You've already forked obsidian-visualiser
Password reset and new email validation ID stored in DB for more security
This commit is contained in:
75
server/api/users/[id]/change-password.post.ts
Normal file
75
server/api/users/[id]/change-password.post.ts
Normal file
@@ -0,0 +1,75 @@
|
||||
import { and, count, eq } from 'drizzle-orm';
|
||||
import { z } from 'zod';
|
||||
import { usersTable } from '~/db/schema';
|
||||
import { schema as registration } from '~/schemas/registration';
|
||||
import useDatabase from '~/composables/useDatabase';
|
||||
|
||||
const schema = z.object({
|
||||
newPassword: registration.shape.password,
|
||||
oldPassword: registration.shape.password,
|
||||
});
|
||||
|
||||
export default defineEventHandler(async (e) => {
|
||||
try
|
||||
{
|
||||
const session = await getUserSession(e);
|
||||
|
||||
if(!session || !session.user || !session.user.id)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 401,
|
||||
message: 'Unauthorized',
|
||||
});
|
||||
}
|
||||
|
||||
const id = getRouterParam(e, 'id');
|
||||
|
||||
if(!id)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 403,
|
||||
message: 'Forbidden',
|
||||
});
|
||||
}
|
||||
if(session.user.id.toString() !== id)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 401,
|
||||
message: 'Unauthorized',
|
||||
});
|
||||
}
|
||||
|
||||
const body = await readValidatedBody(e, schema.safeParse);
|
||||
|
||||
if(!body.success)
|
||||
throw body.error;
|
||||
|
||||
const db = useDatabase();
|
||||
console.log(body.data.oldPassword, await Bun.password.hash(body.data.oldPassword));
|
||||
const check = db.select({ hash: usersTable.hash }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
|
||||
|
||||
if(!check || !check.hash)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 401,
|
||||
message: 'Unauthorized',
|
||||
});
|
||||
}
|
||||
if(!await Bun.password.verify(body.data.oldPassword, check.hash))
|
||||
{
|
||||
return { success: false, error: "Ancien mot de passe incorrect" };
|
||||
}
|
||||
|
||||
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.newPassword) }).where(eq(usersTable.id, session.user.id)).run();
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
catch(err: any)
|
||||
{
|
||||
console.error(err);
|
||||
|
||||
return createError({
|
||||
statusCode: 500,
|
||||
});
|
||||
}
|
||||
});
|
||||
78
server/api/users/[id]/reset-password.post.ts
Normal file
78
server/api/users/[id]/reset-password.post.ts
Normal file
@@ -0,0 +1,78 @@
|
||||
import { eq, getTableColumns, lte } from 'drizzle-orm';
|
||||
import { z } from 'zod';
|
||||
import useDatabase from '~/composables/useDatabase';
|
||||
import { emailValidationTable, usersTable } from '~/db/schema';
|
||||
|
||||
const querySchema = z.object({
|
||||
h: z.coerce.string(),
|
||||
i: z.coerce.string(),
|
||||
u: z.coerce.number(),
|
||||
t: z.coerce.number(),
|
||||
});
|
||||
|
||||
const bodySchema = z.object({
|
||||
password: z.string(),
|
||||
});
|
||||
|
||||
export default defineEventHandler(async (e) => {
|
||||
try
|
||||
{
|
||||
const query = await getValidatedQuery(e, querySchema.safeParse);
|
||||
|
||||
if(!query.success)
|
||||
throw query.error;
|
||||
|
||||
if(Bun.hash('2' + query.data.u.toString(), query.data.t).toString() !== query.data.h)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'Requete incorrecte',
|
||||
});
|
||||
}
|
||||
if(Date.now() > query.data.t + (60 * 60 * 1000))
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'La requete a expirée',
|
||||
});
|
||||
}
|
||||
|
||||
const body = await readValidatedBody(e, bodySchema.safeParse);
|
||||
|
||||
if(!body.success)
|
||||
throw body.error;
|
||||
|
||||
const db = useDatabase();
|
||||
db.delete(emailValidationTable).where(lte(emailValidationTable.timestamp, new Date())).run();
|
||||
const validate = db.select(getTableColumns(emailValidationTable)).from(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).get();
|
||||
|
||||
if(!validate || validate.timestamp <= new Date())
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'La requete a expirée',
|
||||
});
|
||||
}
|
||||
|
||||
db.delete(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).run();
|
||||
const result = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, query.data.u)).get();
|
||||
|
||||
if(result === undefined)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'Aucune donnée utilisateur trouvée',
|
||||
});
|
||||
}
|
||||
|
||||
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.password) }).where(eq(usersTable.id, query.data.u)).run();
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
catch(err: any)
|
||||
{
|
||||
console.error(err);
|
||||
|
||||
return { success: false, error: err as Error };
|
||||
}
|
||||
});
|
||||
@@ -1,3 +1,4 @@
|
||||
import { hash } from "bun";
|
||||
import { eq } from "drizzle-orm";
|
||||
import useDatabase from "~/composables/useDatabase";
|
||||
import { usersTable } from "~/db/schema";
|
||||
@@ -31,7 +32,7 @@ export default defineEventHandler(async (e) => {
|
||||
}
|
||||
|
||||
const db = useDatabase();
|
||||
const data = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
|
||||
const data = db.select({ id: usersTable.id, email: usersTable.email, username: usersTable.username, hash: usersTable.hash, state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
|
||||
|
||||
if(!data)
|
||||
{
|
||||
@@ -46,16 +47,25 @@ export default defineEventHandler(async (e) => {
|
||||
return;
|
||||
}
|
||||
|
||||
const emailId = hash('register' + data.id + data.hash, Date.now());
|
||||
const timestamp = Date.now() + 1000 * 60 * 60;
|
||||
|
||||
await runTask('validation', {
|
||||
payload: {
|
||||
type: 'validation',
|
||||
id: emailId, timestamp,
|
||||
}
|
||||
});
|
||||
await runTask('mail', {
|
||||
payload: {
|
||||
type: 'mail',
|
||||
to: [session.user.email],
|
||||
template: 'registration', //@TODO
|
||||
to: [data.email],
|
||||
template: 'registration',
|
||||
data: {
|
||||
username: session.user.username,
|
||||
timestamp: Date.now(),
|
||||
id: session.user.id,
|
||||
}
|
||||
id: emailId, timestamp,
|
||||
userId: id,
|
||||
username: data.username,
|
||||
},
|
||||
}
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user