Finished up with email password reset system.

config.example.json

@@ -11,5 +11,12 @@
         "database": "canopy",
         "user": "canopy",
         "pass": "CHANGE_ME"
+    },
+    "mail":{
+        "host": "mail.42069.weed",
+        "port": 465,
+        "secure": true,
+        "address": "toke@42069.weed",
+        "pass": "CHANGE_ME"
     }
 }

package.json

@@ -14,6 +14,7 @@
     "express-validator": "^7.2.0",
     "mongoose": "^8.4.3",
     "node-cron": "^3.0.3",
+    "nodemailer": "^6.9.16",
     "socket.io": "^4.8.1"
   },
   "scripts": {

src/controllers/api/account/passwordResetController.js

@@ -14,18 +14,16 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
-//Config
-const config = require('../../../../config.json');
-
 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');
 
 //local imports
 const passwordResetModel = require('../../../schemas/passwordResetSchema');
-const altchaUtils = require('../../../utils/altchaUtils');
 const sessionUtils = require('../../../utils/sessionUtils');
+const altchaUtils = require('../../../utils/altchaUtils');
 const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
 
+//gateway for resetting password
 module.exports.post = async function(req, res){
     try{
         //Check for validation errors

src/controllers/api/account/passwordResetRequestController.js

@@ -0,0 +1,88 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//Config
+const config = require('../../../../config.json');
+
+//NPM Imports
+const {validationResult, matchedData} = require('express-validator');
+
+//local imports
+const {userModel} = require('../../../schemas/userSchema');
+const passwordResetModel = require('../../../schemas/passwordResetSchema');
+const mailUtils = require('../../../utils/mailUtils');
+const altchaUtils = require('../../../utils/altchaUtils');
+const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+
+//Gateway for generating request token and having it emailed to the user
+module.exports.post = async function(req, res){
+    try{
+        //Check for validation errors
+        const validResult = validationResult(req);
+
+        //If there are none
+        if(validResult.isEmpty()){
+            //Get sanatized/validated data
+            const {user} = matchedData(req);
+            //Verify Altcha Payload
+            const verified = await altchaUtils.verify(req.body.verification);
+
+            //If altcha verification failed
+            if(!verified){
+                return errorHandler(res, 'Altcha verification failed, Please refresh the page!', 'unauthorized');
+            }
+
+            //Play dumb, don't let them know how long this request takes or what happens.
+            res.sendStatus(200);
+
+            //Find user model from DB
+            const userDB = await userModel.findOne({user});
+
+            //If we have an invalid user
+            if(userDB == null){
+                return;
+            }
+
+            //If this user has no registered email
+            if(userDB.email == null || userDB.email == ""){
+                //Play dumb
+                return;
+            }
+
+            //Generate the password reset link
+            const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: req.ip});
+
+            //Send the reset url via email
+            const mailInfo = await mailUtils.mailem(
+                userDB.email,
+                `Password Reset Request - ${userDB.user}`,
+                `<h1>Password Reset Request</h1>
+                <p>A password reset request for the ${config.instanceName} account '${userDB.user}' has been requested.<br>
+                <a href="${requestDB.getResetURL()}">Click here</a> to reset your password.</p>
+                <sup>If you received this email without request, please contact the server adminsitrator! -Tokebot</sup>`,
+                true
+            );
+
+            //Wash our hands of the request
+            return;
+        }else{
+            res.status(400);
+            return res.send({errors: validResult.array()});
+        }
+    }catch(err){
+        return exceptionHandler(res, err);
+    }
+}

src/controllers/api/admin/passwordResetController.js

@@ -41,9 +41,9 @@ module.exports.post = async function(req, res){
             }
 
             //Generate the password reset link
-            const requestDB = await passwordResetModel.create({user: userDB._id});
+            const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: req.ip});
 
-            //send successful response
+            //send URL
             res.status(200);
             return res.send({url: requestDB.getResetURL()});
         //otherwise scream

src/routers/api/accountRouter.js

@@ -24,6 +24,7 @@ const logoutController = require("../../controllers/api/account/logoutController
 const registerController = require("../../controllers/api/account/registerController");
 const updateController = require("../../controllers/api/account/updateController");
 const rankEnumController = require("../../controllers/api/account/rankEnumController");
+const passwordResetRequestController = require("../../controllers/api/account/passwordResetRequestController");
 const passwordResetController = require("../../controllers/api/account/passwordResetController");
 const deleteController = require("../../controllers/api/account/deleteController");
 
