From 1405eb6ea3fe95fcb9c205c6c4c250433d48819c Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Sat, 6 Apr 2019 11:20:10 +0200
Subject: Add password change form

---
 lib/Travelynx.pm                    | 12 +++++-
 lib/Travelynx/Controller/Account.pm | 81 ++++++++++++++++++++++++++++++++++---
 2 files changed, 86 insertions(+), 7 deletions(-)

(limited to 'lib')

diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm
index 3de3b9e..b9132f3 100755
--- a/lib/Travelynx.pm
+++ b/lib/Travelynx.pm
@@ -583,7 +583,8 @@ qq{select * from pending_mails where email = ? and num_tries > 1;}
 					elsif ( $user->{cancelled} ) {
 
 						# Same
-						$self->checkout($station, 1, $self->app->action_type->{cancelled_to});
+						$self->checkout( $station, 1,
+							$self->app->action_type->{cancelled_to} );
 					}
 
 					my $success = $self->app->action_query->execute(
@@ -876,6 +877,13 @@ qq{select * from pending_mails where email = ? and num_tries > 1;}
 		}
 	);
 
+	$self->helper(
+		'set_user_password' => sub {
+			my ( $self, $uid, $password ) = @_;
+			$self->app->set_password_query->execute( $password, $uid );
+		}
+	);
+
 	$self->helper(
 		'check_if_user_name_exists' => sub {
 			my ( $self, $user_name ) = @_;
@@ -1322,12 +1330,14 @@ qq{select * from pending_mails where email = ? and num_tries > 1;}
 	);
 
 	$authed_r->get('/account')->to('account#account');
+	$authed_r->get('/change_password')->to('account#password_form');
 	$authed_r->get('/export.json')->to('account#json_export');
 	$authed_r->get('/history')->to('traveling#history');
 	$authed_r->get('/history/:year/:month')->to('traveling#monthly_history');
 	$authed_r->get('/history.json')->to('traveling#json_history');
 	$authed_r->get('/journey/:id')->to('traveling#journey_details');
 	$authed_r->get('/s/*station')->to('traveling#station');
+	$authed_r->post('/change_password')->to('account#change_password');
 	$authed_r->post('/delete')->to('account#delete');
 	$authed_r->post('/logout')->to('account#do_logout');
 	$authed_r->post('/set_token')->to('api#set_token');
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index 7360899..9e8c1fb 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -136,11 +136,12 @@ sub register {
 	  .= "werden wir sie dauerhaft sperren und keine Mails mehr dorthin schicken.\n\n";
 	$body .= "Daten zur Registrierung:\n";
 	$body .= " * Datum: ${date}\n";
-	$body .= " * Verwendete IP: ${ip}\n";
-	$body .= " * Verwendeter Browser gemäß User Agent: ${ua}\n\n\n";
+	$body .= " * Client: ${ip}\n";
+	$body .= " * UserAgent: ${ua}\n\n\n";
 	$body .= "Impressum: ${imprint_url}\n";
 
-	my $success = $self->sendmail->custom($email, 'Registrierung bei travelynx', $body);
+	my $success
+	  = $self->sendmail->custom( $email, 'Registrierung bei travelynx', $body );
 	if ($success) {
 		$self->app->dbh->commit;
 		$self->render( 'login', from => 'register' );
@@ -214,6 +215,73 @@ sub do_logout {
 	$self->redirect_to('/login');
 }
 
+sub password_form {
+	my ($self) = @_;
+
+	$self->render('change_password');
+}
+
+sub change_password {
+	my ($self)       = @_;
+	my $old_password = $self->req->param('oldpw');
+	my $password     = $self->req->param('newpw');
+	my $password2    = $self->req->param('newpw2');
+
+	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
+		$self->render( 'change_password', invalid => 'csrf' );
+		return;
+	}
+
+	if ( $password ne $password2 ) {
+		$self->render( 'change_password', invalid => 'password_notequal' );
+		return;
+	}
+
+	if ( length($password) < 8 ) {
+		$self->render( 'change_password', invalid => 'password_short' );
+		return;
+	}
+
+	if (
+		not $self->authenticate(
+			$self->current_user->{name},
+			$self->param('oldpw')
+		)
+	  )
+	{
+		$self->render( 'change_password', invalid => 'password' );
+		return;
+	}
+
+	my $pw_hash = hash_password($password);
+	$self->set_user_password( $self->current_user->{id}, $pw_hash );
+
+	$self->redirect_to('account');
+
+	my $user  = $self->current_user->{name};
+	my $email = $self->current_user->{email};
+	my $ip    = $self->req->headers->header('X-Forwarded-For');
+	my $ua    = $self->req->headers->user_agent;
+	my $date  = DateTime->now( time_zone => 'Europe/Berlin' )
+	  ->strftime('%d.%m.%Y %H:%M:%S %z');
+
+	# In case Mojolicious is not running behind a reverse proxy
+	$ip
+	  //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port );
+	my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https');
+
+	my $body = "Hallo ${user},\n\n";
+	$body
+	  .= "Das Passwort deines travelynx-Accounts wurde soeben geändert.\n\n";
+	$body .= "Daten zur Änderung:\n";
+	$body .= " * Datum: ${date}\n";
+	$body .= " * Client: ${ip}\n";
+	$body .= " * UserAgent: ${ua}\n\n\n";
+	$body .= "Impressum: ${imprint_url}\n";
+
+	$self->sendmail->custom( $email, 'travelynx: Passwort geändert', $body );
+}
+
 sub account {
 	my ($self) = @_;
 
@@ -231,9 +299,10 @@ sub json_export {
 
 	while ( my @row = $query->fetchrow_array ) {
 		my (
-			$action_id, $action,       $raw_ts,      $ds100,     $name,
-			$train_type,   $train_line,  $train_no,  $train_id,
-			$raw_sched_ts, $raw_real_ts, $raw_route, $raw_messages
+			$action_id, $action,       $raw_ts,      $ds100,
+			$name,      $train_type,   $train_line,  $train_no,
+			$train_id,  $raw_sched_ts, $raw_real_ts, $raw_route,
+			$raw_messages
 		) = @row;
 
 		push(
-- 
cgit v1.2.3