Files
ragflow/internal/utility/otp.go

158 lines
5.6 KiB
Go
Raw Normal View History

feat(go-api): port forgot-password flow to Go (#15282) (#15290) ## Summary Implements **chunk 1** of #15282 — the four `/api/v1/auth/password/...` endpoints from the login-page Go port. **Chunk 2 (OAuth/OIDC) is deferred** to its own subtask, matching the issue author's own confidence-low recommendation ("multi-provider, stateful redirect flow with external dependencies; recommend its own subtask"). New endpoints, all registered under `apiNoAuth` (forgot-password users are unauthenticated by definition): | Method | Path | Status | |--------|------|--------| | `POST` | `/api/v1/auth/password/forgot/captcha` | new | | `POST` | `/api/v1/auth/password/forgot/otp` | new | | `POST` | `/api/v1/auth/password/forgot/otp/verify` | new | | `POST` | `/api/v1/auth/password/reset` | new | ## Wire compatibility with the Python backend The two backends share state through Redis, so the Go port had to use identical keys, encodings, and constants. Either backend can now validate a code the other minted. - **Redis keys**: `captcha:<email>`, `otp:<email>`, `otp_attempts:<email>`, `otp_last_sent:<email>`, `otp_lock:<email>`, `otp:verified:<email>` — same as `api/utils/web_utils.py`. - **Stored OTP value**: `"<hex_hash>:<hex_salt>"` — same as Python. - **Hash**: HMAC-SHA256 with a `crypto/rand` 16-byte salt — same as `hash_code()`. - **Constants**: `OTP_LENGTH=4`, `OTP_TTL=5min`, `ATTEMPT_LIMIT=5`, `ATTEMPT_LOCK_SECONDS=30min`, `RESEND_COOLDOWN_SECONDS=60s` — all match `api/utils/web_utils.py`. - **Email body**: matches `RESET_CODE_EMAIL_TMPL` byte-for-byte. ## Files ### New | File | Purpose | |---|---| | `internal/utility/otp.go` | OTP/captcha constants, Redis key builders (`CaptchaRedisKey`, `OTPRedisKeys`, `OTPVerifiedRedisKey`), `HashOTPCode`, `GenerateOTPCode` / `GenerateCaptchaCode` / `GenerateOTPSalt` via `crypto/rand`, and `EncodeOTPStorageValue` / `DecodeOTPStorageValue` matching Python's storage shape. | | `internal/utility/smtp.go` | Minimal stdlib `net/smtp` sender. `SendResetCodeEmail(to, otp, ttlMin)` builds an RFC 5322 plain-text message and dispatches via implicit TLS / STARTTLS / plain — same selectors as Python `aiosmtplib`. Returns `SMTPNotConfiguredError` if the config block is empty. | ### Modified | File | Change | |---|---| | `internal/server/config.go` | New `SMTPConfig` struct + `Config.SMTP` field. Field names mirror the `smtp:` keys in `common/settings.py` (`mail_server`, `mail_port`, `mail_use_ssl`, `mail_use_tls`, `mail_username`, `mail_password`, `mail_from_name`, `mail_from_address`, `mail_frontend_url`) so a single `conf/service_conf.yaml` powers both backends. | | `internal/service/user.go` | Four methods — `ForgotIssueCaptcha`, `ForgotSendOTP`, `ForgotVerifyOTP`, `ForgotResetPassword`. Reuses the existing `decryptPassword`, `HashPassword`, `userDAO.Update`, and `utility.GenerateToken` so the reset+auto-login path is identical to `LoginByEmail`. | | `internal/handler/user.go` | Four handlers in the same `c.JSON` shape as `LoginByEmail`. The reset handler rotates the access token and emits an `Authorization` header for auto-login (matches Python `construct_response(auth=user.get_id())`). | | `internal/router/router.go` | Routes registered under `apiNoAuth`, with an explanatory comment on why they sit outside the auth middleware. | ## Known divergence — captcha rendering The Python endpoint returns a rendered `image/JPEG` from the `python-captcha` library. The Go side has **no image-captcha dependency vendored** in `go.mod`, and hand-rolling a raster generator was out of scope for this PR. This commit returns JSON `{captcha: "<text>"}` instead. Implications: - **Backend gate is identical** — the OTP step still verifies the user-submitted captcha string against the Redis value, so the security model is unchanged. - **Frontend impact**: the password-reset page rendering needs a small tweak (text display instead of `<img>`) until a Go captcha library is wired in. - The handler comments call this out explicitly so the next PR knows what to swap. Possible follow-ups (any one closes the gap): 1. Add `github.com/mojocn/base64Captcha` or `github.com/dchest/captcha` to `go.mod` and replace the JSON response with an `image/JPEG`. 2. Hand-roll a 5x7 bitmap font + `image/png` writer using only the stdlib. 3. Render a server-side SVG (cheap, but trivially OCR-able — only useful as a UI shim). ## Test plan - [ ] **Captcha**: `POST /api/v1/auth/password/forgot/captcha?email=<existing>` returns `{code: 0, data: {captcha: "ABCD"}}`. Redis shows `captcha:<email>` with that value and ~60s TTL. Unknown email returns `code: CodeDataError`. - [ ] **OTP send**: `POST /api/v1/auth/password/forgot/otp` with the right captcha mints an OTP, stores `<hash>:<salt>` under `otp:<email>` for 5 min, sends an email, returns success. With a wrong captcha returns `CodeAuthenticationError`. Hitting it again within 60s returns "you still have to wait …" with `CodeNotEffective`. - [ ] **OTP verify**: correct OTP → `code: 0`, OTP keys cleared, `otp:verified:<email>` = `"1"`. Wrong OTP → `code: CodeAuthenticationError`, attempt counter bumped; after 5 wrong tries `otp_lock:<email>` is set and further attempts hit `CodeNotEffective`. - [ ] **Reset**: with the verified flag set, supply a new password (RSA-encrypted+base64, same as `LoginByEmail`). Returns `code: 0`, `Authorization` header set, verified flag deleted. Without the verified flag returns `CodeAuthenticationError`. - [ ] **Wire-compat smoke**: mint an OTP from the Python backend, verify it via the Go endpoint, and vice versa. Should both succeed. - [ ] **SMTP misconfigured**: drop `smtp.mail_server` from `conf/service_conf.yaml`. The OTP-send endpoint should now return "failed to send email" without panicking; check the log for the `SMTPNotConfiguredError` warning. - [ ] **End-to-end FE**: hit the password-reset flow from `web/src/pages/login-next/`. Confirm the text-captcha shim works after the FE tweak. - [ ] `go build ./...` and `go vet ./...` — I could not run these in the sandbox; please confirm a clean build before merging. - [ ] `uv run pytest` to confirm no Python regressions (shared Redis schema). ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2026-06-10 06:27:56 -07:00
//
// Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// OTP / captcha helpers for the forgot-password flow.
// Constants and key shapes mirror api/utils/web_utils.py so the Python
// and Go backends share the same Redis namespace and contract.
package utility
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"fmt"
"math/big"
"strings"
"time"
)
// Forgot-password constants — match api/utils/web_utils.py.
const (
OTPLength = 4
OTPTTL = 5 * time.Minute
OTPAttemptLimit = 5
OTPAttemptLockDuration = 30 * time.Minute
OTPResendCooldown = 60 * time.Second
)
// otpUpperAlphabet is the OTP alphabet (uppercase letters, same as
// Python ``string.ascii_uppercase``).
const otpUpperAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
// captchaAlphabet is the captcha alphabet (uppercase letters + digits,
// same as Python ``string.ascii_uppercase + string.digits``).
const captchaAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
// normalizeEmail lowercases and trims an email address for keying. Mirrors
// the leading ``email = (email or "").strip().lower()`` in Python's
// otp_keys helper.
