src/org/cacert/gigi/pages/PasswordResetPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import java.io.IOException;
   4 import java.io.PrintWriter;
   5 import java.io.StringWriter;
   6 import java.net.URLEncoder;
   7 import java.util.HashMap;
   8 import java.util.Map;
   9
  10 import javax.servlet.http.HttpServletRequest;
  11 import javax.servlet.http.HttpServletResponse;
  12
  13 import org.cacert.gigi.GigiApiException;
  14 import org.cacert.gigi.database.GigiPreparedStatement;
  15 import org.cacert.gigi.dbObjects.User;
  16 import org.cacert.gigi.email.SendMail;
  17 import org.cacert.gigi.localisation.Language;
  18 import org.cacert.gigi.output.template.Form;
  19 import org.cacert.gigi.output.template.SprintfCommand;
  20 import org.cacert.gigi.output.template.Template;
  21 import org.cacert.gigi.util.AuthorizationContext;
  22 import org.cacert.gigi.util.RandomToken;
  23 import org.cacert.gigi.util.ServerConstants;
  24
  25 public class PasswordResetPage extends Page {
  26
  27     public static final int HOUR_MAX = 96;
  28
  29     public static final String PATH = "/passwordReset";
  30
  31     public PasswordResetPage() {
  32         super("Password Reset");
  33     }
  34
  35     public static class PasswordResetForm extends Form {
  36
  37         private static final Template t = new Template(PasswordResetForm.class.getResource("PasswordResetForm.templ"));
  38
  39         private User u;
  40
  41         private int id;
  42
  43         public PasswordResetForm(HttpServletRequest hsr) throws GigiApiException {
  44             super(hsr, PATH);
  45             String idS = hsr.getParameter("id");
  46             String tokS = hsr.getParameter("token");
  47             if (idS == null || tokS == null) {
  48                 throw new GigiApiException("requires id and token");
  49             }
  50             try {
  51                 id = Integer.parseInt(idS);
  52             } catch (NumberFormatException e) {
  53                 throw new GigiApiException("requires id to be integer");
  54             }
  55             u = User.getResetWithToken(id, tokS);
  56             if (u == null) {
  57                 throw new GigiApiException("User missing or token invalid");
  58             }
  59
  60         }
  61
  62         @Override
  63         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
  64             try (GigiPreparedStatement passwordReset = new GigiPreparedStatement("UPDATE `passwordResetTickets` SET `used` = CURRENT_TIMESTAMP WHERE `used` IS NULL AND `created` < CURRENT_TIMESTAMP - interval '1 hours' * ?;")) {
  65                 passwordReset.setInt(1, HOUR_MAX);
  66                 passwordReset.execute();
  67             }
  68
  69             String p1 = req.getParameter("pword1");
  70             String p2 = req.getParameter("pword2");
  71             String tok = req.getParameter("private_token");
  72             if (p1 == null || p2 == null || tok == null) {
  73                 throw new GigiApiException("Missing form parameter.");
  74             }
  75             if ( !p1.equals(p2)) {
  76                 throw new GigiApiException("New passwords differ.");
  77             }
  78             u.consumePasswordResetTicket(id, tok, p1);
  79             return true;
  80         }
  81
  82         @Override
  83         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
  84
  85             t.output(out, l, vars);
  86         }
  87
  88     }
  89
  90     @Override
  91     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  92         PasswordResetForm form = Form.getForm(req, PasswordResetForm.class);
  93         try {
  94             form.submit(resp.getWriter(), req);
  95             resp.getWriter().println(getLanguage(req).getTranslation("Password reset successful."));
  96             return;
  97         } catch (GigiApiException e) {
  98             e.format(resp.getWriter(), getLanguage(req));
  99         }
 100         form.output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
 101     }
 102
 103     @Override
 104     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 105         try {
 106             new PasswordResetForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
 107         } catch (GigiApiException e) {
 108             e.format(resp.getWriter(), getLanguage(req));
 109         }
 110     }
 111
 112     @Override
 113     public boolean isPermitted(AuthorizationContext ac) {
 114         return true;
 115     }
 116
 117     public static void initPasswordResetProcess(PrintWriter out, User targetUser, HttpServletRequest req, String aword, Language l, String method, String subject) {
 118         String ptok = RandomToken.generateToken(32);
 119         int id = targetUser.generatePasswordResetTicket(Page.getUser(req), ptok, aword);
 120         try {
 121             StringWriter sw = new StringWriter();
 122             PrintWriter outMail = new PrintWriter(sw);
 123             outMail.print(l.getTranslation("Hi,") + "\n\n");
 124             outMail.print(method);
 125             outMail.print("\n\nhttps://");
 126             outMail.print(ServerConstants.getWwwHostNamePortSecure() + PasswordResetPage.PATH);
 127             outMail.print("?id=");
 128             outMail.print(id);
 129             outMail.print("&token=");
 130             outMail.print(URLEncoder.encode(ptok, "UTF-8"));
 131             outMail.print("\n");
 132             outMail.print("\n");
 133             SprintfCommand.createSimple("This process will expire in {0} hours.", Integer.toString(HOUR_MAX)).output(outMail, l, new HashMap<String, Object>());
 134             outMail.print("\n");
 135             outMail.print("\n");
 136             outMail.print(l.getTranslation("Best regards"));
 137             outMail.print("\n");
 138             outMail.print(l.getTranslation("SomeCA.org Support!"));
 139             outMail.close();
 140             SendMail.getInstance().sendMail(Page.getUser(req).getEmail(), "[SomeCA.org] " + subject, sw.toString(), "support@cacert.org", null, null, null, null, false);
 141             out.println(Page.getLanguage(req).getTranslation("Password reset successful."));
 142         } catch (IOException e) {
 143             e.printStackTrace();
 144         }
 145
 146     }
 147 }