Refactor password reset for extensibility (#6803)

#### What type of PR is this? /kind improvement /area core /milestone 2.20.x #### What this PR does / why we need it: This PR refactors password reset for extensibility. If we want to add another password reset method, first thing we need to do is adding a new password reset method into `halo.security.password-reset-methods[]` and then defining PasswordResetAvailabilityProvider bean. #### Does this PR introduce a user-facing change? ```release-note None ```
2024-10-09 17:04:57 +08:00 · 2024-10-09 17:04:57 +08:00 · ec75564f37
parent 0e4a19d182
commit ec75564f37
28 changed files with 233 additions and 33 deletions
--- a/application/src/main/java/run/halo/app/core/user/service/impl/EmailPasswordRecoveryServiceImpl.java
+++ b/application/src/main/java/run/halo/app/core/user/service/impl/EmailPasswordRecoveryServiceImpl.java
@ -115,7 +115,7 @@ public class EmailPasswordRecoveryServiceImpl implements EmailPasswordRecoverySe
        var tokenHash = hashToken(token);
        var expiresAt = clock.instant().plus(RESET_TOKEN_LIFE_TIME);
        var uri = UriComponentsBuilder.fromUriString("/")
-            .pathSegment("password-reset", token)
+            .pathSegment("password-reset", "email", token)
            .build(true)
            .toUri();
        var resetToken = new ResetToken(tokenHash, username, expiresAt);
--- a/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
+++ b/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
@ -2,7 +2,10 @@ package run.halo.app.infra.properties;
 import static org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN;
 import java.net.URI;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.Data;
 import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy;
 import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;
@ -20,6 +23,8 @@ public class SecurityProperties {
    private final BasicAuthOptions basicAuth = new BasicAuthOptions();
    private final List<PasswordResetMethod> passwordResetMethods = new ArrayList<>();
    @Data
    public static class BasicAuthOptions {
        /**
@ -57,4 +62,15 @@ public class SecurityProperties {
    public static class RememberMeOptions {
        private Duration tokenValidity = Duration.ofDays(14);
    }
    @Data
    public static class PasswordResetMethod {
        private String name;
        private URI href;
        private URI icon;
    }
 }
--- a/application/src/main/java/run/halo/app/security/preauth/DefaultPasswordResetAvailabilityProviders.java
+++ b/application/src/main/java/run/halo/app/security/preauth/DefaultPasswordResetAvailabilityProviders.java
@ -0,0 +1,42 @@
 package run.halo.app.security.preauth;
 import java.util.List;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.stereotype.Component;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.infra.properties.SecurityProperties;
 import run.halo.app.infra.properties.SecurityProperties.PasswordResetMethod;
 /**
 * Default password reset availability providers.
 *
 * @author johnniang
 * @since 2.20.0
 */
@Component
 public class DefaultPasswordResetAvailabilityProviders
    implements PasswordResetAvailabilityProviders {
    private final SecurityProperties securityProperties;
    private final List<PasswordResetAvailabilityProvider> providers;
    public DefaultPasswordResetAvailabilityProviders(HaloProperties haloProperties,
        ObjectProvider<PasswordResetAvailabilityProvider> providers) {
        this.securityProperties = haloProperties.getSecurity();
        this.providers = providers.orderedStream().toList();
    }
    @Override
    public Flux<PasswordResetMethod> getAvailableMethods() {
        return Flux.fromIterable(securityProperties.getPasswordResetMethods())
            .filterWhen(method -> providers.stream()
                .filter(provider -> provider.support(method.getName()))
                .findFirst()
                .map(provider -> provider.isAvailable(method))
                .orElseGet(() -> Mono.just(false))
            );
    }
 }
--- a/application/src/main/java/run/halo/app/security/preauth/EmailPasswordResetAvailabilityProvider.java
+++ b/application/src/main/java/run/halo/app/security/preauth/EmailPasswordResetAvailabilityProvider.java
@ -0,0 +1,26 @@
 package run.halo.app.security.preauth;
 import org.springframework.stereotype.Component;
 import reactor.core.publisher.Mono;
 import run.halo.app.infra.properties.SecurityProperties;
 /**
 * Email password reset availability provider.
