From 95a62f56e09fc1909738a50f8d5cf3cd55059c9b Mon Sep 17 00:00:00 2001 From: Ilya Prokopenko Date: Fri, 26 May 2023 16:27:40 +0700 Subject: [PATCH] Auth: Add disabling the password reset page --- Web/Presenters/AuthPresenter.php | 6 ++++++ Web/Presenters/templates/@layout.xml | 2 +- openvk-example.yml | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Web/Presenters/AuthPresenter.php b/Web/Presenters/AuthPresenter.php index bbb45d28..2f178900 100644 --- a/Web/Presenters/AuthPresenter.php +++ b/Web/Presenters/AuthPresenter.php @@ -207,6 +207,9 @@ final class AuthPresenter extends OpenVKPresenter function renderFinishRestoringPassword(): void { + if(OPENVK_ROOT_CONF['openvk']['preferences']['security']['disablePasswordRestoring']) + $this->notFound(); + $request = $this->restores->getByToken(str_replace(" ", "+", $this->queryParam("key"))); if(!$request || !$request->isStillValid()) { $this->flash("err", tr("token_manipulation_error"), tr("token_manipulation_error_comment")); @@ -241,6 +244,9 @@ final class AuthPresenter extends OpenVKPresenter function renderRestore(): void { + if(OPENVK_ROOT_CONF['openvk']['preferences']['security']['disablePasswordRestoring']) + $this->notFound(); + if(!is_null($this->user)) $this->redirect($this->user->identity->getURL()); diff --git a/Web/Presenters/templates/@layout.xml b/Web/Presenters/templates/@layout.xml index f211c2c1..cd6e4891 100644 --- a/Web/Presenters/templates/@layout.xml +++ b/Web/Presenters/templates/@layout.xml @@ -220,7 +220,7 @@
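Review bot: Both added guards read `OPENVK_ROOT_CONF['openvk']['preferences']['security']['disablePasswordRestoring']` without a fallback, in `renderFinishRestoringPassword()` and again in `renderRestore()` (the `{if}` added to `@layout.xml` does the same). The key is new in this commit, so a deployment whose config file predates it would presumably raise an undefined-key warning and evaluate the flag as falsy, leaving the reset pages enabled even though `openvk-example.yml` ships `true`. Reading it as `(OPENVK_ROOT_CONF['openvk']['preferences']['security']['disablePasswordRestoring'] ?? false)` makes that default explicit, or use `?? true` if disabled is meant to be the safe default. The brace-less `$this->notFound();` also only protects the token handling below it if `notFound()` never returns, which is not visible here, so a short comment such as `// notFound() terminates the request` would help. Both function bodies continue outside their hunks.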

- {_forgot_password} + {if !OPENVK_ROOT_CONF['openvk']['preferences']['security']['disablePasswordRestoring']}{_forgot_password}{/if} {/ifset} diff --git a/openvk-example.yml b/openvk-example.yml index c0428283..ad878af0 100644 --- a/openvk-example.yml +++ b/openvk-example.yml @@ -28,6 +28,7 @@ openvk: forcePhoneVerification: false forceEmailVerification: false forceStrongPassword: false + disablePasswordRestoring: true # turn this off if you have configured e-mail sending correctly enableSu: true rateLimits: actions: 5
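Review bot: The inline comment on `disablePasswordRestoring: true` says "turn this off", which is easy to misread next to a negatively named flag whose example value is `true`. A more explicit comment would be `# true = password reset pages are disabled; set to false once outgoing e-mail is configured`. It may also be worth stating there that a config file without this key leaves password reset enabled, since the presenter checks in this commit only call `notFound()` on a truthy value.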