StephanRichter
/
Widerhall
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity
Browse Source

implemented resetting passwords 

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
main
Stephan Richter 6 months ago
parent
4dcde76a08
commit
3c864a12ed
13 changed files with 371 additions and 138 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      src/main/java/de/srsoftware/widerhall/Constants.java
  2. 24
      src/main/java/de/srsoftware/widerhall/Util.java
  3. 24
      src/main/java/de/srsoftware/widerhall/data/Database.java
  4. 21
      src/main/java/de/srsoftware/widerhall/data/MailingList.java
  5. 47
      src/main/java/de/srsoftware/widerhall/data/User.java
  6. 246
      src/main/java/de/srsoftware/widerhall/web/Web.java
  7. 65
      src/test/java/de/srsoftware/widerhall/UtilTest.java
  8. 4
      src/test/java/de/srsoftware/widerhall/data/ListMemberTest.java
  9. 1
      static/templates/login.st
  10. 33
      static/templates/new_password_form.st
  11. 21
      static/templates/reset-pw.st
  12. 17
      static/templates/reset_link_sent.st
  13. 4
      static/templates/subscribe.st

2
src/main/java/de/srsoftware/widerhall/Constants.java
Unescape View File

@ -21,8 +21,10 @@ public class Constants { @@ -21,8 +21,10 @@ public class Constants {
public static final String MESSAGE_ID = "message_id";
public static final String MODERATOR = "moderator";
public static final String MONTH = "month";
public static final String NEW_PASSWORD_FORM = "new_password_form";
public static final String NOTES = "notes";
public static final String PASSWORD = "password";
public static final String PASSWORD_REPEAT = "password-repeat";
public static final String PERMISSIONS = "permissions";
public static final Object PORT = "port";
public static final String PREFIX = "prefix";

24
src/main/java/de/srsoftware/widerhall/Util.java
Unescape View File

@ -4,12 +4,9 @@ import de.srsoftware.tools.translations.Translation; @@ -4,12 +4,9 @@ import de.srsoftware.tools.translations.Translation;
import de.srsoftware.widerhall.data.MailingList;
import de.srsoftware.widerhall.data.User;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Multipart;
import javax.mail.Part;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.net.URLEncoder;
@ -19,6 +16,7 @@ import java.security.NoSuchAlgorithmException; @@ -19,6 +16,7 @@ import java.security.NoSuchAlgorithmException;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.Random;
import java.util.stream.Collectors;
import static de.srsoftware.widerhall.Constants.*;
@ -28,6 +26,14 @@ public class Util { @@ -28,6 +26,14 @@ public class Util {
private static final MessageDigest SHA256 = getSha256();
private static final String EMAIL_PATTERN = "^[a-zA-Z0-9_!#$%&'*+/=?`{|}~^-]+(?:\\.[a-zA-Z0-9_!#$%&'*+/=?`{|}~^-]+)*@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$";
public static char boundedChar(int i) {
i = (i<0 ? -i : i) % 62;
i += '0';
if (i>57) i+=7;
if (i>90) i+=6;
return (char) i;
}
public static String dropEmail(String tx) {
return tx.replaceAll( "[.\\-\\w]+@[.\\-\\w]+", "[email_removed]");
}
@ -119,6 +125,18 @@ public class Util { @@ -119,6 +125,18 @@ public class Util {
return email.matches(EMAIL_PATTERN);
}
public static String randomString(int length) {
Random rand = new Random();
StringBuilder sb = new StringBuilder();
for (int i=0; i<length; i++) {
int k = rand.nextInt();
char c = boundedChar(k);
System.out.println("adding '"+c+"'…");
sb.append(c);
}
return sb.toString();
}
public static String sha256(String s) {
byte[] bytes = SHA256.digest(s.getBytes(StandardCharsets.UTF_8));
return hex(bytes);

