface{}{"error": "Invalid or missing CSRF token. Please try again.", "csrf_token": csrfToken})
|
|
return
|
|
}
|
|
|
|
renderError := func(status int, msg string) {
|
|
csrfToken, _ := setCSRFToken(w)
|
|
displayTmplError(w, status, "change.html", map[string]interface{}{"error": msg, "csrf_token": csrfToken})
|
|
}
|
|
|
|
// Check the two new passwords are identical
|
|
if r.PostFormValue("newpassword") != r.PostFormValue("new2password") {
|
|
renderError(http.StatusNotAcceptable, "New passwords are not identical. Please retry.")
|
|
} else if len(r.PostFormValue("login")) == 0 {
|
|
renderError(http.StatusNotAcceptable, "Please provide a valid login")
|
|
} else if err := checkPasswdConstraint(r.PostFormValue("newpassword")); err != nil {
|
|
renderError(http.StatusNotAcceptable, "The password you chose doesn't respect all constraints: "+err.Error())
|
|
} else {
|
|
conn, err := myLDAP.Connect()
|
|
if err != nil || conn == nil {
|
|
log.Println(err)
|
|
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
|
} else if err := conn.ServiceBind(); err != nil {
|
|
log.Println(err)
|
|
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
|
} else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil {
|
|
log.Println(err)
|
|
renderError(http.StatusUnauthorized, "Invalid login or password.")
|
|
} else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
|
|
log.Println(err)
|
|
renderError(http.StatusUnauthorized, "Invalid login or password.")
|
|
} else if err := conn.ChangePassword(dn, r.PostFormValue("newpassword")); err != nil {
|
|
log.Println(err)
|
|
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
|
} else {
|
|
displayMsg(w, "Password successfully changed!", http.StatusOK)
|
|
}
|
|
}
|
|
}
|