 *
 * @author johnniang
 * @since 2.20.0
 */
@Component
 public class EmailPasswordResetAvailabilityProvider implements PasswordResetAvailabilityProvider {
    @Override
    public Mono<Boolean> isAvailable(SecurityProperties.PasswordResetMethod method) {
        // TODO Check the email notifier is available in the future
        return Mono.just(true);
    }
    @Override
    public boolean support(String name) {
        return "email".equals(name);
    }
 }
--- a/application/src/main/java/run/halo/app/security/preauth/PasswordResetAvailabilityProvider.java
+++ b/application/src/main/java/run/halo/app/security/preauth/PasswordResetAvailabilityProvider.java
@ -0,0 +1,30 @@
 package run.halo.app.security.preauth;
 import reactor.core.publisher.Mono;
 import run.halo.app.infra.properties.SecurityProperties;
 /**
 * Password reset availability provider.
 *
 * @author johnniang
 * @since 2.20.0
 */
 public interface PasswordResetAvailabilityProvider {
    /**
     * Check if the password reset method is available.
     *
     * @param method password reset method
     * @return true if available, false otherwise
     */
    Mono<Boolean> isAvailable(SecurityProperties.PasswordResetMethod method);
    /**
     * Check if the provider supports the name.
     *
     * @param name password reset method name
     * @return true if supports, false otherwise
     */
    boolean support(String name);
 }
--- a/application/src/main/java/run/halo/app/security/preauth/PasswordResetAvailabilityProviders.java
+++ b/application/src/main/java/run/halo/app/security/preauth/PasswordResetAvailabilityProviders.java
@ -0,0 +1,31 @@
 package run.halo.app.security.preauth;
 import reactor.core.publisher.Flux;
 import run.halo.app.infra.properties.SecurityProperties.PasswordResetMethod;
 /**
 * Password reset availability providers.
 *
 * @author johnniang
 * @since 2.20.0
 */
 public interface PasswordResetAvailabilityProviders {
    /**
     * Get available password reset methods.
     *
     * @return available password reset methods
     */
    Flux<PasswordResetMethod> getAvailableMethods();
    /**
     * Get other available password reset methods.
     *
     * @param methodName method name
     * @return other available password reset methods
     */
    default Flux<PasswordResetMethod> getOtherAvailableMethods(String methodName) {
        return getAvailableMethods().filter(method -> !method.getName().equals(methodName));
    }
 }
--- a/application/src/main/java/run/halo/app/security/preauth/PreAuthEmailPasswordResetEndpoint.java
+++ b/application/src/main/java/run/halo/app/security/preauth/PreAuthEmailPasswordResetEndpoint.java
@ -33,7 +33,10 @@ import run.halo.app.infra.utils.IpAddressUtils;
 * @since 2.20.0
 */
@Component
-class PreAuthPasswordResetEndpoint {
+class PreAuthEmailPasswordResetEndpoint {
    private static final String SEND_TEMPLATE = "password-reset/email/send";
    private static final String RESET_TEMPLATE = "password-reset/email/reset";
    private final EmailPasswordRecoveryService emailPasswordRecoveryService;
@ -41,32 +44,44 @@ class PreAuthPasswordResetEndpoint {
    private final RateLimiterRegistry rateLimiterRegistry;
-    public PreAuthPasswordResetEndpoint(EmailPasswordRecoveryService emailPasswordRecoveryService,
+    private final PasswordResetAvailabilityProviders passwordResetAvailabilityProviders;
    public PreAuthEmailPasswordResetEndpoint(
        EmailPasswordRecoveryService emailPasswordRecoveryService,
        MessageSource messageSource,
-        RateLimiterRegistry rateLimiterRegistry
+        RateLimiterRegistry rateLimiterRegistry,
        PasswordResetAvailabilityProviders passwordResetAvailabilityProviders
    ) {
        this.emailPasswordRecoveryService = emailPasswordRecoveryService;
        this.messageSource = messageSource;
        this.rateLimiterRegistry = rateLimiterRegistry;
        this.passwordResetAvailabilityProviders = passwordResetAvailabilityProviders;
    }
    @Bean
    RouterFunction<ServerResponse> preAuthPasswordResetEndpoints() {
-        return RouterFunctions.nest(path("/password-reset"), RouterFunctions.route()
+        return RouterFunctions.nest(path("/password-reset/email"), RouterFunctions.route()
-            .GET("", request -> ServerResponse.ok().render("password-reset"))
+            .GET("", request -> {
                return ServerResponse.ok().render(SEND_TEMPLATE, Map.of(
                    "otherMethods",
                    passwordResetAvailabilityProviders.getOtherAvailableMethods("email")
                ));
