first batch of requested changes

author: Puyodead1 <puyodead@protonmail.com> 2023-02-24 06:52:01 -0500
committer: Puyodead1 <puyodead@protonmail.com> 2023-02-24 06:52:01 -0500
commit: 91e9d6004066fcb533ae95d2789a1c1b3533d0ac (patch)
tree: 1d22cd75635af4159312537c0a309c605781dba3 /src/api
parent: don't return token on register if verification required (diff)
download: server-91e9d6004066fcb533ae95d2789a1c1b3533d0ac.tar.xz
2 files changed, 67 insertions, 44 deletions
diff --git a/src/api/routes/auth/reset.ts b/src/api/routes/auth/reset.ts
index 94053e1a..9ab25dca 100644
--- a/src/api/routes/auth/reset.ts
+++ b/src/api/routes/auth/reset.ts
@@ -10,7 +10,6 @@ import {
 } from "@fosscord/util";
 import bcrypt from "bcrypt";
 import { Request, Response, Router } from "express";
-import { HTTPError } from "lambert-server";
 
 const router = Router();
 
@@ -20,37 +19,37 @@ router.post(
 	async (req: Request, res: Response) => {
 		const { password, token } = req.body as PasswordResetSchema;
 
-		try {
-			const { jwtSecret } = Config.get().security;
-			const { user } = await checkToken(token, jwtSecret, true);
-
-			// the salt is saved in the password refer to bcrypt docs
-			const hash = await bcrypt.hash(password, 12);
+		const { jwtSecret } = Config.get().security;
 
-			const data = {
-				data: {
-					hash,
-					valid_tokens_since: new Date(),
+		let user;
+		try {
+			const userTokenData = await checkToken(token, jwtSecret, true);
+			user = userTokenData.user;
+		} catch {
+			throw FieldErrors({
+				password: {
+					message: req.t("auth:password_reset.INVALID_TOKEN"),
+					code: "INVALID_TOKEN",
 				},
-			};
-			await User.update({ id: user.id }, data);
-
-			// come on, the user has to have an email to reset their password in the first place
-			// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-			await Email.sendPasswordChanged(user, user.email!);
-
-			res.json({ token: await generateToken(user.id) });
-		} catch (e) {
-			if ((e as Error).toString() === "Invalid Token")
-				throw FieldErrors({
-					password: {
-						message: req.t("auth:password_reset.INVALID_TOKEN"),
-						code: "INVALID_TOKEN",
-					},
-				});
-
-			throw new HTTPError((e as Error).toString(), 400);
+			});
 		}
+
+		// the salt is saved in the password refer to bcrypt docs
+		const hash = await bcrypt.hash(password, 12);
+
+		const data = {
+			data: {
+				hash,
+				valid_tokens_since: new Date(),
+			},
+		};
+		await User.update({ id: user.id }, data);
+
+		// come on, the user has to have an email to reset their password in the first place
+		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+		await Email.sendPasswordChanged(user, user.email!);
+
+		res.json({ token: await generateToken(user.id) });
 	},
 );
 
diff --git a/src/api/routes/auth/verify/index.ts b/src/api/routes/auth/verify/index.ts
index 91ff9b93..cdbd371a 100644
--- a/src/api/routes/auth/verify/index.ts
+++ b/src/api/routes/auth/verify/index.ts
@@ -16,10 +16,15 @@
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
-import { route, verifyCaptcha } from "@fosscord/api";
-import { checkToken, Config, generateToken, User } from "@fosscord/util";
+import { getIpAdress, route, verifyCaptcha } from "@fosscord/api";
+import {
+	checkToken,
+	Config,
+	FieldErrors,
+	generateToken,
+	User,
+} from "@fosscord/util";
 import { Request, Response, Router } from "express";
-import { HTTPError } from "lambert-server";
 const router = Router();
 
 async function getToken(user: User) {
@@ -38,9 +43,21 @@ router.post(
 	async (req: Request, res: Response) => {
 		const { captcha_key, token } = req.body;
 
-		if (captcha_key) {
-			const { sitekey, service } = Config.get().security.captcha;
-			const verify = await verifyCaptcha(captcha_key);
+		const config = Config.get();
+
+		if (config.register.requireCaptcha) {
+			const { sitekey, service } = config.security.captcha;
+
+			if (!captcha_key) {
+				return res.status(400).json({
+					captcha_key: ["captcha-required"],
+					captcha_sitekey: sitekey,
+					captcha_service: service,
+				});
+			}
+
+			const ip = getIpAdress(req);
+			const verify = await verifyCaptcha(captcha_key, ip);
 			if (!verify.success) {
 				return res.status(400).json({
 					captcha_key: verify["error-codes"],
@@ -50,19 +67,26 @@ router.post(
 			}
 		}
 
-		try {
-			const { jwtSecret } = Config.get().security;
+		const { jwtSecret } = Config.get().security;
+		let user;
 
-			const { user } = await checkToken(token, jwtSecret, true);
+		try {
+			const userTokenData = await checkToken(token, jwtSecret, true);
+			user = userTokenData.user;
+		} catch {
+			throw FieldErrors({
+				password: {
+					message: req.t("auth:password_reset.INVALID_TOKEN"),
+					code: "INVALID_TOKEN",
+				},
+			});
+		}
 
-			if (user.verified) return res.json(await getToken(user));
+		if (user.verified) return res.json(await getToken(user));
 
-			await User.update({ id: user.id }, { verified: true });
+		await User.update({ id: user.id }, { verified: true });
 
-			return res.json(await getToken(user));
-		} catch (error) {
-			throw new HTTPError((error as Error).toString(), 400);
-		}
+		return res.json(await getToken(user));
 	},
 );
author	Puyodead1 <puyodead@protonmail.com>	2023-02-24 06:52:01 -0500
committer	Puyodead1 <puyodead@protonmail.com>	2023-02-24 06:52:01 -0500
commit	91e9d6004066fcb533ae95d2789a1c1b3533d0ac (patch)
tree	1d22cd75635af4159312537c0a309c605781dba3 /src/api
parent	don't return token on register if verification required (diff)
download	server-91e9d6004066fcb533ae95d2789a1c1b3533d0ac.tar.xz