embed timestamp in password reset token so it only works for 24 hours

This commit is contained in:
joshua stein 2014-04-15 00:46:14 -05:00
parent 993e1e84ae
commit aab34a9936
2 changed files with 21 additions and 17 deletions


@ -55,25 +55,29 @@ class LoginController < ApplicationController
def set_new_password
@title = "Reset Password"
if params[:token].blank? ||
!(@reset_user = User.where(:password_reset_token => params[:token].to_s).first)
if (m = params[:token].to_s.match(/^(\d+)-/)) &&
(Time.now - Time.at(m[1].to_i)) < 24.hours
@reset_user = User.where(:password_reset_token => params[:token].to_s).first
end
if @reset_user
if params[:password].present?
@reset_user.password = params[:password]
@reset_user.password_confirmation = params[:password_confirmation]
@reset_user.password_reset_token = nil
# this will get reset upon save
@reset_user.session_token = nil
if @reset_user.save && @reset_user.is_active?
session[:u] = @reset_user.session_token
return redirect_to "/"
end
end
else
flash[:error] = "Invalid reset token. It may have already been " <<
"used or you may have copied it incorrectly."
return redirect_to forgot_password_url
end
if params[:password].present?
@reset_user.password = params[:password]
@reset_user.password_confirmation = params[:password_confirmation]
@reset_user.password_reset_token = nil
# this will get reset upon save
@reset_user.session_token = nil
if @reset_user.save && @reset_user.is_active?
session[:u] = @reset_user.session_token
return redirect_to "/"
end
end
end
end
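Review bot: The regex in `if (m = params[:token].to_s.match(/^(\d+)-/))` uses `^`, which in Ruby matches at the start of any line rather than the start of the string; the full token is still looked up in the database, so a crafted prefix cannot bypass the check, but `/\A(\d+)-/` states the intent and removes the dependence on that. The 24-hour window is computed from the client-supplied string and is trustworthy only because the following `User.where(:password_reset_token => params[:token].to_s).first` requires an exact match on the whole token, which deserves a comment above the check, e.g. `# the timestamp prefix is part of the stored token, so an exact DB match vouches for it`. Expired tokens now fall into the same flash message as used or mistyped ones; consider `flash[:error] = "Invalid reset token. It may have expired, already been used, or " << "you may have copied it incorrectly."`. Tokens issued before this change, which have no timestamp prefix, are rejected outright by the new code and stay stored until a new reset is initiated.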


@ -174,7 +174,7 @@ class User < ActiveRecord::Base
end
def initiate_password_reset_for_ip(ip)
self.password_reset_token = Utils.random_str(40)
self.password_reset_token = "#{Time.now.to_i}-#{Utils.random_str(30)}"
self.save!
PasswordReset.password_reset_link(self, ip).deliver