Ratstail91/kingdombattles
Archived
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed security hole, token now needed to change password

Browse Source
This commit is contained in:
Kayne Ruse
2019-05-08 17:15:17 +10:00
parent 6c15bbc4a3
commit 3a34d78712
4 changed files with 111 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/accounts.js
+21 -5
View File
@@ -20,7 +20,7 @@ function signup(connection) {
//validate email, username and password //validate email, username and password
if (!validateEmail(fields.email) || fields.username.length < 4 || fields.username.length > 100 || fields.password.length < 8 || fields.password !== fields.retype) { if (!validateEmail(fields.email) || fields.username.length < 4 || fields.username.length > 100 || fields.password.length < 8 || fields.password !== fields.retype) {
res.write('<p>Invalid signup data</p>'); res.status(400).write('Invalid signup data');
res.end(); res.end();
return; return;
} }
@@ -31,13 +31,13 @@ function signup(connection) {
if (err) throw err; if (err) throw err;
if (results[0].email !== 0) { if (results[0].email !== 0) {
res.write('<p>Email already registered!</p>'); res.status(400).write('Email already registered!');
res.end(); res.end();
return; return;
} }
if (results[0].username !== 0) { if (results[0].username !== 0) {
res.write('<p>Username already registered!</p>'); res.status(400).write('Username already registered!');
res.end(); res.end();
return; return;
} }
@@ -76,7 +76,7 @@ function signup(connection) {
return; return;
} }
res.write('<p>Verification email sent!</p>'); res.status(200).write('Verification email sent!');
res.end(); res.end();
}); });
}) })
@@ -209,7 +209,22 @@ function passwordChange(connection) {
//validate password, retype //validate password, retype
if (!validateEmail(fields.email) || fields.password.length < 8 || fields.password !== fields.retype) { if (!validateEmail(fields.email) || fields.password.length < 8 || fields.password !== fields.retype) {
res.write('<p>Invalid password change data</p>'); res.status(400).write('Invalid password change data');
res.end();
return;
}
//validate token
query = 'SELECT sessions.token FROM sessions WHERE sessions.accountId IN (SELECT id FROM accounts WHERE email = ?);';
connection.query(query, [fields.email], (err, results) => {
if (err) throw err;
let found = false;
results.map((result) => { if (result.token == fields.token) found = true; });
if (!found) {
res.status(400).write('Invalid password change authentication');
res.end(); res.end();
return; return;
} }
@@ -246,6 +261,7 @@ function passwordChange(connection) {
}); });
}); });
}); });
});
} }
} }
src/components/pages/home.jsx
+15 -3
View File
@@ -13,7 +13,9 @@ class Home extends React.Component {
constructor(props) { constructor(props) {
super(props); super(props);
this.state = { this.state = {
changedPassword: false changedPassword: false,
signedUp: false,
signupMsg: ''
}; };
} }
@@ -27,7 +29,7 @@ class Home extends React.Component {
if (!this.state.changedPassword) { if (!this.state.changedPassword) {
PasswordChangePanel = () => { PasswordChangePanel = () => {
return (<PasswordChange onSubmit={() => { this.setState({changedPassword: true}) }} />); return (<PasswordChange onPasswordChange={() => { this.setState({changedPassword: true}) }} />);
} }
} else { } else {
PasswordChangePanel = () => { PasswordChangePanel = () => {
@@ -48,12 +50,22 @@ class Home extends React.Component {
if (this.state.changedPassword) { if (this.state.changedPassword) {
this.setState({changedPassword: false}); this.setState({changedPassword: false});
} }
if (!this.state.signedUp) {
return ( return (
<div> <div>
<Signup /> <Signup onSignup={(msg) => this.setState( {signedUp: true, signupMsg: msg} )} />
<Login /> <Login />
</div> </div>
); );
} else {
return (
<div>
