web UI/REST API: add password reset

In order to reset the password from the admin/client user interface, an SMTP configuration must be added and the user/admin must have an email address. You can prohibit the reset functionality on a per-user basis by using a specific restriction. Fixes #597
2025-12-06 22:30:56 +03:00 · 2021-11-13 13:25:43 +01:00
parent b331dc5686
commit 78233ff9a3
25 changed files with 1787 additions and 60 deletions
--- a/httpd/resetcode.go
+++ b/httpd/resetcode.go
@@ -0,0 +1,43 @@
+package httpd
+
+import (
+	"sync"
+	"time"
+
+	"github.com/drakkan/sftpgo/v2/util"
+)
+
+var (
+	resetCodeLifespan = 10 * time.Minute
+	resetCodes        sync.Map
+)
+
+type resetCode struct {
+	Code      string
+	Username  string
+	IsAdmin   bool
+	ExpiresAt time.Time
+}
+
+func (c *resetCode) isExpired() bool {
+	return c.ExpiresAt.Before(time.Now().UTC())
+}
+
+func newResetCode(username string, isAdmin bool) *resetCode {
+	return &resetCode{
+		Code:      util.GenerateUniqueID(),
+		Username:  username,
+		IsAdmin:   isAdmin,
+		ExpiresAt: time.Now().Add(resetCodeLifespan).UTC(),
+	}
+}
+
+func cleanupExpiredResetCodes() {
+	resetCodes.Range(func(key, value interface{}) bool {
+		c, ok := value.(*resetCode)
+		if !ok || c.isExpired() {
+			resetCodes.Delete(key)
+		}
+		return true
+	})
+}