api: Registration, password recovery, verification flows

2021-02-26 15:20:13 +01:00 · 2021-02-26 15:20:13 +01:00 · 45bbde1037
parent d1d7921808
commit 45bbde1037
13 changed files with 264 additions and 20 deletions
--- a/api/src/_middleware/validate-request.js
+++ b/api/src/_middleware/validate-request.js
@ -1,4 +1,4 @@
-const validateRequest = (schema) => (req, res, next) => {
+const validateRequest = (schema, property = 'body') => (req, res, next) => {
  console.log('validateRequest');

  const options = {
@ -6,12 +6,12 @@ const validateRequest = (schema) => (req, res, next) => {
    allowUnknown: true, // ignore unknown props
    stripUnknown: true, // remove unknown props
  };
-  const { error, value } = schema.validate(req.body, options);
+  const { error, value } = schema.validate(req[property], options);
  if (error) {
    console.log('error: ', error);
    next(`Validation error: ${error.details.map((x) => x.message).join(', ')}`);
  } else {
-    req.body = value;
+    req[property] = value;
    next();
  }
 };
--- a/api/src/accounts/account.service.js
+++ b/api/src/accounts/account.service.js
@ -100,11 +100,11 @@ function randomTokenString() {
 async function sendVerificationEmail(account, origin) {
  let message;
  if (origin) {
-    const verifyUrl = `${origin}/account/verify-email?token=${account.verificationToken}`;
+    const verifyUrl = `${origin}/verify-email?token=${account.verificationToken}`;
    message = `<p>Please click the below link to verify your email address:</p>
                   <p><a href="${verifyUrl}">${verifyUrl}</a></p>`;
  } else {
-    message = `<p>Please use the below token to verify your email address with the <code>/account/verify-email</code> api route:</p>
+    message = `<p>Please use the below token to verify your email address with the <code>/verify-email</code> api route:</p>
                   <p><code>${account.verificationToken}</code></p>`;
  }

@ -120,9 +120,9 @@ async function sendVerificationEmail(account, origin) {
 async function sendAlreadyRegisteredEmail(email, origin) {
  let message;
  if (origin) {
-    message = `<p>If you don't know your password please visit the <a href="${origin}/account/forgot-password">forgot password</a> page.</p>`;
+    message = `<p>If you don't know your password please visit the <a href="${origin}/forgot-password">forgot password</a> page.</p>`;
  } else {
-    message = `<p>If you don't know your password you can reset it via the <code>/account/forgot-password</code> api route.</p>`;
+    message = `<p>If you don't know your password you can reset it via the <code>/forgot-password</code> api route.</p>`;
  }

  await sendEmail({
@ -137,11 +137,11 @@ async function sendAlreadyRegisteredEmail(email, origin) {
 async function sendPasswordResetEmail(account, origin) {
  let message;
  if (origin) {
-    const resetUrl = `${origin}/account/reset-password?token=${account.resetToken.token}`;
+    const resetUrl = `${origin}/reset-password?token=${account.resetToken.token}`;
    message = `<p>Please click the below link to reset your password, the link will be valid for 1 day:</p>
                   <p><a href="${resetUrl}">${resetUrl}</a></p>`;
  } else {
-    message = `<p>Please use the below token to reset your password with the <code>/account/reset-password</code> api route:</p>
+    message = `<p>Please use the below token to reset your password with the <code>/reset-password</code> api route:</p>
                   <p><code>${account.resetToken.token}</code></p>`;
  }

--- a/api/src/config/oauth2orize.js
+++ b/api/src/config/oauth2orize.js
--- a/api/src/config/passport.js
+++ b/api/src/config/passport.js
@ -24,7 +24,13 @@ async function loginWithPassword(email, password, done) {
  try {
    const user = await User.findOne({ email: email });
    if (!user || !user.validPassword(password)) {
-      return done(null, false, { errors: { 'email or password': 'is invalid' } });
+      return done(new Error('invalid credentials'), false);
+    }
+
+    // Regardless of whether login is required, if you're logged in as an
+    // unverified user, produce an error.
+    if (user.needsEmailValidation) {
+      return done(new Error('email not verified'), false);
    }

    return done(null, user);
@ -117,7 +123,7 @@ passport.use(
      const refreshToken = await RefreshToken.findOne({ token }).populate('user');
      if (refreshToken && refreshToken.user) {
        // TODO: scope
-        return done(null, user, { scope: 'auth.refresh' });
+        return done(null, refreshToken.user, { scope: 'auth.refresh' });
      } else {
        return done(null, false);
      }
@ -181,7 +187,6 @@ function createMiddleware(strategies, required = true, session = false) {
      }

      req.user = user;
-      req.authInfo = info;
      req.scope = (info && info.scope) || '*';

      return next();
--- a/api/src/index.js
+++ b/api/src/index.js
@ -16,8 +16,8 @@ const app = express();
 app.use(cors());