            })
            .GET("/{resetToken}",
                request -> {
                    var token = request.pathVariable("resetToken");
                    return emailPasswordRecoveryService.getValidResetToken(token)
                        .flatMap(resetToken -> {
                            // TODO Check the 2FA of the user
-                            return ServerResponse.ok().render("password-reset-link", Map.of(
+                            return ServerResponse.ok().render(RESET_TEMPLATE, Map.of(
                                "username", resetToken.username()
                            ));
                        })
                        .onErrorResume(InvalidResetTokenException.class,
                            e -> ServerResponse.status(HttpStatus.FOUND)
-                                .location(URI.create("/password-reset"))
+                                .location(
                                    URI.create("/password-reset/email?error=invalid_reset_token")
                                )
                                .build()
                                .transformDeferred(rateLimiterForPasswordResetVerification(
                                    request.exchange().getRequest()
@ -94,7 +109,7 @@ class PreAuthPasswordResetEndpoint {
                                "Password can't be blank",
                                locale
                            );
-                            return ServerResponse.ok().render("password-reset-link", Map.of(
+                            return ServerResponse.ok().render(RESET_TEMPLATE, Map.of(
                                "error", error
                            ));
                        }
@ -105,13 +120,13 @@ class PreAuthPasswordResetEndpoint {
                                "Password and confirm password mismatch",
                                locale
                            );
-                            return ServerResponse.ok().render("password-reset-link", Map.of(
+                            return ServerResponse.ok().render(RESET_TEMPLATE, Map.of(
                                "error", error
                            ));
                        }
                        return emailPasswordRecoveryService.changePassword(password, token)
                            .then(ServerResponse.status(HttpStatus.FOUND)
-                                .location(URI.create("/login?passwordReset"))
+                                .location(URI.create("/login?password_reset"))
                                .build()
                            )
                            .onErrorResume(InvalidResetTokenException.class, e -> {
@ -121,7 +136,7 @@ class PreAuthPasswordResetEndpoint {
                                    "Invalid reset token",
                                    locale
                                );
-                                return ServerResponse.ok().render("password-reset-link", Map.of(
+                                return ServerResponse.ok().render(RESET_TEMPLATE, Map.of(
                                    "error", error
                                )).transformDeferred(rateLimiterForPasswordResetVerification(
                                    request.exchange().getRequest()
@ -148,12 +163,12 @@ class PreAuthPasswordResetEndpoint {
                                    "Email can't be blank",
                                    locale
                                );
-                                return ServerResponse.ok().render("password-reset", Map.of(
+                                return ServerResponse.ok().render(SEND_TEMPLATE, Map.of(
                                    "error", error
                                ));
                            }
                            return emailPasswordRecoveryService.sendPasswordResetEmail(email)
-                                .then(ServerResponse.ok().render("password-reset", Map.of(
+                                .then(ServerResponse.ok().render(SEND_TEMPLATE, Map.of(
                                    "sent", true
                                )))
                                .transformDeferred(rateLimiterForSendPasswordResetEmail(
--- a/application/src/main/resources/application.yaml
+++ b/application/src/main/resources/application.yaml
@ -42,6 +42,11 @@ halo:
      - pathPattern: /upload/**
        locations:
          - migrate-from-1.x
  security:
    password-reset-methods:
      - name: email
        href: /password-reset/email
        icon: /images/password-reset-methods/email.svg
