Password reset and new email validation ID stored in DB for more security

This commit is contained in:
2024-12-17 17:51:12 +01:00
parent b24a083d2e
commit ec0afa9686
26 changed files with 1042 additions and 40 deletions

View File

@@ -0,0 +1,75 @@
import { and, count, eq } from 'drizzle-orm';
import { z } from 'zod';
import { usersTable } from '~/db/schema';
import { schema as registration } from '~/schemas/registration';
import useDatabase from '~/composables/useDatabase';
const schema = z.object({
newPassword: registration.shape.password,
oldPassword: registration.shape.password,
});
export default defineEventHandler(async (e) => {
try
{
const session = await getUserSession(e);
if(!session || !session.user || !session.user.id)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
const id = getRouterParam(e, 'id');
if(!id)
{
return createError({
statusCode: 403,
message: 'Forbidden',
});
}
if(session.user.id.toString() !== id)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
const body = await readValidatedBody(e, schema.safeParse);
if(!body.success)
throw body.error;
const db = useDatabase();
console.log(body.data.oldPassword, await Bun.password.hash(body.data.oldPassword));
const check = db.select({ hash: usersTable.hash }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
if(!check || !check.hash)
{
return createError({
statusCode: 401,
message: 'Unauthorized',
});
}
if(!await Bun.password.verify(body.data.oldPassword, check.hash))
{
return { success: false, error: "Ancien mot de passe incorrect" };
}
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.newPassword) }).where(eq(usersTable.id, session.user.id)).run();
return { success: true };
}
catch(err: any)
{
console.error(err);
return createError({
statusCode: 500,
});
}
});

View File

@@ -0,0 +1,78 @@
import { eq, getTableColumns, lte } from 'drizzle-orm';
import { z } from 'zod';
import useDatabase from '~/composables/useDatabase';
import { emailValidationTable, usersTable } from '~/db/schema';
const querySchema = z.object({
h: z.coerce.string(),
i: z.coerce.string(),
u: z.coerce.number(),
t: z.coerce.number(),
});
const bodySchema = z.object({
password: z.string(),
});
export default defineEventHandler(async (e) => {
try
{
const query = await getValidatedQuery(e, querySchema.safeParse);
if(!query.success)
throw query.error;
if(Bun.hash('2' + query.data.u.toString(), query.data.t).toString() !== query.data.h)
{
return createError({
statusCode: 400,
message: 'Requete incorrecte',
});
}
if(Date.now() > query.data.t + (60 * 60 * 1000))
{
return createError({
statusCode: 400,
message: 'La requete a expirée',
});
}
const body = await readValidatedBody(e, bodySchema.safeParse);
if(!body.success)
throw body.error;
const db = useDatabase();
db.delete(emailValidationTable).where(lte(emailValidationTable.timestamp, new Date())).run();
const validate = db.select(getTableColumns(emailValidationTable)).from(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).get();
if(!validate || validate.timestamp <= new Date())
{
return createError({
statusCode: 400,
message: 'La requete a expirée',
});
}
db.delete(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).run();
const result = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, query.data.u)).get();
if(result === undefined)
{
return createError({
statusCode: 400,
message: 'Aucune donnée utilisateur trouvée',
});
}
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.password) }).where(eq(usersTable.id, query.data.u)).run();
return { success: true };
}
catch(err: any)
{
console.error(err);
return { success: false, error: err as Error };
}
});

View File

@@ -1,3 +1,4 @@
import { hash } from "bun";
import { eq } from "drizzle-orm";
import useDatabase from "~/composables/useDatabase";
import { usersTable } from "~/db/schema";
@@ -31,7 +32,7 @@ export default defineEventHandler(async (e) => {
}
const db = useDatabase();
const data = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
const data = db.select({ id: usersTable.id, email: usersTable.email, username: usersTable.username, hash: usersTable.hash, state: usersTable.state }).from(usersTable).where(eq(usersTable.id, session.user.id)).get();
if(!data)
{
@@ -46,16 +47,25 @@ export default defineEventHandler(async (e) => {
return;
}
const emailId = hash('register' + data.id + data.hash, Date.now());
const timestamp = Date.now() + 1000 * 60 * 60;
await runTask('validation', {
payload: {
type: 'validation',
id: emailId, timestamp,
}
});
await runTask('mail', {
payload: {
type: 'mail',
to: [session.user.email],
template: 'registration', //@TODO
to: [data.email],
template: 'registration',
data: {
username: session.user.username,
timestamp: Date.now(),
id: session.user.id,
}
id: emailId, timestamp,
userId: id,
username: data.username,
},
}
});