replace people.email (plaintext) with Fields.EmailEncrypted for privacy/security #285 also comment out all insecure/unused code - to be removed shortly

Author: nelsonic

lib/auth/accounts.ex

@@ -23,7 +23,7 @@ defmodule Auth.Accounts do
 
   """
   def get_person_by_email(email) when is_binary(email) do
-    Repo.get_by(Person, email: email)
+    Repo.get_by(Person, email_hash: email)
   end
 
   @doc """
@@ -40,7 +40,7 @@ defmodule Auth.Accounts do
   """
   def get_person_by_email_and_password(email, password)
       when is_binary(email) and is_binary(password) do
-    person = Repo.get_by(Person, email: email)
+    person = Repo.get_by(Person, email_hash: email)
     if Person.valid_password?(person, password), do: person
   end
 
@@ -267,27 +267,27 @@ defmodule Auth.Accounts do
     end
   end
 
-  @doc """
-  Confirms a person by the given token.
-
-  If the token matches, the person account is marked as confirmed
-  and the token is deleted.
-  """
-  def confirm_person(token) do
-    with {:ok, query} <- PersonToken.verify_email_token_query(token, "confirm"),
-         %Person{} = person <- Repo.one(query),
-         {:ok, %{person: person}} <- Repo.transaction(confirm_person_multi(person)) do
-      {:ok, person}
-    else
-      _ -> :error
-    end
-  end
-
-  defp confirm_person_multi(person) do
-    Ecto.Multi.new()
-    |> Ecto.Multi.update(:person, Person.confirm_changeset(person))
-    |> Ecto.Multi.delete_all(:tokens, PersonToken.person_and_contexts_query(person, ["confirm"]))
-  end
+  # @doc """
+  # Confirms a person by the given token.
+
+  # If the token matches, the person account is marked as confirmed
+  # and the token is deleted.
+  # """
+  # def confirm_person(token) do
+  #   with {:ok, query} <- PersonToken.verify_email_token_query(token, "confirm"),
+  #        %Person{} = person <- Repo.one(query),
+  #        {:ok, %{person: person}} <- Repo.transaction(confirm_person_multi(person)) do
+  #     {:ok, person}
+  #   else
+  #     _ -> :error
+  #   end
+  # end
+
+  # defp confirm_person_multi(person) do
+  #   Ecto.Multi.new()
+  #   |> Ecto.Multi.update(:person, Person.confirm_changeset(person))
+  #   |> Ecto.Multi.delete_all(:tokens, PersonToken.person_and_contexts_query(person, ["confirm"]))
+  # end
 
   ## Reset password
 
@@ -307,26 +307,26 @@ defmodule Auth.Accounts do
     PersonNotifier.deliver_reset_password_instructions(person, reset_password_url_fun.(encoded_token))
   end
 
-  @doc """
-  Gets the person by reset password token.
+  # @doc """
+  # Gets the person by reset password token.
 
-  ## Examples
+  # ## Examples
 
-      iex> get_person_by_reset_password_token("validtoken")
-      %Person{}
+  #     iex> get_person_by_reset_password_token("validtoken")
+  #     %Person{}
 
-      iex> get_person_by_reset_password_token("invalidtoken")
-      nil
+  #     iex> get_person_by_reset_password_token("invalidtoken")
+  #     nil
 
-  """
-  def get_person_by_reset_password_token(token) do
-    with {:ok, query} <- PersonToken.verify_email_token_query(token, "reset_password"),
-         %Person{} = person <- Repo.one(query) do
-      person
-    else
-      _ -> nil
-    end
-  end
+  # """
+  # def get_person_by_reset_password_token(token) do
+  #   with {:ok, query} <- PersonToken.verify_email_token_query(token, "reset_password"),
+  #        %Person{} = person <- Repo.one(query) do
+  #     person
+  #   else
+  #     _ -> nil
+  #   end
+  # end
 
   @doc """
   Resets the person password.

lib/auth/accounts/person.ex

@@ -3,10 +3,11 @@ defmodule Auth.Accounts.Person do
   import Ecto.Changeset
 
   schema "people" do
-    field :email, :string
+    field :confirmed_at, :naive_datetime
+    field :email, Fields.EmailEncrypted
+    field :email_hash, Fields.EmailHash
     field :password, :string, virtual: true, redact: true
     field :hashed_password, :string, redact: true
-    field :confirmed_at, :naive_datetime
 
     timestamps()
   end
@@ -41,11 +42,23 @@ defmodule Auth.Accounts.Person do
     |> validate_password(opts)
   end
 
+  defp put_email_hash(changeset) when not is_nil(changeset.changes.email) do
+    # dbg(changeset)
+    put_change(changeset, :email_hash, String.downcase(changeset.changes.email))
+  end
+
+  defp put_email_hash(changeset) do
+    # dbg(changeset)
+    changeset
+  end
+
+
   defp validate_email(changeset, opts) do
     changeset
     |> validate_required([:email])
     |> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces")
     |> validate_length(:email, max: 160)
+    |> put_email_hash()
     |> maybe_validate_unique_email(opts)
   end
 