24
src/main/java/de/srsoftware/widerhall/data/Database.java
Unescape View File

@ -10,6 +10,7 @@ import java.sql.ResultSet; @@ -10,6 +10,7 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.*;
import static de.srsoftware.widerhall.Constants.*;
import static de.srsoftware.widerhall.Util.t;
import static de.srsoftware.widerhall.data.MailingList.HOLD_TIME;
@ -19,6 +20,7 @@ import static de.srsoftware.widerhall.data.MailingList.HOLD_TIME; @@ -19,6 +20,7 @@ import static de.srsoftware.widerhall.data.MailingList.HOLD_TIME;
*/
public class Database {
private static final Logger LOG = LoggerFactory.getLogger(Database.class);
private static final String DB_VERSION = "db_version";
private static Database singleton = null; // we only need one db handle ever. This will be it.
private final Connection conn; // the actual db connection handle within the singleton
@ -295,6 +297,14 @@ public class Database { @@ -295,6 +297,14 @@ public class Database {
return this;
}
private void createVersionTable() throws SQLException {
var sql = "CREATE TABLE %s (%s %s NOT NULL PRIMARY KEY);".formatted(DB_VERSION,DB_VERSION,INT);
var db = Database.open();
db.query(sql).compile().run();
sql = "INSERT INTO %s VALUES (1)".formatted(DB_VERSION);
db.query(sql).compile().run();
}
private boolean columnExists(String tableName, String columnName) throws SQLException {
var rs = Database.open().select("pragma_table_info('"+tableName+"')","COUNT(*) AS num").where("name",columnName).compile().exec();
try {
@ -357,6 +367,7 @@ public class Database { @@ -357,6 +367,7 @@ public class Database {
try {
singleton = new Database(DriverManager.getConnection(url));
singleton.assertTables(); // must not be concatenated to exception above (assertTables accesses singleton)!
singleton.update202405();
} catch (SQLException sqle) {
sqle.printStackTrace();
}
@ -373,6 +384,10 @@ public class Database { @@ -373,6 +384,10 @@ public class Database {
return new Request(sql);
}
public Request query(String sql) {
return new Request(new StringBuilder(sql));
}
/**
* create a SELECT [flields] FROM [table] request.
* If no fields are supplied, a request in the form SELECT * FROM [table] will be generated.
@ -390,7 +405,6 @@ public class Database { @@ -390,7 +405,6 @@ public class Database {
return new Request(sql.append(" FROM ").append(tableName));
}
/**
* check, whether a table with the provided name exists
* @param tbName
@ -420,4 +434,12 @@ public class Database { @@ -420,4 +434,12 @@ public class Database {
public Request update(String tableName) {
return new Request(new StringBuilder("UPDATE ").append(tableName));
}
private Database update202405() throws SQLException {
if (!tableExists(Database.DB_VERSION)) {
createVersionTable();
User.addTokenColumn();
}
return this;
}
}

21
src/main/java/de/srsoftware/widerhall/data/MailingList.java
Unescape View File

@ -49,8 +49,8 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -49,8 +49,8 @@ public class MailingList implements MessageHandler, ProblemListener {
private static final String SMTP_PASS = "smtp_pass";
public static final String TABLE_NAME = "Lists";
private static final int STATE_PENDING = 0;
private static final int STATE_ENABLED = 1; // do we process incoming messages?
private static final int STATE_PUBLIC = 2; // can guests see this ML?
public static final int STATE_ENABLED = 1; // do we process incoming messages?
public static final int STATE_PUBLIC = 2; // can guests see this ML?
public static final int STATE_FORWARD_FROM = 4; // set original sender as FROM when forwarding?
public static final int STATE_FORWARD_ATTACHED = 8; // forward messages as attachment?
public static final int STATE_HIDE_RECEIVERS = 16; // send using BCC receivers
@ -283,6 +283,18 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -283,6 +283,18 @@ public class MailingList implements MessageHandler, ProblemListener {
return hasState(STATE_OPEN_FOR_GUESTS|STATE_OPEN_FOR_SUBSCRIBERS);
}
public static List<MailingList> listActive() {
try {
var list = new ArrayList<MailingList>();
var rs = Database.open().select(TABLE_NAME).where(STATE+" % 2",1).compile().exec();
while (rs.next()) list.add(MailingList.from(rs));
return list;
} catch (SQLException e){
LOG.debug("Failed to load active MailingLists");
}
return List.of();
}
/**
* Load a ML object by it's identifying email address.
* This is a cached method: if the ML has been loaded before, the already-loaded object will be returned.
@ -308,6 +320,7 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -308,6 +320,7 @@ public class MailingList implements MessageHandler, ProblemListener {
return ml;
}
/**
* Load a ML object by it's identifying email address.
* This is a cached method: if the ML has been loaded before, the already-loaded object will be returned.
@ -679,6 +692,10 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -679,6 +692,10 @@ public class MailingList implements MessageHandler, ProblemListener {
}
}
public void sendPasswordReset(String email, String subject,String text) throws MessagingException, UnsupportedEncodingException {
smtp.send(email(),name(),email,subject,text);
}
protected SmtpClient smtp(){
return smtp;
}

