Various tweaks and improvements

* Inner circle: users have the ability to remove themselves and can avoid being
  invited again in the future.
* Admin actions: add a "Reset Password" ability to user accounts.
* Admin "Create New User" page.
* Rate limit error handling improvements for the login page.
This commit is contained in:
Noah Petherbridge 2024-06-15 15:05:50 -07:00
parent 6d46632270
commit 42aeb60853
17 changed files with 530 additions and 7 deletions

View File

@ -32,9 +32,11 @@ const (
// - Impersonate: ability to log in as a user account
// - Ban: ability to ban/unban users
// - Delete: ability to delete user accounts
ScopeUserCreate = "admin.user.create"
ScopeUserInsight = "admin.user.insights"
ScopeUserImpersonate = "admin.user.impersonate"
ScopeUserBan = "admin.user.ban"
ScopeUserPassword = "admin.user.password"
ScopeUserDelete = "admin.user.delete"
ScopeUserPromote = "admin.user.promote"
@ -65,9 +67,11 @@ var AdminScopeDescriptions = map[string]string{
ScopeForumAdmin: "Ability to manage forums themselves (add or remove forums, edit their properties).",
ScopeAdminScopeAdmin: "Ability to manage admin permissions for other admin accounts.",
ScopeMaintenance: "Ability to activate maintenance mode functions of the website (turn features on or off, disable signups or logins, etc.)",
ScopeUserCreate: "Ability to manually create a new user account, bypassing the signup page.",
ScopeUserInsight: "Ability to see admin insights about a user profile (e.g. their block lists and who blocks them).",
ScopeUserImpersonate: "Ability to log in as any user account (note: this action is logged and notifies all admins when it happens. Admins must write a reason and it is used to diagnose customer support issues, help with their certification picture, or investigate a reported Direct Message conversation they had).",
ScopeUserBan: "Ability to ban or unban user accounts.",
ScopeUserPassword: "Ability to reset a user's password on their behalf.",
ScopeUserDelete: "Ability to fully delete user accounts on their behalf.",
ScopeUserPromote: "Ability to add or remove the admin status flag on a user profile.",
ScopeFeedbackAndReports: "Ability to see admin reports and user feedback.",
@ -97,9 +101,11 @@ func ListAdminScopes() []string {
ScopeForumAdmin,
ScopeAdminScopeAdmin,
ScopeMaintenance,
ScopeUserCreate,
ScopeUserInsight,
ScopeUserImpersonate,
ScopeUserBan,
ScopeUserPassword,
ScopeUserDelete,
ScopeUserPromote,
ScopeFeedbackAndReports,

View File

@ -166,3 +166,51 @@ func RemoveCircle() http.HandlerFunc {
}
})
}
// LeaveCircle allows users to remove themself from the circle.
func LeaveCircle() http.HandlerFunc {
tmpl := templates.Must("account/leave_circle.html")
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
currentUser, err := session.CurrentUser(r)
if err != nil || !currentUser.IsInnerCircle() {
templates.NotFoundPage(w, r)
return
}
// Submitting the form?
if r.Method == http.MethodPost {
var (
confirm = r.PostFormValue("confirm") == "true"
dontReinvite = r.PostFormValue("dont_reinvite") == "true"
)
if !confirm {
templates.Redirect(w, r.URL.Path)
return
}
// Remove them from the circle now.
if err := models.RemoveFromInnerCircle(currentUser); err != nil {
session.FlashError(w, r, "Error updating your inner circle status: %s", err)
templates.Redirect(w, r.URL.Path)
return
}
// Confirmation message, + don't reinvite again?
if dontReinvite {
currentUser.SetProfileField("inner_circle_optout", "true")
session.Flash(w, r, "You have been removed from the inner circle, and you WILL NOT be invited again in the future.")
} else {
session.Flash(w, r, "You have been removed from the inner circle.")
}
templates.Redirect(w, "/me")
return
}
if err := tmpl.Execute(w, r, nil); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
})
}

