objective categorical abstract machine language personal data server
Use base32 for email tokens

futurGH 01f0ccc2 f8a5d6cc

+7 -20
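--- a/pegasus/lib/api/server/requestPasswordReset.ml
+++ b/pegasus/lib/api/server/requestPasswordReset.ml
@@ -2,13 +2,7 @@
 
 let request_password_reset (actor : Data_store.Types.actor) db =
 let did = actor.did in
-let code =
-"pwd-"
-^ String.sub
-Digestif.SHA256.(
-digest_string (did ^ Int.to_string @@ Util.now_ms ()) |> to_hex )
-0 8
-in
+let code = Util.make_code () in
 let expires_at = Util.now_ms () + (10 * 60 * 1000) in
 let%lwt () = Data_store.set_auth_code ~did ~code ~expires_at db in
 Util.send_email_or_log ~recipients:[To actor.email]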
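Review bot: The new code is still handed to `Util.send_email_or_log`, and that helper's name suggests it may write the message to the log when mail delivery is not configured. If so, a reset code that is valid for ten minutes ends up in log storage, where anyone with log access can use it. It is worth confirming that the fallback redacts the code or is limited to development configurations. request_password_reset continues past the end of the hunk, so the arguments passed to the helper are not fully visible here.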
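--- a/pegasus/lib/api/server/resetPassword.ml
+++ b/pegasus/lib/api/server/resetPassword.ml
@@ -9,9 +9,7 @@
 | Some actor -> (
 match (actor.auth_code, actor.auth_code_expires_at) with
 | Some auth_code, Some auth_expires_at
-when String.starts_with ~prefix:"pwd-" auth_code
-&& token = auth_code
-&& Util.now_ms () < auth_expires_at ->
+when token = auth_code && Util.now_ms () < auth_expires_at ->
 let%lwt () = Data_store.update_password ~did:actor.did ~password db in
 Lwt.return_ok actor.did
 | _ ->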
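Review bot: With the `String.starts_with ~prefix:"pwd-"` guard gone, the clause `when token = auth_code && Util.now_ms () < auth_expires_at` accepts whatever value is currently stored in `actor.auth_code`, so the code is no longer bound to the password-reset purpose. If other flows store their codes in the same field through `Data_store.set_auth_code` (not visible here), a code issued for one of them would also authorise a password change. Storing a purpose next to the code and checking it in this guard would restore that separation. The hunk also does not show the code being cleared after `Data_store.update_password` succeeds, so single use should be confirmed. This match arm sits in a function that starts and ends outside the hunk.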
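--- a/pegasus/lib/util.ml
+++ b/pegasus/lib/util.ml
@@ -473,16 +473,11 @@
 with Not_found -> false
 
 let make_code () =
-let () = Random.self_init () in
-let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" in
-let len = String.length chars in
-let s = Bytes.create 10 in
-for i = 0 to 9 do
-let random_index = Random.int len in
-Bytes.set s i chars.[random_index]
-done ;
-let str = Bytes.to_string s in
-String.sub str 0 5 ^ "-" ^ String.sub str 5 5
+let () = Mirage_crypto_rng_unix.use_default () in
+let token =
+Multibase.Base32.encode_string @@ Mirage_crypto_rng_unix.getrandom 32
+in
+String.sub token 0 5 ^ "-" ^ String.sub token 5 5
 
 module type Template = sig
 type props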
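Review bot: `make_code` draws 32 random bytes but keeps only the first 10 base32 characters, so the code carries about 50 bits of entropy, assuming `Multibase.Base32.encode_string` emits no fixed prefix character. A comment such as `(* 10 base32 chars = 50 bits; relies on expiry and attempt limiting *)` above the `String.sub` line would make that strength and its dependencies explicit. `Mirage_crypto_rng_unix.use_default ()` is process-wide initialisation that now runs on every call, and would be better placed once at startup. The base32 output probably uses a different alphabet or case than the old `A-Z0-9` codes, and resetPassword compares with exact `=`, so user-typed codes may need normalising before comparison.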