

Merge pull request #566 from openziti/token-revocation
Regenerate Account Token (#191)
michaelquigley authored Feb 15, 2024
2 parents 8cc0ca0 + 28d3002 commit 48d3424
Showing 31 changed files with 1,620 additions and 28 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,8 @@

## v0.4.25

FEATURE: The web console now supports revoking your current account token and generating a new one (https://github.com/openziti/zrok/issues/191)

CHANGE: Creating a reserved share checks for token collision and returns a more appropriate error message (https://github.com/openziti/zrok/issues/531)

CHANGE: Update UI to add a 'true' value on `reserved` boolean (https://github.com/openziti/zrok/issues/443)
1 change: 1 addition & 0 deletions controller/controller.go
Expand Up @@ -49,6 +49,7 @@ func Run(inCfg *config.Config) error {
api.AccountRegisterHandler = newRegisterHandler(cfg)
api.AccountResetPasswordHandler = newResetPasswordHandler(cfg)
api.AccountResetPasswordRequestHandler = newResetPasswordRequestHandler()
api.AccountResetTokenHandler = newResetTokenHandler()
api.AccountVerifyHandler = newVerifyHandler()
api.AdminCreateFrontendHandler = newCreateFrontendHandler()
api.AdminCreateIdentityHandler = newCreateIdentityHandler()
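--- a/controller/resetToken.go
+++ b/controller/resetToken.go
@@ -0,0 +1,62 @@
+package controller
+
+import (
+"github.com/go-openapi/runtime/middleware"
+"github.com/openziti/zrok/rest_model_zrok"
+"github.com/openziti/zrok/rest_server_zrok/operations/account"
+"github.com/sirupsen/logrus"
+)
+
+type resetTokenHandler struct{}
+
+func newResetTokenHandler() *resetTokenHandler {
+return &resetTokenHandler{}
+}
+
+func (handler *resetTokenHandler) Handle(params account.ResetTokenParams, principal *rest_model_zrok.Principal) middleware.Responder {
+if params.Body.EmailAddress == "" {
+logrus.Error("missing email")
+return account.NewResetTokenNotFound()
+}
+logrus.Infof("received token reset request for email '%v'", params.Body.EmailAddress)
+
+tx, err := str.Begin()
+if err != nil {
+logrus.Errorf("error starting transaction for '%v': %v", params.Body.EmailAddress, err)
+return account.NewResetTokenInternalServerError()
+}
+defer tx.Rollback()
+
+a, err := str.FindAccountWithEmail(params.Body.EmailAddress, tx)
+if err != nil {
+logrus.Errorf("error finding account for '%v': %v", params.Body.EmailAddress, err)
+return account.NewResetTokenNotFound()
+}
+if a.Deleted {
+logrus.Errorf("account '%v' for '%v' deleted", a.Email, a.Token)
+return account.NewResetTokenNotFound()
+}
+
+// Need to create new token and invalidate all other resources
+token, err := CreateToken()
+if err != nil {
+logrus.Errorf("error creating token for request '%v': %v", params.Body.EmailAddress, err)
+return account.NewResetTokenInternalServerError()
+}
+
+a.Token = token
+
+if _, err := str.UpdateAccount(a, tx); err != nil {
+logrus.Errorf("error updating account for request '%v': %v", params.Body.EmailAddress, err)
+return account.NewResetTokenInternalServerError()
+}
+
+if err := tx.Commit(); err != nil {
+logrus.Errorf("error committing '%v' (%v): %v", params.Body.EmailAddress, a.Email, err)
+return account.NewResetTokenInternalServerError()
+}
+
+logrus.Infof("reset token for '%v'", a.Email)
+
+return account.NewResetTokenOK().WithPayload(&account.ResetTokenOKBody{Token: token})
+}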
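Review bot: Handle resets the token of whichever account matches `params.Body.EmailAddress` and never consults `principal`, so if this operation is authenticated (the `principal` argument suggests it is) any logged-in user can regenerate another user's token and receive the new secret in the response payload. The request should be tied to the caller before the lookup, e.g. `if principal == nil || principal.Email != params.Body.EmailAddress { return account.NewResetTokenNotFound() }`, or the body field dropped in favour of `principal.Email`. The deleted-account branch passes `a.Email, a.Token` to a message that reads `account '%v' for '%v'`, which writes the old secret token into the log; `a.Email, params.Body.EmailAddress` appears to be the intended pair. The comment `// Need to create new token and invalidate all other resources` promises an invalidation that nothing in this file performs, so either implement it or reword it to `// TODO: invalidate resources issued under the previous token`.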
19 changes: 9 additions & 10 deletions controller/share.go
Expand Up @@ -72,6 +72,15 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
logrus.Errorf("invalid unique name '%v' for account '%v'", uniqueName, principal.Email)
return share.NewShareUnprocessableEntity()
}
shareExists, err := str.ShareWithTokenExists(uniqueName, trx)
if err != nil {
logrus.Errorf("error checking share for token collision: %v", err)
return share.NewUpdateShareInternalServerError()
}
if shareExists {
logrus.Errorf("token '%v' already exists; cannot create share", uniqueName)
return share.NewShareConflict()
}
shrToken = uniqueName
}

Expand Down Expand Up @@ -135,16 +144,6 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
sshr.FrontendEndpoint = &sshr.ShareMode
}

sh, err := str.FindShareWithToken(sshr.Token, trx)
if err != nil {
logrus.Errorf("error checking share for token collision: %v", err)
return share.NewShareInternalServerError()
}
if sh != nil {
logrus.Errorf("token '%v' already exists; cannot create share", sshr.Token)
return share.NewShareConflict()
}

sid, err := str.CreateShare(envId, sshr, trx)
if err != nil {
logrus.Errorf("error creating share record: %v", err)
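Review bot: The error branch of the new collision check returns `share.NewUpdateShareInternalServerError()`, but this is the share-creation handler and the check it replaces in the later hunk used `share.NewShareInternalServerError()`; the responder looks copied from the update handler and should read `return share.NewShareInternalServerError()`. The removed check ran for every share, whereas the new one runs only inside the unique-name branch, so a randomly generated token is no longer checked for collision unless the store enforces uniqueness, which is not visible here. The enclosing Handle starts and ends outside both hunks.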
8 changes: 8 additions & 0 deletions controller/store/share.go
Expand Up @@ -63,6 +63,14 @@ func (str *Store) FindShareWithToken(shrToken string, tx *sqlx.Tx) (*Share, erro
return shr, nil
}

func (str *Store) ShareWithTokenExists(shrToken string, tx *sqlx.Tx) (bool, error) {
count := 0
if err := tx.QueryRowx("select count(0) from shares where token = $1 and not deleted", shrToken).Scan(&count); err != nil {
return true, errors.Wrap(err, "error selecting share count by token")
}
return count > 0, nil
}

func (str *Store) FindShareWithZIdAndDeleted(zId string, tx *sqlx.Tx) (*Share, error) {
shr := &Share{}
if err := tx.QueryRowx("select * from shares where z_id = $1", zId).StructScan(shr); err != nil {
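Review bot: `ShareWithTokenExists` is exported but carries no doc comment, and on a query error it returns `true` together with the error, which departs from the convention that the value is meaningless when err is non-nil; the fail-closed intent is reasonable but should be stated so callers do not "fix" it. Suggest `// ShareWithTokenExists reports whether a non-deleted share currently holds shrToken; on a query error it reports true so callers fail closed.` above the method. The neighbouring FindShareWithZIdAndDeleted starts in this hunk but its body continues past the hunk edge.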
41 changes: 41 additions & 0 deletions rest_client_zrok/account/account_client.go


146 changes: 146 additions & 0 deletions rest_client_zrok/account/reset_token_parameters.go



