From c791844982a3069d29d4407603ae80a0375a05b4 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Fri, 12 Feb 2016 22:04:45 +0100
Subject: [PATCH] Improve password reset link handling.

---
 handlers.go                    | 135 +++++++++++++++++----------------
 main.go                        |   1 +
 templates/pwresetquestion.html |   2 +-
 3 files changed, 73 insertions(+), 65 deletions(-)

diff --git a/handlers.go b/handlers.go
index 5169948..a237783 100644
--- a/handlers.go
+++ b/handlers.go
@@ -57,77 +57,84 @@ func passwordResetRequestPostHandler(w http.ResponseWriter, r *http.Request) {
 
 func passwordResetLinkGetHandler(w http.ResponseWriter, r *http.Request) {
 	urlPart := mux.Vars(r)["secret"]
-	if tokens, e := getFromFileEntryFor(pwResetPath, urlPart, 3); e == nil {
-		createTime, err := strconv.Atoi(tokens[1])
-		if err != nil {
-			log.Fatal("Can't read time from pw reset file", err)
-		}
-		if createTime+resetLinkExp >= int(time.Now().Unix()) {
-			name := tokens[0]
-			tokensUser, err := getFromFileEntryFor(loginsPath, name,
-				5)
-			if err != nil {
-				log.Fatal("Can't read from loings file", err)
-			}
-			if "" != tokensUser[2] {
-				type data struct {
-					Secret   string
-					Question string
-				}
-				err := templ.ExecuteTemplate(w,
-					"pwresetquestion.html", data{
-						Secret:   urlPart,
-						Question: tokensUser[2]})
-				if err != nil {
-					log.Fatal("Trouble executing template",
-						err)
-				}
-			} else {
-				execTemplate(w, "pwreset.html", urlPart)
-			}
-			return
-		}
+	tokens, err := getFromFileEntryFor(pwResetPath, urlPart, 3)
+	if err != nil {
+		http.Redirect(w, r, "/404", 302)
+		return
 	}
-	http.Redirect(w, r, "/404", 302)
+	createTime, err := strconv.Atoi(tokens[1])
+	if err != nil {
+		log.Fatal("Can't read time from pw reset file", err)
+	}
+	if createTime+resetLinkExp < int(time.Now().Unix()) {
+		http.Redirect(w, r, "/404", 302)
+		return
+	}
+	name := tokens[0]
+	tokensUser, err := getFromFileEntryFor(loginsPath, name,
+		5)
+	if err != nil {
+		log.Fatal("Can't read from loings file", err)
+	}
+	if "" != tokensUser[2] {
+		type data struct {
+			Secret   string
+			Question string
+		}
+		err := templ.ExecuteTemplate(w,
+			"pwresetquestion.html", data{
+				Secret:   urlPart,
+				Question: tokensUser[2]})
+		if err != nil {
+			log.Fatal("Trouble executing template", err)
+		}
+		return
+	}
+	execTemplate(w, "pwreset.html", urlPart)
 }
 
 func passwordResetLinkPostHandler(w http.ResponseWriter, r *http.Request) {
 	urlPart := mux.Vars(r)["secret"]
 	name := r.FormValue("name")
-	if tokens, e := getFromFileEntryFor(pwResetPath, urlPart, 3); e == nil {
-		createTime, err := strconv.Atoi(tokens[1])
-		if err != nil {
-			log.Fatal("Can't read time from pw reset file",
-				err)
-		}
-		if tokens[0] == name &&
-			createTime+resetLinkExp >= int(time.Now().Unix()) {
-			tokensOld, err := getFromFileEntryFor(loginsPath, name,
-				5)
-			if err != nil {
-				log.Fatal("Can't get entry for user", err)
-			}
-			if "" != tokensOld[2] &&
-				nil != bcrypt.CompareHashAndPassword(
-					[]byte(tokensOld[3]),
-					[]byte(r.FormValue("secanswer"))) {
-				http.Redirect(w, r, "/", 302)
-				return
-			}
-			hash, err := newPassword(w, r)
-			if err != nil {
-				execTemplate(w, "error.html", err.Error())
-				return
-			}
-			tokensOld[0] = hash
-			line := name + "\t" + strings.Join(tokensOld, "\t")
-			replaceLineStartingWith(loginsPath, tokens[0], line)
-			removeLineStartingWith(pwResetPath, urlPart)
-			execTemplate(w, "feedset.html", "")
-			return
-		}
+	tokens, err := getFromFileEntryFor(pwResetPath, urlPart, 3)
+	if err != nil {
+		http.Redirect(w, r, "/404", 302)
+		return
 	}
-	http.Redirect(w, r, "/", 302)
+	createTime, err := strconv.Atoi(tokens[1])
+	if err != nil {
+		log.Fatal("Can't read time from pw reset file", err)
+	}
+	if createTime+resetLinkExp < int(time.Now().Unix()) {
+		http.Redirect(w, r, "/404", 302)
+		return
+	}
+	if tokens[0] != name {
+		execTemplate(w, "error.html", "Wrong!")
+		removeLineStartingWith(pwResetPath, urlPart)
+		return
+	}
+	tokensUser, err := getFromFileEntryFor(loginsPath, name, 5)
+	if err != nil {
+		log.Fatal("Can't get entry for user", err)
+	}
+	if "" != tokensUser[2] &&
+		nil != bcrypt.CompareHashAndPassword([]byte(tokensUser[3]),
+			[]byte(r.FormValue("secanswer"))) {
+		execTemplate(w, "error.html", "Wrong!")
+		removeLineStartingWith(pwResetPath, urlPart)
+		return
+	}
+	hash, err := newPassword(w, r)
+	if err != nil {
+		execTemplate(w, "error.html", err.Error())
+		return
+	}
+	tokensUser[0] = hash
+	line := name + "\t" + strings.Join(tokensUser, "\t")
+	replaceLineStartingWith(loginsPath, tokens[0], line)
+	removeLineStartingWith(pwResetPath, urlPart)
+	execTemplate(w, "feedset.html", "")
 }
 
 func signUpFormHandler(w http.ResponseWriter, r *http.Request) {
diff --git a/main.go b/main.go
index 34246d2..b001188 100644
--- a/main.go
+++ b/main.go
@@ -241,6 +241,7 @@ func readOptions() (string, int, string, int) {
 			log.Fatal("Trouble reading password")
 		}
 		mailpw = string(bytePassword)
+		fmt.Println("")
 	}
 	return mailserver, mailport, mailpw, port
 }
diff --git a/templates/pwresetquestion.html b/templates/pwresetquestion.html
index d419ae6..372dda5 100644
--- a/templates/pwresetquestion.html
+++ b/templates/pwresetquestion.html
@@ -11,7 +11,7 @@
 
                 <div>
 			<label for="secanswer">Security question: {{ .Question }}</label>
-			<input type="text" id="secanswer" name="secanswer" />
+			<input type="text" id="secanswer" name="secanswer" required />
                 </div>
 
 		<div>