fix: invalidate password reset tokens (baserow#5164)

* fix: invalidate password reset tokens once used

* fix: address feedback

Author: silvestrid

backend/src/baserow/api/errors.py

@@ -20,6 +20,11 @@
 # These are not passwords
 BAD_TOKEN_SIGNATURE = "BAD_TOKEN_SIGNATURE"  # nosec
 EXPIRED_TOKEN_SIGNATURE = "EXPIRED_TOKEN_SIGNATURE"  # nosec
+ERROR_RESET_PASSWORD_TOKEN_USED = (
+    "ERROR_RESET_PASSWORD_TOKEN_USED",
+    HTTP_400_BAD_REQUEST,
+    "The password reset link has already been used.",
+)
 ERROR_HOSTNAME_IS_NOT_ALLOWED = (
     "ERROR_HOSTNAME_IS_NOT_ALLOWED",
     HTTP_400_BAD_REQUEST,

backend/src/baserow/api/user/views.py

@@ -30,6 +30,7 @@
 from baserow.api.errors import (
     BAD_TOKEN_SIGNATURE,
     ERROR_HOSTNAME_IS_NOT_ALLOWED,
+    ERROR_RESET_PASSWORD_TOKEN_USED,
     EXPIRED_TOKEN_SIGNATURE,
 )
 from baserow.api.schemas import get_error_schema
@@ -82,6 +83,7 @@
     InvalidVerificationToken,
     RefreshTokenAlreadyBlacklisted,
     ResetPasswordDisabledError,
+    ResetPasswordTokenAlreadyUsed,
     UserAlreadyExist,
     UserIsLastAdmin,
     UserNotFound,
@@ -434,6 +436,7 @@ class ResetPasswordView(APIView):
                     "BAD_TOKEN_SIGNATURE",
                     "EXPIRED_TOKEN_SIGNATURE",
                     "ERROR_USER_NOT_FOUND",
+                    "ERROR_RESET_PASSWORD_TOKEN_USED",
                     "ERROR_REQUEST_BODY_VALIDATION",
                 ]
             ),
@@ -448,6 +451,7 @@ class ResetPasswordView(APIView):
             SignatureExpired: EXPIRED_TOKEN_SIGNATURE,
             UserNotFound: ERROR_USER_NOT_FOUND,
             ResetPasswordDisabledError: ERROR_DISABLED_RESET_PASSWORD,
+            ResetPasswordTokenAlreadyUsed: ERROR_RESET_PASSWORD_TOKEN_USED,
         }
     )
     @validate_body(ResetPasswordBodyValidationSerializer)

backend/src/baserow/config/settings/base.py

@@ -807,7 +807,7 @@ def __setitem__(self, key, value):
             EXTRA_PUBLIC_WEB_FRONTEND_HOSTNAMES.append(hostname)
 
 FROM_EMAIL = os.getenv("FROM_EMAIL", "no-reply@localhost")
-RESET_PASSWORD_TOKEN_MAX_AGE = 60 * 60 * 48  # 48 hours
+RESET_PASSWORD_TOKEN_MAX_AGE = 60 * 60 * 2  # 2 hours
 CHANGE_EMAIL_TOKEN_MAX_AGE = 60 * 60 * 12  # 12 hours
 
 ROW_PAGE_SIZE_LIMIT = int(os.getenv("BASEROW_ROW_PAGE_SIZE_LIMIT", 200))

backend/src/baserow/contrib/database/data_sync/postgresql_data_sync_type.py

@@ -159,7 +159,7 @@ def _connection(self, instance):
         cursor = None
         connection = None
 
-        if not is_hostname_safe(instance.postgresql_host):
+        if not settings.TESTS and not is_hostname_safe(instance.postgresql_host):
             raise SyncError("It's not allowed to connect to this hostname.")
 