View File

@ -38,10 +38,23 @@ func Login() http.HandlerFunc {
CooldownAt: config.LoginRateLimitCooldownAt,
Cooldown: config.LoginRateLimitCooldown,
}
var takebackDeferredError bool
if err := limiter.Ping(); err != nil {
session.FlashError(w, r, err.Error())
templates.Redirect(w, r.URL.Path)
return
// Is it a deferred error? Flash it at the end of the request but continue
// to process this login attempt as normal.
if ratelimit.IsDeferredError(err) {
defer func() {
if takebackDeferredError {
return
}
session.FlashError(w, r, err.Error())
}()
} else {
// Lock-out error, show it now and quit.
session.FlashError(w, r, err.Error())
templates.Redirect(w, r.URL.Path)
return
}
}
// Look up their account.
@ -124,6 +137,9 @@ func Login() http.HandlerFunc {
log.Error("Failed to clear login rate limiter: %s", err)
}
// If there was going to be a deferred ratelimit error, take it back.
takebackDeferredError = true
// Redirect to their dashboard.
session.Flash(w, r, "Login successful.")
if strings.HasPrefix(next, "/") {

View File

@ -0,0 +1,62 @@
package admin
import (
"net/http"
"net/mail"
"strings"
"code.nonshy.com/nonshy/website/pkg/models"
"code.nonshy.com/nonshy/website/pkg/session"
"code.nonshy.com/nonshy/website/pkg/templates"
)
// Manually create new user accounts.
func AddUser() http.HandlerFunc {
tmpl := templates.Must("admin/add_user.html")
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodPost {
var (
email = strings.TrimSpace(strings.ToLower(r.PostFormValue("email")))
username = strings.TrimSpace(strings.ToLower(r.PostFormValue("username")))
password = r.PostFormValue("password")
)
// Validate the email.
if _, err := mail.ParseAddress(email); err != nil {
session.FlashError(w, r, "The email address you entered is not valid: %s", err)
templates.Redirect(w, r.URL.Path)
return
}
// Password check.
if len(password) < 3 {
session.FlashError(w, r, "The password is required to be 3+ characters long.")
templates.Redirect(w, r.URL.Path)
return
}
// Validate the username is OK: well formatted, not reserved, not existing.
if err := models.IsValidUsername(username); err != nil {
session.FlashError(w, r, err.Error())
templates.Redirect(w, r.URL.Path)
return
}
// Create the user.
if _, err := models.CreateUser(username, email, password); err != nil {
session.FlashError(w, r, "Couldn't create the user: %s", err)
templates.Redirect(w, r.URL.Path)
return
}
session.Flash(w, r, "Created the username %s with password: %s", username, password)
templates.Redirect(w, r.URL.Path)
return
}
if err := tmpl.Execute(w, r, nil); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
})
}

View File

@ -187,6 +187,31 @@ func UserActions() http.HandlerFunc {
models.LogEvent(user, currentUser, models.ChangeLogAdmin, "users", currentUser.ID, fmt.Sprintf("User admin status updated to: %s", action))
return
}
case "password":
// Scope check.
if !currentUser.HasAdminScope(config.ScopeUserPassword) {
session.FlashError(w, r, "Missing admin scope: %s", config.ScopeUserPassword)
templates.Redirect(w, "/admin")
return
}
if confirm {
password := r.PostFormValue("password")
if len(password) < 3 {
session.FlashError(w, r, "A password of at least 3 characters is required.")
templates.Redirect(w, r.URL.Path+fmt.Sprintf("?intent=password&user_id=%d", user.ID))
return
}
if err := user.SaveNewPassword(password); err != nil {
session.FlashError(w, r, "Failed to set the user's password: %s", err)
} else {
session.Flash(w, r, "The user's password has been updated to: %s", password)
}
templates.Redirect(w, "/u/"+user.Username)
return
}
case "delete":
// Scope check.
if !currentUser.HasAdminScope(config.ScopeUserDelete) {

View File

@ -214,6 +214,7 @@ func UserPhotos() http.HandlerFunc {
"CommentMap": commentMap,
"ViewStyle": viewStyle,
"ExplicitCount": explicitCount,
"InnerCircleOptOut": user.GetProfileField("inner_circle_optout") == "true",
"InnerCircleInviteView": innerCircleInvite,
// Search filters

View File

@ -651,6 +651,14 @@ func (u *User) HashPassword(password string) error {
return nil
}
// SaveNewPassword updates a user's password and saves their record to the database.
func (u *User) SaveNewPassword(password string) error {
if err := u.HashPassword(password); err != nil {
return err
}
return u.Save()
}
// CheckPassword verifies the password is correct. Returns nil on success.
func (u *User) CheckPassword(password string) error {
return bcrypt.CompareHashAndPassword([]byte(u.HashedPassword), []byte(password))

