Implemented helper for password reset

Dockerfile

@@ -25,6 +25,15 @@ ENV HASHTOPOLIS_LOG_PATH=${HASHTOPOLIS_PATH}/log
 ENV HASHTOPOLIS_CONFIG_PATH=${HASHTOPOLIS_PATH}/config
 ENV HASHTOPOLIS_BINARIES_PATH=${HASHTOPOLIS_PATH}/binaries
 
+ENV HASHTOPOLIS_SSMTP_ENABLE=0
+ENV [email protected]
+ENV HASHTOPOLIS_SSMTP_MAILHUB=example.org:465
+ENV HASHTOPOLIS_SSMTP_HOSTNAME=hashtopolis.example.org
+ENV HASHTOPOLIS_SSMTP_USE_TLS=Yes
+ENV HASHTOPOLIS_SSMTP_USE_STARTTLS=No
+ENV HASHTOPOLIS_SSMTP_AUTH_USER=xxxx
+ENV HASHTOPOLIS_SSMTP_AUTH_PASS=xxxx
+
 # Add support for TLS inspection corporate setups, see .env.sample for details
 ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt 
 
@@ -39,6 +48,7 @@ RUN apt-get update \
     && apt-get -y install git iproute2 procps lsb-release \
     && apt-get -y install mariadb-client \
     && apt-get -y install libpng-dev \
+    && apt-get -y install ssmtp sudo \
 \
     # Install extensions (optional)
     && docker-php-ext-install pdo_mysql gd \
@@ -77,6 +87,11 @@ COPY --from=preprocess /HEA[D] ${HASHTOPOLIS_DOCUMENT_ROOT}/../.git/
 COPY composer.json ${HASHTOPOLIS_DOCUMENT_ROOT}/../
 RUN composer install --working-dir=${HASHTOPOLIS_DOCUMENT_ROOT}/..
 
+RUN echo "www-data ALL=NOPASSWD:SETENV: /usr/local/bin/second-level-docker-entry.sh" >> /etc/sudoers.d/10_docker
+COPY second-level-docker-entry.sh /usr/local/bin
+
+RUN echo "" > /etc/ssmtp/ssmtp.conf
+
 ENV DEBIAN_FRONTEND=dialog
 COPY docker-entrypoint.sh /usr/local/bin
 

docker-compose.yml

@@ -14,6 +14,15 @@ services:
       HASHTOPOLIS_ADMIN_USER: $HASHTOPOLIS_ADMIN_USER
       HASHTOPOLIS_ADMIN_PASSWORD: $HASHTOPOLIS_ADMIN_PASSWORD
       HASHTOPOLIS_APIV2_ENABLE: $HASHTOPOLIS_APIV2_ENABLE
+
+      HASHTOPOLIS_SSMTP_ENABLE: $HASHTOPOLIS_SSMTP_ENABLE
+      HASHTOPOLIS_SSMTP_ROOT: $HASHTOPOLIS_SSMTP_ROOT
+      HASHTOPOLIS_SSMTP_MAILHUB: $HASHTOPOLIS_SSMTP_MAILHUB
+      HASHTOPOLIS_SSMTP_HOSTNAME: $HASHTOPOLIS_SSMTP_HOSTNAME
+      HASHTOPOLIS_SSMTP_USE_TLS: $HASHTOPOLIS_SSMTP_USE_TLS
+      HASHTOPOLIS_SSMTP_USE_STARTTLS: $HASHTOPOLIS_SSMTP_USE_STARTTLS
+      HASHTOPOLIS_SSMTP_AUTH_USER: $HASHTOPOLIS_SSMTP_AUTH_USER
+      HASHTOPOLIS_SSMTP_AUTH_PASS: $HASHTOPOLIS_SSMTP_AUTH_PASS
     depends_on:
       - db
     ports:

docker-entrypoint.sh

@@ -10,6 +10,9 @@ for path in ${paths[@]}; do
   fi
 done
 
+echo "Running required root setups."
+sudo -E /usr/local/bin/second-level-docker-entry.sh
+
 echo "Testing database."
 MYSQL="mysql -u${HASHTOPOLIS_DB_USER} -p${HASHTOPOLIS_DB_PASS} -h ${HASHTOPOLIS_DB_HOST}"
 $MYSQL -e "SELECT 1" > /dev/null 2>&1

