travelynx/lib/Travelynx/Controller/Account.pm
2019-04-29 20:12:59 +02:00

462 lines
12 KiB
Perl
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package Travelynx::Controller::Account;
use Mojo::Base 'Mojolicious::Controller';
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
use UUID::Tiny qw(:std);
sub hash_password {
my ($password) = @_;
my @salt_bytes = map { int( rand(255) ) + 1 } ( 1 .. 16 );
my $salt = en_base64( pack( 'C[16]', @salt_bytes ) );
return bcrypt( $password, '$2a$12$' . $salt );
}
sub make_token {
return create_uuid_as_string(UUID_V4);
}
sub login_form {
my ($self) = @_;
$self->render('login');
}
sub do_login {
my ($self) = @_;
my $user = $self->req->param('user');
my $password = $self->req->param('password');
# Keep cookies for 6 months
$self->session( expiration => 60 * 60 * 24 * 180 );
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'login',
invalid => 'csrf',
);
}
else {
if ( $self->authenticate( $user, $password ) ) {
$self->redirect_to( $self->req->param('redirect_to') // '/' );
}
else {
my $data = $self->get_user_password($user);
if ( $data and $data->{status} == 0 ) {
$self->render( 'login', invalid => 'confirmation' );
}
else {
$self->render( 'login', invalid => 'credentials' );
}
}
}
}
sub registration_form {
my ($self) = @_;
$self->render('register');
}
sub register {
my ($self) = @_;
my $user = $self->req->param('user');
my $email = $self->req->param('email');
my $password = $self->req->param('password');
my $password2 = $self->req->param('password2');
my $ip = $self->req->headers->header('X-Forwarded-For');
my $ua = $self->req->headers->user_agent;
my $date = DateTime->now( time_zone => 'Europe/Berlin' )
->strftime('%d.%m.%Y %H:%M:%S %z');
# In case Mojolicious is not running behind a reverse proxy
$ip
//= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port );
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'register',
invalid => 'csrf',
);
return;
}
if ( not length($user) ) {
$self->render( 'register', invalid => 'user_empty' );
return;
}
if ( not length($email) ) {
$self->render( 'register', invalid => 'mail_empty' );
return;
}
if ( $user !~ m{ ^ [0-9a-zA-Z_-]+ $ }x ) {
$self->render( 'register', invalid => 'user_format' );
return;
}
if ( $self->check_if_user_name_exists($user) ) {
$self->render( 'register', invalid => 'user_collision' );
return;
}
if ( $self->check_if_mail_is_blacklisted($email) ) {
$self->render( 'register', invalid => 'mail_blacklisted' );
return;
}
if ( $password ne $password2 ) {
$self->render( 'register', invalid => 'password_notequal' );
return;
}
if ( length($password) < 8 ) {
$self->render( 'register', invalid => 'password_short' );
return;
}
my $token = make_token();
my $pw_hash = hash_password($password);
my $db = $self->pg->db;
my $tx = $db->begin;
my $user_id = $self->add_user( $db, $user, $email, $token, $pw_hash );
my $reg_url = $self->url_for('reg')->to_abs->scheme('https');
my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https');
my $body = "Hallo, ${user}!\n\n";
$body .= "Mit deiner E-Mail-Adresse (${email}) wurde ein Account bei\n";
$body .= "travelynx angelegt.\n\n";
$body
.= "Falls die Registrierung von dir ausging, kannst du den Account unter\n";
$body .= "${reg_url}/${user_id}/${token}\n";
$body .= "freischalten.\n\n";
$body
.= "Falls nicht, ignoriere diese Mail bitte. Nach etwa 48 Stunden wird deine\n";
$body
.= "Mail-Adresse erneut zur Registrierung freigeschaltet. Falls auch diese fehlschlägt,\n";
$body
.= "werden wir sie dauerhaft sperren und keine Mails mehr dorthin schicken.\n\n";
$body .= "Daten zur Registrierung:\n";
$body .= " * Datum: ${date}\n";
$body .= " * Client: ${ip}\n";
$body .= " * UserAgent: ${ua}\n\n\n";
$body .= "Impressum: ${imprint_url}\n";
my $success