func normalizeEmail(email string) string {
return strings.ToLower(strings.TrimSpace(email))
}
// CaptchaIDRedisKey returns the Redis key that holds the active captcha
// for a server-issued captcha_id. The handler returns the id to the
// client and never the code itself, so an attacker cannot read the
// expected answer from the response. Diverges from Python's
// email-keyed ``captcha_key`` on purpose — captchas are 60s-lived
// and never cross between Go and Python in practice, so there is no
// shared-state requirement.
func CaptchaIDRedisKey(captchaID string) string {
return "captcha:" + captchaID
}
// OTPRedisKeys returns the four Redis keys used by the forgot-password
// flow, in the same order as Python's ``otp_keys`` helper:
//
// code, attempts, last_sent, lock
func OTPRedisKeys(email string) (codeKey, attemptsKey, lastSentKey, lockKey string) {
email = normalizeEmail(email)
return "otp:" + email,
"otp_attempts:" + email,
"otp_last_sent:" + email,
"otp_lock:" + email
}
// OTPVerifiedRedisKey returns the Redis key that records a successful OTP
// verification, used as the gate for the password-reset step (matches
// Python ``_verified_key``).
func OTPVerifiedRedisKey(email string) string {
return "otp:verified:" + normalizeEmail(email)
}
// HashOTPCode computes the HMAC-SHA256 of an OTP using the given salt and
// returns its hex digest, matching Python's ``hash_code`` helper.
func HashOTPCode(code string, salt []byte) string {
mac := hmac.New(sha256.New, salt)
mac.Write([]byte(code))
return hex.EncodeToString(mac.Sum(nil))
}
// GenerateOTPSalt returns a cryptographically random 16-byte salt for
// hashing an OTP — same width as Python ``os.urandom(16)``.
func GenerateOTPSalt() ([]byte, error) {
salt := make([]byte, 16)
if _, err := rand.Read(salt); err != nil {
return nil, fmt.Errorf("failed to generate otp salt: %w", err)
}
return salt, nil
}
// GenerateOTPCode generates an OTP of length ``OTPLength`` drawn uniformly
// from ``otpUpperAlphabet`` using crypto/rand (matches Python
// ``secrets.choice``).
func GenerateOTPCode() (string, error) {
return randomStringFromAlphabet(otpUpperAlphabet, OTPLength)
}
// GenerateCaptchaCode generates a captcha of length ``OTPLength`` drawn
// uniformly from ``captchaAlphabet`` using crypto/rand. The shared length
// is intentional — Python uses ``OTP_LENGTH`` for both.
func GenerateCaptchaCode() (string, error) {
return randomStringFromAlphabet(captchaAlphabet, OTPLength)
}
// EncodeOTPStorageValue serializes the (hash, salt) pair the way Python
// stores it in Redis: ``"<hex_hash>:<hex_salt>"``. Returning the salt's
// hex form (not raw bytes) keeps the value safe to store as a Redis
// string and matches the Python encoding so either backend can verify a
// code minted by the other.
func EncodeOTPStorageValue(codeHash string, salt []byte) string {
return codeHash + ":" + hex.EncodeToString(salt)
}
// DecodeOTPStorageValue reverses ``EncodeOTPStorageValue``. Returns the
// stored hash, decoded salt bytes, and a non-nil error if the value is
// malformed.
func DecodeOTPStorageValue(stored string) (codeHash string, salt []byte, err error) {
parts := strings.SplitN(stored, ":", 2)
if len(parts) != 2 {
return "", nil, fmt.Errorf("otp storage value missing salt separator")
}
salt, err = hex.DecodeString(parts[1])
if err != nil {
return "", nil, fmt.Errorf("otp storage salt is not valid hex: %w", err)
}
return parts[0], salt, nil
}
func randomStringFromAlphabet(alphabet string, length int) (string, error) {
if length <= 0 {
return "", fmt.Errorf("random string length must be positive")
}
out := make([]byte, length)
max := big.NewInt(int64(len(alphabet)))
for i := 0; i < length; i++ {
n, err := rand.Int(rand.Reader, max)
if err != nil {
return "", fmt.Errorf("failed to read random byte: %w", err)
}
out[i] = alphabet[n.Int64()]
}
return string(out), nil
}