@@ -31,28 +32,30 @@ const deleteController = require("../../controllers/api/account/deleteController
 const router = Router();
 
 //routing functions
+//login
 router.post('/login', accountValidator.user(), accountValidator.pass(), loginController.post);
-
+//logout
 router.get('/logout', logoutController.get);
-
-
+//register
 router.post('/register', accountValidator.user(),
     accountValidator.securePass(),
     accountValidator.pass('passConfirm'),
     accountValidator.email(), registerController.post);
-
+//update profile
 router.post('/update', accountValidator.img(),
     accountValidator.bio(),
     accountValidator.signature(),
     accountValidator.pass('passChange.oldPass'),
     accountValidator.securePass('passChange.newPass'),
     accountValidator.pass('passChange.confirmPass'), updateController.post);
-
+//rankEnum
 //This might seem silly, but it allows us to cleanly get the current rank list to compare against, without storing it in multiple places
 router.get('/rankEnum', rankEnumController.get);
-
-router.post('/passwordReset', accountValidator.securityToken(), accountValidator.securePass(), accountValidator.pass('confirmPass'), passwordResetController.post)
-
+//password reset request
+router.post('/passwordResetRequest', accountValidator.user(), passwordResetRequestController.post);
+//password reset
+router.post('/passwordReset', accountValidator.securityToken(), accountValidator.securePass(), accountValidator.pass('confirmPass'), passwordResetController.post);
+//account deletion
 router.post('/delete', accountValidator.pass(), deleteController.post);
 
 module.exports = router;

src/schemas/passwordResetSchema.js

@@ -26,6 +26,9 @@ const crypto = require("node:crypto");
 //NPM Imports
 const {mongoose} = require('mongoose');
 
+//Local Imports
+const hashUtil = require('../utils/hashUtils');
+
 const daysToExpire = 7;
 
 const passwordResetSchema = new mongoose.Schema({
@@ -40,19 +43,35 @@ const passwordResetSchema = new mongoose.Schema({
         //Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our reset token
         default: ()=>{return crypto.randomBytes(16).toString('hex')}
     },
+    ipHash: {
+        type: mongoose.SchemaTypes.String,
+        required: true
+    },
     date: {
-
         type: mongoose.SchemaTypes.Date,
         required: true,
         default: new Date()
     }
 });
 
+
+//Presave function
+passwordResetSchema.pre('save', async function (next){
+    //If we're saving an ip
+    if(this.isModified('ipHash')){
+        //Hash that sunnuvabitch
+        this.ipHash = hashUtil.hashIP(this.ipHash);
+    }
+
+    next();
+});
+
 //statics
 passwordResetSchema.statics.processExpiredRequests = async function(){
     //Pull all requests from the DB
     const requestDB = await this.find({});
 
+    //Fire em all off at once without waiting for the last one to complete since we don't fuckin' need to
     requestDB.forEach(async (request) => {
         //If the request hasn't been processed and it's been expired
         if(request.getDaysUntilExpiration() <= 0){
@@ -97,11 +116,11 @@ passwordResetSchema.methods.getResetURL = function(){
 }
 
 passwordResetSchema.methods.getDaysUntilExpiration = function(){
-        //Get ban date
+        //Get request date
         const expirationDate = new Date(this.date);
         //Get expiration days and calculate expiration date
         expirationDate.setDate(expirationDate.getDate() + daysToExpire);
-        //Calculate and return days until ban expiration
+        //Calculate and return days until request expiration
         return ((expirationDate - new Date()) / (1000 * 60 * 60 * 24)).toFixed(1);
 }
 

src/schemas/userSchema.js

@@ -14,10 +14,6 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
-
-//Built-In Imports
-const crypto = require('node:crypto');
-
 //NPM Imports
 const {mongoose} = require('mongoose');
 
@@ -515,14 +511,8 @@ userSchema.methods.deleteEmote = async function(name){
 }
 
 userSchema.methods.tattooIPRecord = async function(ip){
-    //Create hash
-    const hashObj = crypto.createHash('md5');
-
-    //add IP to the hash
-    hashObj.update(ip);
-
-    //Store the IP hash as a string
-    const ipHash = hashObj.digest('hex');
+    //Hash the users ip
+    const ipHash = hashUtil.hashIP(ip);
    
