mbess/minauthator
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Activity Actions

feat(reset_password): add invitation and reset password activation basic flow

Browse source
This commit is contained in:
Matthieu Bessat 2024-12-02 18:39:00 +01:00
parent b956bdbf05
commit 8d20cab18f
14 changed files with 328 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
docs/draft.md
View file

@ -7,3 +7,47 @@ https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path
## Oauth2 test
-> authorize
# User flow
## Invitation flow
- Create invite
- generate A random
- user.reset_password_token = A
- user.status = "Invited"
- Send email with link to https://instance/reset-password?token=A&reason=invitation
- GET /reset-password?token=A&reason=invitation
- verification of token
- show form
- POST /reset-password
- BODY: with params token
- check token validity
- set new password hash
- if user.status == "invited"
- enable new account (user.status = "active")
- send welcome email
- redirect to login page with a message
- we need to redirect to the login page, so the user remember how to login later, and can
verify the setup of his/her password manager.
We can instead send link to https://instance/invitation?token=A
## Reset password flow
- Reset password request
- generate A random
- user.reset_password_token = A
- Send email with link to https://instance/reset-password?token=A&reason=lost_password
- GET /reset-password?token=A&reason=lost_password
- verification of token
- show form
- POST /reset-password
- BODY: with params token
- check token validity
- set new password hash
- redirect to login page with a message
- we need to redirect to the login page, so the user remember how to login later, and can
verify the setup of his/her password manager.
We can instead send link to https://instance/reset-password?token=A

1
lib/http_server/src/controllers/ui/mod.rs
View file

@ -6,3 +6,4 @@ pub mod me;
pub mod logout;
pub mod user_panel;
pub mod apps;
pub mod reset_password;

2
lib/http_server/src/controllers/ui/register.rs
View file

@ -51,7 +51,7 @@ pub async fn perform_register(
password_hash,
status: UserStatus::Active,
roles: Json(Vec::new()), // take the default role in the config
activation_token: None,
reset_password_token: None,
created_at: Utc::now(),
website: None,
last_login_at: None

139
lib/http_server/src/controllers/ui/reset_password.rs Normal file
View file

@ -0,0 +1,139 @@
use axum::{extract::{MatchedPath, Query, State}, http::StatusCode, response::{Html, IntoResponse, Redirect}, Extension, Form};
use log::{error, info};
use serde::{Deserialize, Serialize};
use minijinja::context;
use fully_pub::fully_pub;
use crate::{renderer::TemplateRenderer, AppState};
use kernel::models::user::{User, UserStatus};
use utils::get_password_hash;
#[derive(Debug, Deserialize, Serialize)]
#[fully_pub]
enum ResetPasswordReason {
LostPassword,
Invitation
}
#[derive(Debug, Deserialize, Serialize)]
#[fully_pub]
struct ResetPasswordQueryParams {
token: String
}
pub async fn reset_password_form(
State(app_state): State<AppState>,
path: MatchedPath,
Extension(renderer): Extension<TemplateRenderer>,
Query(query_params): Query<ResetPasswordQueryParams>
) -> impl IntoResponse {
let reason: ResetPasswordReason = match path.as_str() {
"/invitation" => ResetPasswordReason::Invitation,
"/reset-password" => ResetPasswordReason::LostPassword,
_ => unreachable!()
};
// 1. Verify token
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
.bind(&query_params.token)
.fetch_one(&app_state.db.0)
.await;
let _user = match user_res {
Ok(u) => u,
Err(sqlx::Error::RowNotFound) => {
return (
StatusCode::BAD_REQUEST,
Html("Invalid reset password token.")
).into_response();
},
Err(err) => {
error!("Failed to retreive user from reset password token. {}", err);
return (
StatusCode::INTERNAL_SERVER_ERROR,
Html("Internal server error: Failed to retreive user.")
).into_response();
}
};
renderer.render(
"pages/reset_password",
context!(
reason => reason,
token => query_params.token,
)
).into_response()
}
#[derive(Debug, Deserialize)]
#[fully_pub]
struct ResetPasswordForm {
token: String,
password: String,
password_confirmation: String
}
pub async fn perform_reset_password(
State(app_state): State<AppState>,
Form(reset_form): Form<ResetPasswordForm>
) -> impl IntoResponse {
// 1. Verify token
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
.bind(&reset_form.token)
.fetch_one(&app_state.db.0)
.await;
let user = match user_res {
Ok(u) => u,
Err(sqlx::Error::RowNotFound) => {
return (
StatusCode::BAD_REQUEST,
Html("Invalid reset password token.")
).into_response();
},
Err(err) => {
error!("Failed to retreive user from reset password token. {}", err);
return (
StatusCode::INTERNAL_SERVER_ERROR,
Html("Internal server error: Failed to retreive user.")
).into_response();
}
};
if reset_form.password != reset_form.password_confirmation {
return (
StatusCode::BAD_REQUEST,
Html("Form data error: The two passwords are differents.")
).into_response();
}
let password_hash = Some(
get_password_hash(reset_form.password)
.expect("To process password").1
);
if user.status == UserStatus::Invited {
info!("The password of an Invited user was set: activation of user account");
// TODO: send welcome email
}
let res = sqlx::query("UPDATE users
SET password_hash = $2, status = $3, reset_password_token = NULL
WHERE id = $1
")
.bind(user.id)
.bind(password_hash)
.bind(UserStatus::Active)
.execute(&app_state.db.0)
.await;
match res {
Err(err) => {
error!("Cannot update user: {}", err);
return (
StatusCode::INTERNAL_SERVER_ERROR,
Html("Internal server error: Failed to update user.")
).into_response();
},
Ok(_v) => {
info!("Changed user's password successfuly.");
}
};
// TODO: add either "Successfully changed password" or "Account enabled successfully" message
Redirect::to("/login").into_response()
}