47
src/main/java/de/srsoftware/widerhall/data/User.java
Unescape View File

@ -6,6 +6,7 @@ import java.security.InvalidKeyException; @@ -6,6 +6,7 @@ import java.security.InvalidKeyException;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.util.*;
import static de.srsoftware.widerhall.Constants.*;
@ -20,10 +21,11 @@ public class User { @@ -20,10 +21,11 @@ public class User {
public static final int PERMISSION_ADMIN = 1;
public static final int PERMISSION_CREATE_LISTS = 2;
public static final String HASHED_PASS = "hashedPassword";
public static final String RESET_TOKEN = "resetToken";
public static final String SALT = "salt";
private static final HashMap<String,User> users = new HashMap<>();
private String email, salt, hashedPass, name;
private String email, salt, hashedPass, name, token;
private int permissions;
/**
@ -34,11 +36,12 @@ public class User { @@ -34,11 +36,12 @@ public class User {
* @param hashedPass
* @param permissions
*/
public User(String email, String name, String salt, String hashedPass, int permissions) {
public User(String email, String name, String salt, String hashedPass, String token, int permissions) {
this.email = email.toLowerCase();
this.name = name;
this.salt = salt;
this.hashedPass = hashedPass;
this.token = token;
this.permissions = permissions;
}
@ -81,6 +84,21 @@ public class User { @@ -81,6 +84,21 @@ public class User {
.run();
}
public static void addTokenColumn() throws SQLException {
String sql = "ALTER TABLE %s ADD COLUMN %s %s;".formatted(TABLE_NAME,RESET_TOKEN,VARCHAR);
Database.open().query(sql).compile().run();
}
public static User byToken(String token) throws SQLException {
if (token == null || token.isBlank()) return null;
var rs = Database.open().select(TABLE_NAME).where(RESET_TOKEN,token).compile().exec();
try {
if (rs.next()) return User.from(rs);
return null;
} finally {
rs.close();
}
}
/**
* Create a new user object by hashing it's password and storing user data, salt and hashed password to the db.
@ -96,10 +114,10 @@ public class User { @@ -96,10 +114,10 @@ public class User {
String salt = null;
String hashedPass = null;
if (password != null) {
salt = Util.sha256(email + name + LocalDate.now());
salt = Util.sha256(email + LocalDateTime.now() + name);
hashedPass = Util.sha256(password + salt);
}
return new User(email,name,salt,hashedPass,0).save();
return new User(email,name,salt,hashedPass,null,0).save();
}
/**
@ -115,7 +133,6 @@ public class User { @@ -115,7 +133,6 @@ public class User {
.append(PERMISSIONS).append(" ").append(INT).append(", ")
.append(SALT).append(" ").append(VARCHAR).append(", ")
.append(HASHED_PASS).append(" ").append(VARCHAR)
.append(");");
Database.open().query(sql).compile().run();
}
@ -195,10 +212,16 @@ public class User { @@ -195,10 +212,16 @@ public class User {
rs.getString(NAME),
rs.getString(SALT),
rs.getString(HASHED_PASS),
rs.getString(RESET_TOKEN),
rs.getInt(PERMISSIONS)));
return user;
}
public String generateToken() throws SQLException {
token = Util.randomString(64);
Database.open().update(TABLE_NAME).set(RESET_TOKEN,token).where(EMAIL,this.email).compile().run();
return token;
}
/**
* Loads the user identified by it's email, but only if the provided password matches.
@ -284,4 +307,18 @@ public class User { @@ -284,4 +307,18 @@ public class User {
req.compile().run();
return this;
}
public void setPassword(String newPassword) throws SQLException {
if (newPassword != null) {
String newSalt = Util.sha256(email + LocalDateTime.now() + name);
String newHashedPass = Util.sha256(newPassword + newSalt);
Database.open().update(TABLE_NAME).set(HASHED_PASS,newHashedPass).set(SALT,newSalt).where(EMAIL,email).compile().run();
hashedPass = newHashedPass;
salt = newSalt;
}
}
public String token() {
return token;
}
}

