diff --git a/CHANGELOG.md b/CHANGELOG.md
index d900665..591fadb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,23 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [3.0.3] - 2021-02-14
+
+### Fixed
+
+- Fix that EventRecoverStart/EventRecoverEnd were not being called.
+
+### Changed
+
+- Change Remember module to listen to `After(EventRecoverEnd)` in order to invoke its handler to delete the remember cookie & tokens. This previously was not being called so it could be viewed as new behavior though this only applies if you are using both `remember` and `recover` modules.
+
+### Deprecate
+
+- EventPasswordReset is used nowhere and is no longer intended to be used.
+
 ## [3.0.2] - 2020-09-17
 ### Fixed
diff --git a/authboss.go b/authboss.go
index 8fec9f1..6120d8e 100644
--- a/authboss.go
+++ b/authboss.go
@@ -59,8 +59,11 @@ func (a *Authboss) Init(modulesToLoad ...string) error {
 // In addition to that, it also invalidates any remember me tokens, if the
 // storer supports that kind of operation.
 //
-// If it's also desirable to log the user out, use:
-// authboss.DelKnown(Session|Cookie)
+// Note that it's best practice after having called this method to also delete
+// all the user's logged in sessions. The CURRENT logged in session can be
+// deleted with `authboss.DelKnown(Session|Cookie)` but to delete ALL logged
+// in sessions for a user requires special mechanisms not currently provided
+// by authboss.
 func (a *Authboss) UpdatePassword(ctx context.Context, user AuthableUser, newPassword string) error {
 pass, err := bcrypt.GenerateFromPassword([]byte(newPassword), a.Config.Modules.BCryptCost)
 if err != nil {
diff --git a/events.go b/events.go
index e375bd7..10fc75d 100644
--- a/events.go
+++ b/events.go
@@ -27,6 +27,7 @@ const (
 EventRecoverEnd
 EventGetUser
 EventGetUserSession
+ // Deprecated: EventPasswordReset is used nowhere
 EventPasswordReset
 EventLogout
 )
diff --git a/go.sum b/go.sum
index 443c832..d775d78 100644
--- a/go.sum
+++ b/go.sum
@@ -1,12 +1,16 @@
 cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/friendsofgo/errors v0.9.2 h1:X6NYxef4efCBdwI7BgS820zFaN7Cphrmb+Pljdzjtgk=
 github.com/friendsofgo/errors v0.9.2/go.mod h1:yCvFW5AkDIL9qn7suHVLiI/gH228n7PC4Pn44IGoTOI=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
 github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
diff --git a/recover/recover.go b/recover/recover.go
index 262dc55..5fe7e50 100644
--- a/recover/recover.go
+++ b/recover/recover.go
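Review bot: The new `// Deprecated:` line on EventPasswordReset says the event is unused but not what a listener should migrate to, which matters because any third-party `After(EventPasswordReset)` handler will simply never run once this change ships. Go's deprecation convention is a full sentence naming the replacement, e.g. `// Deprecated: EventPasswordReset is never fired; listen for EventRecoverEnd instead.`, so the notice is both picked up by tooling and actionable. The opening of the const block is outside the hunk.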
@@ -105,6 +105,14 @@ func (r *Recover) StartPost(w http.ResponseWriter, req *http.Request) error {
 ru := authboss.MustBeRecoverable(user)
+ req = req.WithContext(context.WithValue(req.Context(), authboss.CTXKeyUser, user))
+ handled, err := r.Authboss.Events.FireBefore(authboss.EventRecoverStart, w, req)
+ if err != nil {
+ return err
+ } else if handled {
+ return nil
+ }
+
 selector, verifier, token, err := GenerateRecoverCreds()
 if err != nil {
 return err
@@ -124,6 +132,11 @@ func (r *Recover) StartPost(w http.ResponseWriter, req *http.Request) error {
 go r.SendRecoverEmail(req.Context(), ru.GetEmail(), token)
 }
+ _, err = r.Authboss.Events.FireAfter(authboss.EventRecoverStart, w, req)
+ if err != nil {
+ return err
+ }
+
 logger.Infof("user %s password recovery initiated", ru.GetPID())
 ro := authboss.RedirectOptions{
 Code: http.StatusTemporaryRedirect,
@@ -242,6 +255,14 @@ func (r *Recover) EndPost(w http.ResponseWriter, req *http.Request) error {
 return r.invalidToken(PageRecoverEnd, w, req)
 }
+ req = req.WithContext(context.WithValue(req.Context(), authboss.CTXKeyUser, user))
+ handled, err := r.Authboss.Events.FireBefore(authboss.EventRecoverEnd, w, req)
+ if err != nil {
+ return err
+ } else if handled {
+ return nil
+ }
+
 pass, err := bcrypt.GenerateFromPassword([]byte(password), r.Authboss.Config.Modules.BCryptCost)
 if err != nil {
 return err
@@ -262,6 +283,11 @@ func (r *Recover) EndPost(w http.ResponseWriter, req *http.Request) error {
 successMsg += " and logged in"
 }
+ _, err = r.Authboss.Events.FireAfter(authboss.EventRecoverEnd, w, req)
+ if err != nil {
+ return err
+ }
+
 ro := authboss.RedirectOptions{
 Code: http.StatusTemporaryRedirect,
 RedirectPath: r.Authboss.Config.Paths.RecoverOK,
diff --git a/remember/remember.go b/remember/remember.go
index c88935d..ef90e47 100644
--- a/remember/remember.go
+++ b/remember/remember.go
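Review bot: The Before hook for EventRecoverStart is fired only once the account has been resolved (`ru := authboss.MustBeRecoverable(user)` on the line above it), so if the unknown-user path of StartPost returns earlier, outside this hunk, any handler that writes its own response, returns an error or adds noticeable latency runs only for accounts that exist and makes that distinction observable to the caller. A comment at the hook site should spell out that constraint, e.g. `// Before handlers run only for accounts that exist; keep their response and timing indistinguishable from the not-found path.`, unless the hook is moved above the lookup for handlers that do not need the user. Separately, in this hunk and in the matching EventRecoverEnd hunk of EndPost, `} else if handled {` follows a `return`, so the idiomatic shape is two guards: `if err != nil { return err }` followed by `if handled { return nil }`. StartPost begins and ends outside the hunk.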
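Review bot: The `FireAfter` for EventRecoverStart is placed after `go r.SendRecoverEmail(...)` on the line above, so an After handler that returns an error turns the request into a failure although the recovery mail is already on its way and the credentials presumably stored between the hunks; the EventRecoverEnd `FireAfter` in the fourth hunk has the same shape, sitting after `successMsg += " and logged in"` when the new password (hashed in the third hunk) appears to have been saved already. The contract should be stated where the hook is fired, e.g. `// After handlers cannot undo the token/email already issued above; treat their errors as a failed side effect, not a failed recovery.`, or the error should be logged and the flow continue to the redirect if that is the intended semantics. StartPost and EndPost both begin and end outside these hunks.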
@@ -33,7 +33,7 @@ func (r *Remember) Init(ab *authboss.Authboss) error {
 r.Events.After(authboss.EventAuth, r.RememberAfterAuth)
 r.Events.After(authboss.EventOAuth2, r.RememberAfterAuth)
- r.Events.After(authboss.EventPasswordReset, r.AfterPasswordReset)
+ r.Events.After(authboss.EventRecoverEnd, r.AfterPasswordReset)
 return nil
 }
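Review bot: The handler registered on the changed line is still named `AfterPasswordReset` while it now subscribes to EventRecoverEnd, and nothing at the registration records why the remember module cares about that event or what it is expected to do there. A comment such as `// EventRecoverEnd fires once the recover module has stored a new password; drop the remember cookie and the stored tokens so devices holding the old credentials cannot resume a session.` would document the contract this line now depends on; whether the handler actually removes both the cookie and the stored tokens is not visible here and is only asserted by the changelog. Init begins outside the hunk.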