diff options
author | Puyodead1 <puyodead@proton.me> | 2023-01-19 11:15:12 -0500 |
---|---|---|
committer | Puyodead1 <puyodead@protonmail.com> | 2023-02-23 21:35:51 -0500 |
commit | a47d80b255f1501e39bebd7ad7e80119c8ed1697 (patch) | |
tree | eca3d1ff4a837efb8dfcc1571279c2f72f529e99 /src | |
parent | add missing copyright headers (diff) | |
download | server-a47d80b255f1501e39bebd7ad7e80119c8ed1697.tar.xz |
Email verification works
- Added /auth/verify to authenticated route whitelist - Updated /auth/verify to properly mark a user as verified, return a response, and fix expiration time check - Implemented /auth/verify/resend - Moved verification email sending to a helper method - Fixed VerifyEmailSchema requiring captcha_key
Diffstat (limited to 'src')
-rw-r--r-- | src/api/middlewares/Authentication.ts | 5 | ||||
-rw-r--r-- | src/api/routes/auth/verify/index.ts | 23 | ||||
-rw-r--r-- | src/api/routes/auth/verify/resend.ts | 49 | ||||
-rw-r--r-- | src/util/entities/User.ts | 25 | ||||
-rw-r--r-- | src/util/schemas/VerifyEmailSchema.ts | 2 | ||||
-rw-r--r-- | src/util/util/Email.ts | 26 | ||||
-rw-r--r-- | src/util/util/Token.ts | 24 |
7 files changed, 130 insertions, 24 deletions
diff --git a/src/api/middlewares/Authentication.ts b/src/api/middlewares/Authentication.ts index ea0aa312..f4c33963 100644 --- a/src/api/middlewares/Authentication.ts +++ b/src/api/middlewares/Authentication.ts @@ -16,10 +16,10 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */ -import { NextFunction, Request, Response } from "express"; -import { HTTPError } from "lambert-server"; import { checkToken, Config, Rights } from "@fosscord/util"; import * as Sentry from "@sentry/node"; +import { NextFunction, Request, Response } from "express"; +import { HTTPError } from "lambert-server"; export const NO_AUTHORIZATION_ROUTES = [ // Authentication routes @@ -28,6 +28,7 @@ export const NO_AUTHORIZATION_ROUTES = [ "/auth/location-metadata", "/auth/mfa/totp", "/auth/mfa/webauthn", + "/auth/verify", // Routes with a seperate auth system "/webhooks/", // Public information endpoints diff --git a/src/api/routes/auth/verify/index.ts b/src/api/routes/auth/verify/index.ts index 4c076d09..d61b8d16 100644 --- a/src/api/routes/auth/verify/index.ts +++ b/src/api/routes/auth/verify/index.ts @@ -17,7 +17,11 @@ */ import { route, verifyCaptcha } from "@fosscord/api"; -import { Config, FieldErrors, verifyToken } from "@fosscord/util"; +import { + Config, + FieldErrors, + verifyTokenEmailVerification, +} from "@fosscord/util"; import { Request, Response, Router } from "express"; import { HTTPError } from "lambert-server"; const router = Router(); @@ -43,9 +47,13 @@ router.post( try { const { jwtSecret } = Config.get().security; - const { decoded, user } = await verifyToken(token, jwtSecret); + const { decoded, user } = await verifyTokenEmailVerification( + token, + jwtSecret, + ); + // toksn should last for 24 hours from the time they were issued - if (decoded.exp < Date.now() / 1000) { + if (new Date().getTime() > decoded.iat * 1000 + 86400 * 1000) { throw FieldErrors({ token: { code: "TOKEN_INVALID", @@ -53,7 +61,16 @@ router.post( }, }); } + + if (user.verified) return res.send(user); + + // verify email user.verified = true; + await user.save(); + + // TODO: invalidate token after use? + + return res.send(user); } catch (error: any) { throw new HTTPError(error?.toString(), 400); } diff --git a/src/api/routes/auth/verify/resend.ts b/src/api/routes/auth/verify/resend.ts new file mode 100644 index 00000000..0c8c4ed9 --- /dev/null +++ b/src/api/routes/auth/verify/resend.ts @@ -0,0 +1,49 @@ +/* + Fosscord: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Fosscord and Fosscord Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. +*/ + +import { route } from "@fosscord/api"; +import { Email, User } from "@fosscord/util"; +import { Request, Response, Router } from "express"; +import { HTTPError } from "lambert-server"; +const router = Router(); + +router.post("/", route({}), async (req: Request, res: Response) => { + const user = await User.findOneOrFail({ + where: { id: req.user_id }, + select: ["email"], + }); + + if (!user.email) { + // TODO: whats the proper error response for this? + throw new HTTPError("User does not have an email address", 400); + } + + await Email.sendVerificationEmail(req.user_id, user.email) + .then((info) => { + console.log("Message sent: %s", info.messageId); + return