diff --git a/config.example.json b/config.example.json
index 00ad4a1..5cdac66 100644
--- a/config.example.json
+++ b/config.example.json
@@ -11,5 +11,12 @@
"database": "canopy",
"user": "canopy",
"pass": "CHANGE_ME"
+ },
+ "mail":{
+ "host": "mail.42069.weed",
+ "port": 465,
+ "secure": true,
+ "address": "toke@42069.weed",
+ "pass": "CHANGE_ME"
}
}
\ No newline at end of file
diff --git a/package.json b/package.json
index 542ebd2..01ab99a 100644
--- a/package.json
+++ b/package.json
@@ -14,6 +14,7 @@
"express-validator": "^7.2.0",
"mongoose": "^8.4.3",
"node-cron": "^3.0.3",
+ "nodemailer": "^6.9.16",
"socket.io": "^4.8.1"
},
"scripts": {
diff --git a/src/controllers/api/account/passwordResetController.js b/src/controllers/api/account/passwordResetController.js
index 5bae3ed..771afbf 100644
--- a/src/controllers/api/account/passwordResetController.js
+++ b/src/controllers/api/account/passwordResetController.js
@@ -14,18 +14,16 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see .*/
-//Config
-const config = require('../../../../config.json');
-
//NPM Imports
const {validationResult, matchedData} = require('express-validator');
//local imports
const passwordResetModel = require('../../../schemas/passwordResetSchema');
-const altchaUtils = require('../../../utils/altchaUtils');
const sessionUtils = require('../../../utils/sessionUtils');
+const altchaUtils = require('../../../utils/altchaUtils');
const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+//gateway for resetting password
module.exports.post = async function(req, res){
try{
//Check for validation errors
diff --git a/src/controllers/api/account/passwordResetRequestController.js b/src/controllers/api/account/passwordResetRequestController.js
new file mode 100644
index 0000000..eced020
--- /dev/null
+++ b/src/controllers/api/account/passwordResetRequestController.js
@@ -0,0 +1,88 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024 Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .*/
+
+//Config
+const config = require('../../../../config.json');
+
+//NPM Imports
+const {validationResult, matchedData} = require('express-validator');
+
+//local imports
+const {userModel} = require('../../../schemas/userSchema');
+const passwordResetModel = require('../../../schemas/passwordResetSchema');
+const mailUtils = require('../../../utils/mailUtils');
+const altchaUtils = require('../../../utils/altchaUtils');
+const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+
+//Gateway for generating request token and having it emailed to the user
+module.exports.post = async function(req, res){
+ try{
+ //Check for validation errors
+ const validResult = validationResult(req);
+
+ //If there are none
+ if(validResult.isEmpty()){
+ //Get sanatized/validated data
+ const {user} = matchedData(req);
+ //Verify Altcha Payload
+ const verified = await altchaUtils.verify(req.body.verification);
+
+ //If altcha verification failed
+ if(!verified){
+ return errorHandler(res, 'Altcha verification failed, Please refresh the page!', 'unauthorized');
+ }
+
+ //Play dumb, don't let them know how long this request takes or what happens.
+ res.sendStatus(200);
+
+ //Find user model from DB
+ const userDB = await userModel.findOne({user});
+
+ //If we have an invalid user
+ if(userDB == null){
+ return;
+ }
+
+ //If this user has no registered email
+ if(userDB.email == null || userDB.email == ""){
+ //Play dumb
+ return;
+ }
+
+ //Generate the password reset link
+ const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: req.ip});
+
+ //Send the reset url via email
+ const mailInfo = await mailUtils.mailem(
+ userDB.email,
+ `Password Reset Request - ${userDB.user}`,
+ `Password Reset Request
+ A password reset request for the ${config.instanceName} account '${userDB.user}' has been requested.
+ Click here to reset your password.