= $self->sendmail->custom( $email, 'Registrierung bei travelynx', $body );
if ($success) {
$tx->commit;
$self->render( 'login', from => 'register' );
}
else {
$self->render( 'register', invalid => 'sendmail' );
}
}
sub verify {
my ($self) = @_;
my $id = $self->stash('id');
my $token = $self->stash('token');
my @db_user = $self->get_user_token($id);
if ( not @db_user ) {
$self->render( 'register', invalid => 'token' );
return;
}
my ( $db_name, $db_status, $db_token ) = @db_user;
if ( not $db_name or $token ne $db_token or $db_status != 0 ) {
$self->render( 'register', invalid => 'token' );
return;
}
$self->app->pg->db->update( 'users', { status => 1 }, { id => $id } );
$self->render( 'login', from => 'verification' );
}
sub delete {
my ($self) = @_;
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'account', invalid => 'csrf' );
return;
}
if ( $self->param('action') eq 'delete' ) {
if (
not $self->authenticate(
$self->current_user->{name},
$self->param('password')
)
)
{
$self->render( 'account', invalid => 'password' );
return;
}
$self->flag_user_deletion( $self->current_user->{id} );
}
else {
$self->unflag_user_deletion( $self->current_user->{id} );
}
$self->redirect_to('account');
}
sub do_logout {
my ($self) = @_;
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'login', invalid => 'csrf' );
return;
}
$self->logout;
$self->redirect_to('/login');
}
sub password_form {
my ($self) = @_;
$self->render('change_password');
}
sub change_password {
my ($self) = @_;
my $old_password = $self->req->param('oldpw');
my $password = $self->req->param('newpw');
my $password2 = $self->req->param('newpw2');
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'change_password', invalid => 'csrf' );
return;
}
if ( $password ne $password2 ) {
$self->render( 'change_password', invalid => 'password_notequal' );
return;
}
if ( length($password) < 8 ) {
$self->render( 'change_password', invalid => 'password_short' );
return;
}
if (
not $self->authenticate(
$self->current_user->{name},
$self->param('oldpw')
)
)
{
$self->render( 'change_password', invalid => 'password' );
return;
}
my $pw_hash = hash_password($password);
$self->set_user_password( $self->current_user->{id}, $pw_hash );
$self->redirect_to('account');
my $user = $self->current_user->{name};
my $email = $self->current_user->{email};
my $ip = $self->req->headers->header('X-Forwarded-For');
my $ua = $self->req->headers->user_agent;
my $date = DateTime->now( time_zone => 'Europe/Berlin' )
->strftime('%d.%m.%Y %H:%M:%S %z');
# In case Mojolicious is not running behind a reverse proxy
$ip
//= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port );
my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https');
my $body = "Hallo ${user},\n\n";
$body
.= "Das Passwort deines travelynx-Accounts wurde soeben geändert.\n\n";
$body .= "Daten zur Änderung:\n";
$body .= " * Datum: ${date}\n";
$body .= " * Client: ${ip}\n";
$body .= " * UserAgent: ${ua}\n\n\n";
$body .= "Impressum: ${imprint_url}\n";
$self->sendmail->custom( $email, 'travelynx: Passwort geändert', $body );
}
sub request_password_reset {
my ($self) = @_;
if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'recover_password', invalid => 'csrf' );
return;
}
my $name = $self->param('user');
my $email = $self->param('email');
my $uid = $self->get_uid_by_name_and_mail( $name, $email );
if ( not $uid ) {
$self->render( 'recover_password', invalid => 'credentials' );
return;
}
my $token = make_token();
my $db = $self->pg->db;
my $tx = $db->begin;
my $error = $self->mark_for_password_reset( $db, $uid, $token );
if ($error) {
$self->render( 'recover_password', invalid => $error );
return;
}
my $ip = $self->req->headers->header('X-Forwarded-For');
my $ua = $self->req->headers->user_agent;
my $date = DateTime->now( time_zone => 'Europe/Berlin' )
->strftime('%d.%m.%Y %H:%M:%S %z');
# In case Mojolicious is not running behind a reverse proxy
$ip
//= sprintf( '%s:%s', $self->tx->remote_address,
$self->tx->remote_port );
my $recover_url = $self->url_for('recover')->to_abs->scheme('https');
my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https');
my $body = "Hallo ${name},\n\n";
$body .= "Unter ${recover_url}/${uid}/${token}\n";
$body
.= "kannst du ein neues Passwort für deinen travelynx-Account vergeben.\n\n";
$body
.= "Du erhältst diese Mail, da mit deinem Accountnamen und deiner Mail-Adresse\n";
$body
.= "ein Passwort-Reset angefordert wurde. Falls diese Anfrage nicht von dir\n";
$body .= "ausging, kannst du sie ignorieren.\n\n";
$body .= "Daten zur Anfrage:\n";
$body .= " * Datum: ${date}\n";
$body .= " * Client: ${ip}\n";
$body .= " * UserAgent: ${ua}\n\n\n";
$body .= "Impressum: ${imprint_url}\n";
my $success
= $self->sendmail->custom( $email, 'travelynx: Neues Passwort',
$body );
if ($success) {
$tx->commit;
$self->render( 'recover_password', success => 1 );
}
else {
$self->render( 'recover_password', invalid => 'sendmail' );
}
}
elsif ( $self->param('action')
and $self->param('action') eq 'set_password' )
{
my $id = $self->param('id');
my $token = $self->param('token');
my $password = $self->param('newpw');
my $password2 = $self->param('newpw2');
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'set_password', invalid => 'csrf' );
return;
}
if ( not $self->verify_password_token( $id, $token ) ) {
$self->render( 'recover_password', invalid => 'token' );
return;
}
if ( $password ne $password2 ) {
$self->render( 'set_password', invalid => 'password_notequal' );
return;
}
if ( length($password) < 8 ) {
$self->render( 'set_password', invalid => 'password_short' );
return;
}
my $pw_hash = hash_password($password);
$self->set_user_password( $id, $pw_hash );
my $account = $self->get_user_data($id);
if ( not $self->authenticate( $account->{name}, $password ) ) {
$self->render( 'set_password',
invalid => 'Authentication failure WTF?' );
}
$self->redirect_to('account');
$self->remove_password_token( $id, $token );
my $user = $account->{name};
my $email = $account->{email};
my $ip = $self->req->headers->header('X-Forwarded-For');
my $ua = $self->req->headers->user_agent;
my $date = DateTime->now( time_zone => 'Europe/Berlin' )
->strftime('%d.%m.%Y %H:%M:%S %z');
# In case Mojolicious is not running behind a reverse proxy
$ip
//= sprintf( '%s:%s', $self->tx->remote_address,
$self->tx->remote_port );
my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https');
my $body = "Hallo ${user},\n\n";
$body
.= "Das Passwort deines travelynx-Accounts wurde soeben über die";
$body .= " 'Passwort vergessen'-Funktion geändert.\n\n";
$body .= "Daten zur Änderung:\n";
$body .= " * Datum: ${date}\n";
$body .= " * Client: ${ip}\n";
$body .= " * UserAgent: ${ua}\n\n\n";
$body .= "Impressum: ${imprint_url}\n";
$self->sendmail->custom( $email, 'travelynx: Passwort geändert',
$body );
}
else {
$self->render('recover_password');
}
}
sub recover_password {
my ($self) = @_;
my $id = $self->stash('id');
my $token = $self->stash('token');
if ( $self->verify_password_token( $id, $token ) ) {
$self->render('set_password');
}
else {
$self->render( 'recover_password', invalid => 'token' );
}
}
sub account {
my ($self) = @_;
$self->render('account');
}
sub json_export {
my ($self) = @_;
my $uid = $self->current_user->{id};
my $db = $self->pg->db;
$self->render(
json => {
account => $db->select( 'users', '*', { id => $uid } )->hash,
in_transit => [
$db->select( 'in_transit', '*', { user_id => $uid } )
->hashes->each
],
journeys => [
$db->select( 'journeys', '*', { user_id => $uid } )
->hashes->each
],
}
);
}
1;