 // Express configuration
-app.set('views', './views')
-app.set('view engine', 'pug')
+app.set('views', './views');
+app.set('view engine', 'pug');

 // Normal express config defaults
 app.use(require('morgan')('dev'));
@ -27,7 +27,7 @@ app.use(bodyParser.urlencoded({ limit: '50mb', extended: false }));
 app.use(require('method-override')());
 app.use(express.static(path.join(__dirname, 'public')));

-app.use(session({ secret: 'obsobs', cookie: { maxAge: 60000 }, resave: false, saveUninitialized: false }));
+app.use(session({ secret: 'obsobs', cookie: { maxAge: 10 * 60 * 1000 }, resave: false, saveUninitialized: false }));
 app.use(passport.initialize());
 app.use(passport.session());

--- a/api/src/routes/auth.js
+++ b/api/src/routes/auth.js
@ -4,6 +4,7 @@ const { URL } = require('url');
 const { createChallenge } = require('pkce');

 const { AuthorizationCode, AccessToken, RefreshToken, Client } = require('../models');
+const auth = require('../config/passport');
 const wrapRoute = require('../_helpers/wrapRoute');

 // Check whether the "bigScope" fully includes the "smallScope".
@ -45,9 +46,30 @@ function isValidScope(scope) {
  return scope === '*' || scopeIncludes(scope, ALL_SCOPE_NAMES.join(' '));
 }

+router.use((req, res, next) => {
+  res.locals.user = req.user;
+  next();
+});
+
 router.post(
  '/login',
-  passport.authenticate('usernameAndPasswordSession'),
+  passport.authenticate('usernameAndPasswordSession', { session: true }),
+  (err, req, res, next) => {
+    if (!err) {
+      next();
+    }
+
+    if (err.message === 'invalid credentials') {
+      return res.render('login', { badCredentials: true });
+    }
+
+    let description = 'Unknown error while processing your login.';
+    if (err.message === 'email not verified') {
+      description = 'Your account is not yet verified, please check your email or start the password recovery.';
+    }
+
+    return res.render('message', { type: 'error', title: 'Login failed', description });
+  },
  wrapRoute((req, res, next) => {
    if (!req.user) {
      return res.redirect('/login');
@ -69,10 +91,21 @@ router.get(
      return res.render('message', { type: 'success', title: 'You are already logged in.' });
    }

-    res.render('login');
+    return res.render('login');
  }),
 );

+router
+  .route('/logout')
+  .post(
+    auth.usernameAndPasswordSession,
+    wrapRoute(async (req, res) => {
+      req.logout();
+      return res.redirect('/login');
+    }),
+  )
+  .get((req, res) => res.render('logout'));
+
 const isIp = (ip) =>
  typeof ip === 'string' &&
  /^([0-9]{1,3}\.)[0-9]{1,3}$/.test(ip) &&
@ -115,7 +148,6 @@ router.get(
  passport.authenticate('session'),
  wrapRoute(async (req, res) => {
    if (!req.user) {
-      console.log(req);
      req.session.next = req.url;
      return res.redirect('/login');
    }
@ -208,7 +240,6 @@ router.get(

      res.render('authorize', { clientTitle: client.title, scope, redirectUri });
    } catch (err) {
-      console.error(err);
      res.status(400).json({ error: 'invalid_request', error_description: 'unknown error' });
    }
  }),
@ -385,3 +416,104 @@ router.get(
 );