+ If you received this email without request, please contact the server adminsitrator! -Tokebot`,
+ true
+ );
+
+ //Wash our hands of the request
+ return;
+ }else{
+ res.status(400);
+ return res.send({errors: validResult.array()});
+ }
+ }catch(err){
+ return exceptionHandler(res, err);
+ }
+}
\ No newline at end of file
diff --git a/src/controllers/api/admin/passwordResetController.js b/src/controllers/api/admin/passwordResetController.js
index a49d1f3..2c5aa88 100644
--- a/src/controllers/api/admin/passwordResetController.js
+++ b/src/controllers/api/admin/passwordResetController.js
@@ -41,9 +41,9 @@ module.exports.post = async function(req, res){
}
//Generate the password reset link
- const requestDB = await passwordResetModel.create({user: userDB._id});
+ const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: req.ip});
- //send successful response
+ //send URL
res.status(200);
return res.send({url: requestDB.getResetURL()});
//otherwise scream
diff --git a/src/routers/api/accountRouter.js b/src/routers/api/accountRouter.js
index 5192dad..c16f6fd 100644
--- a/src/routers/api/accountRouter.js
+++ b/src/routers/api/accountRouter.js
@@ -24,6 +24,7 @@ const logoutController = require("../../controllers/api/account/logoutController
const registerController = require("../../controllers/api/account/registerController");
const updateController = require("../../controllers/api/account/updateController");
const rankEnumController = require("../../controllers/api/account/rankEnumController");
+const passwordResetRequestController = require("../../controllers/api/account/passwordResetRequestController");
const passwordResetController = require("../../controllers/api/account/passwordResetController");
const deleteController = require("../../controllers/api/account/deleteController");
@@ -31,28 +32,30 @@ const deleteController = require("../../controllers/api/account/deleteController
const router = Router();
//routing functions
+//login
router.post('/login', accountValidator.user(), accountValidator.pass(), loginController.post);
-
+//logout
router.get('/logout', logoutController.get);
-
-
+//register
router.post('/register', accountValidator.user(),
accountValidator.securePass(),
accountValidator.pass('passConfirm'),
accountValidator.email(), registerController.post);
-
+//update profile
router.post('/update', accountValidator.img(),
accountValidator.bio(),
accountValidator.signature(),
accountValidator.pass('passChange.oldPass'),
accountValidator.securePass('passChange.newPass'),
accountValidator.pass('passChange.confirmPass'), updateController.post);
-
+//rankEnum
//This might seem silly, but it allows us to cleanly get the current rank list to compare against, without storing it in multiple places
router.get('/rankEnum', rankEnumController.get);
-
-router.post('/passwordReset', accountValidator.securityToken(), accountValidator.securePass(), accountValidator.pass('confirmPass'), passwordResetController.post)
-
+//password reset request
+router.post('/passwordResetRequest', accountValidator.user(), passwordResetRequestController.post);
+//password reset
+router.post('/passwordReset', accountValidator.securityToken(), accountValidator.securePass(), accountValidator.pass('confirmPass'), passwordResetController.post);
+//account deletion
router.post('/delete', accountValidator.pass(), deleteController.post);
module.exports = router;
\ No newline at end of file
diff --git a/src/schemas/passwordResetSchema.js b/src/schemas/passwordResetSchema.js
index c4dfdf7..d6e076a 100644
--- a/src/schemas/passwordResetSchema.js
+++ b/src/schemas/passwordResetSchema.js
@@ -26,6 +26,9 @@ const crypto = require("node:crypto");
//NPM Imports
const {mongoose} = require('mongoose');
+//Local Imports
+const hashUtil = require('../utils/hashUtils');
+
const daysToExpire = 7;
const passwordResetSchema = new mongoose.Schema({
@@ -40,19 +43,35 @@ const passwordResetSchema = new mongoose.Schema({
//Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our reset token
default: ()=>{return crypto.randomBytes(16).toString('hex')}
},
+ ipHash: {
+ type: mongoose.SchemaTypes.String,
+ required: true
+ },
date: {
-
type: mongoose.SchemaTypes.Date,
required: true,
default: new Date()
}
});
+
+//Presave function
+passwordResetSchema.pre('save', async function (next){
+ //If we're saving an ip
+ if(this.isModified('ipHash')){
+ //Hash that sunnuvabitch
+ this.ipHash = hashUtil.hashIP(this.ipHash);
+ }
+
+ next();
+});
+
//statics
passwordResetSchema.statics.processExpiredRequests = async function(){
//Pull all requests from the DB
const requestDB = await this.find({});
+ //Fire em all off at once without waiting for the last one to complete since we don't fuckin' need to
requestDB.forEach(async (request) => {
//If the request hasn't been processed and it's been expired
if(request.getDaysUntilExpiration() <= 0){
@@ -97,11 +116,11 @@ passwordResetSchema.methods.getResetURL = function(){
}
passwordResetSchema.methods.getDaysUntilExpiration = function(){
- //Get ban date
+ //Get request date
const expirationDate = new Date(this.date);
//Get expiration days and calculate expiration date
expirationDate.setDate(expirationDate.getDate() + daysToExpire);
- //Calculate and return days until ban expiration
+ //Calculate and return days until request expiration
return ((expirationDate - new Date()) / (1000 * 60 * 60 * 24)).toFixed(1);
}
diff --git a/src/schemas/userSchema.js b/src/schemas/userSchema.js
