Misc fixes for password reset

* Remove messaging about asking an administrator for help if no email is associated with the account (no longer correct or relevant) * Compare user-provided email with registered email case-insensitively (#755) * Replace antiquated hash generator with cryptographically secure random byte string generator
2018-07-11 19:21:32 -07:00 · 2018-07-11 19:21:32 -07:00 · db2361aee9
parent 3db751b65f
commit db2361aee9
2 changed files with 69 additions and 53 deletions
--- a/package.json
+++ b/package.json
@ -2,7 +2,7 @@
  "author": "Calvin Montgomery",
  "name": "CyTube",
  "description": "Online media synchronizer and chat",
-  "version": "3.56.3",
+  "version": "3.56.4",
  "repository": {
    "url": "http://github.com/calzoneman/sync"
  },
--- a/src/web/account.js
+++ b/src/web/account.js
@ -13,6 +13,7 @@ var Config = require("../config");
 var session = require("../session");
 var csrf = require("./csrf");
 const url = require("url");
+import crypto from 'crypto';

 const LOGGER = require('@calzoneman/jsli')('web/accounts');

@ -536,24 +537,38 @@ function handlePasswordReset(req, res) {
            return;
        }

-        if (actualEmail !== email.trim()) {
+        if (actualEmail === '') {
+            sendPug(res, "account-passwordreset", {
+                reset: false,
+                resetEmail: "",
+                resetErr: `Username ${name} cannot be recovered because it ` +
+                          "doesn't have an email address associated with it."
+            });
+            return;
+        } else if (actualEmail.toLowerCase() !== email.trim().toLowerCase()) {
            sendPug(res, "account-passwordreset", {
                reset: false,
                resetEmail: "",
                resetErr: "Provided email does not match the email address on record for " + name
            });
            return;
-        } else if (actualEmail === "") {
+        }
+
+        crypto.randomBytes(20, (err, bytes) => {
+            if (err) {
+                LOGGER.error(
+                    'Could not generate random bytes for password reset: %s',
+                    err.stack
+                );
                sendPug(res, "account-passwordreset", {
                    reset: false,
-                resetEmail: "",
-                resetErr: name + " doesn't have an email address on record.  Please contact an " +
-                          "administrator to manually reset your password."
+                    resetEmail: email,
+                    resetErr: "Internal error when generating password reset"
                });
                return;
            }

-        var hash = $util.sha1($util.randomSalt(64));
+            var hash = bytes.toString('hex');
            // 24-hour expiration
            var expire = Date.now() + 86400000;
            var ip = req.realIP;
@ -561,7 +576,7 @@ function handlePasswordReset(req, res) {
            db.addPasswordReset({
                ip: ip,
                name: name,
-            email: email,
+                email: actualEmail,
                hash: hash,
                expire: expire
            }, function (err, _dbres) {
@ -610,6 +625,7 @@ function handlePasswordReset(req, res) {
                });
            });
        });
+    });
 }

 /**