TT#92550 - Implement /api/passwordrecovery

* The new endpoint will only accept POSTs * The request body should have two parameters called 'new_password' and 'token' * First, look for the token in redis (for admins), if not found, look for it in DB (for subscribers), if neither is found, return Change-Id: I4163a0d5bd886961317b21aeca20c8ccfdeab0dd
5 years ago · 654bb1aabe
parent 29647d614b
commit 654bb1aabe
6 changed files with 222 additions and 2 deletions
--- a/lib/NGCP/Panel/Controller/API/PasswordRecovery.pm
+++ b/lib/NGCP/Panel/Controller/API/PasswordRecovery.pm
@ -0,0 +1,157 @@
+package NGCP::Panel::Controller::API::PasswordRecovery;
+use NGCP::Panel::Utils::Generic qw(:all);
+
+use Sipwise::Base;
+
+use boolean qw(true);
+use Data::HAL qw();
+use Data::HAL::Link qw();
+use HTTP::Headers qw();
+use HTTP::Status qw(:constants);
+
+
+sub allowed_methods{
+    return [qw/POST OPTIONS/];
+}
+
+use parent qw/NGCP::Panel::Role::Entities NGCP::Panel::Role::API::PasswordRecovery/;
+
+sub api_description {
+    return 'Recover password following a password reset request.';
+}
+
+sub query_params {
+    return [
+    ];
+}
+
+sub resource_name{
+    return 'passwordrecovery';
+}
+
+sub dispatch_path{
+    return '/api/passwordrecovery/';
+}
+
+sub relation{
+    return 'http://purl.org/sipwise/ngcp-api/#rel-passwordrecovery';
+}
+
+__PACKAGE__->set_config({
+    action => {
+        map { $_ => {
+            Args => 0,
+            Does => [qw(CheckTrailingSlash RequireSSL)],
+            Method => $_,
+            Path => __PACKAGE__->dispatch_path,
+        } } @{ __PACKAGE__->allowed_methods },
+    },
+});
+
+sub POST :Allow {
+    my ($self, $c) = @_;
+
+    my $res;
+
+    $c->user->logout if($c->user);
+
+    my $guard = $c->model('DB')->txn_scope_guard;
+    {
+        my $resource = $self->get_valid_post_data(
+            c => $c,
+            media_type => 'application/json',
+        );
+        last unless $resource;
+
+        my $form = $self->get_form($c);
+        last unless $self->validate_form(
+            c => $c,
+            resource => $resource,
+            form => $form,
+        );
+
+        my ($uuid_bin, $uuid_string);
+        $uuid_string = $resource->{token} // '';
+
+        unless($uuid_string && UUID::parse($uuid_string, $uuid_bin) != -1) {
+            $res = {success => 0};
+            $c->log->error("Invalid password recovery attempt for token '$uuid_string' from '".$c->qs($c->req->address)."'");
+            $c->response->status(HTTP_FORBIDDEN);
+            $c->response->body(JSON::to_json($res));
+            return;
+        }
+
+        my $redis = Redis->new(
+            server => $c->config->{redis}->{central_url},
+            reconnect => 10, every => 500000, # 500ms
+            cnx_timeout => 3,
+        );
+        unless ($redis) {
+            $res = {success => 0};
+            $c->log->error("Failed to connect to central redis url " . $c->config->{redis}->{central_url});
+            $c->response->status(HTTP_INTERNAL_SERVER_ERROR);
+            $c->response->body(JSON::to_json($res));
+            return;
+        }
+        $redis->select($c->config->{'Plugin::Session'}->{redis_db});
+        my $admin = $redis->hget("password_reset:admin::$uuid_string", "user");
+        if ($admin) {
+            $c->log->debug("Entering password recovery for administrator.");
+            my $administrator = $c->model('DB')->resultset('admins')->search({login => $admin})->first;
+            unless ($administrator) {
+                $res = {success => 0};
+                $c->log->error("Invalid password recovery attempt for token '$uuid_string' from '".$c->qs($c->req->address)."'");
+                $c->response->status(HTTP_FORBIDDEN);
+                $c->response->body(JSON::to_json($res));
+                return;
+            }
+            my $ip = $redis->hget("password_reset:admin::$uuid_string", "ip");
+            if ($ip && $ip ne $c->req->address) {
+                $res = {success => 0};
+                $c->log->error("Invalid password recovery attempt for token '$uuid_string' from '".$c->qs($c->req->address)."'");
+                $c->response->status(HTTP_FORBIDDEN);
+                $c->response->body(JSON::to_json($res));
+                return;
+            }
+            $c->log->debug("Updating administrator password.");
+            $administrator->update({
+                saltedpass => NGCP::Panel::Utils::Auth::generate_salted_hash($form->params->{new_password}),
+            });
+            $redis->del("password_reset:admin::$uuid_string");
+            $redis->del("password_reset:admin::$admin");
+        }
+        else {
+            $c->log->debug("Entering password recovery for subscriber.");
+            my $rs = $c->model('DB')->resultset('password_resets')->search({
