invalidate password reset token

This commit is contained in:
Peter Hormanns 2021-12-03 20:36:13 +01:00
parent 55cce4532f
commit 7a973041e5
5 changed files with 19 additions and 2 deletions

View File

@ -8,7 +8,7 @@ import org.apache.commons.codec.binary.Base64;
public class PasswordValidator { public class PasswordValidator {
private static final int MIN_PASSWORD_LEN = 6; private static final int MIN_PASSWORD_LEN = 8;
private static final Base64 BASE64 = new Base64(); private static final Base64 BASE64 = new Base64();
private static final String LABEL = "{SSHA512}"; private static final String LABEL = "{SSHA512}";
private static final String SALT_CHARACTERS = private static final String SALT_CHARACTERS =

View File

@ -8,6 +8,10 @@ import java.io.PrintStream;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.io.Writer; import java.io.Writer;
import java.net.InetAddress; import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.FileTime;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Collection; import java.util.Collection;
import java.util.SortedMap; import java.util.SortedMap;
@ -53,7 +57,17 @@ public class ResetPasswordServlet extends AbstractLDAPServlet {
cleanSession(httpSession); cleanSession(httpSession);
final String token = req.getParameter("token"); final String token = req.getParameter("token");
if (token != null && !token.isEmpty()) { if (token != null && !token.isEmpty()) {
final File passwdResetFile = new File(tempDir + "/passwd" + token + ".tmp"); final String pathToTempFile = tempDir + "/passwd" + token + ".tmp";
final File passwdResetFile = new File(pathToTempFile);
final BasicFileAttributes fileAttributes = Files.readAttributes(Paths.get(pathToTempFile), BasicFileAttributes.class);
final FileTime creationTime = fileAttributes.creationTime();
final long threeHoursDifference = 10800000L;
if (creationTime.compareTo(FileTime.fromMillis(System.currentTimeMillis() - threeHoursDifference)) < 0) {
LOG.warning("password reset token has expired");
httpSession.setAttribute("errormessage", new Messages(req.getLocale()).getString("ResetPasswordServlet.passwordreset_tokenexpired"));
req.getRequestDispatcher("/reset-password.jsp").forward(req, resp);
return;
}
if (passwdResetFile.exists() && passwdResetFile.canRead()) { if (passwdResetFile.exists() && passwdResetFile.canRead()) {
try (final BufferedReader reader = new BufferedReader(new FileReader(passwdResetFile))) { try (final BufferedReader reader = new BufferedReader(new FileReader(passwdResetFile))) {
final String[] uidAndEMail = reader.readLine().split(":"); final String[] uidAndEMail = reader.readLine().split(":");

View File

@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Could not reach email service
ResetPasswordServlet.error_sending_password_reset=Error sending email ResetPasswordServlet.error_sending_password_reset=Error sending email
ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required. ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required.
ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request. ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request.
ResetPasswordServlet.passwordreset_tokenexpired=The password reset token has expired
ResetPasswordServlet.password_changed=Password changed ResetPasswordServlet.password_changed=Password changed
ResetPasswordServlet.passwords_donot_match=Passwords do not match ResetPasswordServlet.passwords_donot_match=Passwords do not match
ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters

View File

@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Konnte Mail Server nicht erreich
ResetPasswordServlet.error_sending_password_reset=Fehler beim Versand der E-Mail f\u00fcr das Setzen eines neuen Passworts. ResetPasswordServlet.error_sending_password_reset=Fehler beim Versand der E-Mail f\u00fcr das Setzen eines neuen Passworts.
ResetPasswordServlet.invalid_password_reuse=Das Passwort wurde bereits verwendet. Die Passwort-Richtlinie verlangt die Definition eines neuen Passworts. ResetPasswordServlet.invalid_password_reuse=Das Passwort wurde bereits verwendet. Die Passwort-Richtlinie verlangt die Definition eines neuen Passworts.
ResetPasswordServlet.no_valid_passwordreset_request=Es konnte keine g\u00fcltige Anforderung f\u00fcr ein neues Passwort zugeordnet werden. ResetPasswordServlet.no_valid_passwordreset_request=Es konnte keine g\u00fcltige Anforderung f\u00fcr ein neues Passwort zugeordnet werden.
ResetPasswordServlet.passwordreset_tokenexpired=Das Token zum Passwort-Zur\u00fcchsetzen ist abgelaufen.
ResetPasswordServlet.password_changed=Ihr neues Passwort ist gespeichert. ResetPasswordServlet.password_changed=Ihr neues Passwort ist gespeichert.
ResetPasswordServlet.passwords_donot_match=Die beiden Passwort-Eingaben stimmen nicht \u00fcberein. ResetPasswordServlet.passwords_donot_match=Die beiden Passwort-Eingaben stimmen nicht \u00fcberein.
ResetPasswordServlet.simple_password=Ihr Passwort ist zu einfach. Es sollte mindestens einen Klein- und Gro\u00dfbuchstaben und eine Ziffer oder Sonderzeichen enthalten sowie eine Mindestl\u00e4nge von 12 Zeichen aufweisen ResetPasswordServlet.simple_password=Ihr Passwort ist zu einfach. Es sollte mindestens einen Klein- und Gro\u00dfbuchstaben und eine Ziffer oder Sonderzeichen enthalten sowie eine Mindestl\u00e4nge von 12 Zeichen aufweisen

View File

@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Could not reach email service
ResetPasswordServlet.error_sending_password_reset=Error sending email ResetPasswordServlet.error_sending_password_reset=Error sending email
ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required. ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required.
ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request. ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request.
ResetPasswordServlet.passwordreset_tokenexpired=The password reset token has expired
ResetPasswordServlet.password_changed=Password changed ResetPasswordServlet.password_changed=Password changed
ResetPasswordServlet.passwords_donot_match=Passwords do not match ResetPasswordServlet.passwords_donot_match=Passwords do not match
ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters