[Bps-public-commit] rt-extension-resetpassword branch, sha256-instead-of-md5-for-token-generation, created. 1.04-19-gb2aa780
Dianne Skoll
dianne at bestpractical.com
Fri Sep 4 15:31:55 EDT 2020
The branch, sha256-instead-of-md5-for-token-generation has been created
at b2aa780f9bc7449825be589368b9c60cc47a423f (commit)
- Log -----------------------------------------------------------------
commit 3ca50515c05f972fb870b4d63b97771a939b501a
Author: Dianne Skoll <dianne at bestpractical.com>
Date: Fri Sep 4 14:15:02 2020 -0400
Refactor code to avoid duplicating token-generating code.
diff --git a/html/NoAuth/ResetPassword/Reset/dhandler b/html/NoAuth/ResetPassword/Reset/dhandler
index ad19b0a..29b1727 100644
--- a/html/NoAuth/ResetPassword/Reset/dhandler
+++ b/html/NoAuth/ResetPassword/Reset/dhandler
@@ -1,4 +1,6 @@
<%init>
+use RT::Extension::ResetPassword;
+
# The URL They're visitng
# @{[$RT::WebURL]}/NoAuth/Reset/@{[$token]}/@{[$u->id]}
my @results;
@@ -11,9 +13,7 @@ my $token;
my $u = RT::User->new($RT::SystemUser);
$u->LoadByCols( id => $id );
if ( $u->id ) {
- $token = Digest::MD5->new()->add( $u->id, $u->__Value('Password'),
- $RT::DatabasePassword, $u->LastUpdated,
- @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset' )->hexdigest();
+ $token = RT::Extension::ResetPassword::CreateToken($u) || '';
}
else {
push @results,
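Review bot: The `|| ''` on the new `$token = RT::Extension::ResetPassword::CreateToken($u) || '';` line turns a failed token generation into an empty-string token and lets the request continue as if generation succeeded; only the log carries the error. Whether an empty `$token` is later treated as a valid value depends on the comparison further down this handler, which is outside the hunk, so the safe form is to fail the same way the `else` branch does, e.g. `$token = RT::Extension::ResetPassword::CreateToken($u);` followed by `push @results, "Unable to generate a reset token" unless $token;` (message text is a constructed example). The surrounding `if ( $u->id ) { … } else { … }` continues past the end of the hunk.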
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 21fdfdf..34928b1 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -5,21 +5,27 @@ use warnings;
our $VERSION = '1.06';
-sub CreateTokenAndResetPassword {
+sub CreateToken {
my $user = shift;
unless ( $user && $user->Id ) {
- RT::Logger->error( "Need to provide a loaded RT::User object for CreateTokenAndResetPassword." );
- return;
+ RT::Logger->error( "Need to provide a loaded RT::User object for CreateToken" );
+ return undef;
}
-
- my $token = Digest::MD5->new()->add(
+ return Digest::MD5->new()->add(
$user->id,
$user->__Value('Password'),
$RT::DatabasePassword,
$user->LastUpdated,
@{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
- )->hexdigest();
+ )->hexdigest();
+}
+
+sub CreateTokenAndResetPassword {
+ my $user = shift;
+
+ my $token = CreateToken($user);
+ return unless $token; # CreateToken will log error
my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
To => $user->EmailAddress,
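Review bot: The new `CreateToken` replaces the original `return;` with `return undef;`, which in list context yields a one-element list `(undef)` rather than an empty list, so a caller doing `if (my @t = CreateToken($user))` would see success; `return;` keeps both contexts correct. The new `CreateTokenAndResetPassword` already relies on scalar assignment (`my $token = CreateToken($user);`) so it is unaffected, but the dhandler and future callers would not be. A one-line comment above the `return Digest::MD5->new()->add(` call would also help: `# Token is a deterministic digest of user id, stored password hash, DB password, LastUpdated and the reset path, so it changes when the password or LastUpdated changes.` The body of `CreateTokenAndResetPassword` continues beyond the end of the hunk.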
commit b2aa780f9bc7449825be589368b9c60cc47a423f
Author: Dianne Skoll <dianne at bestpractical.com>
Date: Fri Sep 4 15:31:39 2020 -0400
Use SHA256 instead of MD5 to generate the token.
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 34928b1..38e165e 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -3,6 +3,8 @@ package RT::Extension::ResetPassword;
use strict;
use warnings;
+use Digest::SHA qw(sha256_hex);
+
our $VERSION = '1.06';
sub CreateToken {
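Review bot: After the switch to `sha256_hex` nothing in this module appears to use `Digest::MD5` any more, yet the hunk only adds `use Digest::SHA qw(sha256_hex);`; if a `use Digest::MD5;` or a `Digest::MD5` prerequisite in the module's build metadata remains (neither is visible here), it should be dropped and `Digest::SHA` declared in its place. `Digest::SHA` is core, so the `use` line is fine as written.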
@@ -12,13 +14,14 @@ sub CreateToken {
RT::Logger->error( "Need to provide a loaded RT::User object for CreateToken" );
return undef;
}
- return Digest::MD5->new()->add(
+
+ return sha256_hex(
$user->id,
$user->__Value('Password'),
$RT::DatabasePassword,
$user->LastUpdated,
@{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
- )->hexdigest();
+ );
}
sub CreateTokenAndResetPassword {
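Review bot: `sha256_hex( LIST )` concatenates its arguments with no delimiter, so adjacent fields (user id, password hash, `$RT::DatabasePassword`, `LastUpdated`) are hashed without any boundary between them; inserting an unambiguous separator removes that ambiguity, e.g. `return sha256_hex( join( "\0", $user->id, $user->__Value('Password'), $RT::DatabasePassword, $user->LastUpdated, $RT::WebPath . '/NoAuth/ResetPassword/Reset' ) );`. Since this commit already changes the digest algorithm, presumably invalidating any outstanding MD5-based tokens, adding the delimiter now carries no extra compatibility cost. The `@{[$RT::WebPath]}` form is a string-interpolation idiom used outside a string here; plain `$RT::WebPath` reads the same value. Callers that compare the returned token against a user-supplied value are outside this hunk and are worth checking separately for a constant-time comparison.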