fix password update on email confirmation

passwall · Jul 20, 2020 · 139532a · 139532a
1 parent fbba7ad
commit 139532a
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.14
 
 require (
 	github.com/DATA-DOG/go-sqlmock v1.4.1
+	github.com/Luzifer/go-openssl/v4 v4.1.0
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/didip/tollbooth v4.0.2+incompatible
 	github.com/go-playground/validator/v10 v10.2.0
@@ -16,7 +17,7 @@ require (
 	github.com/spf13/viper v1.6.2
 	github.com/stretchr/testify v1.5.1
 	github.com/urfave/negroni v1.0.0
-	golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 	golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/yaml.v2 v2.2.8

diff --git a/go.sum b/go.sum
@@ -6,6 +6,10 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/DATA-DOG/go-sqlmock v1.4.1 h1:ThlnYciV1iM/V0OSF/dtkqWb6xo5qITT1TJBG1MRDJM=
 github.com/DATA-DOG/go-sqlmock v1.4.1/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/Luzifer/go-openssl v1.2.0 h1:vuvSxN845hEpMbNO0oGezXuxVxV6oemQgQ5QETKmOZk=
+github.com/Luzifer/go-openssl v2.0.0+incompatible h1:EpNNxrPDji4rRzE0KeOeIeV7pHyKe8zF9oNnAXy4mBY=
+github.com/Luzifer/go-openssl/v4 v4.1.0 h1:8qi3Z6f8Aflwub/Cs4FVSmKUEg/lC8GlODbR2TyZ+nM=
+github.com/Luzifer/go-openssl/v4 v4.1.0/go.mod h1:3i1T3Pe6eQK19d86WhuQzjLyMwBaNmGmt3ZceWpWVa4=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/StackExchange/wmi v0.0.0-20170410192909-ea383cf3ba6e/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
 github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
@@ -239,6 +243,8 @@ golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd h1:GGJVjV8waZKRHrgwvtH66z9ZGVurTD1MT0n1Bb+q4aM=
 golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

diff --git a/internal/api/auth.go b/internal/api/auth.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
@@ -94,11 +95,14 @@ func Signup(s storage.Store) http.HandlerFunc {
 
 		go app.SendMail([]string{viper.GetString("email.admin")}, subject, body)
 
+		// 9. Send confirmation email to new user
 		confirmationBody := "Last step for use Passwall\n\n"
 		confirmationBody += "Confirmation link: " + viper.GetString("server.domain")
 		confirmationBody += "/auth/confirm/" + userDTO.Email + "/" + confirmationCode
 
 		go app.SendMail([]string{userDTO.Email}, "Passwall Email Confirmation", confirmationBody)
+
+		// Return success message
 		response := model.Response{
 			Code:    http.StatusOK,
 			Status:  Success,
@@ -131,10 +135,11 @@ func Confirm(s storage.Store) http.HandlerFunc {
 			return
 		}
 
-		updatedUser := model.ToUserDTO(usr)
-		updatedUser.EmailVerifiedAt = time.Now()
+		userDTO := model.ToUserDTO(usr)
+		userDTO.MasterPassword = "" // Fix for not to update password
+		userDTO.EmailVerifiedAt = time.Now()
 
-		_, err = app.UpdateUser(s, usr, updatedUser, false)
+		_, err = app.UpdateUser(s, usr, userDTO, false)
 		if err != nil {
 			errs := []string{"User can't updated!", "Raw error: " + err.Error()}
 			message := "Email couldn't confirm!"
@@ -175,11 +180,18 @@ func Signin(s storage.Store) http.HandlerFunc {
 
 		// Check if user exist in database and credentials are true
 		user, err := s.Users().FindByCredentials(loginDTO.Email, loginDTO.MasterPassword)
+		fmt.Println(err)
 		if err != nil {
 			RespondWithError(w, http.StatusUnauthorized, err.Error())
 			return
 		}
 
+		// Check if users email is verified
+		if user.EmailVerifiedAt.IsZero() {
+			RespondWithError(w, http.StatusUnauthorized, "Email is not verified!")
+			return
+		}
+
 		//create token
 		token, err := app.CreateToken(user)
 		if err != nil {

diff --git a/internal/app/crypto.go b/internal/app/crypto.go
@@ -0,0 +1,52 @@
+package app
+
+import (
+	"encoding/json"
+	"log"
+
+	openssl "github.com/Luzifer/go-openssl/v4"
+	"github.com/spf13/viper"
+)
+
+// DecryptJSON ...
+func DecryptJSON(encrypted []byte, v interface{}) error {
+
+	// 1. Get a openssl object and secret key from configs
+	o := openssl.New()
+	secret := viper.GetString("server.aesKey")
+
+	// 2. Decrypt string
+	dec, err := o.DecryptBytes(secret, encrypted, openssl.BytesToKeyMD5)
+	if err != nil {
+		return err
+	}
+
+	// 3. Convert string to JSON
+	if err := json.Unmarshal(dec, v); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// EncryptJSON ...
+func EncryptJSON(v interface{}) ([]byte, error) {
+
+	// 1. Get a openssl object and secret key from configs
+	o := openssl.New()
+	secret := viper.GetString("server.aesKey")
+
+	// 2. Marshall to text
+	text, err := json.Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+
+	// 3. Encrypt it
+	enc, err := o.EncryptBytes(secret, text, openssl.BytesToKeyMD5)
+	if err != nil {
+		return nil, err
+	}
+	log.Println(string(enc))
+	return enc, nil
+}