Misc fixes for password reset

* Remove messaging about asking an administrator for help if no email
    is associated with the account (no longer correct or relevant)
  * Compare user-provided email with registered email case-insensitively
    (#755)
  * Replace antiquated hash generator with cryptographically secure
    random byte string generator
This commit is contained in:
Calvin Montgomery 2018-07-11 19:21:32 -07:00
parent 3db751b65f
commit db2361aee9
2 changed files with 69 additions and 53 deletions

View File

@ -2,7 +2,7 @@
"author": "Calvin Montgomery", "author": "Calvin Montgomery",
"name": "CyTube", "name": "CyTube",
"description": "Online media synchronizer and chat", "description": "Online media synchronizer and chat",
"version": "3.56.3", "version": "3.56.4",
"repository": { "repository": {
"url": "http://github.com/calzoneman/sync" "url": "http://github.com/calzoneman/sync"
}, },

View File

@ -13,6 +13,7 @@ var Config = require("../config");
var session = require("../session"); var session = require("../session");
var csrf = require("./csrf"); var csrf = require("./csrf");
const url = require("url"); const url = require("url");
import crypto from 'crypto';
const LOGGER = require('@calzoneman/jsli')('web/accounts'); const LOGGER = require('@calzoneman/jsli')('web/accounts');
@ -536,24 +537,38 @@ function handlePasswordReset(req, res) {
return; return;
} }
if (actualEmail !== email.trim()) { if (actualEmail === '') {
sendPug(res, "account-passwordreset", {
reset: false,
resetEmail: "",
resetErr: `Username ${name} cannot be recovered because it ` +
"doesn't have an email address associated with it."
});
return;
} else if (actualEmail.toLowerCase() !== email.trim().toLowerCase()) {
sendPug(res, "account-passwordreset", { sendPug(res, "account-passwordreset", {
reset: false, reset: false,
resetEmail: "", resetEmail: "",
resetErr: "Provided email does not match the email address on record for " + name resetErr: "Provided email does not match the email address on record for " + name
}); });
return; return;
} else if (actualEmail === "") { }
crypto.randomBytes(20, (err, bytes) => {
if (err) {
LOGGER.error(
'Could not generate random bytes for password reset: %s',
err.stack
);
sendPug(res, "account-passwordreset", { sendPug(res, "account-passwordreset", {
reset: false, reset: false,
resetEmail: "", resetEmail: email,
resetErr: name + " doesn't have an email address on record. Please contact an " + resetErr: "Internal error when generating password reset"
"administrator to manually reset your password."
}); });
return; return;
} }
var hash = $util.sha1($util.randomSalt(64)); var hash = bytes.toString('hex');
// 24-hour expiration // 24-hour expiration
var expire = Date.now() + 86400000; var expire = Date.now() + 86400000;
var ip = req.realIP; var ip = req.realIP;
@ -561,7 +576,7 @@ function handlePasswordReset(req, res) {
db.addPasswordReset({ db.addPasswordReset({
ip: ip, ip: ip,
name: name, name: name,
email: email, email: actualEmail,
hash: hash, hash: hash,
expire: expire expire: expire
}, function (err, _dbres) { }, function (err, _dbres) {
@ -610,6 +625,7 @@ function handlePasswordReset(req, res) {
}); });
}); });
}); });
});
} }
/** /**