2019-05-02 18:17:27 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-03-07 13:45:33 -05:00
|
|
|
class UsersEmailController < ApplicationController
|
|
|
|
|
2018-01-31 23:17:59 -05:00
|
|
|
requires_login only: [:index, :update]
|
2016-03-07 14:40:11 -05:00
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
skip_before_action :check_xhr, only: [
|
|
|
|
:confirm_old_email,
|
|
|
|
:show_confirm_old_email,
|
|
|
|
:confirm_new_email,
|
|
|
|
:show_confirm_new_email
|
|
|
|
]
|
|
|
|
|
|
|
|
skip_before_action :redirect_to_login_if_required, only: [
|
|
|
|
:confirm_old_email,
|
2020-10-06 23:02:24 -04:00
|
|
|
:show_confirm_old_email
|
2019-11-20 02:31:25 -05:00
|
|
|
]
|
|
|
|
|
|
|
|
before_action :require_login, only: [
|
|
|
|
:confirm_old_email,
|
2020-10-06 23:02:24 -04:00
|
|
|
:show_confirm_old_email
|
2019-11-20 02:31:25 -05:00
|
|
|
]
|
2016-03-07 13:45:33 -05:00
|
|
|
|
|
|
|
def index
|
|
|
|
end
|
|
|
|
|
2020-06-10 12:11:49 -04:00
|
|
|
def create
|
|
|
|
if !SiteSetting.enable_secondary_emails
|
|
|
|
return render json: failed_json, status: 410
|
|
|
|
end
|
|
|
|
|
|
|
|
params.require(:email)
|
|
|
|
user = fetch_user_from_params
|
|
|
|
|
|
|
|
RateLimiter.new(user, "email-hr-#{request.remote_ip}", 6, 1.hour).performed!
|
|
|
|
RateLimiter.new(user, "email-min-#{request.remote_ip}", 3, 1.minute).performed!
|
|
|
|
|
|
|
|
updater = EmailUpdater.new(guardian: guardian, user: user)
|
|
|
|
updater.change_to(params[:email], add: true)
|
|
|
|
|
|
|
|
if updater.errors.present?
|
|
|
|
return render_json_error(updater.errors.full_messages)
|
|
|
|
end
|
|
|
|
|
|
|
|
render body: nil
|
|
|
|
rescue RateLimiter::LimitExceeded
|
|
|
|
render_json_error(I18n.t("rate_limiter.slow_down"))
|
|
|
|
end
|
|
|
|
|
2016-03-07 13:45:33 -05:00
|
|
|
def update
|
|
|
|
params.require(:email)
|
|
|
|
user = fetch_user_from_params
|
|
|
|
|
2020-06-10 12:11:49 -04:00
|
|
|
RateLimiter.new(user, "email-hr-#{request.remote_ip}", 6, 1.hour).performed!
|
|
|
|
RateLimiter.new(user, "email-min-#{request.remote_ip}", 3, 1.minute).performed!
|
2016-03-07 13:45:33 -05:00
|
|
|
|
2020-06-04 01:09:10 -04:00
|
|
|
updater = EmailUpdater.new(guardian: guardian, user: user)
|
2016-03-07 14:40:11 -05:00
|
|
|
updater.change_to(params[:email])
|
2016-03-07 13:45:33 -05:00
|
|
|
|
2016-03-07 14:40:11 -05:00
|
|
|
if updater.errors.present?
|
|
|
|
return render_json_error(updater.errors.full_messages)
|
|
|
|
end
|
2016-03-07 13:45:33 -05:00
|
|
|
|
2017-08-31 00:06:56 -04:00
|
|
|
render body: nil
|
2016-03-07 13:45:33 -05:00
|
|
|
rescue RateLimiter::LimitExceeded
|
|
|
|
render_json_error(I18n.t("rate_limiter.slow_down"))
|
|
|
|
end
|
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
def confirm_new_email
|
|
|
|
load_change_request(:new)
|
|
|
|
|
|
|
|
if @change_request&.change_state != EmailChangeRequest.states[:authorizing_new]
|
|
|
|
@error = I18n.t("change_email.already_done")
|
|
|
|
end
|
2018-02-20 01:44:51 -05:00
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
redirect_url = path("/u/confirm-new-email/#{params[:token]}")
|
2018-02-20 01:44:51 -05:00
|
|
|
|
2020-01-15 05:27:12 -05:00
|
|
|
RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed! if params[:second_factor_token].present?
|
|
|
|
|
|
|
|
if !@error
|
|
|
|
# this is needed becase the form posts this field as JSON and it can be a
|
2020-02-19 18:52:21 -05:00
|
|
|
# hash when authenticating security key.
|
2020-01-15 05:27:12 -05:00
|
|
|
if params[:second_factor_method].to_i == UserSecondFactor.methods[:security_key]
|
|
|
|
begin
|
|
|
|
params[:second_factor_token] = JSON.parse(params[:second_factor_token])
|
|
|
|
rescue JSON::ParserError
|
|
|
|
raise Discourse::InvalidParameters
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
second_factor_authentication_result = @user.authenticate_second_factor(params, secure_session)
|
|
|
|
if !second_factor_authentication_result.ok
|
|
|
|
flash[:invalid_second_factor] = true
|
|
|
|
flash[:invalid_second_factor_message] = second_factor_authentication_result.error
|
|
|
|
redirect_to redirect_url
|
|
|
|
return
|
|
|
|
end
|
2019-11-20 02:31:25 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
if !@error
|
|
|
|
updater = EmailUpdater.new
|
|
|
|
if updater.confirm(params[:token]) == :complete
|
|
|
|
updater.user.user_stat.reset_bounce_score!
