| author | Omar Roth <omarroth@hotmail.com> | 2019-04-22 10:18:17 -0500 |
|---|---|---|
| committer | Omar Roth <omarroth@hotmail.com> | 2019-04-22 10:18:17 -0500 |
| commit | 64aecba7a020f85993f3ce06246d8793fa948b52 (patch) | |
| tree | 0360009a8d290c645e3638b89c3723092d96d921 /src | |
| parent | 30e567e8b63052d657f03e709be2662cafec62af (diff) | |
| download | invidious-64aecba7a020f85993f3ce06246d8793fa948b52.tar.gz invidious-64aecba7a020f85993f3ce06246d8793fa948b52.tar.bz2 invidious-64aecba7a020f85993f3ce06246d8793fa948b52.zip | |
Add option to change passwords
Diffstat (limited to 'src')
| -rw-r--r-- | src/invidious.cr | 80 | ||||
| -rw-r--r-- | src/invidious/views/change_password.ecr | 32 | ||||
| -rw-r--r-- | src/invidious/views/preferences.ecr | 4 |
3 files changed, 116 insertions, 0 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index fb8ebbe4..3780a2f0 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1875,6 +1875,86 @@ post "/data_control" do |env|
 env.redirect referer
 end
+get "/change_password" do |env|
+ locale = LOCALES[env.get("preferences").as(Preferences).locale]?
+
+ user = env.get? "user"
+ sid = env.get? "sid"
+ referer = get_referer(env)
+
+ if user
+ user = user.as(User)
+ sid = sid.as(String)
+ csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)
+
+ templated "change_password"
+ else
+ env.redirect referer
+ end
+end
+
+post "/change_password" do |env|
+ locale = LOCALES[env.get("preferences").as(Preferences).locale]?
+
+ user = env.get? "user"
+ sid = env.get? "sid"
+ referer = get_referer(env)
+
+ if user
+ user = user.as(User)
+ sid = sid.as(String)
+ token = env.params.body["csrf_token"]?
+
+ # We don't store passwords for Google accounts
+ if !user.password
+ error_message = "Cannot change password for Google accounts"
+ next templated "error"
+ end
+
+ begin
+ validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
+ rescue ex
+ error_message = ex.message
+ env.response.status_code = 400
+ next templated "error"
+ end
+
+ password = env.params.body["password"]?
+ if !password
+ error_message = translate(locale, "Password is a required field")
+ next templated "error"
+ end
+
+ new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v }
+
+ if new_passwords.size <= 1 || new_passwords.uniq.size != 1
+ error_message = translate(locale, "New passwords must match")
+ next templated "error"
+ end
+
+ new_password = new_passwords.uniq[0]
+ if new_password.empty?
+ error_message = translate(locale, "Password cannot be empty")
+ next templated "error"
+ end
+
+ if new_password.size > 55
+ error_message = translate(locale, "Password cannot be longer than 55 characters")
+ next templated "error"
+ end
+
+ if Crypto::Bcrypt::Password.new(user.password.not_nil!) != password
+ error_message = translate(locale, "Incorrect password")
+ next templated "error"
+ end
+
+ new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10)
+ PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email)
+ end
+
+ env.redirect referer
+end
+
 get "/delete_account" do |env|
 locale = LOCALES[env.get("preferences").as(Preferences).locale]?
diff --git a/src/invidious/views/change_password.ecr b/src/invidious/views/change_password.ecr
new file mode 100644
index 00000000..2e68556b
--- /dev/null
+++ b/src/invidious/views/change_password.ecr
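Review bot: The `PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", ...)` at the end of `post "/change_password"` rotates the credential but leaves every session already issued for `user.email` valid, so a session someone else is holding keeps working after the change, which defeats the usual reason for changing a password. If the session store supports it, the same step should delete the account's sessions other than the current `sid` (a user changing their password expects to be the only one still logged in afterwards). Two smaller inconsistencies in the same handler: the `if !user.password` branch assigns the raw string `"Cannot change password for Google accounts"` without `translate(locale, ...)` and without setting `env.response.status_code`, unlike the other failure paths, so `error_message = translate(locale, "Cannot change password for Google accounts")` followed by a 4xx status would match them. The `new_password.size > 55` check counts characters rather than bytes, so a 55-character multibyte password is longer in bytes than the message implies; if the bound exists because of the hash function's input limit, `new_password.bytesize > 55` is the right measure.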
@@ -0,0 +1,32 @@
+<% content_for "header" do %>
+<title><%= translate(locale, "Change password") %> - Invidious</title>
+<% end %>
+
+<div class="pure-g">
+ <div class="pure-u-1 pure-u-lg-1-5"></div>
+ <div class="pure-u-1 pure-u-lg-3-5">
+ <div class="h-box">
+ <form class="pure-form pure-form-aligned" action="/change_password?referer=<%= URI.escape(referer) %>" method="post">
+ <legend><%= translate(locale, "Change password") %></legend>
+
+ <fieldset>
+ <label for="password"><%= translate(locale, "Password") %> :</label>
+ <input required class="pure-input-1" name="password" type="password" placeholder="<%= translate(locale, "Password") %>">
+
+ <label for="new_password[0]"><%= translate(locale, "New password") %> :</label>
+ <input required class="pure-input-1" name="new_password[0]" type="password" placeholder="<%= translate(locale, "New password") %>">
+
+ <label for="new_password[1]"><%= translate(locale, "New password") %> :</label>
+ <input required class="pure-input-1" name="new_password[1]" type="password" placeholder="<%= translate(locale, "New password") %>">
+
+ <button type="submit" name="action" value="change_password" class="pure-button pure-button-primary">
+ <%= translate(locale, "Change password") %>
+ </button>
+
+ <input type="hidden" name="csrf_token" value="<%= URI.escape(csrf_token) %>">
+ </fieldset>
+ </form>
+ </div>
+ </div>
+ <div class="pure-u-1 pure-u-lg-1-5"></div>
+</div>
diff --git a/src/invidious/views/preferences.ecr b/src/invidious/views/preferences.ecr
index 1af53488..5d2c35b1 100644
--- a/src/invidious/views/preferences.ecr
+++ b/src/invidious/views/preferences.ecr
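Review bot: The `for="password"`, `for="new_password[0]"` and `for="new_password[1]"` attributes on the new form's labels reference `name` values, but none of the `<input>` elements carry an `id`, so the labels are not associated with their fields (clicking a label does nothing and assistive technology cannot link them). Giving each input a matching id, e.g. `<input required id="password" class="pure-input-1" name="password" type="password" ...>`, fixes that; the bracketed names are legal as ids but plain ids such as `new_password_0` are easier to target. Since nothing else tells the browser which field is the existing password and which are the new one, `autocomplete="current-password"` on the first input and `autocomplete="new-password"` on the two new-password inputs would also let password managers fill and update the stored credential correctly.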
@@ -214,6 +214,10 @@ function update_value(element) {
 </div>
 <div class="pure-control-group">
+ <a href="/change_password?referer=<%= URI.escape(referer) %>"><%= translate(locale, "Change password") %></a>
+ </div>
+
+ <div class="pure-control-group">
 <a href="/data_control?referer=<%= URI.escape(referer) %>"><%= translate(locale, "Import/export data") %></a>
 </div> |
