From 913295ebd73d096d1ad982c08d758cf3decbcf3f Mon Sep 17 00:00:00 2001
From: Dominika Liberda
Date: Fri, 6 Nov 2020 00:27:48 +0100
Subject: [PATCH] BE: implemented password reset
---
 code/common.sh | 52 +++++++++++++++++++++++++++++++++--
 webroot/api/collect.shs | 5 +++-
 webroot/api/login.shs | 2 +-
 webroot/api/packages.shs | 4 ++-
 webroot/api/reset_confirm.shs | 11 ++++++++
 webroot/api/reset_request.shs | 28 +++++++++++++++++++
 webroot/api/session.shs | 9 +++---
 7 files changed, 101 insertions(+), 10 deletions(-)
 create mode 100644 webroot/api/reset_confirm.shs
 create mode 100644 webroot/api/reset_request.shs
diff --git a/code/common.sh b/code/common.sh
index 7b93eef..26877ce 100644
--- a/code/common.sh
+++ b/code/common.sh
@@ -82,12 +82,58 @@ function get_account_mail() {
 cat secret/mail.dat | grep "^$1:" | awk -F: '{print $2}'
 }
-#account_verified(session)
-function account_verified {
+#account_verified(username)
+function account_verified() {
 [[ $1 == '' ]] && return
- if [[ "$(cat secret/mail.dat | grep -P "^$(session_get_username "$1"):" | awk -F: '{print $4}')" != "yes" ]]; then
+ if [[ "$(cat secret/mail.dat | grep -P "^$1:" | awk -F: '{print $4}')" != "yes" ]]; then
 return 0
 else
 return 1
 fi
 }
+
+#account_gen_reset_code(username, force)
+function account_gen_reset_code() {
+ [[ "$1" == '' ]] && return
+
+ if ! account_verified "$1"; then
+ data="$(cat secret/mail.dat | grep -P "^$1:")"
+
+ user="$1"
+ mail="$(awk -F: '{print $2}' <<< "$data")"
+ old_code="$(awk -F: '{print $3}' <<< "$data")"
+ timestamp="$(awk -F: '{print $5}' <<< "$data")"
+
+ new_timestamp="$(date "+%s")"
+ new_code="$RANDOM"
+
+ if [[ $(date "+%s") -gt $((timestamp+3600)) || $2 == true ]]; then
+ sed -i "s/$user:$mail:$old_code:yes:$timestamp/$user:$mail:$new_code:yes:$new_timestamp/" secret/mail.dat
+ echo -n "$new_code"$(date "+%d%m%y") | sha1sum | awk '{print $1}' | cut -c 1-10
+ return 0
+ else
+ return 2
+ fi
+ else
+ return 1
+ fi
+}
+
+#reset_pwd(username, hash, password)
+function reset_pwd() {
+ [[ "$1" == '' || "$2" == '' || "$3" == '' ]] && return
+ user="$1"
+ hash="$2"
+ pass="$3"
+
+ if [[ "$(echo -n $(cat secret/mail.dat | grep -P "^$user:" | awk -F: '{print $3}')$(date "+%d%m%y") | sha1sum | awk '{print $1}' | cut -c 1-10)" == "$hash" ]]; then
+ delete_account "$user"
+ register "$user" "$pass"
+
+ # prevents resetting the password with the same hash twice
+ account_gen_reset_code "$user" true >> /dev/null
+ return 0
+ else
+ return 1
+ fi
+}
diff --git a/webroot/api/collect.shs b/webroot/api/collect.shs
index 200c780..a5ccd90 100644
--- a/webroot/api/collect.shs
+++ b/webroot/api/collect.shs
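Review bot: `new_code="$RANDOM"` in account_gen_reset_code leaves only 32768 possible reset codes, and because reset_confirm.shs neither limits attempts nor invalidates the code after a failed try, the 10-character hash compared in reset_pwd can be enumerated within the day it stays valid. Derive the code from a CSPRNG, e.g. `new_code="$(head -c 16 /dev/urandom | sha1sum | awk '{print $1}')"`, and add a failed-attempt counter on the confirm path. The empty-argument guard in reset_pwd returns status 0 (`[[ … ]] && return` reports the test's own status), so a request with a missing field makes reset_confirm.shs answer "Your password has been reset!" without changing anything; write `[[ "$1" == '' || "$2" == '' || "$3" == '' ]] && return 1` (and `&& return 1` in account_gen_reset_code, which its caller currently pre-guards). `grep -P "^$1:"` in account_verified and account_gen_reset_code also interpolates the submitted login into a PCRE pattern; `awk -F: -v u="$1" '$1 == u' secret/mail.dat` selects the record literally. Note too that the hash folds in `date "+%d%m%y"`, so a code issued shortly before midnight stops validating at day change while the 3600 s limit still refuses a new one.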
@@ -1,5 +1,8 @@
 #!/bin/bash
-silent=yes source "${cfg[namespace]}/webroot/api/session.shs"
+if ! silent=yes source "${cfg[namespace]}/webroot/api/session.shs"; then
+ return
+fi
+
 source "${cfg[namespace]}/code/common.sh"
 data=$(curl -s -X POST -H "$(get_auth_string)" -H "Content-type: application/json" "https://api-inmobile-pl.easypack24.net/v1/collect/validate" --data '{"geoPoint":{"accuracy":"1","latitude":"'"${post_data[lat]}"'","longitude":"'"${post_data[lon]}"'"},"parcel":{"openCode":"'"${post_data[openCode]}"'","shipmentNumber":"'"${post_data[id]}"'"}}')
diff --git a/webroot/api/login.shs b/webroot/api/login.shs
index d306197..5ca6054 100644
--- a/webroot/api/login.shs
+++ b/webroot/api/login.shs
@@ -1,5 +1,5 @@
 #!/bin/bash
-source code/common.sh
+source "${cfg[namespace]}/code/common.sh"
 if [[ "${post_data[login]}" != '' && "${post_data[password]}" != '' ]]; then
 login "${post_data[login]}" "${post_data[password]}"
diff --git a/webroot/api/packages.shs b/webroot/api/packages.shs
index 04e7e6b..211a811 100644
--- a/webroot/api/packages.shs
+++ b/webroot/api/packages.shs
@@ -1,5 +1,7 @@
 #!/bin/bash
-silent=yes source "${cfg[namespace]}/webroot/api/session.shs"
+if ! silent=yes source "${cfg[namespace]}/webroot/api/session.shs"; then
+ return
+fi
 data=$(curl -s -H "$(get_auth_string)" "https://api-inmobile-pl.easypack24.net/v1/parcel?updatedAfter=1970-01-01T00:00:00.000Z")
diff --git a/webroot/api/reset_confirm.shs b/webroot/api/reset_confirm.shs
new file mode 100644
index 0000000..2cc3d5e
--- /dev/null
+++ b/webroot/api/reset_confirm.shs
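Review bot: The bare `return` in the new guard of collect.shs (and the identical guard in packages.shs) exits with the status of the last command, which after `if ! …` is the negated result, 0, so whatever sources these endpoint scripts sees a rejected request as a success. If the dispatcher ever checks the status, `return 1` keeps the rejection visible; if it does not, a short comment such as `# session.shs already emitted the error JSON; stop here` would explain why the branch is otherwise empty. The guard only works because session.shs now returns 1 on every error path, so that contract is worth stating in session.shs as well.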
@@ -0,0 +1,11 @@
+#!/bin/bash
+source "${cfg[namespace]}/code/common.sh"
+
+reset_pwd "${post_data[login]}" "${post_data[hash]}" "${post_data[password]}"
+status=$?
+
+if [[ $status == 0 ]]; then
+ jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 200 "Your password has been reset!"
+else
+ jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 1 "Something went wrong. Check your form."
+fi
diff --git a/webroot/api/reset_request.shs b/webroot/api/reset_request.shs
new file mode 100644
index 0000000..9915af3
--- /dev/null
+++ b/webroot/api/reset_request.shs
@@ -0,0 +1,28 @@
+#!/bin/bash
+[[ "${post_data[login]}" == '' ]] && jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 0 "AAAA" && return
+source "${cfg[namespace]}/code/common.sh"
+
+hash="$(account_gen_reset_code "${post_data[login]}")"
+result=$?
+
+if [[ $result == 1 ]]; then
+ jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 1 "This account doesn't exist or wasn't verified."
+elif [[ $result == 2 ]]; then
+ jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 2 "Ratelimited."
+elif [[ $result == 0 ]]; then
+ sender_name="${cfg[who]}" mailsend "$(get_account_mail ${post_data[login]})" "OCW password reset" \
+"Hi ${post_data[login]},
+
+Someone (probably you) has requested a password reset on your OCW account.
+To reset your password, paste below text into the password reset form:
+
+$hash
+
+NEVER give this code to anybody - this would grant full control over your account.
+If you didn't request a password reset, you can safely ignore this message.
+
+Have a wonderful day!
+~ ${cfg[who]}" &
+
+ jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 200 "Reset e-mail sent!"
+fi
diff --git a/webroot/api/session.shs b/webroot/api/session.shs
index c6301d8..32805a5 100644
--- a/webroot/api/session.shs
+++ b/webroot/api/session.shs
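Review bot: `--args 0 "AAAA"` on the empty-login guard of reset_request.shs looks like a placeholder: status 0 is used by no other branch (200 is success, 1 and 2 are errors) and the message is not something a user can act on; `--args 1 "Missing login."` would match the rest of the file. `get_account_mail ${post_data[login]}` on the mailsend line is unquoted, so a login containing whitespace or glob characters is split before get_account_mail sees it; write `"$(get_account_mail "${post_data[login]}")"`. The `mailsend … &` job is backgrounded and never waited on, so a delivery failure still answers "Reset e-mail sent!"; if that is deliberate best-effort delivery, a comment saying so would help. The 1/200 split also tells an unauthenticated caller whether a login exists and is verified; if account enumeration matters for this service, answering both outcomes with the same generic message is the usual mitigation.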
@@ -3,14 +3,15 @@ source "${cfg[namespace]}/code/common.sh"
 if ! session_verify "${cookies[sh_session]}"; then
 jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args -1 "You're not logged in!"
- return
-elif account_verified "${cookies[sh_session]}"; then
+ return 1
+elif account_verified "$(session_get_username "${cookies[sh_session]}")"; then
 jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args -2 "You didn't verify your mail!"
- return
+ return 1
 elif check_if_user_exists "authToken"; then
 jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args -3 "You didn't verify your phone!"
- return
+ return 1
 else
 [[ "$silent" != "yes" ]] && jq -n '{status: $ARGS.positional[0], msg: $ARGS.positional[1]}' --args 200 "OK"
+ return 0
 fi
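Review bot: The rewritten `elif account_verified "$(session_get_username …)"` still reads as "if verified, error", whereas account_verified in common.sh returns 0 precisely when field 4 of secret/mail.dat is not "yes"; a comment above the branch, `# account_verified returns 0 when the mail is NOT yet verified (see common.sh)`, or renaming the helper to account_unverified, would keep the next reader from inverting it. The username now passed in is interpolated into `grep -P "^$1:"` inside account_verified, which is fine only if session_get_username yields a stored username rather than text derived from the cookie value — worth confirming, since that function is outside this hunk. The new `return 1`/`return 0` pair is what collect.shs and packages.shs depend on, so a one-line header comment stating that session.shs returns non-zero after emitting an error would document the contract.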