web UI/REST API: add password reset

In order to reset the password from the admin/client user interface,
an SMTP configuration must be added and the user/admin must have an email
address.
You can prohibit the reset functionality on a per-user basis by using a
specific restriction.

Fixes #597

httpd/api_user.go

@@ -12,6 +12,7 @@ import (
 	"github.com/drakkan/sftpgo/v2/dataprovider"
 	"github.com/drakkan/sftpgo/v2/kms"
 	"github.com/drakkan/sftpgo/v2/sdk"
+	"github.com/drakkan/sftpgo/v2/smtp"
 	"github.com/drakkan/sftpgo/v2/util"
 	"github.com/drakkan/sftpgo/v2/vfs"
 )
@@ -186,6 +187,40 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
 	disconnectUser(username)
 }
 
+func forgotUserPassword(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+
+	if !smtp.IsEnabled() {
+		sendAPIResponse(w, r, nil, "No SMTP configuration", http.StatusBadRequest)
+		return
+	}
+
+	err := handleForgotPassword(r, getURLParam(r, "username"), false)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+
+	sendAPIResponse(w, r, err, "Check your email for the confirmation code", http.StatusOK)
+}
+
+func resetUserPassword(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+
+	var req pwdReset
+	err := render.DecodeJSON(r.Body, &req)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
+		return
+	}
+	_, _, err = handleResetPassword(r, req.Code, req.Password, false)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	sendAPIResponse(w, r, err, "Password reset successful", http.StatusOK)
+}
+
 func disconnectUser(username string) {
 	for _, stat := range common.Connections.GetStats() {
 		if stat.Username == username {