Password Resets: Ignore magic link visits from bots

For #108. Literally just searches the useragent for "Bot", seems good enough for Telegram atleast.
4 years ago · 953a66ec47
parent fb6256d1ed
commit 953a66ec47
2 changed files with 32 additions and 22 deletions
--- a/pwreset.go
+++ b/pwreset.go
@ -54,10 +54,12 @@ func pwrMonitor(app *appContext, watcher *fsnotify.Watcher) {
 				var pwr PasswordReset
 				data, err := os.ReadFile(event.Name)
 				if err != nil {
 					app.debug.Printf("PWR: Failed to read file: %v", err)
 					return
 				}
 				err = json.Unmarshal(data, &pwr)
 				if len(pwr.Pin) == 0 || err != nil {
 					app.debug.Printf("PWR: Failed to read PIN: %v", err)
 					return
 				}
 				app.info.Printf("New password reset for user \"%s\"", pwr.Username)
--- a/views.go
+++ b/views.go
@ -137,6 +137,7 @@ func (app *appContext) AdminPage(gc *gin.Context) {
 }
 func (app *appContext) ResetPassword(gc *gin.Context) {
 	isBot := strings.Contains(gc.Request.Header.Get("User-Agent"), "Bot")
 	pin := gc.Query("pin")
 	if pin == "" {
 		app.NoRouteHandler(gc)
@ -151,32 +152,39 @@ func (app *appContext) ResetPassword(gc *gin.Context) {
 		"success":        false,
 		"ombiEnabled":    app.config.Section("ombi").Key("enabled").MustBool(false),
 	}
-	resp, status, err := app.jf.ResetPassword(pin)
+	defer gcHTML(gc, http.StatusOK, "password-reset.html", data)
-	if status == 200 && err == nil && resp.Success {
+	// If it's a bot, pretend to be a success so the preview is nice.
 	if isBot {
 		app.debug.Println("PWR: Ignoring magic link visit from bot")
 		data["success"] = true
-		data["pin"] = pin
+		data["pin"] = "NO-BO-TS"
 	} else {
-		app.err.Printf("Password Reset failed (%d): %v", status, err)
+		resp, status, err := app.jf.ResetPassword(pin)
-	}
+		if status == 200 && err == nil && resp.Success {
-	defer gcHTML(gc, http.StatusOK, "password-reset.html", data)
+			data["success"] = true
-	if app.config.Section("ombi").Key("enabled").MustBool(false) {
+			data["pin"] = pin
-		jfUser, status, err := app.jf.UserByName(resp.UsersReset[0], false)
+		} else {
-		if status != 200 || err != nil {
+			app.err.Printf("Password Reset failed (%d): %v", status, err)
 			app.err.Printf("Failed to get user \"%s\" from jellyfin/emby (%d): %v", resp.UsersReset[0], status, err)
 			return
 		}
 		ombiUser, status, err := app.getOmbiUser(jfUser.ID)
 		if status != 200 || err != nil {
 			app.err.Printf("Failed to get user \"%s\" from ombi (%d): %v", resp.UsersReset[0], status, err)
 			return
 		}
-		ombiUser["password"] = pin
+		if app.config.Section("ombi").Key("enabled").MustBool(false) {
-		status, err = app.ombi.ModifyUser(ombiUser)
+			jfUser, status, err := app.jf.UserByName(resp.UsersReset[0], false)
-		if status != 200 || err != nil {
+			if status != 200 || err != nil {
-			app.err.Printf("Failed to set password for ombi user \"%s\" (%d): %v", ombiUser["userName"], status, err)
+				app.err.Printf("Failed to get user \"%s\" from jellyfin/emby (%d): %v", resp.UsersReset[0], status, err)
-			return
+				return
 			}
 			ombiUser, status, err := app.getOmbiUser(jfUser.ID)
 			if status != 200 || err != nil {
 				app.err.Printf("Failed to get user \"%s\" from ombi (%d): %v", resp.UsersReset[0], status, err)
 				return
 			}
 			ombiUser["password"] = pin
 			status, err = app.ombi.ModifyUser(ombiUser)
 			if status != 200 || err != nil {
 				app.err.Printf("Failed to set password for ombi user \"%s\" (%d): %v", ombiUser["userName"], status, err)
 				return
 			}
 			app.debug.Printf("Reset password for ombi user \"%s\"", ombiUser["userName"])
 		}
 		app.debug.Printf("Reset password for ombi user \"%s\"", ombiUser["userName"])
 	}
 }