Password Reset + Bugfixes

This commit is contained in:
Roman Hergenreder 2020-07-02 00:47:45 +02:00
parent db63b55a70
commit 0deb6fff52
15 changed files with 309 additions and 71 deletions

@ -84,7 +84,7 @@ namespace Api {
protected function getUser($id) {
$sql = $this->user->getSQL();
$res = $sql->select("User.uid as userId", "User.name", "User.email", "User.registered_at",
$res = $sql->select("User.uid as userId", "User.name", "User.email", "User.registered_at", "User.confirmed",
"Group.uid as groupId", "Group.name as groupName", "Group.color as groupColor")
->from("User")
->leftJoin("UserGroup", "User.uid", "UserGroup.user_id")
@ -254,7 +254,7 @@ namespace Api\User {
}
$sql = $this->user->getSQL();
$res = $sql->select("User.uid as userId", "User.name", "User.email", "User.registered_at",
$res = $sql->select("User.uid as userId", "User.name", "User.email", "User.registered_at", "User.confirmed",
"Group.uid as groupId", "Group.name as groupName", "Group.color as groupColor")
->from("User")
->leftJoin("UserGroup", "User.uid", "UserGroup.user_id")
@ -278,6 +278,7 @@ namespace Api\User {
"name" => $row["name"],
"email" => $row["email"],
"registered_at" => $row["registered_at"],
"confirmed" => $sql->parseBool($row["confirmed"]),
"groups" => array(),
);
}
@ -310,6 +311,7 @@ namespace Api\User {
return false;
}
$sql = $this->user->getSQL();
$id = $this->getParam("id");
$user = $this->getUser($id);
@ -322,6 +324,7 @@ namespace Api\User {
"name" => $user[0]["name"],
"email" => $user[0]["email"],
"registered_at" => $user[0]["registered_at"],
"confirmed" => $sql->parseBool($user["0"]["confirmed"]),
"groups" => array()
);
@ -450,6 +453,7 @@ namespace Api\User {
'password' => new StringType('password'),
'confirmPassword' => new StringType('confirmPassword'),
));
$this->csrfTokenRequired = false;
}
private function updateUser($uid, $password) {
@ -783,7 +787,7 @@ namespace Api\User {
private function checkToken($token) {
$sql = $this->user->getSQL();
$res = $sql->select("UserToken.token_type", "User.uid", "User.name", "User.email", "User.confirmed")
$res = $sql->select("UserToken.token_type", "User.uid", "User.name", "User.email")
->from("UserToken")
->innerJoin("User", "UserToken.user_id", "User.uid")
->where(new Compare("UserToken.token", $token))
@ -817,7 +821,6 @@ namespace Api\User {
$this->result["user"] = array(
"name" => $tokenEntry["name"],
"email" => $tokenEntry["email"],
"confirmed" => $this->user->getSQL()->parseBool($tokenEntry["confirmed"]),
"uid" => $tokenEntry["uid"]
);
} else {
@ -837,6 +840,7 @@ namespace Api\User {
'email' => new Parameter('email', Parameter::TYPE_EMAIL, true, NULL),
'password' => new StringType('password', -1, true, NULL),
'groups' => new Parameter('groups', Parameter::TYPE_ARRAY, true, NULL),
'confirmed' => new Parameter('confirmed', Parameter::TYPE_BOOLEAN, true, NULL)
));
$this->loginRequired = true;
@ -859,6 +863,7 @@ namespace Api\User {
$email = $this->getParam("email");
$password = $this->getParam("password");
$groups = $this->getParam("groups");
$confirmed = $this->getParam("confirmed");
$email = (!is_null($email) && empty($email)) ? null : $email;
@ -896,6 +901,14 @@ namespace Api\User {
if ($emailChanged) $query->set("email", $email);
if (!is_null($password)) $query->set("password", $this->hashPassword($password));
if (!is_null($confirmed)) {
if ($id === $this->user->getId() && $confirmed === false) {
return $this->createError("Cannot make own account unconfirmed.");
} else {
$query->set("confirmed", $confirmed);
}
}
if (!empty($query->getValues())) {
$query->where(new Compare("User.uid", $id));
$res = $query->execute();
@ -957,7 +970,7 @@ namespace Api\User {
}
}
class RequestResetPassword extends UserAPI {
class RequestPasswordReset extends UserAPI {
public function __construct(User $user, $externalCall = false) {
$parameters = array(
'email' => new Parameter('email', Parameter::TYPE_EMAIL),
@ -969,6 +982,7 @@ namespace Api\User {
}
parent::__construct($user, $externalCall, $parameters);
$this->csrfTokenRequired = false;
}
public function execute($values = array()) {
@ -1010,7 +1024,7 @@ namespace Api\User {
$siteName = htmlspecialchars($settings->getSiteName());
$replacements = array(
"link" => "$baseUrl/confirmEmail?token=$token",
"link" => "$baseUrl/resetPassword?token=$token",
"site_name" => $siteName,
"base_url" => $baseUrl,
"username" => htmlspecialchars($user["name"])
@ -1035,6 +1049,7 @@ namespace Api\User {
private function findUser($email) {
$sql = $this->user->getSQL();
$res = $sql->select("User.uid", "User.name")
->from("User")
->where(new Compare("User.email", $email))
->where(new CondBool("User.confirmed"))
->execute();
@ -1073,6 +1088,8 @@ namespace Api\User {
'password' => new StringType('password'),
'confirmPassword' => new StringType('confirmPassword'),
));
$this->csrfTokenRequired = false;
}
private function updateUser($uid, $password) {
@ -1108,7 +1125,7 @@ namespace Api\User {
}
$result = $req->getResult();
if (strcasecmp($result["token"]["type"], "reset_password") !== 0) {
if (strcasecmp($result["token"]["type"], "password_reset") !== 0) {
return $this->createError("Invalid token type");
} else if (!$this->checkPasswordRequirements($password, $confirmPassword)) {
return false;