 module.exports = router;
+
+const accountService = require('../accounts/account.service');
+const validateRequest = require('../_middleware/validate-request');
+const Joi = require('joi');
+
+router
+  .route('/register')
+  .post(
+    validateRequest(
+      Joi.object({
+        username: Joi.string().required(),
+        email: Joi.string().email().required(),
+        password: Joi.string().min(6).required(),
+        confirmPassword: Joi.string().valid(Joi.ref('password')).required(),
+      }),
+    ),
+    wrapRoute(async (req, res) => {
+      await accountService.register(req.body, req.get('origin'));
+
+      return res.render('message', {
+        type: 'success',
+        title: 'Registration successful',
+        description: 'Please check your email for verification instructions.',
+      });
+    }),
+  )
+  .get((req, res) => res.render('register'));
+
+router.get(
+  '/verify-email',
+  validateRequest(
+    Joi.object({
+      token: Joi.string().required(),
+    }),
+    'query',
+  ),
+  wrapRoute(async (req, res) => {
+    await accountService.verifyEmail(req.query);
+    return res.render('message', {
+      type: 'success',
+      title: 'Verification successful',
+      description: 'You can now log in.',
+      showLoginButton: true,
+    });
+  }),
+);
+
+router
+  .route('/forgot-password')
+  .post(
+    validateRequest(
+      Joi.object({
+        email: Joi.string().email().required(),
+      }),
+    ),
+    wrapRoute(async (req, res) => {
+      await accountService.forgotPassword(req.body, req.get('origin'));
+      res.render('message', {
+        type: 'success',
+        title: 'Recovery mail sent',
+        description: 'Please check your inbox for password recovery instructions.',
+      });
+    }),
+  )
+  .get((req, res) => res.render('forgot-password'));
+
+router
+  .route('/reset-password')
+  .post(
+    validateRequest(
+      Joi.object({
+        token: Joi.string().required(),
+        password: Joi.string().min(6).required(),
+        confirmPassword: Joi.string().valid(Joi.ref('password')).required(),
+      }),
+    ),
+    wrapRoute(async (req, res) => {
+      await accountService.resetPassword(req.body);
+      return res.render('message', {
+        type: 'success',
+        title: 'Password reset successful',
+        description: 'You can now log in.',
+        showLoginButton: true,
+      });
+    }),
+  )
+  .get(
+    validateRequest(
+      Joi.object({
+        token: Joi.string().required(),
+      }),
+      'query',
+    ),
+    wrapRoute(async (req, res) => {
+      const { token } = req.query;
+      await accountService.validateResetToken({ token });
+      res.render('reset-password', { token });
+    }),
+  );
+
+module.exports = router;
--- a/api/views/forgot-password.pug
+++ b/api/views/forgot-password.pug
@ -0,0 +1,12 @@
+extends layout.pug
+
+block title
+  | Reset Password
+
+block content
+  form(method="post")
+    fieldset
+      label(for="email") E-Mail Address
+      input(id="email", name="email")
+
+    button(type="submit") Send recovery mail
--- a/api/views/layout.pug
+++ b/api/views/layout.pug
@ -97,8 +97,45 @@ html
        background: #83d283;
      }

+      nav ul {
+        list-style: none;
+        margin: 0;
+        padding: 0;
+        display: flex;
+        align-items: center;
+        padding-bottom: 1rem;
+        margin-bottom: 1rem;
+        border-bottom: 1px solid #DDD;
+      }
+      nav ul li {
+        flex: 1 1 0;
+        text-align: center;
+      }
+      nav ul li a {
+        color: #999;
+        text-decoration: none;
+      }
+      nav ul li a:hover {
+        color: #444;
+      }
+
+      nav header {
+        text-align: center;
+        font-weight: 500;
+        margin-bottom: 1rem;
+      }
+
  body
    main
+      nav
+        header OpenBikeSensor Account Pages
+        ul
+          li: a(href="/") Back to Portal
+          if !user
+            li: a(href="/login") Login
+            li: a(href="/register") Register
+          if user
+            li: a(href="/logout") Logout
      header: h1
        block title
      block content
--- a/api/views/login.pug
+++ b/api/views/login.pug
@ -13,4 +13,8 @@ block content
      label(for="password") Password
      input(name="password", type="password")

-    button(type="submit") Login
+    if badCredentials
+      p.message.error Invalid login credentials, please try again.
+
+    button(type="submit", style="margin-right: 2rem") Login
+    a(href="/forgot-password") I forgot my password
--- a/api/views/logout.pug
+++ b/api/views/logout.pug
@ -0,0 +1,8 @@
+extends layout.pug
+
+block title
+  | Logout
+
+block content
+  form(method="post", action="/logout")
+    button(type="submit", class="red") Log out now
--- a/api/views/message.pug
+++ b/api/views/message.pug
@ -6,3 +6,6 @@ block title
 block content
  if description
    div(class="message " + type)= description
+
+  if showLoginButton
+    p: a(href="/login") Go to login
--- a/api/views/register.pug
+++ b/api/views/register.pug
@ -0,0 +1,25 @@
+extends layout.pug
+
+block title
+  | Register
+
+block content
+  form(method="post")
+    fieldset
+      label(for="username") Username
+      input(id="username", name="username")
+      p.form-hint At least 3 characters, alphanumerical, must be unique
+
+    fieldset
+      label(for="email") E-Mail Address
+      input(id="email", name="email", type="email")
+
+    fieldset
+      label(for="password") Password
+      input(id="password", name="password", type="password")
+
+    fieldset
+      label(for="confirmPassword") Confirm Password
+      input(id="confirmPassword", name="confirmPassword", type="password")
+
+    button(type="submit") Register
--- a/api/views/reset-password.pug
+++ b/api/views/reset-password.pug
@ -0,0 +1,18 @@
+extends layout.pug
+
+block title
+  | Reset Password
+
+block content
+  form(method="post")
+    input(type="hidden", name="token", value=token)
+
+    fieldset
+      label(for="password") New Password
+      input(id="password", name="password", type="password")
+
+    fieldset
+      label(for="confirmPassword") Confirm Password
+      input(id="confirmPassword", name="confirmPassword", type="password")
+
+    button(type="submit") Set new password