Commit 2e6cde96 authored by ale's avatar ale

Expose the ResetPassword action, and fix the ResetResourcePassword endpoint

parent ae0b11a8
Pipeline #3423 passed with stages
in 5 minutes and 16 seconds
......@@ -339,6 +339,21 @@ Request parameters:
* `cur_password` - current valid password for the user
* `password` - new password (unencrypted)
### `/api/user/reset_password`
Admin operation to forcefully reset the password for an account. This
operation will disable all 2FA credentials and it will re-generate the
storage encryption keys. The user will lose access to existing data.
Request parameters:
* `username` - name of the user
* `sso` - SSO ticket
Response parameters:
* `password` - the new random password
### `/api/user/set_password_recovery_hint`
Sets the secondary authentication password (a hint / response pair,
......@@ -447,9 +462,9 @@ Request parameters:
* `sso` - SSO ticket
* `user` - user to create, with resources
### `/api/recover_password`
### `/api/recover_account`
Special endpoint for password recovery, used by the login FE service
Special endpoint for account recovery, used by the login FE service
(sso-server) to retrieve the password recovery hint, and to trigger
password recovery with the user-provided recovery password.
......
......@@ -183,41 +183,42 @@ func (r *AccountRecoveryRequest) Serve(rctx *RequestContext) (interface{}, error
return nil, nil
}
// ResetPasswordRequest is an admin operation to forcefully reset the password
// for an account. The user will lose access to all stored email (because the
// encryption keys will be reset) and to 2FA.
// ResetPasswordRequest is an admin operation to forcefully reset the
// password for an account. A new password will be randomly generated
// by the accountserver. The user will lose access to all stored email
// (because the encryption keys will be reset) and to 2FA.
type ResetPasswordRequest struct {
AdminUserRequestBase
}
// ResetPasswordResponse is the response type for ResetPasswordRequest.
type ResetPasswordResponse struct {
Password string `json:"password"`
}
// Sanitize the request.
func (r *ResetPasswordRequest) Sanitize() {
r.AdminUserRequestBase.Sanitize()
// Sanitize the response.
func (r *ResetPasswordResponse) Sanitize() {
if r.Password != "" {
r.Password = sanitizedValue
}
}
// Validate the request.
func (r *ResetPasswordRequest) Validate(rctx *RequestContext) error {
if err := rctx.fieldValidators.password(rctx.Context, r.Password); err != nil {
return newValidationError(nil, "password", err.Error())
}
return nil
}
// Serve the request.
func (r *ResetPasswordRequest) Serve(rctx *RequestContext) (interface{}, error) {
if err := rctx.User.resetPassword(rctx.Context, rctx.TX, r.Password); err != nil {
password := randomPassword()
if err := rctx.User.resetPassword(rctx.Context, rctx.TX, password); err != nil {
return nil, err
}
if err := rctx.User.disable2FA(rctx.Context, rctx.TX); err != nil {
return nil, err
}
rctx.audit.Log(rctx, nil, "password changed (admin)")
rctx.logUserAction(&rctx.User.User, umdb.LogTypePasswordReset, "password changed (admin)")
return nil, nil
rctx.audit.Log(rctx, nil, "password reset (admin)")
rctx.logUserAction(&rctx.User.User, umdb.LogTypePasswordReset, "password reset (admin)")
return &ResetPasswordResponse{
Password: password,
}, nil
}
// SetAccountRecoveryHintRequest lets users set the password recovery hint
......
......@@ -53,6 +53,7 @@ func New(service *as.AccountService, backend as.Backend) *APIServer {
s.Register("/api/user/update", &as.UpdateUserRequest{})
s.Register("/api/user/admin_update", &as.AdminUpdateUserRequest{})
s.Register("/api/user/change_password", &as.ChangeUserPasswordRequest{})
s.Register("/api/user/reset_password", &as.ResetPasswordRequest{})
s.Register("/api/user/set_account_recovery_hint", &as.SetAccountRecoveryHintRequest{})
s.Register("/api/user/enable_otp", &as.EnableOTPRequest{})
s.Register("/api/user/disable_otp", &as.DisableOTPRequest{})
......@@ -63,7 +64,7 @@ func New(service *as.AccountService, backend as.Backend) *APIServer {
s.Register("/api/resource/set_status", &as.SetResourceStatusRequest{})
s.Register("/api/resource/create", &as.CreateResourcesRequest{})
s.Register("/api/resource/move", &as.MoveResourceRequest{})
s.Register("/api/resource/reset_password", &as.ResetPasswordRequest{})
s.Register("/api/resource/reset_password", &as.ResetResourcePasswordRequest{})
s.Register("/api/resource/email/add_alias", &as.AddEmailAliasRequest{})
s.Register("/api/resource/email/delete_alias", &as.DeleteEmailAliasRequest{})
s.Register("/api/recover_account", &as.AccountRecoveryRequest{})
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment