2013-12-12 14:48:23 -06:00
|
|
|
/**
|
|
|
|
|
* web/account.js - Webserver details for account management
|
|
|
|
|
*
|
|
|
|
|
* @author Calvin Montgomery <cyzon@cyzon.us>
|
|
|
|
|
*/
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
var webserver = require("./webserver");
|
2016-07-07 01:11:56 -07:00
|
|
|
var sendPug = require("./pug").sendPug;
|
2014-01-24 11:20:16 -06:00
|
|
|
var Logger = require("../logger");
|
|
|
|
|
var db = require("../database");
|
|
|
|
|
var $util = require("../utilities");
|
|
|
|
|
var Config = require("../config");
|
2014-02-02 15:50:05 -06:00
|
|
|
var Server = require("../server");
|
2015-02-15 21:56:00 -06:00
|
|
|
var session = require("../session");
|
2015-02-22 18:15:22 -06:00
|
|
|
var csrf = require("./csrf");
|
2016-12-13 22:44:23 -08:00
|
|
|
const url = require("url");
|
2017-04-04 23:02:31 -07:00
|
|
|
|
2017-07-08 20:11:54 -07:00
|
|
|
const LOGGER = require('@calzoneman/jsli')('database/accounts');
|
2013-12-12 14:48:23 -06:00
|
|
|
|
2017-08-15 18:23:03 -07:00
|
|
|
let globalMessageBus;
|
|
|
|
|
|
2013-12-12 14:48:23 -06:00
|
|
|
/**
|
|
|
|
|
* Handles a GET request for /account/edit
|
|
|
|
|
*/
|
|
|
|
|
function handleAccountEditPage(req, res) {
|
2014-01-22 21:12:43 -06:00
|
|
|
if (webserver.redirectHttps(req, res)) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {});
|
2013-12-12 14:48:23 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2014-01-24 11:20:16 -06:00
|
|
|
* Handles a POST request to edit a user"s account
|
2013-12-12 14:48:23 -06:00
|
|
|
*/
|
|
|
|
|
function handleAccountEdit(req, res) {
|
2015-02-22 18:15:22 -06:00
|
|
|
csrf.verify(req);
|
|
|
|
|
|
2013-12-12 14:48:23 -06:00
|
|
|
var action = req.body.action;
|
|
|
|
|
switch(action) {
|
2014-01-24 11:20:16 -06:00
|
|
|
case "change_password":
|
2013-12-12 14:48:23 -06:00
|
|
|
handleChangePassword(req, res);
|
|
|
|
|
break;
|
2014-01-24 11:20:16 -06:00
|
|
|
case "change_email":
|
2013-12-12 14:48:23 -06:00
|
|
|
handleChangeEmail(req, res);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
res.send(400);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2014-01-24 11:20:16 -06:00
|
|
|
* Handles a request to change the user"s password
|
2013-12-12 14:48:23 -06:00
|
|
|
*/
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
async function handleChangePassword(req, res) {
|
2013-12-12 14:48:23 -06:00
|
|
|
var name = req.body.name;
|
|
|
|
|
var oldpassword = req.body.oldpassword;
|
|
|
|
|
var newpassword = req.body.newpassword;
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
if (typeof name !== "string" ||
|
|
|
|
|
typeof oldpassword !== "string" ||
|
|
|
|
|
typeof newpassword !== "string") {
|
2013-12-12 14:48:23 -06:00
|
|
|
res.send(400);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (newpassword.length === 0) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2014-01-24 11:20:16 -06:00
|
|
|
errorMessage: "New password must not be empty"
|
2013-12-12 14:48:23 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
const reqUser = await webserver.authorize(req);
|
|
|
|
|
if (!reqUser) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2015-02-15 21:56:00 -06:00
|
|
|
errorMessage: "You must be logged in to change your password"
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-12 14:48:23 -06:00
|
|
|
newpassword = newpassword.substring(0, 100);
|
|
|
|
|
|
|
|
|
|
db.users.verifyLogin(name, oldpassword, function (err, user) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2013-12-12 14:48:23 -06:00
|
|
|
errorMessage: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
db.users.setPassword(name, newpassword, function (err, dbres) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2013-12-12 14:48:23 -06:00
|
|
|
errorMessage: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2015-02-15 21:56:00 -06:00
|
|
|
|
2015-10-27 23:54:32 -07:00
|
|
|
Logger.eventlog.log("[account] " + req.realIP +
|
2014-01-27 18:37:48 -06:00
|
|
|
" changed password for " + name);
|
2015-02-15 21:56:00 -06:00
|
|
|
|
|
|
|
|
db.users.getUser(name, function (err, user) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-edit", {
|
2015-02-15 21:56:00 -06:00
|
|
|
errorMessage: err
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var expiration = new Date(parseInt(req.signedCookies.auth.split(":")[1]));
|
|
|
|
|
session.genSession(user, expiration, function (err, auth) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-edit", {
|
2015-02-15 21:56:00 -06:00
|
|
|
errorMessage: err
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
webserver.setAuthCookie(req, res, expiration, auth);
|
2015-02-15 21:56:00 -06:00
|
|
|
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2015-02-15 21:56:00 -06:00
|
|
|
successMessage: "Password changed."
