/*Canopy - The next generation of stoner streaming software
Copyright (C) 2024-2025 Rainbownapkin and the TTN Community
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.*/
//Config
const config = require('../../config.json');
//npm imports
const {validationResult, matchedData} = require('express-validator');
//Local Imports
const altchaUtils = require('../utils/altchaUtils');
const csrfUtils = require('../utils/csrfUtils');
//register page functions
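/**
 * GET handler for the password-reset page.
 *
 * Always generates a fresh captcha challenge and a CSRF token, then renders the
 * `passwordReset` view. When the request's validation chain passed, the
 * validated/sanitised `token` is forwarded to the view; otherwise the generic
 * page is rendered with `token: null`.
 *
 * @param {object} req - Express request; `req.session.user` is forwarded to the view.
 * @param {object} res - Express response used to render the view.
 * @returns {Promise<*>} the result of `res.render`, or of the exception handler on error.
 */
module.exports.get = async function(req, res){
  try{
    //check for validation errors
    const validResult = validationResult(req);
    //Generate captcha (done for both branches so the view always gets a challenge)
    const challenge = await altchaUtils.genCaptcha();
    /*
    The decision to not check the token against the database here is a conscious security decision that should be kept.
    This way, attackers would only be able to detect valid keys by requesting password resets against them.
    A process which, unlike fetching this page, is checked against a captcha.
    Instead we should render this page, so long as the token fits the formatting rules for a token, regardless of DB presence.
    */
    //Only read matchedData when validation passed; otherwise fall back to the generic page.
    //NOTE: the token has only passed the validator's format rules — it is still request-supplied data
    //and must be escaped by the view engine rather than trusted as a known-good value.
    const token = validResult.isEmpty() ? matchedData(req).token : null;
    //Single render call for both cases so the view-model shape cannot drift between branches
    return res.render('passwordReset', {
      instance: config.instanceName,
      user: req.session.user,
      challenge,
      token,
      csrfToken: csrfUtils.generateToken(req),
    });
  }catch(err){
    //FIXME: exceptionHandler is not brought into scope by the require block at the top of this file;
    //confirm it is provided elsewhere (e.g. as a global), otherwise an error here surfaces as a ReferenceError
    return exceptionHandler(res, err);
  }
}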