246
src/main/java/de/srsoftware/widerhall/web/Web.java
Unescape View File

@ -15,8 +15,7 @@ import java.io.IOException; @@ -15,8 +15,7 @@ import java.io.IOException;
import java.nio.file.Files;
import java.security.InvalidKeyException;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.*;
import static de.srsoftware.widerhall.Constants.*;
import static de.srsoftware.widerhall.Util.t;
@ -37,6 +36,7 @@ public class Web extends TemplateServlet { @@ -37,6 +36,7 @@ public class Web extends TemplateServlet {
private static final String POST = "post";
private static final String REGISTER = "register";
private static final String RELOAD = "reload";
private static final String RESET_PASSWORD = "reset-pw";
private static final String SUBSCRIBE = "subscribe";
private static final String UNSUBSCRIBE = "unsubscribe";
private static final String IMAP_HOST = "imap_host";
@ -49,7 +49,7 @@ public class Web extends TemplateServlet { @@ -49,7 +49,7 @@ public class Web extends TemplateServlet {
private static final String SMTP_PASS = "smtp_pass";
private static final int PRIMARY_KEY_CONSTRAINT = 19;
private String addList(HttpServletRequest req, HttpServletResponse resp) {
private String addList(HttpServletRequest req, HttpServletResponse resp, boolean isGet) {
var user = Util.getUser(req);
if (user == null) return redirectTo(LOGIN,resp);
var data = new HashMap<String, Object>();
@ -139,15 +139,16 @@ public class Web extends TemplateServlet { @@ -139,15 +139,16 @@ public class Web extends TemplateServlet {
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) return t("You are not allowed to access the archive of this list");
var map = new HashMap<String,Object>();
map.put(LIST,list.email());
var data = new HashMap<String,Object>();
if (user != null) data.put(USER,user);
data.put(LIST,list.email());
var month = req.getParameter(MONTH);
if (month != null && !month.isBlank()){
map.put(MONTH,month);
map.put(MODERATOR,list.mayBeAlteredBy(user));
data.put(MONTH,month);
data.put(MODERATOR,list.mayBeAlteredBy(user));
}
return loadTemplate(ARCHIVE,map,resp);
return loadTemplate(ARCHIVE,data,resp);
}
private String confirm(HttpServletRequest req, HttpServletResponse resp) {
@ -169,17 +170,17 @@ public class Web extends TemplateServlet { @@ -169,17 +170,17 @@ public class Web extends TemplateServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String error = handleGet(req, resp);
String error = handleRequest(req, resp, true);
if (error != null) resp.sendError(400,error);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String error = handlePost(req, resp);
String error = handleRequest(req, resp, false);
if (error != null) resp.sendError(400,error);
}
public String editList(HttpServletRequest req, HttpServletResponse resp) {
public String editList(HttpServletRequest req, HttpServletResponse resp, boolean isGet) {
var user = Util.getUser(req);
if (user == null) return redirectTo(LOGIN,resp);
@ -188,6 +189,7 @@ public class Web extends TemplateServlet { @@ -188,6 +189,7 @@ public class Web extends TemplateServlet {
var list = Util.getMailingList(req);
data.put(LIST,list.safeMap());
if (isGet) return loadTemplate(EDIT_LIST,data,resp);
try {
var allowed = user.hashPermission(PERMISSION_ADMIN) || ListMember.load(list,user).isOwner();
if (!allowed) return loadTemplate(ADMIN,data,resp);
@ -273,11 +275,56 @@ public class Web extends TemplateServlet { @@ -273,11 +275,56 @@ public class Web extends TemplateServlet {
return sqle;
}
private User getSessionUser(HttpServletRequest req) {
return req.getSession().getAttribute(USER) instanceof User user ? user : null;
private String handleLogin(HttpServletRequest req, HttpServletResponse resp,boolean isGet) {
if (isGet) return loadTemplate(LOGIN,null,resp);
var email = req.getParameter("email");
var pass = req.getParameter("pass");
if (email == null || pass == null) return loadTemplate(LOGIN, Map.of("error",t("Missing username or password!")), resp);
if (!Util.isEmail(email)) return loadTemplate(LOGIN, Map.of("error",t("'{}' is not a valid email address!",email)), resp);
try {
var user = User.loadUser(email,pass);
req.getSession().setAttribute("user",user);
// loading user successfull: goto index
resp.sendRedirect(String.join("/",WEB_ROOT,"admin"));
} catch (Exception e) {
try {
LOG.warn("Static.handleLogin failed:",e);
Thread.sleep(10000);
} finally {
return loadTemplate("login", Map.of(ERROR,t("Invalid username/password"),EMAIL,email), resp);
}
}
return null;
}
private String handleGet(HttpServletRequest req, HttpServletResponse resp) {
private String handleNewPassword(HttpServletRequest req, HttpServletResponse resp, boolean isGet) {
var user = Util.getUser(req);
if (user == null) return redirectTo(LOGIN,resp);
var data = new HashMap<String,Object>();
data.put(USER,user.safeMap());
if (!isGet) {
var pass = req.getParameter(PASSWORD);
var repeat = req.getParameter(PASSWORD_REPEAT);
if (pass == null || pass.isBlank()) {
data.put(ERROR, "Please set a password!");
} else if (!pass.equals(repeat)) {
data.put(ERROR, "Passwords do not match");
} else if (Util.simplePassword(pass)) {
data.put(ERROR, "Your password is to simple");
} else {
try {
user.setPassword(pass);
data.put(NOTES,"Your password has been updated!");
return loadTemplate(ADMIN,data,resp);
} catch (SQLException e) {
data.put(ERROR,t("Failed to update password in database: {}",e.getMessage()));