|
|
|
|
|
});
|
|
|
|
|
});
|
2013-12-12 14:48:23 -06:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2014-01-24 11:20:16 -06:00
|
|
|
* Handles a request to change the user"s email
|
2013-12-12 14:48:23 -06:00
|
|
|
*/
|
|
|
|
|
function handleChangeEmail(req, res) {
|
|
|
|
|
var name = req.body.name;
|
|
|
|
|
var password = req.body.password;
|
|
|
|
|
var email = req.body.email;
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
if (typeof name !== "string" ||
|
|
|
|
|
typeof password !== "string" ||
|
|
|
|
|
typeof email !== "string") {
|
2013-12-12 14:48:23 -06:00
|
|
|
res.send(400);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-27 18:37:48 -06:00
|
|
|
if (!$util.isValidEmail(email) && email !== "") {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2014-01-24 11:20:16 -06:00
|
|
|
errorMessage: "Invalid email address"
|
2013-12-12 14:48:23 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
db.users.verifyLogin(name, password, function (err, user) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2013-12-12 14:48:23 -06:00
|
|
|
errorMessage: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
db.users.setEmail(name, email, function (err, dbres) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2013-12-12 14:48:23 -06:00
|
|
|
errorMessage: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2015-10-27 23:54:32 -07:00
|
|
|
Logger.eventlog.log("[account] " + req.realIP +
|
2014-01-27 18:37:48 -06:00
|
|
|
" changed email for " + name +
|
|
|
|
|
" to " + email);
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-edit", {
|
2014-01-24 11:20:16 -06:00
|
|
|
successMessage: "Email address changed."
|
2013-12-12 14:48:23 -06:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles a GET request for /account/channels
|
|
|
|
|
*/
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
async function handleAccountChannelPage(req, res) {
|
2014-01-22 21:12:43 -06:00
|
|
|
if (webserver.redirectHttps(req, res)) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
const user = await webserver.authorize(req);
|
|
|
|
|
// TODO: error message
|
|
|
|
|
if (!user) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: []
|
|
|
|
|
});
|
2013-12-12 14:48:23 -06:00
|
|
|
}
|
2013-12-26 23:38:35 -05:00
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.channels.listUserChannels(user.name, function (err, channels) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: channels
|
2013-12-12 14:48:23 -06:00
|
|
|
});
|
2015-02-15 21:56:00 -06:00
|
|
|
});
|
2013-12-12 14:48:23 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2014-01-24 11:20:16 -06:00
|
|
|
* Handles a POST request to modify a user"s channels
|
2013-12-12 14:48:23 -06:00
|
|
|
*/
|
|
|
|
|
function handleAccountChannel(req, res) {
|
2015-02-22 18:15:22 -06:00
|
|
|
csrf.verify(req);
|
|
|
|
|
|
2013-12-12 14:48:23 -06:00
|
|
|
var action = req.body.action;
|
|
|
|
|
switch(action) {
|
2014-01-24 11:20:16 -06:00
|
|
|
case "new_channel":
|
2013-12-12 14:48:23 -06:00
|
|
|
handleNewChannel(req, res);
|
|
|
|
|
break;
|
2014-01-24 11:20:16 -06:00
|
|
|
case "delete_channel":
|
2013-12-12 14:48:23 -06:00
|
|
|
handleDeleteChannel(req, res);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
res.send(400);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles a request to register a new channel
|
|
|
|
|
*/
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
async function handleNewChannel(req, res) {
|
2013-12-26 23:38:35 -05:00
|
|
|
|
|
|
|
|
var name = req.body.name;
|
2014-01-24 11:20:16 -06:00
|
|
|
if (typeof name !== "string") {
|
2013-12-26 23:38:35 -05:00
|
|
|
res.send(400);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
const user = await webserver.authorize(req);
|
|
|
|
|
// TODO: error message
|
|
|
|
|
