feat(admin-room): Delete the reset user password message after 60s

Reported-by: Matthias Ahouansou <matthias@ahouansou.cz> Helped-by: Matthias Ahouansou <matthias@ahouansou.cz> Related-to: https://gitlab.com/famedly/conduit/-/issues/432 Signed-off-by: Awiteb <a@4rs.nl>
2025-06-27 16:35:59 +00:00 · 2024-04-14 19:13:56 +03:00 · 2024-04-14 19:13:56 +03:00 · 3e4d85fcee
commit 3e4d85fcee
parent a5e785fa6c
1 changed files with 39 additions and 13 deletions
--- a/src/service/admin/mod.rs
+++ b/src/service/admin/mod.rs
@ -703,19 +703,45 @@ impl Service {

                let new_password = utils::random_string(AUTO_GEN_PASSWORD_LENGTH);

-                Some(
-                    match services()
-                        .users
-                        .set_password(&user_id, Some(new_password.as_str()))
-                    {
-                        Ok(()) => RoomMessageEventContent::text_plain(format!(
-                            "Successfully reset the password for user {user_id}: {new_password}"
-                        )),
-                        Err(e) => RoomMessageEventContent::text_plain(format!(
-                            "Couldn't reset the password for user {user_id}: {e}"
-                        )),
-                    },
-                )
+                if let Err(err) = services()
+                    .users
+                    .set_password(&user_id, Some(new_password.as_str()))
+                {
+                    Some(RoomMessageEventContent::text_plain(format!(
+                        "Couldn't reset the password for user {user_id}: {err}"
+                    )))
+                } else {
+                    // Send the reset password  message to the user, we
+                    // need it's event id to delete it after 60s
+                    let Some(sended_message_event_id) = services()
+                        .admin
+                        .send_message_with_result(&RoomMessageEventContent::text_plain(format!(
+                            "Successfully reset the password for user {user_id}: {new_password} (This message will be deleted after 60s)"
+                        )))
+                        .await?
+                    else {
+                        return Ok(None);
+                    };
+
+                    // Delete the message after 60s because it's contain a plain password
+                    // and the admin room are not encrypted
+                    tokio::spawn(async move {
+                        tokio::time::sleep(tokio::time::Duration::from_secs(60)).await;
+                        if let Err(err) = services()
+                            .admin
+                            .delete_user_message(
+                                sended_message_event_id.as_ref(),
+                                Some("Message contained a plaintext password"),
+                            )
+                            .await
+                        {
+                            tracing::warn!(
+                                "Couldn't delete message containing a plaintext password {err}"
+                            )
+                        }
+                    });
+                    None
+                }
            }
            AdminCommand::CreateUser { username, password } => {
                let is_auto_generated_password = password.is_none();