-
Notifications
You must be signed in to change notification settings - Fork 1.8k
/
password.go
98 lines (79 loc) · 2.76 KB
/
password.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
/*
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package web
import (
"net/http"
"github.com/gravitational/teleport/lib/client"
"github.com/gravitational/teleport/lib/httplib"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/trace"
"github.com/julienschmidt/httprouter"
"github.com/tstranex/u2f"
)
// changePasswordReq is a request to change user password
type changePasswordReq struct {
// OldPassword is user current password
OldPassword []byte `json:"old_password"`
// NewPassword is user new password
NewPassword []byte `json:"new_password"`
// SecondFactorToken is user 2nd factor token
SecondFactorToken string `json:"second_factor_token"`
// U2FSignResponse is U2F response
U2FSignResponse *u2f.SignResponse `json:"u2f_sign_response"`
}
// changePassword updates users password based on the old password
func (h *Handler) changePassword(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *SessionContext) (interface{}, error) {
var req *changePasswordReq
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
clt, err := ctx.GetClient()
if err != nil {
return nil, trace.Wrap(err)
}
servicedReq := services.ChangePasswordReq{
User: ctx.GetUser(),
OldPassword: req.OldPassword,
NewPassword: req.NewPassword,
SecondFactorToken: req.SecondFactorToken,
U2FSignResponse: req.U2FSignResponse,
}
err = clt.ChangePassword(servicedReq)
if err != nil {
return nil, trace.Wrap(err)
}
return ok(), nil
}
// u2fChangePasswordRequest is called to get U2F challedge for changing a user password
func (h *Handler) u2fChangePasswordRequest(w http.ResponseWriter, r *http.Request, _ httprouter.Params, ctx *SessionContext) (interface{}, error) {
var req *client.U2fSignRequestReq
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
clt, err := ctx.GetClient()
if err != nil {
return nil, trace.Wrap(err)
}
u2fReq, err := clt.GetU2FSignRequest(ctx.GetUser(), []byte(req.Pass))
if err != nil && trace.IsAccessDenied(err) {
// logout in case of access denied
logoutErr := h.logout(w, ctx)
if logoutErr != nil {
return nil, trace.Wrap(logoutErr)
}
}
if err != nil {
return nil, trace.Wrap(err)
}
return u2fReq, nil
}