if (!user) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-channels", {
|
2013-12-26 23:38:35 -05:00
|
|
|
channels: []
|
|
|
|
|
});
|
|
|
|
|
}
|
2015-02-15 21:56:00 -06:00
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.channels.listUserChannels(user.name, function (err, channels) {
|
2013-12-26 23:38:35 -05:00
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2013-12-26 23:38:35 -05:00
|
|
|
channels: [],
|
|
|
|
|
newChannelError: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2014-01-20 12:42:20 -06:00
|
|
|
|
2015-02-15 21:56:00 -06:00
|
|
|
if (name.match(Config.get("reserved-names.channels"))) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: channels,
|
|
|
|
|
newChannelError: "That channel name is reserved"
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2014-02-05 18:05:52 -06:00
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
if (channels.length >= Config.get("max-channels-per-user")
|
|
|
|
|
&& user.global_rank < 255) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: channels,
|
|
|
|
|
newChannelError: "You are not allowed to register more than " +
|
|
|
|
|
Config.get("max-channels-per-user") + " channels."
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2014-02-06 10:37:00 -06:00
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.channels.register(name, user.name, function (err, channel) {
|
2015-02-15 21:56:00 -06:00
|
|
|
if (!err) {
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
Logger.eventlog.log("[channel] " + user.name + "@" +
|
2015-10-27 23:54:32 -07:00
|
|
|
req.realIP +
|
2015-02-15 21:56:00 -06:00
|
|
|
" registered channel " + name);
|
2017-08-15 18:55:36 -07:00
|
|
|
globalMessageBus.emit('ChannelRegistered', {
|
|
|
|
|
channel: name
|
|
|
|
|
});
|
2014-02-02 15:50:05 -06:00
|
|
|
|
2015-02-15 21:56:00 -06:00
|
|
|
channels.push({
|
|
|
|
|
name: name
|
|
|
|
|
});
|
|
|
|
|
}
|
2014-02-02 15:50:05 -06:00
|
|
|
|
2014-02-06 10:37:00 -06:00
|
|
|
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: channels,
|
|
|
|
|
newChannelError: err ? err : undefined
|
2013-12-26 23:38:35 -05:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
2013-12-12 14:48:23 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles a request to delete a new channel
|
|
|
|
|
*/
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
async function handleDeleteChannel(req, res) {
|
2013-12-26 23:38:35 -05:00
|
|
|
var name = req.body.name;
|
2014-01-24 11:20:16 -06:00
|
|
|
if (typeof name !== "string") {
|
2013-12-26 23:38:35 -05:00
|
|
|
res.send(400);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
const user = await webserver.authorize(req);
|
|
|
|
|
// TODO: error
|
|
|
|
|
if (!user) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-channels", {
|
2013-12-26 23:38:35 -05:00
|
|
|
channels: [],
|
|
|
|
|
});
|
|
|
|
|
}
|
2015-02-15 21:56:00 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
db.channels.lookup(name, function (err, channel) {
|
2013-12-26 23:38:35 -05:00
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2013-12-26 23:38:35 -05:00
|
|
|
channels: [],
|
|
|
|
|
deleteChannelError: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2014-01-20 12:42:20 -06:00
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
if ((!channel.owner || channel.owner.toLowerCase() !== user.name.toLowerCase()) && user.global_rank < 255) {
|
|
|
|
|
db.channels.listUserChannels(user.name, function (err2, channels) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: err2 ? [] : channels,
|
|
|
|
|
deleteChannelError: "You do not have permission to delete this channel"
|
2014-01-26 00:01:36 -06:00
|
|
|
});
|
2015-02-15 21:56:00 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
2014-01-26 00:01:36 -06:00
|
|
|
|
2015-02-15 21:56:00 -06:00
|
|
|
db.channels.drop(name, function (err) {
