authorYorhel <git@yorhel.nl>2019-10-03 13:33:04 +0200
committerYorhel <git@yorhel.nl>2019-10-03 15:08:56 +0200
commit0965af5fd74cf53503bb7ae0262d31c25f894385 (patch)
tree771bb390d19521bce14874ca2c55fb3ba51bce56 /lib/VNWeb/Auth.pm
parent97bfe01c28df6df181aa3fa6e4e9cecd983efb11 (diff)
SQL: Add session types + use sessions for password reset tokens
This improves the password reset workflow a bit. The users.passwd field is no longer used for reset tokens, so the current password is not affected until the user actually clicks the link and changes it. It is now also possible to have multiple active password reset tokens, in case one of the emails got lost. All existing tokens are invalidated when the user finally changes their password. Tokens are now valid for at most 1 week instead of indefinitely.
Diffstat (limited to 'lib/VNWeb/Auth.pm')
-rw-r--r--lib/VNWeb/Auth.pm9
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/VNWeb/Auth.pm b/lib/VNWeb/Auth.pm
index 50ad6bc6..0b43074a 100644
--- a/lib/VNWeb/Auth.pm
+++ b/lib/VNWeb/Auth.pm
@@ -152,7 +152,7 @@ sub _load_session {
my $user = $uid ? tuwf->dbRowi(
'SELECT id, username, perm FROM users
WHERE id = ', \$uid,
- 'AND', sql_func(user_isloggedin => 'id', sql_fromhex($token_db))
+ 'AND', sql_func(user_isvalidsession => 'id', sql_fromhex($token_db), \'web')
) : {};
# Drop the cookie if it's not valid
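Review bot: The cookie-supplied `$token_db` goes straight into `sql_fromhex(...)` on the new line, and if it is not already constrained to hex characters before this hunk, a tampered cookie turns into a database error instead of reaching the "drop the cookie" path below. _load_session starts and ends outside this hunk, so that earlier check may well exist; if it does not, a guard such as `$uid = undef unless $token_db =~ /\A[0-9a-f]+\z/;` before the query keeps malformed cookies on the logout path. The new `\'web'` argument is the right place for the type check, since a 'pass' token must never be accepted as a web session.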
@@ -198,9 +198,8 @@ sub logout {
}
-# Replaces the user's password with a random token that can be used to reset
-# the password. Returns ($uid, $token) if the email address is found in the DB,
-# () otherwise.
+# Create a random token that can be used to reset the password.
+# Returns ($uid, $token) if the email address is found in the DB, () otherwise.
sub resetpass {
my(undef, $mail) = @_;
my $token = unpack 'H*', urandom(20);
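Review bot: The rewritten comment drops two properties a reader of this sub needs: that the token is stored hashed as a 'pass' session and that it expires, both of which are only visible from the commit message and from the `sha1_hex` in isvalidtoken further down. Suggest `# Create a random token that can be used to reset the password. Only the hash is stored, as a 'pass' session with a limited lifetime; the plaintext is returned once for mailing.` above the sub. The distinct return value for an unknown address (`()` versus `($uid, $token)`) is an account-enumeration signal if a caller reflects it in the response; that caller, and the rest of resetpass's body, are outside this hunk.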
@@ -215,7 +214,7 @@ sub resetpass {
sub isvalidtoken {
my(undef, $uid, $token) = @_;
tuwf->dbVali(
- select => sql_func(user_isvalidtoken => \$uid, sql_fromhex sha1_hex lc $token)
+ select => sql_func(user_isvalidsession => \$uid, sql_fromhex(sha1_hex lc $token), \'pass')
);
}
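Review bot: isvalidtoken only reports whether the token is currently valid; nothing here consumes it, so the password-change handler (outside this hunk) must re-validate and invalidate the 'pass' sessions in the same step rather than rely on an earlier true result, otherwise a token that passed this check remains replayable until the change completes. Both `\$uid` and the hashed token are passed as bound values, so the user-controlled inputs never reach the SQL text, and hashing before `sql_fromhex` means no hex validation of `$token` is needed. Suggest documenting the contract above the sub: `# Check whether a password reset token is (still) valid for this user. Does not consume the token; the password-change path must invalidate it.`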