}
}
}
return loadTemplate(NEW_PASSWORD_FORM,data,resp);
}
private String handleRequest(HttpServletRequest req, HttpServletResponse resp, boolean isGet){
var path = Util.getPath(req);
var user = Util.getUser(req);
var data = new HashMap<String,Object>();
@ -285,39 +332,75 @@ public class Web extends TemplateServlet { @@ -285,39 +332,75 @@ public class Web extends TemplateServlet {
if (user != null) data.put(USER,user.safeMap());
if (list != null) data.put(LIST,list.minimalMap());
var interesting = !Set.of("js","jquery","css","OpenSans-Regular.woff","Bhineka.ttf").contains(path);
LOG.debug("{}",interesting?"interesting":"boring");
if (user != null){
switch (path){
case ADD_LIST:
return addList(req,resp,isGet);
case ADMIN:
return loadTemplate(path,data,resp);
case EDIT_LIST:
return editList(req,resp,isGet);
case INSPECT:
return inspect(req,resp,isGet);
case NEW_PASSWORD_FORM:
return handleNewPassword(req,resp,isGet);
}
}
switch (path){
case ARCHIVE:
return archive(list,user,req,resp);
case CSS:
case INDEX:
return loadTemplate(path,data,resp);
case CONFIRM:
return confirm(req,resp);
case LOGIN:
return handleLogin(req,resp,isGet);
case LOGOUT:
req.getSession().invalidate();
return redirectTo(INDEX,resp);
case POST:
return post(req,resp);
case REGISTER:
return registerUser(req,resp,isGet);
case RELOAD:
loadTemplates();
data.put(NOTES,t("Templates have been reloaded!"));
path = INDEX;
case CSS:
case INDEX:
return loadTemplate(path,data,resp);
return loadTemplate(INDEX,data,resp);
case RESET_PASSWORD:
if (!isGet) return resetPassword(req,resp);
// TODO: move following code into resetPassword method
try {
user = User.byToken(req.getParameter(TOKEN));
if (user != null) {
req.getSession().setAttribute("user",user);
return redirectTo(NEW_PASSWORD_FORM,resp);
}
} catch (SQLException sqle){
return loadTemplate(path,Map.of(ERROR,"Failed to add user for token!"),resp);
}
var email = req.getParameter(EMAIL);
return loadTemplate(path,email == null ? null : Map.of(EMAIL,email),resp);
case SUBSCRIBE:
if (!isGet) {
return subscribe(req, resp);
} // TODO: Code für GET-Request mit in subscribe-Methode verschieben
if (list.isOpenFor(user)) {
data.put(LIST,list.email());
return loadTemplate(path, data, resp);
}
return t("You are not allowed to subscribe to '{}'!",list.email());
case UNSUBSCRIBE:
return unsubscribe(req,resp,isGet);
}
/* uninteresting paths */
switch (path){
case "js":
resp.setContentType("text/javascript");
return loadTemplate(path,data,resp);
case LOGIN:
try {
if (User.noUsers()) return loadTemplate(REGISTER, Map.of(NOTES,t("User database is empty. Create admin user first:")), resp);
return loadTemplate(path,null,resp);
} catch (SQLException e) {
return "Error reading user database!";
}
case LOGOUT:
req.getSession().invalidate();
return redirectTo(INDEX,resp);
case "jquery":
resp.setContentType("text/javascript");
return loadFile("jquery-3.6.0.min.js",resp);
@ -329,69 +412,16 @@ public class Web extends TemplateServlet { @@ -329,69 +412,16 @@ public class Web extends TemplateServlet {
return loadFile("Bhineka.ttf",resp); case UNSUBSCRIBE:
data.put(LIST,list.email());
return loadTemplate(path,data,resp);
}
if (user != null){
if (list != null) data.put(LIST,req.getParameter(LIST));
switch (path){
case EDIT_LIST:
return editList(req,resp);
}
return loadTemplate(path,data,resp);
}
return redirectTo(LOGIN,resp);
}
private String handleLogin(HttpServletRequest req, HttpServletResponse resp) {
var email = req.getParameter("email");
var pass = req.getParameter("pass");
if (email == null || pass == null) return loadTemplate("login", Map.of("error",t("Missing username or password!")), resp);
if (!Util.isEmail(email)) return loadTemplate("login", Map.of("error",t("'{}' is not a valid email address!",email)), resp);
try {
var user = User.loadUser(email,pass);
req.getSession().setAttribute("user",user);
// loading user successfull: goto index
resp.sendRedirect(String.join("/",WEB_ROOT,"admin"));
} catch (Exception e) {
try {
LOG.warn("Static.handleLogin failed:",e);
Thread.sleep(10000);
} finally {
return loadTemplate("login", Map.of(ERROR,t("Invalid username/password"),EMAIL,email), resp);
}
}
return null;
}
private String handlePost(HttpServletRequest req, HttpServletResponse resp) {
final var path = Util.getPath(req);
switch (path){
case ADD_LIST:
return addList(req,resp);
case EDIT_LIST:
return editList(req,resp);
case INSPECT:
return inspect(req,resp);
case LOGIN:
return handleLogin(req,resp);
case REGISTER:
return registerUser(req,resp);
case SUBSCRIBE:
return subscribe(req,resp);
case UNSUBSCRIBE:
return unsubscribe(req,resp);
}
return t("No handler for path {}!",path);
}
private String inspect(HttpServletRequest req, HttpServletResponse resp) {
private String inspect(HttpServletRequest req, HttpServletResponse resp, boolean isGet) {
var user = Util.getUser(req);
if (user == null) return redirectTo(LOGIN,resp);
var data = new HashMap<String,Object>();
data.put(USER,user);
var error = false;
var list = Util.getMailingList(req);
@ -399,6 +429,7 @@ public class Web extends TemplateServlet { @@ -399,6 +429,7 @@ public class Web extends TemplateServlet {
error = true;
data.put(ERROR, t("No valid mailing list provided!"));
} else data.put(LIST, list.email());
if (isGet) return loadTemplate(INSPECT,data,resp);
if (!error && !list.mayBeAlteredBy(user)) {
error = true;