|
|
|
|
|
if (!err) {
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
Logger.eventlog.log("[channel] " + user.name + "@" +
|
2015-10-27 23:54:32 -07:00
|
|
|
req.realIP + " deleted channel " +
|
2015-02-15 21:56:00 -06:00
|
|
|
name);
|
2013-12-26 23:38:35 -05:00
|
|
|
}
|
2014-02-07 10:45:28 -06:00
|
|
|
|
2017-08-15 18:55:36 -07:00
|
|
|
globalMessageBus.emit('ChannelDeleted', {
|
|
|
|
|
channel: name
|
|
|
|
|
});
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.channels.listUserChannels(user.name, function (err2, channels) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-channels", {
|
2015-02-15 21:56:00 -06:00
|
|
|
channels: err2 ? [] : channels,
|
|
|
|
|
deleteChannelError: err ? err : undefined
|
2013-12-26 23:38:35 -05:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles a GET request for /account/profile
|
|
|
|
|
*/
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
async function handleAccountProfilePage(req, res) {
|
2014-01-22 21:12:43 -06:00
|
|
|
if (webserver.redirectHttps(req, res)) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
const user = await webserver.authorize(req);
|
|
|
|
|
// TODO: error message
|
|
|
|
|
if (!user) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-profile", {
|
2014-01-24 11:20:16 -06:00
|
|
|
profileImage: "",
|
|
|
|
|
profileText: ""
|
2013-12-26 23:38:35 -05:00
|
|
|
});
|
2015-02-15 21:56:00 -06:00
|
|
|
}
|
2013-12-26 23:38:35 -05:00
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.users.getProfile(user.name, function (err, profile) {
|
2015-02-15 21:56:00 -06:00
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-profile", {
|
2015-02-15 21:56:00 -06:00
|
|
|
profileError: err,
|
|
|
|
|
profileImage: "",
|
|
|
|
|
profileText: ""
|
2014-08-04 18:01:57 -07:00
|
|
|
});
|
2015-02-15 21:56:00 -06:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-profile", {
|
2015-02-15 21:56:00 -06:00
|
|
|
profileImage: profile.image,
|
|
|
|
|
profileText: profile.text,
|
|
|
|
|
profileError: false
|
2013-12-26 23:38:35 -05:00
|
|
|
});
|
2015-02-15 21:56:00 -06:00
|
|
|
});
|
2013-12-26 23:38:35 -05:00
|
|
|
}
|
|
|
|
|
|
2016-12-13 22:44:23 -08:00
|
|
|
function validateProfileImage(image, callback) {
|
|
|
|
|
var prefix = "Invalid URL for profile image: ";
|
|
|
|
|
var link = image.trim();
|
|
|
|
|
if (!link) {
|
|
|
|
|
process.nextTick(callback, null, link);
|
|
|
|
|
} else {
|
|
|
|
|
var data = url.parse(link);
|
|
|
|
|
if (!data.protocol || data.protocol !== 'https:') {
|
|
|
|
|
process.nextTick(callback,
|
|
|
|
|
new Error(prefix + " URL must begin with 'https://'"));
|
|
|
|
|
} else if (!data.host) {
|
|
|
|
|
process.nextTick(callback,
|
|
|
|
|
new Error(prefix + "missing hostname"));
|
|
|
|
|
} else {
|
|
|
|
|
process.nextTick(callback, null, link);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-26 23:38:35 -05:00
|
|
|
/**
|
|
|
|
|
* Handles a POST request to edit a profile
|
|
|
|
|
*/
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
async function handleAccountProfile(req, res) {
|
2015-02-22 18:15:22 -06:00
|
|
|
csrf.verify(req);
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
const user = await webserver.authorize(req);
|
|
|
|
|
// TODO: error message
|
|
|
|
|
if (!user) {
|
2016-07-07 01:11:56 -07:00
|
|
|
return sendPug(res, "account-profile", {
|
2014-01-20 12:42:20 -06:00
|
|
|
profileImage: "",
|
|
|
|
|
profileText: "",
|
|
|
|
|
profileError: "You must be logged in to edit your profile",
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-13 22:44:23 -08:00
|
|
|
var rawImage = String(req.body.image).substring(0, 255);
|
|
|
|
|
var text = String(req.body.text).substring(0, 255);
|
|
|
|
|
|
|
|
|
|
validateProfileImage(rawImage, (error, image) => {
|
|
|
|
|
if (error) {