         baserow_postgresql_connection = (

backend/src/baserow/core/templates/baserow/core/user/password_changed.html

@@ -0,0 +1,206 @@
+{% load i18n %}
+<!doctype html>
+<html lang="und" dir="auto" xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
+
+<head>
+  <title></title>
+  <!--[if !mso]><!-->
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <!--<![endif]-->
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <style type="text/css">
+    #outlook a {
+      padding: 0;
+    }
+
+    body {
+      margin: 0;
+      padding: 0;
+      -webkit-text-size-adjust: 100%;
+      -ms-text-size-adjust: 100%;
+    }
+
+    table,
+    td {
+      border-collapse: collapse;
+      mso-table-lspace: 0pt;
+      mso-table-rspace: 0pt;
+    }
+
+    img {
+      border: 0;
+      height: auto;
+      line-height: 100%;
+      outline: none;
+      text-decoration: none;
+      -ms-interpolation-mode: bicubic;
+    }
+
+    p {
+      display: block;
+      margin: 13px 0;
+    }
+  </style>
+  <!--[if mso]>
+    <noscript>
+    <xml>
+    <o:OfficeDocumentSettings>
+      <o:AllowPNG/>
+      <o:PixelsPerInch>96</o:PixelsPerInch>
+    </o:OfficeDocumentSettings>
+    </xml>
+    </noscript>
+    <![endif]-->
+  <!--[if lte mso 11]>
+    <style type="text/css">
+      .mj-outlook-group-fix { width:100% !important; }
+    </style>
+    <![endif]-->
+  <!--[if !mso]><!-->
+  <link href="https://fonts.googleapis.com/css?family=Inter:400,600" rel="stylesheet" type="text/css">
+  <style type="text/css">
+    @import url(https://fonts.googleapis.com/css?family=Inter:400,600);
+  </style>
+  <!--<![endif]-->
+  <style type="text/css">
+    @media only screen and (min-width:480px) {
+      .mj-column-px-190 {
+        width: 190px !important;
+        max-width: 190px;
+      }
+
+      .mj-column-per-50 {
+        width: 50% !important;
+        max-width: 50%;
+      }
+
+      .mj-column-per-100 {
+        width: 100% !important;
+        max-width: 100%;
+      }
+    }
+  </style>
+  <style media="screen and (min-width:480px)">
+    .moz-text-html .mj-column-px-190 {
+      width: 190px !important;
+      max-width: 190px;
+    }
+
+    .moz-text-html .mj-column-per-50 {
+      width: 50% !important;
+      max-width: 50%;
+    }
+
+    .moz-text-html .mj-column-per-100 {
+      width: 100% !important;
+      max-width: 100%;
+    }
+  </style>
+  <style type="text/css">
+    @media only screen and (max-width:479px) {
+      table.mj-full-width-mobile {
+        width: 100% !important;
+      }
+
+      td.mj-full-width-mobile {
+        width: auto !important;
+      }
+    }
+  </style>
+</head>
+
+<body style="word-spacing:normal;">
+  <div aria-roledescription="email" style="" role="article" lang="und" dir="auto">
+    <!--[if mso | IE]><table align="center" border="0" cellpadding="0" cellspacing="0" class="" role="presentation" style="width:600px;" width="600" ><tr><td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;"><![endif]-->
+    <div style="margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:20px 0;text-align:left;">
+              <!--[if mso | IE]><table role="presentation" border="0" cellpadding="0" cellspacing="0"><tr><td class="" style="vertical-align:top;width:190px;" ><![endif]-->
+              <div class="mj-column-px-190 mj-outlook-group-fix" style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;" width="100%">
+                  <tbody>
+                    <tr>
+                      <td align="left" style="font-size:0px;padding:10px 25px;padding-bottom:0;word-break:break-word;">
+                        <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
+                          <tbody>
+                            <tr>
+                              <td style="width:140px;">
+                                <a href="{{ baserow_embedded_share_url }}" target="_blank">
+                                  <img alt="" src="{{ logo_url }}" style="border:0;display:block;outline:none;text-decoration:none;height:auto;width:100%;font-size:13px;" width="140" height="auto" />
+                                </a>
+                              </td>
+                            </tr>
+                          </tbody>
+                        </table>
+                      </td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+              <!--[if mso | IE]></td><td class="" style="vertical-align:top;width:300px;" ><![endif]-->
+              <div class="mj-column-per-50 mj-outlook-group-fix" style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;" width="100%">
+                  <tbody>
+                    <tr>
+                      <td align="left" style="font-size:0px;padding:10px 25px;padding-left:0;word-break:break-word;">
+                        <div style="font-family:Inter,sans-serif;font-size:13px;line-height:170%;text-align:left;color:#070810;">{{ logo_additional_text }}</div>
+                      </td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+              <!--[if mso | IE]></td></tr></table><![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <!--[if mso | IE]></td></tr></table><table align="center" border="0" cellpadding="0" cellspacing="0" class="" role="presentation" style="width:600px;" width="600" ><tr><td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;"><![endif]-->
+    <div style="margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:20px 0;text-align:center;">
+              <!--[if mso | IE]><table role="presentation" border="0" cellpadding="0" cellspacing="0"><tr><td class="" style="vertical-align:top;width:600px;" ><![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix" style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;" width="100%">
+                  <tbody>
+                    <tr>
+                      <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                        <div style="font-family:Inter,sans-serif;font-size:22px;font-weight:600;line-height:1;text-align:left;color:#070810;">{% trans "Password changed" %}</div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                        <div style="font-family:Inter,sans-serif;font-size:13px;line-height:170%;text-align:left;color:#070810;">{% blocktrans trimmed with user.username as username and baserow_embedded_share_hostname as baserow_embedded_share_hostname %} The password for your account ({{ username }}) on Baserow ({{ baserow_embedded_share_hostname }}) has been successfully changed. {% endblocktrans %}</div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                        <div style="font-family:Inter,sans-serif;font-size:13px;line-height:170%;text-align:left;color:#070810;">{% blocktrans trimmed %} If you did not make this change, please contact your administrator immediately to secure your account. {% endblocktrans %}</div>
+                      </td>
+                    </tr>
+                    <!-- htmlmin:ignore -->{% if show_baserow_description %}<!-- htmlmin:ignore -->
+                    <tr>
+                      <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                        <div style="font-family:Inter,sans-serif;font-size:13px;line-height:170%;text-align:left;color:#070810;">{% blocktrans trimmed %} Baserow is an open source no-code database tool which allows you to collaborate on projects, customers and more. It gives you the powers of a developer without leaving your browser. {% endblocktrans %}</div>
+                      </td>
+                    </tr>
+                    <!-- htmlmin:ignore -->{% endif %}<!-- htmlmin:ignore -->
+                  </tbody>
+                </table>
+              </div>
+              <!--[if mso | IE]></td></tr></table><![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <!--[if mso | IE]></td></tr></table><![endif]-->
+  </div>
+</body>
+
+</html>

