You've already forked obsidian-visualiser
Password reset and new email validation ID stored in DB for more security
This commit is contained in:
78
server/api/users/[id]/reset-password.post.ts
Normal file
78
server/api/users/[id]/reset-password.post.ts
Normal file
@@ -0,0 +1,78 @@
|
||||
import { eq, getTableColumns, lte } from 'drizzle-orm';
|
||||
import { z } from 'zod';
|
||||
import useDatabase from '~/composables/useDatabase';
|
||||
import { emailValidationTable, usersTable } from '~/db/schema';
|
||||
|
||||
const querySchema = z.object({
|
||||
h: z.coerce.string(),
|
||||
i: z.coerce.string(),
|
||||
u: z.coerce.number(),
|
||||
t: z.coerce.number(),
|
||||
});
|
||||
|
||||
const bodySchema = z.object({
|
||||
password: z.string(),
|
||||
});
|
||||
|
||||
export default defineEventHandler(async (e) => {
|
||||
try
|
||||
{
|
||||
const query = await getValidatedQuery(e, querySchema.safeParse);
|
||||
|
||||
if(!query.success)
|
||||
throw query.error;
|
||||
|
||||
if(Bun.hash('2' + query.data.u.toString(), query.data.t).toString() !== query.data.h)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'Requete incorrecte',
|
||||
});
|
||||
}
|
||||
if(Date.now() > query.data.t + (60 * 60 * 1000))
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'La requete a expirée',
|
||||
});
|
||||
}
|
||||
|
||||
const body = await readValidatedBody(e, bodySchema.safeParse);
|
||||
|
||||
if(!body.success)
|
||||
throw body.error;
|
||||
|
||||
const db = useDatabase();
|
||||
db.delete(emailValidationTable).where(lte(emailValidationTable.timestamp, new Date())).run();
|
||||
const validate = db.select(getTableColumns(emailValidationTable)).from(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).get();
|
||||
|
||||
if(!validate || validate.timestamp <= new Date())
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'La requete a expirée',
|
||||
});
|
||||
}
|
||||
|
||||
db.delete(emailValidationTable).where(eq(emailValidationTable.id, query.data.i)).run();
|
||||
const result = db.select({ state: usersTable.state }).from(usersTable).where(eq(usersTable.id, query.data.u)).get();
|
||||
|
||||
if(result === undefined)
|
||||
{
|
||||
return createError({
|
||||
statusCode: 400,
|
||||
message: 'Aucune donnée utilisateur trouvée',
|
||||
});
|
||||
}
|
||||
|
||||
db.update(usersTable).set({ hash: await Bun.password.hash(body.data.password) }).where(eq(usersTable.id, query.data.u)).run();
|
||||
|
||||
return { success: true };
|
||||
}
|
||||
catch(err: any)
|
||||
{
|
||||
console.error(err);
|
||||
|
||||
return { success: false, error: err as Error };
|
||||
}
|
||||
});
|
||||
Reference in New Issue
Block a user