]> WPIA git - gigi.git/commitdiff
projects / gigi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 44e9a4e)
fix: Limit validity of password reset links
authorFelix Dörre <felix@dogcraft.de>
Mon, 20 Jun 2016 10:05:33 +0000 (12:05 +0200)
committerFelix Dörre <felix@dogcraft.de>
Thu, 23 Jun 2016 10:29:59 +0000 (12:29 +0200)
fixes #43

Change-Id: I1a36deb81155252a6d465a6f11013ab49f9c9873

src/org/cacert/gigi/dbObjects/User.java patch | blob | history
src/org/cacert/gigi/pages/PasswordResetPage.java patch | blob | history

diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index b72af84fbc03eb840e82ae69f95e96bd5d503f58..5c9173f93161271e5e700f0c3d45dd1eff08bdd7 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -520,7 +520,7 @@ public class User extends CertificateOwner {
     }
 
     public static User getResetWithToken(int id, String token) {
-        try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `memid` FROM `passwordResetTickets` WHERE `id`=? AND `token`=? AND `used` IS NULL")) {
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `memid` FROM `passwordResetTickets` WHERE `id`=? AND `token`=? AND `used` IS NULL AND `created` > CURRENT_TIMESTAMP - interval '96 hours'")) {
             ps.setInt(1, id);
             ps.setString(2, token);
             GigiResultSet res = ps.executeQuery();
@@ -537,7 +537,7 @@ public class User extends CertificateOwner {
             ps.setInt(2, getId());
             GigiResultSet rs = ps.executeQuery();
             if ( !rs.next()) {
-                throw new GigiApiException("Token not found... very bad.");
+                throw new GigiApiException("Token could not be found, has already been used, or is expired.");
             }
             if (PasswordHash.verifyHash(private_token, rs.getString(1)) == null) {
                 throw new GigiApiException("Private token does not match.");
diff --git a/src/org/cacert/gigi/pages/PasswordResetPage.java b/src/org/cacert/gigi/pages/PasswordResetPage.java
index c25fe5c1b7fed60bba5087738fe469a0de780c6c..a2641db10736f5e553aeaa13e9cf80e9b97679f3 100644 (file)
--- a/src/org/cacert/gigi/pages/PasswordResetPage.java
+++ b/src/org/cacert/gigi/pages/PasswordResetPage.java
@@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
@@ -52,6 +53,10 @@ public class PasswordResetPage extends Page {
 
         @Override
         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+            try (GigiPreparedStatement passwordReset = new GigiPreparedStatement("UPDATE `passwordResetTickets` SET `used` = CURRENT_TIMESTAMP WHERE `used` IS NULL AND `created` < CURRENT_TIMESTAMP - interval '96 hours';")) {
+                passwordReset.execute();
+            }
+
             String p1 = req.getParameter("pword1");
             String p2 = req.getParameter("pword2");
             String tok = req.getParameter("private_token");
WPIA Certificate Web Issuance Platform