author | Yorhel <git@yorhel.nl> | 2011-08-23 14:55:14 +0200 |
committer | Yorhel <git@yorhel.nl> | 2011-08-23 14:55:14 +0200 |
commit | 18c681f059389646d0b48b305ccf5e7622cb47e4 (patch) | |
tree | 61b631703f3c3c68913502decf56c752683c8a2d /lib/VNDB/Util/Auth.pm | |
parent | 341928b722fa6c276ae8c091aebd3f33cc2cbd60 (diff) |
Re-structured password recovery feature
Rather than automatically setting a password, reset the password and
send an email with a secure token instead. The password can then be set
again using this token.
This doesn't really have an advantage at this point, just makes the
interface and code more consistent when I update the registration code
to do something similar.
Diffstat (limited to 'lib/VNDB/Util/Auth.pm')
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 06ed1984..c7e8b973 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -13,7 +13,10 @@ use TUWF ':html';
 use VNDB::Func;
-our @EXPORT = qw| authInit authLogin authLogout authInfo authCan authPreparePass authGetCode authCheckCode authPref |;
+our @EXPORT = qw|
+ authInit authLogin authLogout authInfo authCan authPreparePass
+ authPrepareReset authValidateReset authGetCode authCheckCode authPref
+|;
 # initializes authentication information and checks the vndb_auth cookie
@@ -114,7 +117,7 @@ sub _authCheck {
 # Encryption algorithm for user passwords
 # Arguments: self, pass, salt
 # Returns: encrypted password (in hex)
-sub _authEncryptPass{
+sub _authEncryptPass {
 my($self, $pass, $salt, $bin) = @_;
 return sha256_hex($self->{global_salt} . encode_utf8($pass) . encode_utf8($salt));
 }
@@ -123,7 +126,7 @@ sub _authEncryptPass{
 # Prepares a plaintext password for database storage
 # Arguments: pass
 # Returns: list (pass, salt)
-sub authPreparePass{
+sub authPreparePass {
 my($self, $pass) = @_;
 my $salt = join '', map chr(rand(93)+33), 1..9;
 my $hash = _authEncryptPass($self, $pass, $salt);
@@ -131,6 +134,27 @@ sub authPreparePass{
 }
+# Generates a random token that can be used to reset the password.
+# Returns: token, token-encrypted, salt
+sub authPrepareReset {
+ my $self = shift;
+ my $token = sha1_hex(join('', Time::HiRes::gettimeofday()) . join('', map chr(rand(93)+33), 1..9));
+ my $salt = join '', map chr(rand(93)+33), 1..9;
+ my $token_e = sha1_hex(lc($token).$salt);
+ return ($token, $token_e, $salt);
+}
+
+
+# Checks whether the password reset token is valid.
+# Arguments: $u obj, token
+sub authValidateReset {
+ my($self, $u, $t) = @_;
+ return 0 if !$u->{salt} || !$u->{passwd} || length $u->{passwd} != 40
+ || lc sha1_hex(lc($t).$u->{salt}) ne lc $u->{passwd};
+ return 1;
+}
+
+
 # Generate a code to be used later on to validate that the form was indeed
 # submitted from our site and by the same user/visitor. Not limited to
 # logged-in users. |
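Review bot: The reset token in authPrepareReset is derived from rand() and gettimeofday(), neither of which is a cryptographically secure source, and a token that authorises a password change should come from OS randomness (e.g. 20 bytes of /dev/urandom, with sha1_hex then serving only as hex formatting), as in the rewrite below. authValidateReset carries no expiry: the token stays valid until $u->{passwd} is overwritten, which the reset flow presumably does elsewhere, so a timestamp check or at least a comment stating that assumption would help. The `length $u->{passwd} != 40` test encodes state implicitly; a comment such as `# a 40-char passwd (sha1 hex) marks a pending reset; real passwords are 64-char sha256 hex` would make the contract explicit. The nine-character `map chr(rand(93)+33), 1..9` salt generator is now duplicated with authPreparePass and could move into a small private helper.
```perl
sub authPrepareReset {
  my $self = shift;
  # Take the token from the OS CSPRNG instead of rand()/gettimeofday();
  # sha1_hex here only turns the 20 random bytes into 40 hex characters.
  open my $rnd, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
  read($rnd, my $bytes, 20) == 20 or die "short read from /dev/urandom: $!";
  close $rnd;
  my $token = sha1_hex($bytes);
  # … unchanged: $salt, $token_e and the return list …
}
```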