Password reset and new email validation ID stored in DB for more security

This commit is contained in:
2024-12-17 17:51:12 +01:00
parent b24a083d2e
commit ec0afa9686
26 changed files with 1042 additions and 40 deletions

View File

@@ -71,18 +71,27 @@ export default defineEventHandler(async (e): Promise<Return> => {
db.insert(usersDataTable).values({ id: sql.placeholder('id') }).prepare().run({ id: id.id });
logSession(e, await setUserSession(e, { user: { id: id.id, username: body.data.username, email: body.data.email, state: 0, signin: new Date(), permissions: [] } }) as UserSessionRequired);
logSession(e, await setUserSession(e, { user: { id: id.id, username: body.data.username, email: body.data.email, state: 0, signin: new Date(), permissions: [], lastTimestamp: new Date(), logCount: 1 } }) as UserSessionRequired);
const emailId = Bun.hash('register' + id.id + hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id: emailId, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
to: [body.data.email],
template: 'registration',
data: {
id: emailId, timestamp,
userId: id,
username: body.data.username,
timestamp: Date.now(),
id: id.id,
}
},
}
});

View File

@@ -0,0 +1,55 @@
import { hash } from 'bun';
import { eq, or } from 'drizzle-orm';
import { z } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { usersTable } from '~/db/schema';
const schema = z.object({
profile: z.string(),
});
export default defineEventHandler(async (e) => {
try
{
const db = useDatabase();
const body = await readValidatedBody(e, schema.safeParse);
if (!body.success)
{
setResponseStatus(e, 406);
return { success: false, error: body.error };
}
const result = db.select({ id: usersTable.id, email: usersTable.email, username: usersTable.username, hash: usersTable.hash }).from(usersTable).where(or(eq(usersTable.email, body.data.profile), eq(usersTable.username, body.data.profile))).get();
if(result && result.id)
{
const id = hash('reset' + result.id + result.hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
data: {
id, timestamp,
userId: result.id,
username: result.username,
},
template: 'reset-password',
to: [result.email],
}
});
}
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -0,0 +1,99 @@
import { count, eq, sql } from 'drizzle-orm';
import { ZodError, type ZodIssue } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { usersDataTable, usersTable } from '~/db/schema';
import { schema } from '~/schemas/registration';
import { checkSession, logSession } from '~/server/utils/user';
import type { UserSession, UserSessionRequired } from '~/types/auth';
interface SuccessHandler
{
success: true;
session: UserSession;
}
interface ErrorHandler
{
success: false;
error: Error | ZodError<{
username: string;
email: string;
password: string;
}>;
}
type Return = SuccessHandler | ErrorHandler;
export default defineEventHandler(async (e): Promise<Return> => {
try
{
const session = await getUserSession(e);
const db = useDatabase();
const checkedSession = await checkSession(e, session);
if(checkedSession !== undefined)
return checkedSession;
const body = await readValidatedBody(e, schema.safeParse);
if (!body.success)
{
await clearUserSession(e);
setResponseStatus(e, 406);
return { success: false, error: body.error };
}
const checkUsername = db.select({ count: count() }).from(usersTable).where(eq(usersTable.username, sql.placeholder('username'))).prepare().get({ username: body.data.username });
const checkEmail = db.select({ count: count() }).from(usersTable).where(eq(usersTable.email, sql.placeholder('email'))).prepare().get({ email: body.data.email });
const errors: ZodIssue[] = [];
if(!checkUsername || checkUsername.count !== 0)
errors.push({ code: 'custom', path: ['username'], message: "Ce nom d'utilisateur est déjà utilisé" });
if(!checkEmail || checkEmail.count !== 0)
errors.push({ code: 'custom', path: ['email'], message: "Cette adresse mail est déjà utilisée" });
if(errors.length > 0)
{
setResponseStatus(e, 406);
return { success: false, error: new ZodError(errors) };
}
else
{
const hash = await Bun.password.hash(body.data.password);
db.insert(usersTable).values({ username: sql.placeholder('username'), email: sql.placeholder('email'), hash: sql.placeholder('hash'), state: sql.placeholder('state') }).prepare().run({ username: body.data.username, email: body.data.email, hash, state: 0 });
const id = db.select({ id: usersTable.id }).from(usersTable).where(eq(usersTable.username, sql.placeholder('username'))).prepare().get({ username: body.data.username });
if(!id || !id.id)
{
setResponseStatus(e, 406);
return { success: false, error: new Error('Erreur de création de compte') };
}
db.insert(usersDataTable).values({ id: sql.placeholder('id') }).prepare().run({ id: id.id });
logSession(e, await setUserSession(e, { user: { id: id.id, username: body.data.username, email: body.data.email, state: 0, signin: new Date(), permissions: [], lastTimestamp: new Date(), logCount: 1 } }) as UserSessionRequired);
await runTask('mail', {
payload: {
type: 'mail',
to: [body.data.email],
template: 'registration',
data: {
username: body.data.username,
timestamp: Date.now(),
id: id.id,
}
}
});
setResponseStatus(e, 201);
return { success: true, session };
}
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -0,0 +1,75 @@
import { and, count, eq } from 'drizzle-orm';
import { z } from 'zod';
import { usersTable } from '~/db/schema';
import { schema as registration } from '~/schemas/registration';
import useDatabase from '~/composables/useDatabase';
const schema = z.object({
newPassword: registration.shape.password,
oldPassword: registration.shape.password,
});
export default defineEventHandler(async (e) => {
try
{
const session = await getUserSession(e);
if(!session || !session.user || !session.user.id)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
const id = getRouterParam(e, 'id');
if(!id)
{
return createError({
statusCode: 403,
message: 'Forbidden',
});
}
if(session.user.id.toString() !== id)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
const body = await readValidatedBody(e, schema.safeParse);
if(!body.success)
throw body.error;
const db = useDatabase();
console.log(body.data.oldPassword, await Bun.password.hash(body.data.oldPassword));
const check = db.select({ hash: usersTable.hash }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
if(!check || !check.hash)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
if(!await Bun.password.verify(body.data.oldPassword, check.hash))
{
return { success: false, error: "Ancien mot de passe incorrect" };
}
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.newPassword) }).where(eq(usersTable.id, session.user.id)).run();
return { success: true };
}
catch(err: any)
{
console.error(err);
return createError({
statusCode: 500,
});
}
});

