Password reset and new email validation ID stored in DB for more security

This commit is contained in:
2024-12-17 17:51:12 +01:00
parent b24a083d2e
commit ec0afa9686
26 changed files with 1042 additions and 40 deletions

View File

@@ -71,18 +71,27 @@ export default defineEventHandler(async (e): Promise<Return> => {
db.insert(usersDataTable).values({ id: sql.placeholder('id') }).prepare().run({ id: id.id });
logSession(e, await setUserSession(e, { user: { id: id.id, username: body.data.username, email: body.data.email, state: 0, signin: new Date(), permissions: [] } }) as UserSessionRequired);
logSession(e, await setUserSession(e, { user: { id: id.id, username: body.data.username, email: body.data.email, state: 0, signin: new Date(), permissions: [], lastTimestamp: new Date(), logCount: 1 } }) as UserSessionRequired);
const emailId = Bun.hash('register' + id.id + hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id: emailId, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
to: [body.data.email],
template: 'registration',
data: {
id: emailId, timestamp,
userId: id,
username: body.data.username,
timestamp: Date.now(),
id: id.id,
}
},
}
});

View File

@@ -0,0 +1,55 @@
import { hash } from 'bun';
import { eq, or } from 'drizzle-orm';
import { z } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { usersTable } from '~/db/schema';
const schema = z.object({
profile: z.string(),
});
export default defineEventHandler(async (e) => {
try
{
const db = useDatabase();
const body = await readValidatedBody(e, schema.safeParse);
if (!body.success)
{
setResponseStatus(e, 406);
return { success: false, error: body.error };
}
const result = db.select({ id: usersTable.id, email: usersTable.email, username: usersTable.username, hash: usersTable.hash }).from(usersTable).where(or(eq(usersTable.email, body.data.profile), eq(usersTable.username, body.data.profile))).get();
if(result && result.id)
{
const id = hash('reset' + result.id + result.hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
data: {
id, timestamp,
userId: result.id,
username: result.username,
},
template: 'reset-password',
to: [result.email],
}
});
}
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -0,0 +1,99 @@
import { count, eq, sql } from 'drizzle-orm';
import { ZodError, type ZodIssue } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { usersDataTable, usersTable } from '~/db/schema';
import { schema } from '~/schemas/registration';
import { checkSession, logSession } from '~/server/utils/user';
import type { UserSession, UserSessionRequired } from '~/types/auth';
interface SuccessHandler
{
success: true;
session: UserSession;
}
interface ErrorHandler
{
success: false;
error: Error | ZodError<{
username: string;
email: string;
password: string;
}>;
}
type Return = SuccessHandler | ErrorHandler;
export default defineEventHandler(async (e): Promise<Return> => {
try
{
const session = await getUserSession(e);
const db = useDatabase();
const checkedSession = await checkSession(e, session);
if(checkedSession !== undefined)
return checkedSession;
const body = await readValidatedBody(e, schema.safeParse);
if (!body.success)
{
await clearUserSession(e);
setResponseStatus(e, 406);
return { success: false, error: body.error };
}
const checkUsername = db.select({ count: count() }).from(usersTable).where(eq(usersTable.username, sql.placeholder('username'))).prepare().get({ username: body.data.username });
const checkEmail = db.select({ count: count() }).from(usersTable).where(eq(usersTable.email, sql.placeholder('email'))).prepare().get({ email: body.data.email });
const errors: ZodIssue[] = [];
if(!checkUsername || checkUsername.count !== 0)
errors.push({ code: 'custom', path: ['username'], message: "Ce nom d'utilisateur est déjà utilisé" });
if(!checkEmail || checkEmail.count !== 0)
errors.push({ code: 'custom', path: ['email'], message: "Cette adresse mail est déjà utilisée" });
if(errors.length > 0)
{
setResponseStatus(e, 406);
return { success: false, error: new ZodError(errors) };
}
else
{
const hash = await Bun.password.hash(body.data.password);
db.insert(usersTable).values({ username: sql.placeholder('username'), email: sql.placeholder('email'), hash: sql.placeholder('hash'), state: sql.placeholder('state') }).prepare().run({ username: body.data.username, email: body.data.email, hash, state: 0 });
const id = db.select({ id: usersTable.id }).from(usersTable).where(eq(usersTable.username, sql.placeholder('username'))).prepare().get({ username: body.data.username });
if(!id || !id.id)
{
setResponseStatus(e, 406);
return { success: false, error: new Error('Erreur de création de compte') };
}
db.insert(usersDataTable).values({ id: sql.placeholder('id') }).prepare().run({ id: id.id });
logSession(e, await setUserSession(e, { user: { id: id.id, username: body.data.username, email: body.data.email, state: 0, signin: new Date(), permissions: [], lastTimestamp: new Date(), logCount: 1 } }) as UserSessionRequired);
await runTask('mail', {
payload: {
type: 'mail',
to: [body.data.email],
template: 'registration',
data: {
username: body.data.username,
timestamp: Date.now(),
id: id.id,
}
}
});
setResponseStatus(e, 201);
return { success: true, session };
}
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -0,0 +1,75 @@
import { and, count, eq } from 'drizzle-orm';
import { z } from 'zod';
import { usersTable } from '~/db/schema';
import { schema as registration } from '~/schemas/registration';
import useDatabase from '~/composables/useDatabase';
const schema = z.object({
newPassword: registration.shape.password,
oldPassword: registration.shape.password,
});
export default defineEventHandler(async (e) => {
try
{
const session = await getUserSession(e);
if(!session || !session.user || !session.user.id)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
const id = getRouterParam(e, 'id');
if(!id)
{
return createError({
statusCode: 403,
message: 'Forbidden',
});
}
if(session.user.id.toString() !== id)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
const body = await readValidatedBody(e, schema.safeParse);
if(!body.success)
throw body.error;
const db = useDatabase();
console.log(body.data.oldPassword, await Bun.password.hash(body.data.oldPassword));
const check = db.select({ hash: usersTable.hash }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
if(!check || !check.hash)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
if(!await Bun.password.verify(body.data.oldPassword, check.hash))
{
return { success: false, error: "Ancien mot de passe incorrect" };
}
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.newPassword) }).where(eq(usersTable.id, session.user.id)).run();
return { success: true };
}
catch(err: any)
{
console.error(err);
return createError({
statusCode: 500,
});
}
});