+                uuid => $uuid_string,
+                timestamp => { '>=' => NGCP::Panel::Utils::DateTime::current_local->epoch - 300 },
+            });
+
+            my $subscriber = $rs->first ? $rs->first->voip_subscriber : undef;
+            unless($subscriber && $subscriber->provisioning_voip_subscriber) {
+                $res = {success => 0};
+                $c->log->error("Invalid password recovery attempt for token '$uuid_string' from '".$c->qs($c->req->address)."'");
+                $c->response->status(HTTP_FORBIDDEN);
+                $c->response->body(JSON::to_json($res));
+                return;
+            }
+            $c->log->debug("Updating subscriber password.");
+            $subscriber->provisioning_voip_subscriber->update({
+                webpassword => NGCP::Panel::Utils::Auth::generate_salted_hash($form->params->{new_password}),
+            });
+            $rs->delete;
+        }
+
+        $guard->commit;
+
+        $res = { success => 1, message => 'Password reset successfuly completed.' };
+
+        $c->response->status(HTTP_OK);
+        $c->response->body(JSON::to_json($res));
+    }
+    return;
+}
+
+1;
+
+# vim: set tabstop=4 expandtab:
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
@ -126,6 +126,7 @@ sub auto :Private {
        or $c->req->uri->path =~ m|^/resetwebpassword/?$|
        or $c->req->uri->path =~ m|^/resetpassword/?$|
        or $c->req->uri->path =~ m|^/api/passwordreset/?$|
+        or $c->req->uri->path =~ m|^/api/passwordrecovery/?$|
        or $c->req->uri->path =~ m|^/internalsms/receive/?$|
        or $c->req->uri->path =~ m|^/soap/intercept(\.wsdl)?/?$|i
    ) {
--- a/lib/NGCP/Panel/Form/PasswordRecoveryAPI.pm
+++ b/lib/NGCP/Panel/Form/PasswordRecoveryAPI.pm
@ -0,0 +1,35 @@
+package NGCP::Panel::Form::PasswordRecoveryAPI;
+
+use HTML::FormHandler::Moose;
+use Email::Valid;
+use NGCP::Panel::Utils::Form;
+extends 'HTML::FormHandler';
+
+has_field 'new_password' => (
+    type => 'Password',
+    required => 1,
+    label => 'Password',
+);
+
+has_field 'token' => (
+    type => 'Text',
+    required => 1,
+    label => 'Token',
+);
+
+has_block 'fields' => (
+    tag => 'div',
+    class => [qw/modal-body/],
+    render_list => [qw/new_password token/],
+);
+
+sub validate_new_password {
+    my ($self, $field) = @_;
+    my $c = $self->form->ctx;
+    return unless $c;
+
+    NGCP::Panel::Utils::Form::validate_password(c => $c, field => $field);
+}
+
+1;
+# vim: set tabstop=4 expandtab:
--- a/lib/NGCP/Panel/Role/API/PasswordRecovery.pm
+++ b/lib/NGCP/Panel/Role/API/PasswordRecovery.pm
@ -0,0 +1,24 @@
+package NGCP::Panel::Role::API::PasswordRecovery;
+use NGCP::Panel::Utils::Generic qw(:all);
+
+use Sipwise::Base;
+
+use parent 'NGCP::Panel::Role::API';
+
+
+use boolean qw(true);
+use Data::HAL qw();
+use Data::HAL::Link qw();
+use HTTP::Status qw(:constants);
+
+
+sub _item_rs {
+}
+
+sub get_form {
+    my ($self, $c) = @_;
+    return NGCP::Panel::Form::get("NGCP::Panel::Form::PasswordRecoveryAPI", $c);
+}
+
+1;
+# vim: set tabstop=4 expandtab:
--- a/lib/NGCP/Panel/Utils/Auth.pm
+++ b/lib/NGCP/Panel/Utils/Auth.pm
@ -413,7 +413,9 @@ sub initiate_password_reset {
        $redis->hset("password_reset:admin::$uuid_string", 'user', $username);
        $redis->hset("password_reset:admin::$uuid_string", 'ip', $c->req->address);
        $redis->expire("password_reset:admin::$uuid_string", 300);
-        my $url = $c->uri_for_action('/login/recover_password')->as_string . '?token=' . $uuid_string;
+        my $url = $c->req->header('Referer') && $c->req->header('Referer') =~ /\/v2\// ?
+                  $c->req->base . 'v2/recoverpassword?token=' . $uuid_string :
+                  $c->uri_for_action('/login/recover_password')->as_string . '?token=' . $uuid_string;
        NGCP::Panel::Utils::Email::admin_password_reset($c, $admin, $url);
    }
    return {success => 1};
--- a/t/api-rest/api-root.t
+++ b/t/api-rest/api-root.t
@ -110,6 +110,7 @@ $ua = Test::Collection->new()->ua();
        numbers => 1,
        partycallcontrols => 1,
        passwordreset => 1,
+        passwordrecovery => 1,
        pbxdeviceconfigfiles => 1,
        pbxdeviceconfigs => 1,
        pbxdevicefirmwarebinaries => 1,
@ -172,7 +173,7 @@ $ua = Test::Collection->new()->ua();
        vouchers => 1,
    };
    foreach my $link(@links) {
-        my $rex = qr!^</api/[a-z]+/>; rel="collection http://purl\.org/sipwise/ngcp-api/#rel-([a-z]+s|topupcash|managersecretary|passwordreset)"$!;
+        my $rex = qr!^</api/[a-z]+/>; rel="collection http://purl\.org/sipwise/ngcp-api/#rel-([a-z]+s|topupcash|managersecretary|passwordre(set|covery))"$!;
        like($link, $rex, "check for valid link syntax");
        my ($relname) = ($link =~ $rex);
        ok(exists $rels->{$relname}, "check for '$relname' collection in Link");