fix: correct order when consuming password reset token

[gigi.git] / src / org / cacert / gigi / dbObjects / User.java

diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index f12002334566923764067289aa1f9cb39c281d12..e6afc79666c60f1cf07540b893f08d309a3a4b3a 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -98,10 +98,6 @@ public class User extends CertificateOwner {
         return email;
     }
 
-    public void setEmail(String email) {
-        this.email = email;
-    }
-
     public void changePassword(String oldPass, String newPass) throws GigiApiException {
         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password` FROM `users` WHERE `id`=?");
         ps.setInt(1, getId());
@@ -113,7 +109,11 @@ public class User extends CertificateOwner {
                 throw new GigiApiException("Old password does not match.");
             }
         }
+        setPassword(newPass);
+    }
 
+    private void setPassword(String newPass) throws GigiApiException {
+        GigiPreparedStatement ps;
         PasswordStrengthChecker.assertStrongPassword(newPass, getName(), getEmail());
         ps = DatabaseConnection.getInstance().prepare("UPDATE users SET `password`=? WHERE id=?");
         ps.setString(1, PasswordHash.hash(newPass));
@@ -138,8 +138,9 @@ public class User extends CertificateOwner {
     }
 
     public boolean hasPassedCATS() {
-        GigiPreparedStatement query = DatabaseConnection.getInstance().prepare("SELECT 1 FROM `cats_passed` where `user_id`=? AND `variant_id`=1");
+        GigiPreparedStatement query = DatabaseConnection.getInstance().prepare("SELECT 1 FROM `cats_passed` where `user_id`=? AND `variant_id`=?");
         query.setInt(1, getId());
+        query.setInt(2, CATS.ASSURER_CHALLANGE_ID);
         try (GigiResultSet rs = query.executeQuery()) {
             if (rs.next()) {
                 return true;
@@ -311,8 +312,7 @@ public class User extends CertificateOwner {
 
     public void updateUserData() throws GigiApiException {
         synchronized (Notary.class) {
-            // FIXME: No assurance, not no points.
-            if (getAssurancePoints() != 0) {
+            if (getReceivedAssurances().length != 0) {
                 throw new GigiApiException("No change after assurance allowed.");
             }
             rawUpdateUserData();
@@ -469,30 +469,57 @@ public class User extends CertificateOwner {
         return false;
     }
 
-    public String[] getAdminLog() {
-        GigiPreparedStatement prep = DatabaseConnection.getInstance().prepare("SELECT `when`, type, information FROM `adminLog` WHERE uid=? ORDER BY `when` ASC");
+    public String[] getTrainings() {
+        GigiPreparedStatement prep = DatabaseConnection.getInstance().prepare("SELECT `pass_date`, `type_text` FROM `cats_passed` LEFT JOIN `cats_type` ON `cats_type`.`id`=`cats_passed`.`variant_id`  WHERE `user_id`=? ORDER BY `pass_date` ASC");
         prep.setInt(1, getId());
         GigiResultSet res = prep.executeQuery();
         List<String> entries = new LinkedList<String>();
 
         while (res.next()) {
-            entries.add(res.getString(2) + " (" + res.getString(3) + ")");
+
+            entries.add(DateSelector.getDateFormat().format(res.getTimestamp(1)) + " (" + res.getString(2) + ")");
         }
 
         return entries.toArray(new String[0]);
     }
 
-    public String[] getTrainings() {
-        GigiPreparedStatement prep = DatabaseConnection.getInstance().prepare("SELECT `pass_date`, `type_text` FROM `cats_passed` LEFT JOIN `cats_type` ON `cats_type`.`id`=`cats_passed`.`variant_id`  WHERE `user_id`=? ORDER BY `pass_date` ASC");
-        prep.setInt(1, getId());
-        GigiResultSet res = prep.executeQuery();
-        List<String> entries = new LinkedList<String>();
-
-        while (res.next()) {
+    public int generatePasswordResetTicket(User actor, String token, String privateToken) {
+        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("INSERT INTO `passwordResetTickets` SET `memid`=?, `creator`=?, `token`=?, `private_token`=?");
+        ps.setInt(1, getId());
+        ps.setInt(2, getId());
+        ps.setString(3, token);
+        ps.setString(4, PasswordHash.hash(privateToken));
+        ps.execute();
+        return ps.lastInsertId();
+    }
 
-            entries.add(DateSelector.getDateFormat().format(res.getTimestamp(1)) + " (" + res.getString(2) + ")");
+    public static User getResetWithToken(int id, String token) {
+        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `passwordResetTickets` WHERE `id`=? AND `token`=? AND `used` IS NULL");
+        ps.setInt(1, id);
+        ps.setString(2, token);
+        GigiResultSet res = ps.executeQuery();
+        if ( !res.next()) {
+            return null;
         }
+        return User.getById(res.getInt(1));
+    }
 
-        return entries.toArray(new String[0]);
+    public synchronized void consumePasswordResetTicket(int id, String private_token, String newPassword) throws GigiApiException {
+        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `private_token` FROM `passwordResetTickets` WHERE `id`=? AND `memid`=? AND `used` IS NULL");
+        ps.setInt(1, id);
+        ps.setInt(2, getId());
+        try (GigiResultSet rs = ps.executeQuery()) {
+            if ( !rs.next()) {
+                throw new GigiApiException("Token not found... very bad.");
+            }
+            if (PasswordHash.verifyHash(private_token, rs.getString(1)) == null) {
+                throw new GigiApiException("Private token does not match.");
+            }
+            setPassword(newPassword);
+            ps = DatabaseConnection.getInstance().prepare("UPDATE `passwordResetTickets` SET  `used` = CURRENT_TIMESTAMP WHERE `id`=?");
+            ps.setInt(1, id);
+            ps.executeUpdate();
+        }
     }
+
 }