 springdoc:
  api-docs:
--- a/application/src/main/resources/static/images/password-reset-methods/email.svg
+++ b/application/src/main/resources/static/images/password-reset-methods/email.svg
@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="rgba(75,85,99,1)"><path d="M3 3H21C21.5523 3 22 3.44772 22 4V20C22 20.5523 21.5523 21 21 21H3C2.44772 21 2 20.5523 2 20V4C2 3.44772 2.44772 3 3 3ZM20 7.23792L12.0718 14.338L4 7.21594V19H20V7.23792ZM4.51146 5L12.0619 11.662L19.501 5H4.51146Z"></path></svg>
--- a/application/src/main/resources/static/styles/main.css
+++ b/application/src/main/resources/static/styles/main.css
@ -283,7 +283,7 @@
    background: #f9fafb;
 }
-.auth-provider-items {
+.pill-items {
    all: unset;
    gap: var(--spacing-sm);
    margin: 0;
@ -292,7 +292,7 @@
    justify-content: center;
 }
-.auth-provider-items li {
+.pill-items li {
    all: unset;
    border-radius: var(--rounded-lg);
    overflow: hidden;
@ -302,7 +302,7 @@
    transition-duration: 0.15s;
 }
-.auth-provider-items li a {
+.pill-items li a {
    gap: var(--spacing-sm);
    font-size: var(--text-sm);
    padding: 0.7em 1em;
@ -312,21 +312,21 @@
    text-decoration: none;
 }
-.auth-provider-items li img {
+.pill-items li img {
    width: 1.5em;
    height: 1.5em;
 }
-.auth-provider-items li:hover {
+.pill-items li:hover {
    border-color: var(--color-primary);
    background: #f3f4f6;
 }
-.auth-provider-items li:hover a {
+.pill-items li:hover a {
    color: #111827;
 }
-.auth-provider-items li:focus-within {
+.pill-items li:focus-within {
    border-color: var(--color-primary);
 }
--- a/application/src/main/resources/templates/gateway_modules/common_fragments.html
+++ b/application/src/main/resources/templates/gateway_modules/common_fragments.html
@ -109,7 +109,7 @@
            <th:block th:text="#{socialLogin.label}"></th:block>
            <hr />
        </div>
-        <ul class="auth-provider-items">
+        <ul class="pill-items">
            <li th:each="provider : ${socialAuthProviders}">
                <a th:href="${provider.spec.authenticationUrl}">
                    <img th:src="${provider.spec.logo}" />
@ -120,6 +120,26 @@
    </th:block>
 </div>
 <div th:remove="tag" th:fragment="passwordResetMethods">
    <th:block th:unless="${#lists.isEmpty(otherMethods)}">
        <div class="divider-wrapper">
            <hr />
            <th:block th:text="#{passwordResetMethods.label}"></th:block>
            <hr />
        </div>
        <ul class="pill-items">
            <li th:each="method : ${otherMethods}">
                <a th:href="${method.href}">
                    <img th:src="${method.icon}" />
                    <span
                        th:text="${#messages.msgOrNull('passwordResetMethods.' + method.name + '.displayName') ?: method.name}"
                    ></span>
                </a>
            </li>
        </ul>
    </th:block>
 </div>
 <div th:remove="tag" th:fragment="signupNoticeContent">
    <style>
        .signup-notice-content {
--- a/application/src/main/resources/templates/gateway_modules/common_fragments.properties
+++ b/application/src/main/resources/templates/gateway_modules/common_fragments.properties
@ -7,3 +7,6 @@ signupNotice.link=立即注册
 loginNotice.description=已有账号，
 loginNotice.link=立即登录
 returnToSite=返回网站
 passwordResetMethods.label=其他重置方式
 passwordResetMethods.email.displayName=通过邮件重置
--- a/application/src/main/resources/templates/gateway_modules/common_fragments_en.properties
+++ b/application/src/main/resources/templates/gateway_modules/common_fragments_en.properties
@ -7,3 +7,6 @@ signupNotice.link=Sign up
 loginNotice.description=Already have an account,
 loginNotice.link=Login now
 returnToSite=Return to site
 passwordResetMethods.label=Other Reset Methods
 passwordResetMethods.email.displayName=Reset via Email
--- a/application/src/main/resources/templates/gateway_modules/common_fragments_es.properties
+++ b/application/src/main/resources/templates/gateway_modules/common_fragments_es.properties
@ -7,3 +7,6 @@ signupNotice.link=Regístrate ahora
 loginNotice.description=Ya tienes una cuenta,
 loginNotice.link=Inicia sesión ahora
 returnToSite=Volver al sitio
 passwordResetMethods.label=Otros Métodos de Restablecimiento
 passwordResetMethods.email.displayName=Restablecer por Correo Electrónico
--- a/application/src/main/resources/templates/gateway_modules/common_fragments_zh_TW.properties
+++ b/application/src/main/resources/templates/gateway_modules/common_fragments_zh_TW.properties
@ -7,3 +7,6 @@ signupNotice.link=立即註冊