47
pkg/ratelimit/errors.go Normal file
View File

@ -0,0 +1,47 @@
package ratelimit
import "fmt"
// ErrLockedOut is a lock-out error, sent when the user is currently throttled and
// the website is NOT to even test their password if logging in.
type ErrLockedOut struct {
message string
}
// ErrDeferred is a rate limit error which can be shown to the user AFTER their current
// login attempt is tried. For example, if they've failed to log in a few times and aren't
// currently in a LockedOut cooldown period, you can test their password and then show
// them the deferred error message at the end of the request.
type ErrDeferred struct {
message string
deferred bool
}
func NewLockedOutError(message string, v ...interface{}) ErrLockedOut {
return ErrLockedOut{
message: fmt.Sprintf(message, v...),
}
}
func NewDeferredError(message string, v ...interface{}) ErrDeferred {
return ErrDeferred{
message: fmt.Sprintf(message, v...),
deferred: true,
}
}
// IsDeferredError returns whether a ratelimit error is deferred.
func IsDeferredError(err error) bool {
if err2, ok := err.(ErrDeferred); ok {
return err2.deferred
}
return false
}
func (e ErrLockedOut) Error() string {
return e.message
}
func (e ErrDeferred) Error() string {
return e.message
}

View File

@ -26,6 +26,13 @@ type Data struct {
}
// Ping the rate limiter.
//
// The returned error can be one of the following types:
//
// - ErrLockedOut if the user is being cooled down - the caller should not attempt to process their request.
// - ErrDeferred if the rate limiter is being invokved - the caller can process their request, and if failed, show this error.
//
// Other error types signify internal errors, e.g. inability to set a Redis key.
func (l *Limiter) Ping() error {
var (
key = l.Key()
@ -38,7 +45,7 @@ func (l *Limiter) Ping() error {
// Are we cooling down?
if now.Before(data.NotBefore) {
return fmt.Errorf(
return NewLockedOutError(
"You are doing that too often. Please wait %s before trying again.",
utility.FormatDurationCoarse(data.NotBefore.Sub(now)),
)
@ -49,7 +56,7 @@ func (l *Limiter) Ping() error {
// Have we hit the wall?
if data.Pings >= l.Limit {
return fmt.Errorf(
return NewLockedOutError(
"You have hit the rate limit; please wait the full %s before trying again.",
utility.FormatDurationCoarse(l.Window),
)
@ -61,7 +68,7 @@ func (l *Limiter) Ping() error {
if err := redis.Set(key, data, l.Window); err != nil {
return fmt.Errorf("Couldn't set Redis key for rate limiter: %s", err)
}
return fmt.Errorf(
return NewDeferredError(
"Please wait %s before trying again. You have %d more attempt(s) remaining before you will be locked "+
"out for %s.",
utility.FormatDurationCoarse(l.Cooldown),

View File

@ -78,6 +78,7 @@ func New() http.Handler {
mux.Handle("GET /admin/unimpersonate", middleware.LoginRequired(admin.Unimpersonate()))
mux.Handle("GET /inner-circle", middleware.LoginRequired(account.InnerCircle()))
mux.Handle("/inner-circle/invite", middleware.LoginRequired(account.InviteCircle()))
mux.Handle("/inner-circle/leave", middleware.LoginRequired(account.LeaveCircle()))
mux.Handle("GET /admin/transparency/{username}", middleware.LoginRequired(admin.Transparency()))
// Certification Required. Pages that only full (verified) members can access.
@ -99,6 +100,7 @@ func New() http.Handler {
mux.Handle("/admin/feedback", middleware.AdminRequired(config.ScopeFeedbackAndReports, admin.Feedback()))
mux.Handle("/admin/user-action", middleware.AdminRequired("", admin.UserActions()))
mux.Handle("/admin/maintenance", middleware.AdminRequired(config.ScopeMaintenance, admin.Maintenance()))
mux.Handle("/admin/add-user", middleware.AdminRequired(config.ScopeUserCreate, admin.AddUser()))
mux.Handle("/forum/admin", middleware.AdminRequired(config.ScopeForumAdmin, forum.Manage()))
mux.Handle("/forum/admin/edit", middleware.AdminRequired(config.ScopeForumAdmin, forum.AddEdit()))
mux.Handle("/inner-circle/remove", middleware.LoginRequired(account.RemoveCircle()))

View File

@ -206,6 +206,13 @@
features such as the Chat Room.
</li>
</ul>
<h2>Leave the inner circle</h2>
<p>
If you would like to opt-out and leave the inner circle, you may do so by clicking
<a href="/inner-circle/leave">here</a>.
</p>
</div>
</div>

