From 8994032a68da279acdcc22963d7d6eda2d0e59f8 Mon Sep 17 00:00:00 2001 From: Yorhel Date: Sun, 10 Jan 2016 11:05:59 +0100 Subject: Require current password on /u+/edit + only hash password once on /u+/setpass --- lib/VNDB/Handler/Users.pm | 10 +++++++++- lib/VNDB/Util/Auth.pm | 35 ++++++++++++++++++++++------------- 2 files changed, 31 insertions(+), 14 deletions(-) (limited to 'lib/VNDB') diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm index 6b30db7b..0228b003 100644 --- a/lib/VNDB/Handler/Users.pm +++ b/lib/VNDB/Handler/Users.pm @@ -166,6 +166,7 @@ sub login { ); if(!$frm->{_err}) { + $frm->{usrname} = lc $frm->{usrname}; return if $self->authLogin($frm->{usrname}, $frm->{usrpass}, $ref); $frm->{_err} = [ 'login_failed' ]; $self->dbThrottleSet(norm_ip($self->reqIP), $tm+$self->{login_throttle}[0]); @@ -269,7 +270,7 @@ sub setpass { my %o = (email_confirmed => 1); $o{passwd} = $self->authPreparePass($frm->{usrpass}); $self->dbUserEdit($uid, %o); - return $self->authLogin($u->{username}, $frm->{usrpass}, "/u$uid"); + return $self->authCreateSession($u->{username}, "/u$uid"); } } @@ -369,6 +370,7 @@ sub edit { { post => 'ign_votes', required => 0, default => 0 }, ) : (), { post => 'mail', template => 'email' }, + { post => 'curpass', required => 0, minlength => 4, maxlength => 64, template => 'ascii', default => '' }, { post => 'usrpass', required => 0, minlength => 4, maxlength => 64, template => 'ascii' }, { post => 'usrpass2', required => 0, minlength => 4, maxlength => 64, template => 'ascii' }, { post => 'hide_list', required => 0, default => 0, enum => [0,1] }, @@ -382,6 +384,10 @@ sub edit { ); push @{$frm->{_err}}, 'passmatch' if ($frm->{usrpass} || $frm->{usrpass2}) && (!$frm->{usrpass} || !$frm->{usrpass2} || $frm->{usrpass} ne $frm->{usrpass2}); + push @{$frm->{_err}}, 'invalidpass' + if !($self->authInfo->{id} != $u->{id} && $self->authCan('usermod')) + && ($frm->{usrpass} || $frm->{usrpass2}) && !$self->authCheck($u->{username}, $frm->{curpass}); + if(!$frm->{_err}) { $frm->{skin} = '' if $frm->{skin} eq $self->{skin_default}; $self->dbUserPrefSet($uid, $_ => $frm->{$_}) for (qw|skin customcss show_nsfw traits_sexual tags_all hide_list spoilers|); @@ -410,6 +416,7 @@ sub edit { $frm->{tags_cat} ||= [ split /,/, $u->{prefs}{tags_cat}||$self->{default_tags_cat} ]; $frm->{ign_votes} = $u->{ign_votes} if !defined $frm->{ign_votes}; $frm->{skin} ||= $self->{skin_default}; + $frm->{usrpass} = $frm->{usrpass2} = $frm->{curpass} = ''; # create the page $self->htmlHeader(title => mt('_usere_title'), noindex => 1); @@ -436,6 +443,7 @@ sub edit { [ part => title => mt '_usere_changepass' ], [ static => content => mt '_usere_changepass_msg' ], + [ passwd => short => 'curpass', name => mt '_usere_curpass' ], [ passwd => short => 'usrpass', name => mt '_usere_password' ], [ passwd => short => 'usrpass2', name => mt '_usere_confirm' ], diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index 0c3b5b73..9c742dc7 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm @@ -14,7 +14,7 @@ use VNDB::Func; our @EXPORT = qw| - authInit authLogin authLogout authInfo authCan authPreparePass + authInit authLogin authLogout authInfo authCan authPreparePass authCreateSession authCheck authPrepareReset authValidateReset authGetCode authCheckCode authPref |; @@ -50,18 +50,10 @@ sub authInit { # login, arguments: user, password, url-to-redirect-to-on-success # returns 1 on success (redirected), 0 otherwise (no reply sent) sub authLogin { - my $self = shift; - my $user = lc(scalar shift); - my $pass = shift; - my $to = shift; - - if(_authCheck($self, $user, $pass)) { - my $token = urandom(20); - my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id}; - $self->dbSessionAdd($self->{_auth}{id}, sha1 $token); + my($self, $user, $pass, $to) = @_; - $self->resRedirect($to, 'post'); - $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year + if($self->authCheck($user, $pass)) { + $self->authCreateSession($user, $to); return 1; } @@ -69,6 +61,23 @@ sub authLogin { } +# Args: user, url-to-redirect-to-on-success +# Should only be called if the user is already authenticated (i.e. after authCheck or when the user just confirmed his email address). +sub authCreateSession { + my($self, $user, $to) = @_; + + $self->{_auth} = $self->dbUserGet(username => $user, what => 'extended notifycount')->[0] if $user; + die "No valid user!" if !$self->{_auth}{id}; + + my $token = urandom(20); + my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id}; + $self->dbSessionAdd($self->{_auth}{id}, sha1 $token); + + $self->resRedirect($to, 'post'); + $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year +} + + # clears authentication cookie and redirects to / sub authLogout { my $self = shift; @@ -104,7 +113,7 @@ sub authCan { # Checks for a valid login and writes information in _auth # Arguments: user, pass # Returns: 1 if login is valid, 0 otherwise -sub _authCheck { +sub authCheck { my($self, $user, $pass) = @_; return 0 if !$user || length($user) > 15 || length($user) < 2 || !$pass; -- cgit v1.2.3