Added "Forgot password"

Closes #38
2022-10-14 03:15:57 +02:00 · 2022-10-14 03:15:57 +02:00 · 643a5755c0
commit 643a5755c0
parent b2d67f6ed4
11 changed files with 302 additions and 35 deletions
--- a/backend/.idea/runConfigurations/clippy.xml
+++ b/backend/.idea/runConfigurations/clippy.xml
@ -2,7 +2,7 @@
  <configuration default="false" name="clippy" type="CargoCommandRunConfiguration" factoryName="Cargo Command">
    <option name="command" value="clippy" />
    <option name="workingDirectory" value="file://$PROJECT_DIR$" />
-    <option name="channel" value="DEFAULT" />
+    <option name="channel" value="STABLE" />
    <option name="requiredFeatures" value="true" />
    <option name="allFeatures" value="false" />
    <option name="emulateTerminal" value="false" />
--- a/backend/src/dto.rs
+++ b/backend/src/dto.rs
@ -152,6 +152,17 @@ pub mod requests {
        pub otp: Option<String>
    }
    #[derive(Debug, Deserialize, Serialize, Clone)]
    pub struct SendRecoveryKey {
        pub username: String
    }
    #[derive(Debug, Deserialize, Serialize, Clone)]
    pub struct ResetPassword {
        pub key: String,
        pub password: String
    }
    #[derive(Debug, Deserialize, Serialize, Clone)]
    pub struct TfaSetup {
        pub mail: bool
--- a/backend/src/main.rs
+++ b/backend/src/main.rs
@ -15,7 +15,7 @@ use tiny_http::{Method, Request, Response, ResponseBox, Server, StatusCode};
 use crate::{
    db::DBConnection,
    metrics::TRACER,
-    routes::{get_reply, header, AppError}
+    routes::{header, AppError}
 };
 static THREAD_COUNT: usize = 10;
@ -117,6 +117,8 @@ fn handle_api_request(span: &mut Span, req: &mut Request, pool: db::DBPool) -> R
        ("/api/metrics",                Method::Get)  => metrics::get_metrics(),
        ("/api/auth/login",             Method::Post) => parse_body(span, req).and_then(|v|routes::auth::basic::login(span, req, db, v)),
        ("/api/auth/signup",            Method::Post) => parse_body(span, req).and_then(|v| routes::auth::basic::signup(span, req, db, v)),
        ("/api/auth/send_key",          Method::Post) => parse_body(span, req).and_then(|v| routes::auth::basic::send_key(span, req, db, v)),
        ("/api/auth/reset",             Method::Post) => parse_body(span, req).and_then(|v| routes::auth::basic::reset(span, req, db, v)),
        ("/api/auth/gitlab",            Method::Get)  => routes::auth::gitlab::gitlab(span, req, db),
        ("/api/auth/gitlab_callback",   Method::Get)  => routes::auth::gitlab::gitlab_callback(span, req, db, &query),
        ("/api/fs/download",            Method::Post) => routes::fs::routes::download(span, req, db),
@ -143,7 +145,7 @@ fn handle_api_request(span: &mut Span, req: &mut Request, pool: db::DBPool) -> R
                ("/api/admin/logout",           Method::Post, None)         => parse_body(span, req).and_then(|v| routes::admin::logout(span, req, db, info, v)),
                ("/api/admin/delete",           Method::Post, None)         => parse_body(span, req).and_then(|v| routes::admin::delete_user(span, req, db, info, v)),
                ("/api/admin/disable_2fa",      Method::Post, None)         => parse_body(span, req).and_then(|v| routes::admin::disable_2fa(span, req, db, info, v)),
-                ("/api/admin/is_admin",         Method::Post, None)         => get_reply(&dto::responses::Success { statusCode: 200 }),
+                ("/api/admin/is_admin",         Method::Get, None)          => routes::admin::is_admin(span, req, db, info),
                ("/api/admin/get_token",        Method::Get, Some(v))   => routes::admin::get_token(span, req, db, info, v),
