From f153498bf4884d956944fa20375bfab8facb812f Mon Sep 17 00:00:00 2001
From: yukirij
Date: Tue, 1 Oct 2024 12:40:30 -0700
Subject: [PATCH] Fail login on password reset.
---
 server/src/manager/data.rs | 75 +++++++++++++++++++-------------------
 1 file changed, 38 insertions(+), 37 deletions(-)
diff --git a/server/src/manager/data.rs b/server/src/manager/data.rs
index 0d0b0c7..eff3764 100644
--- a/server/src/manager/data.rs
+++ b/server/src/manager/data.rs
@@ -225,6 +225,7 @@ pub async fn thread_system(mut app:App, bus:Bus)
 // [TEMPORARY] WORKAROUND FOR PASSWORD RESET
 if user.secret.is_empty() {
+ println!("Password reset: {}", user.handle);
 if let Ok(secret) = argon2::hash_raw(&request.secret.as_bytes(), &salt, &argon_config) {
 user.secret = secret;
 if if let Some(app_user) = app.users.get_mut(tuid) {
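Review bot: The added log line on the reset path is a bare message while the other messages in this function carry a `notice:`/`error:` prefix and, on the success path, the user id; `println!("notice: password reset for user '{}' id {}.", user.handle, uid);` keeps it filterable alongside them (`uid` is used a few lines later in the same block). Because this `[TEMPORARY]` workaround stores whatever secret the first request for an empty-secret account supplies, with no out-of-band proof visible in the hunk, this line is the only record of who claimed the account, so it is worth making it as correlatable as the "Authenticated user" line. Nothing in the hunk sets `response.status` on this path, so presumably the client receives the same outcome as a failed verification; stating that in the workaround comment would save the next reader from checking. The enclosing `thread_system` body starts before the hunk and continues past it.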
@@ -234,53 +235,53 @@ pub async fn thread_system(mut app:App, bus:Bus)
 app.filesystem.user_update(uid, &user).ok();
 }
 }
- }
+ } else {
+ // Verify salted secret against user data
+ if argon2::verify_raw(&request.secret.as_bytes(), &salt, &user.secret, &argon_config).unwrap_or(false) {
+ println!("Authenticated user '{}' id {}", user.handle, uid);
- // Verify salted secret against user data
- if argon2::verify_raw(&request.secret.as_bytes(), &salt, &user.secret, &argon_config).unwrap_or(false) {
- println!("Authenticated user '{}' id {}", user.handle, uid);
+ // Generate authentication token and secret
+ response.status = STATUS_OK;
+ rng.fill(&mut response.secret).ok();
+ loop {
+ rng.fill(&mut response.token).ok();
- // Generate authentication token and secret
- response.status = STATUS_OK;
- rng.fill(&mut response.secret).ok();
- loop {
- rng.fill(&mut response.token).ok();
-
- if app.auths.get(&response.token).is_none() {
- app.auths.set(&response.token, Authentication {
- key:response.token,
- secret:response.secret,
- user:uid,
- });
- break;
+ if app.auths.get(&response.token).is_none() {
+ app.auths.set(&response.token, Authentication {
+ key:response.token,
+ secret:response.secret,
+ user:uid,
+ });
+ break;
+ }
 }
- }
- // Mark send status.
- send_user_status.push(uid);
-
- // Attach authentication to connection.
- if let Some(conn) = app.connections.get_mut(qr.id as usize) {
- conn.auth = Some(response.token);
- if let Some(cid) = user.connection {
- conn.prev = cid;
+ // Mark send status.
+ send_user_status.push(uid);
+
+ // Attach authentication to connection.
+ if let Some(conn) = app.connections.get_mut(qr.id as usize) {
+ conn.auth = Some(response.token);
+ if let Some(cid) = user.connection {
+ conn.prev = cid;
+ }
 }
- }
- // Add connection to chain.
- if let Some(user_cid) = user.connection {
- if let Some(existing) = app.connections.get(user_cid as usize).cloned() {
- if let Some(conn) = app.connections.get_mut(qr.id as usize) {
- conn.next = existing.next;
+ // Add connection to chain.
+ if let Some(user_cid) = user.connection {
+ if let Some(existing) = app.connections.get(user_cid as usize).cloned() {
+ if let Some(conn) = app.connections.get_mut(qr.id as usize) {
+ conn.next = existing.next;
+ }
+ }
+ } else {
+ if let Some(user) = app.users.get_mut(tuid) {
+ user.connection = Some(qr.id);
 }
 }
 } else {
- if let Some(user) = app.users.get_mut(tuid) {
- user.connection = Some(qr.id);
- }
+ println!("notice: password verification failed.");
 }
- } else {
- println!("notice: password verification failed.");
 }
 } else {
 println!("error: user salt id '{}' not found.", user.na_key);
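Review bot: Both `rng.fill(...)` calls in the new else-branch discard their result with `.ok()`, so if the RNG fails the token and secret keep whatever bytes the `response` fields already held, yet the token is still registered in `app.auths` and returned with `STATUS_OK`. An RNG failure should end the login the same way a wrong password does; the token-issuing lines are sketched below (the type of `rng` is not visible here, so the sketch assumes `fill` returns a `Result`). Separately, the failure notice in the inner else drops the handle that the success path logs, `println!("notice: password verification failed for user '{}' id {}.", user.handle, uid);` keeps the two outcomes correlatable, and `unwrap_or(false)` reports an argon2 error with the same message as a wrong password, which deserves its own `error:` line. The `} else { if ... {` nesting can be written `} else if ... {` (clippy `collapsible_else_if`). `thread_system` starts before the hunk and continues past it.
```rust
// … unchanged: verify_raw check and "Authenticated user" log …
// Treat RNG failure as a failed login rather than issuing whatever bytes
// response.secret / response.token already held.
let mut token_ok = rng.fill(&mut response.secret).is_ok();
while token_ok {
    if rng.fill(&mut response.token).is_err() {
        token_ok = false;
        break;
    }
    // … unchanged: uniqueness check, app.auths.set(...), break …
}
if token_ok {
    response.status = STATUS_OK;
    // … unchanged: send_user_status, attach authentication, add connection to chain …
} else {
    println!("error: rng failure while issuing token for user '{}' id {}.", user.handle, uid);
}
```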