@ -6,7 +6,7 @@ namespace Documents {
use Elements\Document;
use Objects\User;
use Views\Admin\AdminDashboardBody;
use Views\LoginBody;
use Views\Admin\LoginBody;
class Admin extends Document {
public function __construct(User $user, ?string $view = NULL) {

@ -10,7 +10,7 @@ class Link extends StaticView {
const FONTAWESOME = "/css/fontawesome.min.css";
const BOOTSTRAP = "/css/bootstrap.min.css";
const CORE = "/css/style.css";
const ADMIN = "/css/admin.css";
const ACCOUNT = "/css/account.css";
private string $type;
private string $rel;

@ -7,7 +7,6 @@ class Script extends StaticView {
const MIME_TEXT_JAVASCRIPT = "text/javascript";
const CORE = "/js/script.js";
const ADMIN = "/js/admin.js";
const JQUERY = "/js/jquery.min.js";
const INSTALL = "/js/install.js";
const BOOTSTRAP = "/js/bootstrap.bundle.min.js";

@ -7,15 +7,83 @@ namespace Views\Account;
use Elements\Document;
use Elements\View;
class AcceptInvite extends View {
class AcceptInvite extends AccountView {
private bool $success;
private string $message;
private array $invitedUser;
public function __construct(Document $document, $loadView = true) {
parent::__construct($document, $loadView);
$this->title = "Invitation";
$this->description = "Finnish your account registration by choosing a password.";
$this->icon = "user-check";
$this->success = false;
$this->message = "No content";
$this->invitedUser = array();
}
public function getCode() {
$html = parent::getCode();
public function loadView() {
parent::loadView();
return $html;
if (isset($_GET["token"]) && is_string($_GET["token"]) && !empty($_GET["token"])) {
$req = new \Api\User\CheckToken($this->getDocument()->getUser());
$this->success = $req->execute(array("token" => $_GET["token"]));
if ($this->success) {
if (strcmp($req->getResult()["token"]["type"], "invite") !== 0) {
$this->success = false;
$this->message = "The given token has a wrong type.";
} else {
$this->invitedUser = $req->getResult()["user"];
}
} else {
$this->message = "Error confirming e-mail address: " . $req->getLastError();
}
} else {
$this->success = false;
$this->message = "The link you visited is no longer valid";
}
}
protected function getAccountContent() {
if (!$this->success) {
return $this->createErrorText($this->message);
}
$token = htmlspecialchars($_GET["token"], ENT_QUOTES);
$username = $this->invitedUser["name"];
$emailAddress = $this->invitedUser["email"];
return "<h4 class=\"pb-4\">Please fill with your details</h4>
<form>
<input name='token' id='token' type='hidden' value='$token'/>
<div class=\"input-group\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-hashtag\"></i></span>
</div>
<input id=\"username\" name=\"username\" placeholder=\"Username\" class=\"form-control\" type=\"text\" maxlength=\"32\" value='$username' disabled>
</div>
<div class=\"input-group mt-3\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-at\"></i></span>
</div>
<input type=\"email\" name='email' id='email' class=\"form-control\" placeholder=\"Email\" maxlength=\"64\" value='$emailAddress' disabled>
</div>
<div class=\"input-group mt-3\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-key\"></i></span>
</div>
<input type=\"password\" name='password' id='password' class=\"form-control\" placeholder=\"Password\">
</div>
<div class=\"input-group mt-3\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-key\"></i></span>
</div>
<input type=\"password\" name='confirmPassword' id='confirmPassword' class=\"form-control\" placeholder=\"Confirm Password\">
</div>
<div class=\"input-group mt-3\">
<button type=\"button\" class=\"btn btn-success\" id='btnAcceptInvite'>Submit</button>
</div>
</form>";
}
}

