userpage: password resets

click "forgot password" on login modal, enter a contact method
address/username, submit and check for a link. Requires link reset to be
enabled.

api-userpage.go

@@ -477,3 +477,58 @@ func (app *appContext) UnlinkMyMatrix(gc *gin.Context) {
 	app.storage.DeleteMatrixKey(gc.GetString("jfId"))
 	respondBool(200, true, gc)
 }
+
+// @Summary Generate & send a password reset link if the given email/contact method exists. Doesn't give you any info about it's success.
+// @Produce json
+// @Param address path string true "address/contact method associated w/ your account."
+// @Success 204 {object} boolResponse
+// @Failure 400 {object} boolResponse
+// @Failure 500 {object} boolResponse
+// @Router /my/password/reset/{address} [post]
+// @tags Users
+func (app *appContext) ResetMyPassword(gc *gin.Context) {
+	address := gc.Param("address")
+	if address == "" {
+		app.debug.Println("Ignoring empty request for PWR")
+		respondBool(400, false, gc)
+		return
+	}
+	var pwr InternalPWR
+	var err error
+
+	jfID := app.reverseUserSearch(address)
+	if jfID == "" {
+		app.debug.Printf("Ignoring PWR request: User not found")
+		respondBool(204, true, gc)
+		return
+	}
+	pwr, err = app.GenInternalReset(jfID)
+	if err != nil {
+		app.err.Printf("Failed to get user from Jellyfin: %v", err)
+		respondBool(500, false, gc)
+		return
+	}
+	if app.internalPWRs == nil {
+		app.internalPWRs = map[string]InternalPWR{}
+	}
+	app.internalPWRs[pwr.PIN] = pwr
+	// FIXME: Send to all contact methods
+	msg, err := app.email.constructReset(
+		PasswordReset{
+			Pin:      pwr.PIN,
+			Username: pwr.Username,
+			Expiry:   pwr.Expiry,
+			Internal: true,
+		}, app, false,
+	)
+	if err != nil {
+		app.err.Printf("Failed to construct password reset message for \"%s\": %v", pwr.Username, err)
+		respondBool(500, false, gc)
+		return
+	} else if err := app.sendByID(msg, jfID); err != nil {
+		app.err.Printf("Failed to send password reset message to \"%s\": %v", address, err)
+	} else {
+		app.info.Printf("Sent password reset message to \"%s\"", address)
+	}
+	respondBool(204, true, gc)
+}

email.go

@@ -522,18 +522,6 @@ func (emailer *Emailer) constructCreated(code, username, address string, invite
 	return email, nil
 }
 
-// GenResetLink generates and returns a password reset link.
-func (app *appContext) GenResetLink(pin string) (string, error) {
-	url := app.config.Section("password_resets").Key("url_base").String()
-	var pinLink string
-	if url == "" {
-		return pinLink, fmt.Errorf("disabled as no URL Base provided. Set in Settings > Password Resets.")
-	}
-	// Strip /invite from end of this URL, ik it's ugly.
-	pinLink = fmt.Sprintf("%s/reset?pin=%s", url, pin)
-	return pinLink, nil
-}
-
 func (emailer *Emailer) resetValues(pwr PasswordReset, app *appContext, noSub bool) map[string]interface{} {
 	d, t, expiresIn := emailer.formatExpiry(pwr.Expiry, true, app.datePattern, app.timePattern)
 	message := app.config.Section("messages").Key("message").String()
@@ -835,38 +823,37 @@ func (emailer *Emailer) send(email *Message, address ...string) error {
 	return emailer.sender.Send(emailer.fromName, emailer.fromAddr, email, address...)
 }
 
