From 6f25668215f7f9fe20bfaf3dd72e2262a6d8915e Mon Sep 17 00:00:00 2001
From: Maxim Filippov
Date: Sun, 22 Sep 2019 16:08:07 +0300
Subject: [PATCH 1/3] Admin API: Add ability to force user's password reset
---
 CHANGELOG.md | 2 ++
 docs/api/admin_api.md | 8 ++++++
 lib/pleroma/user.ex | 17 ++++++++++++
 lib/pleroma/user/info.ex | 13 ++++++---
 .../web/admin_api/admin_api_controller.ex | 9 +++++++
 lib/pleroma/web/oauth/oauth_controller.ex | 5 ++++
 lib/pleroma/web/router.ex | 1 +
 lib/pleroma/workers/background_worker.ex | 5 ++++
 test/user_test.exs | 17 ++++++++++++
 .../admin_api/admin_api_controller_test.exs | 26 ++++++++++++++++++
 test/web/oauth/oauth_controller_test.exs | 27 +++++++++++++++++++
 .../twitter_api/password_controller_test.exs | 21 +++++++++++++++
 12 files changed, 148 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84b64e2b9..e5a84f5ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [Unreleased]
 ### Added
 - Refreshing poll results for remote polls
+- Admin API: Add ability to force user's password reset
+
 ### Changed
 - **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
 - Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings)
diff --git a/docs/api/admin_api.md b/docs/api/admin_api.md
index 7637fa0d4..c6b9dd2b6 100644
--- a/docs/api/admin_api.md
+++ b/docs/api/admin_api.md
@@ -310,6 +310,14 @@ Note: Available `:permission_group` is currently moderator and admin. 404 is ret - Params: none - Response: password reset token (base64 string) +## `/api/pleroma/admin/users/:nickname/force_password_reset` + +### Force passord reset for a user with a given nickname + +- Methods: `PATCH` +- Params: none +- Response: none (code `204`) + ## `/api/pleroma/admin/reports` ### Get a list of reports - Method `GET` diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index fb1f24254..ab253a274 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -269,6 +269,7 @@ def password_update_changeset(struct, params) do |> validate_required([:password, :password_confirmation]) |> validate_confirmation(:password) |> put_password_hash + |> put_embed(:info, User.Info.set_password_reset_pending(struct.info, false)) end @spec reset_password(User.t(), map) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()} @@ -285,6 +286,20 @@ def reset_password(%User{id: user_id} = user, data) do end end + def force_password_reset_async(user) do + BackgroundWorker.enqueue("force_password_reset", %{"user_id" => user.id}) + end + + @spec force_password_reset(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()} + def force_password_reset(user) do + info_cng = User.Info.set_password_reset_pending(user.info, true) + + user + |> change() + |> put_embed(:info, info_cng) + |> update_and_set_cache() + end + def register_changeset(struct, params \\ %{}, opts \\ []) do bio_limit = Pleroma.Config.get([:instance, :user_bio_length], 5000) name_limit = Pleroma.Config.get([:instance, :user_name_length], 100) @@ -1115,6 +1130,8 @@ def delete(%User{} = user) do BackgroundWorker.enqueue("delete_user", %{"user_id" => user.id}) end + def perform(:force_password_reset, user), do: force_password_reset(user) + @spec perform(atom(), User.t()) :: {:ok, User.t()} def perform(:delete, %User{} = user) do {:ok, _user} = ActivityPub.delete(user) 
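Review bot: `force_password_reset/1` in the second `lib/pleroma/user.ex` hunk only sets `info.password_reset_pending`; nothing in the hunk invalidates the OAuth tokens or authorizations the user already holds, so sessions issued before the flag was set presumably keep working until the user completes a reset. If this endpoint is meant for suspected account compromise, the forced reset should also run the token cleanup that a completed reset appears to perform (the existing password reset test asserts `length(Token.get_user_tokens(user)) == 0`), ideally in the same transaction as the flag update. `force_password_reset_async/1` also has no `@spec` or `@doc`; a comment such as `# Enqueues a background job that marks the user as requiring a password reset.` would help.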
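Review bot: The new `perform(:force_password_reset, user)` clause in the last `lib/pleroma/user.ex` hunk is inserted above the existing `@spec perform(atom(), User.t()) :: {:ok, User.t()}`, so the spec now sits between clauses of `perform/2`, and the new clause can return `{:error, Ecto.Changeset.t()}`, which that spec does not allow. Put the spec above the first clause and widen it, e.g. `@spec perform(atom(), User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}`. Matching `%User{} = user` in the head, as the `:delete` clause does, would also keep a `nil` from reaching `user.info`. The remaining `perform/2` clauses lie outside the hunk.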
diff --git a/lib/pleroma/user/info.ex b/lib/pleroma/user/info.ex index b150a57cd..67abc3ecd 100644 --- a/lib/pleroma/user/info.ex +++ b/lib/pleroma/user/info.ex @@ -20,6 +20,7 @@ defmodule Pleroma.User.Info do field(:following_count, :integer, default: nil) field(:locked, :boolean, default: false) field(:confirmation_pending, :boolean, default: false) + field(:password_reset_pending, :boolean, default: false) field(:confirmation_token, :string, default: nil) field(:default_scope, :string, default: "public") field(:blocks, {:array, :string}, default: []) @@ -82,6 +83,14 @@ def set_activation_status(info, deactivated) do |> validate_required([:deactivated]) end + def set_password_reset_pending(info, pending) do + params = %{password_reset_pending: pending} + + info + |> cast(params, [:password_reset_pending]) + |> validate_required([:password_reset_pending]) + end + def update_notification_settings(info, settings) do settings = settings @@ -333,9 +342,7 @@ defp valid_field?(%{"name" => name, "value" => value}) do name_limit = Pleroma.Config.get([:instance, :account_field_name_length], 255) value_limit = Pleroma.Config.get([:instance, :account_field_value_length], 255) - is_binary(name) && - is_binary(value) && - String.length(name) <= name_limit && + is_binary(name) && is_binary(value) && String.length(name) <= name_limit && String.length(value) <= value_limit end diff --git a/lib/pleroma/web/admin_api/admin_api_controller.ex b/lib/pleroma/web/admin_api/admin_api_controller.ex index 8a8091daa..711e4dfc2 100644 --- a/lib/pleroma/web/admin_api/admin_api_controller.ex +++ b/lib/pleroma/web/admin_api/admin_api_controller.ex 
@@ -447,6 +447,15 @@ def get_password_reset(conn, %{"nickname" => nickname}) do |> json(token.token) end + @doc "Force password reset for a given user" + def force_password_reset(conn, %{"nickname" => nickname}) do + (%User{local: true} = user) = User.get_cached_by_nickname(nickname) + + User.force_password_reset_async(user) + + json_response(conn, :no_content, "") + end + def list_reports(conn, params) do params = params diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index 81eae2c8b..a57670e02 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -202,6 +202,8 @@ def token_exchange( {:ok, app} <- Token.Utils.fetch_app(conn), {:auth_active, true} <- {:auth_active, User.auth_active?(user)}, {:user_active, true} <- {:user_active, !user.info.deactivated}, + {:password_reset_pending, false} <- + {:password_reset_pending, user.info.password_reset_pending}, {:ok, scopes} <- validate_scopes(app, params), {:ok, auth} <- Authorization.create_authorization(app, user, scopes), {:ok, token} <- Token.exchange_token(app, auth) do @@ -215,6 +217,9 @@ def token_exchange( {:user_active, false} -> render_error(conn, :forbidden, "Your account is currently disabled") + {:password_reset_pending, true} -> + render_error(conn, :forbidden, "Password reset is required") + _error -> render_invalid_credentials_error(conn) end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index b9b85fd67..a306c1b80 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -186,6 +186,7 @@ defmodule Pleroma.Web.Router do post("/users/email_invite", AdminAPIController, :email_invite) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) + patch("/users/:nickname/force_password_reset", AdminAPIController, :force_password_reset) get("/users", AdminAPIController, :list_users) get("/users/:nickname", AdminAPIController, :user_show) 
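Review bot: The assertive match `(%User{local: true} = user) = User.get_cached_by_nickname(nickname)` in the admin controller raises `MatchError` when the nickname is unknown or belongs to a remote account, which would presumably surface as a 500 from an admin endpoint rather than a clean 404. Handling the miss explicitly keeps the error behaviour predictable; the sketch below reuses `json_response/3` from this hunk. As far as the hunk shows, the action is also not written to the moderation log; since it locks a user out of password login, recording which admin triggered it would be worth adding (the logging API is not visible in this diff).

```elixir
def force_password_reset(conn, %{"nickname" => nickname}) do
  with %User{local: true} = user <- User.get_cached_by_nickname(nickname) do
    User.force_password_reset_async(user)

    json_response(conn, :no_content, "")
  else
    # unknown nickname or a remote account
    _ -> json_response(conn, :not_found, "Not found")
  end
end
```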
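Review bot: The `password_reset_pending` gate is added only to this `token_exchange` clause in `oauth_controller.ex`, and the accompanying test exercises it with `"grant_type" => "password"`; other ways of obtaining a token (a refresh-token grant, the authorization-code login form) are outside the diff, so it cannot be confirmed here that they honour the flag. If they do not, an account with a pending reset could still receive fresh tokens through them, so each path that resolves a user should get the same `{:password_reset_pending, false} <- {:password_reset_pending, user.info.password_reset_pending}` step. The matching `else` branch in the second hunk of this file returns 403 with "Password reset is required", which is consistent with the neighbouring `:user_active` branch. `token_exchange` starts and ends outside both hunks.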
diff --git a/lib/pleroma/workers/background_worker.ex b/lib/pleroma/workers/background_worker.ex index 082f20ab7..7ffc8eabe 100644 --- a/lib/pleroma/workers/background_worker.ex +++ b/lib/pleroma/workers/background_worker.ex @@ -26,6 +26,11 @@ def perform(%{"op" => "delete_user", "user_id" => user_id}, _job) do User.perform(:delete, user) end + def perform(%{"op" => "force_password_reset", "user_id" => user_id}, _job) do + user = User.get_cached_by_id(user_id) + User.perform(:force_password_reset, user) + end + def perform( %{ "op" => "blocks_import", diff --git a/test/user_test.exs b/test/user_test.exs index 39ba69668..164172405 100644 --- a/test/user_test.exs +++ b/test/user_test.exs @@ -1690,4 +1690,21 @@ test "changes email", %{user: user} do assert {:ok, %User{email: "cofe@cofe.party"}} = User.change_email(user, "cofe@cofe.party") end end + + describe "set_password_reset_pending/2" do + setup do + [user: insert(:user)] + end + + test "sets password_reset_pending to true", %{user: user} do + %{password_reset_pending: password_reset_pending} = user.info + + refute password_reset_pending + + {:ok, %{info: %{password_reset_pending: password_reset_pending}}} = + User.force_password_reset(user) + + assert password_reset_pending + end + end end diff --git a/test/web/admin_api/admin_api_controller_test.exs b/test/web/admin_api/admin_api_controller_test.exs index 108143f6a..f00e02a7a 100644 --- a/test/web/admin_api/admin_api_controller_test.exs +++ b/test/web/admin_api/admin_api_controller_test.exs @@ -4,11 +4,13 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do use Pleroma.Web.ConnCase + use Oban.Testing, repo: Pleroma.Repo alias Pleroma.Activity alias Pleroma.HTML alias Pleroma.ModerationLog alias Pleroma.Repo + alias Pleroma.Tests.ObanHelpers alias Pleroma.User alias Pleroma.UserInviteToken alias Pleroma.Web.CommonAPI 
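Review bot: `User.get_cached_by_id(user_id)` in the new `background_worker.ex` clause can presumably return `nil` if the account was removed between enqueueing and execution, and the result is passed straight to `User.perform(:force_password_reset, user)`, where `user.info` would raise and the job would fail. Guard the lookup, e.g. `with %User{} = user <- User.get_cached_by_id(user_id), do: User.perform(:force_password_reset, user)`. Because the changeset is built from the cached struct's `info`, it is also worth confirming that a stale cache entry cannot write outdated embed data back; reading the user fresh from the database inside the job would rule that out.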
@@ -2351,6 +2353,30 @@ test "returns the log with pagination", %{conn: conn, admin: admin} do "@#{admin.nickname} followed relay: https://example.org/relay" end end + + describe "PATCH /users/:nickname/force_password_reset" do + setup %{conn: conn} do + admin = insert(:user, info: %{is_admin: true}) + user = insert(:user) + + %{conn: assign(conn, :user, admin), admin: admin, user: user} + end + + test "sets password_reset_pending to true", %{admin: admin, user: user} do + assert user.info.password_reset_pending == false + + conn = + build_conn() + |> assign(:user, admin) + |> patch("/api/pleroma/admin/users/#{user.nickname}/force_password_reset") + + assert json_response(conn, 204) == "" + + ObanHelpers.perform_all() + + assert User.get_by_id(user.id).info.password_reset_pending == true + end + end end # Needed for testing diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index 2780e1746..8b88fd784 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -831,6 +831,33 @@ test "rejects token exchange for valid credentials belonging to deactivated user refute Map.has_key?(resp, "access_token") end + test "rejects token exchange for user with password_reset_pending set to true" do + password = "testpassword" + + user = + insert(:user, + password_hash: Comeonin.Pbkdf2.hashpwsalt(password), + info: %{password_reset_pending: true} + ) + + app = insert(:oauth_app, scopes: ["read", "write"]) + + conn = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "password", + "username" => user.nickname, + "password" => password, + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + + assert resp = json_response(conn, 403) + + assert resp["error"] == "Password reset is required" + refute Map.has_key?(resp, "access_token") + end + test "rejects an invalid authorization code" do app = insert(:oauth_app) 
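Review bot: The new `describe "PATCH /users/:nickname/force_password_reset"` block covers only the success path; there is no case for an unknown nickname, a remote user, or a caller without `is_admin`, which are exactly the cases where the controller's assertive match and the route's authorization matter. Add tests asserting the status code for each of them. The `setup` also returns `conn: assign(conn, :user, admin)`, but the test ignores it and calls `build_conn()` again; take the connection from the context instead, e.g. `test "sets password_reset_pending to true", %{conn: conn, user: user} do`.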
diff --git a/test/web/twitter_api/password_controller_test.exs b/test/web/twitter_api/password_controller_test.exs index 3a7246ea8..dc6d4e3e3 100644 --- a/test/web/twitter_api/password_controller_test.exs +++ b/test/web/twitter_api/password_controller_test.exs @@ -6,6 +6,7 @@ defmodule Pleroma.Web.TwitterAPI.PasswordControllerTest do use Pleroma.Web.ConnCase alias Pleroma.PasswordResetToken + alias Pleroma.User alias Pleroma.Web.OAuth.Token import Pleroma.Factory @@ -56,5 +57,25 @@ test "it returns HTTP 200", %{conn: conn} do assert Comeonin.Pbkdf2.checkpw("test", user.password_hash) assert length(Token.get_user_tokens(user)) == 0 end + + test "it sets password_reset_pending to false", %{conn: conn} do + user = insert(:user, info: %{password_reset_pending: true}) + + {:ok, token} = PasswordResetToken.create_token(user) + {:ok, _access_token} = Token.create_token(insert(:oauth_app), user, %{}) + + params = %{ + "password" => "test", + password_confirmation: "test", + token: token.token + } + + conn + |> assign(:user, user) + |> post("/api/pleroma/password_reset", %{data: params}) + |> html_response(:ok) + + assert User.get_by_id(user.id).info.password_reset_pending == false + end end end From d72d4757a8e66c29d58e0a3b7fb36356ae419a54 Mon Sep 17 00:00:00 2001 From: Maxim Filippov Date: Sun, 22 Sep 2019 23:13:48 +0300 Subject: [PATCH 2/3] Format --- lib/pleroma/user/info.ex | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/user/info.ex b/lib/pleroma/user/info.ex index 67abc3ecd..99745f496 100644 --- a/lib/pleroma/user/info.ex +++ b/lib/pleroma/user/info.ex 
@@ -342,7 +342,9 @@ defp valid_field?(%{"name" => name, "value" => value}) do name_limit = Pleroma.Config.get([:instance, :account_field_name_length], 255) value_limit = Pleroma.Config.get([:instance, :account_field_value_length], 255) - is_binary(name) && is_binary(value) && String.length(name) <= name_limit && + is_binary(name) && + is_binary(value) && + String.length(name) <= name_limit && String.length(value) <= value_limit end From cf1960d5961a3a01a6d92c44ab4a6d0ce9570a09 Mon Sep 17 00:00:00 2001 From: Maxim Filippov Date: Sun, 22 Sep 2019 23:14:18 +0300 Subject: [PATCH 3/3] Better changelog wording --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5a84f5ae..f28299666 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] ### Added - Refreshing poll results for remote polls -- Admin API: Add ability to force user's password reset +- Admin API: Add ability to require password reset ### Changed - **Breaking:** Elixir >=1.8 is now required (was >= 1.7)