authelia/internal/handlers/handler_reset_password_step2.go

114 lines
3.1 KiB
Go
Raw Normal View History

package handlers
import (
"fmt"
"regexp"
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/utils"
)
// ResetPasswordPost handler for resetting passwords.
func ResetPasswordPost(ctx *middlewares.AutheliaCtx) {
userSession := ctx.GetSession()
// Those checks unsure that the identity verification process has been initiated and completed successfully
// otherwise PasswordReset would not be set to true. We can improve the security of this check by making the
// request expire at some point because here it only expires when the cookie expires.
if userSession.PasswordResetUsername == nil {
ctx.Error(fmt.Errorf("no identity verification process has been initiated"), messageUnableToResetPassword)
return
}
var requestBody resetPasswordStep2RequestBody
err := ctx.ParseBody(&requestBody)
if err != nil {
ctx.Error(err, messageUnableToResetPassword)
return
}
if err := validatePassword(ctx, requestBody.Password); err != nil {
ctx.Error(err, messagePasswordWeak)
return
}
err = ctx.Providers.UserProvider.UpdatePassword(*userSession.PasswordResetUsername, requestBody.Password)
if err != nil {
switch {
case utils.IsStringInSliceContains(err.Error(), ldapPasswordComplexityCodes),
utils.IsStringInSliceContains(err.Error(), ldapPasswordComplexityErrors):
ctx.Error(err, ldapPasswordComplexityCode)
default:
ctx.Error(err, messageUnableToResetPassword)
}
return
}
ctx.Logger.Debugf("Password of user %s has been reset", *userSession.PasswordResetUsername)
// Reset the request.
userSession.PasswordResetUsername = nil
err = ctx.SaveSession(userSession)
if err != nil {
ctx.Error(fmt.Errorf("unable to update password reset state: %s", err), messageOperationFailed)
return
}
ctx.ReplyOK()
}
// validatePassword validates if the password met the password policy rules.
func validatePassword(ctx *middlewares.AutheliaCtx, password string) error {
// password validation applies only to standard passwor policy.
if !ctx.Configuration.PasswordPolicy.Standard.Enabled {
return nil
}
requireLowercase := ctx.Configuration.PasswordPolicy.Standard.RequireLowercase
requireUppercase := ctx.Configuration.PasswordPolicy.Standard.RequireUppercase
requireNumber := ctx.Configuration.PasswordPolicy.Standard.RequireNumber
requireSpecial := ctx.Configuration.PasswordPolicy.Standard.RequireSpecial
minLength := ctx.Configuration.PasswordPolicy.Standard.MinLength
maxlength := ctx.Configuration.PasswordPolicy.Standard.MaxLength
var patterns []string
if (minLength > 0 && len(password) < minLength) || (maxlength > 0 && len(password) > maxlength) {
return errPasswordPolicyNoMet
}
if requireLowercase {
patterns = append(patterns, "[a-z]+")
}
if requireUppercase {
patterns = append(patterns, "[A-Z]+")
}
if requireNumber {
patterns = append(patterns, "[0-9]+")
}
if requireSpecial {
patterns = append(patterns, "[^a-zA-Z0-9]+")
}
for _, pattern := range patterns {
re, err := regexp.Compile(pattern)
if err != nil {
return err
}
if found := re.MatchString(password); !found {
return errPasswordPolicyNoMet
}
}
return nil
}