@ -451,10 +482,8 @@ public class Web extends TemplateServlet { @@ -451,10 +482,8 @@ public class Web extends TemplateServlet {
}
}
private String registerUser(HttpServletRequest req, HttpServletResponse resp) {
private String registerUser(HttpServletRequest req, HttpServletResponse resp, boolean isGet) {
if (isGet) return loadTemplate(REGISTER,null,resp);
var email = req.getParameter("email");
var pass = req.getParameter("pass");
var pass_repeat = req.getParameter("pass_repeat");
@ -463,9 +492,9 @@ public class Web extends TemplateServlet { @@ -463,9 +492,9 @@ public class Web extends TemplateServlet {
if (email == null || email.isBlank() ||
name == null || name.isBlank() ||
pass == null || pass.isBlank() ||
pass_repeat == null || pass_repeat.isBlank()) return loadTemplate(REGISTER,Map.of(ERROR,t("Fill all fields, please!"),NAME,name,EMAIL,email),resp);
if (!pass.equals(pass_repeat)) return loadTemplate(REGISTER,Map.of(ERROR,t("Passwords do not match!"),NAME,name,EMAIL,email),resp);
if (Util.simplePassword(pass)) return loadTemplate(REGISTER,Map.of(ERROR,t("Password to short or to simple!"),NAME,name,EMAIL,email),resp);
pass_repeat == null || pass_repeat.isBlank()) return loadTemplate(REGISTER,Map.of(ERROR,t("Fill all fields, please!"),NAME,name,EMAIL,email),resp);
if (!pass.equals(pass_repeat)) return loadTemplate(REGISTER,Map.of(ERROR,t("Passwords do not match!"),NAME,name,EMAIL,email),resp);
if (Util.simplePassword(pass)) return loadTemplate(REGISTER,Map.of(ERROR,t("Password to short or to simple!"),NAME,name,EMAIL,email),resp);
var firstUser = false;
try {
@ -474,7 +503,6 @@ public class Web extends TemplateServlet { @@ -474,7 +503,6 @@ public class Web extends TemplateServlet {
return t("Failed to access user database: {}",e.getMessage());
}
try {
var user = User.create(email, name, pass);
if (firstUser) user.addPermission(PERMISSION_ADMIN|User.PERMISSION_CREATE_LISTS);
@ -486,6 +514,33 @@ public class Web extends TemplateServlet { @@ -486,6 +514,33 @@ public class Web extends TemplateServlet {
}
}
private String resetPassword(HttpServletRequest req, HttpServletResponse resp) {
var email = req.getParameter("email");
if (email == null) return loadTemplate("login", Map.of("error",t("Missing email address!")), resp);
if (!Util.isEmail(email)) return loadTemplate("login", Map.of("error",t("'{}' is not a valid email address!",email)), resp);
try {
var user = User.load(email);
if (user != null) {
MailingList list = ListMember.listsOf(user).stream().map(ListMember::list).filter(ml -> ml.hasState(STATE_ENABLED)).findAny().orElse(null);
if (list == null) list = MailingList.listActive().stream().findAny().orElse(null);
if (list == null) throw new NullPointerException("no active List found!");
String token = user.generateToken();
var host = Arrays.stream(req.getRequestURL().toString().split("/")).filter(s -> !s.isEmpty() && !s.startsWith("http")).findFirst().orElse("unknwon host");
var link = req.getRequestURL().toString()+"?token="+token;
var subject = t("Reset your password at {}",host);
var text = t("Somebody asked to reset your account password at {}.\n\nIf that was you, please open the following link in your web browser:\n\n{}\n\nIf you did not expect this email, please ignore it.",host,link);
list.sendPasswordReset(email,subject,text);
return loadTemplate("reset_link_sent",null,resp);
}
} catch (Exception e){
return loadTemplate(Util.getPath(req),Map.of(EMAIL,email,ERROR,"Failed to send reset email: "+e.getMessage()),resp);
}
return null;
}
private String subscribe(HttpServletRequest req, HttpServletResponse resp) {
var name = req.getParameter(NAME);
var email = req.getParameter(EMAIL);
@ -517,6 +572,7 @@ public class Web extends TemplateServlet { @@ -517,6 +572,7 @@ public class Web extends TemplateServlet {
int code = cause.getErrorCode();
if (code == PRIMARY_KEY_CONSTRAINT) try {// user already exists
user = User.loadUser(email,pass);
req.getSession().setAttribute("user",user);
skipConfirmation = pass != null; // subscription with email address already known to database
// success → subscribe
} catch (InvalidKeyException | SQLException e) {
@ -555,11 +611,9 @@ public class Web extends TemplateServlet { @@ -555,11 +611,9 @@ public class Web extends TemplateServlet {
}
}
private String unsubscribe(HttpServletRequest req, HttpServletResponse resp) {
private String unsubscribe(HttpServletRequest req, HttpServletResponse resp, boolean isGet) {
var data = new HashMap<String,Object>();
var user = getSessionUser(req);
var user = Util.getUser(req);
var email = req.getParameter(EMAIL);
var list = Util.getMailingList(req);
data.put(EMAIL,email);
@ -568,6 +622,7 @@ public class Web extends TemplateServlet { @@ -568,6 +622,7 @@ public class Web extends TemplateServlet {
data.put(ERROR,t("No list provided by form data!"));
return loadTemplate(UNSUBSCRIBE,data,resp);
} else data.put(LIST,list.email());
if (isGet) return loadTemplate(UNSUBSCRIBE,data,resp);
if (user == null) {
if (email == null || email.isBlank()) {
data.put(ERROR, t("Email is required for list un-subscription!"));
@ -607,7 +662,6 @@ public class Web extends TemplateServlet { @@ -607,7 +662,6 @@ public class Web extends TemplateServlet {
LOG.warn("Problem during unscubsription of {} from {}:",user.email(),list.email(),e);
data.put(ERROR,"Failed to unsubscribe!");
return loadTemplate(UNSUBSCRIBE,data,resp);
}
}
}

