Pierre-Olivier Mercier
57775bbf89
- Replace SHA512-based deterministic token with 32-byte crypto/rand token - Store tokens server-side with 1-hour expiry and single-use semantics - Remove genToken (previously broken due to time.Add immutability bug) - Add CSRF double-submit cookie protection to change/lost/reset forms - Remove token from form action URL (use hidden fields only, POST body) - Add MailFrom field and SMTP_FROM env var for configurable sender address - Add SMTP_PASSWORD_FILE env var for secure SMTP password loading - Add PUBLIC_URL env var and --public-url flag for configurable reset link domain - Use generic error messages in handlers to avoid information disclosure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 lines
703 B
HTML
13 lines
703 B
HTML
{{template "header"}}
|
|
<h1 class="display-4">Forgot your password? <small class="text-muted">We'll send you a link by e-mail to reset it!</small></h1>
|
|
|
|
<form method="post" action="lost">
|
|
{{if .error}}<div class="alert alert-danger" role="alert">{{.error}}</div>{{end}}
|
|
<input type="hidden" name="csrf_token" value="{{ .csrf_token }}">
|
|
<div class="form-group">
|
|
<input name="login" required="" class="form-control" id="input_0" type="text" placeholder="Login" autofocus>
|
|
</div>
|
|
<button class="btn btn-primary" type="submit">Reset my password</button>
|
|
<a href="/change" class="btn btn-outline-success">Just want to change your password?</a>
|
|
</form>
|
|
{{template "footer"}}
|