env.example

@@ -9,3 +9,12 @@ HASHTOPOLIS_DB_HOST=db
 
 HASHTOPOLIS_APIV2_ENABLE=0
 HASHTOPOLIS_BACKEND_URL=http://localhost:8080/api/v2
+
+HASHTOPOLIS_SSMTP_ENABLE=0
+[email protected]
+HASHTOPOLIS_SSMTP_MAILHUB=example.org:465
+HASHTOPOLIS_SSMTP_HOSTNAME=hashtopolis.example.org
+HASHTOPOLIS_SSMTP_USE_TLS=Yes
+HASHTOPOLIS_SSMTP_USE_STARTTLS=No
+HASHTOPOLIS_SSMTP_AUTH_USER=username
+HASHTOPOLIS_SSMTP_AUTH_PASS=password

second-level-docker-entry.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# set up SSMTP config
+if [[ $HASHTOPOLIS_SSMTP_ENABLE == 1 ]]; then
+  echo "Setting up SSMTP config..."
+  echo -e "\
+root=${HASHTOPOLIS_SSMTP_ROOT}\n\
+mailhub=${HASHTOPOLIS_SSMTP_MAILHUB}\n\
+hostname=${HASHTOPOLIS_SSMTP_HOSTNAME}\n\
+UseTLS=${HASHTOPOLIS_SSMTP_USE_TLS}\n\
+UseSTARTTLS=${HASHTOPOLIS_SSMTP_USE_STARTTLS}\n\
+AuthUser=${HASHTOPOLIS_SSMTP_AUTH_USER}\n\
+AuthPass=${HASHTOPOLIS_SSMTP_AUTH_PASS}\n\
+FromLineOverride=NO\n\
+#Debug=YES\n" > /etc/ssmtp/ssmtp.conf
+fi

src/api/v2/index.php

@@ -132,7 +132,7 @@ public function get($key): string {
     include(dirname(__FILE__) . '/../../inc/confv2.php');
     return new JwtAuthentication([
         "path" => "/",
-        "ignore" => ["/api/v2/auth/token", "/api/v2/openapi.json"],
+        "ignore" => ["/api/v2/auth/token", "/api/v2/helper/resetUserPassword", "/api/v2/openapi.json"],
         "secret" => $PEPPER[0],
         "attribute" => false,
         "secure" => false,
@@ -272,6 +272,7 @@ public function process(Request $request, RequestHandler $handler): Response {
 require __DIR__ . "/../../inc/apiv2/helper/importFile.routes.php";
 require __DIR__ . "/../../inc/apiv2/helper/purgeTask.routes.php";
 require __DIR__ . "/../../inc/apiv2/helper/resetChunk.routes.php";
+require __DIR__ . "/../../inc/apiv2/helper/resetUserPassword.routes.php";
 require __DIR__ . "/../../inc/apiv2/helper/setUserPassword.routes.php";
 
 $app->run();

src/inc/apiv2/helper/resetUserPassword.routes.php

@@ -0,0 +1,40 @@
+<?php
+
+use DBA\User;
+use \Psr\Http\Message\ServerRequestInterface;
+
+require_once(dirname(__FILE__) . "/../common/AbstractHelperAPI.class.php");
+
+class ResetUserPasswordHelperAPI extends AbstractHelperAPI {
+  public static function getBaseUri(): string {
+    return "/api/v2/helper/resetUserPassword";
+  }
+
+  public static function getAvailableMethods(): array {
+    return ['POST'];
+  }
+
+  public function getRequiredPermissions(string $method): array {
+    return [];
+  }
+
+  public function preCommon(ServerRequestInterface $request): void {
+    // nothing, there is no user for this request as it is an unauthenticated request
+  }
+
+  public function getFormFields(): array {
+    return [
+      User::EMAIL => ["type" => "str"],
+      User::USERNAME => ["type" => "str"],
+    ];
+  }
+
+  public function actionPost($data): array|null {
+    UserUtils::userForgotPassword($data[User::USERNAME], $data[User::EMAIL]);
+
+    # TODO: Check how to handle custom return messages that are not object, probably we want that to be in some kind of standardized form.
+    return ["reset" => "success"];
+  }
+}
+
+ResetUserPasswordHelperAPI::register($app);

