From: Felix Dörre Date: Mon, 20 Jun 2016 10:05:33 +0000 (+0200) Subject: fix: Limit validity of password reset links X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=78e9a8cba5bf9f8734a64a974c4817368f2918d6 fix: Limit validity of password reset links fixes #43 Change-Id: I1a36deb81155252a6d465a6f11013ab49f9c9873
---
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index b72af84f..5c9173f9 100644
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -520,7 +520,7 @@ public class User extends CertificateOwner {
     }
 
     public static User getResetWithToken(int id, String token) {
-        try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `memid` FROM `passwordResetTickets` WHERE `id`=? AND `token`=? AND `used` IS NULL")) {
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `memid` FROM `passwordResetTickets` WHERE `id`=? AND `token`=? AND `used` IS NULL AND `created` > CURRENT_TIMESTAMP - interval '96 hours'")) {
             ps.setInt(1, id);
             ps.setString(2, token);
             GigiResultSet res = ps.executeQuery();
@@ -537,7 +537,7 @@ public class User extends CertificateOwner {
             ps.setInt(2, getId());
             GigiResultSet rs = ps.executeQuery();
             if ( !rs.next()) {
-                throw new GigiApiException("Token not found... very bad.");
+                throw new GigiApiException("Token could not be found, has already been used, or is expired.");
             }
             if (PasswordHash.verifyHash(private_token, rs.getString(1)) == null) {
                 throw new GigiApiException("Private token does not match.");
diff --git a/src/org/cacert/gigi/pages/PasswordResetPage.java b/src/org/cacert/gigi/pages/PasswordResetPage.java
index c25fe5c1..a2641db1 100644
--- a/src/org/cacert/gigi/pages/PasswordResetPage.java
+++ b/src/org/cacert/gigi/pages/PasswordResetPage.java
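Review bot: The 96-hour validity window is a bare literal inside the SQL string on the added line of getResetWithToken, and the identical literal is repeated in the sweep added to PasswordResetPage.submit in this same commit, so the two copies can silently drift apart. Keep the window in one constant and bind it instead of embedding it, e.g. `AND created > CURRENT_TIMESTAMP - ? * interval '1 hour'` with `ps.setInt(3, PASSWORD_RESET_VALIDITY_HOURS);` (PostgreSQL accepts integer * interval). The comparison also assumes `created` carries the same timezone semantics as CURRENT_TIMESTAMP; if the column is `timestamp without time zone`, a session-timezone change would shift the window, which is worth confirming against the schema, not visible here. getResetWithToken continues past the end of this hunk.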
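Review bot: The new message says the token may be "expired", but the SELECT this method executes (its text sits above the hunk and is not visible here) is not shown to carry the `created` cutoff that getResetWithToken now has; from what the hunk shows, expiry here is enforced only indirectly by the sweep that PasswordResetPage.submit runs beforehand, so any other caller of this method would still accept an expired ticket whose private token is correct. Add the same `AND \`created\` > CURRENT_TIMESTAMP - interval '96 hours'` predicate to this method's own query so the check does not depend on who calls it. Keeping two distinct error strings ("could not be found, has already been used, or is expired" versus "Private token does not match.") also tells the client which of the two factors failed; if the private token is meant as an independent second secret, one generic message for both branches gives away less. The enclosing method begins before and ends after this hunk.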
@@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
@@ -52,6 +53,10 @@ public class PasswordResetPage extends Page {
 
     @Override
     public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+        try (GigiPreparedStatement passwordReset = new GigiPreparedStatement("UPDATE `passwordResetTickets` SET `used` = CURRENT_TIMESTAMP WHERE `used` IS NULL AND `created` < CURRENT_TIMESTAMP - interval '96 hours';")) {
+            passwordReset.execute();
+        }
+
         String p1 = req.getParameter("pword1");
         String p2 = req.getParameter("pword2");
         String tok = req.getParameter("private_token");
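Review bot: The expiry sweep added at the top of submit() runs an unconditional, table-wide UPDATE on every POST to the reset form, before any of the request parameters read on the following lines are validated, so its cost is attacker-controllable; unless an index on (`used`, `created`) exists, which is not visible here, that is a full scan of passwordResetTickets per request. Since getResetWithToken already refuses tickets older than 96 hours in its own WHERE clause, the sweep is not what protects the reset; move it to a periodic job, or at least bound it to the ticket being consumed, e.g. `... WHERE \`used\` IS NULL AND \`id\` = ? AND \`created\` < CURRENT_TIMESTAMP - interval '96 hours'`. Writing CURRENT_TIMESTAMP into `used` for expired tickets also makes consumed and expired tickets indistinguishable afterwards; if that is intended, say so with a comment such as `// expired tickets are stamped as used so they can never be consumed; the timestamp is the sweep time, not a consumption time`. submit() continues past the end of this hunk.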