backend/src/baserow/core/templates/baserow/core/user/password_changed.mjml.eta

@@ -0,0 +1,28 @@
+<% layout("../../base.layout.eta") %>
+
+<mj-section>
+  <mj-column>
+    <mj-text mj-class="title">{% trans "Password changed" %}</mj-text>
+    <mj-text mj-class="text">
+      {% blocktrans trimmed with user.username as username and baserow_embedded_share_hostname as baserow_embedded_share_hostname %}
+        The password for your account ({{ username }}) on
+        Baserow ({{ baserow_embedded_share_hostname }}) has been successfully changed.
+      {% endblocktrans %}
+    </mj-text>
+    <mj-text mj-class="text">
+      {% blocktrans trimmed %}
+        If you did not make this change, please contact your administrator immediately
+        to secure your account.
+      {% endblocktrans %}
+    </mj-text>
+    <mj-raw><!-- htmlmin:ignore -->{% if show_baserow_description %}<!-- htmlmin:ignore --></mj-raw>
+      <mj-text mj-class="text">
+        {% blocktrans trimmed %}
+          Baserow is an open source no-code database tool which allows you to collaborate
+          on projects, customers and more. It gives you the powers of a developer without
+          leaving your browser.
+        {% endblocktrans %}
+      </mj-text>
+    <mj-raw><!-- htmlmin:ignore -->{% endif %}<!-- htmlmin:ignore --></mj-raw>
+  </mj-column>
+</mj-section>

backend/src/baserow/core/user/emails.py

@@ -25,6 +25,22 @@ def get_context(self):
         return context
 
 
+class PasswordChangedEmail(BaseEmailMessage):
+    template_name = "baserow/core/user/password_changed.html"
+
+    def __init__(self, user, *args, **kwargs):
+        self.user = user
+        super().__init__(*args, **kwargs)
+
+    def get_subject(self):
+        return _("Password changed - Baserow")
+
+    def get_context(self):
+        context = super().get_context()
+        context.update(user=self.user)
+        return context
+
+
 class AccountDeletionScheduled(BaseEmailMessage):
     template_name = "baserow/core/user/account_deletion_scheduled.html"
 

backend/src/baserow/core/user/exceptions.py

@@ -38,6 +38,10 @@ class ResetPasswordDisabledError(Exception):
     """Raised when a password reset is attempted but the password reset is disabled."""
 
 
+class ResetPasswordTokenAlreadyUsed(Exception):
+    """Raised when a password reset token has already been used."""
+
+
 class DeactivatedUserException(Exception):
     pass