/** * web/account.js - Webserver details for account management * * @author Calvin Montgomery */ var webserver = require("./webserver"); var logRequest = webserver.logRequest; var sendJade = require("./jade").sendJade; var Logger = require("../logger"); var db = require("../database"); var $util = require("../utilities"); var Config = require("../config"); /** * Handles a GET request for /account/edit */ function handleAccountEditPage(req, res) { if (webserver.redirectHttps(req, res)) { return; } logRequest(req); var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName }); } /** * Handles a POST request to edit a user"s account */ function handleAccountEdit(req, res) { logRequest(req); var action = req.body.action; switch(action) { case "change_password": handleChangePassword(req, res); break; case "change_email": handleChangeEmail(req, res); break; default: res.send(400); break; } } /** * Handles a request to change the user"s password */ function handleChangePassword(req, res) { var name = req.body.name; var oldpassword = req.body.oldpassword; var newpassword = req.body.newpassword; var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } if (typeof name !== "string" || typeof oldpassword !== "string" || typeof newpassword !== "string") { res.send(400); return; } if (newpassword.length === 0) { sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, errorMessage: "New password must not be empty" }); return; } newpassword = newpassword.substring(0, 100); db.users.verifyLogin(name, oldpassword, function (err, user) { if (err) { sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, errorMessage: err }); return; } db.users.setPassword(name, newpassword, function (err, dbres) { if (err) { sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, errorMessage: err }); return; } Logger.eventlog(webserver.ipForRequest(req) + " changed password for " + name); sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, successMessage: "Password changed." }); }); }); } /** * Handles a request to change the user"s email */ function handleChangeEmail(req, res) { var name = req.body.name; var password = req.body.password; var email = req.body.email; var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } if (typeof name !== "string" || typeof password !== "string" || typeof email !== "string") { res.send(400); return; } if (!$util.isValidEmail(email)) { sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, errorMessage: "Invalid email address" }); return; } db.users.verifyLogin(name, password, function (err, user) { if (err) { sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, errorMessage: err }); return; } db.users.setEmail(name, email, function (err, dbres) { if (err) { sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, errorMessage: err }); return; } // TODO event log Logger.syslog.log(webserver.ipForRequest(req) + " changed email for " + name + " to " + email); sendJade(res, "account-edit", { loggedIn: loginName !== false, loginName: loginName, successMessage: "Email address changed." }); }); }); } /** * Handles a GET request for /account/channels */ function handleAccountChannelPage(req, res) { if (webserver.redirectHttps(req, res)) { return; } logRequest(req); var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } if (loginName) { db.channels.listUserChannels(loginName, function (err, channels) { sendJade(res, "account-channels", { loggedIn: true, loginName: loginName, channels: channels }); }); } else { sendJade(res, "account-channels", { loggedIn: false, channels: [], }); } } /** * Handles a POST request to modify a user"s channels */ function handleAccountChannel(req, res) { logRequest(req); var action = req.body.action; switch(action) { case "new_channel": handleNewChannel(req, res); break; case "delete_channel": handleDeleteChannel(req, res); break; default: res.send(400); break; } } /** * Handles a request to register a new channel */ function handleNewChannel(req, res) { logRequest(req); var name = req.body.name; if (typeof name !== "string") { res.send(400); return; } var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } else { sendJade(res, "account-channels", { loggedIn: false, channels: [] }); return; } db.users.verifyAuth(req.cookies.auth, function (err, user) { if (err) { sendJade(res, "account-channels", { loggedIn: false, channels: [], newChannelError: err }); return; } db.channels.register(name, user.name, function (err, channel) { db.channels.listUserChannels(loginName, function (err2, channels) { sendJade(res, "account-channels", { loggedIn: true, loginName: loginName, channels: err2 ? [] : channels, newChannelError: err ? err : undefined }); }); }); }); } /** * Handles a request to delete a new channel */ function handleDeleteChannel(req, res) { logRequest(req); var name = req.body.name; if (typeof name !== "string") { res.send(400); return; } var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } else { sendJade(res, "account-channels", { loggedIn: false, channels: [], }); return; } db.users.verifyAuth(req.cookies.auth, function (err, user) { if (err) { sendJade(res, "account-channels", { loggedIn: false, channels: [], deleteChannelError: err }); return; } db.channels.lookup(name, function (err, channel) { if (err) { sendJade(res, "account-channels", { loggedIn: true, loginName: loginName, channels: [], deleteChannelError: err }); return; } if (channel.owner !