1 files changed, 94 insertions, 0 deletions
diff --git a/server/middlewares/validators/user-email-verification.ts b/server/middlewares/validators/user-email-verification.ts
new file mode 100644
index 000000000..74702a8f5
--- /dev/null
+++ b/server/middlewares/validators/user-email-verification.ts
@@ -0,0 +1,94 @@
+import express from 'express'
+import { body, param } from 'express-validator'
+import { toBooleanOrNull } from '@server/helpers/custom-validators/misc'
+import { HttpStatusCode } from '@shared/models'
+import { logger } from '../../helpers/logger'
+import { Redis } from '../../lib/redis'
+import { areValidationErrors, checkUserEmailExist, checkUserIdExist } from './shared'
+import { checkRegistrationEmailExist, checkRegistrationIdExist } from './shared/user-registrations'
+const usersAskSendVerifyEmailValidator = [
+  body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    const [ userExists, registrationExists ] = await Promise.all([
+      checkUserEmailExist(req.body.email, res, false),
+      checkRegistrationEmailExist(req.body.email, res, false)
+    ])
+    if (!userExists && !registrationExists) {
+      logger.debug('User or registration with email %s does not exist (asking verify email).', req.body.email)
+      // Do not leak our emails
+      return res.status(HttpStatusCode.NO_CONTENT_204).end()
+    }
+    if (res.locals.user?.pluginAuth) {
+      return res.fail({
+        status: HttpStatusCode.CONFLICT_409,
+        message: 'Cannot ask verification email of a user that uses a plugin authentication.'
+      })
+    }
+    return next()
+  }
+]
+const usersVerifyEmailValidator = [
+  param('id')
+    .isInt().not().isEmpty().withMessage('Should have a valid id'),
+  body('verificationString')
+    .not().isEmpty().withMessage('Should have a valid verification string'),
+  body('isPendingEmail')
+    .optional()
+    .customSanitizer(toBooleanOrNull),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    if (!await checkUserIdExist(req.params.id, res)) return
+    const user = res.locals.user
+    const redisVerificationString = await Redis.Instance.getUserVerifyEmailLink(user.id)
+    if (redisVerificationString !== req.body.verificationString) {
+      return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'Invalid verification string.' })
+    }
+    return next()
+  }
+]
+// ---------------------------------------------------------------------------
+const registrationVerifyEmailValidator = [
+  param('registrationId')
+    .isInt().not().isEmpty().withMessage('Should have a valid registrationId'),
+  body('verificationString')
+    .not().isEmpty().withMessage('Should have a valid verification string'),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    if (!await checkRegistrationIdExist(req.params.registrationId, res)) return
+    const registration = res.locals.userRegistration
+    const redisVerificationString = await Redis.Instance.getRegistrationVerifyEmailLink(registration.id)
+    if (redisVerificationString !== req.body.verificationString) {
+      return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'Invalid verification string.' })
+    }
+    return next()
+  }
+]
+// ---------------------------------------------------------------------------
+export {
+  usersAskSendVerifyEmailValidator,
+  usersVerifyEmailValidator,
+  registrationVerifyEmailValidator
+}

diff --git a/server/middlewares/validators/user-email-verification.ts b/server/middlewares/validators/user-email-verification.ts new file mode 100644 index 000000000..74702a8f5 --- /dev/null +++ b/server/middlewares/validators/user-email-verification.ts
@@ -0,0 +1,94 @@
	1	import express from 'express'
	2	import { body, param } from 'express-validator'
	3	import { toBooleanOrNull } from '@server/helpers/custom-validators/misc'
	4	import { HttpStatusCode } from '@shared/models'
	5	import { logger } from '../../helpers/logger'
	6	import { Redis } from '../../lib/redis'
	7	import { areValidationErrors, checkUserEmailExist, checkUserIdExist } from './shared'
	8	import { checkRegistrationEmailExist, checkRegistrationIdExist } from './shared/user-registrations'
	9
	10	const usersAskSendVerifyEmailValidator = [
	11	body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),
	12
	13	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	14	if (areValidationErrors(req, res)) return
	15
	16	const [ userExists, registrationExists ] = await Promise.all([
	17	checkUserEmailExist(req.body.email, res, false),
	18	checkRegistrationEmailExist(req.body.email, res, false)
	19	])
	20
	21	if (!userExists && !registrationExists) {
	22	logger.debug('User or registration with email %s does not exist (asking verify email).', req.body.email)
	23	// Do not leak our emails
	24	return res.status(HttpStatusCode.NO_CONTENT_204).end()
	25	}
	26
	27	if (res.locals.user?.pluginAuth) {
	28	return res.fail({
	29	status: HttpStatusCode.CONFLICT_409,
	30	message: 'Cannot ask verification email of a user that uses a plugin authentication.'
	31	})
	32	}
	33
	34	return next()
	35	}
	36	]
	37
	38	const usersVerifyEmailValidator = [
	39	param('id')
	40	.isInt().not().isEmpty().withMessage('Should have a valid id'),
	41
	42	body('verificationString')
	43	.not().isEmpty().withMessage('Should have a valid verification string'),
	44	body('isPendingEmail')
	45	.optional()
	46	.customSanitizer(toBooleanOrNull),
	47
	48	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	49	if (areValidationErrors(req, res)) return
	50	if (!await checkUserIdExist(req.params.id, res)) return
	51
	52	const user = res.locals.user
	53	const redisVerificationString = await Redis.Instance.getUserVerifyEmailLink(user.id)
	54
	55	if (redisVerificationString !== req.body.verificationString) {
	56	return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'Invalid verification string.' })
	57	}
	58
	59	return next()
	60	}
	61	]
	62
	63	// ---------------------------------------------------------------------------
	64
	65	const registrationVerifyEmailValidator = [
	66	param('registrationId')
	67	.isInt().not().isEmpty().withMessage('Should have a valid registrationId'),
	68
	69	body('verificationString')
	70	.not().isEmpty().withMessage('Should have a valid verification string'),
	71
	72	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	73	if (areValidationErrors(req, res)) return
	74	if (!await checkRegistrationIdExist(req.params.registrationId, res)) return
	75
	76	const registration = res.locals.userRegistration
	77	const redisVerificationString = await Redis.Instance.getRegistrationVerifyEmailLink(registration.id)
	78
	79	if (redisVerificationString !== req.body.verificationString) {
	80	return res.fail({ status: HttpStatusCode.FORBIDDEN_403, message: 'Invalid verification string.' })
	81	}
	82
	83	return next()
	84	}
	85	]
	86
	87	// ---------------------------------------------------------------------------
	88
	89	export {
	90	usersAskSendVerifyEmailValidator,
	91	usersVerifyEmailValidator,
	92
	93	registrationVerifyEmailValidator
	94	}