@ -3,9 +3,7 @@
namespace Views\Account;
use Elements\Document;
use Elements\View;
class Register extends AccountView {

@ -5,17 +5,83 @@ namespace Views\Account;
use Elements\Document;
use Elements\View;
class ResetPassword extends View {
class ResetPassword extends AccountView {
private bool $success;
private string $message;
private ?string $token;
public function __construct(Document $document, $loadView = true) {
parent::__construct($document, $loadView);
$this->title = "Reset Password";
$this->description = "Request a password reset, once you got the e-mail address, you can choose a new password";
$this->icon = "user-lock";
$this->success = true;
$this->message = "";
$this->token = NULL;
}
public function getCode() {
$html = parent::getCode();
public function loadView() {
parent::loadView();
return $html;
if (isset($_GET["token"]) && is_string($_GET["token"]) && !empty($_GET["token"])) {
$this->token = $_GET["token"];
$req = new \Api\User\CheckToken($this->getDocument()->getUser());
$this->success = $req->execute(array("token" => $_GET["token"]));
if ($this->success) {
if (strcmp($req->getResult()["token"]["type"], "password_reset") !== 0) {
$this->success = false;
$this->message = "The given token has a wrong type.";
}
} else {
$this->message = "Error requesting password reset: " . $req->getLastError();
}
}
}
protected function getAccountContent() {
if (!$this->success) {
$html = $this->createErrorText($this->message);
if ($this->token !== null) {
$html .= "<a href='/resetPassword' class='btn btn-primary'>Go back</a>";
}
return $html;
}
if ($this->token === null) {
return "<p class='lead'>Enter your E-Mail address, to receive a password reset token.</p>
<form>
<div class=\"input-group\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-at\"></i></span>
</div>
<input id=\"email\" name=\"email\" placeholder=\"E-Mail address\" class=\"form-control\" type=\"email\" maxlength=\"64\" />
</div>
<div class=\"input-group mt-2\">
<button id='btnRequestPasswordReset' class='btn btn-primary'>Request</button>
</div>
";
} else {
return "<h4 class=\"pb-4\">Choose a new password</h4>
<form>
<input name='token' id='token' type='hidden' value='$this->token'/>
<div class=\"input-group mt-3\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-key\"></i></span>
</div>
<input type=\"password\" name='password' id='password' class=\"form-control\" placeholder=\"Password\">
</div>
<div class=\"input-group mt-3\">
<div class=\"input-group-append\">
<span class=\"input-group-text\"><i class=\"fas fa-key\"></i></span>
</div>
<input type=\"password\" name='confirmPassword' id='confirmPassword' class=\"form-control\" placeholder=\"Confirm Password\">
</div>
<div class=\"input-group mt-3\">
<button type=\"button\" class=\"btn btn-success\" id='btnResetPassword'>Submit</button>
</div>
</form>";
}
}
}