65
src/test/java/de/srsoftware/widerhall/UtilTest.java
Unescape View File

@ -4,6 +4,7 @@ import junit.framework.TestCase; @@ -4,6 +4,7 @@ import junit.framework.TestCase;
import java.util.Map;
import java.util.TreeMap;
import static de.srsoftware.widerhall.Util.*;
public class UtilTest extends TestCase {
@ -17,17 +18,17 @@ public class UtilTest extends TestCase { @@ -17,17 +18,17 @@ public class UtilTest extends TestCase {
}
public void testHex(){
assertEquals("00",Util.hex(0));
assertEquals("09",Util.hex(9));
assertEquals("0A",Util.hex(10));
assertEquals("0F",Util.hex(15));
assertEquals("10",Util.hex(16));
assertEquals("19",Util.hex(25));
assertEquals("FF",Util.hex(255));
assertEquals("00",hex(0));
assertEquals("09",hex(9));
assertEquals("0A",hex(10));
assertEquals("0F",hex(15));
assertEquals("10",hex(16));
assertEquals("19",hex(25));
assertEquals("FF",hex(255));
}
public void testSha256() {
assertEquals("9F722959A023C02A3BA0FAFDBA81ADED642D6610EFF5DCA32DCE35132E16B6C5",Util.sha256("Dies ist ein Test"));
assertEquals("9F722959A023C02A3BA0FAFDBA81ADED642D6610EFF5DCA32DCE35132E16B6C5",sha256("Dies ist ein Test"));
}
public void testTranslate() {
@ -35,30 +36,40 @@ public class UtilTest extends TestCase { @@ -35,30 +36,40 @@ public class UtilTest extends TestCase {
}
public void testIsEmail() {
assertFalse(Util.isEmail("Test"));
assertFalse(Util.isEmail("Test@"));
assertFalse(Util.isEmail("@Test"));
assertTrue(Util.isEmail("Test@Domain"));
assertFalse(Util.isEmail("Test@Domain@Test"));
assertFalse(isEmail("Test"));
assertFalse(isEmail("Test@"));
assertFalse(isEmail("@Test"));
assertTrue(isEmail("Test@Domain"));
assertFalse(isEmail("Test@Domain@Test"));
}
public void testSimplePassword() {
assertTrue(Util.simplePassword("$@%€#")); // too short
assertTrue(Util.simplePassword("test123")); // no special chars
assertFalse(Util.simplePassword("test$23")); // contains special chars
assertTrue(Util.simplePassword("skgjafdsg")); // chars only
assertTrue(Util.simplePassword("986535465")); // digits only
assertFalse(Util.simplePassword("test9523")); // mixed digits and chars
assertFalse(Util.simplePassword("8986546054")); // digits only, but long enough
assertFalse(Util.simplePassword("salgksdjbw")); // chars only, but long enough
assertTrue(simplePassword("$@%€#")); // too short
assertTrue(simplePassword("test123")); // no special chars
assertFalse(simplePassword("test$23")); // contains special chars
assertTrue(simplePassword("skgjafdsg")); // chars only
assertTrue(simplePassword("986535465")); // digits only
assertFalse(simplePassword("test9523")); // mixed digits and chars
assertFalse(simplePassword("8986546054")); // digits only, but long enough
assertFalse(simplePassword("salgksdjbw")); // chars only, but long enough
}
public void testUnsetFlags(){
assertEquals(0,Util.unset(31,1,2,4,8,16));
assertEquals(1,Util.unset(31,2,4,8,16));
assertEquals(2,Util.unset(31,1,4,8,16));
assertEquals(4,Util.unset(31,1,2,8,16));
assertEquals(8,Util.unset(31,1,2,4,16));
assertEquals(16,Util.unset(31,1,2,4,8));
assertEquals(0,unset(31,1,2,4,8,16));
assertEquals(1,unset(31,2,4,8,16));
assertEquals(2,unset(31,1,4,8,16));
assertEquals(4,unset(31,1,2,8,16));
assertEquals(8,unset(31,1,2,4,16));
assertEquals(16,unset(31,1,2,4,8));
}
public void testBoundedChar(){
assertEquals('0',boundedChar(0));
assertEquals('9',boundedChar(9));
assertEquals('A',boundedChar(10));
assertEquals('Z',boundedChar(35));
assertEquals('a',boundedChar(36));
assertEquals('z',boundedChar(61));
assertEquals('0',boundedChar(62));
}
}

