Add a POST flow to password recovery (#871)

calzoneman · Aug 20, 2021 · edb5f94 · edb5f94
1 parent d563a85
commit edb5f94
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "author": "Calvin Montgomery",
   "name": "CyTube",
   "description": "Online media synchronizer and chat",
-  "version": "3.82.1",
+  "version": "3.82.2",
   "repository": {
     "url": "http://github.com/calzoneman/sync"
   },

diff --git a/src/web/account.js b/src/web/account.js
@@ -631,7 +631,45 @@ function handlePasswordReset(req, res) {
 /**
  * Handles a request for /account/passwordrecover/<hash>
  */
-function handlePasswordRecover(req, res) {
+function handleGetPasswordRecover(req, res) {
+    var hash = req.params.hash;
+    if (typeof hash !== "string") {
+        res.send(400);
+        return;
+    }
+
+    var ip = req.realIP;
+
+    db.lookupPasswordReset(hash, function (err, row) {
+        if (err) {
+            sendPug(res, "account-passwordrecover", {
+                recovered: false,
+                recoverErr: err
+            });
+            return;
+        }
+
+        if (Date.now() >= row.expire) {
+            sendPug(res, "account-passwordrecover", {
+                recovered: false,
+                recoverErr: "This password recovery link has expired.  Password " +
+                            "recovery links are valid only for 24 hours after " +
+                            "submission."
+            });
+            return;
+        }
+
+        sendPug(res, "account-passwordrecover", {
+            confirm: true,
+            recovered: false
+        });
+    });
+}
+
+/**
+ * Handles a POST request for /account/passwordrecover/<hash>
+ */
+function handlePostPasswordRecover(req, res) {
     var hash = req.params.hash;
     if (typeof hash !== "string") {
         res.send(400);
@@ -703,7 +741,8 @@ module.exports = {
         app.post("/account/profile", handleAccountProfile);
         app.get("/account/passwordreset", handlePasswordResetPage);
         app.post("/account/passwordreset", handlePasswordReset);
-        app.get("/account/passwordrecover/:hash", handlePasswordRecover);
+        app.get("/account/passwordrecover/:hash", handleGetPasswordRecover);
+        app.post("/account/passwordrecover/:hash", handlePostPasswordRecover);
         app.get("/account", function (req, res) {
             res.redirect("/login");
         });

diff --git a/templates/account-passwordrecover.pug b/templates/account-passwordrecover.pug
@@ -7,6 +7,9 @@ block content
       .alert.alert-success.center.messagebox
         strong Your password has been changed
         p Your account has been assigned the temporary password <code>#{recoverPw}</code>.  You may now use this password to log in and choose a new password by visiting the <a href="/account/edit">change password/email</a> page.
+    else if confirm
+      form(role="form", method="POST")
+        button.btn.btn-primary.btn-block(type="submit") Click here to reset password
     else
       .alert.alert-danger.center.messagebox
         strong Password recovery failed