res.sendStatus(204); + }) + .catch((e) => { + console.error( + `Failed to send verification email to ${user.username}#${user.discriminator}: ${e}`, + ); + throw new HTTPError("Failed to send verification email", 500); + }); +}); + +export default router; diff --git a/src/util/entities/User.ts b/src/util/entities/User.ts index f39fc19b..66e10297 100644 --- a/src/util/entities/User.ts +++ b/src/util/entities/User.ts @@ -383,28 +383,17 @@ export class User extends BaseClass { user.validate(); await Promise.all([user.save(), settings.save()]); - // send verification email - if (Email.transporter && email) { - const token = (await generateToken(user.id, email)) as string; - const link = `http://localhost:3001/verify#token=${token}`; - const message = { - from: - Config.get().general.correspondenceEmail || - "noreply@localhost", - to: email, - subject: `Verify Email Address for ${ - Config.get().general.instanceName - }`, - html: `Please verify your email address by clicking the following link: <a href="${link}">Verify Email</a>`, - }; - - await Email.transporter - .sendMail(message) + + // send verification email if users aren't verified by default and we have an email + if (!Config.get().defaults.user.verified && email) { + await Email.sendVerificationEmail(user.id, email) .then((info) => { console.log("Message sent: %s", info.messageId); }) .catch((e) => { - console.error(`Failed to send email to ${email}: ${e}`); + console.error( + `Failed to send verification email to ${user.username}#${user.discriminator}: ${e}`, + ); }); } diff --git a/src/util/schemas/VerifyEmailSchema.ts b/src/util/schemas/VerifyEmailSchema.ts index fa6a4c0d..d94fbbc1 100644 --- a/src/util/schemas/VerifyEmailSchema.ts +++ b/src/util/schemas/VerifyEmailSchema.ts @@ -17,6 +17,6 @@ */ export interface VerifyEmailSchema { - captcha_key: string | null; + captcha_key?: string | null; token: string; } diff --git a/src/util/util/Email.ts b/src/util/util/Email.ts index d45eb9a1..371ba827 100644 --- a/src/util/util/Email.ts +++ b/src/util/util/Email.ts @@ -16,6 +16,10 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */ +import nodemailer, { Transporter } from "nodemailer"; +import { Config } from "./Config"; +import { generateToken } from "./Token"; + export const EMAIL_REGEX = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/; @@ -47,6 +51,7 @@ export function adjustEmail(email?: string): string | undefined { export const Email: { transporter: Transporter | null; init: () => Promise<void>; + sendVerificationEmail: (id: string, email: string) => Promise<any>; } = { transporter: null, init: async function () { @@ -73,4 +78,25 @@ export const Email: { console.log(`[SMTP] Ready`); }); }, + sendVerificationEmail: async function ( + id: string, + email: string, + ): Promise<any> { + if (!this.transporter) return; + const token = (await generateToken(id, email)) as string; + const instanceUrl = + Config.get().general.frontPage || "http://localhost:3001"; + const link = `${instanceUrl}/verify#token=${token}`; + const message = { + from: + Config.get().general.correspondenceEmail || "noreply@localhost", + to: email, + subject: `Verify Email Address for ${ + Config.get().general.instanceName + }`, + html: `Please verify your email address by clicking the following link: <a href="${link}">Verify Email</a>`, + }; + + return this.transporter.sendMail(message); + }, }; diff --git a/src/util/util/Token.ts b/src/util/util/Token.ts index b3ebcc07..e4b1fe41 100644 --- a/src/util/util/Token.ts +++ b/src/util/util/Token.ts @@ -72,6 +72,30 @@ export function checkToken( }); } +/** + * Puyodead1 (1/19/2023): I made a copy of this function because I didn't want to break anything with the other one. + * this version of the function doesn't use select, so we can update the user. with select causes constraint errors. + */ +export function verifyTokenEmailVerification( + token: string, + jwtSecret: string, +): Promise<{ decoded: any; user: User }> { + return new Promise((res, rej) => { + jwt.verify(token, jwtSecret, JWTOptions, async (err, decoded: any) => { + if (err || !decoded) return rej("Invalid Token"); + + const user = await User.findOne({ + where: { id: decoded.id }, + }); + if (!user) return rej("Invalid Token"); + if (user.disabled) return rej("User disabled"); + if (user.deleted) return rej("User not found"); + + return res({ decoded, user }); + }); + }); +} + export function verifyToken( token: string, jwtSecret: string, |