From 30d2f0276b9ea2ebc69e1cdeaf58a27aa342fa89 Mon Sep 17 00:00:00 2001
From: or-else <or.else@gmail.com>
Date: Mon, 8 May 2023 18:46:51 -0700
Subject: [PATCH] fix for #861

---
 server/session.go                 | 8 ++++++--
 server/validate/email/validate.go | 5 +++++
 server/validate/tel/validate.go   | 5 +++++
 server/validate/validator.go      | 6 +++++-
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/server/session.go b/server/session.go
index 077b6303..d7c53780 100644
--- a/server/session.go
+++ b/server/session.go
@@ -987,7 +987,7 @@ func (s *Session) authSecretReset(params []byte) error {
 		return types.ErrMalformed
 	}
 
-	// Technically we don't need to check it here, but we are going to mail the 'authName' string to the user.
+	// Technically we don't need to check it here, but we are going to mail the 'authScheme' string to the user.
 	// We have to make sure it does not contain any exploits. This is the simplest check.
 	auther := store.Store.GetLogicalAuthHandler(authScheme)
 	if auther == nil {
@@ -1010,8 +1010,12 @@ func (s *Session) authSecretReset(params []byte) error {
 	if err != nil {
 		return err
 	}
+	tempScheme, err := validator.TempAuthScheme()
+	if err != nil {
+		return err
+	}
 
-	code, _, err := store.Store.GetLogicalAuthHandler("code").GenSecret(&auth.Rec{
+	code, _, err := store.Store.GetLogicalAuthHandler(tempScheme).GenSecret(&auth.Rec{
 		Uid:        uid,
 		AuthLevel:  auth.LevelAuth,
 		Features:   auth.FeatureNoLogin,
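Review bot: The result of `store.Store.GetLogicalAuthHandler(tempScheme)` is dereferenced without a nil check, and the scheme name is no longer the literal "code" but whatever the validator returns. The first hunk of this function shows the same lookup followed by `if auther == nil`, so it can return nil; a validator that returns an unregistered or empty name would then presumably panic in the middle of a password reset instead of failing it cleanly. Resolve the handler first and reject nil: `tempAuth := store.Store.GetLogicalAuthHandler(tempScheme)`, `if tempAuth == nil { return types.ErrInternal }`, then `tempAuth.GenSecret(...)`. The error value is a suggestion; use whichever one this package returns for a server-side misconfiguration. authSecretReset begins and ends outside this hunk.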
diff --git a/server/validate/email/validate.go b/server/validate/email/validate.go
index 1bb8979c..ab8c4c6b 100644
--- a/server/validate/email/validate.go
+++ b/server/validate/email/validate.go
@@ -390,6 +390,11 @@ func (v *validator) Remove(user t.Uid, value string) error {
 	return store.Users.DelCred(user, validatorName, value)
 }
 
+// TempAuthScheme returns a temporary authentication method used by this validator.
+func (v *validator) TempAuthScheme() (string, error) {
+	return "token", nil
+}
+
 // SendMail replacement
 func (v *validator) sendMail(rcpt []string, msg []byte) error {
 
diff --git a/server/validate/tel/validate.go b/server/validate/tel/validate.go
index 00eb6039..de12ba97 100644
--- a/server/validate/tel/validate.go
+++ b/server/validate/tel/validate.go
@@ -248,6 +248,11 @@ func (*validator) Remove(user t.Uid, value string) error {
 	return store.Users.DelCred(user, validatorName, value)
 }
 
+// TempAuthScheme returns a temporary authentication method used by this validator.
+func (v *validator) TempAuthScheme() (string, error) {
+	return "code", nil
+}
+
 // Implement sending the SMS.
 func (*validator) send(to, body string) error {
 	logs.Info.Println("Send SMS, To:", to, "; Text:", body)
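Review bot: The new method names its receiver, `func (v *validator) TempAuthScheme()`, but never uses it, while the neighbouring methods visible in this file (`Remove`, `send`) are declared with an unnamed receiver. Matching the file's convention would read `func (*validator) TempAuthScheme() (string, error) {`. The doc comment could also state which value is returned and what it selects, e.g. `// TempAuthScheme returns "code": the name of the auth handler used to generate the reset secret for this validator.`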
diff --git a/server/validate/validator.go b/server/validate/validator.go
index e2c7c89f..3c5b72b0 100644
--- a/server/validate/validator.go
+++ b/server/validate/validator.go
@@ -26,7 +26,7 @@ type Validator interface {
 	// Returns normalized credential prefixed with an appropriate namespace prefix.
 	PreCheck(cred string, params map[string]interface{}) (string, error)
 
-	// Request sends a request for confirmation to the user. Returns true if it's a new credential,
+	// Request sends a request for validation to the user. Returns true if it's a new credential,
 	// false if it re-sent request for an existing unconfirmed credential.
 	//   user: UID of the user making the request.
 	//   cred: credential being validated, such as email or phone.
@@ -52,6 +52,10 @@ type Validator interface {
 
 	// Delete deletes user's record.
 	Delete(user t.Uid) error
+
+	// TempAuthScheme returns a temporary authentication method used by this validator.
+	// It should be either "code" or "token".
+	TempAuthScheme() (string, error)
 }
 
 func ValidateHostURL(origUrl string) (string, error) {
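Review bot: The rule that `TempAuthScheme` returns either "code" or "token" exists only in the comment, yet authSecretReset in server/session.go uses the returned string to look up an auth handler by name. The two implementations in this patch (email/validate.go and tel/validate.go) return bare literals, so a typo or a third value compiles cleanly and only surfaces when a user requests a reset. Consider exported constants next to the interface, e.g. `const TempAuthSchemeCode, TempAuthSchemeToken = "code", "token"` (names are a suggestion), and extend the comment with the error contract: `// A non-nil error aborts the secret reset; the returned name must match a registered auth handler.` Both visible implementations always return nil, so the error case is currently undocumented. The Validator interface starts outside this hunk.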
-- 
GitLab