Commit
2e6cde96
authored
Jun 13, 2019
by
ale
Expose the ResetPassword action, and fix the ResetResourcePassword endpoint
parent
ae0b11a8
Pipeline
#3423
passed with stages
in 5 minutes and 16 seconds
Showing
3 changed files
with
38 additions
and
21 deletions
+38
-21
API.md
API.md
+17
-2
actions_user.go
actions_user.go
+19
-18
server/server.go
server/server.go
+2
-1
API.md
...
...
@@ -339,6 +339,21 @@ Request parameters:
*
`cur_password`
- current valid password for the user
*
`password`
- new password (unencrypted)
### `/api/user/reset_password`
Admin operation to forcefully reset the password for an account. This
operation will disable all 2FA credentials and it will re-generate the
storage encryption keys. The user will lose access to existing data.
Request parameters:
*
`username`
- name of the user
*
`sso`
- SSO ticket
Response parameters:
*
`password`
- the new random password
### `/api/user/set_password_recovery_hint`
Sets the secondary authentication password (a hint / response pair,
...
...
@@ -447,9 +462,9 @@ Request parameters:
*
`sso`
- SSO ticket
*
`user`
- user to create, with resources
### `/api/recover_
password
`
### `/api/recover_
account
`
Special endpoint for
password
recovery, used by the login FE service
Special endpoint for
account
recovery, used by the login FE service
(sso-server) to retrieve the password recovery hint, and to trigger
password recovery with the user-provided recovery password.
...
...
actions_user.go
...
...
@@ -183,41 +183,42 @@ func (r *AccountRecoveryRequest) Serve(rctx *RequestContext) (interface{}, error
return
nil
,
nil
}
// ResetPasswordRequest is an admin operation to forcefully reset the password
// for an account. The user will lose access to all stored email (because the
// encryption keys will be reset) and to 2FA.
// ResetPasswordRequest is an admin operation to forcefully reset the
// password for an account. A new password will be randomly generated
// by the accountserver. The user will lose access to all stored email
// (because the encryption keys will be reset) and to 2FA.
type
ResetPasswordRequest
struct
{
AdminUserRequestBase
}
// ResetPasswordResponse is the response type for ResetPasswordRequest.
type
ResetPasswordResponse
struct
{
Password
string
`json:"password"`
}
// Sanitize the request.
func
(
r
*
ResetPasswordRequest
)
Sanitize
()
{
r
.
AdminUserRequestBase
.
Sanitize
()
// Sanitize the response.
func
(
r
*
ResetPasswordResponse
)
Sanitize
()
{
if
r
.
Password
!=
""
{
r
.
Password
=
sanitizedValue
}
}
// Validate the request.
func
(
r
*
ResetPasswordRequest
)
Validate
(
rctx
*
RequestContext
)
error
{
if
err
:=
rctx
.
fieldValidators
.
password
(
rctx
.
Context
,
r
.
Password
);
err
!=
nil
{
return
newValidationError
(
nil
,
"password"
,
err
.
Error
())
}
return
nil
}
// Serve the request.
func
(
r
*
ResetPasswordRequest
)
Serve
(
rctx
*
RequestContext
)
(
interface
{},
error
)
{
if
err
:=
rctx
.
User
.
resetPassword
(
rctx
.
Context
,
rctx
.
TX
,
r
.
Password
);
err
!=
nil
{
password
:=
randomPassword
()
if
err
:=
rctx
.
User
.
resetPassword
(
rctx
.
Context
,
rctx
.
TX
,
password
);
err
!=
nil
{
return
nil
,
err
}
if
err
:=
rctx
.
User
.
disable2FA
(
rctx
.
Context
,
rctx
.
TX
);
err
!=
nil
{
return
nil
,
err
}
rctx
.
audit
.
Log
(
rctx
,
nil
,
"password changed (admin)"
)
rctx
.
logUserAction
(
&
rctx
.
User
.
User
,
umdb
.
LogTypePasswordReset
,
"password changed (admin)"
)
return
nil
,
nil
rctx
.
audit
.
Log
(
rctx
,
nil
,
"password reset (admin)"
)
rctx
.
logUserAction
(
&
rctx
.
User
.
User
,
umdb
.
LogTypePasswordReset
,
"password reset (admin)"
)
return
&
ResetPasswordResponse
{
Password
:
password
,
},
nil
}
// SetAccountRecoveryHintRequest lets users set the password recovery hint
...
...
server/server.go
...
...
@@ -53,6 +53,7 @@ func New(service *as.AccountService, backend as.Backend) *APIServer {
s
.
Register
(
"/api/user/update"
,
&
as
.
UpdateUserRequest
{})
s
.
Register
(
"/api/user/admin_update"
,
&
as
.
AdminUpdateUserRequest
{})
s
.
Register
(
"/api/user/change_password"
,
&
as
.
ChangeUserPasswordRequest
{})
s
.
Register
(
"/api/user/reset_password"
,
&
as
.
ResetPasswordRequest
{})
s
.
Register
(
"/api/user/set_account_recovery_hint"
,
&
as
.
SetAccountRecoveryHintRequest
{})
s
.
Register
(
"/api/user/enable_otp"
,
&
as
.
EnableOTPRequest
{})
s
.
Register
(
"/api/user/disable_otp"
,
&
as
.
DisableOTPRequest
{})
...
...
@@ -63,7 +64,7 @@ func New(service *as.AccountService, backend as.Backend) *APIServer {
s
.
Register
(
"/api/resource/set_status"
,
&
as
.
SetResourceStatusRequest
{})
s
.
Register
(
"/api/resource/create"
,
&
as
.
CreateResourcesRequest
{})
s
.
Register
(
"/api/resource/move"
,
&
as
.
MoveResourceRequest
{})
s
.
Register
(
"/api/resource/reset_password"
,
&
as
.
ResetPasswordRequest
{})
s
.
Register
(
"/api/resource/reset_password"
,
&
as
.
Reset
Resource
PasswordRequest
{})
s
.
Register
(
"/api/resource/email/add_alias"
,
&
as
.
AddEmailAliasRequest
{})
s
.
Register
(
"/api/resource/email/delete_alias"
,
&
as
.
DeleteEmailAliasRequest
{})
s
.
Register
(
"/api/recover_account"
,
&
as
.
AccountRecoveryRequest
{})
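Review bot: Nothing in New guards against registering one path twice, which is how `/api/resource/reset_password` came to be bound to ResetPasswordRequest instead of ResetResourcePasswordRequest before this fix, silently shadowing the resource endpoint with an admin user-password reset. Register is defined outside this hunk, so whether it rejects a duplicate path cannot be seen here; if it does not, having it panic or return an error on a repeated path, or adding a test that asserts the registered paths are unique, would catch a regression of this kind at startup rather than in production. New starts before the first hunk and continues past the second.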
...
...