Creating common token store and moving email invites and verification to it (#6213)

api/oauth_test.go

@@ -5,16 +5,17 @@ package api
 
 import (
 	"encoding/base64"
-	"github.com/mattermost/platform/app"
-	"github.com/mattermost/platform/einterfaces"
-	"github.com/mattermost/platform/model"
-	"github.com/mattermost/platform/utils"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
+
+	"github.com/mattermost/platform/app"
+	"github.com/mattermost/platform/einterfaces"
+	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/utils"
 )
 
 func TestOAuthRegisterApp(t *testing.T) {
@@ -735,7 +736,7 @@ func TestOAuthComplete(t *testing.T) {
 		closeBody(r)
 	}
 
-	stateProps["hash"] = model.HashPassword(utils.Cfg.GitLabSettings.Id)
+	stateProps["hash"] = utils.HashSha256(utils.Cfg.GitLabSettings.Id)
 	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
 	if r, err := HttpGet(Client.Url+"/login/gitlab/complete?code=123&state="+url.QueryEscape(state), Client.HttpClient, "", true); err == nil {
 		t.Fatal("should have failed - no connection")
@@ -771,7 +772,7 @@ func TestOAuthComplete(t *testing.T) {
 	stateProps["action"] = model.OAUTH_ACTION_EMAIL_TO_SSO
 	delete(stateProps, "team_id")
 	stateProps["redirect_to"] = utils.Cfg.GitLabSettings.AuthEndpoint
-	stateProps["hash"] = model.HashPassword(utils.Cfg.GitLabSettings.Id)
+	stateProps["hash"] = utils.HashSha256(utils.Cfg.GitLabSettings.Id)
 	stateProps["redirect_to"] = "/oauth/authorize"
 	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
 	if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil {

api/user.go

@@ -34,8 +34,8 @@ func InitUser() {
 	BaseRoutes.Users.Handle("/logout", ApiAppHandler(logout)).Methods("POST")
 	BaseRoutes.Users.Handle("/revoke_session", ApiUserRequired(revokeSession)).Methods("POST")
 	BaseRoutes.Users.Handle("/attach_device", ApiUserRequired(attachDeviceId)).Methods("POST")
-	BaseRoutes.Users.Handle("/verify_email", ApiAppHandler(verifyEmail)).Methods("POST")
-	BaseRoutes.Users.Handle("/resend_verification", ApiAppHandler(resendVerification)).Methods("POST")
+	//DEPRICATED FOR SECURITY USE APIV4 BaseRoutes.Users.Handle("/verify_email", ApiAppHandler(verifyEmail)).Methods("POST")
+	//DEPRICATED FOR SECURITY USE APIV4 BaseRoutes.Users.Handle("/resend_verification", ApiAppHandler(resendVerification)).Methods("POST")
 	BaseRoutes.Users.Handle("/newimage", ApiUserRequired(uploadProfileImage)).Methods("POST")
 	BaseRoutes.Users.Handle("/me", ApiUserRequired(getMe)).Methods("GET")
 	BaseRoutes.Users.Handle("/initial_load", ApiAppHandler(getInitialLoad)).Methods("GET")
@@ -767,22 +767,22 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
 	code := props["code"]
-	if len(code) != model.PASSWORD_RECOVERY_CODE_SIZE {
+	if len(code) != model.TOKEN_SIZE {
 		c.SetInvalidParam("resetPassword", "code")
 		return
 	}
 
 	newPassword := props["new_password"]
 
-	c.LogAudit("attempt - code=" + code)
+	c.LogAudit("attempt - token=" + code)
 
-	if err := app.ResetPasswordFromCode(code, newPassword); err != nil {
-		c.LogAudit("fail - code=" + code)
+	if err := app.ResetPasswordFromToken(code, newPassword); err != nil {
+		c.LogAudit("fail - token=" + code)
 		c.Err = err
 		return
 	}
 
-	c.LogAudit("success - code=" + code)
+	c.LogAudit("success - token=" + code)
 
 	rdata := map[string]string{}
 	rdata["status"] = "ok"
@@ -992,6 +992,7 @@ func ldapToEmail(c *Context, w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link})))
 }
 
+/* Disabling for security reasons. Use apiv4
 func verifyEmail(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
@@ -1039,7 +1040,7 @@ func resendVerification(c *Context, w http.ResponseWriter, r *http.Request) {
 			go app.SendEmailChangeVerifyEmail(user.Id, user.Email, user.Locale, utils.GetSiteURL())
 		}
 	}
-}
+}*/
 
 func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) {
 	secret, err := app.GenerateMfaSecret(c.Session.UserId)

api/user_test.go

@@ -184,7 +184,7 @@ func TestLogin(t *testing.T) {
 	props["display_name"] = rteam2.Data.(*model.Team).DisplayName
 	props["time"] = fmt.Sprintf("%v", model.GetMillis())
 	data := model.MapToJson(props)
-	hash := model.HashPassword(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
+	hash := utils.HashSha256(fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt))
 
 	ruser2, err := Client.CreateUserFromSignup(&user2, data, hash)
 	if err != nil {
@@ -1316,13 +1316,6 @@ func TestResetPassword(t *testing.T) {
 