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.users.getProfile(user.name, function (err, profile) {
|
2016-12-13 22:44:23 -08:00
|
|
|
var errorMessage = err || error.message;
|
|
|
|
|
sendPug(res, "account-profile", {
|
|
|
|
|
profileImage: profile ? profile.image : "",
|
|
|
|
|
profileText: profile ? profile.text : "",
|
|
|
|
|
profileError: errorMessage
|
|
|
|
|
});
|
2014-01-20 12:42:20 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests. However, this is not really
needed and wastes resources (and is slow).
For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:
* The cookies are already HMAC signed, so tampering with them ought to
be for all reasonable purposes, impossible.
* Assuming the worst case, all a nefarious user could manage to do is
change the text of the "Welcome, {user}" and cause a (non-functional)
ACP link to appear clientside, both of which are already possible by
using the Inspect Element tool.
For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
|
|
|
db.users.setProfile(user.name, { image: image, text: text }, function (err) {
|
2016-12-13 22:44:23 -08:00
|
|
|
if (err) {
|
|
|
|
|
sendPug(res, "account-profile", {
|
|
|
|
|
profileImage: "",
|
|
|
|
|
profileText: "",
|
|
|
|
|
profileError: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-15 18:23:03 -07:00
|
|
|
globalMessageBus.emit('UserProfileChanged', {
|
|
|
|
|
user: user.name,
|
|
|
|
|
profile: {
|
|
|
|
|
image,
|
|
|
|
|
text
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
2016-12-13 22:44:23 -08:00
|
|
|
sendPug(res, "account-profile", {
|
|
|
|
|
profileImage: image,
|
|
|
|
|
profileText: text,
|
|
|
|
|
profileError: false
|
|
|
|
|
});
|
2014-01-20 12:42:20 -06:00
|
|
|
});
|
|
|
|
|
});
|
2013-12-12 14:48:23 -06:00
|
|
|
}
|
|
|
|
|
|
2014-01-23 22:59:08 -06:00
|
|
|
/**
|
|
|
|
|
* Handles a GET request for /account/passwordreset
|
|
|
|
|
*/
|
|
|
|
|
function handlePasswordResetPage(req, res) {
|
|
|
|
|
if (webserver.redirectHttps(req, res)) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-23 22:59:08 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: "",
|
|
|
|
|
resetErr: false
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2014-02-01 13:03:08 -06:00
|
|
|
* Handles a POST request to reset a user's password
|
2014-01-23 22:59:08 -06:00
|
|
|
*/
|
|
|
|
|
function handlePasswordReset(req, res) {
|
2015-02-22 18:15:22 -06:00
|
|
|
csrf.verify(req);
|
|
|
|
|
|
2014-01-23 22:59:08 -06:00
|
|
|
var name = req.body.name,
|
|
|
|
|
email = req.body.email;
|
|
|
|
|
|
|
|
|
|
if (typeof name !== "string" || typeof email !== "string") {
|
|
|
|
|
res.send(400);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!$util.isValidUserName(name)) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-23 22:59:08 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: "",
|
|
|
|
|
resetErr: "Invalid username '" + name + "'"
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
db.users.getEmail(name, function (err, actualEmail) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-23 22:59:08 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: "",
|
|
|
|
|
resetErr: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (actualEmail !== email.trim()) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-23 22:59:08 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: "",
|
|
|
|
|
resetErr: "Provided email does not match the email address on record for " + name
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
} else if (actualEmail === "") {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-23 22:59:08 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: "",
|
|
|
|
|
resetErr: name + " doesn't have an email address on record. Please contact an " +
|
|
|
|
|
"administrator to manually reset your password."