View File

@@ -0,0 +1,78 @@
import { eq, getTableColumns, lte } from 'drizzle-orm';
import { z } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { emailValidationTable, usersTable } from '~/db/schema';
const querySchema = z.object({
h: z.coerce.string(),
i: z.coerce.string(),
u: z.coerce.number(),
t: z.coerce.number(),
});
const bodySchema = z.object({
password: z.string(),
});
export default defineEventHandler(async (e) => {
try
{
const query = await getValidatedQuery(e, querySchema.safeParse);
if(!query.success)
throw query.error;
if(Bun.hash('2' + query.data.u.toString(), query.data.t).toString() !== query.data.h)
{
return createError({
statusCode: 400,
message: 'Requete incorrecte',
});
}
if(Date.now() > query.data.t + (60 * 60 * 1000))
{
return createError({
statusCode: 400,
message: 'La requete a expirée',
});
}
const body = await readValidatedBody(e, bodySchema.safeParse);
if(!body.success)
throw body.error;
const db = useDatabase();
db.delete(emailValidationTable).where(lte(emailValidationTable.timestamp, new Date())).run();
const validate = db.select(getTableColumns(emailValidationTable)).from(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).get();
if(!validate || validate.timestamp <= new Date())
{
return createError({
statusCode: 400,
message: 'La requete a expirée',
});
}
db.delete(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).run();
const result = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, query.data.u)).get();
if(result === undefined)
{
return createError({
statusCode: 400,
message: 'Aucune donnée utilisateur trouvée',
});
}
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.password) }).where(eq(usersTable.id, query.data.u)).run();
return { success: true };
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -1,3 +1,4 @@
import { hash } from "bun";
import { eq } from "drizzle-orm";
import useDatabase from "~/composables/useDatabase";
import { usersTable } from "~/db/schema";
@@ -31,7 +32,7 @@ export default defineEventHandler(async (e) => {
}
const db = useDatabase();
const data = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
const data = db.select({ id: usersTable.id, email: usersTable.email, username: usersTable.username, hash: usersTable.hash, state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
if(!data)
{
@@ -46,16 +47,25 @@ export default defineEventHandler(async (e) => {
return;
}
const emailId = hash('register' + data.id + data.hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id: emailId, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
to: [session.user.email],
template: 'registration', //@TODO
to: [data.email],
template: 'registration',
data: {
username: session.user.username,
timestamp: Date.now(),
id: session.user.id,
}
id: emailId, timestamp,
userId: id,
username: data.username,
},
}
});