-func (app *appContext) sendByID(email *Message, ID ...string) error {
+func (app *appContext) sendByID(email *Message, ID ...string) (err error) {
 	for _, id := range ID {
-		var err error
 		if tgChat, ok := app.storage.GetTelegramKey(id); ok && tgChat.Contact && telegramEnabled {
 			err = app.telegram.Send(email, tgChat.ChatID)
-			if err != nil {
+			// if err != nil {
-				return err
+			// 	return err
-			}
+			// }
 		}
 		if dcChat, ok := app.storage.GetDiscordKey(id); ok && dcChat.Contact && discordEnabled {
 			err = app.discord.Send(email, dcChat.ChannelID)
-			if err != nil {
+			// if err != nil {
-				return err
+			// 	return err
-			}
+			// }
 		}
 		if mxChat, ok := app.storage.GetMatrixKey(id); ok && mxChat.Contact && matrixEnabled {
 			err = app.matrix.Send(email, mxChat)
-			if err != nil {
+			// if err != nil {
-				return err
+			// 	return err
-			}
+			// }
 		}
 		if address, ok := app.storage.GetEmailsKey(id); ok && address.Contact && emailEnabled {
 			err = app.email.send(email, address.Addr)
-			if err != nil {
+			// if err != nil {
-				return err
+			// 	return err
-			}
+			// }
-		}
-		if err != nil {
-			return err
 		}
+		// if err != nil {
+		// 	return err
+		// }
 	}
-	return nil
+	return
 }
 
 func (app *appContext) getAddressOrName(jfID string) string {
@@ -879,5 +866,33 @@ func (app *appContext) getAddressOrName(jfID string) string {
 	if addr, ok := app.storage.GetEmailsKey(jfID); ok {
 		return addr.Addr
 	}
+	if mxChat, ok := app.storage.GetMatrixKey(jfID); ok && mxChat.Contact && matrixEnabled {
+		return mxChat.UserID
+	}
+	return ""
+}
+
+func (app *appContext) reverseUserSearch(address string) string {
+	for id, email := range app.storage.GetEmails() {
+		if strings.ToLower(address) == strings.ToLower(email.Addr) {
+			return id
+		}
+	}
+	for id, dcUser := range app.storage.GetDiscord() {
+		if RenderDiscordUsername(dcUser) == strings.ToLower(address) {
+			return id
+		}
+	}
+	tgUsername := strings.TrimPrefix(address, "@")
+	for id, tgUser := range app.storage.GetTelegram() {
+		if tgUsername == tgUser.Username {
+			return id
+		}
+	}
+	for id, mxUser := range app.storage.GetMatrix() {
+		if address == mxUser.UserID {
+			return id
+		}
+	}
 	return ""
 }

html/admin.html

@@ -410,6 +410,9 @@
             </span>
             <span class="button ~warning" alt="{{ .strings.theme }}" id="button-theme"><i class="ri-sun-line"></i></span>
         </div>
+        <div class="top-4 right-4 absolute">
+            <a class="button ~info" href="/my/account"><i class="ri-account-circle-fill mr-2"></i>{{ .strings.myAccount }}</a>
+        </div>
         <div class="page-container">
             <div class="mb-4">
                 <header class="flex flex-wrap items-center justify-between">

html/login-modal.html

@@ -14,6 +14,11 @@
             <label>
                 <input type="submit" class="unfocused">
                 <span class="button ~urge @low full-width center supra submit">{{ .strings.login }}</span>
+                {{ if index . "pwrEnabled" }}
+                    {{ if .pwrEnabled }}
+                        <span class="button ~info @low full-width center supra submit my-2" id="modal-login-pwr">{{ .strings.resetPassword }}</span>
+                    {{ end }}
+                {{ end }}
             </label>
         </form>
     </div>

