2017-02-26 21:28:05 -07:00
/* jslint node: true */
'use strict';
2018-06-22 21:26:46 -06:00
// ENiGMA½
2022-06-05 14:04:25 -06:00
const Config = require('./config.js').get;
const Errors = require('./enig_error.js').Errors;
const getServer = require('./listening_server.js').getServer;
const webServerPackageName = require('./servers/content/web.js').moduleInfo.packageName;
const User = require('./user.js');
const userDb = require('./database.js').dbs.user;
2018-06-22 21:26:46 -06:00
const getISOTimestampString = require('./database.js').getISOTimestampString;
2022-06-05 14:04:25 -06:00
const Log = require('./logger.js').log;
const UserProps = require('./user_property.js');
2018-06-22 21:26:46 -06:00
// deps
2022-06-05 14:04:25 -06:00
const async = require('async');
const crypto = require('crypto');
const fs = require('graceful-fs');
const url = require('url');
const querystring = require('querystring');
const _ = require('lodash');
2019-06-11 21:20:34 -06:00
A password reset has been requested for your account on %BOARDNAME%.
2022-12-29 00:56:10 -07:00
2018-06-22 21:26:46 -06:00
* If this was not you, please ignore this email.
* Otherwise, follow this link: %RESET_URL%
2017-02-26 21:28:05 -07:00
function getWebServer() {
2018-06-21 23:15:04 -06:00
return getServer(webServerPackageName);
2017-02-26 21:28:05 -07:00
class WebPasswordReset {
2018-06-21 23:15:04 -06:00
static startup(cb) {
2022-06-05 14:04:25 -06:00
WebPasswordReset.registerRoutes(err => {
2018-06-21 23:15:04 -06:00
return cb(err);
static sendForgotPasswordEmail(username, cb) {
const webServer = getServer(webServerPackageName);
2022-06-05 14:04:25 -06:00
if (!webServer || !webServer.instance.isEnabled()) {
2018-06-21 23:15:04 -06:00
return cb(Errors.General('Web server is not enabled'));
function getEmailAddress(callback) {
2022-06-05 14:04:25 -06:00
if (!username) {
2018-06-21 23:15:04 -06:00
return callback(Errors.MissingParam('Missing "username"'));
User.getUserIdAndName(username, (err, userId) => {
2022-06-05 14:04:25 -06:00
if (err) {
2018-06-21 23:15:04 -06:00
return callback(err);
User.getUser(userId, (err, user) => {
2022-06-05 14:04:25 -06:00
if (err || !user.properties[UserProps.EmailAddress]) {
return callback(
'No email address associated with this user'
2018-06-21 23:15:04 -06:00
return callback(null, user);
function generateAndStoreResetToken(user, callback) {
2018-06-22 21:26:46 -06:00
// Reset "token" is simply HEX encoded cryptographically generated bytes
2018-06-21 23:15:04 -06:00
crypto.randomBytes(256, (err, token) => {
2022-06-05 14:04:25 -06:00
if (err) {
2018-06-21 23:15:04 -06:00
return callback(err);
token = token.toString('hex');
const newProperties = {
2022-06-05 14:04:25 -06:00
[UserProps.EmailPwResetToken]: token,
[UserProps.EmailPwResetTokenTs]: getISOTimestampString(),
2018-06-21 23:15:04 -06:00
2018-06-22 21:26:46 -06:00
// we simply place the reset token in the user's properties
2018-06-21 23:15:04 -06:00
user.persistProperties(newProperties, err => {
return callback(err, user);
function getEmailTemplates(user, callback) {
const config = Config();
2022-06-05 14:04:25 -06:00
(err, textTemplate) => {
if (err) {
2018-06-21 23:15:04 -06:00
2022-06-05 14:04:25 -06:00
(err, htmlTemplate) => {
return callback(