src/inc/handlers/ForgotHandler.class.php

@@ -1,51 +1,24 @@
 <?php
 
-use DBA\QueryFilter;
-use DBA\User;
-use DBA\Factory;
-
 class ForgotHandler implements Handler {
   public function __construct($configId = null) {
     //we need nothing to load
   }
 
   public function handle($action) {
-    switch ($action) {
-      case DForgotAction::RESET:
-        $this->forgot($_POST['username'], $_POST['email']);
-        break;
-      default:
-        UI::addMessage(UI::ERROR, "Invalid action!");
-        break;
-    }
-  }
-
-  private function forgot($username, $email) {
-    $username = htmlentities($username, ENT_QUOTES, "UTF-8");
-    $qF = new QueryFilter(User::USERNAME, $username, "=");
-    $res = Factory::getUserFactory()->filter([Factory::FILTER => $qF]);
-    if ($res == null || sizeof($res) == 0) {
-      UI::addMessage(UI::ERROR, "No such user!");
-      return;
-    }
-    $user = $res[0];
-    if ($user->getEmail() != $email) {
-      UI::addMessage(UI::ERROR, "No such user!");
-      return;
-    }
-    $newSalt = Util::randomString(20);
-    $newPass = Util::randomString(10);
-    $newHash = Encryption::passwordHash($newPass, $newSalt);
-
-    $tmpl = new Template("email/forgot");
-    $tmplPlain = new Template("email/forgot.plain");
-    $obj = array('username' => $user->getUsername(), 'password' => $newPass);
-    if (Util::sendMail($user->getEmail(), "Password reset", $tmpl->render($obj), $tmplPlain->render($obj))) {
-      Factory::getUserFactory()->mset($user, [User::PASSWORD_HASH => $newHash, User::PASSWORD_SALT => $newSalt, User::IS_COMPUTED_PASSWORD => 1]);
-      UI::addMessage(UI::SUCCESS, "Password reset! You should receive an email soon.");
+    try {
+      switch ($action) {
+        case DForgotAction::RESET:
+          UserUtils::userForgotPassword($_POST['username'], $_POST['email']);
+          UI::addMessage(UI::SUCCESS, "Password reset! You should receive an email soon.");
+          break;
+        default:
+          UI::addMessage(UI::ERROR, "Invalid action!");
+          break;
+      }
     }
-    else {
-      UI::addMessage(UI::ERROR, "Password reset failed because of an error when sending the email! Please check if PHP is able to send emails.");
+    catch (HTException $e) {
+      UI::addMessage(UI::ERROR, $e->getMessage());
     }
   }
 }

src/inc/utils/UserUtils.class.php

@@ -48,6 +48,32 @@ public static function deleteUser($userId, $adminUser) {
     Factory::getUserFactory()->delete($user);
   }
 
+  public static function userForgotPassword($username, $email) {
+    $username = htmlentities($username, ENT_QUOTES, "UTF-8");
+    $qF = new QueryFilter(User::USERNAME, $username, "=");
+    $res = Factory::getUserFactory()->filter([Factory::FILTER => $qF]);
+    if ($res == null || sizeof($res) == 0) {
+      throw new HTException("No such user!");
+    }
+    $user = $res[0];
+    if ($user->getEmail() != $email) {
+      throw new HTException("No such user!");
+    }
+    $newSalt = Util::randomString(20);
+    $newPass = Util::randomString(10);
+    $newHash = Encryption::passwordHash($newPass, $newSalt);
+
+    $tmpl = new Template("email/forgot");
+    $tmplPlain = new Template("email/forgot.plain");
+    $obj = array('username' => $user->getUsername(), 'password' => $newPass);
+    if (Util::sendMail($user->getEmail(), "Password reset", $tmpl->render($obj), $tmplPlain->render($obj))) {
+      Factory::getUserFactory()->mset($user, [User::PASSWORD_HASH => $newHash, User::PASSWORD_SALT => $newSalt, User::IS_COMPUTED_PASSWORD => 1]);
+    }
+    else {
+      throw new HTException("Password reset failed because of an error when sending the email! Please check if PHP is able to send emails.");
+    }
+  }
+
   /**
    * @param int $userId
    * @throws HTException