Token expiry checking, limit amount of resets in a day

This commit is contained in:
Evert Prants 2017-11-30 23:26:41 +02:00
parent 6e13dce845
commit f76135f00f
Signed by: evert
GPG Key ID: 1688DA83D222D0B5
2 changed files with 18 additions and 5 deletions


@ -84,7 +84,7 @@ const API = {
getAllUsers: async function (page, adminId) {
let count = await Models.User.query().count('id as ids')
if (!count.length || !count[0]['ids'] || isNaN(page)) {
throw new Error('No users found')
return { error: 'No users found in database' }
}
count = count[0].ids
@ -198,7 +198,7 @@ const API = {
getAllBans: async function (page) {
let count = await Models.Ban.query().count('id as ids')
if (!count.length || !count[0]['ids'] || isNaN(page)) {
throw new Error('No bans on record')
return { error: 'No bans on record' }
}
count = count[0].ids
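Review bot: The new `throw new Error('No users found')` also fires when `isNaN(page)` is true, so a malformed page number is reported to the caller as an empty user table; split the guard so the two cases are distinguishable, e.g. `if (isNaN(page)) throw new Error('Invalid page number')` ahead of the count check. The `return { error: ... }` on the following line reads as the replaced line; if it does survive in the new code it is unreachable after the throw and should be dropped. The getAllBans hunk below has the same shape with `'No bans on record'` and the same `isNaN(page)` conflation. Both getAllUsers and getAllBans continue outside their hunks.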


@ -252,11 +252,15 @@ const API = {
let getToken = await models.Token.query().where('token', token).andWhere('type', 1)
if (!getToken || !getToken.length) return false
let user = await API.User.get(getToken[0].user_id)
getToken = getToken[0]
if (getToken.expires_at && new Date(getToken.expires_at).getTime() < Date.now()) return false
let user = await API.User.get(getToken.user_id)
if (!user) return false
await models.User.query().patchAndFetchById(user.id, {activated: 1})
await models.Token.query().delete().where('id', getToken[0].id)
await models.Token.query().delete().where('id', getToken.id)
return true
},
totpTokenRequired: async function (user) {
@ -407,6 +411,11 @@ const API = {
if (!user) throw new Error('This email address does not match any user in our database.')
if (!user.password && passRequired) throw new Error('The user associated with this email address has used an external website to log in, thus the password cannot be reset.')
let recentTokens = await models.Token.query().where('user_id', user.id).andWhere('expires_at', '>', new Date()).andWhere('type', 2)
if (recentTokens.length >= 2) {
throw new Error('You\'ve made too many reset requests recently. Please slow down.')
}
let resetToken = API.Hash(16)
await models.Token.query().insert({
expires_at: new Date(Date.now() + 86400000), // 1 day
@ -438,7 +447,11 @@ const API = {
let getToken = await models.Token.query().where('token', token).andWhere('type', 2)
if (!getToken || !getToken.length) return null
let user = await API.User.get(getToken[0].user_id)
getToken = getToken[0]
if (getToken.expires_at && new Date(getToken.expires_at).getTime() < Date.now()) return null
let user = await API.User.get(getToken.user_id)
if (!user) return null
return user
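Review bot: The reset cap in the hunk at @ -407 (`if (recentTokens.length >= 2)`) is a check-then-insert with no transaction around it, so two requests arriving together can both pass the read and both insert, and because it is keyed only on `user_id` a couple of requests from anyone who knows the address is enough to stop the real owner from resetting for a day; consider keying the cap on the requester as well, or keeping the newest token and invalidating the earlier ones instead of refusing outright. That query also appears to load whole token rows just to count them; `.count('id as ids')` as used in getAllUsers, or at least `.select('id')`, would do. The literals 2 and 86400000 deserve names, e.g. `const MAX_ACTIVE_RESET_TOKENS = 2` and `const RESET_TOKEN_TTL_MS = 86400000`, and the two new expiry guards in the hunks at @ -252 and @ -438 return without deleting the stale row, so expired tokens accumulate until something else removes them. The enclosing functions start outside their hunks, and the last hunk on this page runs past the visible lines.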