mirror of https://github.com/calzoneman/sync.git
Misc fixes for password reset
* Remove messaging about asking an administrator for help if no email is associated with the account (no longer correct or relevant) * Compare user-provided email with registered email case-insensitively (#755) * Replace antiquated hash generator with cryptographically secure random byte string generator
This commit is contained in:
parent
3db751b65f
commit
db2361aee9
|
@ -2,7 +2,7 @@
|
|||
"author": "Calvin Montgomery",
|
||||
"name": "CyTube",
|
||||
"description": "Online media synchronizer and chat",
|
||||
"version": "3.56.3",
|
||||
"version": "3.56.4",
|
||||
"repository": {
|
||||
"url": "http://github.com/calzoneman/sync"
|
||||
},
|
||||
|
|
|
@ -13,6 +13,7 @@ var Config = require("../config");
|
|||
var session = require("../session");
|
||||
var csrf = require("./csrf");
|
||||
const url = require("url");
|
||||
import crypto from 'crypto';
|
||||
|
||||
const LOGGER = require('@calzoneman/jsli')('web/accounts');
|
||||
|
||||
|
@ -536,24 +537,38 @@ function handlePasswordReset(req, res) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (actualEmail !== email.trim()) {
|
||||
if (actualEmail === '') {
|
||||
sendPug(res, "account-passwordreset", {
|
||||
reset: false,
|
||||
resetEmail: "",
|
||||
resetErr: `Username ${name} cannot be recovered because it ` +
|
||||
"doesn't have an email address associated with it."
|
||||
});
|
||||
return;
|
||||
} else if (actualEmail.toLowerCase() !== email.trim().toLowerCase()) {
|
||||
sendPug(res, "account-passwordreset", {
|
||||
reset: false,
|
||||
resetEmail: "",
|
||||
resetErr: "Provided email does not match the email address on record for " + name
|
||||
});
|
||||
return;
|
||||
} else if (actualEmail === "") {
|
||||
}
|
||||
|
||||
crypto.randomBytes(20, (err, bytes) => {
|
||||
if (err) {
|
||||
LOGGER.error(
|
||||
'Could not generate random bytes for password reset: %s',
|
||||
err.stack
|
||||
);
|
||||
sendPug(res, "account-passwordreset", {
|
||||
reset: false,
|
||||
resetEmail: "",
|
||||
resetErr: name + " doesn't have an email address on record. Please contact an " +
|
||||
"administrator to manually reset your password."
|
||||
resetEmail: email,
|
||||
resetErr: "Internal error when generating password reset"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
var hash = $util.sha1($util.randomSalt(64));
|
||||
var hash = bytes.toString('hex');
|
||||
// 24-hour expiration
|
||||
var expire = Date.now() + 86400000;
|
||||
var ip = req.realIP;
|
||||
|
@ -561,7 +576,7 @@ function handlePasswordReset(req, res) {
|
|||
db.addPasswordReset({
|
||||
ip: ip,
|
||||
name: name,
|
||||
email: email,
|
||||
email: actualEmail,
|
||||
hash: hash,
|
||||
expire: expire
|
||||
}, function (err, _dbres) {
|
||||
|
@ -610,6 +625,7 @@ function handlePasswordReset(req, res) {
|
|||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
Loading…
Reference in New Issue