mirror of
https://github.com/spacebarchat/server.git
synced 2024-09-20 01:31:34 +02:00
Email verification works
- Added /auth/verify to authenticated route whitelist - Updated /auth/verify to properly mark a user as verified, return a response, and fix expiration time check - Implemented /auth/verify/resend - Moved verification email sending to a helper method - Fixed VerifyEmailSchema requiring captcha_key
This commit is contained in:
parent
cc6bf066b1
commit
a47d80b255
@ -16,10 +16,10 @@
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { HTTPError } from "lambert-server";
|
||||
import { checkToken, Config, Rights } from "@fosscord/util";
|
||||
import * as Sentry from "@sentry/node";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { HTTPError } from "lambert-server";
|
||||
|
||||
export const NO_AUTHORIZATION_ROUTES = [
|
||||
// Authentication routes
|
||||
@ -28,6 +28,7 @@ export const NO_AUTHORIZATION_ROUTES = [
|
||||
"/auth/location-metadata",
|
||||
"/auth/mfa/totp",
|
||||
"/auth/mfa/webauthn",
|
||||
"/auth/verify",
|
||||
// Routes with a seperate auth system
|
||||
"/webhooks/",
|
||||
// Public information endpoints
|
||||
|
@ -17,7 +17,11 @@
|
||||
*/
|
||||
|
||||
import { route, verifyCaptcha } from "@fosscord/api";
|
||||
import { Config, FieldErrors, verifyToken } from "@fosscord/util";
|
||||
import {
|
||||
Config,
|
||||
FieldErrors,
|
||||
verifyTokenEmailVerification,
|
||||
} from "@fosscord/util";
|
||||
import { Request, Response, Router } from "express";
|
||||
import { HTTPError } from "lambert-server";
|
||||
const router = Router();
|
||||
@ -43,9 +47,13 @@ router.post(
|
||||
try {
|
||||
const { jwtSecret } = Config.get().security;
|
||||
|
||||
const { decoded, user } = await verifyToken(token, jwtSecret);
|
||||
const { decoded, user } = await verifyTokenEmailVerification(
|
||||
token,
|
||||
jwtSecret,
|
||||
);
|
||||
|
||||
// toksn should last for 24 hours from the time they were issued
|
||||
if (decoded.exp < Date.now() / 1000) {
|
||||
if (new Date().getTime() > decoded.iat * 1000 + 86400 * 1000) {
|
||||
throw FieldErrors({
|
||||
token: {
|
||||
code: "TOKEN_INVALID",
|
||||
@ -53,7 +61,16 @@ router.post(
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
if (user.verified) return res.send(user);
|
||||
|
||||
// verify email
|
||||
user.verified = true;
|
||||
await user.save();
|
||||
|
||||
// TODO: invalidate token after use?
|
||||
|
||||
return res.send(user);
|
||||
} catch (error: any) {
|
||||
throw new HTTPError(error?.toString(), 400);
|
||||
}
|
||||
|
49
src/api/routes/auth/verify/resend.ts
Normal file
49
src/api/routes/auth/verify/resend.ts
Normal file
@ -0,0 +1,49 @@
|
||||
/*
|
||||
Fosscord: A FOSS re-implementation and extension of the Discord.com backend.
|
||||
Copyright (C) 2023 Fosscord and Fosscord Contributors
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as published
|
||||
by the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
import { route } from "@fosscord/api";
|
||||
import { Email, User } from "@fosscord/util";
|
||||
import { Request, Response, Router } from "express";
|
||||
import { HTTPError } from "lambert-server";
|
||||
const router = Router();
|
||||
|
||||
router.post("/", route({}), async (req: Request, res: Response) => {
|
||||
const user = await User.findOneOrFail({
|
||||
where: { id: req.user_id },
|
||||
select: ["email"],
|
||||
});
|
||||
|
||||
if (!user.email) {
|
||||
// TODO: whats the proper error response for this?
