Started work on URL-Token based password reset system. Email not yet implemented.

src/controllers/api/account/passwordResetController.js

@@ -0,0 +1,67 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//Config
+const config = require('../../../../config.json');
+
+//NPM Imports
+const {validationResult, matchedData} = require('express-validator');
+
+//local imports
+const passwordResetModel = require('../../../schemas/passwordResetSchema');
+const altchaUtils = require('../../../utils/altchaUtils');
+const sessionUtils = require('../../../utils/sessionUtils');
+const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+
+module.exports.post = async function(req, res){
+    try{
+        //Check for validation errors
+        const validResult = validationResult(req);
+
+        //If there are none
+        if(validResult.isEmpty()){
+            //Get sanatized/validated data
+            const {token, pass, confirmPass} = matchedData(req);
+            //Verify Altcha Payload
+            const verified = await altchaUtils.verify(req.body.verification);
+
+            //If altcha verification failed
+            if(!verified){
+                return errorHandler(res, 'Altcha verification failed, Please refresh the page!', 'unauthorized');
+            }
+
+            //Kill users session since it *might* be the logged in user.
+            //Though realisitcally this shouldn't matter since most people wouldn't be logged in when resetting passwords
+            sessionUtils.killSession(req.session);
+
+            //Consume the password reset token using given input
+            const requestDB = await passwordResetModel.findOne({token});
+
+            //If we have an invalid request
+            if(requestDB == null){
+                return errorHandler(res, 'Invalid request token!', 'unauthorized');
+            }
+            await requestDB.consume(pass, confirmPass);
+
+            return res.sendStatus(200);
+        }else{
+            res.status(400);
+            return res.send({errors: validResult.array()});
+        }
+    }catch(err){
+        return exceptionHandler(res, err);
+    }
+}

src/controllers/api/account/updateController.js

@@ -67,7 +67,7 @@ module.exports.post = async function(req, res){
                 if(data.passChange){
                     //kill active session to prevent connect-mongo from freaking out
                     accountUtils.killSession(req.session);
-                    await userDB.passwordReset(data.passChange);
+                    await userDB.changePassword(data.passChange);
                 }
 
                 await userDB.save();

src/controllers/api/admin/passwordResetController.js

@@ -0,0 +1,57 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//npm imports
+const {validationResult, matchedData} = require('express-validator');
+
+//local imports
+const {userModel} = require('../../../schemas/userSchema');
+const passwordResetModel = require("../../../schemas/passwordResetSchema");
+const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
+
+module.exports.post = async function(req, res){
+    try{
+        //check for validation errors
+        const validResult = validationResult(req);
+
+        //if none
+        if(validResult.isEmpty()){
+            //grab validated/sanatized data
+            const {user} = matchedData(req);
+            //Find user from input
+            const userDB = await userModel.findOne({user});
+
+            //If there is no user
+            if(userDB == null){
+                //Scream
+                return errorHandler(res, "User not found.", "Bad Query.");
+            }
+
+            //Generate the password reset link
+            const requestDB = await passwordResetModel.generateResetToken(userDB);
+
+            //send successful response
+            res.status(200);
+            return res.send({url: requestDB.getResetURL()});
+        //otherwise scream
+        }else{
+            res.status(400);
+            return res.send({errors: validResult.array()})
+        }
+    }catch(err){
+        return exceptionHandler(res, err);
+    }
+}

src/controllers/passwordResetController.js

@@ -0,0 +1,58 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//Config
+const config = require('../../config.json');
+
+//npm imports
+const {validationResult, matchedData} = require('express-validator');
+
+//Local Imports
+const altchaUtils = require('../utils/altchaUtils');
+
+//register page functions
+module.exports.get = async function(req, res){
+    try{
+        //check for validation errors
+        const validResult = validationResult(req);
+
+        //Generate captcha
+        const challenge = await altchaUtils.genCaptcha();
+
+        //if none
+        if(validResult.isEmpty()){
+            //grab validated/sanatized data
+            const {token} = matchedData(req);
+
+            /*
+                The decision to not check the token against the database here is a conscious security decision that should be kept.
+                This way, attackers would only be able to detect valid keys by requesting password resets against them.
+                A process which, unlike fetching this page, is checked against a captcha.
+
+                Instead we should render this page, so long as the token fits the formatting rules for a token, regardless of DB presence.
+            */
+
+            //Render page
+            return res.render('passwordReset', {instance: config.instanceName, user: req.session.user, challenge, token});
+        //If we didn't get a valid token
+        }else{
+            //otherwise render generic page
+            return res.render('passwordReset', {instance: config.instanceName, user: req.session.user, challenge, token: null});
+        }
+    }catch(err){
+        return exceptionHandler(res, err);
+    }
+}