== user.name && user.global_rank < 255) { db.channels.listUserChannels(loginName, function (err2, channels) { sendJade(res, "account-channels", { loggedIn: true, loginName: loginName, channels: err2 ? [] : channels, deleteChannelError: "You do not have permission to delete this channel" }); }); return; } db.channels.drop(name, function (err) { db.channels.listUserChannels(loginName, function (err2, channels) { sendJade(res, "account-channels", { loggedIn: true, loginName: loginName, channels: err2 ? [] : channels, deleteChannelError: err ? err : undefined }); }); }); }); }); } /** * Handles a GET request for /account/profile */ function handleAccountProfilePage(req, res) { if (webserver.redirectHttps(req, res)) { return; } logRequest(req); var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } else { sendJade(res, "account-profile", { loggedIn: false, profileImage: "", profileText: "" }); return; } db.users.getProfile(loginName, function (err, profile) { if (err) { sendJade(res, "account-profile", { loggedIn: true, loginName: loginName, profileError: err, profileImage: "", profileText: "" }); return; } sendJade(res, "account-profile", { loggedIn: true, loginName: loginName, profileImage: profile.image, profileText: profile.text, profileError: false }); }); } /** * Handles a POST request to edit a profile */ function handleAccountProfile(req, res) { logRequest(req); var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; } else { sendJade(res, "account-profile", { loggedIn: false, profileImage: "", profileText: "", profileError: "You must be logged in to edit your profile", }); return; } var image = req.body.image; var text = req.body.text; db.users.verifyAuth(req.cookies.auth, function (err, user) { if (err) { sendJade(res, "account-profile", { loggedIn: false, profileImage: "", profileText: "", profileError: err }); return; } db.users.setProfile(user.name, { image: image, text: text }, function (err) { if (err) { sendJade(res, "account-profile", { loggedIn: true, loginName: user.name, profileImage: "", profileText: "", profileError: err }); return; } sendJade(res, "account-profile", { loggedIn: true, loginName: user.name, profileImage: image, profileText: text, profileError: false }); }); }); } /** * Handles a GET request for /account/passwordreset */ function handlePasswordResetPage(req, res) { if (webserver.redirectHttps(req, res)) { return; } logRequest(req); sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", resetErr: false }); } /** * Handles a POST request to reset a user"s password */ function handlePasswordReset(req, res) { logRequest(req); var name = req.body.name, email = req.body.email; if (typeof name !== "string" || typeof email !== "string") { res.send(400); return; } if (!$util.isValidUserName(name)) { sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", resetErr: "Invalid username '" + name + "'" }); return; } db.users.getEmail(name, function (err, actualEmail) { if (err) { sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", resetErr: err }); return; } if (actualEmail !== email.trim()) { sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", resetErr: "Provided email does not match the email address on record for " + name }); return; } else if (actualEmail === "") { sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", resetErr: name + " doesn't have an email address on record. Please contact an " + "administrator to manually reset your password." }); return; } var hash = $util.sha1($util.randomSalt(64)); // 24-hour expiration var expire = Date.now() + 86400000; var ip = webserver.ipForRequest(req); db.addPasswordReset({ ip: ip, name: name, email: email, hash: hash, expire: expire }, function (err, dbres) { if (err) { sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", resetErr: err }); return; } if (!Config.get("mail.enabled")) { sendJade(res, "account-passwordreset", { reset: false, resetEmail: email, resetErr: "This server does not have mail support enabled. Please " + "contact an administrator for assistance." }); return; } var msg = "A password reset request was issued for your " + "account `"+ name + "` on " + Config.get("http.domain") + ". This request is valid for 24 hours. If you did "+ "not initiate this, there is no need to take action."+ " To reset your password, copy and paste the " + "following link into your browser: " + Config.get("http.domain") + "/passwordrecover/"+hash; var mail = { from: "CyTube Services <" + Config.get("mail.from") + ">", to: email, subject: "Password reset request", text: msg }; Config.get("nodemailer").sendMail(mail, function (err, response) { if (err) { Logger.errlog.log("mail fail: " + err); sendJade(res, "account-passwordreset", { reset: false, resetEmail: user.email, resetErr: "Sending reset email failed. Please contact an " + "administrator for assistance." }); } else { sendJade(res, "account-passwordreset", { reset: true, resetEmail: user.email, resetErr: false }); } }); }); }); } /** * Handles a request for /passwordreceover/ */ function handlePasswordRecover(req, res) { var hash = req.query.hash; if (typeof hash !== "string") { res.send(400); return; } var ip = webserver.ipForRequest(req); db.lookupPasswordReset(hash, function (err, row) { if (err) { sendJade(req, "account-passwordrecover", { recovered: false, recoverErr: err, loginName: false }); return; } if (row.ip && row.ip !== ip) { sendJade(req, "account-passwordrecover", { recovered: false, recoverErr: "Your IP address does not match the address " + "used to submit the reset request. For your " + "security, only the IP which initiates the reset " + "may reclaim an account.", loginName: false }); return; } if (Date.now() >= row.expire) { sendJade(req, "account-passwordrecover", { recovered: false, recoverErr: "This password recovery link has expired. Password " + "recovery links are valid only for 24 hours after " + "submission.", loginName: false }); return; } // TODO actual reset }); } module.exports = { /** * Initialize the module */ init: function (app) { app.get("/account/edit", handleAccountEditPage); app.post("/account/edit", handleAccountEdit); app.get("/account/channels", handleAccountChannelPage); app.post("/account/channels", handleAccountChannel); app.get("/account/profile", handleAccountProfilePage); app.post("/account/profile", handleAccountProfile); app.get("/account/passwordreset", handlePasswordResetPage); app.post("/account/passwordreset", handlePasswordReset); } };