From edb5f94b7ccd080da9b0eada85c6bd4ad7b8520b Mon Sep 17 00:00:00 2001
From: Calvin Montgomery
Date: Thu, 19 Aug 2021 20:55:02 -0700
Subject: [PATCH] Add a POST flow to password recovery (#871)
---
 package.json | 2 +-
 src/web/account.js | 43 +++++++++++++++++++++++++--
 templates/account-passwordrecover.pug | 3 ++
 3 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index b7ad6e15..907bea68 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "author": "Calvin Montgomery",
 "name": "CyTube",
 "description": "Online media synchronizer and chat",
- "version": "3.82.1",
+ "version": "3.82.2",
 "repository": {
 "url": "http://github.com/calzoneman/sync"
 },
diff --git a/src/web/account.js b/src/web/account.js
index 41bf6733..db59d348 100644
--- a/src/web/account.js
+++ b/src/web/account.js
@@ -631,7 +631,45 @@ function handlePasswordReset(req, res) {
 /**
 * Handles a request for /account/passwordrecover/
 */
-function handlePasswordRecover(req, res) {
+function handleGetPasswordRecover(req, res) {
+ var hash = req.params.hash;
+ if (typeof hash !== "string") {
+ res.send(400);
+ return;
+ }
+
+ var ip = req.realIP;
+
+ db.lookupPasswordReset(hash, function (err, row) {
+ if (err) {
+ sendPug(res, "account-passwordrecover", {
+ recovered: false,
+ recoverErr: err
+ });
+ return;
+ }
+
+ if (Date.now() >= row.expire) {
+ sendPug(res, "account-passwordrecover", {
+ recovered: false,
+ recoverErr: "This password recovery link has expired. Password " +
+ "recovery links are valid only for 24 hours after " +
+ "submission."
+ });
+ return;
+ }
+
+ sendPug(res, "account-passwordrecover", {
+ confirm: true,
+ recovered: false
+ });
+ });
+}
+
+/**
+ * Handles a POST request for /account/passwordrecover/
+ */
+function handlePostPasswordRecover(req, res) {
 var hash = req.params.hash;
 if (typeof hash !== "string") {
 res.send(400);
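Review bot: `var ip = req.realIP;` in handleGetPasswordRecover is assigned and never read; it looks carried over from the old handler body (which now continues as handlePostPasswordRecover, presumably still using it), so it should be dropped from the GET handler. The lookup callback also dereferences `row.expire` with no guard for a callback that carries neither an error nor a row; unless lookupPasswordReset is known to always report that case as `err`, `if (err || !row) {` with `recoverErr: err || "Invalid password recovery link"` is a cheap guard. Rendering the raw `err` value as `recoverErr` is worth a look as well: if it can ever be a database driver error rather than a user-facing string, it exposes query details to an unauthenticated visitor, and a fixed message plus a server-side log of `err` avoids that. The lookup-plus-expiry check is now duplicated between the GET and POST handlers; a shared helper taking a continuation would keep the two from drifting. handlePostPasswordRecover's body continues outside the hunk.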
@@ -703,7 +741,8 @@ module.exports = {
 app.post("/account/profile", handleAccountProfile);
 app.get("/account/passwordreset", handlePasswordResetPage);
 app.post("/account/passwordreset", handlePasswordReset);
- app.get("/account/passwordrecover/:hash", handlePasswordRecover);
+ app.get("/account/passwordrecover/:hash", handleGetPasswordRecover);
+ app.post("/account/passwordrecover/:hash", handlePostPasswordRecover);
 app.get("/account", function (req, res) {
 res.redirect("/login");
 });
diff --git a/templates/account-passwordrecover.pug b/templates/account-passwordrecover.pug
index 09e3b119..a2b63d78 100644
--- a/templates/account-passwordrecover.pug
+++ b/templates/account-passwordrecover.pug
@@ -7,6 +7,9 @@ block content
 .alert.alert-success.center.messagebox
 strong Your password has been changed
 p Your account has been assigned the temporary password #{recoverPw}. You may now use this password to log in and choose a new password by visiting the change password/email page.
+ else if confirm
+ form(role="form", method="POST")
+ button.btn.btn-primary.btn-block(type="submit") Click here to reset password
 else
 .alert.alert-danger.center.messagebox
 strong Password recovery failed
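Review bot: The confirmation form added under `else if confirm` gives the user no indication of what submitting does, even though the success branch just above shows that it replaces the account password with a temporary one; the user should know that before clicking. Consider a `p` line before the button, e.g. `p Submitting this form will replace your current password with a temporary one shown on the next page.` The form has no `action`, so it posts back to the current `/account/passwordrecover/:hash` URL; that is presumably intentional, since the token in the path is what authorizes the reset, and a template comment `//- no action: POST to the current URL so the recovery token in the path is reused` would make it explicit. The absence of a CSRF token is defensible here only because that URL token is itself a secret a cross-site attacker would not hold; if that is the reasoning, it belongs in the same comment.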