${msg}${addr}
`; //send the verification email sendmail({ from: `signup@${process.env.WEB_ADDRESS}`, to: fields.email, subject: 'Email Verification', text: msg + addr, html: msgHtml }, (err, reply) => { //final check if (err) { res.write(`Something went wrong (did you use a valid email?)
${err}
`); res.end(); return; } res.status(200).write('Verification email sent!'); res.end(); }); }); }); }); }); }); } const verify = (connection) => (req, res) => { //get the saved data let query = 'SELECT email, username, salt, hash, verify FROM signups WHERE email = ?;'; connection.query(query, [req.query.email], (err, results) => { if (err) throw err; //correct number of results if (results.length != 1) { res.write('That account does not exist or this link has already been used.
'); res.end(); return; } //verify the link if (req.query.verify != results[0].verify) { res.write('Verification failed!
'); res.end(); return; } //move the data from signups to accounts let query = 'INSERT INTO accounts (email, username, salt, hash) VALUES (?, ?, ?, ?);'; connection.query(query, [results[0].email, results[0].username, results[0].salt, results[0].hash], (err) => { if (err) throw err; //delete from signups let query = 'DELETE FROM signups WHERE email = ?;'; connection.query(query, [results[0].email], (err) => { if (err) throw err; res.write('Verification succeeded!
'); res.end(); }); }); }); } const login = (connection) => (req, res) => { //formidable handles forms let form = formidable.IncomingForm(); //parse form form.parse(req, (err, fields) => { if (err) throw err; //validate email, username and password if (!validateEmail(fields.email) || fields.password.length < 8) { res.write('Invalid login data
'); res.end(); return; } //find this email's information let query = 'SELECT id, username, salt, hash FROM accounts WHERE email = ?;'; connection.query(query, [fields.email], (err, results) => { if (err) throw err; //found this email? if (results.length === 0) { res.status(400).write('Incorrect email or password'); res.end(); return; } //gen a new hash from the salt and password bcrypt.hash(fields.password, results[0].salt, (err, newHash) => { if (err) throw err; //compare the passwords if (results[0].hash !== newHash) { res.status(400).write('Incorrect email or password'); res.end(); return; } //create the new session let rand = Math.floor(Math.random() * 100000); let query = 'INSERT INTO sessions (accountId, token) VALUES (?, ?);'; connection.query(query, [results[0].id, rand], (err) => { if (err) throw err; //send json containing the account info res.status(200).json({ id: results[0].id, email: fields.email, username: results[0].username, token: rand }); }); }); }); }); } const logout = (connection) => (req, res) => { let query = 'DELETE FROM sessions WHERE sessions.accountId IN (SELECT accounts.id FROM accounts WHERE email = ?) AND token = ?;'; connection.query(query, [req.body.email, req.body.token], (err) => { if (err) throw err; }); res.end(); } const passwordChange = (connection) => (req, res) => { //formidable handles forms let form = formidable.IncomingForm(); //parse form form.parse(req, (err, fields) => { if (err) throw err; //validate password, retype if (!validateEmail(fields.email) || fields.password.length < 8 || fields.password !== fields.retype) { res.status(400).write('Invalid password change data'); res.end(); return; } //validate token query = 'SELECT sessions.token FROM sessions WHERE sessions.accountId IN (SELECT id FROM accounts WHERE email = ?);'; connection.query(query, [fields.email], (err, results) => { if (err) throw err; let found = false; results.map((result) => { if (result.token == fields.token) found = true; }); if (!found) { res.status(400).write('Invalid password change authentication'); res.end(); return; } //generate the new salt, hash bcrypt.genSalt(11, (err, salt) => { if (err) throw err; bcrypt.hash(fields.password, salt, (err, hash) => { if (err) throw err; let query = 'UPDATE accounts SET salt = ?, hash = ? WHERE email = ?;'; connection.query(query, [salt, hash, fields.email], (err) => { if (err) throw err; //clear all session data for this user (a 'feature') let query = 'DELETE FROM sessions WHERE sessions.accountId IN (SELECT accounts.id FROM accounts WHERE email = ?);'; connection.query(query, [fields.email], (err) => { if (err) throw err; //create the new session let rand = Math.floor(Math.random() * 100000); let query = 'INSERT INTO sessions (accountId, token) VALUES ((SELECT accounts.id FROM accounts WHERE email = ?), ?);'; connection.query(query, [fields.email, rand], (err) => { if (err) throw err; //send json containing the account info res.status(200).json({ token: rand }); }); }); }); }); }); }); }); } const passwordRecover = (connection) => (req, res) => { //formidable handles forms let form = formidable.IncomingForm(); //parse form form.parse(req, (err, fields) => { if (err) throw err; //validate email, username and password if (!validateEmail(fields.email)) { res.status(400).write('Invalid recover data'); res.end(); return; } //ensure that this email is registered to an account let query = 'SELECT accounts.id FROM accounts WHERE email = ?;'; connection.query(query, [fields.email], (err, results) => { if (err) throw err; if (results.length !== 1) { res.status(400).write('Invalid recover data (did you use a registered email?)'); res.end(); return; } //create the new recover record let rand = Math.floor(Math.random() * 100000); let query = 'REPLACE INTO passwordRecover (accountId, token) VALUES (?, ?)'; connection.query(query, [results[0].id, rand], (err) => { if (err) throw err; //build the recovery email let addr = `http://${process.env.WEB_ADDRESS}/passwordreset?email=${fields.email}&token=${rand}`; let msg = 'Hello! Please visit the following address to set a new password (if you didn\'t request a password recovery, ignore this email): '; let msgHtml = `${msg}${addr}
`; //prevent too many clicks if (isThrottled(fields.email)) { res.status(400).write('recover throttled'); res.end(); return; } throttle(fields.email); //send the verification email sendmail({ from: `passwordrecover@${process.env.WEB_ADDRESS}`, to: fields.email, subject: 'Password Recovery', text: msg + addr, html: msgHtml }, (err, reply) => { //final check if (err) { res.write(`Something went wrong (did you use a valid email?)
${err}`) res.end(); return; } res.status(200).write('Recovery email sent!'); res.end(); }); }); }); }); } const passwordReset = (connection) => (req, res) => { //formidable handles forms let form = formidable.IncomingForm(); //parse form form.parse(req, (err, fields) => { if (err) throw err; //validate email, username and password if (!validateEmail(fields.email) || fields.password.length < 8 || fields.password !== fields.retype) { res.status(400).write('Invalid reset data (invalid email/password)'); res.end(); return; } //get the account based on this email, token let query = 'SELECT * FROM accounts WHERE email = ? AND id IN (SELECT passwordRecover.accountId FROM passwordRecover WHERE token = ?);'; connection.query(query, [fields.email, fields.token], (err, results) => { if (err) throw err; //results should be only 1 account if (results.length !== 1) { res.status(400).write('Invalid reset data (incorrect parameters/database state)'); res.end(); return; } //generate the new salt, hash bcrypt.genSalt(11, (err, salt) => { if (err) throw err; bcrypt.hash(fields.password, salt, (err, hash) => { if (err) throw err; //update the salt, hash let query = 'UPDATE accounts SET salt = ?, hash = ? WHERE email = ?;'; connection.query(query, [salt, hash, fields.email], (err) => { if (err) throw err; //delete the recover request from the database let query = 'DELETE FROM passwordRecover WHERE accountId IN (SELECT id FROM accounts WHERE email = ?);'; connection.query(query, [fields.email], (err) => { if (err) throw err; res.status(200).write('Password updated!'); res.end(); return; }); }); }); }); }); }); } module.exports = { signup: signup, verify: verify, login: login, logout: logout, passwordChange: passwordChange, passwordRecover: passwordRecover, passwordReset: passwordReset };