@@ -80,8 +93,8 @@ defmodule Auth.Accounts.Person do
   defp maybe_validate_unique_email(changeset, opts) do
     if Keyword.get(opts, :validate_email, true) do
       changeset
-      |> unsafe_validate_unique(:email, Auth.Repo)
-      |> unique_constraint(:email)
+      |> unsafe_validate_unique(:email_hash, Auth.Repo)
+      |> unique_constraint(:email_hash)
     else
       changeset
     end

lib/auth/accounts/person_token.ex

@@ -17,6 +17,8 @@ defmodule Auth.Accounts.PersonToken do
     field :token, :binary
     field :context, :string
     field :sent_to, :string
+    # field :sent_to, Fields.EmailEncrypted
+    # field :email_hash, Fields.EmailHash
     belongs_to :person, Auth.Accounts.Person
 
     timestamps(updated_at: false)
@@ -107,29 +109,29 @@ defmodule Auth.Accounts.PersonToken do
   for resetting the password. For verifying requests to change the email,
   see `verify_change_email_token_query/2`.
   """
-  def verify_email_token_query(token, context) do
-    case Base.url_decode64(token, padding: false) do
-      {:ok, decoded_token} ->
-        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
-        days = days_for_context(context)
-
-        query =
-          from token in token_and_context_query(hashed_token, context),
-            join: person in assoc(token, :person),
-            where: token.inserted_at > ago(^days, "day") and token.sent_to == person.email,
-            select: person
-
-        {:ok, query}
-      # phx.gen.auth boilerplate code not yet covered by tests ...
-      # coveralls-ignore-start
-      :error ->
-        :error
-      # coveralls-ignore-stop
-    end
-  end
-
-  defp days_for_context("confirm"), do: @confirm_validity_in_days
-  defp days_for_context("reset_password"), do: @reset_password_validity_in_days
+  # def verify_email_token_query(token, context) do
+  #   case Base.url_decode64(token, padding: false) do
+  #     {:ok, decoded_token} ->
+  #       hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
+  #       days = days_for_context(context)
+
+  #       query =
+  #         from token in token_and_context_query(hashed_token, context),
+  #           join: person in assoc(token, :person),
+  #           where: token.inserted_at > ago(^days, "day") and token.sent_to == person.email,
+  #           select: person
+
+  #       {:ok, query}
+  #     # phx.gen.auth boilerplate code not yet covered by tests ...
+  #     # coveralls-ignore-start
+  #     :error ->
+  #       :error
+  #     # coveralls-ignore-stop
+  #   end
+  # end
+
+  # defp days_for_context("confirm"), do: @confirm_validity_in_days
+  # defp days_for_context("reset_password"), do: @reset_password_validity_in_days
 
   @doc """
   Checks if the token is valid and returns its underlying lookup query.

lib/auth_web/controllers/person_confirmation_controller.ex

@@ -30,27 +30,27 @@ defmodule AuthWeb.PersonConfirmationController do
 
   # Do not log in the person after confirmation to avoid a
   # leaked token giving the person access to the account.
-  def update(conn, %{"token" => token}) do
-    case Accounts.confirm_person(token) do
-      {:ok, _} ->
-        conn
-        |> put_flash(:info, "Person confirmed successfully.")
-        |> redirect(to: ~p"/")
-
-      :error ->
-        # If there is a current person and the account was already confirmed,
-        # then odds are that the confirmation link was already visited, either
-        # by some automation or by the person themselves, so we redirect without
-        # a warning message.
-        case conn.assigns do
-          %{current_person: %{confirmed_at: confirmed_at}} when not is_nil(confirmed_at) ->
-            redirect(conn, to: ~p"/")
-
-          %{} ->
-            conn
-            |> put_flash(:error, "Person confirmation link is invalid or it has expired.")
-            |> redirect(to: ~p"/")
-        end
-    end
-  end
+  # def update(conn, %{"token" => token}) do
+  #   case Accounts.confirm_person(token) do
+  #     {:ok, _} ->
+  #       conn
+  #       |> put_flash(:info, "Person confirmed successfully.")
+  #       |> redirect(to: ~p"/")
+
+  #     :error ->
+  #       # If there is a current person and the account was already confirmed,
+  #       # then odds are that the confirmation link was already visited, either
+  #       # by some automation or by the person themselves, so we redirect without
+  #       # a warning message.
+  #       case conn.assigns do
+  #         %{current_person: %{confirmed_at: confirmed_at}} when not is_nil(confirmed_at) ->
+  #           redirect(conn, to: ~p"/")
+
+  #         %{} ->
+  #           conn
+  #           |> put_flash(:error, "Person confirmation link is invalid or it has expired.")
+  #           |> redirect(to: ~p"/")
+  #       end
+  #   end
+  # end
 end

