Fix eventing mess in recover/remember

Author: aarondl

CHANGELOG.md

@@ -3,6 +3,23 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [3.0.3] - 2021-02-14
+
+### Fixed
+
+- Fix that EventRecoverStart/EventRecoverEnd were not being called.
+
+### Changed
+
+- Change Remember module to listen to `After(EventRecoverEnd)` in order to
+  invoke its handler to delete the remember cookie & tokens. This previously
+  was not being called so it could be viewed as new behavior though this only
+  applies if you are using both `remember` and `recover` modules.
+
+### Deprecate
+
+- EventPasswordReset is used nowhere and is no longer intended to be used.
+
 ## [3.0.2] - 2020-09-17
 
 ### Fixed

authboss.go

@@ -59,8 +59,11 @@ func (a *Authboss) Init(modulesToLoad ...string) error {
 // In addition to that, it also invalidates any remember me tokens, if the
 // storer supports that kind of operation.
 //
-// If it's also desirable to log the user out, use:
-// authboss.DelKnown(Session|Cookie)
+// Note that it's best practice after having called this method to also delete
+// all the user's logged in sessions. The CURRENT logged in session can be
+// deleted with `authboss.DelKnown(Session|Cookie)` but to delete ALL logged
+// in sessions for a user requires special mechanisms not currently provided
+// by authboss.
 func (a *Authboss) UpdatePassword(ctx context.Context, user AuthableUser, newPassword string) error {
 	pass, err := bcrypt.GenerateFromPassword([]byte(newPassword), a.Config.Modules.BCryptCost)
 	if err != nil {

events.go

@@ -27,6 +27,7 @@ const (
 	EventRecoverEnd
 	EventGetUser
 	EventGetUserSession
+	// Deprecated: EventPasswordReset is used nowhere
 	EventPasswordReset
 	EventLogout
 )

go.sum

@@ -1,12 +1,16 @@
 cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/friendsofgo/errors v0.9.2 h1:X6NYxef4efCBdwI7BgS820zFaN7Cphrmb+Pljdzjtgk=
 github.com/friendsofgo/errors v0.9.2/go.mod h1:yCvFW5AkDIL9qn7suHVLiI/gH228n7PC4Pn44IGoTOI=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
 github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

recover/recover.go

@@ -105,6 +105,14 @@ func (r *Recover) StartPost(w http.ResponseWriter, req *http.Request) error {
 
 	ru := authboss.MustBeRecoverable(user)
 
+	req = req.WithContext(context.WithValue(req.Context(), authboss.CTXKeyUser, user))
+	handled, err := r.Authboss.Events.FireBefore(authboss.EventRecoverStart, w, req)
+	if err != nil {
+		return err
+	} else if handled {
+		return nil
+	}
+
 	selector, verifier, token, err := GenerateRecoverCreds()
 	if err != nil {
 		return err
@@ -124,6 +132,11 @@ func (r *Recover) StartPost(w http.ResponseWriter, req *http.Request) error {
 		go r.SendRecoverEmail(req.Context(), ru.GetEmail(), token)
 	}
 
+	_, err = r.Authboss.Events.FireAfter(authboss.EventRecoverStart, w, req)
+	if err != nil {
+		return err
+	}
+
 	logger.Infof("user %s password recovery initiated", ru.GetPID())
 	ro := authboss.RedirectOptions{
 		Code:         http.StatusTemporaryRedirect,
@@ -242,6 +255,14 @@ func (r *Recover) EndPost(w http.ResponseWriter, req *http.Request) error {
 		return r.invalidToken(PageRecoverEnd, w, req)
 	}
 
+	req = req.WithContext(context.WithValue(req.Context(), authboss.CTXKeyUser, user))
+	handled, err := r.Authboss.Events.FireBefore(authboss.EventRecoverEnd, w, req)
+	if err != nil {
+		return err
+	} else if handled {
+		return nil
+	}
+
 	pass, err := bcrypt.GenerateFromPassword([]byte(password), r.Authboss.Config.Modules.BCryptCost)
 	if err != nil {
 		return err
@@ -262,6 +283,11 @@ func (r *Recover) EndPost(w http.ResponseWriter, req *http.Request) error {
 		successMsg += " and logged in"
 	}
 
+	_, err = r.Authboss.Events.FireAfter(authboss.EventRecoverEnd, w, req)
+	if err != nil {
+		return err
+	}
+
 	ro := authboss.RedirectOptions{
 		Code:         http.StatusTemporaryRedirect,
 		RedirectPath: r.Authboss.Config.Paths.RecoverOK,

remember/remember.go

@@ -33,7 +33,7 @@ func (r *Remember) Init(ab *authboss.Authboss) error {
 
 	r.Events.After(authboss.EventAuth, r.RememberAfterAuth)
 	r.Events.After(authboss.EventOAuth2, r.RememberAfterAuth)
-	r.Events.After(authboss.EventPasswordReset, r.AfterPasswordReset)
+	r.Events.After(authboss.EventRecoverEnd, r.AfterPasswordReset)
 
 	return nil
 }