|
||||
throw new HTTPError("User does not have an email address", 400);
|
||||
}
|
||||
|
||||
await Email.sendVerificationEmail(req.user_id, user.email)
|
||||
.then((info) => {
|
||||
console.log("Message sent: %s", info.messageId);
|
||||
return res.sendStatus(204);
|
||||
})
|
||||
.catch((e) => {
|
||||
console.error(
|
||||
`Failed to send verification email to ${user.username}#${user.discriminator}: ${e}`,
|
||||
);
|
||||
throw new HTTPError("Failed to send verification email", 500);
|
||||
});
|
||||
});
|
||||
|
||||
export default router;
|
@ -383,28 +383,17 @@ export class User extends BaseClass {
|
||||
|
||||
user.validate();
|
||||
await Promise.all([user.save(), settings.save()]);
|
||||
// send verification email
|
||||
if (Email.transporter && email) {
|
||||
const token = (await generateToken(user.id, email)) as string;
|
||||
const link = `http://localhost:3001/verify#token=${token}`;
|
||||
const message = {
|
||||
from:
|
||||
Config.get().general.correspondenceEmail ||
|
||||
"noreply@localhost",
|
||||
to: email,
|
||||
subject: `Verify Email Address for ${
|
||||
Config.get().general.instanceName
|
||||
}`,
|
||||
html: `Please verify your email address by clicking the following link: <a href="${link}">Verify Email</a>`,
|
||||
};
|
||||
|
||||
await Email.transporter
|
||||
.sendMail(message)
|
||||
// send verification email if users aren't verified by default and we have an email
|
||||
if (!Config.get().defaults.user.verified && email) {
|
||||
await Email.sendVerificationEmail(user.id, email)
|
||||
.then((info) => {
|
||||
console.log("Message sent: %s", info.messageId);
|
||||
})
|
||||
.catch((e) => {
|
||||
console.error(`Failed to send email to ${email}: ${e}`);
|
||||
console.error(
|
||||
`Failed to send verification email to ${user.username}#${user.discriminator}: ${e}`,
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -17,6 +17,6 @@
|
||||
*/
|
||||
|
||||
export interface VerifyEmailSchema {
|
||||
captcha_key: string | null;
|
||||
captcha_key?: string | null;
|
||||
token: string;
|
||||
}
|
||||
|
@ -16,6 +16,10 @@
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
import nodemailer, { Transporter } from "nodemailer";
|
||||
import { Config } from "./Config";
|
||||
import { generateToken } from "./Token";
|
||||
|
||||
export const EMAIL_REGEX =
|
||||
/^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
|
||||
|
||||
@ -47,6 +51,7 @@ export function adjustEmail(email?: string): string | undefined {
|
||||
export const Email: {
|
||||
transporter: Transporter | null;
|
||||
init: () => Promise<void>;
|
||||
sendVerificationEmail: (id: string, email: string) => Promise<any>;
|
||||
} = {
|
||||
transporter: null,
|
||||
init: async function () {
|
||||
@ -73,4 +78,25 @@ export const Email: {
|
||||
console.log(`[SMTP] Ready`);
|
||||
});
|
||||
},
|
||||
sendVerificationEmail: async function (
|
||||
id: string,
|
||||
email: string,
|
||||
): Promise<any> {
|
||||
if (!this.transporter) return;
|
||||
const token = (await generateToken(id, email)) as string;
|
||||
const instanceUrl =
|
||||
Config.get().general.frontPage || "http://localhost:3001";
|
||||
const link = `${instanceUrl}/verify#token=${token}`;
|
||||
const message = {
|
||||
from:
|
||||
Config.get().general.correspondenceEmail || "noreply@localhost",
|
||||
to: email,
|
||||
subject: `Verify Email Address for ${
|
||||
Config.get().general.instanceName
|
||||
}`,
|
||||
html: `Please verify your email address by clicking the following link: <a href="${link}">Verify Email</a>`,
|
||||
};
|
||||
|
||||
return this.transporter.sendMail(message);
|
||||
},
|
||||
};
|
||||
|
@ -72,6 +72,30 @@ export function checkToken(
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Puyodead1 (1/19/2023): I made a copy of this function because I didn't want to break anything with the other one.
|
||||
* this version of the function doesn't use select, so we can update the user. with select causes constraint errors.
|
||||
*/
|
||||
export function verifyTokenEmailVerification(
|
||||
token: string,
|
||||
jwtSecret: string,
|
||||
): Promise<{ decoded: any; user: User }> {
|
||||
return new Promise((res, rej) => {
|
||||
jwt.verify(token, jwtSecret, JWTOptions, async (err, decoded: any) => {
|
||||
if (err || !decoded) return rej("Invalid Token");
|
||||
|
||||
const user = await User.findOne({
|
||||
where: { id: decoded.id },
|
||||
});
|
||||
if (!user) return rej("Invalid Token");
|
||||
if (user.disabled) return rej("User disabled");
|
||||
if (user.deleted) return rej("User not found");
|
||||
|
||||
return res({ decoded, user });
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
export function verifyToken(
|
||||
token: string,
|
||||
jwtSecret: string,
|
||||
|
Loading…
Reference in New Issue
Block a user