[Bps-public-commit] rt-extension-resetpassword branch, sha256-instead-of-md5-for-token-generation, created. 1.04-18-g2754310
Dianne Skoll
dianne at bestpractical.com
Fri Sep 4 14:15:45 EDT 2020
The branch, sha256-instead-of-md5-for-token-generation has been created
at 2754310da63d4a15609748bbbe1440e0f6ae20bc (commit)
- Log -----------------------------------------------------------------
commit 2754310da63d4a15609748bbbe1440e0f6ae20bc
Author: Dianne Skoll <dianne at bestpractical.com>
Date: Fri Sep 4 14:15:02 2020 -0400
Refactor code to avoid duplicating token-generating code.
Also, use SHA256 as the hash function instead of MD5.
diff --git a/html/NoAuth/ResetPassword/Reset/dhandler b/html/NoAuth/ResetPassword/Reset/dhandler
index ad19b0a..29b1727 100644
--- a/html/NoAuth/ResetPassword/Reset/dhandler
+++ b/html/NoAuth/ResetPassword/Reset/dhandler
@@ -1,4 +1,6 @@
<%init>
+use RT::Extension::ResetPassword;
+
# The URL They're visitng
# @{[$RT::WebURL]}/NoAuth/Reset/@{[$token]}/@{[$u->id]}
my @results;
@@ -11,9 +13,7 @@ my $token;
my $u = RT::User->new($RT::SystemUser);
$u->LoadByCols( id => $id );
if ( $u->id ) {
- $token = Digest::MD5->new()->add( $u->id, $u->__Value('Password'),
- $RT::DatabasePassword, $u->LastUpdated,
- @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset' )->hexdigest();
+ $token = RT::Extension::ResetPassword::CreateToken($u) || '';
}
else {
push @results,
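Review bot: `RT::Extension::ResetPassword::CreateToken($u) || ''` on the added line turns a failed token computation into the empty string instead of aborting; the `$u->id` guard just above is the same condition CreateToken checks, so the fallback is probably unreachable, but the comparison against the token from the URL happens later in this dhandler, outside the hunk, and if it is a plain `eq` an empty `$token` should be rejected explicitly rather than allowed to take part in the match, e.g. `push @results, loc("Could not create reset token") unless $token;`. The `@{[$RT::WebPath]}` idiom in the removed lines (and carried into the new CreateToken) is only needed inside an interpolated string; as a bare list element `$RT::WebPath . '/NoAuth/ResetPassword/Reset'` reads more plainly. Switching the digest from MD5 to SHA-256 also means every reset link emailed before the upgrade will no longer validate, which is worth stating in the changelog so a mismatch right after deployment is not mistaken for an attack.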
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 21fdfdf..38e165e 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -3,23 +3,32 @@ package RT::Extension::ResetPassword;
use strict;
use warnings;
+use Digest::SHA qw(sha256_hex);
+
our $VERSION = '1.06';
-sub CreateTokenAndResetPassword {
+sub CreateToken {
my $user = shift;
unless ( $user && $user->Id ) {
- RT::Logger->error( "Need to provide a loaded RT::User object for CreateTokenAndResetPassword." );
- return;
+ RT::Logger->error( "Need to provide a loaded RT::User object for CreateToken" );
+ return undef;
}
- my $token = Digest::MD5->new()->add(
+ return sha256_hex(
$user->id,
$user->__Value('Password'),
$RT::DatabasePassword,
$user->LastUpdated,
@{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
- )->hexdigest();
+ );
+}
+
+sub CreateTokenAndResetPassword {
+ my $user = shift;
+
+ my $token = CreateToken($user);
+ return unless $token; # CreateToken will log error
my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
To => $user->EmailAddress,