From f76135f00fcacdd174da41739b21b2b1e9f18e29 Mon Sep 17 00:00:00 2001
From: Evert
Date: Thu, 30 Nov 2017 23:26:41 +0200
Subject: [PATCH] Token expiry checking, limit amount of resets in a day
---
 server/api/admin.js | 4 ++--
 server/api/index.js | 19 ++++++++++++++++---
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/server/api/admin.js b/server/api/admin.js
index e2ec69a..79f8b80 100644
--- a/server/api/admin.js
+++ b/server/api/admin.js
@@ -84,7 +84,7 @@ const API = {
 getAllUsers: async function (page, adminId) {
 let count = await Models.User.query().count('id as ids')
 if (!count.length || !count[0]['ids'] || isNaN(page)) {
- throw new Error('No users found')
+ return { error: 'No users found in database' }
 }
 count = count[0].ids
@@ -198,7 +198,7 @@ const API = {
 getAllBans: async function (page) {
 let count = await Models.Ban.query().count('id as ids')
 if (!count.length || !count[0]['ids'] || isNaN(page)) {
- throw new Error('No bans on record')
+ return { error: 'No bans on record' }
 }
 count = count[0].ids
diff --git a/server/api/index.js b/server/api/index.js
index 3c29c76..d359ce2 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -252,11 +252,15 @@ const API = {
 let getToken = await models.Token.query().where('token', token).andWhere('type', 1)
 if (!getToken || !getToken.length) return false
- let user = await API.User.get(getToken[0].user_id)
+ getToken = getToken[0]
+
+ if (getToken.expires_at && new Date(getToken.expires_at).getTime() < Date.now()) return false
+
+ let user = await API.User.get(getToken.user_id)
 if (!user) return false
 await models.User.query().patchAndFetchById(user.id, {activated: 1})
- await models.Token.query().delete().where('id', getToken[0].id)
+ await models.Token.query().delete().where('id', getToken.id)
 return true
 },
 totpTokenRequired: async function (user) {
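Review bot: The replaced line in getAllUsers returns `{ error: 'No users found in database' }` for a non-numeric `page` as well, because the guard on the line above also tests `isNaN(page)`, so an admin caller sending a malformed page is told the table is empty. Callers that previously relied on the thrown Error now have to check the `error` key on every result, and the same change applies to getAllBans in the hunk at @@ -198. Consider separating the two conditions, e.g. `if (Number.isNaN(Number(page))) return { error: 'Invalid page' }` ahead of the count check, which also retires the coercing global `isNaN`. Both functions continue outside the hunk, so whether other paths in them still throw is not visible here.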
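Review bot: The added expiry check fails open when `expires_at` is present but unparseable: `new Date(getToken.expires_at).getTime()` yields NaN, `NaN < Date.now()` is false, and the token is accepted as valid. Writing the guard as `if (getToken.expires_at && !(new Date(getToken.expires_at).getTime() > Date.now())) return false` rejects NaN together with past timestamps; the hunk at @@ -438 carries the identical check and needs the same fix, ideally through one shared helper such as `isExpired(token)` rather than two copies. An expired token is also left in the table on this path, which is harmless for acceptance but means the row lingers until something else removes it; deleting it here would be cheap. The enclosing function starts before the hunk.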
@@ -407,6 +411,11 @@ const API = {
 if (!user) throw new Error('This email address does not match any user in our database.')
 if (!user.password && passRequired) throw new Error('The user associated with this email address has used an external website to log in, thus the password cannot be reset.')
+ let recentTokens = await models.Token.query().where('user_id', user.id).andWhere('expires_at', '>', new Date()).andWhere('type', 2)
+ if (recentTokens.length >= 2) {
+ throw new Error('You\'ve made too many reset requests recently. Please slow down.')
+ }
+
 let resetToken = API.Hash(16)
 await models.Token.query().insert({
 expires_at: new Date(Date.now() + 86400000), // 1 day
@@ -438,7 +447,11 @@ const API = {
 let getToken = await models.Token.query().where('token', token).andWhere('type', 2)
 if (!getToken || !getToken.length) return null
- let user = await API.User.get(getToken[0].user_id)
+ getToken = getToken[0]
+
+ if (getToken.expires_at && new Date(getToken.expires_at).getTime() < Date.now()) return null
+
+ let user = await API.User.get(getToken.user_id)
 if (!user) return null
 return user
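Review bot: The new limit is a count-then-insert with no transaction around it, so two concurrent reset requests for the same address can both observe `recentTokens.length < 2` and both insert, exceeding the cap; if the limit must hold strictly, run the count and the insert in one transaction or enforce it at the token table. The query also loads full token rows only to read `.length`, where `count()` as used in admin.js would suffice. The literal `2` deserves a name and a comment tying it to the one-day `expires_at` set on the insert below, e.g. `const MAX_ACTIVE_RESET_TOKENS = 2 // tokens live 1 day, so roughly two requests per day`. The enclosing function starts before and ends after the hunk.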