add custom error for password reset

2018-05-30 18:24:53 +02:00
parent 06ea1cb44d
commit 4731cfe7c2
3 changed files with 27 additions and 16 deletions
--- a/server/router/passwordresetroute/controller.go
+++ b/server/router/passwordresetroute/controller.go
@@ -20,7 +20,7 @@ const (
 	baseURL                    = "http://localhost:5000"
 	passwordResetEmailSubject  = "Reset Your Password"
 	passwordResetEmailMainBody = "To reset your password click here or copy the following link and paste it into your browser: \n\n " + baseURL + "/#/reset-password/"
-	passwordResetEmailFooter   = "\nThis link expires in " + string(tokenExpirationTime) + " minutes"
+	passwordResetEmailFooter   = "\nThis link expires in 90 minutes"
 )

 var (
@@ -46,30 +46,29 @@ func controllerInstance(svc *applicationservice.Service, cfg *config.Config) *co
 }

 func (c *controller) handleResetRequest(ctx echo.Context) error {
-	fmt.Println("\n\nRequest...")
 	userEmail, err := routeutils.GetAndValidateStringParam(ctx, "email", "mandatory field")
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	fmt.Println("\nEmail : ", userEmail)
-
 	//find if user with email exists
 	user, err := c.svc.Users.GetByEmail(userEmail)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	if user.Email == nil || (*user.Email != userEmail) {
+		return routeutils.ResponseAPIOK(ctx, nil) //more secure, don't inform user (attacker) that email doesn't exists
+	}
+
 	//create and store reset token

 	timeNow := time.Now()
-	expirationTime := timeNow.Add(time.Hour * tokenExpirationTime)
+	expirationTime := timeNow.Add(time.Minute * tokenExpirationTime)

 	randomArray := make([]byte, randomStringLength)
 	rand.Read(randomArray)
-	h := sha256.New()
-	h.Write(randomArray)
-	token := string(h.Sum(nil))
+	token := fmt.Sprintf("%x", sha256.Sum256(randomArray))

 	passwordResetEntry := viewmodel.PasswordReset{
 		User:    user,
--- a/server/router/routeutils/response.go
+++ b/server/router/routeutils/response.go
@@ -102,6 +102,11 @@ func ResponseAPINotEligibleWithMessageError(c echo.Context, message string) erro
 	return ResponseAPIError(c, http.StatusForbidden, message, false)
 }

+//ResponseAPIPasswordResetFailed returns a standard API error when password reset fails
+func ResponseAPIPasswordResetFailed(c echo.Context, message string) error {
+	return ResponseAPIError(c, http.StatusForbidden, message, false)
+}
+
 func ignoreDefaultWrappedErrors(c echo.Context, errorToHandle *errors.WrappedError, handler func(echo.Context, error) error) error {
 	err := errorToHandle.GetOriginalError()