3
lib/http_server/src/router.rs
View file

@ -19,6 +19,9 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
.route("/register", post(ui::register::perform_register))
.route("/login", get(ui::login::login_form))
.route("/login", post(ui::login::perform_login))
.route("/invitation", get(ui::reset_password::reset_password_form))
.route("/reset-password", get(ui::reset_password::reset_password_form))
.route("/reset-password", post(ui::reset_password::perform_reset_password))
.layer(middleware::from_fn_with_state(app_state.clone(), renderer_middleware))
.layer(middleware::from_fn_with_state(app_state.clone(), user_auth::auth_middleware));

11
lib/http_server/src/templates/pages/error.html Normal file
View file

@ -0,0 +1,11 @@
{% extends "layouts/base.html" %}
{% block body %}
<h1>Internal server error</h1>
{% if error %}
<div class="alert alert-danger">
We are sorry. We've rencountered an unrecoverable error.
</div>
{% endif %}
{% endblock %}

54
lib/http_server/src/templates/pages/reset_password.html Normal file
View file

@ -0,0 +1,54 @@
{% extends "layouts/base.html" %}
{% block body %}
{% if reason == "Invitation" %}
<h1>Invitation</h1>
{% endif %}
{% if reason == "LostPassword" %}
<h1>Reset your password</h1>
{% endif %}
<!-- Reset password form -->
{% if error %}
<div class="alert alert-danger">
Error: {{ error }}
</div>
{% endif %}
{% if info %}
<div class="alert alert-info">
Info: {{ info }}
</div>
{% endif %}
{% if reason == "Invitation" %}
<p>
Pour activer votre compte, veuillez définir votre mot de passe.
</p>
{% endif %}
{% if reason == "LostPassword" %}
<p>
Votre mot de passe est perdu, veuillez définir un nouveau mot de passe.
</p>
{% endif %}
<form id="reset-password-form" method="post" action="/reset-password">
<div class="mb-3">
<label for="password" class="form-label">New password</label>
<input
id="password" name="password" type="password"
required
class="form-control"
/>
</div>
<div class="mb-3">
<label for="password" class="form-label">New password confirmation</label>
<input
id="password_confirmation" name="password_confirmation" type="password"
required
class="form-control"
/>
</div>
<input
id="token" name="token" type="hidden"
value="{{ token }}"
/>
<button type="submit" class="btn btn-primary">Change password</button>
</form>
{% endblock %}

7
lib/kernel/src/models/user.rs
View file

@ -7,8 +7,9 @@ use sqlx::types::Json;
#[derive(strum_macros::Display)]
#[fully_pub]
enum UserStatus {
Active,
Disabled
Disabled,
Invited,
Active
}
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
@ -24,7 +25,7 @@ struct User {
password_hash: Option<String>, // argon2 password hash
status: UserStatus,
roles: Json<Vec<String>>,
activation_token: Option<String>,
reset_password_token: Option<String>,
last_login_at: Option<DateTime<Utc>>,
created_at: DateTime<Utc>