html/user.html

@@ -6,6 +6,7 @@
             window.notificationsEnabled = {{ .notifications }};
             window.ombiEnabled = {{ .ombiEnabled }};
             window.langFile = JSON.parse({{ .language }});
+            window.pwrEnabled = {{ .pwrEnabled }};
             window.linkResetEnabled = {{ .linkResetEnabled }};
             window.language = "{{ .langName }}";
             window.telegramEnabled = {{ .telegramEnabled }};
@@ -43,6 +44,30 @@
                 </div>
             </div>
         </div>
+        {{ if .pwrEnabled }}
+        <div id="modal-pwr" class="modal">
+            <div class="card relative mx-auto my-[10%] w-4/5 lg:w-1/3 ~neutral @low">
+                <span class="heading">{{ .strings.resetPassword }}</span>
+                <p class="content my-2">
+                {{ if .linkResetEnabled }}
+                    {{ .strings.resetPasswordThroughLink }}
+                {{ else }}
+                    {{ .strings.resetPasswordThroughJellyfin }}
+                {{ end }}
+                </p>
+                <div class="row">
+                    <input type="text" class="col sm field ~neutral @low input" id="pwr-address" placeholder="example@example.com | user#1234 | @user:host | @username">
+                </div>
+                {{ if .linkResetEnabled }}
+                    <span class="button ~info @low full-width center mt-4" id="pwr-submit">
+                        {{ .strings.submit }}
+                    </span>
+                {{ else }}
+                    <a class="button ~info @low full-width center mt-4" href="{{ .jfLink }}" target="_blank">{{ .strings.continue }}</a>
+                {{ end }}
+            </div>
+        </div>
+        {{ end }}
         {{ template "login-modal.html" . }}
         {{ template "account-linking.html" . }}
         <div id="notification-box"></div>
@@ -68,6 +93,8 @@
             </span>
             <span class="button ~warning" alt="{{ .strings.theme }}" id="button-theme"><i class="ri-sun-line"></i></span>
             <span class="button ~critical @low mb-4 unfocused" id="logout-button">{{ .strings.logout }}</span>
+        </div>
+        <div class="top-4 right-4 absolute">
             <a class="button ~info unfocused" href="/" id="admin-back-button"><i class="ri-arrow-left-fill mr-2"></i>{{ .strings.admin }}</a>
         </div>
         <div class="page-container unfocused">

lang/common/en-us.json

@@ -38,7 +38,8 @@
         "expiry": "Expiry",
         "add": "Add",
         "edit": "Edit",
-        "delete": "Delete"
+        "delete": "Delete",
+        "myAccount": "My Account"
     },
     "notifications": {
         "errorLoginBlank": "The username and/or password were left blank.",

lang/form/en-us.json

@@ -27,7 +27,11 @@
         "customMessagePlaceholderHeader": "Customize this card",
         "customMessagePlaceholderContent": "Click the user page edit button in settings to customize this card, or show one on the login screen, and don't worry, the user can't see this.",
         "userPageSuccessMessage": "You can see and change details about your account later on the {myAccount} page.",
-        "myAccount": "My Account"
+        "resetPassword": "Reset Password",
+        "resetPasswordThroughJellyfin": "To reset your password, visit {jfLink} and press the \"Forgot Password\" button.",
+        "resetPasswordThroughLink": "To reset your password, enter your email address or a linked contact method username, and submit. A link will be sent to reset your password.",
+        "resetSent": "Reset Sent.",
+        "resetSentDescription": "If an account with the given contact method exists, a password reset link has been sent to all contact methods available. The code will expire in 30 minutes."
     },
     "notifications": {
         "errorUserExists": "User already exists.",

pwreset.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"strings"
 	"time"
@@ -25,6 +26,18 @@ func (app *appContext) GenInternalReset(userID string) (InternalPWR, error) {
 	return pwr, nil
 }
 
+// GenResetLink generates and returns a password reset link.
+func (app *appContext) GenResetLink(pin string) (string, error) {
+	url := app.config.Section("password_resets").Key("url_base").String()
+	var pinLink string
+	if url == "" {
+		return pinLink, fmt.Errorf("disabled as no URL Base provided. Set in Settings > Password Resets.")
+	}
+	// Strip /invite from end of this URL, ik it's ugly.
+	pinLink = fmt.Sprintf("%s/reset?pin=%s", url, pin)
+	return pinLink, nil
+}
+
 func (app *appContext) StartPWR() {
 	app.info.Println("Starting password reset daemon")
 	path := app.config.Section("password_resets").Key("watch_directory").String()