lib/auth_web/controllers/person_reset_password_controller.ex

@@ -3,7 +3,7 @@ defmodule AuthWeb.PersonResetPasswordController do
 
   alias Auth.Accounts
 
-  plug :get_person_by_reset_password_token when action in [:edit, :update]
+  # plug :get_person_by_reset_password_token when action in [:edit, :update]
 
   def new(conn, _params) do
     render(conn, :new)
@@ -13,6 +13,7 @@ defmodule AuthWeb.PersonResetPasswordController do
     if person = Accounts.get_person_by_email(email) do
       Accounts.deliver_person_reset_password_instructions(
         person,
+        # ~p"/people/reset_password/"
         &url(~p"/people/reset_password/#{&1}")
       )
     end
@@ -25,34 +26,34 @@ defmodule AuthWeb.PersonResetPasswordController do
     |> redirect(to: ~p"/")
   end
 
-  def edit(conn, _params) do
-    render(conn, :edit, changeset: Accounts.change_person_password(conn.assigns.person))
-  end
-
-  # Do not log in the person after reset password to avoid a
-  # leaked token giving the person access to the account.
-  def update(conn, %{"person" => person_params}) do
-    case Accounts.reset_person_password(conn.assigns.person, person_params) do
-      {:ok, _} ->
-        conn
-        |> put_flash(:info, "Password reset successfully.")
-        |> redirect(to: ~p"/people/log_in")
-
-      {:error, changeset} ->
-        render(conn, :edit, changeset: changeset)
-    end
-  end
-
-  defp get_person_by_reset_password_token(conn, _opts) do
-    %{"token" => token} = conn.params
-
-    if person = Accounts.get_person_by_reset_password_token(token) do
-      conn |> assign(:person, person) |> assign(:token, token)
-    else
-      conn
-      |> put_flash(:error, "Reset password link is invalid or it has expired.")
-      |> redirect(to: ~p"/")
-      |> halt()
-    end
-  end
+  # def edit(conn, _params) do
+  #   render(conn, :edit, changeset: Accounts.change_person_password(conn.assigns.person))
+  # end
+
+  # # Do not log in the person after reset password to avoid a
+  # # leaked token giving the person access to the account.
+  # def update(conn, %{"person" => person_params}) do
+  #   case Accounts.reset_person_password(conn.assigns.person, person_params) do
+  #     {:ok, _} ->
+  #       conn
+  #       |> put_flash(:info, "Password reset successfully.")
+  #       |> redirect(to: ~p"/people/log_in")
+
+  #     {:error, changeset} ->
+  #       render(conn, :edit, changeset: changeset)
+  #   end
+  # end
+
+  # defp get_person_by_reset_password_token(conn, _opts) do
+  #   %{"token" => token} = conn.params
+
+  #   if person = Accounts.get_person_by_reset_password_token(token) do
+  #     conn |> assign(:person, person) |> assign(:token, token)
+  #   else
+  #     conn
+  #     |> put_flash(:error, "Reset password link is invalid or it has expired.")
+  #     |> redirect(to: ~p"/")
+  #     |> halt()
+  #   end
+  # end
 end

lib/auth_web/router.ex

@@ -57,8 +57,8 @@ defmodule AuthWeb.Router do
     post "/people/log_in", PersonSessionController, :create
     get "/people/reset_password", PersonResetPasswordController, :new
     post "/people/reset_password", PersonResetPasswordController, :create
-    get "/people/reset_password/:token", PersonResetPasswordController, :edit
-    put "/people/reset_password/:token", PersonResetPasswordController, :update
+    # get "/people/reset_password/:token", PersonResetPasswordController, :edit
+    # put "/people/reset_password/:token", PersonResetPasswordController, :update
   end
 
   scope "/", AuthWeb do
@@ -76,6 +76,6 @@ defmodule AuthWeb.Router do
     get "/people/confirm", PersonConfirmationController, :new
     post "/people/confirm", PersonConfirmationController, :create
     get "/people/confirm/:token", PersonConfirmationController, :edit
-    post "/people/confirm/:token", PersonConfirmationController, :update
+    # post "/people/confirm/:token", PersonConfirmationController, :update
   end
 end

mix.exs

@@ -4,7 +4,7 @@ defmodule Auth.MixProject do
   def project do
     [
       app: :auth,
-      version: "0.1.0",
+      version: "2.0.0",
       elixir: "~> 1.14",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,
@@ -67,6 +67,10 @@ defmodule Auth.MixProject do
       {:jason, "~> 1.2"},
       {:plug_cowboy, "~> 2.5"},
 
+      # Field Validation and Encryption: github.com/dwyl/fields
+      {:fields, "~> 2.10.3"},
+
+
       # Check test coverage: github.com/parroty/excoveralls
       {:excoveralls, "~> 0.14.3", only: :test},
     ]