From f76135f00fcacdd174da41739b21b2b1e9f18e29 Mon Sep 17 00:00:00 2001
From: Evert <imsonotsleepy@gmail.com>
Date: Thu, 30 Nov 2017 23:26:41 +0200
Subject: [PATCH] Token expiry checking, limit amount of resets in a day

---
 server/api/admin.js |  4 ++--
 server/api/index.js | 19 ++++++++++++++++---
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/server/api/admin.js b/server/api/admin.js
index e2ec69a..79f8b80 100644
--- a/server/api/admin.js
+++ b/server/api/admin.js
@@ -84,7 +84,7 @@ const API = {
   getAllUsers: async function (page, adminId) {
     let count = await Models.User.query().count('id as ids')
     if (!count.length || !count[0]['ids'] || isNaN(page)) {
-      throw new Error('No users found')
+      return { error: 'No users found in database' }
     }
 
     count = count[0].ids
@@ -198,7 +198,7 @@ const API = {
   getAllBans: async function (page) {
     let count = await Models.Ban.query().count('id as ids')
     if (!count.length || !count[0]['ids'] || isNaN(page)) {
-      throw new Error('No bans on record')
+      return { error: 'No bans on record' }
     }
 
     count = count[0].ids
diff --git a/server/api/index.js b/server/api/index.js
index 3c29c76..d359ce2 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -252,11 +252,15 @@ const API = {
         let getToken = await models.Token.query().where('token', token).andWhere('type', 1)
         if (!getToken || !getToken.length) return false
 
-        let user = await API.User.get(getToken[0].user_id)
+        getToken = getToken[0]
+
+        if (getToken.expires_at && new Date(getToken.expires_at).getTime() < Date.now()) return false
+
+        let user = await API.User.get(getToken.user_id)
         if (!user) return false
 
         await models.User.query().patchAndFetchById(user.id, {activated: 1})
-        await models.Token.query().delete().where('id', getToken[0].id)
+        await models.Token.query().delete().where('id', getToken.id)
         return true
       },
       totpTokenRequired: async function (user) {
@@ -407,6 +411,11 @@ const API = {
         if (!user) throw new Error('This email address does not match any user in our database.')
         if (!user.password && passRequired) throw new Error('The user associated with this email address has used an external website to log in, thus the password cannot be reset.')
 
+        let recentTokens = await models.Token.query().where('user_id', user.id).andWhere('expires_at', '>', new Date()).andWhere('type', 2)
+        if (recentTokens.length >= 2) {
+          throw new Error('You\'ve made too many reset requests recently. Please slow down.')
+        }
+
         let resetToken = API.Hash(16)
         await models.Token.query().insert({
           expires_at: new Date(Date.now() + 86400000), // 1 day
@@ -438,7 +447,11 @@ const API = {
         let getToken = await models.Token.query().where('token', token).andWhere('type', 2)
         if (!getToken || !getToken.length) return null
 
-        let user = await API.User.get(getToken[0].user_id)
+        getToken = getToken[0]
+
+        if (getToken.expires_at && new Date(getToken.expires_at).getTime() < Date.now()) return null
+
+        let user = await API.User.get(getToken.user_id)
         if (!user) return null
 
         return user