feat: Improved password security policy (#2345)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-06-07 17:26:08 +05:30
parent d1b3c7b0c2
commit 467b45b427
36 changed files with 284 additions and 151 deletions
--- a/app/controllers/api/v1/accounts/agents_controller.rb
+++ b/app/controllers/api/v1/accounts/agents_controller.rb
@@ -58,9 +58,10 @@ class Api::V1::Accounts::AgentsController < Api::V1::Accounts::BaseController
  end

  def new_agent_params
-    time = Time.now.to_i
+    # intial string ensures the password requirements are met
+    temp_password = "1!aA#{SecureRandom.alphanumeric(12)}"
    params.require(:agent).permit(:email, :name, :role)
-          .merge!(password: time, password_confirmation: time, inviter: current_user)
+          .merge!(password: temp_password, password_confirmation: temp_password, inviter: current_user)
  end

  def agents
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@@ -18,7 +18,7 @@ class Api::V1::AccountsController < Api::BaseController
      account_name: account_params[:account_name],
      user_full_name: account_params[:user_full_name],
      email: account_params[:email],
-      confirmed: confirmed?,
+      user_password: account_params[:password],
      user: current_user
    ).perform
    if @user
@@ -46,17 +46,13 @@ class Api::V1::AccountsController < Api::BaseController

  private

-  def confirmed?
-    super_admin? && params[:confirmed]
-  end
-
  def fetch_account
    @account = current_user.accounts.find(params[:id])
    @current_account_user = @account.account_users.find_by(user_id: current_user.id)
  end

  def account_params
-    params.permit(:account_name, :email, :name, :locale, :domain, :support_email, :auto_resolve_duration, :user_full_name)
+    params.permit(:account_name, :email, :name, :password, :locale, :domain, :support_email, :auto_resolve_duration, :user_full_name)
  end

  def check_signup_enabled
--- a/app/controllers/api/v1/widget/messages_controller.rb
+++ b/app/controllers/api/v1/widget/messages_controller.rb
@@ -20,7 +20,7 @@ class Api::V1::Widget::MessagesController < Api::V1::Widget::BaseController
      @message.update!(message_update_params[:message])
    end
  rescue StandardError => e
-    render json: { error: @contact.errors, message: e.message }.to_json, status: 500
+    render json: { error: @contact.errors, message: e.message }.to_json, status: :internal_server_error
  end

  private
--- a/app/controllers/concerns/access_token_auth_helper.rb
+++ b/app/controllers/concerns/access_token_auth_helper.rb
@@ -17,13 +17,8 @@ module AccessTokenAuthHelper
    Current.user = @resource if current_user.is_a?(User)
  end

-  def super_admin?
-    @resource.present? && @resource.is_a?(SuperAdmin)
-  end
-
  def validate_bot_access_token!
    return if Current.user.is_a?(User)
-    return if super_admin?
    return if agent_bot_accessible?

    render_unauthorized('Access to this endpoint is not authorized for bots')
--- a/app/controllers/devise_overrides/confirmations_controller.rb
+++ b/app/controllers/devise_overrides/confirmations_controller.rb
@@ -1,34 +1,29 @@
 class DeviseOverrides::ConfirmationsController < Devise::ConfirmationsController
+  include AuthHelper
  skip_before_action :require_no_authentication, raise: false
  skip_before_action :authenticate_user!, raise: false

  def create
    @confirmable = User.find_by(confirmation_token: params[:confirmation_token])
+    render_confirmation_success and return if @confirmable&.confirm

-    if confirm
-      render_confirmation_success
-    else
-      render_confirmation_error
-    end
+    render_confirmation_error
  end

-  protected
-
-  def confirm
-    @confirmable&.confirm || (@confirmable&.confirmed_at && @confirmable&.reset_password_token)
-  end
+  private

  def render_confirmation_success
-    render json: { "message": 'Success', "redirect_url": create_reset_token_link(@confirmable) }, status: :ok
+    send_auth_headers(@confirmable)
+    render partial: 'devise/auth.json', locals: { resource: @confirmable }
  end

  def render_confirmation_error
    if @confirmable.blank?
-      render json: { "message": 'Invalid token', "redirect_url": '/' }, status: 422
+      render json: { message: 'Invalid token', redirect_url: '/' }, status: :unprocessable_entity
    elsif @confirmable.confirmed_at
-      render json: { "message": 'Already confirmed', "redirect_url": '/' }, status: 422
+      render json: { message: 'Already confirmed', redirect_url: '/' }, status: :unprocessable_entity
    else
-      render json: { "message": 'Failure', "redirect_url": '/' }, status: 422
+      render json: { message: 'Failure', redirect_url: '/' }, status: :unprocessable_entity
    end
  end

--- a/app/controllers/devise_overrides/passwords_controller.rb
+++ b/app/controllers/devise_overrides/passwords_controller.rb
@@ -13,7 +13,7 @@ class DeviseOverrides::PasswordsController < Devise::PasswordsController
      send_auth_headers(@recoverable)
      render partial: 'devise/auth.json', locals: { resource: @recoverable }
    else
-      render json: { "message": 'Invalid token', "redirect_url": '/' }, status: 422
+      render json: { message: 'Invalid token', redirect_url: '/' }, status: :unprocessable_entity
    end
  end

@@ -27,7 +27,7 @@ class DeviseOverrides::PasswordsController < Devise::PasswordsController
    end
  end

-  protected
+  private

  def reset_password_and_confirmation(recoverable)
    recoverable.confirm unless recoverable.confirmed? # confirm if user resets password without confirming anytime before
@@ -40,7 +40,7 @@ class DeviseOverrides::PasswordsController < Devise::PasswordsController

  def build_response(message, status)
    render json: {
-      "message": message
+      message: message
    }, status: status
  end
 end