Merge branch 'fix/2020-10-hash_rkey' into staging/fixes

Kristan Kenney · Kristan Kenney · commit 8fdc9d916a4c · 2020-10-24T08:49:58.000-03:00
diff --git a/bin/v-change-user-rkey b/bin/v-change-user-rkey
@@ -1,8 +1,8 @@
 #!/bin/bash
-# info: change user password
-# options: USER
+# info: change user random key
+# options: USER [HASH]
 #
-# The function changes user's password and updates RKEY value.
+# The function changes user's RKEY value thats has been used for security value to be used forgot password function only.
 
 
 #----------------------------------------------------------#
@@ -11,8 +11,9 @@
 
 # Argument definition
 user=$1
+hash=$2
 
-
+echo $rkeyhash;
 # Importing system enviroment  as we run this script
 # mostly by cron wich not read it by itself
 source /etc/profile
@@ -25,14 +26,21 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '1' "$#" 'USER'
+check_args '1' "$#" 'USER [HASH]'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
+if [ ! -z "$hash" ]; then
+    password=$hash
+    is_password_valid
+    hash=$password;
+else
+    hash=$(generate_password)
+fi
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
@@ -44,7 +52,7 @@ d=$(date +%s)
 #----------------------------------------------------------#
 
 # Changing RKEY value
-update_user_value "$user" '$RKEY' "$(generate_password)"
+update_user_value "$user" '$RKEY' "$hash"
 
 #check if RKEYEXP exists
 if [ -z "$(grep RKEYEXP $USER_DATA/user.conf)" ]; then
diff --git a/web/reset/index.php b/web/reset/index.php
@@ -20,11 +20,16 @@
         $data = json_decode(implode('', $output), true);
         if($email == $data[$user]['CONTACT']){
             //genrate new rkey
-            exec ("/usr/bin/sudo /usr/local/hestia/bin/v-change-user-rkey ".$v_user."", $output, $return_var);
+            $rkey = substr( password_hash( 'hestiacp', PASSWORD_DEFAULT ), 5, 12 );
+            $hash = password_hash($rkey, PASSWORD_DEFAULT);
+            $v_rkey = tempnam("/tmp","vst");
+            $fp = fopen($v_rkey, "w");
+            fwrite($fp, $hash."\n");
+            fclose($fp);
+            exec ("/usr/bin/sudo /usr/local/hestia/bin/v-change-user-rkey ".$v_user." ".$v_rkey."", $output, $return_var);
             unset($output);
             exec ($cmd." ".$v_user." json", $output, $return_var);
             $data = json_decode(implode('', $output), true);
-            $rkey = $data[$user]['RKEY'];
             $name = $data[$user]['NAME'];
             $contact = $data[$user]['CONTACT'];
             $to = $data[$user]['CONTACT'];
@@ -58,7 +63,7 @@
         if ( $return_var == 0 ) {
             $data = json_decode(implode('', $output), true);
             $rkey = $data[$user]['RKEY'];
-            if (hash_equals($rkey, $_POST['code'])) {
+            if (password_verify($_POST['code'], $rkey)) {
                 unset($output);
                 exec("/usr/bin/sudo /usr/local/hestia/bin/v-get-user-value ".$v_user." RKEYEXP", $output,$return_var);
                 if($output[0] > time() - 900){