|
|
|
|
else
|
|
|
|
@error = I18n.t("change_email.already_done")
|
2018-02-20 01:44:51 -05:00
|
|
|
end
|
2019-11-20 02:31:25 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
if @error
|
|
|
|
flash[:error] = @error
|
|
|
|
redirect_to redirect_url
|
|
|
|
else
|
|
|
|
redirect_to "#{redirect_url}?done=true"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def show_confirm_new_email
|
|
|
|
load_change_request(:new)
|
|
|
|
|
|
|
|
if params[:done].to_s == "true"
|
|
|
|
@done = true
|
|
|
|
end
|
2018-02-20 01:44:51 -05:00
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
if @change_request&.change_state != EmailChangeRequest.states[:authorizing_new]
|
|
|
|
@error = I18n.t("change_email.already_done")
|
|
|
|
end
|
2018-02-20 01:44:51 -05:00
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
@show_invalid_second_factor_error = flash[:invalid_second_factor]
|
2020-01-15 05:27:12 -05:00
|
|
|
@invalid_second_factor_message = flash[:invalid_second_factor_message]
|
2018-02-20 01:44:51 -05:00
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
if !@error
|
2020-01-15 05:27:12 -05:00
|
|
|
@backup_codes_enabled = @user.backup_codes_enabled?
|
|
|
|
if params[:show_backup].to_s == "true" && @backup_codes_enabled
|
|
|
|
@show_backup_codes = true
|
|
|
|
else
|
|
|
|
if @user.totp_enabled?
|
2019-11-20 02:31:25 -05:00
|
|
|
@show_second_factor = true
|
|
|
|
end
|
2020-01-15 05:27:12 -05:00
|
|
|
if @user.security_keys_enabled?
|
|
|
|
Webauthn.stage_challenge(@user, secure_session)
|
|
|
|
@show_security_key = params[:show_totp].to_s == "true" ? false : true
|
|
|
|
@security_key_challenge = Webauthn.challenge(@user, secure_session)
|
|
|
|
@security_key_allowed_credential_ids = Webauthn.allowed_credentials(@user, secure_session)[:allowed_credential_ids]
|
|
|
|
end
|
2017-12-21 20:18:12 -05:00
|
|
|
end
|
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
@to_email = @change_request.new_email
|
|
|
|
end
|
|
|
|
|
|
|
|
render layout: 'no_ember'
|
|
|
|
end
|
|
|
|
|
|
|
|
def confirm_old_email
|
|
|
|
load_change_request(:old)
|
|
|
|
|
|
|
|
if @change_request&.change_state != EmailChangeRequest.states[:authorizing_old]
|
|
|
|
@error = I18n.t("change_email.already_done")
|
|
|
|
end
|
|
|
|
|
|
|
|
redirect_url = path("/u/confirm-old-email/#{params[:token]}")
|
|
|
|
|
|
|
|
if !@error
|
|
|
|
updater = EmailUpdater.new
|
|
|
|
if updater.confirm(params[:token]) != :authorizing_new
|
|
|
|
@error = I18n.t("change_email.already_done")
|
2018-02-20 01:44:51 -05:00
|
|
|
end
|
2017-02-20 04:37:01 -05:00
|
|
|
end
|
2016-03-07 14:40:11 -05:00
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
if @error
|
|
|
|
flash[:error] = @error
|
|
|
|
redirect_to redirect_url
|
|
|
|
else
|
|
|
|
redirect_to "#{redirect_url}?done=true"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def show_confirm_old_email
|
|
|
|
load_change_request(:old)
|
|
|
|
|
|
|
|
if @change_request&.change_state != EmailChangeRequest.states[:authorizing_old]
|
|
|
|
@error = I18n.t("change_email.already_done")
|
|
|
|
end
|
|
|
|
|
|
|
|
if params[:done].to_s == "true"
|
|
|
|
@almost_done = true
|
|
|
|
end
|
|
|
|
|
|
|
|
if !@error
|
|
|
|
@from_email = @user.email
|
|
|
|
@to_email = @change_request.new_email
|
|
|
|
end
|
|
|
|
|
2016-03-07 14:40:11 -05:00
|
|
|
render layout: 'no_ember'
|
|
|
|
end
|
|
|
|
|
2019-11-20 02:31:25 -05:00
|
|
|
private
|
|
|
|
|
|
|
|
def load_change_request(type)
|
|
|
|
expires_now
|
|
|
|
|
|
|
|
@token = EmailToken.confirmable(params[:token])
|
|
|
|
|
|
|
|
if @token
|
|
|
|
if type == :old
|
|
|
|
@change_request = @token.user&.email_change_requests.where(old_email_token_id: @token.id).first
|
|
|
|
elsif type == :new
|
|
|
|
@change_request = @token.user&.email_change_requests.where(new_email_token_id: @token.id).first
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
@user = @token&.user
|
|
|
|
|
|
|
|
if (!@user || !@change_request)
|
|
|
|
@error = I18n.t("change_email.already_done")
|
|
|
|
end
|
|
|
|
|
2020-10-06 23:02:24 -04:00
|
|
|
if current_user && current_user.id != @user&.id
|
2019-11-20 02:31:25 -05:00
|
|
|
@error = I18n.t 'change_email.wrong_account_error'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def require_login
|
|
|
|
if !current_user
|
|
|
|
redirect_to_login
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-03-07 13:45:33 -05:00
|
|
|
end
|