Started work on URL-Token based password reset system. Email not yet implemented.

2024-12-28 04:30:08 -05:00 · 2024-12-28 04:30:08 -05:00 · ed698f40c7
commit ed698f40c7
parent 8ee92541de
22 changed files with 580 additions and 16 deletions
--- a/src/schemas/passwordResetSchema.js
+++ b/src/schemas/passwordResetSchema.js
@ -0,0 +1,121 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//You could make an argument for making this part of the userModel
+//However, this is so rarely used the preformance benefits aren't worth the extra clutter
+
+//Config
+const config = require('../../config.json');
+
+//Node Imports
+const crypto = require("node:crypto");
+
+//NPM Imports
+const {mongoose} = require('mongoose');
+
+const daysToExpire = 7;
+
+const passwordResetSchema = new mongoose.Schema({
+    user: {
+        type: mongoose.SchemaTypes.ObjectID,
+        ref: "user",
+        required: true
+    },
+    token: {
+        type: mongoose.SchemaTypes.String,
+        required: true
+    },
+    date: {
+
+        type: mongoose.SchemaTypes.Date,
+        required: true,
+        default: new Date()
+    }
+});
+
+//statics
+passwordResetSchema.statics.generateResetToken = async function(userDB){
+    //Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our reset token
+    const token = crypto.randomBytes(16).toString('hex');
+
+    //Create request object
+    const request = {
+        user: userDB._id,
+        token,
+        date: new Date()
+    }
+
+    //Create the request entry in the DB and return the newly created record
+    return await this.create(request);
+}
+
+passwordResetSchema.statics.processExpiredRequests = async function(){
+    //Pull all requests from the DB
+    const requestDB = await this.find({});
+
+    requestDB.forEach(async (request) => {
+        //If the request hasn't been processed and it's been expired
+        if(request.getDaysUntilExpiration() <= 0){
+            //Delete the request
+            await this.deleteOne({_id: request._id});
+        }
+    });
+}
+
+//methods
+passwordResetSchema.methods.consume = async function(pass, confirmPass){
+    //Check confirmation pass
+    if(pass != confirmPass){
+        throw new Error("Confirmation password does not match!");
+    }
+
+    //Populate the user reference
+    await this.populate('user');
+
+    //Set the users password
+    this.user.pass = pass;
+    
+    //Save the user
+    await this.user.save();
+
+    //Kill all authed sessions for security purposes
+    await this.user.killAllSessions("Your password has been reset.");
+
+    //Delete the request token now that it has been consumed
+    await this.deleteOne();
+}
+
+passwordResetSchema.methods.getResetURL = function(){
+    //Check for default port based on protocol
+    if((config.protocol == 'http' && config.port == 80) || (config.protocol == 'https' && config.port == 443)){
+        //Return path
+        return `${config.protocol}://${config.domain}/passwordReset?token=${this.token}`;
+    }else{
+        //Return path
+        return `${config.protocol}://${config.domain}:${config.port}/passwordReset?token=${this.token}`;
+    }
+}
+
+passwordResetSchema.methods.getDaysUntilExpiration = function(){
+        //Get ban date
+        const expirationDate = new Date(this.date);
+        //Get expiration days and calculate expiration date
+        expirationDate.setDate(expirationDate.getDate() + daysToExpire);
+        //Calculate and return days until ban expiration
+        return ((expirationDate - new Date()) / (1000 * 60 * 60 * 24)).toFixed(1);
+}
+
+module.exports = mongoose.model("passwordReset", passwordResetSchema);
--- a/src/schemas/userSchema.js
+++ b/src/schemas/userSchema.js
@ -16,7 +16,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/


 //Built-In Imports
-const crypto = require('crypto');
+const crypto = require('node:crypto');

 //NPM Imports
 const {mongoose} = require('mongoose');
@ -604,7 +604,7 @@ userSchema.methods.killAllSessions = async function(reason = "A full log-out fro
    server.channelManager.kickConnections(this.user, reason);
 }

-userSchema.methods.passwordReset = async function(passChange){
+userSchema.methods.changePassword = async function(passChange){
    if(this.checkPass(passChange.oldPass)){
        if(passChange.newPass == passChange.confirmPass){
            //Note: We don't have to worry about hashing here because the schema is written to do it auto-magically