invalidate password reset token

2021-12-03 20:36:13 +01:00 · 2021-12-03 20:36:13 +01:00 · 7a973041e5
commit 7a973041e5
parent 55cce4532f
5 changed files with 19 additions and 2 deletions
--- a/src/main/java/de/jalin/ldapadmin/ldap/PasswordValidator.java
+++ b/src/main/java/de/jalin/ldapadmin/ldap/PasswordValidator.java
@ -8,7 +8,7 @@ import org.apache.commons.codec.binary.Base64;

 public class PasswordValidator {

-    private static final int MIN_PASSWORD_LEN = 6;
+    private static final int MIN_PASSWORD_LEN = 8;
 	private static final Base64 BASE64 = new Base64();
 	private static final String LABEL = "{SSHA512}";
 	private static final String SALT_CHARACTERS = 
--- a/src/main/java/de/jalin/ldapadmin/web/ResetPasswordServlet.java
+++ b/src/main/java/de/jalin/ldapadmin/web/ResetPasswordServlet.java
@ -8,6 +8,10 @@ import java.io.PrintStream;
 import java.io.PrintWriter;
 import java.io.Writer;
 import java.net.InetAddress;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.nio.file.attribute.FileTime;
 import java.security.NoSuchAlgorithmException;
 import java.util.Collection;
 import java.util.SortedMap;
@ -53,7 +57,17 @@ public class ResetPasswordServlet extends AbstractLDAPServlet {
        cleanSession(httpSession);
        final String token = req.getParameter("token");
        if (token != null && !token.isEmpty()) {
-            final File passwdResetFile = new File(tempDir + "/passwd" + token + ".tmp");
+            final String pathToTempFile = tempDir + "/passwd" + token + ".tmp";
+			final File passwdResetFile = new File(pathToTempFile);
+            final BasicFileAttributes fileAttributes = Files.readAttributes(Paths.get(pathToTempFile), BasicFileAttributes.class);
+            final FileTime creationTime = fileAttributes.creationTime();
+            final long threeHoursDifference = 10800000L;
+			if (creationTime.compareTo(FileTime.fromMillis(System.currentTimeMillis() - threeHoursDifference)) < 0) {
+                LOG.warning("password reset token has expired");
+                httpSession.setAttribute("errormessage", new Messages(req.getLocale()).getString("ResetPasswordServlet.passwordreset_tokenexpired"));
+                req.getRequestDispatcher("/reset-password.jsp").forward(req, resp);
+                return;
+            }
            if (passwdResetFile.exists() && passwdResetFile.canRead()) {
                try (final BufferedReader reader = new BufferedReader(new FileReader(passwdResetFile))) {
                    final String[] uidAndEMail = reader.readLine().split(":");
--- a/src/main/resources/de/jalin/ldapadmin/web/messages.properties
+++ b/src/main/resources/de/jalin/ldapadmin/web/messages.properties
@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Could not reach email service
 ResetPasswordServlet.error_sending_password_reset=Error sending email
 ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required.
 ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request.
+ResetPasswordServlet.passwordreset_tokenexpired=The password reset token has expired
 ResetPasswordServlet.password_changed=Password changed
 ResetPasswordServlet.passwords_donot_match=Passwords do not match
 ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters 
--- a/src/main/resources/de/jalin/ldapadmin/web/messages_de.properties
+++ b/src/main/resources/de/jalin/ldapadmin/web/messages_de.properties
@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Konnte Mail Server nicht erreich
 ResetPasswordServlet.error_sending_password_reset=Fehler beim Versand der E-Mail f\u00fcr das Setzen eines neuen Passworts.
 ResetPasswordServlet.invalid_password_reuse=Das Passwort wurde bereits verwendet. Die Passwort-Richtlinie verlangt die Definition eines neuen Passworts.
 ResetPasswordServlet.no_valid_passwordreset_request=Es konnte keine g\u00fcltige Anforderung f\u00fcr ein neues Passwort zugeordnet werden.
+ResetPasswordServlet.passwordreset_tokenexpired=Das Token zum Passwort-Zur\u00fcchsetzen ist abgelaufen.
 ResetPasswordServlet.password_changed=Ihr neues Passwort ist gespeichert.
 ResetPasswordServlet.passwords_donot_match=Die beiden Passwort-Eingaben stimmen nicht \u00fcberein.
 ResetPasswordServlet.simple_password=Ihr Passwort ist zu einfach. Es sollte mindestens einen Klein- und Gro\u00dfbuchstaben und eine Ziffer oder Sonderzeichen enthalten sowie eine Mindestl\u00e4nge von 12 Zeichen aufweisen 
--- a/src/main/resources/de/jalin/ldapadmin/web/messages_en.properties
+++ b/src/main/resources/de/jalin/ldapadmin/web/messages_en.properties
@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Could not reach email service
 ResetPasswordServlet.error_sending_password_reset=Error sending email
 ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required.
 ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request.
+ResetPasswordServlet.passwordreset_tokenexpired=The password reset token has expired
 ResetPasswordServlet.password_changed=Password changed
 ResetPasswordServlet.passwords_donot_match=Passwords do not match
 ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters