Merge pull request #1193 from DEVTomatoCake/fix/forgot-password-security

2024-11-05 10:22:31 +01:00 · 2024-08-22 09:51:00 +10:00 · 2024-08-22 09:51:00 +10:00 · b63f285fc1
commit b63f285fc1
parent 4f19ee19bb 98c1b93133
1 changed files with 13 additions and 53 deletions
--- a/src/api/routes/auth/forgot.ts
+++ b/src/api/routes/auth/forgot.ts
@ -1,31 +1,24 @@
 /*
 	Spacebar: A FOSS re-implementation and extension of the Discord.com backend.
 	Copyright (C) 2023 Spacebar and Spacebar Contributors
-	
+
 	This program is free software: you can redistribute it and/or modify
 	it under the terms of the GNU Affero General Public License as published
 	by the Free Software Foundation, either version 3 of the License, or
 	(at your option) any later version.
-	
+
 	This program is distributed in the hope that it will be useful,
 	but WITHOUT ANY WARRANTY; without even the implied warranty of
 	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 	GNU Affero General Public License for more details.
-	
+
 	You should have received a copy of the GNU Affero General Public License
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

 import { getIpAdress, route, verifyCaptcha } from "@spacebar/api";
-import {
-	Config,
-	Email,
-	FieldErrors,
-	ForgotPasswordSchema,
-	User,
-} from "@spacebar/util";
+import { Config, Email, ForgotPasswordSchema, User } from "@spacebar/util";
 import { Request, Response, Router } from "express";
-import { HTTPError } from "lambert-server";
 const router = Router();

 router.post(
@ -37,9 +30,6 @@ router.post(
 			400: {
 				body: "APIErrorOrCaptchaResponse",
 			},
-			500: {
-				body: "APIErrorResponse",
-			},
 		},
 	}),
 	async (req: Request, res: Response) => {
@ -71,50 +61,20 @@ router.post(
 			}
 		}

-		const user = await User.findOneOrFail({
+		res.sendStatus(204);
+
+		const user = await User.findOne({
 			where: [{ phone: login }, { email: login }],
-			select: ["username", "id", "disabled", "deleted", "email"],
-			relations: ["security_keys"],
-		}).catch(() => {
-			throw FieldErrors({
-				login: {
-					message: req.t("auth:password_reset.EMAIL_DOES_NOT_EXIST"),
-					code: "EMAIL_DOES_NOT_EXIST",
-				},
-			});
-		});
+			select: ["username", "id", "email"],
+		}).catch(() => {});

-		if (!user.email)
-			throw FieldErrors({
-				login: {
-					message:
-						"This account does not have an email address associated with it.",
-					code: "NO_EMAIL",
-				},
-			});
-
-		if (user.deleted)
-			return res.status(400).json({
-				message: "This account is scheduled for deletion.",
-				code: 20011,
-			});
-
-		if (user.disabled)
-			return res.status(400).json({
-				message: req.t("auth:login.ACCOUNT_DISABLED"),
-				code: 20013,
-			});
-
-		return await Email.sendResetPassword(user, user.email)
-			.then(() => {
-				return res.sendStatus(204);
-			})
-			.catch((e) => {
+		if (user && user.email) {
+			Email.sendResetPassword(user, user.email).catch((e) => {
 				console.error(
-					`Failed to send password reset email to ${user.username}#${user.discriminator}: ${e}`,
+					`Failed to send password reset email to ${user.username}#${user.discriminator} (${user.id}): ${e}`,
 				);
-				throw new HTTPError("Failed to send password reset email", 500);
 			});
+		}
 	},
 );