From 3a34d78712fbd7b625d5ce02dff561173b2fd791 Mon Sep 17 00:00:00 2001 From: Kayne Ruse Date: Wed, 8 May 2019 17:15:17 +1000 Subject: [PATCH] Fixed security hole, token now needed to change password --- server/accounts.js | 60 ++++++++++++++-------- src/components/pages/home.jsx | 28 ++++++++--- src/components/panels/password_change.jsx | 14 +++--- src/components/panels/signup.jsx | 61 +++++++++++++++++------ 4 files changed, 111 insertions(+), 52 deletions(-) diff --git a/server/accounts.js b/server/accounts.js index 7f4934a..a7b6fdc 100644 --- a/server/accounts.js +++ b/server/accounts.js @@ -20,7 +20,7 @@ function signup(connection) { //validate email, username and password if (!validateEmail(fields.email) || fields.username.length < 4 || fields.username.length > 100 || fields.password.length < 8 || fields.password !== fields.retype) { - res.write('

Invalid signup data

'); + res.status(400).write('Invalid signup data'); res.end(); return; } @@ -31,13 +31,13 @@ function signup(connection) { if (err) throw err; if (results[0].email !== 0) { - res.write('

Email already registered!

'); + res.status(400).write('Email already registered!'); res.end(); return; } if (results[0].username !== 0) { - res.write('

Username already registered!

'); + res.status(400).write('Username already registered!'); res.end(); return; } @@ -76,7 +76,7 @@ function signup(connection) { return; } - res.write('

Verification email sent!

'); + res.status(200).write('Verification email sent!'); res.end(); }); }) @@ -209,36 +209,52 @@ function passwordChange(connection) { //validate password, retype if (!validateEmail(fields.email) || fields.password.length < 8 || fields.password !== fields.retype) { - res.write('

Invalid password change data

'); + res.status(400).write('Invalid password change data'); res.end(); return; } - //generate the new salt, hash - bcrypt.genSalt(11, (err, salt) => { + //validate token + query = 'SELECT sessions.token FROM sessions WHERE sessions.accountId IN (SELECT id FROM accounts WHERE email = ?);'; + connection.query(query, [fields.email], (err, results) => { if (err) throw err; - bcrypt.hash(fields.password, salt, (err, hash) => { - if (err) throw err; - let query = 'UPDATE accounts SET salt = ?, hash = ? WHERE email = ?;'; - connection.query(query, [salt, hash, fields.email], (err) => { + let found = false; + + results.map((result) => { if (result.token == fields.token) found = true; }); + + if (!found) { + res.status(400).write('Invalid password change authentication'); + res.end(); + return; + } + + //generate the new salt, hash + bcrypt.genSalt(11, (err, salt) => { + if (err) throw err; + bcrypt.hash(fields.password, salt, (err, hash) => { if (err) throw err; - //clear all session data for this user (a 'feature') - let query = 'DELETE FROM sessions WHERE sessions.accountId IN (SELECT accounts.id FROM accounts WHERE email = ?);'; - connection.query(query, [fields.email], (err) => { + let query = 'UPDATE accounts SET salt = ?, hash = ? WHERE email = ?;'; + connection.query(query, [salt, hash, fields.email], (err) => { if (err) throw err; - //create the new session - let rand = Math.floor(Math.random() * 100000); - - let query = 'INSERT INTO sessions (accountId, token) VALUES ((SELECT accounts.id FROM accounts WHERE email = ?), ?);'; - connection.query(query, [fields.email, rand], (err) => { + //clear all session data for this user (a 'feature') + let query = 'DELETE FROM sessions WHERE sessions.accountId IN (SELECT accounts.id FROM accounts WHERE email = ?);'; + connection.query(query, [fields.email], (err) => { if (err) throw err; - //send json containing the account info - res.status(200).json({ - token: rand + //create the new session + let rand = Math.floor(Math.random() * 100000); + + let query = 'INSERT INTO sessions (accountId, token) VALUES ((SELECT accounts.id FROM accounts WHERE email = ?), ?);'; + connection.query(query, [fields.email, rand], (err) => { + if (err) throw err; + + //send json containing the account info + res.status(200).json({ + token: rand + }); }); }); }); diff --git a/src/components/pages/home.jsx b/src/components/pages/home.jsx index 0f767e1..ba04d88 100644 --- a/src/components/pages/home.jsx +++ b/src/components/pages/home.jsx @@ -13,7 +13,9 @@ class Home extends React.Component { constructor(props) { super(props); this.state = { - changedPassword: false + changedPassword: false, + signedUp: false, + signupMsg: '' }; } @@ -27,7 +29,7 @@ class Home extends React.Component { if (!this.state.changedPassword) { PasswordChangePanel = () => { - return ( { this.setState({changedPassword: true}) }} />); + return ( { this.setState({changedPassword: true}) }} />); } } else { PasswordChangePanel = () => { @@ -48,12 +50,22 @@ class Home extends React.Component { if (this.state.changedPassword) { this.setState({changedPassword: false}); } - return ( -
- - -
- ); + + if (!this.state.signedUp) { + return ( +
+ this.setState( {signedUp: true, signupMsg: msg} )} /> + +
+ ); + } else { + return ( +
+