View File

@@ -3,12 +3,12 @@
<p style="font-variant: small-caps; margin-bottom: 1rem; font-size: 1.25rem; line-height: 1.75rem;">Bienvenue sur d[any], <span>{{ username }}</span>.</p>
<p>Nous vous invitons à valider votre compte afin de profiter de toutes les fonctionnalités de d[any].</p>
<div style="padding-top: 1rem; padding-bottom: 1rem; text-align: center;">
<a :href="`https://d-any.com/user/mailvalidation?u=${id}&t=${timestamp}&h=${hash}`" target="_blank"><span style="display: inline-block; border-width: 1px; border-color: #525252; background-color: #e5e5e5; padding-left: 0.75rem; padding-right: 0.75rem; padding-top: 0.25rem; padding-bottom: 0.25rem; font-weight: 200; color: #171717; text-decoration: none;">Je valide mon compte</span></a>
<a :href="`https://d-any.com/user/mailvalidation?u=${userId}&i=${id}&t=${timestamp}&h=${hash}`" target="_blank"><span style="display: inline-block; border-width: 1px; border-color: #525252; background-color: #e5e5e5; padding-left: 0.75rem; padding-right: 0.75rem; padding-top: 0.25rem; padding-bottom: 0.25rem; font-weight: 200; color: #171717; text-decoration: none;">Je valide mon compte</span></a>
<span style="display: block; padding-top: 0.5rem; font-size: 0.75rem; line-height: 1rem;">Ce lien est valable 1 heure.</span>
</div>
<div>
<span>Vous pouvez egalement copier le lien suivant pour valider votre compte: </span>
<pre style="display: inline-block; border-bottom-width: 1px; font-size: 0.75rem; line-height: 1rem; color: #171717; font-weight: 400; text-decoration: none;">{{ `https://d-any.com/user/mailvalidation?u=${id}&t=${timestamp}&h=${hash}` }}</pre>
<pre style="display: inline-block; border-bottom-width: 1px; font-size: 0.75rem; line-height: 1rem; color: #171717; font-weight: 400; text-decoration: none;">{{ `https://d-any.com/user/mailvalidation?u=${userId}&i=${id}&t=${timestamp}&h=${hash}` }}</pre>
</div>
</div>
</template>
@@ -17,10 +17,11 @@
import { computed } from 'vue';
import Bun from 'bun';
const { id, username, timestamp } = defineProps<{
const { id, userId, username, timestamp } = defineProps<{
id: number
userId: number
username: string
timestamp: number
}>();
const hash = computed(() => Bun.hash(id.toString(), timestamp));
const hash = computed(() => Bun.hash('1' + userId.toString(), timestamp));
</script>

View File

@@ -0,0 +1,29 @@
<template>
<div style="max-width: 800px; margin-left: auto; margin-right: auto;">
<p style="font-variant: small-caps; margin-bottom: 1rem; font-size: 1.25rem; line-height: 1.75rem;">Bonjour <span>{{ username }}</span>.</p>
<p>Vous avez demandé à réinitialiser votre mot de passe aujourd'hui à {{ format(new Date(timestamp), 'HH:mm') }}.</p>
<div style="padding-top: 1rem; padding-bottom: 1rem; text-align: center;">
<a :href="`https://d-any.com/user/resetting-password?u=${userId}&i=${id}&t=${timestamp}&h=${hash}`" target="_blank"><span style="display: inline-block; border-width: 1px; border-color: #525252; background-color: #e5e5e5; padding-left: 0.75rem; padding-right: 0.75rem; padding-top: 0.25rem; padding-bottom: 0.25rem; font-weight: 200; color: #171717; text-decoration: none;">Je change mon mot de passe.</span></a>
<span style="display: block; padding-top: 0.5rem; font-size: 0.75rem; line-height: 1rem;">Ce lien est valable 1 heure.</span>
</div>
<div>
<span>Vous pouvez egalement copier le lien suivant pour changer votre mot de passe: </span>
<pre style="display: inline-block; border-bottom-width: 1px; font-size: 0.75rem; line-height: 1rem; color: #171717; font-weight: 400; text-decoration: none;">{{ `https://d-any.com/user/resetting-password?u=${userId}&i=${id}&t=${timestamp}&h=${hash}` }}</pre>
</div>
<span>Si vous n'êtes pas à l'origine de cette demande, vous n'avez pas à modifier votre mot de passe, ce dernier est conservé tant que vous n'interagissez pas avec le lien ci-dessus.</span>
</div>
</template>
<script setup lang="ts">
import { computed } from 'vue';
import Bun from 'bun';
import { format } from '~/shared/general.utils';
const { id, userId, username, timestamp } = defineProps<{
id: number
userId: number
username: string
timestamp: number
}>();
const hash = computed(() => Bun.hash('2' + userId.toString(), timestamp));
</script>