                ("/api/auth/refresh",           Method::Post, None)         => routes::auth::basic::refresh(span, req, db, info),
                ("/api/auth/logout_all",        Method::Post, None)         => routes::auth::basic::logout_all(span, req, db, info),
--- a/backend/src/routes/admin.rs
+++ b/backend/src/routes/admin.rs
@ -110,6 +110,14 @@ pub fn disable_2fa(
    get_reply(&dto::responses::Success { statusCode: 200 })
 }
 pub fn is_admin(_: &Span, _: &mut Request, _: &mut DBConnection, info: UserInfo) -> Result<ResponseBox, AppError> {
    if info.0.role != UserRole::Admin {
        return AppError::Forbidden("Forbidden").err();
    }
    get_reply(&dto::responses::Success { statusCode: 200 })
 }
 pub fn get_token(
    span: &Span,
    _: &mut Request,
--- a/backend/src/routes/auth/basic.rs
+++ b/backend/src/routes/auth/basic.rs
@ -1,12 +1,23 @@
 use std::{collections::HashMap, ops::Add};
 use lettre::Transport;
 use once_cell::sync::Lazy;
 use parking_lot::Mutex;
 use ring::rand::SecureRandom;
 use rustracing_jaeger::Span;
 use tiny_http::{Request, ResponseBox};
 use crate::{
    db::{DBConnection, TfaTypes, UserRole},
    dto,
-    routes::{filters::UserInfo, get_reply, AppError}
+    metrics,
    routes::{auth::tfa::MAIL_SENDER, filters::UserInfo, get_reply, AppError}
 };
 type RecoveryKeyMap = HashMap<String, (i32, chrono::DateTime<chrono::Utc>)>;
 static RECOVERY_KEYS: Lazy<Mutex<RecoveryKeyMap>> = Lazy::new(|| Mutex::new(RecoveryKeyMap::new()));
 const KEY_CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
 pub fn login(
    span: &Span,
    _: &mut Request,
@ -60,6 +71,70 @@ pub fn signup(
    get_reply(&dto::responses::Success { statusCode: 200 })
 }
 pub fn send_key(
    span: &Span,
    _: &mut Request,
    db: &mut DBConnection,
    data: dto::requests::SendRecoveryKey
 ) -> Result<ResponseBox, AppError> {
    // Silently fail to prevent information leak about usernames
    if let Some(user) = db.find_user(span, &data.username, false) {
        let _span = metrics::span("send_recovery_key", span);
        let mut bin = [0_u8; 10];
        crate::routes::auth::SEC_RANDOM.fill(&mut bin).expect("Failed to generate recovery key");
        let code_arr = bin.map(|v| KEY_CHARSET[v as usize % KEY_CHARSET.len()]);
        let code = String::from_utf8_lossy(&code_arr);
        {
            RECOVERY_KEYS.lock().insert(
                code.to_string(),
                (
                    user.id,
                    chrono::Utc::now().add(chrono::Duration::minutes(5))
                )
            );
        }
        let mail = lettre::Message::builder()
            .from("fileserver@mattv.de".parse().unwrap())
            .to(user.name.parse().unwrap())
            .subject("MFileserver - Password reset")
            .body(format!(
                "Your recovery key is: {}\r\nIt is valid for 5 minutes",
                code
            ))
            .unwrap();
        MAIL_SENDER.send(&mail).expect("Failed to send mail");
    }
    get_reply(&dto::responses::Success { statusCode: 200 })
 }
 pub fn reset(
    span: &Span,
    _: &mut Request,
    db: &mut DBConnection,
    data: dto::requests::ResetPassword
 ) -> Result<ResponseBox, AppError> {
    if let Some(entry) = { RECOVERY_KEYS.lock().get(&data.key) } {
        if entry.1 < chrono::Utc::now() {
            return AppError::BadRequest("Invalid key").err();
        }
        if let Some(mut user) = db.get_user(span, entry.0) {
            user.password = super::hash_password(&data.password);
            db.save_user(span, &user);
            db.delete_all_tokens(span, user.id);
            get_reply(&dto::responses::Success { statusCode: 200 })
        } else {
            AppError::BadRequest("Invalid user").err()