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
var hash = $util.sha1($util.randomSalt(64));
|
|
|
|
|
// 24-hour expiration
|
|
|
|
|
var expire = Date.now() + 86400000;
|
2015-10-27 23:54:32 -07:00
|
|
|
var ip = req.realIP;
|
2014-01-24 11:20:16 -06:00
|
|
|
|
|
|
|
|
db.addPasswordReset({
|
|
|
|
|
ip: ip,
|
|
|
|
|
name: name,
|
|
|
|
|
email: email,
|
|
|
|
|
hash: hash,
|
|
|
|
|
expire: expire
|
|
|
|
|
}, function (err, dbres) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-24 11:20:16 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: "",
|
|
|
|
|
resetErr: err
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-27 18:37:48 -06:00
|
|
|
Logger.eventlog.log("[account] " + ip + " requested password recovery for " +
|
|
|
|
|
name + " <" + email + ">");
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
if (!Config.get("mail.enabled")) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-24 11:20:16 -06:00
|
|
|
reset: false,
|
|
|
|
|
resetEmail: email,
|
|
|
|
|
resetErr: "This server does not have mail support enabled. Please " +
|
|
|
|
|
"contact an administrator for assistance."
|
|
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var msg = "A password reset request was issued for your " +
|
|
|
|
|
"account `"+ name + "` on " + Config.get("http.domain") +
|
|
|
|
|
". This request is valid for 24 hours. If you did "+
|
|
|
|
|
"not initiate this, there is no need to take action."+
|
|
|
|
|
" To reset your password, copy and paste the " +
|
|
|
|
|
"following link into your browser: " +
|
2014-02-01 13:03:08 -06:00
|
|
|
Config.get("http.domain") + "/account/passwordrecover/"+hash;
|
2014-01-24 11:20:16 -06:00
|
|
|
|
|
|
|
|
var mail = {
|
2015-02-20 07:53:33 +11:00
|
|
|
from: Config.get("mail.from-name") + " <" + Config.get("mail.from-address") + ">",
|
2014-01-24 11:20:16 -06:00
|
|
|
to: email,
|
|
|
|
|
subject: "Password reset request",
|
|
|
|
|
text: msg
|
|
|
|
|
};
|
|
|
|
|
|
2014-02-28 16:20:58 -06:00
|
|
|
Config.get("mail.nodemailer").sendMail(mail, function (err, response) {
|
2014-01-24 11:20:16 -06:00
|
|
|
if (err) {
|
2017-04-04 23:02:31 -07:00
|
|
|
LOGGER.error("mail fail: " + err);
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-24 11:20:16 -06:00
|
|
|
reset: false,
|
2014-03-01 17:37:59 -06:00
|
|
|
resetEmail: email,
|
2014-01-24 11:20:16 -06:00
|
|
|
resetErr: "Sending reset email failed. Please contact an " +
|
|
|
|
|
"administrator for assistance."