View File

@@ -0,0 +1,78 @@
import { eq, getTableColumns, lte } from 'drizzle-orm';
import { z } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { emailValidationTable, usersTable } from '~/db/schema';
const querySchema = z.object({
h: z.coerce.string(),
i: z.coerce.string(),
u: z.coerce.number(),
t: z.coerce.number(),
});
const bodySchema = z.object({
password: z.string(),
});
export default defineEventHandler(async (e) => {
try
{
const query = await getValidatedQuery(e, querySchema.safeParse);
if(!query.success)
throw query.error;
if(Bun.hash('2' + query.data.u.toString(), query.data.t).toString() !== query.data.h)
{
return createError({
statusCode: 400,
message: 'Requete incorrecte',
});
}
if(Date.now() > query.data.t + (60 * 60 * 1000))
{
return createError({
statusCode: 400,
message: 'La requete a expirée',
});
}
const body = await readValidatedBody(e, bodySchema.safeParse);
if(!body.success)
throw body.error;
const db = useDatabase();
db.delete(emailValidationTable).where(lte(emailValidationTable.timestamp, new Date())).run();
const validate = db.select(getTableColumns(emailValidationTable)).from(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).get();
if(!validate || validate.timestamp <= new Date())
{
return createError({
statusCode: 400,
message: 'La requete a expirée',
});
}
db.delete(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).run();
const result = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, query.data.u)).get();
if(result === undefined)
{
return createError({
statusCode: 400,
message: 'Aucune donnée utilisateur trouvée',
});
}
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.password) }).where(eq(usersTable.id, query.data.u)).run();
return { success: true };
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -1,3 +1,4 @@
import { hash } from "bun";
import { eq } from "drizzle-orm";
import useDatabase from "~/composables/useDatabase";
import { usersTable } from "~/db/schema";
@@ -31,7 +32,7 @@ export default defineEventHandler(async (e) => {
}
const db = useDatabase();
const data = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
const data = db.select({ id: usersTable.id, email: usersTable.email, username: usersTable.username, hash: usersTable.hash, state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
if(!data)
{
@@ -46,16 +47,25 @@ export default defineEventHandler(async (e) => {
return;
}
const emailId = hash('register' + data.id + data.hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id: emailId, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
to: [session.user.email],
template: 'registration', //@TODO
to: [data.email],
template: 'registration',
data: {
username: session.user.username,
timestamp: Date.now(),
id: session.user.id,
}
id: emailId, timestamp,
userId: id,
username: data.username,
},
}
});