Add ability to reset our password

author: Chocobozzz <me@florianbigard.com> 2018-01-30 13:27:07 +0100
committer: Chocobozzz <me@florianbigard.com> 2018-01-30 13:27:07 +0100
commit: ecb4e35f4e6c7304cb274593c13cb47fd5078b75 (patch)
tree: 1e238002340bc521afde59d52f406e41298a7aac /server/middlewares/validators/users.ts
parent: 80d1057bfcd3582af0dacf5ccd5a7a93ef95410b (diff)
download: PeerTube-ecb4e35f4e6c7304cb274593c13cb47fd5078b75.tar.gz
PeerTube-ecb4e35f4e6c7304cb274593c13cb47fd5078b75.tar.zst
PeerTube-ecb4e35f4e6c7304cb274593c13cb47fd5078b75.zip
1 files changed, 78 insertions, 15 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index b6591c9e1..5f44c3b99 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -1,18 +1,25 @@
+import * as Bluebird from 'bluebird'
 import * as express from 'express'
 import 'express-validator'
 import { body, param } from 'express-validator/check'
+import { omit } from 'lodash'
 import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'
 import {
-  isAvatarFile, isUserAutoPlayVideoValid, isUserDisplayNSFWValid, isUserPasswordValid, isUserRoleValid, isUserUsernameValid,
+  isAvatarFile,
+  isUserAutoPlayVideoValid,
+  isUserDisplayNSFWValid,
+  isUserPasswordValid,
+  isUserRoleValid,
+  isUserUsernameValid,
  isUserVideoQuotaValid
 } from '../../helpers/custom-validators/users'
 import { isVideoExist } from '../../helpers/custom-validators/videos'
 import { logger } from '../../helpers/logger'
 import { isSignupAllowed } from '../../helpers/utils'
 import { CONSTRAINTS_FIELDS } from '../../initializers'
+import { Redis } from '../../lib/redis'
 import { UserModel } from '../../models/account/user'
 import { areValidationErrors } from './utils'
-import { omit } from 'lodash'
 const usersAddValidator = [
  body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),
@@ -167,6 +174,49 @@ const ensureUserRegistrationAllowed = [
  }
 ]
+const usersAskResetPasswordValidator = [
+  body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    logger.debug('Checking usersAskResetPassword parameters', { parameters: req.body })
+    if (areValidationErrors(req, res)) return
+    const exists = await checkUserEmailExist(req.body.email, res, false)
+    if (!exists) {
+      logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
+      // Do not leak our emails
+      return res.status(204).end()
+    }
+    return next()
+  }
+]
+const usersResetPasswordValidator = [
+  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
+  body('verificationString').not().isEmpty().withMessage('Should have a valid verification string'),
+  body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    logger.debug('Checking usersResetPassword parameters', { parameters: req.params })
+    if (areValidationErrors(req, res)) return
+    if (!await checkUserIdExist(req.params.id, res)) return
+    const user = res.locals.user as UserModel
+    const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)
+    if (redisVerificationString !== req.body.verificationString) {
+      return res
+        .status(403)
+        .send({ error: 'Invalid verification string.' })
+        .end
+    }
+    return next()
+  }
+]
 // ---------------------------------------------------------------------------
 export {
@@ -178,24 +228,19 @@ export {
  usersVideoRatingValidator,
  ensureUserRegistrationAllowed,
  usersGetValidator,
-  usersUpdateMyAvatarValidator
+  usersUpdateMyAvatarValidator,
+  usersAskResetPasswordValidator,
+  usersResetPasswordValidator
 }
 // ---------------------------------------------------------------------------
-async function checkUserIdExist (id: number, res: express.Response) {
+function checkUserIdExist (id: number, res: express.Response) {
-  const user = await UserModel.loadById(id)
+  return checkUserExist(() => UserModel.loadById(id), res)
+}
-  if (!user) {
-    res.status(404)
-              .send({ error: 'User not found' })
-              .end()
-    return false
-  }
-  res.locals.user = user
+function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
-  return true
+  return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
 }
 async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
@@ -210,3 +255,21 @@ async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email:
  return true
 }
+async function checkUserExist (finder: () => Bluebird<UserModel>, res: express.Response, abortResponse = true) {
+  const user = await finder()
+  if (!user) {
+    if (abortResponse === true) {
+      res.status(404)
+        .send({ error: 'User not found' })
+        .end()
+    }
+    return false
+  }
+  res.locals.user = user
+  return true
+}
author	Chocobozzz <me@florianbigard.com>	2018-01-30 13:27:07 +0100
committer	Chocobozzz <me@florianbigard.com>	2018-01-30 13:27:07 +0100
commit	ecb4e35f4e6c7304cb274593c13cb47fd5078b75 (patch)
tree	1e238002340bc521afde59d52f406e41298a7aac /server/middlewares/validators/users.ts
parent	80d1057bfcd3582af0dacf5ccd5a7a93ef95410b (diff)
download	PeerTube-ecb4e35f4e6c7304cb274593c13cb47fd5078b75.tar.gz PeerTube-ecb4e35f4e6c7304cb274593c13cb47fd5078b75.tar.zst PeerTube-ecb4e35f4e6c7304cb274593c13cb47fd5078b75.zip

diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index b6591c9e1..5f44c3b99 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts
@@ -1,18 +1,25 @@
		1	import * as Bluebird from 'bluebird'