 	Client.Must(Client.SendPasswordReset(user.Email))
 
-	var recovery *model.PasswordRecovery
-	if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil {
-		t.Fatal(result.Err)
-	} else {
-		recovery = result.Data.(*model.PasswordRecovery)
-	}
-
 	//Check if the email was send to the rigth email address and the recovery key match
 	var resultsMailbox utils.JSONMessageHeaderInbucket
 	err := utils.RetryInbucket(5, func() error {
@@ -1335,25 +1328,42 @@ func TestResetPassword(t *testing.T) {
 		t.Log("No email was received, maybe due load on the server. Disabling this verification")
 	}
 
+	var recoveryTokenString string
 	if err == nil && len(resultsMailbox) > 0 {
 		if !strings.ContainsAny(resultsMailbox[0].To[0], user.Email) {
 			t.Fatal("Wrong To recipient")
 		} else {
 			if resultsEmail, err := utils.GetMessageFromMailbox(user.Email, resultsMailbox[0].ID); err == nil {
-				if !strings.Contains(resultsEmail.Body.Text, recovery.Code) {
+				loc := strings.Index(resultsEmail.Body.Text, "token=")
+				if loc == -1 {
+					t.Log(recoveryTokenString)
 					t.Log(resultsEmail.Body.Text)
-					t.Log(recovery.Code)
-					t.Fatal("Received wrong recovery code")
+					t.Fatal("Code not found in email")
 				}
+				loc += 6
+				recoveryTokenString = resultsEmail.Body.Text[loc : loc+model.TOKEN_SIZE]
+				t.Log(resultsEmail.Body.Text)
 			}
 		}
 	}
 
-	if _, err := Client.ResetPassword(recovery.Code, ""); err == nil {
+	var recoveryToken *model.Token
+	if result := <-app.Srv.Store.Token().GetByToken(recoveryTokenString); result.Err != nil {
+		t.Log(recoveryTokenString)
+		t.Fatal(result.Err)
+	} else {
+		recoveryToken = result.Data.(*model.Token)
+	}
+
+	if recoveryToken.Token != recoveryTokenString {
+		t.Fatal("Did not send the correct token. DB: "+recoveryToken.Token, " Sent: "+recoveryTokenString)
+	}
+
+	if _, err := Client.ResetPassword(recoveryToken.Token, ""); err == nil {
 		t.Fatal("Should have errored - no password")
 	}
 
-	if _, err := Client.ResetPassword(recovery.Code, "newp"); err == nil {
+	if _, err := Client.ResetPassword(recoveryToken.Token, "newp"); err == nil {
 		t.Fatal("Should have errored - password too short")
 	}
 
@@ -1366,38 +1376,26 @@ func TestResetPassword(t *testing.T) {
 	}
 
 	code := ""
-	for i := 0; i < model.PASSWORD_RECOVERY_CODE_SIZE; i++ {
+	for i := 0; i < model.TOKEN_SIZE; i++ {
 		code += "a"
 	}
 	if _, err := Client.ResetPassword(code, "newpwd1"); err == nil {
 		t.Fatal("Should have errored - bad code")
 	}
 
-	if _, err := Client.ResetPassword(recovery.Code, "newpwd1"); err != nil {
-		t.Log(recovery.Code)
+	if _, err := Client.ResetPassword(recoveryToken.Token, "newpwd1"); err != nil {
+		t.Log(recoveryToken.Token)
 		t.Fatal(err)
 	}
 
-	Client.Logout()
-	Client.Must(Client.LoginById(user.Id, "newpwd1"))
-	Client.SetTeamId(team.Id)
-
-	Client.Must(Client.SendPasswordReset(user.Email))
-
-	if result := <-app.Srv.Store.PasswordRecovery().Get(user.Id); result.Err != nil {
-		t.Fatal(result.Err)
-	} else {
-		recovery = result.Data.(*model.PasswordRecovery)
-	}
-
-	authData := model.NewId()
+	/*authData := model.NewId()
 	if result := <-app.Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, "", true); result.Err != nil {
 		t.Fatal(result.Err)
 	}
 
 	if _, err := Client.ResetPassword(recovery.Code, "newpwd1"); err == nil {
 		t.Fatal("Should have errored - sso user")
-	}
+	}*/
 }
 
 func TestUserUpdateNotify(t *testing.T) {