Skip to content

Commit

Permalink
Add a POST flow to password recovery (#871)
Browse files Browse the repository at this point in the history
  • Loading branch information
calzoneman committed Aug 20, 2021
1 parent d563a85 commit edb5f94
Show file tree
Hide file tree
Showing 3 changed files with 45 additions and 3 deletions.
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"author": "Calvin Montgomery",
"name": "CyTube",
"description": "Online media synchronizer and chat",
"version": "3.82.1",
"version": "3.82.2",
"repository": {
"url": "http://github.com/calzoneman/sync"
},
Expand Down
43 changes: 41 additions & 2 deletions src/web/account.js
Original file line number Diff line number Diff line change
Expand Up @@ -631,7 +631,45 @@ function handlePasswordReset(req, res) {
/**
* Handles a request for /account/passwordrecover/<hash>
*/
function handlePasswordRecover(req, res) {
function handleGetPasswordRecover(req, res) {
var hash = req.params.hash;
if (typeof hash !== "string") {
res.send(400);
return;
}

var ip = req.realIP;

db.lookupPasswordReset(hash, function (err, row) {
if (err) {
sendPug(res, "account-passwordrecover", {
recovered: false,
recoverErr: err
});
return;
}

if (Date.now() >= row.expire) {
sendPug(res, "account-passwordrecover", {
recovered: false,
recoverErr: "This password recovery link has expired. Password " +
"recovery links are valid only for 24 hours after " +
"submission."
});
return;
}

sendPug(res, "account-passwordrecover", {
confirm: true,
recovered: false
});
});
}

/**
* Handles a POST request for /account/passwordrecover/<hash>
*/
function handlePostPasswordRecover(req, res) {
var hash = req.params.hash;
if (typeof hash !== "string") {
res.send(400);
Expand Down Expand Up @@ -703,7 +741,8 @@ module.exports = {
app.post("/account/profile", handleAccountProfile);
app.get("/account/passwordreset", handlePasswordResetPage);
app.post("/account/passwordreset", handlePasswordReset);
app.get("/account/passwordrecover/:hash", handlePasswordRecover);
app.get("/account/passwordrecover/:hash", handleGetPasswordRecover);
app.post("/account/passwordrecover/:hash", handlePostPasswordRecover);
app.get("/account", function (req, res) {
res.redirect("/login");
});
Expand Down
3 changes: 3 additions & 0 deletions templates/account-passwordrecover.pug
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ block content
.alert.alert-success.center.messagebox
strong Your password has been changed
p Your account has been assigned the temporary password <code>#{recoverPw}</code>. You may now use this password to log in and choose a new password by visiting the <a href="/account/edit">change password/email</a> page.
else if confirm
form(role="form", method="POST")
button.btn.btn-primary.btn-block(type="submit") Click here to reset password
else
.alert.alert-danger.center.messagebox
strong Password recovery failed
Expand Down

0 comments on commit edb5f94

Please sign in to comment.