Add a POST flow to password recovery (#871)

This commit is contained in:
Calvin Montgomery 2021-08-19 20:55:02 -07:00
parent d563a85092
commit edb5f94b7c
3 changed files with 45 additions and 3 deletions

View File

@ -2,7 +2,7 @@
"author": "Calvin Montgomery",
"name": "CyTube",
"description": "Online media synchronizer and chat",
"version": "3.82.1",
"version": "3.82.2",
"repository": {
"url": "http://github.com/calzoneman/sync"
},

View File

@ -631,7 +631,45 @@ function handlePasswordReset(req, res) {
/**
* Handles a request for /account/passwordrecover/<hash>
*/
function handlePasswordRecover(req, res) {
function handleGetPasswordRecover(req, res) {
var hash = req.params.hash;
if (typeof hash !== "string") {
res.send(400);
return;
}
var ip = req.realIP;
db.lookupPasswordReset(hash, function (err, row) {
if (err) {
sendPug(res, "account-passwordrecover", {
recovered: false,
recoverErr: err
});
return;
}
if (Date.now() >= row.expire) {
sendPug(res, "account-passwordrecover", {
recovered: false,
recoverErr: "This password recovery link has expired. Password " +
"recovery links are valid only for 24 hours after " +
"submission."
});
return;
}
sendPug(res, "account-passwordrecover", {
confirm: true,
recovered: false
});
});
}
/**
* Handles a POST request for /account/passwordrecover/<hash>
*/
function handlePostPasswordRecover(req, res) {
var hash = req.params.hash;
if (typeof hash !== "string") {
res.send(400);
@ -703,7 +741,8 @@ module.exports = {
app.post("/account/profile", handleAccountProfile);
app.get("/account/passwordreset", handlePasswordResetPage);
app.post("/account/passwordreset", handlePasswordReset);
app.get("/account/passwordrecover/:hash", handlePasswordRecover);
app.get("/account/passwordrecover/:hash", handleGetPasswordRecover);
app.post("/account/passwordrecover/:hash", handlePostPasswordRecover);
app.get("/account", function (req, res) {
res.redirect("/login");
});

View File

@ -7,6 +7,9 @@ block content
.alert.alert-success.center.messagebox
strong Your password has been changed
p Your account has been assigned the temporary password <code>#{recoverPw}</code>. You may now use this password to log in and choose a new password by visiting the <a href="/account/edit">change password/email</a> page.
else if confirm
form(role="form", method="POST")
button.btn.btn-primary.btn-block(type="submit") Click here to reset password
else
.alert.alert-danger.center.messagebox
strong Password recovery failed