View File

@ -0,0 +1,87 @@
{{define "title"}}Leave the Inner Circle{{end}}
{{define "content"}}
<div class="container">
<section class="hero is-inner-circle is-bold">
<div class="hero-body">
<div class="container">
<h1 class="title has-text-light">
<img src="/static/img/circle-24.png" class="mr-1">
Leave the Inner Circle
</h1>
</div>
</div>
</section>
<div class="block p-4">
<div class="level">
<div class="level-item">
<div class="card" style="max-width: 512px">
<header class="card-header has-background-link">
<p class="card-header-title has-text-light">
<img src="/static/img/circle-16.png" class="mr-2">
Leave the Inner Circle
</p>
</header>
<div class="card-content content">
<form id="leave_circle" method="POST" action="/inner-circle/leave">
{{InputCSRF}}
<input type="hidden" name="confirm" value="true">
<p>
Are you sure that you want to <strong>leave the {{PrettyCircle}}?</strong>
</p>
<p>
This action can not be un-done easily; after leaving the inner circle, the only
way back in is for somebody in the circle to invite you again.
</p>
<p>
In case you <strong>do not want</strong> to be invited into the circle again,
you can check the box below.
</p>
<label class="checkbox mb-4 has-text-warning">
<input type="checkbox"
name="dont_reinvite"
id="dont_reinvite"
value="true">
Don't let anyone invite me to the {{PrettyCircle}} again.
</label>
<div class="block has-text-center">
<button type="submit" class="button is-danger">Leave the Inner Circle</button>
<button type="button" class="button is-success" onclick="history.back()">Cancel</button>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
{{end}}
{{define "scripts"}}
<script>
document.addEventListener("DOMContentLoaded", () => {
let $form = document.querySelector("#leave_circle"),
$cb = document.querySelector("#dont_reinvite");
$form.addEventListener("submit", (e) => {
if ($cb.checked) {
if (!window.confirm(
"Are you sure you want to leave the circle, permanently?\n\n" +
"You have requested that nobody can re-invite you into the circle again in the future. " +
"This action CAN NOT be undone!\n\n" +
"If you want to leave open the possibility to be re-invited in the future, click Cancel " +
"and un-check that box."
)) {
e.preventDefault();
return false;
}
}
});
})
</script>
{{end}}

View File

@ -515,6 +515,12 @@
<span>Add/Remove admin rights</span>
</a>
</li>
<li>
<a href="/admin/user-action?intent=password&user_id={{.User.ID}}">
<span class="icon"><i class="fa fa-lock"></i></span>
<span>Reset Password</span>
</a>
</li>
<li>
<a href="/admin/user-action?intent=delete&user_id={{.User.ID}}">
<span class="icon"><i class="fa fa-trash"></i></span>

