jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Separate invite and password reset token

Browse Source
This commit is contained in:
Johannes Zellner
2021-10-01 12:27:22 +02:00
parent c7b668b3a4
commit cb31e5ae8b
4 changed files with 37 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/routes/cloudron.js
View File

@@ -123,16 +123,16 @@ async function passwordReset(req, res, next) {
async function setupAccount(req, res, next) {
assert.strictEqual(typeof req.body, 'object');
if (!req.body.resetToken || typeof req.body.resetToken !== 'string') return next(new HttpError(400, 'resetToken must be a non-empty string'));
if (!req.body.inviteToken || typeof req.body.inviteToken !== 'string') return next(new HttpError(400, 'inviteToken must be a non-empty string'));
if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a non-empty string'));
// only sent if profile is not locked
if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a non-empty string'));
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be a non-empty string'));
const [error, userObject] = await safe(users.getByResetToken(req.body.resetToken));
if (error) return next(new HttpError(401, 'Invalid resetToken'));
if (!userObject) return next(new HttpError(401, 'Invalid resetToken'));
const [error, userObject] = await safe(users.getByInviteToken(req.body.inviteToken));
if (error) return next(new HttpError(401, 'Invalid inviteToken'));
if (!userObject) return next(new HttpError(401, 'Invalid inviteToken'));
// if you fix the duration here, the emails and UI have to be fixed as well
if (Date.now() - userObject.resetTokenCreationTime > 7 * 24 * 60 * 60 * 1000) return next(new HttpError(401, 'Token expired'));