From 7ec37914a13b3ef6c00748dad539d59fc4a8ad5f Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <rpm@fthiessen.de>
Date: Mon, 18 Jan 2021 18:05:10 +0100
Subject: [PATCH] [System] Send welcome and password-changed notifications,
 allow custom text per config file

---
 flaschengeist.example.toml                 | 31 +++++++++++++++
 flaschengeist/controller/userController.py | 45 ++++++++++++++--------
 flaschengeist/models/user.py               |  2 +-
 3 files changed, 60 insertions(+), 18 deletions(-)

diff --git a/flaschengeist.example.toml b/flaschengeist.example.toml
index 6953678..efe1efe 100644
--- a/flaschengeist.example.toml
+++ b/flaschengeist.example.toml
@@ -7,6 +7,8 @@ auth = "auth_plain"
 #root = /api
 # Set secret key
 secret_key = "V3ryS3cr3t"
+# Domain used by frontend
+#domain = "flaschengeist.local"
 
 [LOGGING]
 file = "/tmp/flaschengeist-debug.log"
@@ -34,6 +36,35 @@ enabled = true
 # admin_dn =
 # default_gid =
 
+[MESSAGES]
+welcome_subject = "Welcome to Flaschengeist {name}"
+welcome_text = '''
+Hello {name}!
+Welcome to Flaschengeist!
+Have fun :)
+'''
+
+password_subject = "Flaschengeist - Password reset"
+password_text = '''
+Hello {name}!
+There was a password reset request for username: {username}
+
+To change your password, click on this link:
+{link}
+'''
+
+password_changed_subject = "Flaschengeist - Password changed"
+password_changed_text = '''
+Hello {name}!
+Your password was changed for username: {username}
+
+If this was not you, please contact the support.
+'''
+
+##################
+#     PLUGINS    #
+##################
+
 #[users]
 # always enabled
 #
diff --git a/flaschengeist/controller/userController.py b/flaschengeist/controller/userController.py
index 1781755..eefcdeb 100644
--- a/flaschengeist/controller/userController.py
+++ b/flaschengeist/controller/userController.py
@@ -4,6 +4,7 @@ from datetime import datetime, timedelta, timezone
 from werkzeug.exceptions import NotFound, BadRequest, Forbidden
 
 from flaschengeist import logger
+from flaschengeist.config import config
 from flaschengeist.database import db
 from flaschengeist.utils.hook import Hook
 from flaschengeist.models.user import User, Role, _PasswordReset
@@ -35,26 +36,22 @@ def request_reset(user: User):
     if not reset.expires or reset.expires < expires:
         expires = expires + timedelta(hours=12)
         reset.expires = expires
-        reset.token = secrets.token_urlsafe(16)
+        reset.token = secrets.token_urlsafe(24)
+        db.session.commit()
 
-    subject = "Flaschengeist - Passwort zurücksetzten"
-    domain = "flaschengeist.local"
-    text = f"""Hallo {user.display_name},
-Jemand hat das Zurücksetzen des Passworts für dein Flaschengeist Benutzerkonto angefordert.
-
-Benutzername: {user.userid}
-
-Falls das nicht beabsichtigt war, ignoriere diese E-Mail einfach. Es wird dann nichts passieren.
-
-Um dein Passwort zurückzusetzen, besuche folgende Adresse, der Link ist 12 Stunden gültig:
-
-<https://{domain}/reset?token={reset.token}>
- """
-    db.session.commit()
+    subject = str(config["MESSAGES"]["password_subject"]).format(name=user.display_name, username=user.userid)
+    text = str(config["MESSAGES"]["password_text"]).format(
+        name=user.display_name,
+        username=user.userid,
+        link=f'https://{config["FLASCHENGEIST"]["domain"]}/reset?token={reset.token}'
+    )
     messageController.send_message(messageController.Message(user, text, subject))
 
 
 def reset_password(token: str, password: str):
+    if len(token) != 32:
+        raise BadRequest
+
     reset = _PasswordReset.query.filter(_PasswordReset.token == token).one_or_none()
     logger.debug(f"Token is {'valid' if reset else 'invalid'}")
     if not reset or reset.expires < datetime.now(tz=timezone.utc):
@@ -101,8 +98,13 @@ def modify_user(user, password, new_password=None):
     current_app.config["FG_AUTH_BACKEND"].modify_user(user, password, new_password)
 
     if new_password:
-        # TODO: Password changed mail
-        logger.error(f"Password changed for user {user.userid}")
+        logger.debug(f"Password changed for user {user.userid}")
+        subject = str(config["MESSAGES"]["password_changed_subject"]).format(name=user.display_name, username=user.userid)
+        text = str(config["MESSAGES"]["password_changed_text"]).format(
+            name=user.display_name,
+            username=user.userid,
+        )
+        messageController.send_message(messageController.Message(user, text, subject))
 
 
 def get_users():
@@ -150,6 +152,15 @@ def register(data):
 
     db.session.add(user)
     db.session.commit()
+
+    if user.mail and len(user.mail) > 3:
+        subject = str(config["MESSAGES"]["welcome_subject"]).format(name=user.display_name, username=user.userid)
+        text = str(config["MESSAGES"]["welcome_text"]).format(
+            name=user.display_name,
+            username=user.userid,
+        )
+        messageController.send_message(messageController.Message(user, text, subject))
+
     return user
 
 
diff --git a/flaschengeist/models/user.py b/flaschengeist/models/user.py
index a25fd33..62940d8 100644
--- a/flaschengeist/models/user.py
+++ b/flaschengeist/models/user.py
@@ -107,7 +107,7 @@ class _PasswordReset(db.Model):
     __tablename__ = "password_reset"
     _user_id: User = db.Column("user", db.Integer, db.ForeignKey("user.id"), primary_key=True)
     user: User = db.relationship("User", foreign_keys=[_user_id])
-    token: str = db.Column(db.String(30))
+    token: str = db.Column(db.String(32))
     expires: datetime = db.Column(UtcDateTime)