authorYorhel <git@yorhel.nl>2019-09-30 18:05:28 +0200
committerYorhel <git@yorhel.nl>2019-09-30 18:05:41 +0200
commit2d7e855cfb37f35cb2cd0f8f39754002c20c8a7c (patch)
treeb1ff536adee289c3b6e1a56c1f1a71acd1da6c87 /lib/VNDB/Handler/Users.pm
parent24e08e0f2caf8dede4a0c8a77b8ede1e13899785 (diff)
v2rw: Convert login, logout & insecure-password-change forms
The insecure-password-change flow is now slightly more friendly. The logout functionality has been hardened to use POST and require CSRF.
Diffstat (limited to 'lib/VNDB/Handler/Users.pm')
-rw-r--r--lib/VNDB/Handler/Users.pm61
1 files changed, 2 insertions, 59 deletions
diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index 5449669f..08c34245 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -13,8 +13,6 @@ use PWLookup;
TUWF::register(
qr{u([1-9]\d*)} => \&userpage,
- qr{u/login} => \&login,
- qr{u([1-9]\d*)/logout} => \&logout,
qr{u/newpass} => \&newpass,
qr{u/newpass/sent} => \&newpass_sent,
qr{u([1-9]\d*)/setpass} => \&setpass,
@@ -171,61 +169,6 @@ sub _check_throttle {
}
-sub login {
- my $self = shift;
-
- return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
-
- my $tm = _check_throttle($self);
- return if !defined $tm;
-
- my $ref = $self->formValidate({ param => 'ref', required => 0, default => '/'})->{ref};
-
- my $frm;
- if($self->reqMethod eq 'POST') {
- return if !$self->authCheckCode;
- $frm = $self->formValidate(
- { post => 'usrname', required => 1, minlength => 2, maxlength => 15 },
- { post => 'usrpass', required => 1, minlength => 4, maxlength => 500 },
- );
-
- if(!$frm->{_err}) {
- $frm->{usrname} = lc $frm->{usrname};
-
- my $ok = $self->authLogin($frm->{usrname}, $frm->{usrpass}, $ref);
-
- if($ok && $self->{password_db} && PWLookup::lookup($self->{password_db}, $frm->{usrpass})) {
- my $u = $self->dbUserGet(username => $frm->{usrname})->[0];
- $self->dbUserLogout($u->{id}, $ok); # Make sure to throw away the session we just created
- return $self->resRedirect("/u$u->{id}/setpass", 'post');
- }
- return if $ok;
-
- $frm->{_err} = [ 'Invalid username or password' ];
- $self->dbThrottleSet(norm_ip($self->reqIP), $tm+$self->{login_throttle}[0]);
- }
- }
-
- $self->htmlHeader(noindex => 1, title => 'Login');
- $self->htmlForm({ frm => $frm, action => '/u/login' }, login => [ 'Login',
- [ hidden => short => 'ref', value => $ref ],
- [ input => short => 'usrname', name => 'Username' ],
- [ static => content => '<a href="/u/register">No account yet?</a>' ],
- [ passwd => short => 'usrpass', name => 'Password' ],
- [ static => content => '<a href="/u/newpass">Forgot your password?</a>' ],
- ]);
- $self->htmlFooter;
-}
-
-
-sub logout {
- my $self = shift;
- my $uid = shift;
- return $self->resNotFound if !$self->authInfo->{id} || $self->authInfo->{id} != $uid;
- $self->authLogout;
-}
-
-
sub newpass {
my $self = shift;
@@ -282,9 +225,9 @@ sub newpass_sent {
}
-# /u+/setpass has two modes: With a token (?t=xxx), to set the password after a
+# /u+/setpass had two modes: With a token (?t=xxx), to set the password after a
# 'register' or 'newpass', or without a token, after the user tried to log in
-# with a weak password.
+# with a weak password (that mode has been moved into v2rw).
sub setpass {
my($self, $uid) = @_;
return $self->resRedirect('/', 'temp') if $self->authInfo->{id};
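Review bot: The rewritten comment above `sub setpass` now describes the handler by what it used to do ("had two modes") rather than what it does today, so the next reader still has to work out which mode is live here and which one left; state it in the present tense, e.g. `# /u+/setpass sets the password from a token (?t=xxx) issued by 'register' or 'newpass'. The token-less mode, used after a login with a weak password, now lives in v2rw.` If the token-less branch is still present further down in the body, it is unreachable from this handler now that the old login flow no longer redirects here, and removing it would keep the remaining token check as the single path into this handler; the hunk shows only the comment, so whether that branch was dropped cannot be confirmed from here. setpass's body continues outside the hunk.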