     //Look for a pre-existing entry for this ipHash
     const foundIndex = this.recentIPs.findIndex(checkHash);

src/utils/hashUtils.js

@@ -14,6 +14,10 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
+//Node Imports
+const crypto = require('node:crypto');
+
+//NPM Imports
 const bcrypt = require('bcrypt');
 
 module.exports.hashPassword = function(pass){
@@ -24,3 +28,14 @@ module.exports.hashPassword = function(pass){
 module.exports.comparePassword = function(pass, hash){
     return bcrypt.compareSync(pass, hash);
 }
+
+module.exports.hashIP = function(ip){
+    //Create hash object
+    const hashObj = crypto.createHash('md5');
+
+    //add IP to the hash
+    hashObj.update(ip);
+
+    //return the IP hash as a string
+    return hashObj.digest('hex');
+}

src/utils/mailUtils.js

@@ -0,0 +1,57 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//Config
+const config = require('../../config.json');
+
+//NPM imports
+const nodeMailer = require("nodemailer");
+
+//Setup mail transport
+const transporter = nodeMailer.createTransport({
+    host: config.mail.host,
+    port: config.mail.port,
+    secure: config.mail.secure,
+    auth: {
+        user: config.mail.address,
+        pass: config.mail.pass
+    }
+});
+
+module.exports.mailem = async function(to, subject, body, htmlBody = false){
+    //Create mail object
+    const mailObj = {
+        from: `"Tokebot🤖💨"<${config.mail.address}>`,
+        to,
+        subject
+    };
+
+    //If we're sending HTML
+    if(htmlBody){
+        //set body as html
+        mailObj.html = body;
+    //If we're sending plaintext
+    }else{
+        //Set body as plaintext
+        mailObj.text = body
+    }
+
+    //Send mail based on mail object
+    const sentMail = await transporter.sendMail(mailObj);
+
+    //return the mail info
+    return sentMail;
+}

www/js/passwordReset.js

@@ -54,7 +54,7 @@ class registerPrompt{
         this.verification = event.detail.payload;
     }
 
-    register(){
+    async register(){
         //If altcha verification isn't complete
         if(this.verification == null){
             //don't bother
@@ -63,7 +63,7 @@ class registerPrompt{
 
         //If we're initiating a password change request
         if(this.initiating){
-
+            await utils.ajax.requestPasswordReset(this.user.value, this.verification);
         //If we're completing a password change
         }else{
             //if the confirmation password doesn't match
@@ -74,7 +74,7 @@ class registerPrompt{
             }
 
             //Send the registration informaiton off to the server
-            utils.ajax.resetPassword(this.token , this.pass.value , this.passConfirm.value , this.verification);
+            await utils.ajax.resetPassword(this.token , this.pass.value , this.passConfirm.value , this.verification);
         }
     }
 }

www/js/register.js

@@ -66,4 +66,4 @@ class registerPrompt{
     }
 }
 
-const registerForm = new resetPrompt();
+const registerForm = new registerPrompt();

www/js/utils.js

@@ -481,6 +481,27 @@ class canopyAjaxUtils{
         }
     }
 
+    async requestPasswordReset(user, verification){
+        const response = await fetch(`/api/account/passwordResetRequest`,{
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json"
+            },
+            body: JSON.stringify({user, verification})
+        });
+
+        //If we received a successful response
+        if(response.status == 200){
+            //Create pop-up
+            const popup = new canopyUXUtils.popup("A password reset link has been sent to the email associated with the account requested assuming it has one!");
+            //Go to home-page on pop-up closure
+            popup.popupDiv.addEventListener("close", ()=>{window.location = '/'});
+        //Otherwise
+        }else{
+            utils.ux.displayResponseError(await response.json());
+        }
+    }
+
     async resetPassword(token, pass, confirmPass, verification){
         const response = await fetch(`/api/account/passwordReset`,{
             method: "POST",
@@ -493,7 +514,7 @@ class canopyAjaxUtils{
         //If we received a successful response
         if(response.status == 200){
             //Create pop-up
-            const popup = new canopyUXUtils.popup("Your password has been reset!");
+            const popup = new canopyUXUtils.popup("Your password has been reset, and all devices have been logged out of your account!");
             //Go to home-page on pop-up closure
             popup.popupDiv.addEventListener("close", ()=>{window.location = '/'});
         //Otherwise