State token validity in password reset emails

[gruntmaster-page.git] / lib / Plack / App / Gruntmaster.pm

diff --git a/lib/Plack/App/Gruntmaster.pm b/lib/Plack/App/Gruntmaster.pm
index f091892c75364acab62bec77a11defab31818a61..2edc6dc2999daa3cbb9006cb3954e25b48fe4ada 100644 (file)
--- a/lib/Plack/App/Gruntmaster.pm
+++ b/lib/Plack/App/Gruntmaster.pm
@@ -16,9 +16,11 @@ use Web::Simple;
 use Gruntmaster::Data;
 use Plack::App::Gruntmaster::HTML;
 
+use Email::Sender::Simple qw/sendmail/;
+use Email::Simple;
+
 use warnings NONFATAL => 'all';
 no warnings 'illegalproto';
-no if $] >= 5.017011, warnings => 'experimental::smartmatch';
 
 ##################################################
 
@@ -34,6 +36,7 @@ use constant CONTENT_TYPES => +{
        pas => 'text/x-pascal',
        pl => 'text/x-perl',
        py => 'text/x-python',
+       l => 'text/plain',
 };
 
 use constant FORMAT_EXTENSION => {
@@ -47,6 +50,7 @@ use constant FORMAT_EXTENSION => {
        PASCAL => 'pas',
        PERL => 'pl',
        PYTHON => 'py',
+       SBCL => 'l',
 };
 
 use constant NOT_FOUND => [404, ['Content-Type' => 'text/plain'], ['Not found']];
@@ -114,8 +118,11 @@ sub dispatch_request{
                sub (/src/:job) {
                        return NOT_FOUND if !job;
                        my $isowner = remote_user && remote_user->id eq job->rawowner;
-                       forbid !$isowner && (job->private || job->problem->private || job->contest && job->contest->is_running);
-                       my @headers = ('X-Forever' => 1, 'Cache-Control' => 'public, max-age=604800', 'Content-Type' => CONTENT_TYPES->{job->format});
+                       my $private = job->private || job->problem->private || job->contest && job->contest->is_running;
+                       forbid !$isowner && $private;
+                       my $privacy = $private ? 'private' : 'public';
+                       my @headers = ('X-Forever' => 1, 'Cache-Control' => "$privacy, max-age=604800", 'Content-Type' => CONTENT_TYPES->{job->format});
+                       push @headers, (Vary => 'Authorization') if $private;
                        [200, \@headers, [job->source]]
                },
 
@@ -241,6 +248,7 @@ sub dispatch_request{
                        my $source = $prog ? read_file $prog->path : $_{source_code};
                        unlink $prog->path if $prog;
                        my $private = (problem->private && !$_{contest}) ? 1 : 0;
+                       $private = 1 if contest && contest->is_pending;
                        my $newjob = db->jobs->create({
                                maybe contest => $_{contest},
                                private => $private,
@@ -254,7 +262,52 @@ sub dispatch_request{
 
                        purge '/log/';
                        [303, [Location => '/log/' . $newjob->id], []]
-               }
+               },
+
+               sub (/action/request-reset + %:username=) {
+                       return reply 'Password resets are disabled' unless $ENV{GRUNTMASTER_RESET_FROM};
+                       my $user = db->user($_{username});
+                       return reply 'No such user' unless $user;
+                       my $token = join ':', $user->make_reset_hmac;
+                       my $body = <<EOF;
+Someone has requested a password reset for your account.
+
+To reset your password, please submit the reset password form on the
+website using the following information:
+
+Username: $_{username}
+Password: <your new password>
+Reset token: $token
+
+The token is valid for 24 hours.
+EOF
+                       my $email = Email::Simple->create(
+                               header => [
+                                       From    => $ENV{GRUNTMASTER_RESET_FROM},
+                                       To      => $user->email,
+                                       Subject => 'Password reset token',
+                               ],
+                               body => $body,
+                       );
+
+                       my $ok = 0;
+                       eval {
+                               sendmail $email;
+                               $ok = 1;
+                       };
+                       return reply 'Email sent' if $ok;
+                       reply "Failure sending email: $@";
+               },
+
+               sub (/action/reset + %:username=&:password=&:token=) {
+                       my $user = db->user($_{username});
+                       return reply 'No such user' unless $user;
+                       my ($token, $exp) = split ':', $_{token};
+                       return reply 'Reset token is expired' if time >= $exp;
+                       return reply 'Bad reset token' unless $user->make_reset_hmac($exp) eq $token;
+                       $user->set_passphrase($_{password});
+                       reply 'Password reset successfully';
+               },
        }
 }