learn-javascript-the-hard-way
/
bandolier-template
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This is the template project that's checked out and configured when you run the bando-up command from ljsthw-bandolier. This is where the code really lives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16 Commits
1 Branch
1 Tag
7.0 MiB
Tag: Branch: Tree: 7c6c810efc
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7c6c810efc'
${ noResults }
bandolier-template/api/password_reset.js

69 lines
2.4 KiB
Raw Normal View History Unescape

Initial big commit that brings over all of the latest development from my sites. This will be refined and released soon, but right now I'm testing how it installs with ljsthw-bandolier's installer.
2 years ago
import { API } from "../lib/api.js";
import logging from "../lib/logging.js";
import assert from "assert";
import { User } from "../lib/models.js";
import { send_reset, send_reset_finished } from '../lib/queues.js';
import differenceInHours from 'date-fns/differenceInHours/index.js';
const rules_request = {
email: 'required|email',
}
const rules_finish = {
code: 'required',
password: 'required|same:password_repeat',
password_repeat: 'required',
}
const log = logging.create("/api/password_reset.js");
// this doesn't change so just do it here
const RESET_MAX = 10;
const RESET_HOURS_MAX = 10;
export const post = async (req, res) => {
const api = new API(req, res);
const finalize = req.body.finalize;
const rules = finalize ? rules_finish : rules_request
const form = api.validate(rules);
try {
if(!form._valid) {
// abort with errors
return api.validation_error(res, form);
} else {
assert(form._valid, "Form is invalid but shouldn't be.");
const { email } = form;
const user = await User.first({email});
if(!user) {
return api.error(400, "User with that email doesn't exist.");
} else if(finalize) {
const { code, password } = form;
if(user.reset_count > RESET_MAX) {
return api.error(400, "Too many reset attempts in a short time. Contact support to unlock your account.");
} else if(user.reset_code !== code.trim()) {
await User.update({id: user.id}, { reset_count: user.reset_count + 1 });
return api.error(400, "Reset code doesn't match.");
} else {
// SECURITY: encrypt the password here so that it's not left in the queue unencrypted
user.password = User.encrypt_password(password);
send_reset_finished(user, req.ip, req.headers['user-agent']);
return api.reply(200, {message: "OK"});
}
} else if(user.reset_sent_at && differenceInHours(Date.now(), user.reset_sent_at) < RESET_HOURS_MAX) {
return api.error(400, `Only one request every ${RESET_HOURS_MAX} hours allowed.`);
} else {
// new request, send out a code
const user_req = { email, id: user.id};
send_reset(user_req, req.ip, req.headers['user-agent']);
return api.reply(200, {message: "OK"});
}
}
} catch(error) {
log.error(error);
return api.error(500, "Internal Server Error");
}
}