        }
    } else {
        AppError::BadRequest("Invalid key").err()
    }
 }
 pub fn refresh(span: &Span, _: &mut Request, db: &mut DBConnection, info: UserInfo) -> Result<ResponseBox, AppError> {
    db.delete_token(span, info.1.id);
--- a/backend/src/routes/auth/tfa.rs
+++ b/backend/src/routes/auth/tfa.rs
@ -26,7 +26,7 @@ fn build_mail_sender() -> lettre::SmtpTransport {
        .build()
 }
-static MAIL_SENDER: Lazy<lettre::SmtpTransport> = Lazy::new(build_mail_sender);
+pub static MAIL_SENDER: Lazy<lettre::SmtpTransport> = Lazy::new(build_mail_sender);
 fn get_totp(user: &db::User) -> totp_rs::TOTP {
    totp_rs::TOTP::from_rfc6238(
--- a/backend/src/routes/fs/routes.rs
+++ b/backend/src/routes/fs/routes.rs
@ -6,10 +6,9 @@ use std::{
    ops::DerefMut,
    sync::atomic::Ordering
 };
 use image::DynamicImage;
 use fast_image_resize as fir;
-use fast_image_resize::PixelType;
+use image::DynamicImage;
 use rustracing_jaeger::Span;
 use tiny_http::{Request, Response, ResponseBox, StatusCode};
@ -212,18 +211,54 @@ pub fn upload(
                let width = NonZeroU32::try_from(img.width()).unwrap();
                let height = NonZeroU32::try_from(img.height()).unwrap();
                match img {
-                    DynamicImage::ImageLuma8(v) => fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8),
+                    DynamicImage::ImageLuma8(v) =>
-                    DynamicImage::ImageLumaA8(v) => fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8x2),
+                        fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8),
-                    DynamicImage::ImageRgb8(v) => fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8x3),
+                    DynamicImage::ImageLumaA8(v) =>
-                    DynamicImage::ImageRgba8(v) => fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8x4),
+                        fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8x2),
-                    DynamicImage::ImageLuma16(_) => fir::Image::from_vec_u8(width, height, img.to_luma8().into_raw(), fir::PixelType::U8),
+                    DynamicImage::ImageRgb8(v) =>
-                    DynamicImage::ImageLumaA16(_) => fir::Image::from_vec_u8(width, height, img.to_luma_alpha8().into_raw(), fir::PixelType::U8x2),
+                        fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8x3),
-                    DynamicImage::ImageRgb16(_) => fir::Image::from_vec_u8(width, height, img.to_rgb8().into_raw(), fir::PixelType::U8x3),
+                    DynamicImage::ImageRgba8(v) =>
-                    DynamicImage::ImageRgba16(_) => fir::Image::from_vec_u8(width, height, img.to_rgba8().into_raw(), fir::PixelType::U8x4),
+                        fir::Image::from_vec_u8(width, height, v.into_raw(), fir::PixelType::U8x4),
-                    DynamicImage::ImageRgb32F(_) => fir::Image::from_vec_u8(width, height, img.to_rgb8().into_raw(), fir::PixelType::U8x3),
+                    DynamicImage::ImageLuma16(_) =>
-                    DynamicImage::ImageRgba32F(_) => fir::Image::from_vec_u8(width, height, img.to_rgba8().into_raw(), fir::PixelType::U8x4),
+                        fir::Image::from_vec_u8(width, height, img.to_luma8().into_raw(), fir::PixelType::U8),
-                    _ => fir::Image::from_vec_u8(width, height, img.to_rgba8().into_raw(), fir::PixelType::U8x4)
+                    DynamicImage::ImageLumaA16(_) => fir::Image::from_vec_u8(
-                }.expect("Failed to convert preview image")
+                        width,
                        height,
                        img.to_luma_alpha8().into_raw(),
                        fir::PixelType::U8x2