router.go

@@ -148,6 +148,7 @@ func (app *appContext) loadRoutes(router *gin.Engine) {
 			router.GET(p+"/my/token/login", app.getUserTokenLogin)
 			router.GET(p+"/my/token/refresh", app.getUserTokenRefresh)
 			router.GET(p+"/my/confirm/:jwt", app.ConfirmMyAction)
+			router.POST(p+"/my/password/reset/:address", app.ResetMyPassword)
 		}
 	}
 	if *SWAGGER {

ts/typings/d.ts

@@ -110,6 +110,7 @@ declare interface Modals {
     discord: Modal;
     matrix: Modal;
     sendPWR?: Modal;
+    pwr?: Modal;
     logs: Modal;
     email?: Modal;
 }

ts/user.ts

@@ -16,6 +16,7 @@ interface userWindow extends Window {
     discordInviteLink: boolean;
     matrixUserID: string;
     discordSendPINMessage: string;
+    pwrEnabled: string;
 }
 
 declare var window: userWindow;
@@ -44,10 +45,38 @@ window.modals = {} as Modals;
     if (window.matrixEnabled) {
         window.modals.matrix = new Modal(document.getElementById("modal-matrix"), false);
     }
+    if (window.pwrEnabled) {
+        window.modals.pwr = new Modal(document.getElementById("modal-pwr"), false);
+        window.modals.pwr.onclose = () => {
+            window.modals.login.show();
+        };
+        const resetButton = document.getElementById("modal-login-pwr");
+        resetButton.onclick = () => {
+            window.modals.login.close();
+            window.modals.pwr.show();
+        }
+    }
 })();
 
 window.notifications = new notificationBox(document.getElementById('notification-box') as HTMLDivElement, 5);
 
+if (window.pwrEnabled && window.linkResetEnabled) {
+    const submitButton = document.getElementById("pwr-submit");
+    const input = document.getElementById("pwr-address") as HTMLInputElement;
+    submitButton.onclick = () => _post("/my/password/reset/" + input.value, null, (req: XMLHttpRequest) => {
+        if (req.readyState != 4) return;
+        if (req.status != 204) {
+            window.notifications.customError("unkownError", window.lang.notif("errorUnknown"));;
+            window.modals.pwr.close();
+            return;
+        }
+        window.modals.pwr.modal.querySelector(".heading").textContent = window.lang.strings("resetSent");
+        window.modals.pwr.modal.querySelector(".content").textContent = window.lang.strings("resetSentDescription");
+        submitButton.classList.add("unfocused");
+        input.classList.add("unfocused");
+    });
+}
+
 const grid = document.querySelector(".grid");
 var rootCard = document.getElementById("card-user");
 var contactCard = document.getElementById("card-contact");

views.go

@@ -157,6 +157,7 @@ func (app *appContext) AdminPage(gc *gin.Context) {
 		"jellyfinLogin":    app.jellyfinLogin,
 		"jfAdminOnly":      jfAdminOnly,
 		"jfAllowAll":       jfAllowAll,
+		"userPageEnabled":  app.config.Section("user_page").Key("enabled").MustBool(false),
 	})
 }
 
@@ -177,6 +178,7 @@ func (app *appContext) MyUserPage(gc *gin.Context) {
 		"discordEnabled":    discordEnabled,
 		"matrixEnabled":     matrixEnabled,
 		"ombiEnabled":       ombiEnabled,
+		"pwrEnabled":        app.config.Section("password_resets").Key("enabled").MustBool(false),
 		"linkResetEnabled":  app.config.Section("password_resets").Key("link_reset").MustBool(false),
 		"notifications":     notificationsEnabled,
 		"username":          !app.config.Section("email").Key("no_username").MustBool(false),
@@ -184,6 +186,7 @@ func (app *appContext) MyUserPage(gc *gin.Context) {
 		"validationStrings": app.storage.lang.User[lang].ValidationStrings,
 		"language":          app.storage.lang.User[lang].JSON,
 		"langName":          lang,
+		"jfLink":            app.config.Section("ui").Key("redirect_url").String(),
 	}
 	if telegramEnabled {
 		data["telegramUsername"] = app.telegram.username