From f5afb11032913fe523bd688954b4923f357c7802 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Tue, 11 Dec 2018 20:17:49 +0300
Subject: [PATCH] [#114] Initial implementation of user password reset emails
 (user-initiated).

---
 lib/pleroma/emails/user_email.ex              | 37 +++++++++++++++++++
 lib/pleroma/web/router.ex                     |  2 +-
 .../web/twitter_api/twitter_api_controller.ex | 19 ++++++++++
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 lib/pleroma/emails/user_email.ex

diff --git a/lib/pleroma/emails/user_email.ex b/lib/pleroma/emails/user_email.ex
new file mode 100644
index 000000000..46d8b9c2d
--- /dev/null
+++ b/lib/pleroma/emails/user_email.ex
@@ -0,0 +1,37 @@
+defmodule Pleroma.UserEmail do
+  @moduledoc "User emails"
+
+  import Swoosh.Email
+
+  alias Pleroma.Web.{Endpoint, Router}
+
+  defp instance_config, do: Pleroma.Config.get(:instance)
+
+  defp instance_name, do: instance_config()[:name]
+
+  defp from do
+    {instance_name(), instance_config()[:email]}
+  end
+
+  def password_reset_email(user, password_reset_token) when is_binary(password_reset_token) do
+    password_reset_url =
+      Router.Helpers.util_url(
+        Endpoint,
+        :show_password_reset,
+        password_reset_token
+      )
+
+    html_body = """
+    <h3>Reset your password at #{instance_name()}</h3>
+    <p>Someone has requested password change for your account at #{instance_name()}.</p>
+    <p>If it was you, visit the following link to proceed: <a href="#{password_reset_url}">reset password</a>.</p>
+    <p>If it was someone else, nothing to worry about: your data is secure and your password has not been changed.</p>
+    """
+
+    new()
+    |> to({user.name, user.email})
+    |> from(from())
+    |> subject("Password reset")
+    |> html_body(html_body)
+  end
+end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 19b8750fc..6253a28db 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -277,7 +277,7 @@ defmodule Pleroma.Web.Router do
     get("/statusnet/conversation/:id", TwitterAPI.Controller, :fetch_conversation)
 
     post("/account/register", TwitterAPI.Controller, :register)
-    post("/account/reset_password", TwitterAPI.Controller, :reset_password)
+    post("/account/password_reset", TwitterAPI.Controller, :password_reset)
 
     get("/search", TwitterAPI.Controller, :search)
     get("/statusnet/tags/timeline/:tag", TwitterAPI.Controller, :public_and_external_timeline)
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
index 786849aa3..8837db566 100644
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -1,5 +1,9 @@
 defmodule Pleroma.Web.TwitterAPI.Controller do
   use Pleroma.Web, :controller
+
+  import Pleroma.Web.ControllerHelper, only: [json_response: 3]
+
+  alias Pleroma.Formatter
   alias Pleroma.Web.TwitterAPI.{TwitterAPI, UserView, ActivityView, NotificationView}
   alias Pleroma.Web.CommonAPI
   alias Pleroma.{Repo, Activity, Object, User, Notification}
@@ -322,6 +326,21 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
     end
   end
 
+  def password_reset(conn, params) do
+    nickname_or_email = params["email"] || params["nickname"]
+
+    with is_binary(nickname_or_email),
+         %User{local: true} = user <- User.get_by_nickname_or_email(nickname_or_email) do
+      {:ok, token_record} = Pleroma.PasswordResetToken.create_token(user)
+
+      user
+      |> Pleroma.UserEmail.password_reset_email(token_record.token)
+      |> Pleroma.Mailer.deliver()
+
+      json_response(conn, :no_content, "")
+    end
+  end
+
   def update_avatar(%{assigns: %{user: user}} = conn, params) do
     {:ok, object} = ActivityPub.upload(params, type: :avatar)
     change = Changeset.change(user, %{avatar: object.data})