4
src/test/java/de/srsoftware/widerhall/data/ListMemberTest.java
Unescape View File

@ -110,7 +110,7 @@ public class ListMemberTest extends TestCase { @@ -110,7 +110,7 @@ public class ListMemberTest extends TestCase {
}*/
public void testSafeMap() {
var user = new User("email","name","salt","hash",0);
var user = new User("email","name","salt","hash",null,0);
var lm = new ListMember(null,user,ListMember.STATE_AWAITING_CONFIRMATION,"token");
assertEquals(Map.of(EMAIL,"email",NAME,"name",STATE,"awaiting confirmation"),lm.safeMap());
}
@ -137,7 +137,7 @@ public class ListMemberTest extends TestCase { @@ -137,7 +137,7 @@ public class ListMemberTest extends TestCase {
}*/
public void testUser() {
var user = new User("email","name","salt","hash",0);
var user = new User("email","name","salt","hash",null,0);
var lm = new ListMember(null,user,ListMember.STATE_AWAITING_CONFIRMATION,"token");
assertEquals(user,lm.user());
}

1
static/templates/login.st
Unescape View File

@ -19,5 +19,6 @@ @@ -19,5 +19,6 @@
<button type="submit">Login</button>
</fieldset>
</form>
<a href="reset-pw«if(data.email)»?email=«data.email»«endif»">Forgot password?</a>
</body>
</html>

33
static/templates/new_password_form.st
Unescape View File

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
<!DOCTYPE html>
<html>
«head()»
«userinfo()»
<body id="login">
«navigation()»
«messages()»
<h1>Set new account password</h1>
<form method="POST">
<fieldset>
Dear «if(data.user.name)»«data.user.name»«else»«data.user.email»«endif», you may now set a new password for your account «data.email»:
<legend>Login credentials</legend>
<label>
<input enabled="false" value="«data.user.email»" />
Email address
</label>
<label>
<input type="password" name="password" value="" id="password" />
Password
</label>
<label>
<input type="password" name="password-repeat" value="" id="password-repeat" />
Password (repeat)
</label>
<input type="hidden" name="token" value="«data.token»" />
<button type="submit">Save new password</button>
</fieldset>
</form>
<a href="reset-pw">Forgot password?</a>
</body>
</html>

21
static/templates/reset-pw.st
Unescape View File

@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
<!DOCTYPE html>
<html>
«head()»
<body id="login">
«navigation()»
«messages()»
<h1>Widerhall password recovery</h1>
<form method="POST">
<fieldset>
<legend>Forgot password?</legend>
If you have lost or forgot your password, please enter your email below.
Upon pressing the "Reset password" button, you will be sent an email with a link allowing you to set a new password.
<label>
<input type="text" name="email" value="«data.email»" id="email" />
Email address
</label>
<button type="submit">Reset password</button>
</fieldset>
</form>
</body>
</html>

17
static/templates/reset_link_sent.st
Unescape View File

@ -0,0 +1,17 @@ @@ -0,0 +1,17 @@
<!DOCTYPE html>
<html>
«head()»
<body id="login">
«navigation()»
«messages()»
<h1>Confirmation</h1>
<fieldset>
<legend>
Link sent
</legend>
An email was sent to you:<br/>
This mail contains a link, that proves you are in control about the resprective mail address. Open the received link in a web browser and you will be able to set a new password.
</fieldset>
</body>
</html>

4
static/templates/subscribe.st
Unescape View File

@ -11,11 +11,11 @@ @@ -11,11 +11,11 @@
<fieldset>
<legend>Suscribe to "«data.list»"</legend>
<label>
<input type="text" name="name" value="«if(data.name)»«data.name»«else»«data.user.name»«endif»">
<input type="text" name="name" value="«if(data.user)»«data.user.name»«else»«data.name»«endif»">
Name
</label>
<label>
<input type="text" name="email" value="«if(data.email)»«data.email»«else»«data.user.email»«endif»">
<input type="text" name="email" value="«if(data.user)»«data.user.email»«else»«data.email»«endif»">
Email
</label>
<label>

Write Preview
Loading…
Cancel
Save