From 1405eb6ea3fe95fcb9c205c6c4c250433d48819c Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Sat, 6 Apr 2019 11:20:10 +0200 Subject: [PATCH] Add password change form --- lib/Travelynx.pm | 12 ++++- lib/Travelynx/Controller/Account.pm | 81 ++++++++++++++++++++++++++--- templates/account.html.ep | 10 ++-- templates/change_password.html.ep | 69 ++++++++++++++++++++++++ 4 files changed, 160 insertions(+), 12 deletions(-) create mode 100644 templates/change_password.html.ep diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm index 3de3b9e..b9132f3 100755 --- a/lib/Travelynx.pm +++ b/lib/Travelynx.pm @@ -583,7 +583,8 @@ qq{select * from pending_mails where email = ? and num_tries > 1;} elsif ( $user->{cancelled} ) { # Same - $self->checkout($station, 1, $self->app->action_type->{cancelled_to}); + $self->checkout( $station, 1, + $self->app->action_type->{cancelled_to} ); } my $success = $self->app->action_query->execute( @@ -876,6 +877,13 @@ qq{select * from pending_mails where email = ? and num_tries > 1;} } ); + $self->helper( + 'set_user_password' => sub { + my ( $self, $uid, $password ) = @_; + $self->app->set_password_query->execute( $password, $uid ); + } + ); + $self->helper( 'check_if_user_name_exists' => sub { my ( $self, $user_name ) = @_; @@ -1322,12 +1330,14 @@ qq{select * from pending_mails where email = ? and num_tries > 1;} ); $authed_r->get('/account')->to('account#account'); + $authed_r->get('/change_password')->to('account#password_form'); $authed_r->get('/export.json')->to('account#json_export'); $authed_r->get('/history')->to('traveling#history'); $authed_r->get('/history/:year/:month')->to('traveling#monthly_history'); $authed_r->get('/history.json')->to('traveling#json_history'); $authed_r->get('/journey/:id')->to('traveling#journey_details'); $authed_r->get('/s/*station')->to('traveling#station'); + $authed_r->post('/change_password')->to('account#change_password'); $authed_r->post('/delete')->to('account#delete'); $authed_r->post('/logout')->to('account#do_logout'); $authed_r->post('/set_token')->to('api#set_token'); diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm index 7360899..9e8c1fb 100644 --- a/lib/Travelynx/Controller/Account.pm +++ b/lib/Travelynx/Controller/Account.pm @@ -136,11 +136,12 @@ sub register { .= "werden wir sie dauerhaft sperren und keine Mails mehr dorthin schicken.\n\n"; $body .= "Daten zur Registrierung:\n"; $body .= " * Datum: ${date}\n"; - $body .= " * Verwendete IP: ${ip}\n"; - $body .= " * Verwendeter Browser gemäß User Agent: ${ua}\n\n\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; $body .= "Impressum: ${imprint_url}\n"; - my $success = $self->sendmail->custom($email, 'Registrierung bei travelynx', $body); + my $success + = $self->sendmail->custom( $email, 'Registrierung bei travelynx', $body ); if ($success) { $self->app->dbh->commit; $self->render( 'login', from => 'register' ); @@ -214,6 +215,73 @@ sub do_logout { $self->redirect_to('/login'); } +sub password_form { + my ($self) = @_; + + $self->render('change_password'); +} + +sub change_password { + my ($self) = @_; + my $old_password = $self->req->param('oldpw'); + my $password = $self->req->param('newpw'); + my $password2 = $self->req->param('newpw2'); + + if ( $self->validation->csrf_protect->has_error('csrf_token') ) { + $self->render( 'change_password', invalid => 'csrf' ); + return; + } + + if ( $password ne $password2 ) { + $self->render( 'change_password', invalid => 'password_notequal' ); + return; + } + + if ( length($password) < 8 ) { + $self->render( 'change_password', invalid => 'password_short' ); + return; + } + + if ( + not $self->authenticate( + $self->current_user->{name}, + $self->param('oldpw') + ) + ) + { + $self->render( 'change_password', invalid => 'password' ); + return; + } + + my $pw_hash = hash_password($password); + $self->set_user_password( $self->current_user->{id}, $pw_hash ); + + $self->redirect_to('account'); + + my $user = $self->current_user->{name}; + my $email = $self->current_user->{email}; + my $ip = $self->req->headers->header('X-Forwarded-For'); + my $ua = $self->req->headers->user_agent; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + # In case Mojolicious is not running behind a reverse proxy + $ip + //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo ${user},\n\n"; + $body + .= "Das Passwort deines travelynx-Accounts wurde soeben geändert.\n\n"; + $body .= "Daten zur Änderung:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + $self->sendmail->custom( $email, 'travelynx: Passwort geändert', $body ); +} + sub account { my ($self) = @_; @@ -231,9 +299,10 @@ sub json_export { while ( my @row = $query->fetchrow_array ) { my ( - $action_id, $action, $raw_ts, $ds100, $name, - $train_type, $train_line, $train_no, $train_id, - $raw_sched_ts, $raw_real_ts, $raw_route, $raw_messages + $action_id, $action, $raw_ts, $ds100, + $name, $train_type, $train_line, $train_no, + $train_id, $raw_sched_ts, $raw_real_ts, $raw_route, + $raw_messages ) = @row; push( diff --git a/templates/account.html.ep b/templates/account.html.ep index 99178d9..dd808a6 100644 --- a/templates/account.html.ep +++ b/templates/account.html.ep @@ -38,6 +38,10 @@ Mail <%= $acc->{email} %> + + Passwort + ändern + Registriert am <%= $acc->{registered_at}->strftime('%d.%m.%Y %H:%M') %> @@ -46,9 +50,7 @@
-
-
-
+
%= form_for 'logout' => begin %= csrf_field %= end
-
-
% my $token = get_api_token(); diff --git a/templates/change_password.html.ep b/templates/change_password.html.ep new file mode 100644 index 0000000..bae28d9 --- /dev/null +++ b/templates/change_password.html.ep @@ -0,0 +1,69 @@ +% if (my $invalid = stash('invalid')) { +
+
+
+
+ % if ($invalid eq 'csrf') { + Ungültiger CSRF-Token +

Sind Cookies aktiviert? Ansonsten könnte es sich um einen + Fall von CSRF + handeln.

+ % } + % elsif ($invalid eq 'password_notequal') { + Passwort ungültig +

Die angegebenen neuen Passwörter sind nicht identisch.

+ % } + % elsif ($invalid eq 'password_short') { + Passwort zu kurz +

Das neue Passwort muss mindestens acht Zeichen lang sein.

+ % } + % elsif ($invalid eq 'password') { + Ungültiges Passwort +

Das aktuelle Passwort wurde nicht korrekt eingegeben.

+ % } + % else { + Unbekannter Fehler +

„<%= $invalid %>“

+ % } +
+
+
+
+% } + +

Passwort ändern

+%= form_for '/change_password' => (method => 'POST') => begin + %= csrf_field +
+
+ lock + %= password_field 'oldpw', id => 'oldpassword', class => 'validate', required => undef, autocomplete => 'current-password' + +
+
+
+
+ lock + %= password_field 'newpw', id => 'password', class => 'validate', required => undef, minlength => 8, autocomplete => 'new-password' + +
+
+ lock + %= password_field 'newpw2', id => 'password2', class => 'validate', required => undef, minlength => 8, autocomplete => 'new-password' + +
+
+
+
+
+
+ +
+
+
+
+%= end