[Bps-public-commit] rt-extension-resetpassword branch, sha256-instead-of-md5-for-token-generation, updated. 1.04-20-g66122af
Dianne Skoll
dianne at bestpractical.com
Fri Sep 11 11:06:09 EDT 2020
The branch, sha256-instead-of-md5-for-token-generation has been updated
via 66122afab012c331a2c7f1b96fb004ac3487cc16 (commit)
from b2aa780f9bc7449825be589368b9c60cc47a423f (commit)
Summary of changes:
html/NoAuth/ResetPassword/Reset/dhandler | 28 +++++++++++++++++++++++++++-
lib/RT/Extension/ResetPassword.pm | 6 ++++++
2 files changed, 33 insertions(+), 1 deletion(-)
- Log -----------------------------------------------------------------
commit 66122afab012c331a2c7f1b96fb004ac3487cc16
Author: Dianne Skoll <dianne at bestpractical.com>
Date: Fri Sep 11 11:05:44 2020 -0400
Make the password-change link expire after a configurable interval (default 4 hours)
diff --git a/html/NoAuth/ResetPassword/Reset/dhandler b/html/NoAuth/ResetPassword/Reset/dhandler
index 29b1727..5436468 100644
--- a/html/NoAuth/ResetPassword/Reset/dhandler
+++ b/html/NoAuth/ResetPassword/Reset/dhandler
@@ -21,6 +21,22 @@ else {
$show_form = 0;
}
+# Calculate time difference between now and when user object was updated
+my $age = $u->LastUpdatedObj->Diff;
+if (!defined($age)) {
+ # Could not get the time difference; make age negative which should
+ # be impossible; we'll catch it below
+ $age = -1000000;
+} else {
+ # The time difference returned by Diff should be negative, so correct
+ if ($age > 0) {
+ # Impossible... someone turned back the machine's clock
+ $age = -1000000;
+ } else {
+ $age = -1 * $age;
+ }
+}
+
# If the token validation fails, throw them an error
if ( $submitted_token ne $token ) {
push @results,
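Review bot: the two failure cases in this hunk (Diff returning undef, and a positive Diff meaning LastUpdated is in the future) are both collapsed into the magic value `$age = -1000000`, which only works because a later check treats any negative age as expired; a named constant or simply leaving `$age` undef and testing `!defined $age` would make the intent explicit and avoid a sentinel that is silently "valid" if anyone ever changes the comparison. Both branches should also log (e.g. via `RT->Logger->warning`) before setting the sentinel: an unset LastUpdated or a clock that has gone backwards is exactly the kind of condition an operator wants to see in the log rather than have it surface only as a generic "link expired" message to the user. The comment "The time difference returned by Diff should be negative" is correct for a LastUpdated in the past, but note that a Diff of exactly 0 (same second) is handled as age 0 and not as clock skew, which is the right behaviour and worth a word in the comment.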
@@ -30,7 +46,17 @@ if ( $submitted_token ne $token ) {
$show_form = 0;
}
-# if the validation succeeds, continue on
+# If the link has expired, throw the same error. Default expiry time is 4 hours
+elsif ( ($age < 0) ||
+ ($age > (RT->Config->Get('PasswordChangeLinkExpirySeconds') || (4*60*60)))) {
+ push @results,
+ loc(
+ "It looks like the URL you clicked on has expired or wasn't quite right. Maybe you didn't paste the whole thing?"
+ );
+ $show_form = 0;
+}
+
+# Link is valid and has not expired
else {
# If they've supplied a new password twice, change it and redirect to home
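Review bot: `PasswordChangeLinkExpirySeconds` is a new configuration option but nothing in this patch documents it (no POD or README entry in `ResetPassword.pm`), so administrators have no way to discover it; add a short description with the default, e.g. `Set($PasswordChangeLinkExpirySeconds, 4*60*60);`. The fallback `|| (4*60*60)` also means a configured value of 0 is indistinguishable from "not set" and yields the 4-hour default rather than an immediately expiring link; either document that 0 is not a valid setting or use `// 4*60*60` so only an undefined value falls back. The expiry check being an `elsif` after the token comparison, and reusing the identical error string, is the right ordering: an attacker cannot learn whether a guessed token was valid-but-expired versus simply wrong, and the expired case never reaches the form. Consider hoisting the shared message into a variable so the two branches cannot drift apart in a later edit.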
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 38e165e..2009c12 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -27,6 +27,12 @@ sub CreateToken {
sub CreateTokenAndResetPassword {
my $user = shift;
+ # Update the LastUpdated time in the $user so that we can
+ # expire the password-change link that gets sent out. We
+ # need to do this before we create the token because $user->LastUpdated
+ # is part of the token hash
+ $user->_SetLastUpdated();
+
my $token = CreateToken($user);
return unless $token; # CreateToken will log error
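Review bot: `$user->_SetLastUpdated()` is a leading-underscore method, i.e. private to the record class, and its return value is not checked; if the update fails (for example on a read-only or failing database) the code continues to `CreateToken($user)` with a stale LastUpdated, producing a link whose expiry window is measured from the wrong time. Check the result and bail out with a logged error the same way the `return unless $token` line does. The comment should also spell out the security consequence that follows from LastUpdated being part of the token hash: requesting a new reset invalidates every previously issued link for that user, and any other modification to the user record before the link is clicked invalidates it too, so a successful password change makes the link single-use. That is desirable behaviour, but it should be stated in the extension's documentation rather than left implicit in a code comment.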
-----------------------------------------------------------------------