@ -1,10 +1,11 @@
<?php
namespace Views;
namespace Views\Admin;
use Elements\Body;
use Elements\Link;
use Elements\Script;
use Views\LanguageFlags;
class LoginBody extends Body {
@ -19,8 +20,8 @@ class LoginBody extends Body {
$head->loadBootstrap();
$head->addJS(Script::CORE);
$head->addCSS(Link::CORE);
$head->addJS(Script::ADMIN);
$head->addCSS(Link::ADMIN);
$head->addJS(Script::ACCOUNT);
$head->addCSS(Link::ACCOUNT);
}
public function getCode() {
@ -37,14 +38,6 @@ class LoginBody extends Body {
$domain = $_SERVER['HTTP_HOST'];
$protocol = getProtocol();
$accountCreated = "";
if(isset($_GET["accountCreated"])) {
$accountCreated =
'<div class="alert alert-success mt-3" id="accountCreated">
Your account was successfully created, you may now login with your credentials
</div>';
}
$html .= "
<body>
<div class=\"container mt-4\">
@ -63,13 +56,12 @@ class LoginBody extends Body {
<label class=\"form-check-label\" for=\"stayLoggedIn\">$stayLoggedIn</label>
</div>
<button class=\"btn btn-lg btn-primary btn-block\" id=\"btnLogin\" type=\"button\">$login</button>
<div class=\"alert alert-danger hidden\" role=\"alert\" id=\"loginError\"></div>
<div class=\"alert alert-danger\" style='display:none' role=\"alert\" id=\"alertMessage\"></div>
<span class=\"flags position-absolute\">$flags</span>
</form>
<div class=\"p-1\">
<a href=\"$protocol://$domain\">$iconBack&nbsp;$backToStartPage</a>
</div>
$accountCreated
</div>
</div>
</div>

@ -11,6 +11,30 @@ $(document).ready(function () {
$("#alertMessage").hide();
}
// Login
$("#btnLogin").click(function() {
const username = $("#username").val();
const password = $("#password").val();
const createdDiv = $("#accountCreated");
const stayLoggedIn = $("#stayLoggedIn").is(":checked");
const btn = $(this);
hideAlert();
btn.prop("disabled", true);
btn.html("Logging in… <i class=\"fa fa-spin fa-circle-notch\"></i>");
jsCore.apiCall("/user/login", {"username": username, "password": password, "stayLoggedIn": stayLoggedIn }, function(res) {
if (res.success) {
document.location.reload();
} else {
btn.html("Login");
btn.prop("disabled", false);
$("#password").val("");
createdDiv.hide();
showAlert(res.msg);
}
});
});
$("#btnRegister").click(function (e) {
e.preventDefault();
e.stopPropagation();
@ -43,4 +67,86 @@ $(document).ready(function () {
});
}
});
$("#btnAcceptInvite").click(function (e) {
e.preventDefault();
e.stopPropagation();
let btn = $(this);
let token = $("#token").val();
let password = $("#password").val();
let confirmPassword = $("#confirmPassword").val();
if(password !== confirmPassword) {
showAlert("danger", "Your passwords did not match.");
} else {
let textBefore = btn.text();
let params = { token: token, password: password, confirmPassword: confirmPassword };
btn.prop("disabled", true);
btn.html("Submitting… <i class='fas fa-spin fa-spinner'></i>")
jsCore.apiCall("user/acceptInvite", params, (res) => {
btn.prop("disabled", false);
btn.text(textBefore);
if (!res.success) {
showAlert("danger", res.msg);
} else {
showAlert("success", "Account successfully created. You may now login.");
$("input").val("");
}
});
}
});
$("#btnRequestPasswordReset").click(function (e) {
e.preventDefault();
e.stopPropagation();
let btn = $(this);
let email = $("#email").val();
let textBefore = btn.text();
btn.prop("disabled", true);
btn.html("Submitting… <i class='fas fa-spin fa-spinner'></i>")
jsCore.apiCall("user/requestPasswordReset", { email: email }, (res) => {
btn.prop("disabled", false);
btn.text(textBefore);
if (!res.success) {
showAlert("danger", res.msg);
} else {
showAlert("success", "If the e-mail address exists and is linked to a account, you will receive a password reset token.");
$("input").val("");
}
});
});
$("#btnResetPassword").click(function (e) {
e.preventDefault();
e.stopPropagation();
let btn = $(this);
let token = $("#token").val();
let password = $("#password").val();
let confirmPassword = $("#confirmPassword").val();
if(password !== confirmPassword) {
showAlert("danger", "Your passwords did not match.");
} else {
let textBefore = btn.text();
let params = { token: token, password: password, confirmPassword: confirmPassword };
btn.prop("disabled", true);
btn.html("Submitting… <i class='fas fa-spin fa-spinner'></i>")
jsCore.apiCall("user/resetPassword", params, (res) => {
btn.prop("disabled", false);
btn.text(textBefore);
if (!res.success) {
showAlert("danger", res.msg);
} else {
showAlert("success", "Your password was successfully changed. You may now login.");
$("input").val("");
}
});
}
});
});