2018-06-21 23:15:04 -06:00
function buildAndSendEmail(user, textTemplate, htmlTemplate, callback) {
const sendMail = require('./email.js').sendMail;
2022-06-05 14:04:25 -06:00
const resetUrl = webServer.instance.buildUrl(
2022-12-29 00:56:10 -07:00
2022-06-05 14:04:25 -06:00
2018-06-21 23:15:04 -06:00
function replaceTokens(s) {
return s
2022-06-05 14:04:25 -06:00
.replace(/%BOARDNAME%/g, Config().general.boardName)
.replace(/%USERNAME%/g, user.username)
.replace(/%RESET_URL%/g, resetUrl);
2018-06-21 23:15:04 -06:00
textTemplate = replaceTokens(textTemplate);
2022-06-05 14:04:25 -06:00
if (htmlTemplate) {
2018-06-21 23:15:04 -06:00
htmlTemplate = replaceTokens(htmlTemplate);
const message = {
2022-06-05 14:04:25 -06:00
to: `${user.properties[UserProps.RealName] || user.username} <${
2018-06-22 21:26:46 -06:00
// from will be filled in
2022-06-05 14:04:25 -06:00
subject: 'Forgot Password',
text: textTemplate,
html: htmlTemplate,
2018-06-21 23:15:04 -06:00
sendMail(message, (err, info) => {
2022-06-05 14:04:25 -06:00
if (err) {
{ error: err.message },
'Failed sending password reset email'
2018-06-21 23:15:04 -06:00
} else {
2022-06-05 14:04:25 -06:00
{ info: info },
'Successfully sent password reset email'
2018-06-21 23:15:04 -06:00
return callback(err);
2022-06-05 14:04:25 -06:00
2018-06-21 23:15:04 -06:00
err => {
return cb(err);
static scheduleEvents(cb) {
2018-06-22 21:26:46 -06:00
// :TODO: schedule ~daily cleanup task
2018-06-21 23:15:04 -06:00
return cb(null);
static registerRoutes(cb) {
const webServer = getWebServer();
2022-06-05 14:04:25 -06:00
if (!webServer) {
return cb(null); // no webserver enabled
2018-06-21 23:15:04 -06:00
2022-06-05 14:04:25 -06:00
if (!webServer.instance.isEnabled()) {
return cb(null); // no error, but we're not serving web stuff
2018-06-21 23:15:04 -06:00
2018-06-22 21:26:46 -06:00
// this is the page displayed to user when they GET it
2022-06-05 14:04:25 -06:00
method: 'GET',
2022-12-29 00:56:10 -07:00
path: /^\/_internal\/reset_password\?token=[a-f0-9]+$/,
2022-06-05 14:04:25 -06:00
handler: WebPasswordReset.routeResetPasswordGet,
2018-06-21 23:15:04 -06:00
2018-06-22 21:26:46 -06:00
// POST handler for performing the actual reset
2018-06-21 23:15:04 -06:00
2022-06-05 14:04:25 -06:00
method: 'POST',
2022-12-29 00:56:10 -07:00
path: /^\/_internal\/reset_password$/,
2022-06-05 14:04:25 -06:00
handler: WebPasswordReset.routeResetPasswordPost,
2018-06-21 23:15:04 -06:00
].forEach(r => {
return cb(null);
static fileNotFound(webServer, resp) {
return webServer.instance.fileNotFound(resp);
static accessDenied(webServer, resp) {
return webServer.instance.accessDenied(resp);
static getUserByToken(token, cb) {
function validateToken(callback) {
2022-06-05 14:04:25 -06:00
(err, userIds) => {
if (userIds && userIds.length === 1) {
return callback(null, userIds[0]);
2018-06-21 23:15:04 -06:00
2022-06-05 14:04:25 -06:00
return callback(
Errors.Invalid('Invalid password reset token')
2018-06-21 23:15:04 -06:00
function getUser(userId, callback) {
User.getUser(userId, (err, user) => {
return callback(null, user);
(err, user) => {
return cb(err, user);
static routeResetPasswordGet(req, resp) {
2022-06-05 14:04:25 -06:00
const webServer = getWebServer(); // must be valid, we just got a req!
