1 package org.cacert.gigi.pages;
3 import java.io.IOException;
4 import java.io.PrintWriter;
5 import java.net.URLEncoder;
6 import java.util.HashMap;
9 import javax.servlet.http.HttpServletRequest;
10 import javax.servlet.http.HttpServletResponse;
12 import org.cacert.gigi.GigiApiException;
13 import org.cacert.gigi.database.GigiPreparedStatement;
14 import org.cacert.gigi.dbObjects.User;
15 import org.cacert.gigi.localisation.Language;
16 import org.cacert.gigi.output.template.Form;
17 import org.cacert.gigi.output.template.MailTemplate;
18 import org.cacert.gigi.output.template.Template;
19 import org.cacert.gigi.output.template.TranslateCommand;
20 import org.cacert.gigi.util.AuthorizationContext;
21 import org.cacert.gigi.util.RandomToken;
22 import org.cacert.gigi.util.ServerConstants;
24 public class PasswordResetPage extends Page {
26 public static final int HOUR_MAX = 96;
28 public static final String PATH = "/passwordReset";
30 public PasswordResetPage() {
31 super("Password Reset");
34 public static class PasswordResetForm extends Form {
36 private static final Template t = new Template(PasswordResetForm.class.getResource("PasswordResetForm.templ"));
42 public PasswordResetForm(HttpServletRequest hsr) throws GigiApiException {
44 String idS = hsr.getParameter("id");
45 String tokS = hsr.getParameter("token");
46 if (idS == null || tokS == null) {
47 throw new GigiApiException("requires id and token");
50 id = Integer.parseInt(idS);
51 } catch (NumberFormatException e) {
52 throw new GigiApiException("requires id to be integer");
54 u = User.getResetWithToken(id, tokS);
56 throw new GigiApiException("User missing or token invalid");
62 public SuccessMessageResult submit(HttpServletRequest req) throws GigiApiException {
63 try (GigiPreparedStatement passwordReset = new GigiPreparedStatement("UPDATE `passwordResetTickets` SET `used` = CURRENT_TIMESTAMP WHERE `used` IS NULL AND `created` < CURRENT_TIMESTAMP - interval '1 hours' * ?;")) {
64 passwordReset.setInt(1, HOUR_MAX);
65 passwordReset.execute();
68 String p1 = req.getParameter("pword1");
69 String p2 = req.getParameter("pword2");
70 String tok = req.getParameter("private_token");
71 if (p1 == null || p2 == null || tok == null) {
72 throw new GigiApiException("Missing form parameter.");
74 if ( !p1.equals(p2)) {
75 throw new GigiApiException("New passwords differ.");
77 u.consumePasswordResetTicket(id, tok, p1);
78 return new SuccessMessageResult(new TranslateCommand("Password reset successful."));
82 protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
83 t.output(out, l, vars);
89 public boolean beforePost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
90 return Form.getForm(req, PasswordResetForm.class).submitExceptionProtected(req, resp);
94 public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
95 if (Form.printFormErrors(req, resp.getWriter())) {
96 PasswordResetForm form = Form.getForm(req, PasswordResetForm.class);
97 form.output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
102 public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
104 new PasswordResetForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
105 } catch (GigiApiException e) {
106 e.format(resp.getWriter(), getLanguage(req));
111 public boolean isPermitted(AuthorizationContext ac) {
115 private static final MailTemplate passwordResetMail = new MailTemplate(PasswordResetPage.class.getResource("PasswordResetMail.templ"));
117 public static void initPasswordResetProcess(User targetUser, HttpServletRequest req, String aword, Language l, String method, String subject) {
118 String ptok = RandomToken.generateToken(32);
119 int id = targetUser.generatePasswordResetTicket(Page.getUser(req), ptok, aword);
121 HashMap<String, Object> vars = new HashMap<>();
122 vars.put("subject", subject);
123 vars.put("method", method);
124 vars.put("link", "https://" + ServerConstants.getWwwHostNamePortSecure() + PasswordResetPage.PATH //
125 + "?id=" + id + "&token=" + URLEncoder.encode(ptok, "UTF-8"));
126 vars.put("hour_max", HOUR_MAX);
128 passwordResetMail.sendMail(l, vars, targetUser.getEmail());
129 } catch (IOException e) {