users: refactor password reset flow.

The old password reset flow: * User requests a password reset. * Danbooru generates a password reset nonce. * Danbooru emails user a password reset confirmation link. * User follows link to password reset confirmation page. * The link contains a nonce authenticating the user. * User confirms password reset. * Danbooru resets user's password to a random string. * Danbooru emails user their new password in plaintext. The new password reset flow: * User requests a password reset. * Danbooru emails user a password reset link. * User follows link to password edit page. * The link contains a signed_user_id param authenticating the user. * User changes their own password.
2020-03-08 21:03:36 -05:00
parent f25bace766
commit 5625458f69
30 changed files with 133 additions and 395 deletions
--- a/app/logical/danbooru/message_verifier.rb
+++ b/app/logical/danbooru/message_verifier.rb
@@ -8,12 +8,12 @@ module Danbooru
      @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: JSON, digest: "SHA256")
    end

-    def generate(*options)
-      verifier.generate(*options, purpose: purpose)
+    def generate(*args, **options)
+      verifier.generate(*args, purpose: purpose, **options)
    end

-    def verified(*options)
-      verifier.verified(*options, purpose: purpose)
+    def verify(*args, **options)
+      verifier.verify(*args, purpose: purpose, **options)
    end
  end
 end
--- a/app/logical/danbooru_maintenance.rb
+++ b/app/logical/danbooru_maintenance.rb
@@ -19,7 +19,6 @@ module DanbooruMaintenance
  end

  def weekly
-    safely { UserPasswordResetNonce.prune! }
    safely { TagRelationshipRetirementService.find_and_retire! }
    safely { ApproverPruner.dmail_inactive_approvers! }
  end
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -16,6 +16,8 @@ class SessionLoader

    if has_api_authentication?
      load_session_for_api
+    elsif params[:signed_user_id]
+      load_param_user(params[:signed_user_id])
    elsif session[:user_id]
      load_session_user
    elsif cookie_password_hash_valid?
@@ -79,6 +81,11 @@ class SessionLoader
    end
  end

+  def load_param_user(signed_user_id)
+    session[:user_id] = Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
+    load_session_user
+  end
+
  def load_session_user
    user = User.find_by_id(session[:user_id])
    CurrentUser.user = user if user