@ -1,28 +0,0 @@
$(document).ready(function() {
// Login
$("#username").keypress(function(e) { if(e.which === 13) $("#password").focus(); });
$("#password").keypress(function(e) { if(e.which === 13) $("#btnLogin").click(); });
$("#btnLogin").click(function() {
const username = $("#username").val();
const password = $("#password").val();
const errorDiv = $("#loginError");
const createdDiv = $("#accountCreated");
const stayLoggedIn = $("#stayLoggedIn").is(":checked");
const btn = $(this);
errorDiv.hide();
btn.prop("disabled", true);
btn.html("Logging in… <i class=\"fa fa-spin fa-circle-notch\"></i>");
jsCore.apiCall("/user/login", {"username": username, "password": password, "stayLoggedIn": stayLoggedIn }, function(data) {
document.location.reload();
}, function(err) {
btn.html("Login");
btn.prop("disabled", false);
$("#password").val("");
createdDiv.hide();
errorDiv.html(err);
errorDiv.show();
});
});
});

6
js/admin.min.js vendored

File diff suppressed because one or more lines are too long

@ -35,8 +35,8 @@ export default class API {
return data && data.success && data.loggedIn;
}
async editUser(id, username, email, password, groups) {
return this.apiCall("user/edit", { "id": id, "username": username, "email": email, "password": password, "groups": groups });
async editUser(id, username, email, password, groups, confirmed) {
return this.apiCall("user/edit", { id: id, username: username, email: email, password: password, groups: groups, confirmed: confirmed });
}
async logout() {

@ -43,7 +43,8 @@ export default class EditUser extends React.Component {
name: res.user.name,
email: res.user.email || "",
groups: res.user.groups,
password: ""
password: "",
confirmed: res.user.confirmed
}
});
this.parent.api.fetchGroups(1, 50).then((res) => {
@ -61,11 +62,15 @@ export default class EditUser extends React.Component {
onChangeInput(event) {
const target = event.target;
const value = target.value;
let value = target.value;
const name = target.name;
if (target.type === "checkbox") {
value = !!target.checked;
}
if (name === "search") {
this.setState({ ...this.state, searchString: value });
this.setState({...this.state, searchString: value});
} else {
this.setState({ ...this.state, user: { ...this.state.user, [name]: value } });
}
@ -85,9 +90,10 @@ export default class EditUser extends React.Component {
const email = this.state.user["email"];
let password = this.state.user["password"].length > 0 ? this.state.user["password"] : null;
let groups = Object.keys(this.state.user.groups);
let confirmed = this.state.user["confirmed"];
this.setState({ ...this.state, isSaving: true});
this.parent.api.editUser(id, username, email, password, groups).then((res) => {
this.parent.api.editUser(id, username, email, password, groups, confirmed).then((res) => {
let alerts = this.state.alerts.slice();
if (res.success) {
@ -262,6 +268,15 @@ export default class EditUser extends React.Component {
</span>
</div>
<div className={"form-check"}>
<input type={"checkbox"} className={"form-check-input"}
onChange={this.onChangeInput.bind(this)}
id={"confirmed"} name={"confirmed"} checked={this.state.user.confirmed}/>
<label className={"form-check-label"} htmlFor={"confirmed"}>
Confirmed
</label>
</div>
<Link to={"/admin/users"} className={"btn btn-info mt-2 mr-2"}>
<Icon icon={"arrow-left"}/>
&nbsp;Back

@ -167,6 +167,8 @@ export default class UserOverview extends React.Component {
}
let user = this.state.users.data[uid];
let confirmedIcon = <Icon icon={user["confirmed"] ? "check" : "times"}/>;
let groups = [];
for (let groupId in user.groups) {
@ -193,6 +195,7 @@ export default class UserOverview extends React.Component {
{getPeriodString(user["registered_at"])}
</span>
</td>
<td className={"text-center"}>{confirmedIcon}</td>
<td>
<Link to={"/admin/user/edit/" + uid} className={"text-reset"}>
<Icon icon={"pencil-alt"} data-effect={"solid"}
@ -212,6 +215,7 @@ export default class UserOverview extends React.Component {
<td/>
<td/>
<td/>
<td/>
</tr>
);
}
@ -251,6 +255,7 @@ export default class UserOverview extends React.Component {
<th>Email</th>
<th>Groups</th>
<th>Registered</th>
<th className={"text-center"}>Confirmed</th>
<th><Icon icon={"tools"} /></th>
</tr>
</thead>