<p>{this.state.signupMsg}</p>
<Login />
</div>
);
}
}; };
} }
src/components/panels/password_change.jsx
+8 -6
View File
@@ -55,12 +55,18 @@ class PasswordChange extends React.Component {
let xhr = new XMLHttpRequest(); let xhr = new XMLHttpRequest();
formData.append('email', this.props.email); formData.append('email', this.props.email);
formData.append('token', this.props.token);
xhr.onreadystatechange = () => { xhr.onreadystatechange = () => {
if (xhr.readyState === 4) { if (xhr.readyState === 4) {
if (xhr.status === 200) { if (xhr.status === 200) {
let json = JSON.parse(xhr.responseText); let json = JSON.parse(xhr.responseText);
this.props.sessionChange(json.token); this.props.sessionChange(json.token);
//DEBUGGING
if (this.props.onPasswordChange) {
this.props.onPasswordChange();
}
} }
else if (xhr.status === 400) { else if (xhr.status === 400) {
@@ -72,11 +78,6 @@ class PasswordChange extends React.Component {
//send the XHR //send the XHR
xhr.open('POST', form.action, true); xhr.open('POST', form.action, true);
xhr.send(formData); xhr.send(formData);
//DEBUGGING
if (this.props.onSubmit) {
this.props.onSubmit();
}
} }
validateInput(e) { validateInput(e) {
@@ -122,7 +123,8 @@ class PasswordChange extends React.Component {
function mapStoreToProps(store) { function mapStoreToProps(store) {
return { return {
email: store.account.email email: store.account.email,
token: store.account.token
} }
} }
src/components/panels/signup.jsx
+45 -16
View File
@@ -26,7 +26,7 @@ export default class Signup extends React.Component {
<p>{this.state.warning}</p> <p>{this.state.warning}</p>
</div> </div>
<form action='/signup' method='post' onSubmit={(e) => this.validateInput(e)}> <form action='/signup' method='post' onSubmit={(e) => this.submit(e)}>
<div> <div>
<label>Email:</label> <label>Email:</label>
<input type='text' name='email' value={this.state.email} onChange={this.updateEmail.bind(this)} /> <input type='text' name='email' value={this.state.email} onChange={this.updateEmail.bind(this)} />
@@ -53,31 +53,60 @@ export default class Signup extends React.Component {
); );
} }
validateInput(e) { submit(e) {
e.preventDefault();
if (!this.validateInput()) {
return;
}
//build the XHR
let form = e.target;
let formData = new FormData(form);
let xhr = new XMLHttpRequest();
xhr.onreadystatechange = () => {
if (xhr.readyState === 4) {
if (xhr.status === 200) {
if (this.props.onSignup) {
this.props.onSignup(xhr.responseText);
}
}
else if (xhr.status === 400) {
this.setWarning(xhr.responseText);
}
}
};
//send the XHR
xhr.open('POST', form.action, true);
xhr.send(formData);
}
validateInput() {
if (!validateEmail(this.state.email)) { if (!validateEmail(this.state.email)) {
e.preventDefault();
this.setWarning('Invalid Email'); this.setWarning('Invalid Email');
return false;
} }
if (this.state.username.length < 4) {
else if (this.state.username.length < 4) {
e.preventDefault();
this.setWarning('Minimum username length is 4 characters'); this.setWarning('Minimum username length is 4 characters');
return false;
} }
if (this.state.username.length > 100) {
else if (this.state.username.length > 100) {
e.preventDefault();
this.setWarning('Maximum username length is 100 characters'); this.setWarning('Maximum username length is 100 characters');
return false;
} }
if (this.state.password.length < 8) {
else if (this.state.password.length < 8) {
e.preventDefault();
this.setWarning('Minimum password length is 8 characters'); this.setWarning('Minimum password length is 8 characters');
return false;
}
if (this.state.password !== this.state.retype) {
this.setWarning('Passwords do not match');
return false;
} }
else if (this.state.password !== this.state.retype) { return true;
e.preventDefault();
this.setWarning('Passwords do not match');
}
} }
setWarning(s) { setWarning(s) {