index 7e33b5d..4019baa 100644
--- a/src/schemas/userSchema.js
+++ b/src/schemas/userSchema.js
@@ -14,10 +14,6 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see .*/
-
-//Built-In Imports
-const crypto = require('node:crypto');
-
//NPM Imports
const {mongoose} = require('mongoose');
@@ -515,14 +511,8 @@ userSchema.methods.deleteEmote = async function(name){
}
userSchema.methods.tattooIPRecord = async function(ip){
- //Create hash
- const hashObj = crypto.createHash('md5');
-
- //add IP to the hash
- hashObj.update(ip);
-
- //Store the IP hash as a string
- const ipHash = hashObj.digest('hex');
+ //Hash the users ip
+ const ipHash = hashUtil.hashIP(ip);
//Look for a pre-existing entry for this ipHash
const foundIndex = this.recentIPs.findIndex(checkHash);
diff --git a/src/utils/hashUtils.js b/src/utils/hashUtils.js
index 79f6709..bac9bb8 100644
--- a/src/utils/hashUtils.js
+++ b/src/utils/hashUtils.js
@@ -14,6 +14,10 @@ GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see .*/
+//Node Imports
+const crypto = require('node:crypto');
+
+//NPM Imports
const bcrypt = require('bcrypt');
module.exports.hashPassword = function(pass){
@@ -23,4 +27,15 @@ module.exports.hashPassword = function(pass){
module.exports.comparePassword = function(pass, hash){
return bcrypt.compareSync(pass, hash);
+}
+
+module.exports.hashIP = function(ip){
+ //Create hash object
+ const hashObj = crypto.createHash('md5');
+
+ //add IP to the hash
+ hashObj.update(ip);
+
+ //return the IP hash as a string
+ return hashObj.digest('hex');
}
\ No newline at end of file
diff --git a/src/utils/mailUtils.js b/src/utils/mailUtils.js
new file mode 100644
index 0000000..78026b0
--- /dev/null
+++ b/src/utils/mailUtils.js
@@ -0,0 +1,57 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024 Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .*/
+
+//Config
+const config = require('../../config.json');
+
+//NPM imports
+const nodeMailer = require("nodemailer");
+
+//Setup mail transport
+const transporter = nodeMailer.createTransport({
+ host: config.mail.host,
+ port: config.mail.port,
+ secure: config.mail.secure,
+ auth: {
+ user: config.mail.address,
+ pass: config.mail.pass
+ }
+});
+
+module.exports.mailem = async function(to, subject, body, htmlBody = false){
+ //Create mail object
+ const mailObj = {
+ from: `"Tokebot🤖💨"<${config.mail.address}>`,
+ to,
+ subject
+ };
+
+ //If we're sending HTML
+ if(htmlBody){
+ //set body as html
+ mailObj.html = body;
+ //If we're sending plaintext
+ }else{
+ //Set body as plaintext
+ mailObj.text = body
+ }
+
+ //Send mail based on mail object
+ const sentMail = await transporter.sendMail(mailObj);
+
+ //return the mail info
+ return sentMail;
+}
\ No newline at end of file
diff --git a/www/js/passwordReset.js b/www/js/passwordReset.js
index 7d67c27..da6109a 100644
--- a/www/js/passwordReset.js
+++ b/www/js/passwordReset.js
@@ -54,7 +54,7 @@ class registerPrompt{
this.verification = event.detail.payload;
}
- register(){
+ async register(){
//If altcha verification isn't complete
if(this.verification == null){
//don't bother
@@ -63,7 +63,7 @@ class registerPrompt{
//If we're initiating a password change request
if(this.initiating){
-
+ await utils.ajax.requestPasswordReset(this.user.value, this.verification);
//If we're completing a password change
}else{
//if the confirmation password doesn't match
@@ -74,7 +74,7 @@ class registerPrompt{
}
//Send the registration informaiton off to the server
- utils.ajax.resetPassword(this.token , this.pass.value , this.passConfirm.value , this.verification);
+ await utils.ajax.resetPassword(this.token , this.pass.value , this.passConfirm.value , this.verification);
}
}
}
diff --git a/www/js/register.js b/www/js/register.js
index 1ed53dd..fa56868 100644
--- a/www/js/register.js
+++ b/www/js/register.js
@@ -66,4 +66,4 @@ class registerPrompt{
}
}
-const registerForm = new resetPrompt();
\ No newline at end of file
+const registerForm = new registerPrompt();
\ No newline at end of file
diff --git a/www/js/utils.js b/www/js/utils.js
index eb042bb..9b7c69c 100644
--- a/www/js/utils.js
+++ b/www/js/utils.js
@@ -481,6 +481,27 @@ class canopyAjaxUtils{
}
}
+ async requestPasswordReset(user, verification){
+ const response = await fetch(`/api/account/passwordResetRequest`,{
+ method: "POST",
+ headers: {
+ "Content-Type": "application/json"
+ },
+ body: JSON.stringify({user, verification})
+ });
+
+ //If we received a successful response
+ if(response.status == 200){
+ //Create pop-up
+ const popup = new canopyUXUtils.popup("A password reset link has been sent to the email associated with the account requested assuming it has one!");
+ //Go to home-page on pop-up closure
+ popup.popupDiv.addEventListener("close", ()=>{window.location = '/'});
+ //Otherwise
+ }else{
+ utils.ux.displayResponseError(await response.json());
+ }
+ }
+
async resetPassword(token, pass, confirmPass, verification){
const response = await fetch(`/api/account/passwordReset`,{
method: "POST",
@@ -493,7 +514,7 @@ class canopyAjaxUtils{
//If we received a successful response
if(response.status == 200){
//Create pop-up
- const popup = new canopyUXUtils.popup("Your password has been reset!");
+ const popup = new canopyUXUtils.popup("Your password has been reset, and all devices have been logged out of your account!");
//Go to home-page on pop-up closure
popup.popupDiv.addEventListener("close", ()=>{window.location = '/'});
//Otherwise