web UI/REST API: add password reset

In order to reset the password from the admin/client user interface, an SMTP configuration must be added and the user/admin must have an email address. You can prohibit the reset functionality on a per-user basis by using a specific restriction. Fixes #597
2025-12-06 22:30:56 +03:00 · 2021-11-13 13:25:43 +01:00
parent b331dc5686
commit 78233ff9a3
25 changed files with 1787 additions and 60 deletions
--- a/httpd/api_admin.go
+++ b/httpd/api_admin.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-chi/render"

 	"github.com/drakkan/sftpgo/v2/dataprovider"
+	"github.com/drakkan/sftpgo/v2/smtp"
 	"github.com/drakkan/sftpgo/v2/util"
 )

@@ -214,6 +215,39 @@ func updateAdminProfile(w http.ResponseWriter, r *http.Request) {
 	sendAPIResponse(w, r, err, "Profile updated", http.StatusOK)
 }

+func forgotAdminPassword(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	if !smtp.IsEnabled() {
+		sendAPIResponse(w, r, nil, "No SMTP configuration", http.StatusBadRequest)
+		return
+	}
+
+	err := handleForgotPassword(r, getURLParam(r, "username"), true)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+
+	sendAPIResponse(w, r, err, "Check your email for the confirmation code", http.StatusOK)
+}
+
+func resetAdminPassword(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+
+	var req pwdReset
+	err := render.DecodeJSON(r.Body, &req)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
+		return
+	}
+	_, _, err = handleResetPassword(r, req.Code, req.Password, true)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	sendAPIResponse(w, r, err, "Password reset successful", http.StatusOK)
+}
+
 func changeAdminPassword(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)