View File

@ -0,0 +1,154 @@
{{define "title"}}Admin - Create User Account{{end}}
{{define "content"}}
{{$Root := .}}
<div class="container">
<section class="hero is-danger is-bold">
<div class="hero-body">
<div class="container">
<h1 class="title">
Create User Accont
</h1>
</div>
</div>
</section>
<form method="POST" action="{{.Request.URL.Path}}">
{{InputCSRF}}
<div class="p-4">
<p class="block">
This page allows you to create a new user account. A common use case may include
when a new user was trying to sign up, but couldn't receive the confirmation e-mail,
and they reached out to have their account created manually.
</p>
<p class="block">
<strong>Important:</strong> we want all users to have verified e-mail addresses. This
form should generally only be used when somebody has e-mailed our support@ address and
we will use their sender e-mail address for the account.
</p>
<div class="field">
<label class="label" for="email">Email address:</label>
<input type="email" class="input"
placeholder="name@domain.com"
name="email"
id="email">
</div>
<div class="field">
<label class="label" for="username">Username:</label>
<input type="text" class="input"
name="username"
id="username">
<small class="has-text-grey">Usernames are 3 to 32 characters a-z 0-9 . -</small>
<!-- Username checking -->
<div class="notification is-info is-light py-2 px-4 mt-1"
id="username-checking" style="display: none">
<i class="fa fa-spinner fa-spin mr-1"></i> Checking username...
</div>
<div class="notification is-success is-light py-2 px-4 mt-1"
id="username-ok" style="display: none">
<i class="fa fa-check mr-1"></i> Looks good!
</div>
<div class="notification is-danger is-light py-2 px-4 mt-1"
id="username-error" style="display: none">
<i class="fa fa-xmark mr-1"></i> That username is already taken!
</div>
</div>
<div class="field">
<label class="label" for="password">Password:</label>
<input type="text" class="input"
name="password"
id="password">
<a href="#" id="random-password" class="has-text-warning is-size-7">
<i class="fa fa-refresh"></i> Random password
</a>
</div>
<div class="block">
<button type="submit" class="button is-primary"
name="intent" value="save">
Save Settings
</button>
</div>
</div>
</div>
{{end}}
{{define "scripts"}}
<script>
window.addEventListener("DOMContentLoaded", (event) => {
// Password randomization.
const $password = document.querySelector("#password"),
$randomize = document.querySelector("#random-password");
alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz0123456789";
$randomize.addEventListener("click", (e) => {
e.preventDefault();
let password = "";
for (let i = 0; i < 16; i++) {
password += alphabet[parseInt(Math.random() * alphabet.length)];
}
$password.value = password;
});
// Set up username checking script.
const $username = document.querySelector("#username"),
$unCheck = document.querySelector("#username-checking"),
$unOK = document.querySelector("#username-ok"),
$unError = document.querySelector("#username-error");
let onChange = (e) => {
$unCheck.style.display = "block";
$unOK.style.display = "none";
$unError.style.display = "none";
if ($username.value.length < 3) {
$unCheck.style.display = "none";
return;
};
return fetch("/v1/users/check-username", {
method: "POST",
mode: "same-origin",
cache: "no-cache",
credentials: "same-origin",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
"username": $username.value,
}),
})
.then((response) => response.json())
.then((data) => {
if (data.StatusCode !== 200) {
window.alert(data.data.error);
return;
}
let result = data.data;
if (result.OK) {
$unOK.style.display = "block";
$unError.style.display = "none";
} else {
$unOK.style.display = "none";
$unError.style.display = "block";
}
}).catch(resp => {
window.alert(resp);
}).finally(() => {
$unCheck.style.display = "none";
})
};
if ($username != undefined) {
$username.addEventListener("change", onChange);
$username.addEventListener("blur", onChange);
}
});
</script>
{{end}}

View File

@ -63,6 +63,12 @@
Admin Permissions Management
</a>
</li>
<li>
<a href="/admin/add-user">
<i class="fa fa-user mr-2"></i>
Create User Account
</a>
</li>
<li>
<a href="/admin/maintenance">
<i class="fa fa-wrench mr-2"></i>

View File

@ -28,6 +28,9 @@
{{else if eq .Intent "promote"}}
<i class="mr-2 fa fa-peace"></i>
Promote User
{{else if eq .Intent "password"}}
<i class="mr-2 fa fa-lock"></i>
Reset Password
{{else if eq .Intent "delete"}}
<i class="mr-2 fa fa-trash"></i>
Delete User
@ -239,6 +242,44 @@
Remove Admin
</button>
</div>
{{else if eq .Intent "password"}}
<p class="block">
This page allows you to reset a user's password on their behalf. For example, if
they have forgotten their password and aren't receiving the e-mail reset link and
they reached out for manual assistance.
</p>
<div class="field">
<label class="label" for="password">New password:</label>
<input type="text" class="input" name="password" id="password" placeholder="Password">
<a href="#" id="random-password" class="has-text-warning is-size-7">
<i class="fa fa-refresh mr-2"></i> Random password
</a>
</div>
<div class="field has-text-centered">
<button type="submit" name="action" value="password" class="button is-danger">
Update Password
</button>
<a href="/u/{{.User.Username}}" class="button is-success">Cancel</a>
</div>
<script>
window.addEventListener("DOMContentLoaded", (event) => {
// Password randomization.
const $password = document.querySelector("#password"),
$randomize = document.querySelector("#random-password");
alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz0123456789";
$randomize.addEventListener("click", (e) => {
e.preventDefault();
let password = "";
for (let i = 0; i < 16; i++) {
password += alphabet[parseInt(Math.random() * alphabet.length)];
}
$password.value = password;
});
});
</script>
{{else if eq .Intent "delete"}}
<div class="block content">
<p>

View File

@ -488,7 +488,7 @@
{{end}}
<!-- Inner circle invitation -->
{{if not .IsSiteGallery}}
{{if and (not .IsSiteGallery) (not .InnerCircleOptOut)}}
{{if and (.CurrentUser.IsInnerCircle) (not .User.InnerCircle) (ne .CurrentUser.Username .User.Username) (ge .PublicPhotoCount .InnerCircleMinimumPublicPhotos)}}
<div class="block mt-0">
<span class="icon"><img src="/static/img/circle-16.png"></span>