espe/backend
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

[mod] password change: Anpassungen

Browse source
This commit is contained in:
roydfalk 2024-05-20 14:06:54 +02:00
parent 0ed5457e3e
commit d0d28cb445
2 changed files with 98 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
source/api/actions/member_password_change_execute.ts
View file

@ -13,7 +13,12 @@ namespace _espe.api
token : string;
password_new : string;
},
null
Array<
{
incident : string;
details : Record<string, any>;
}
>
>(
rest_subject,
lib_plankton.http.enum_method.patch,
@ -41,20 +46,53 @@ namespace _espe.api
]
}),
"output_schema": () => ({
"nullable": true
"nullable": false,
"type": "array",
"items": {
"nullable": false,
"type": "object",
"properties": {
"incident": {
"nullable": false,
"type": "string"
},
"details": {
"nullable": false,
"type": "object",
"properties": {},
"additionalProperties": {
"nullable": true
},
"required": []
},
},
"additionalProperties": false,
"required": [
"incident",
"details",
]
}
}),
"restriction": restriction_none,
"execution": async ({"path_parameters": path_parameters, "input": input}) => {
"execution": ({"path_parameters": path_parameters, "input": input}) => {
const member_id : _espe.type.member_id = parseInt(path_parameters["id"]);
await _espe.service.member.password_change_execute(
member_id,
input.token,
input.password_new
return (
_espe.service.member.password_change_execute(
member_id,
input.token,
input.password_new
)
.then(
flaws => Promise.resolve({
"status_code": (
(flaws.length <= 0)
? 200
: 409
),
"data": flaws
})
)
);
return Promise.resolve({
"status_code": 200,
"data": null
});
},
}
)

81
source/services/member.ts
View file

@ -573,7 +573,8 @@ namespace _espe.service.member
};
await _espe.repository.member.update(member_id, member_object_new);
// notify_change();
await _espe.helpers.email_send(
// do NOT wait in order to reduce information for potential attackers
/*await*/ _espe.helpers.email_send(
[
member_object_old.email_address_private,
],
@ -581,7 +582,7 @@ namespace _espe.service.member
lib_plankton.string.coin(
_espe.conf.get().settings.password_change.initialization_email.body,
{
"name": member_object_old.name_real_value,
"name": name_display(member_object_old),
"url": lib_plankton.string.coin(
"{{base}}{{rest}}",
{
@ -614,10 +615,15 @@ namespace _espe.service.member
member_id : _espe.type.member_id,
token : string,
password_new : string
) : Promise<void>
) : Promise<Array<{incident : string; details : Record<string, any>;}>>
{
const member_object_old : _espe.type.member_object = await _espe.repository.member.read(member_id);
if (! (token === member_object_old.password_change_token)) {
let flaws : Array<{incident : string; details : Record<string, any>;}> = [];
if (
(member_object_old.password_change_token === null)
||
(! (token === member_object_old.password_change_token))
) {
lib_plankton.log.notice(
"member_password_change_token_invalid",
{
@ -625,38 +631,49 @@ namespace _espe.service.member
"token_sent": token,
}
);
throw (new Error("password change token is invalid"));
flaws.push({"incident": "token_invalid", "details": {}});
}
else {
const member_object_new : _espe.type.member_object = {
"membership_number": member_object_old.membership_number,
"name_real_value": member_object_old.name_real_value,
"name_real_index": member_object_old.name_real_index,
"email_address_private": member_object_old.email_address_private,
"registered": member_object_old.registered,
"enabled": member_object_old.enabled,
"email_use_veiled_address": member_object_old.email_use_veiled_address,
"email_use_nominal_address": member_object_old.email_use_nominal_address,
"email_redirect_to_private_address": member_object_old.email_redirect_to_private_address,
"email_allow_sending": member_object_old.email_allow_sending,
"password_image": await password_image(password_new),
"password_change_last_attempt": member_object_old.password_change_last_attempt,
"password_change_token": null,
};
await _espe.repository.member.update(member_id, member_object_new);
notify_change();
await _espe.helpers.email_send(
[
member_object_old.email_address_private,
],
_espe.conf.get().settings.password_change.execution_email.subject,
lib_plankton.string.coin(
_espe.conf.get().settings.password_change.execution_email.body,
{
}
)
flaws = flaws.concat(
validate_password(password_new)
.map(flaw => ({"incident": ("password_" + flaw.incident), "details": flaw.details}))
);
if (flaws.length > 0) {
// do nothing
}
else {
const member_object_new : _espe.type.member_object = {
"membership_number": member_object_old.membership_number,
"name_real_value": member_object_old.name_real_value,
"name_real_index": member_object_old.name_real_index,
"email_address_private": member_object_old.email_address_private,
"registered": member_object_old.registered,
"enabled": member_object_old.enabled,
"email_use_veiled_address": member_object_old.email_use_veiled_address,
"email_use_nominal_address": member_object_old.email_use_nominal_address,
"email_redirect_to_private_address": member_object_old.email_redirect_to_private_address,
"email_allow_sending": member_object_old.email_allow_sending,
"password_image": await password_image(password_new),
"password_change_last_attempt": member_object_old.password_change_last_attempt,
"password_change_token": null,
};
await _espe.repository.member.update(member_id, member_object_new);
notify_change();
await _espe.helpers.email_send(
[
member_object_old.email_address_private,
],
_espe.conf.get().settings.password_change.execution_email.subject,
lib_plankton.string.coin(
_espe.conf.get().settings.password_change.execution_email.body,
{
"name": name_display(member_object_old),
}
)
);
}
}
return flaws;
}