 loginNotice.description=已有帳號，
 loginNotice.link=立即登入
 returnToSite=返回網站
 passwordResetMethods.label=其他重置方式
 passwordResetMethods.email.displayName=通過郵件重置
--- a/application/src/main/resources/templates/gateway_modules/form_fragments.html
+++ b/application/src/main/resources/templates/gateway_modules/form_fragments.html
@ -245,7 +245,7 @@
 <form
    th:fragment="passwordResetLink"
    class="halo-form"
-    th:action="@{/password-reset/{resetToken}(resetToken=${resetToken})}"
+    th:action="@{/password-reset/email/{resetToken}(resetToken=${resetToken})}"
    method="post"
 >
    <div class="alert alert-error" role="alert" th:if="${error}">
@ -280,7 +280,7 @@
            <button type="submit" th:text="#{form.passwordReset.sent.submit}"></button>
        </div>
    </form>
-    <form th:unless="${sent}" class="halo-form" th:action="@{/password-reset}" method="post">
+    <form th:unless="${sent}" class="halo-form" th:action="@{/password-reset/email}" method="post">
        <div class="alert alert-error" th:if="${error}">
            <strong th:text="${error}"></strong>
        </div>
--- a/application/src/main/resources/templates/gateway_modules/login_fragments.html
+++ b/application/src/main/resources/templates/gateway_modules/login_fragments.html
@ -6,7 +6,7 @@
            <th:block th:text="#{otherLogin.label}"></th:block>
            <hr />
        </div>
-        <ul class="auth-provider-items">
+        <ul class="pill-items">
            <li th:each="provider : ${formAuthProviders}">
                <a th:href="'/login?method=' + ${provider.metadata.name}">
                    <img th:src="${provider.spec.logo}" />
--- a/application/src/main/resources/templates/login_local.html
+++ b/application/src/main/resources/templates/login_local.html
@ -45,7 +45,7 @@
            <a
                class="form-item-extra-link"
                tabindex="-1"
-                th:href="@{/password-reset}"
+                th:href="@{/password-reset/email}"
                th:text="#{form.password.forgot}"
            >
            </a>
--- a/application/src/main/resources/templates/password-reset/email/reset.html
+++ b/application/src/main/resources/templates/password-reset/email/reset.html
--- a/application/src/main/resources/templates/password-reset/email/reset.properties
+++ b/application/src/main/resources/templates/password-reset/email/reset.properties
--- a/application/src/main/resources/templates/password-reset/email/reset_en.properties
+++ b/application/src/main/resources/templates/password-reset/email/reset_en.properties
--- a/application/src/main/resources/templates/password-reset/email/reset_es.properties
+++ b/application/src/main/resources/templates/password-reset/email/reset_es.properties
--- a/application/src/main/resources/templates/password-reset/email/reset_zh_TW.properties
+++ b/application/src/main/resources/templates/password-reset/email/reset_zh_TW.properties
--- a/application/src/main/resources/templates/password-reset/email/send.html
+++ b/application/src/main/resources/templates/password-reset/email/send.html
@ -9,6 +9,8 @@
            <div class="halo-form-wrapper">
                <h1 class="form-title" th:text="${sent} ? #{sent.title} : #{title}"></h1>
                <form th:replace="~{gateway_modules/form_fragments::passwordReset}"></form>
                <div th:replace="~{gateway_modules/common_fragments::passwordResetMethods}"></div>
            </div>
            <div th:replace="~{gateway_modules/common_fragments::languageSwitcher}"></div>
--- a/application/src/main/resources/templates/password-reset/email/send.properties
+++ b/application/src/main/resources/templates/password-reset/email/send.properties
--- a/application/src/main/resources/templates/password-reset/email/send_en.properties
+++ b/application/src/main/resources/templates/password-reset/email/send_en.properties
--- a/application/src/main/resources/templates/password-reset/email/send_es.properties
+++ b/application/src/main/resources/templates/password-reset/email/send_es.properties
--- a/application/src/main/resources/templates/password-reset/email/send_zh_TW.properties
+++ b/application/src/main/resources/templates/password-reset/email/send_zh_TW.properties
		`@ -0,0 +1 @@`
							`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="rgba(75,85,99,1)"><path d="M3 3H21C21.5523 3 22 3.44772 22 4V20C22 20.5523 21.5523 21 21 21H3C2.44772 21 2 20.5523 2 20V4C2 3.44772 2.44772 3 3 3ZM20 7.23792L12.0718 14.338L4 7.21594V19H20V7.23792ZM4.51146 5L12.0619 11.662L19.501 5H4.51146Z"></path></svg>`