                    ),
                    DynamicImage::ImageRgb16(_) => fir::Image::from_vec_u8(
                        width,
                        height,
                        img.to_rgb8().into_raw(),
                        fir::PixelType::U8x3
                    ),
                    DynamicImage::ImageRgba16(_) => fir::Image::from_vec_u8(
                        width,
                        height,
                        img.to_rgba8().into_raw(),
                        fir::PixelType::U8x4
                    ),
                    DynamicImage::ImageRgb32F(_) => fir::Image::from_vec_u8(
                        width,
                        height,
                        img.to_rgb8().into_raw(),
                        fir::PixelType::U8x3
                    ),
                    DynamicImage::ImageRgba32F(_) => fir::Image::from_vec_u8(
                        width,
                        height,
                        img.to_rgba8().into_raw(),
                        fir::PixelType::U8x4
                    ),
                    _ => fir::Image::from_vec_u8(
                        width,
                        height,
                        img.to_rgba8().into_raw(),
                        fir::PixelType::U8x4
                    )
                }
                .expect("Failed to convert preview image")
            };
            let img = {
                let _span = metrics::span("generate_preview_resize", &prev_span);
@ -233,12 +268,9 @@ pub fn upload(
                    NonZeroU32::try_from(new_dim.1).unwrap(),
                    img.pixel_type()
                );
-                fir::Resizer::new(fir::ResizeAlg::SuperSampling(
+                fir::Resizer::new(fir::ResizeAlg::SuperSampling(fir::FilterType::Hamming, 2))
-                    fir::FilterType::Hamming,
+                    .resize(&img.view(), &mut dst.view_mut())
-                    2
+                    .expect("Failed to resize preview image");
                ))
                .resize(&img.view(), &mut dst.view_mut())
                .expect("Failed to resize preview image");
                dst
            };
            let _span = metrics::span("generate_preview_save", &prev_span);
@ -252,10 +284,10 @@ pub fn upload(
                    img.width().get(),
                    img.height().get(),
                    match img.pixel_type() {
-                        PixelType::U8 => image::ColorType::L8,
+                        fir::PixelType::U8 => image::ColorType::L8,
-                        PixelType::U8x2 => image::ColorType::La8,
+                        fir::PixelType::U8x2 => image::ColorType::La8,
-                        PixelType::U8x3 => image::ColorType::Rgb8,
+                        fir::PixelType::U8x3 => image::ColorType::Rgb8,
-                        PixelType::U8x4 => image::ColorType::Rgba8,
+                        fir::PixelType::U8x4 => image::ColorType::Rgba8,
                        _ => unreachable!()
                    }
                )
--- a/frontend/src/api/auth.ts
+++ b/frontend/src/api/auth.ts
@ -21,6 +21,22 @@ export const auth_signup = (
 		password: password
 	});
 export const send_recovery_key = (
 	username: string
 ): Promise<Responses.Success | Responses.Error> =>
 	post<Requests.SendRecoveryKey>('/api/auth/send_key', {
 		username: username
 	});
 export const reset_password = (
 	key: string,
 	password: string
 ): Promise<Responses.Success | Responses.Error> =>
 	post<Requests.ResetPassword>('/api/auth/reset', {
 		key: key,
 		password: password
 	});
 export const refresh_token = (
 	token: string
 ): Promise<Responses.Login | Responses.Error> =>