2018-06-21 23:15:04 -06:00
2022-06-05 14:04:25 -06:00
const urlParts = url.parse(req.url, true);
const token = urlParts.query && urlParts.query.token;
2018-06-21 23:15:04 -06:00
2022-06-05 14:04:25 -06:00
if (!token) {
2018-06-21 23:15:04 -06:00
return WebPasswordReset.accessDenied(webServer, resp);
WebPasswordReset.getUserByToken(token, (err, user) => {
2022-06-05 14:04:25 -06:00
if (err) {
2018-06-22 21:26:46 -06:00
// assume it's expired
2022-06-05 14:04:25 -06:00
return webServer.instance.respondWithError(
'Invalid or expired reset link.',
'Expired Link'
2018-06-21 23:15:04 -06:00
2022-12-29 00:56:10 -07:00
const postResetUrl = webServer.instance.buildUrl('/_internal/reset_password');
2018-06-21 23:15:04 -06:00
const config = Config();
return webServer.instance.routeTemplateFilePage(
(templateData, preprocessFinished) => {
const finalPage = templateData
2022-06-05 14:04:25 -06:00
.replace(/%BOARDNAME%/g, config.general.boardName)
.replace(/%USERNAME%/g, user.username)
.replace(/%TOKEN%/g, token)
.replace(/%RESET_URL%/g, postResetUrl);
2018-06-21 23:15:04 -06:00
return preprocessFinished(null, finalPage);
2017-02-26 21:28:05 -07:00
2018-06-21 23:15:04 -06:00
static routeResetPasswordPost(req, resp) {
2022-06-05 14:04:25 -06:00
const webServer = getWebServer(); // must be valid, we just got a req!
2017-02-26 21:28:05 -07:00
2018-06-21 23:15:04 -06:00
let bodyData = '';
req.on('data', data => {
bodyData += data;
2017-02-26 21:28:05 -07:00
2018-06-21 23:15:04 -06:00
function badRequest() {
2022-06-05 14:04:25 -06:00
return webServer.instance.respondWithError(
'Bad Request.',
'Bad Request'
2018-06-21 23:15:04 -06:00
2017-02-26 21:28:05 -07:00
2018-06-21 23:15:04 -06:00
req.on('end', () => {
const formData = querystring.parse(bodyData);
2017-02-26 21:28:05 -07:00
2018-06-21 23:15:04 -06:00
const config = Config();
2022-06-05 14:04:25 -06:00
if (
!formData.token ||
!formData.password ||
!formData.confirm_password ||
2018-06-22 21:26:46 -06:00
formData.password !== formData.confirm_password ||
2022-06-05 14:04:25 -06:00
formData.password.length < config.users.passwordMin ||
formData.password.length > config.users.passwordMax
) {
2018-06-21 23:15:04 -06:00
return badRequest();
WebPasswordReset.getUserByToken(formData.token, (err, user) => {
2022-06-05 14:04:25 -06:00
if (err) {
2018-06-21 23:15:04 -06:00
return badRequest();
user.setNewAuthCredentials(formData.password, err => {
2022-06-05 14:04:25 -06:00
if (err) {
2018-06-21 23:15:04 -06:00
return badRequest();
2018-06-22 21:26:46 -06:00
// delete assoc properties - no need to wait for completion
2022-06-05 14:04:25 -06:00
2018-11-22 23:07:37 -07:00
2022-06-05 14:04:25 -06:00
if (true === _.get(config, 'users.unlockAtEmailPwReset')) {
2018-11-23 11:44:46 -07:00
2022-06-05 14:04:25 -06:00
{ username: user.username, userId: user.userId },
2018-11-23 11:44:46 -07:00
'Remove any lock on account due to password reset policy'
2022-06-05 14:04:25 -06:00
user.unlockAccount(() => {
/* dummy */
2018-11-22 23:07:37 -07:00
2018-06-21 23:15:04 -06:00
return resp.end('Password changed successfully');
2017-02-26 21:28:05 -07:00
function performMaintenanceTask(args, cb) {
2018-06-21 23:15:04 -06:00
const forgotPassExpireTime = args[0] || '24 hours';
2017-02-26 21:28:05 -07:00
2018-06-22 21:26:46 -06:00
// remove all reset token associated properties older than |forgotPassExpireTime|
2018-06-21 23:15:04 -06:00
`DELETE FROM user_property
2018-06-22 21:26:46 -06:00
WHERE user_id IN (
SELECT user_id
FROM user_property
WHERE prop_name = "email_password_reset_token_ts"
AND DATETIME("now") >= DATETIME(prop_value, "+${forgotPassExpireTime}")
) AND prop_name IN ("email_password_reset_token_ts", "email_password_reset_token");`,
2018-06-21 23:15:04 -06:00
err => {
2022-06-05 14:04:25 -06:00
if (err) {
{ error: err.message },
'Failed deleting old email reset tokens'
2018-06-21 23:15:04 -06:00
return cb(err);
2017-02-26 21:28:05 -07:00
2022-06-05 14:04:25 -06:00
exports.WebPasswordReset = WebPasswordReset;
exports.performMaintenanceTask = performMaintenanceTask;