Add email-based password reset (#1779)

* Add email-based password reset Fixes #734 * rename SETPASS to RESETPASS * review fixes * abuse mitigations * SENDPASS and RESETPASS should both touch the client login throttle * Produce a logline and a sno on SENDPASS (since it actually sends an email) * don't re-retrieve the settings value * add email confirmation for NS SET EMAIL * smtp: if require-tls is disabled, don't validate server cert * review fixes * remove cooldown for NS SET EMAIL If you accidentally set the wrong address, the cooldown would prevent you from fixing your mistake. Since we touch the registration throttle anyway, this shouldn't present more of an abuse concern than registration itself.
2021-08-25 22:32:55 -04:00 · 2021-08-25 22:32:55 -04:00 · 8b2f6de3e0
commit 8b2f6de3e0
parent 0baaf0b711
8 changed files with 525 additions and 58 deletions
--- a/default.yaml
+++ b/default.yaml
@ -414,6 +414,13 @@ accounts:
            blacklist-regexes:
            #    - ".*@mailinator.com"
            timeout: 60s
+            # email-based password reset:
+            password-reset:
+                enabled: false
+                # time before we allow resending the email
+                cooldown: 1h
+                # time for which a password reset code is valid
+                timeout: 1d

    # throttle account login attempts (to prevent either password guessing, or DoS
    # attacks on the server aimed at forcing repeated expensive bcrypt computations)