Working on password recovery

2021-07-28 23:02:04 +10:00
parent 72b3babfd8
commit 81da8ca422
9 changed files with 224 additions and 1 deletions
@@ -1,5 +1,6 @@
 WEB_PROTOCOL=http
 WEB_ADDRESS=localhost
 WEB_RESET_ADDRESS=localhost/reset
 WEB_PORT=3200
 DB_HOSTNAME=database
@@ -83,4 +83,28 @@ Content-Type: application/json
 {
 	"password": "helloworld"
 }
 //DOCS: Send the link to recover a forgotten password
 POST /auth/recover
 Content-Type: application/json
 {
 	"email": "kayneruse@gmail.com"
 }
 //DOCS: Redirect the link to recover a password to the front-end
 GET /auth/reset?token=<token>
 //Result
 301 -> ${WEB_RESET_ADDRESS}?email=<email>&token=<token>
 //DOCS: Resets a password for the given email, correct token is required
 PATCH /auth/reset?email=<email>&token=<token>
 {
 	"password": "password"
 }
 ```
@@ -30,6 +30,7 @@ const question = (prompt, def = null) => {
 	//project configuration
 	const appName = await question('App Name', 'auth');
 	const appWebAddress = await question('Web Addr', `${appName}.example.com`);
 	const resetAddress = await question('Reset Addr', `example.com/reset`);
 	const appPort = await question('App Port', '3200');
 	const appDBUser = await question('DB User', appName);
@@ -69,6 +70,7 @@ services:
    environment:
      - WEB_PROTOCOL=https
      - WEB_ADDRESS=${appWebAddress}
 	  - WEB_RESET_ADDRESS=${resetAddress}
      - WEB_PORT=${appPort}
      - DB_HOSTNAME=database
      - DB_DATABASE=${appName}
@@ -14,6 +14,11 @@ router.post('/login', require('./login'));
 //refresh token
 router.post('/token', require('./token'));
 //password recover and reset
 router.post('/recover', require('./password-recover'));
 router.get('/reset', require('./password-redirect'));
 router.patch('/reset', require('./password-reset'));
 //middleware
 router.use(tokenAuth);
@@ -0,0 +1,106 @@
 //libraries
 const nodemailer = require('nodemailer');
 const { accounts, recovery } = require('../database/models');
 //utilities
 const uuid = require('../utilities/uuid');
 const validateEmail = require('../utilities/validate-email');
 //auth/recover
 const route = async (req, res) => {
 	//validate details
 	const validateErr = await validateDetails(req.body);
 	if (validateErr) {
 		return res.status(401).end(validateErr);
 	}
 	//recovery token
 	const token = uuid(32);
 	//send the recovery email
 	const emailErr = await sendRecoveryEmail(req.body.email, token);
 	if (emailErr) {
 		return res.status(500).send(emailErr);
 	}
 	//save the token
 	recovery.upsert({
 		email: req.body.email,
 		token: token
 	});
 	//finally
 	res.status(200).send("Validation email sent!");
 	return null;
 };
 const validateDetails = async (body) => {
 	//basic formatting
 	if (!validateEmail(body.email)) {
 		return 'Invalid email';
 	}
 	//check for existing email
 	const emailRecord = await accounts.findOne({
 		where: {
 			email: body.email
 		}
 	});
 	if (!emailRecord) {
 		return 'Invalid email';
 	}
 	//OK
 	return null;
 };
 const sendRecoveryEmail = async (email, token) => {
 	const addr = `${process.env.WEB_PROTOCOL}://${process.env.WEB_ADDRESS}/auth/validation?token=${token}`;
 	const msg = `Hello,
 Please visit the following link to reset your password: ${addr}
 If you did not request a password reset, you can safely ignore this message.
 `;
 	let transporter, info;
 	//what exactly is a transport?
 	try {
 		transporter = nodemailer.createTransport({
 			host: process.env.MAIL_SMTP,
 			port: 465,
 			secure: true,
 			auth: {
 			  user: process.env.MAIL_USERNAME,
 			  pass: process.env.MAIL_PASSWORD
 			},
 		});
 	}
 	catch(e) {
 		return `failed to create a mail transport: ${e}`;
 	}
 	// send mail with defined transport object
 	try {
 		info = await transporter.sendMail({
 			from: `recovery@${process.env.WEB_ADDRESS}`, //WARNING: google overwrites this
 			to: email,
 			subject: 'Password Recovery',
 			text: msg
 		});
 	}
 	catch(e) {
 		return `failed to send validation mail: ${e}`;
 	}
 	if (info.accepted[0] != email) {
 		return 'recovery email failed to send';
 	}
 	return null;
 };
 module.exports = route;
@@ -0,0 +1,19 @@
 const { accounts, recovery } = require('../database/models');
 //auth/reset
 const route = async (req, res) => {
 	//verify the recovery record exists
 	const record = recovery.findOne({
 		token: req.query.token
 	});
 	if (!record) {
 		return res.status(401).end('Failed to recover a password');
 	}
 	//redirect to the front-end
 	res.redirect(`${process.env.WEB_PROTOCOL}${process.env.WEB_RESET_ADDRESS}?email=${record.email}&token=${record.token}`);
 	return null;
 };
 module.exports = route;
@@ -0,0 +1,59 @@
 //libraries
 const bcrypt = require('bcryptjs');
 const { accounts, recovery } = require('../database/models');
 //auth/reset
 const route = async (req, res) => {
 	//validate the given details
 	const validateErr = await validateDetails(req.query, req.body);
 	if (validateErr) {
 		return res.status(401).send(validateErr);
 	}
 	//generate the password hash
 	const hash = await bcrypt.hash(req.body.password, await bcrypt.genSalt(11));
 	//update the account data
 	accounts.update({
 		hash: hash
 	}, {
 		where: {
 			email: req.query.email
 		}
 	})
 	//delete from the recovery table
 	recovery.destroy({
 		where: {
 			email: req.query.email
 		}
 	});
 	return null;
 };
 const validateDetails = async (query, body) => {
 	//verify the recovery record exists
 	const record = recovery.findOne({
 		email: query.email,
 		token: query.token
 	});
 	if (!record) {
 		return 'Failed to recover a password';
 	}
 	//validate password
 	if (!body.password) {
 		return 'Missing password';
 	}
 	if (body.password.length < 8) {
 		return 'Password too short';
 	}
 	return null;
 };
 module.exports = route;
@@ -1,5 +1,6 @@
 module.exports = {
 	tokens: require('./tokens'),
 	accounts: require('./accounts'),
-	pendingSignups: require('./pending-signups')
+	pendingSignups: require('./pending-signups'),
 	recovery: require('./recovery')
 };
@@ -0,0 +1,6 @@
 const sequelize = require('..');
 module.exports = sequelize.define('recovery', {
 	token: 'varchar(320)',
 	email: 'varchar(320)'
 });