+1 -7

pegasus/lib/api/server/requestPasswordReset.ml

··· 2 2 3 3 let request_password_reset (actor : Data_store.Types.actor) db = 4 4 let did = actor.did in 5 5 - let code = 6 6 - "pwd-" 7 7 - ^ String.sub 8 8 - Digestif.SHA256.( 9 9 - digest_string (did ^ Int.to_string @@ Util.now_ms ()) |> to_hex ) 10 10 - 0 8 11 11 - in 5 5 + let code = Util.make_code () in 12 6 let expires_at = Util.now_ms () + (10 * 60 * 1000) in 13 7 let%lwt () = Data_store.set_auth_code ~did ~code ~expires_at db in 14 8 Util.send_email_or_log ~recipients:[To actor.email]

+1 -3

pegasus/lib/api/server/resetPassword.ml

··· 9 9 | Some actor -> ( 10 10 match (actor.auth_code, actor.auth_code_expires_at) with 11 11 | Some auth_code, Some auth_expires_at 12 12 - when String.starts_with ~prefix:"pwd-" auth_code 13 13 - && token = auth_code 14 14 - && Util.now_ms () < auth_expires_at -> 12 12 + when token = auth_code && Util.now_ms () < auth_expires_at -> 15 13 let%lwt () = Data_store.update_password ~did:actor.did ~password db in 16 14 Lwt.return_ok actor.did 17 15 | _ ->

+5 -10

pegasus/lib/util.ml

··· 473 473 with Not_found -> false 474 474 475 475 let make_code () = 476 476 - let () = Random.self_init () in 477 477 - let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" in 478 478 - let len = String.length chars in 479 479 - let s = Bytes.create 10 in 480 480 - for i = 0 to 9 do 481 481 - let random_index = Random.int len in 482 482 - Bytes.set s i chars.[random_index] 483 483 - done ; 484 484 - let str = Bytes.to_string s in 485 485 - String.sub str 0 5 ^ "-" ^ String.sub str 5 5 476 476 + let () = Mirage_crypto_rng_unix.use_default () in 477 477 + let token = 478 478 + Multibase.Base32.encode_string @@ Mirage_crypto_rng_unix.getrandom 32 479 479 + in 480 480 + String.sub token 0 5 ^ "-" ^ String.sub token 5 5 486 481 487 482 module type Template = sig 488 483 type props