24
migrations/all.sql
View file

@ -1,18 +1,18 @@
DROP TABLE IF EXISTS users;
CREATE TABLE users (
id TEXT PRIMARY KEY,
handle TEXT NOT NULL UNIQUE,
full_name TEXT,
email TEXT UNIQUE,
website TEXT,
picture BLOB,
roles TEXT NOT NULL, -- json array of user roles
id TEXT PRIMARY KEY,
handle TEXT NOT NULL UNIQUE,
full_name TEXT,
email TEXT UNIQUE,
website TEXT,
picture BLOB,
roles TEXT NOT NULL, -- json array of user roles
status TEXT CHECK(status IN ('Active','Disabled')) NOT NULL DEFAULT 'Disabled',
password_hash TEXT,
activation_token TEXT,
last_login_at DATETIME,
created_at DATETIME NOT NULL
status TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
password_hash TEXT,
reset_password_token TEXT,
last_login_at DATETIME,
created_at DATETIME NOT NULL
);
DROP TABLE IF EXISTS authorizations;

2
tests/hurl_integration/scenario_1/init_db.sh
View file

@ -1,3 +1,5 @@
#!/usr/bin/bash
password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
echo $password_hash
SQL=$(cat <<EOF

9
tests/hurl_integration/user_invitation_scenario/config.toml Normal file
View file

@ -0,0 +1,9 @@
applications = []
roles = []
[instance]
base_uri = "http://localhost:8086"
name = "Example org"
logo_uri = "https://example.org/logo.png"

9
tests/hurl_integration/user_invitation_scenario/init_db.sh Executable file
View file

@ -0,0 +1,9 @@
#!/usr/bin/bash
SQL=$(cat <<EOF
INSERT INTO users
(id, handle, email, roles, status, reset_password_token, created_at)
VALUES
('$(uuid)', 'invited_user', 'invited-user@example.org', '[]', 'Invited', 'Z433-Y001-V987-P500', '2024-11-30T00:00:00Z');
EOF)
echo $SQL | sqlite3 $DB_PATH

28
tests/hurl_integration/user_invitation_scenario/main.hurl Normal file
View file

@ -0,0 +1,28 @@
GET {{ base_url }}/api
HTTP 200
[Asserts]
jsonpath "$.software" == "Minauthator"
GET {{ base_url }}/invitation
[QueryStringParams]
token: Z433-Y001-V987-P500
HTTP 200
[Asserts]
xpath "string(///h1)" contains "Invitation"
POST {{ base_url }}/reset-password
[FormParams]
token: Z433-Y001-V987-P500
password: newpassword10!
password_confirmation: newpassword10!
HTTP 303
[Asserts]
header "Location" == "/login"
POST {{ base_url }}/login
[FormParams]
login: invited_user
password: newpassword10!
HTTP 303
[Asserts]
cookie "minauthator_jwt" exists

15
tests/manual/create_test_user.sql
View file

@ -1,5 +1,12 @@
INSERT INTO users
(id, handle, email, roles, status, password_hash, created_at)
VALUES
('30c134a7-d541-4ec7-9310-9c8e298077db', 'test', 'test@example.org', '[]', 'Active', '$argon2i$v=19$m=4096,t=3,p=1$V2laYjAwTlFHOUpiekRlVzRQUU0$33h8XwAWM3pKQM7Ksler0l7rMJfseTuWPJKrdX/cGyc', '2024-11-30T00:00:00Z');
-- INSERT INTO users
-- (id, handle, email, roles, status, password_hash, created_at)
-- VALUES
-- ('30c134a7-d541-4ec7-9310-9c8e298077db', 'test', 'test@example.org', '[]', 'Active', '$argon2i$v=19$m=4096,t=3,p=1$V2laYjAwTlFHOUpiekRlVzRQUU0$33h8XwAWM3pKQM7Ksler0l7rMJfseTuWPJKrdX/cGyc', '2024-11-30T00:00:00Z');
--
INSERT INTO users
(id, handle, email, roles, status, reset_password_token, created_at)
VALUES
('00000001-0042-0001-0001-00000000432', 'invited_user1', 'invited-user1@example.org', '[]', 'Invited', 'A909-Z539-L128-O400', '2024-11-30T00:00:00Z');