|
|
|
|
|
});
|
|
|
|
|
} else {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordreset", {
|
2014-01-24 11:20:16 -06:00
|
|
|
reset: true,
|
2014-03-01 17:37:59 -06:00
|
|
|
resetEmail: email,
|
2014-01-24 11:20:16 -06:00
|
|
|
resetErr: false
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
});
|
2014-01-23 22:59:08 -06:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
/**
|
2014-02-01 13:03:08 -06:00
|
|
|
* Handles a request for /account/passwordrecover/<hash>
|
2014-01-24 11:20:16 -06:00
|
|
|
*/
|
|
|
|
|
function handlePasswordRecover(req, res) {
|
2014-02-01 13:03:08 -06:00
|
|
|
var hash = req.params.hash;
|
2014-01-24 11:20:16 -06:00
|
|
|
if (typeof hash !== "string") {
|
|
|
|
|
res.send(400);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-27 23:54:32 -07:00
|
|
|
var ip = req.realIP;
|
2014-01-24 11:20:16 -06:00
|
|
|
|
|
|
|
|
db.lookupPasswordReset(hash, function (err, row) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordrecover", {
|
2014-01-24 11:20:16 -06:00
|
|
|
recovered: false,
|
2015-02-15 21:56:00 -06:00
|
|
|
recoverErr: err
|
2014-01-24 11:20:16 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Date.now() >= row.expire) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordrecover", {
|
2014-01-24 11:20:16 -06:00
|
|
|
recovered: false,
|
|
|
|
|
recoverErr: "This password recovery link has expired. Password " +
|
|
|
|
|
"recovery links are valid only for 24 hours after " +
|
2015-02-15 21:56:00 -06:00
|
|
|
"submission."
|
2014-01-24 11:20:16 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-27 18:23:31 -06:00
|
|
|
var newpw = "";
|
|
|
|
|
const avail = "abcdefgihkmnpqrstuvwxyz0123456789";
|
|
|
|
|
for (var i = 0; i < 10; i++) {
|
|
|
|
|
newpw += avail[Math.floor(Math.random() * avail.length)];
|
|
|
|
|
}
|
|
|
|
|
db.users.setPassword(row.name, newpw, function (err) {
|
|
|
|
|
if (err) {
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordrecover", {
|
2014-01-27 18:23:31 -06:00
|
|
|
recovered: false,
|
|
|
|
|
recoverErr: "Database error. Please contact an administrator if " +
|
2015-02-15 21:56:00 -06:00
|
|
|
"this persists."
|
|
|
|
|
|
2014-01-27 18:23:31 -06:00
|
|
|
});
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
db.deletePasswordReset(hash);
|
2014-02-07 10:45:28 -06:00
|
|
|
Logger.eventlog.log("[account] " + ip + " recovered password for " + row.name);
|
2014-01-27 18:23:31 -06:00
|
|
|
|
2016-07-07 01:11:56 -07:00
|
|
|
sendPug(res, "account-passwordrecover", {
|
2014-01-27 18:23:31 -06:00
|
|
|
recovered: true,
|
2015-02-15 21:56:00 -06:00
|
|
|
recoverPw: newpw
|
2014-01-27 18:23:31 -06:00
|
|
|
});
|
|
|
|
|
});
|
2014-01-24 11:20:16 -06:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-12 14:48:23 -06:00
|
|
|
module.exports = {
|
|
|
|
|
/**
|
2013-12-26 23:38:35 -05:00
|
|
|
* Initialize the module
|
2013-12-12 14:48:23 -06:00
|
|
|
*/
|
2017-08-15 18:23:03 -07:00
|
|
|
init: function (app, _globalMessageBus) {
|
|
|
|
|
globalMessageBus = _globalMessageBus;
|
|
|
|
|
|
2014-01-24 11:20:16 -06:00
|
|
|
app.get("/account/edit", handleAccountEditPage);
|
|
|
|
|
app.post("/account/edit", handleAccountEdit);
|
|
|
|
|
app.get("/account/channels", handleAccountChannelPage);
|
|
|
|
|
app.post("/account/channels", handleAccountChannel);
|
|
|
|
|
app.get("/account/profile", handleAccountProfilePage);
|
|
|
|
|
app.post("/account/profile", handleAccountProfile);
|
2014-01-23 22:59:08 -06:00
|
|
|
app.get("/account/passwordreset", handlePasswordResetPage);
|
|
|
|
|
app.post("/account/passwordreset", handlePasswordReset);
|
2014-02-01 13:03:08 -06:00
|
|
|
app.get("/account/passwordrecover/:hash", handlePasswordRecover);
|
2014-02-05 18:08:20 -06:00
|
|
|
app.get("/account", function (req, res) {
|
|
|
|
|
res.redirect("/login");
|
|
|
|
|
});
|
2013-12-12 14:48:23 -06:00
|
|
|
}
|
|
|
|
|
};
|