--- a/frontend/src/api/fs.ts
+++ b/frontend/src/api/fs.ts
@ -1,10 +1,5 @@
 import type { Requests, Responses, UploadFile } from '@/dto';
-import {
+import { get_token, post_token, isErrorResponse } from './base';
 	get_token,
 	post_token,
 	post_token_form,
 	isErrorResponse
 } from './base';
 import axios from 'axios';
 export const get_root = (
--- a/frontend/src/dto/index.ts
+++ b/frontend/src/dto/index.ts
@ -32,6 +32,15 @@ export namespace Requests {
 		otp?: string;
 	}
 	export interface SendRecoveryKey extends Base {
 		username: string;
 	}
 	export interface ResetPassword extends Base {
 		key: string;
 		password: string;
 	}
 	export interface TfaSetup extends Base {
 		mail: boolean;
 	}
--- a/frontend/src/views/ForgotPasswordView.vue
+++ b/frontend/src/views/ForgotPasswordView.vue
@ -0,0 +1,119 @@
 <script setup lang="ts">
 import { ref } from 'vue';
 import { Auth, isErrorResponse } from '@/api';
 import { useMessage, NInput, NGrid, NGi, NButton, NCard } from 'naive-ui';
 import { useRouter } from 'vue-router';
 import { loadingMsgWrapper } from '@/utils';
 const router = useRouter();
 const message = useMessage();
 const email = ref('');
 const code = ref('');
 const password = ref('');
 const password2 = ref('');
 const enterCode = ref(false);
 const reset = loadingMsgWrapper(message, async () => {
 	if (password.value !== password2.value) {
 		message.error("Passwords don't match");
 		return;
 	}
 	const res = await Auth.reset_password(code.value, password.value);
 	if (isErrorResponse(res)) {
 		message.error(`Failed to reset password: ${res.message}`);
 	} else {
 		message.success('Password reset', {
 			duration: 2000
 		});
 		login();
 	}
 });
 const sendKey = loadingMsgWrapper(message, async () => {
 	const res = await Auth.send_recovery_key(email.value);
 	if (isErrorResponse(res)) {
 		message.error(`Failed to send recovery key: ${res.message}`);
 	} else {
 		message.success('If the email is registered a mail has been sent', {
 			duration: 10000
 		});
 		enterCode.value = true;
 	}
 });
 function login() {
 	router.replace('login');
 }
 function onKey(event: KeyboardEvent) {
 	if (event.key == 'Enter') enterCode.value ? reset() : sendKey();
 }
 </script>
 <template>
 	<n-card>
 		<n-grid cols="2" x-gap="16" y-gap="16">
 			<template v-if="enterCode">
 				<n-gi span="2">
 					<n-input
 						:key="1"
 						type="text"
 						placeholder="Recovery key"
 						v-model:value="code"
 						maxlength="10"
 						autofocus
 						@keyup="onKey"
 					/>
 				</n-gi>
 				<n-gi span="2">
 					<n-input
 						type="password"
 						placeholder="Password"
 						v-model:value="password"
 						@keyup="onKey"
 					/>
 				</n-gi>
 				<n-gi span="2">
 					<n-input
 						type="password"
 						placeholder="Repeat password"
 						v-model:value="password2"
 						@keyup="onKey"
 					/>
 				</n-gi>
 				<n-gi>
 					<n-button type="info" @click="reset">
 						Reset password
 					</n-button>
 				</n-gi>
 				<n-gi style="text-align: right">
 					<n-button ghost @click="login">Go to login</n-button>
 				</n-gi>
 			</template>
 			<template v-else>
 				<n-gi span="2">
 					<n-input
 						:key="2"
 						type="text"
 						placeholder="Email"
 						v-model:value="email"
 						autofocus
 						:input-props="{ type: 'email' }"
 						@keyup="onKey"
 					/>
 				</n-gi>
 				<n-gi>
 					<n-button type="info" @click="sendKey">
 						Send recovery key
 					</n-button>
 				</n-gi>
 				<n-gi style="text-align: right">
 					<n-button ghost @click="login">Go to login</n-button>
 				</n-gi>
 			</template>
 		</n-grid>
 	</n-card>
 </template>
 <style scoped></style>