Fix the password reset form and possible resolver issue (#3398)

While testing for everything open I noticed two possible
issues. This PR fixes both.

The first is a possible recursion in the resolver. I think
I need to fix up it's transactions a bit in another PR.

The second was that the submit button on the reset form
doesn't work. This fixes that as well as post reset redirecting
to the correct location.

server/core/src/https/views/reset.rs

@@ -24,6 +24,7 @@ use kanidm_proto::internal::{
     CredentialDetail, OperationError, PasskeyDetail, PasswordFeedback, TotpAlgo, UserAuthToken,
     COOKIE_CU_SESSION_TOKEN,
 };
+use kanidmd_lib::prelude::ClientAuthInfo;
 
 use super::constants::Urls;
 use super::navbar::NavbarCtx;
@@ -204,11 +205,41 @@ impl Display for PasskeyClass {
     }
 }
 
+/// When the credential update session is ended through a commit or discard of the changes
+/// we need to redirect the user to a relevant location. This location depends on the sessions
+/// current authentication state. If they are authenticated, they are sent to their profile. If
+/// they are not authenticated, they are sent to the login screen.
+async fn end_session_response(
+    state: ServerState,
+    kopid: KOpId,
+    client_auth_info: ClientAuthInfo,
+    jar: CookieJar,
+) -> axum::response::Result<Response> {
+    let is_logged_in = state
+        .qe_r_ref
+        .handle_auth_valid(client_auth_info, kopid.eventid)
+        .await
+        .is_ok();
+
+    let redirect_location = if is_logged_in {
+        Urls::Profile.as_ref()
+    } else {
+        Urls::Login.as_ref()
+    };
+
+    Ok((
+        jar,
+        HxLocation::from(Uri::from_static(redirect_location)),
+        "",
+    )
+        .into_response())
+}
+
 pub(crate) async fn commit(
     State(state): State<ServerState>,
     Extension(kopid): Extension<KOpId>,
     HxRequest(_hx_request): HxRequest,
-    VerifiedClientInformation(_client_auth_info): VerifiedClientInformation,
+    VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
     DomainInfo(domain_info): DomainInfo,
     jar: CookieJar,
 ) -> axum::response::Result<Response> {
@@ -223,14 +254,14 @@ pub(crate) async fn commit(
     // No longer need the cookie jar.
     let jar = cookies::destroy(jar, COOKIE_CU_SESSION_TOKEN, &state);
 
-    Ok((jar, HxLocation::from(Uri::from_static("/ui")), "").into_response())
+    end_session_response(state, kopid, client_auth_info, jar).await
 }
 
 pub(crate) async fn cancel_cred_update(
     State(state): State<ServerState>,
     Extension(kopid): Extension<KOpId>,
     HxRequest(_hx_request): HxRequest,
-    VerifiedClientInformation(_client_auth_info): VerifiedClientInformation,
+    VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
     DomainInfo(domain_info): DomainInfo,
     jar: CookieJar,
 ) -> axum::response::Result<Response> {
@@ -245,12 +276,7 @@ pub(crate) async fn cancel_cred_update(
     // No longer need the cookie jar.
     let jar = cookies::destroy(jar, COOKIE_CU_SESSION_TOKEN, &state);
 
-    Ok((
+    end_session_response(state, kopid, client_auth_info, jar).await
-        jar,
-        HxLocation::from(Uri::from_static(Urls::Profile.as_ref())),
-        "",
-    )
-        .into_response())
 }
 
 pub(crate) async fn cancel_mfareg(
@@ -782,7 +808,7 @@ pub(crate) async fn view_reset_get(
     State(state): State<ServerState>,
     Extension(kopid): Extension<KOpId>,
     HxRequest(_hx_request): HxRequest,
-    VerifiedClientInformation(_client_auth_info): VerifiedClientInformation,
+    VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
     DomainInfo(domain_info): DomainInfo,
     Query(params): Query<ResetTokenParam>,
     mut jar: CookieJar,
@@ -791,7 +817,7 @@ pub(crate) async fn view_reset_get(
     let cookie = jar.get(COOKIE_CU_SESSION_TOKEN);
     let is_logged_in = state
         .qe_r_ref
-        .handle_auth_valid(_client_auth_info.clone(), kopid.eventid)
+        .handle_auth_valid(client_auth_info.clone(), kopid.eventid)
         .await
         .is_ok();
 

server/core/templates/credentials_reset_form.html

@@ -56,10 +56,9 @@
             Return to the home page
         </button>
         <button class="btn btn-primary"
-            hx-get=(Urls::CredReset)
+            hx-get=""
-            hx-include="#token"
+            hx-include="form"
-            hx-target="#cred-reset-form" hx-select="#cred-reset-form"
+            hx-target="body"
-            hx-swap="outerHTML"
             type="submit">
             Submit
         </button>

server/core/templates/credentials_update_primary.html

@@ -42,7 +42,7 @@
                         </div>
                     </div>
                     <div>
-                        <button type="button" class="btn btn-outline-danger" hx-post="/ui/api/delete_alt_creds" hx-confirm="Delete your Password and any associated MFA?\nNote: this will not remove Passkeys.">
+                        <button type="button" class="btn btn-outline-danger" hx-post="/ui/api/delete_alt_creds" hx-confirm="Delete your Password and any associated alternative authentication methods? NOTE: this will not remove Passkeys.">
                             Delete Alternative Credentials
                         </button>
                     </div>

unix_integration/resolver/src/resolver.rs

@@ -228,6 +228,8 @@ impl Resolver {
             debug!("get_cached_usertoken {:?}", err);
         })?;
 
+        drop(dbtxn);
+
         match r {
             Some((ut, ex)) => {
                 // Are we expired?
@@ -276,6 +278,8 @@ impl Resolver {
         let mut dbtxn = self.db.write().await;
         let r = dbtxn.get_group(grp_id).map_err(|_| ())?;
 
+        drop(dbtxn);
+
         match r {
             Some((ut, ex)) => {
                 // Are we expired?