From b80b2197480acb5fcad5009408635893bfcf6c6c Mon Sep 17 00:00:00 2001 From: Paul Bienkowski Date: Sun, 28 Feb 2021 22:57:43 +0100 Subject: [PATCH] api: Use baseUrl in email links --- api/src/accounts/account.service.js | 59 +++++++++++------------------ api/src/routes/auth.js | 4 +- 2 files changed, 25 insertions(+), 38 deletions(-) diff --git a/api/src/accounts/account.service.js b/api/src/accounts/account.service.js index d8b4843..72608d6 100644 --- a/api/src/accounts/account.service.js +++ b/api/src/accounts/account.service.js @@ -2,6 +2,9 @@ const crypto = require('crypto'); const mongoose = require('mongoose'); const sendEmail = require('../_helpers/send-email'); const User = mongoose.model('User'); +const config = require('../config'); + +const baseUrl = config.baseUrl.replace(/\/+$/, ''); module.exports = { register, @@ -11,12 +14,12 @@ module.exports = { resetPassword, }; -async function register(params, origin) { +async function register(params) { const user = await User.findOne({ email: params.email }); if (user) { // send already registered error in email to prevent account enumeration - return await sendAlreadyRegisteredEmail(params.email, origin); + return await sendAlreadyRegisteredEmail(params.email); } const newUser = new User(); @@ -30,7 +33,7 @@ async function register(params, origin) { await newUser.save(); // send email - await sendVerificationEmail(newUser, origin); + await sendVerificationEmail(newUser); } async function verifyEmail({ token }) { @@ -45,7 +48,7 @@ async function verifyEmail({ token }) { await account.save(); } -async function forgotPassword({ email }, origin) { +async function forgotPassword({ email }) { const account = await User.findOne({ email }); console.log('forgotPassword', account, email); 
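Review bot: The added `const baseUrl = config.baseUrl.replace(/\/+$/, '');` dereferences the setting at module load without checking it, so a missing `baseUrl` fails as a bare TypeError from `require`, and a value with no scheme or the wrong host is accepted silently. This string now decides where every verification and reset link points, so I would validate it once at startup, for example `const baseUrl = new URL(config.baseUrl).href.replace(/\/+$/, '');`. A comment such as `// email links are built from trusted config only, never from request headers` would record why the `origin` parameter was dropped. How `../config` loads the value is not visible in this patch, so it may already be checked there.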
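Review bot: The unchanged `console.log('forgotPassword', account, email);` in the forgotPassword hunk (@@ -45,7 +48,7 @@) and `console.log('forgotPassword account saved', account);` in the following hunk (@@ -63,7 +66,7 @@) write the whole user document to the log. At the second call the document presumably already holds the freshly generated reset token, and it likely includes the password hash as well, so anyone with read access to the logs could complete a reset without access to the mailbox. Since this commit already edits forgotPassword, I would drop both calls or log only a non-sensitive identifier, e.g. `console.log('forgotPassword requested', account?.id);`. The body of forgotPassword lies partly outside both hunks, so the token assignment itself is inferred rather than visible.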
@@ -63,7 +66,7 @@ async function forgotPassword({ email }, origin) { console.log('forgotPassword account saved', account); // send email - await sendPasswordResetEmail(account, origin); + await sendPasswordResetEmail(account); } async function validateResetToken({ token }) { @@ -97,33 +100,24 @@ function randomTokenString() { return crypto.randomBytes(40).toString('hex'); } -async function sendVerificationEmail(account, origin) { - let message; - if (origin) { - const verifyUrl = `${origin}/verify-email?token=${account.verificationToken}`; - message = `

Please click the below link to verify your email address:

-

${verifyUrl}

`; - } else { - message = `

Please use the below token to verify your email address with the /verify-email api route:

-

${account.verificationToken}

`; - } +async function sendVerificationEmail(account) { + const verifyUrl = `${baseUrl}/verify-email?token=${account.verificationToken}`; + const html = [ + '

Verify Email

', + '

Thanks for registering!

', + '

Please click the below link to verify your email address:

', + `

${verifyUrl}

`, + ].join('\n') await sendEmail({ to: account.email, subject: 'Sign-up Verification API - Verify Email', - html: `

Verify Email

-

Thanks for registering!

- ${message}`, + html, }); } -async function sendAlreadyRegisteredEmail(email, origin) { - let message; - if (origin) { - message = `

If you don't know your password please visit the forgot password page.

`; - } else { - message = `

If you don't know your password you can reset it via the /forgot-password api route.

`; - } +async function sendAlreadyRegisteredEmail(email) { + const message = `

If you don't know your password please visit the forgot password page.

`; await sendEmail({ to: email, @@ -134,17 +128,10 @@ async function sendAlreadyRegisteredEmail(email, origin) { }); } -async function sendPasswordResetEmail(account, origin) { - let message; - if (origin) { - const resetUrl = `${origin}/reset-password?token=${account.resetToken.token}`; - message = `
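Review bot: Both `verifyUrl` in sendVerificationEmail and `resetUrl` in sendPasswordResetEmail (next hunk, @@ -134,17 +128,10 @@) carry the secret token in the query string. It can therefore end up in proxy and server access logs, in browser history, and in the Referer header of any request the landing page makes. The patch does not show how /verify-email and /reset-password are served, so this may already be handled. If it is not, those pages should respond with `Referrer-Policy: no-referrer` and the tokens should be invalidated on first use. A comment above each URL, e.g. `// token travels in the query string: keep it single-use and short-lived, landing page must not leak Referer`, would record the assumption for the next maintainer.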

Please click the below link to reset your password, the link will be valid for 1 day:

-

${resetUrl}

`; - } else { - message = `

Please use the below token to reset your password with the /reset-password api route:

-

${account.resetToken.token}

`; - } - +async function sendPasswordResetEmail(account) { + const resetUrl = `${baseUrl}/reset-password?token=${account.resetToken.token}`; + const message = `

Please click the below link to reset your password, the link will be valid for 1 day:

+

${resetUrl}

`; await sendEmail({ to: account.email, subject: 'Sign-up Verification API - Reset Password', diff --git a/api/src/routes/auth.js b/api/src/routes/auth.js index 86498d3..19d99d4 100644 --- a/api/src/routes/auth.js +++ b/api/src/routes/auth.js @@ -447,7 +447,7 @@ router }), ), wrapRoute(async (req, res) => { - await accountService.register(req.body, req.get('origin')); + await accountService.register(req.body); return res.render('message', { type: 'success', @@ -486,7 +486,7 @@ router }), ), wrapRoute(async (req, res) => { - await accountService.forgotPassword(req.body, req.get('origin')); + await accountService.forgotPassword(req.body); res.render('message', { type: 'success', title: 'Recovery mail sent',