View File

@@ -1,10 +1,11 @@
import { eq } from "drizzle-orm";
import { eq, getTableColumns, lte } from "drizzle-orm";
import { z } from "zod";
import useDatabase from "~/composables/useDatabase";
import { usersTable } from "~/db/schema";
import { emailValidationTable, usersTable } from "~/db/schema";
const schema = z.object({
h: z.coerce.string(),
i: z.coerce.string(),
u: z.coerce.number(),
t: z.coerce.number(),
});
@@ -15,22 +16,33 @@ export default defineEventHandler(async (e) => {
if(!query.success)
throw query.error;
if(Bun.hash(query.data.u.toString(), query.data.t).toString() !== query.data.h)
if(Bun.hash('1' + query.data.u.toString(), query.data.t).toString() !== query.data.h)
{
return createError({
statusCode: 400,
message: 'Lien incorrect',
})
});
}
if(Date.now() > query.data.t + (60 * 60 * 1000))
{
return createError({
statusCode: 400,
message: 'Le lien a expiré',
})
});
}
const db = useDatabase();
const validate = db.select(getTableColumns(emailValidationTable)).from(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).get();
if(!validate || validate.timestamp <= new Date())
{
return createError({
statusCode: 400,
message: 'Le lien a expiré',
});
}
db.delete(emailValidationTable).where(lte(emailValidationTable.timestamp, new Date())).run();
const result = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, query.data.u)).get();
if(result === undefined)
@@ -38,14 +50,14 @@ export default defineEventHandler(async (e) => {
return createError({
statusCode: 400,
message: 'Aucune donnée utilisateur trouvée',
})
});
}
if(result?.state === 1)
{
return createError({
statusCode: 400,
message: 'Votre compte a déjà été validé',
})
});
}
db.update(usersTable).set({ state: 1 }).where(eq(usersTable.id, query.data.u)).run();

View File

@@ -3,28 +3,24 @@ import { createSSRApp, h } from 'vue';
import { renderToString } from 'vue/server-renderer';
import base from '../components/mail/base.vue';
import registration from '../components/mail/registration.vue';
//import revalidation from '../components/mail/revalidation.vue';
import Registration from '../components/mail/registration.vue';
import ResetPassword from '../components/mail/reset-password.vue';
const config = useRuntimeConfig();
const [domain, selector, dkim] = config.mail.dkim.split(":");
export const templates: Record<string, { component: any, subject: string }> = {
"registration": { component: registration, subject: 'Bienvenue sur d[any] 😎' },
// "revalidate-mail": { component: revalidation, subject: 'd[any]: Valider votre email' },
"registration": { component: Registration, subject: 'Bienvenue sur d[any] 😎' },
"reset-password": { component: ResetPassword, subject: 'Réinitialisation de votre mot de passe' },
};
import 'nitropack/types';
import type Mail from 'nodemailer/lib/mailer';
declare module 'nitropack/types'
interface MailPayload
{
interface TaskPayload
{
type: 'mail'
to: string[]
template: string
data: Record<string, any>
}
type: 'mail'
to: string[]
template: string
data: Record<string, any>
}
const transport = nodemailer.createTransport({
@@ -57,7 +53,7 @@ export default defineTask({
throw new Error(`Données inconnues`);
}
const payload = e.payload;
const payload = e.payload as MailPayload;
const template = templates[payload.template];
if(!template)

View File

@@ -0,0 +1,39 @@
import { lt } from "drizzle-orm";
import { emailValidationTable } from "~/db/schema";
import useDatabase from '~/composables/useDatabase';
interface ValidationPayload
{
type: 'validation'
id: string
timestamp: number
}
export default defineTask({
meta: {
name: 'validation',
description: 'Add email ID to DB',
},
async run(e) {
try {
if(e.payload.type !== 'validation')
{
throw new Error(`Données inconnues`);
}
const payload = e.payload as ValidationPayload;
const db = useDatabase();
db.delete(emailValidationTable).where(lt(emailValidationTable.timestamp, new Date())).run();
db.insert(emailValidationTable).values({ id: payload.id, timestamp: new Date(payload.timestamp) }).run();
return { result: true };
}
catch(e)
{
console.error(e);
return { result: false, error: e };
}
},
})