Password Resets: Ignore magic link visits from bots

For #108. Literally just searches the useragent for "Bot", seems good enough for Telegram atleast.
2021-05-29 19:24:00 +01:00 · 2021-05-29 19:24:00 +01:00 · 953a66ec47
parent fb6256d1ed
commit 953a66ec47
2 changed files with 33 additions and 23 deletions
--- a/pwreset.go
+++ b/pwreset.go
@ -54,10 +54,12 @@ func pwrMonitor(app *appContext, watcher *fsnotify.Watcher) {
 				var pwr PasswordReset
 				data, err := os.ReadFile(event.Name)
 				if err != nil {
+					app.debug.Printf("PWR: Failed to read file: %v", err)
 					return
 				}
 				err = json.Unmarshal(data, &pwr)
 				if len(pwr.Pin) == 0 || err != nil {
+					app.debug.Printf("PWR: Failed to read PIN: %v", err)
 					return
 				}
 				app.info.Printf("New password reset for user \"%s\"", pwr.Username)
--- a/views.go
+++ b/views.go
@ -137,6 +137,7 @@ func (app *appContext) AdminPage(gc *gin.Context) {
 }

 func (app *appContext) ResetPassword(gc *gin.Context) {
+	isBot := strings.Contains(gc.Request.Header.Get("User-Agent"), "Bot")
 	pin := gc.Query("pin")
 	if pin == "" {
 		app.NoRouteHandler(gc)
@ -151,32 +152,39 @@ func (app *appContext) ResetPassword(gc *gin.Context) {
 		"success":        false,
 		"ombiEnabled":    app.config.Section("ombi").Key("enabled").MustBool(false),
 	}
-	resp, status, err := app.jf.ResetPassword(pin)
-	if status == 200 && err == nil && resp.Success {
-		data["success"] = true
-		data["pin"] = pin
-	} else {
-		app.err.Printf("Password Reset failed (%d): %v", status, err)
-	}
 	defer gcHTML(gc, http.StatusOK, "password-reset.html", data)
-	if app.config.Section("ombi").Key("enabled").MustBool(false) {
-		jfUser, status, err := app.jf.UserByName(resp.UsersReset[0], false)
-		if status != 200 || err != nil {
-			app.err.Printf("Failed to get user \"%s\" from jellyfin/emby (%d): %v", resp.UsersReset[0], status, err)
-			return
+	// If it's a bot, pretend to be a success so the preview is nice.
+	if isBot {
+		app.debug.Println("PWR: Ignoring magic link visit from bot")
+		data["success"] = true
+		data["pin"] = "NO-BO-TS"
+	} else {
+		resp, status, err := app.jf.ResetPassword(pin)
+		if status == 200 && err == nil && resp.Success {
+			data["success"] = true
+			data["pin"] = pin
+		} else {
+			app.err.Printf("Password Reset failed (%d): %v", status, err)
 		}
-		ombiUser, status, err := app.getOmbiUser(jfUser.ID)
-		if status != 200 || err != nil {
-			app.err.Printf("Failed to get user \"%s\" from ombi (%d): %v", resp.UsersReset[0], status, err)
-			return
+		if app.config.Section("ombi").Key("enabled").MustBool(false) {
+			jfUser, status, err := app.jf.UserByName(resp.UsersReset[0], false)
+			if status != 200 || err != nil {
+				app.err.Printf("Failed to get user \"%s\" from jellyfin/emby (%d): %v", resp.UsersReset[0], status, err)
+				return
+			}
+			ombiUser, status, err := app.getOmbiUser(jfUser.ID)
+			if status != 200 || err != nil {
+				app.err.Printf("Failed to get user \"%s\" from ombi (%d): %v", resp.UsersReset[0], status, err)
+				return
+			}
+			ombiUser["password"] = pin
+			status, err = app.ombi.ModifyUser(ombiUser)
+			if status != 200 || err != nil {
+				app.err.Printf("Failed to set password for ombi user \"%s\" (%d): %v", ombiUser["userName"], status, err)
+				return
+			}
+			app.debug.Printf("Reset password for ombi user \"%s\"", ombiUser["userName"])
 		}
-		ombiUser["password"] = pin
-		status, err = app.ombi.ModifyUser(ombiUser)
-		if status != 200 || err != nil {
-			app.err.Printf("Failed to set password for ombi user \"%s\" (%d): %v", ombiUser["userName"], status, err)
-			return
-		}
-		app.debug.Printf("Reset password for ombi user \"%s\"", ombiUser["userName"])
 	}
 }