Verify passwords for activation

This is to prevent 3rd party activation

Author: ashimokawa

models/user.go

@@ -902,6 +902,16 @@ func VerifyUserActiveCode(code string) (user *User) {
 	return nil
 }
 
+// VerifyUserActiveCode verifies active code and password when activating account
+func VerifyUserActiveCodeAndPassword(code string, password string) (user *User) {
+	if user = VerifyUserActiveCode(code); user != nil {
+		if user.ValidatePassword(password) {
+			return user
+		}
+	}
+	return nil
+}
+
 // VerifyActiveEmailCode verifies active email code when active account
 func VerifyActiveEmailCode(code, email string) *EmailAddress {
 	minutes := setting.Service.ActiveCodeLives

routers/user/auth.go

@@ -39,7 +39,7 @@ const (
 	tplSignIn base.TplName = "user/auth/signin"
 	// tplSignUp template path for sign up page
 	tplSignUp base.TplName = "user/auth/signup"
-	// TplActivate template path for activate user
+	// Tpl template path for activate user
 	TplActivate       base.TplName = "user/auth/activate"
 	tplForgotPassword base.TplName = "user/auth/forgot_passwd"
 	tplResetPassword  base.TplName = "user/auth/reset_passwd"
@@ -1215,6 +1215,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 // Activate render activate user page
 func Activate(ctx *context.Context) {
 	code := ctx.Query("code")
+	password := ctx.Query("password")
+
 	if len(code) == 0 {
 		ctx.Data["IsActivatePage"] = true
 		if ctx.User.IsActive {
@@ -1240,8 +1242,15 @@ func Activate(ctx *context.Context) {
 		return
 	}
 
-	// Verify code.
-	if user := models.VerifyUserActiveCode(code); user != nil {
+	if len(password) == 0 {
+		ctx.Data["Code"] = code
+		ctx.Data["NeedsPassword"] = true
+		ctx.HTML(200, TplActivate)
+		return
+	}
+
+	// Verify code and password
+	if user := models.VerifyUserActiveCodeAndPassword(code, password); user != nil {
 		user.IsActive = true
 		var err error
 		if user.Rands, err = models.GetUserSalt(); err != nil {

templates/user/auth/activate.tmpl

@@ -18,7 +18,20 @@
 							<p>{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.SignedUser.Email|Escape) .ActiveCodeLives | Str2html}}</p>
 						{{end}}
 					{{else}}
-						{{if .IsSendRegisterMail}}
+						{{if .NeedsPassword}}
+							<form class="ui form" action="/user/activate" method="post">
+								<div class="required inline field">
+									<label for="password">{{.i18n.Tr "password"}}</label>
+									<input id="password" name="password" type="password" autocomplete="off" required>
+								</div>
+
+								<div class="inline field">
+									<label></label>
+									<button class="ui green button">{{.i18n.Tr "install.confirm_password"}}</button>
+								</div>
+								<input id="code" name="code" type="hidden" value="{{.Code}}">
+							</form>
+						{{else if .IsSendRegisterMail}}
 							<p>{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.Email|Escape) .ActiveCodeLives | Str2html}}</p>
 						{{else if .IsActivateFailed}}
 							<p>{{.i18n.Tr "auth.invalid_code"}}</p>