{this.state.signupMsg}

+ +
+ ); + } }; } diff --git a/src/components/panels/password_change.jsx b/src/components/panels/password_change.jsx index 2ebfddd..ae39a12 100644 --- a/src/components/panels/password_change.jsx +++ b/src/components/panels/password_change.jsx @@ -55,12 +55,18 @@ class PasswordChange extends React.Component { let xhr = new XMLHttpRequest(); formData.append('email', this.props.email); + formData.append('token', this.props.token); xhr.onreadystatechange = () => { if (xhr.readyState === 4) { if (xhr.status === 200) { let json = JSON.parse(xhr.responseText); this.props.sessionChange(json.token); + + //DEBUGGING + if (this.props.onPasswordChange) { + this.props.onPasswordChange(); + } } else if (xhr.status === 400) { @@ -72,11 +78,6 @@ class PasswordChange extends React.Component { //send the XHR xhr.open('POST', form.action, true); xhr.send(formData); - - //DEBUGGING - if (this.props.onSubmit) { - this.props.onSubmit(); - } } validateInput(e) { @@ -122,7 +123,8 @@ class PasswordChange extends React.Component { function mapStoreToProps(store) { return { - email: store.account.email + email: store.account.email, + token: store.account.token } } diff --git a/src/components/panels/signup.jsx b/src/components/panels/signup.jsx index a2d2259..c02fc2b 100644 --- a/src/components/panels/signup.jsx +++ b/src/components/panels/signup.jsx @@ -26,7 +26,7 @@ export default class Signup extends React.Component {

{this.state.warning}

-
this.validateInput(e)}> + this.submit(e)}>
@@ -53,31 +53,60 @@ export default class Signup extends React.Component { ); } - validateInput(e) { + submit(e) { + e.preventDefault(); + + if (!this.validateInput()) { + return; + } + + //build the XHR + let form = e.target; + let formData = new FormData(form); + let xhr = new XMLHttpRequest(); + + xhr.onreadystatechange = () => { + if (xhr.readyState === 4) { + if (xhr.status === 200) { + if (this.props.onSignup) { + this.props.onSignup(xhr.responseText); + } + } + + else if (xhr.status === 400) { + this.setWarning(xhr.responseText); + } + } + }; + + //send the XHR + xhr.open('POST', form.action, true); + xhr.send(formData); + } + + validateInput() { if (!validateEmail(this.state.email)) { - e.preventDefault(); this.setWarning('Invalid Email'); + return false; } - - else if (this.state.username.length < 4) { - e.preventDefault(); + if (this.state.username.length < 4) { this.setWarning('Minimum username length is 4 characters'); + return false; } - - else if (this.state.username.length > 100) { - e.preventDefault(); + if (this.state.username.length > 100) { this.setWarning('Maximum username length is 100 characters'); + return false; } - - else if (this.state.password.length < 8) { - e.preventDefault(); + if (this.state.password.length < 8) { this.setWarning('Minimum password length is 8 characters'); + return false; + } + if (this.state.password !== this.state.retype) { + this.setWarning('Passwords do not match'); + return false; } - else if (this.state.password !== this.state.retype) { - e.preventDefault(); - this.setWarning('Passwords do not match'); - } + return true; } setWarning(s) {