diff --git a/web/lib/auth.js b/web/lib/auth.js index 233a9c1..e9d51b5 100644 --- a/web/lib/auth.js +++ b/web/lib/auth.js @@ -84,7 +84,7 @@ export function* signup(email, password, ip) { const existingUser = yield Users.findOne({email: email, status: {'$ne': 'deleted'}}); if (existingUser) { debug('Email already in use.'); - return 'Email already in use.'; + throw new Error('Email already in use.'); } const cryptedPassword = yield passwords.crypt(password); var user = { @@ -151,7 +151,7 @@ Visit ${process.env.BASE_URL + '/forgot/' + token} to set a new one. ] }}); } else { - return 'There was an error looking up your email address.'; + throw new Error('There was an error looking up your email address.'); } } @@ -180,7 +180,7 @@ export function* validateResetToken() { export function* updatePassword(userId, password) { const Users = this.db.Users; const cryptedPassword = yield passwords.crypt(password); - yield Users.update({_id: userId}, {'$set': {'salted_password': cryptedPassword}}); + yield Users.updateOne({_id: userId}, {'$set': {'salted_password': cryptedPassword}}); } diff --git a/web/routes/user.js b/web/routes/user.js index 677bae7..bae1f1c 100644 --- a/web/routes/user.js +++ b/web/routes/user.js @@ -1,4 +1,6 @@ import { authenticate, setupSession, signup as signupUser, activateUser, sendResetToken, validateResetToken, updatePassword } from '../lib/auth'; +import debugname from 'debug'; +const debug = debugname('hostr-web:user'); export function* signin() { if (!this.request.body.email) { @@ -50,30 +52,22 @@ export function* signup() { export function* forgot() { const Reset = this.db.Reset; const Users = this.db.Users; - if (this.request.body) { - return yield this.render('forgot', {token: null, csrf: this.csrf}); - } const token = this.params.token; - this.assertCSRF(this.request.body); - if (this.request.body.email) { - var email = this.request.body.email; - yield sendResetToken.call(this, email); - this.statsd.incr('auth.reset.request', 1); - return yield this.render('forgot', {message: 'We\'ve sent an email with a link to reset your password. Be sure to check your spam folder if you it doesn\'t appear within a few minutes', token: null, csrf: this.csrf}); - } else if (token && this.request.body.password) { + if (this.request.body.password) { if (this.request.body.password.length < 7) { return yield this.render('forgot', {error: 'Password needs to be at least 7 characters long.', token: token, csrf: this.csrf}); } + this.assertCSRF(this.request.body); const tokenUser = yield validateResetToken.call(this, token); var userId = tokenUser._id; yield updatePassword.call(this, userId, this.request.body.password); - yield Reset.remove({_id: userId}); + yield Reset.deleteOne({_id: userId}); const user = yield Users.findOne({_id: userId}); yield setupSession.call(this, user); this.statsd.incr('auth.reset.success', 1); this.redirect('/'); - } else if (token.length) { + } else if (token) { const tokenUser = yield validateResetToken.call(this, token); if (!tokenUser) { this.statsd.incr('auth.reset.fail', 1); @@ -81,8 +75,18 @@ export function* forgot() { } else { return yield this.render('forgot', {token: token, csrf: this.csrf}); } + } else if (this.request.body.email) { + this.assertCSRF(this.request.body); + try { + var email = this.request.body.email; + yield sendResetToken.call(this, email); + this.statsd.incr('auth.reset.request', 1); + return yield this.render('forgot', {message: 'We\'ve sent an email with a link to reset your password. Be sure to check your spam folder if you it doesn\'t appear within a few minutes', token: null, csrf: this.csrf}); + } catch (error) { + debug(error); + } } else { - return yield this.render('forgot', {token: null, csrf: this.csrf}); + yield this.render('forgot', {token: null, csrf: this.csrf}); } }