1	import * as express from 'express'	2	import * as express from 'express'
2	import 'express-validator'	3	import 'express-validator'
3	import { body, param } from 'express-validator/check'	4	import { body, param } from 'express-validator/check'
		5	import { omit } from 'lodash'
4	import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'	6	import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'
5	import {	7	import {
6	isAvatarFile, isUserAutoPlayVideoValid, isUserDisplayNSFWValid, isUserPasswordValid, isUserRoleValid, isUserUsernameValid,	8	isAvatarFile,
		9	isUserAutoPlayVideoValid,
		10	isUserDisplayNSFWValid,
		11	isUserPasswordValid,
		12	isUserRoleValid,
		13	isUserUsernameValid,
7	isUserVideoQuotaValid	14	isUserVideoQuotaValid
8	} from '../../helpers/custom-validators/users'	15	} from '../../helpers/custom-validators/users'
9	import { isVideoExist } from '../../helpers/custom-validators/videos'	16	import { isVideoExist } from '../../helpers/custom-validators/videos'
10	import { logger } from '../../helpers/logger'	17	import { logger } from '../../helpers/logger'
11	import { isSignupAllowed } from '../../helpers/utils'	18	import { isSignupAllowed } from '../../helpers/utils'
12	import { CONSTRAINTS_FIELDS } from '../../initializers'	19	import { CONSTRAINTS_FIELDS } from '../../initializers'
		20	import { Redis } from '../../lib/redis'
13	import { UserModel } from '../../models/account/user'	21	import { UserModel } from '../../models/account/user'
14	import { areValidationErrors } from './utils'	22	import { areValidationErrors } from './utils'
15	import { omit } from 'lodash'
16		23
17	const usersAddValidator = [	24	const usersAddValidator = [
18	body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),	25	body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),
@@ -167,6 +174,49 @@ const ensureUserRegistrationAllowed = [
167	}	174	}
168	]	175	]
169		176
		177	const usersAskResetPasswordValidator = [
		178	body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),
		179
		180	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
		181	logger.debug('Checking usersAskResetPassword parameters', { parameters: req.body })
		182
		183	if (areValidationErrors(req, res)) return
		184	const exists = await checkUserEmailExist(req.body.email, res, false)
		185	if (!exists) {
		186	logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
		187	// Do not leak our emails
		188	return res.status(204).end()
		189	}
		190
		191	return next()
		192	}
		193	]
		194
		195	const usersResetPasswordValidator = [
		196	param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
		197	body('verificationString').not().isEmpty().withMessage('Should have a valid verification string'),
		198	body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
		199
		200	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
		201	logger.debug('Checking usersResetPassword parameters', { parameters: req.params })
		202
		203	if (areValidationErrors(req, res)) return
		204	if (!await checkUserIdExist(req.params.id, res)) return
		205
		206	const user = res.locals.user as UserModel
		207	const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)
		208
		209	if (redisVerificationString !== req.body.verificationString) {
		210	return res
		211	.status(403)
		212	.send({ error: 'Invalid verification string.' })
		213	.end
		214	}
		215
		216	return next()
		217	}
		218	]
		219
170	// ---------------------------------------------------------------------------	220	// ---------------------------------------------------------------------------
171		221
172	export {	222	export {
@@ -178,24 +228,19 @@ export {
178	usersVideoRatingValidator,	228	usersVideoRatingValidator,
179	ensureUserRegistrationAllowed,	229	ensureUserRegistrationAllowed,
180	usersGetValidator,	230	usersGetValidator,
181	usersUpdateMyAvatarValidator	231	usersUpdateMyAvatarValidator,
		232	usersAskResetPasswordValidator,
		233	usersResetPasswordValidator
182	}	234	}
183		235
184	// ---------------------------------------------------------------------------	236	// ---------------------------------------------------------------------------
185		237
186	async function checkUserIdExist (id: number, res: express.Response) {	238	function checkUserIdExist (id: number, res: express.Response) {
187	const user = await UserModel.loadById(id)	239	return checkUserExist(() => UserModel.loadById(id), res)
188		240	}
189	if (!user) {
190	res.status(404)
191	.send({ error: 'User not found' })
192	.end()
193
194	return false
195	}
196		241
197	res.locals.user = user	242	function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
198	return true	243	return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
199	}	244	}
200		245
201	async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {	246	async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
@@ -210,3 +255,21 @@ async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email:
210		255
211	return true	256	return true
212	}	257	}
		258
		259	async function checkUserExist (finder: () => Bluebird<UserModel>, res: express.Response, abortResponse = true) {
		260	const user = await finder()
		261
		262	if (!user) {
		263	if (abortResponse === true) {
		264	res.status(404)
		265	.send({ error: 'User not found' })
		266	.end()
		267	}
		268
		269	return false
		270	}
		271
		272	res.locals.user = user
		273
		274	return true
		275	}