Forgot password and reset password

2018-03-22 14:56:39 -07:00
parent 82fbd88dab
commit 06ae76047e
15 changed files with 324 additions and 205 deletions
--- a/server/config/templates/accountDeleted.txt
+++ b/server/config/templates/accountDeleted.txt
@@ -1,6 +1,6 @@
 Hello {{recipientFullName}}.

-This email is for your records to indicated that your account for the Deighton AR system has been deleted.
+Your account for the Deighton AR system has been deleted.

 Please contact {{supportEmail}} if you have any questions.

--- a/server/config/templates/changeEmailNew.txt
+++ b/server/config/templates/changeEmailNew.txt
@@ -1,8 +1,8 @@
 Hello {{recipientFullName}},

-This message allows you to complete the process of changing your email.  If you did not make this request please do not worry.  Just ignore this email and your account will remain unchanged.
+This message allows you to complete the process of changing your email on the Deighton AR system.  If you did not make this request please do not worry, but we would request that you change your password immediately just to be safe.  If you ignore this email your account will remain unchanged.

-If you did make this request, please click on the following link to confirm your new email:
+If you _did_ make this request, please click on the following link to confirm your new email:

 {{confirmEmailLink}}

@@ -10,4 +10,4 @@ If you have any questions, please contact us at {{supportEmail}}.

 Regards,

-Deighton
+{{senderFullName}}
--- a/server/config/templates/changeEmailOld.txt
+++ b/server/config/templates/changeEmailOld.txt
@@ -1,6 +1,6 @@
 Hello {{recipientFullName}},

-This message is to inform you that a request was made to change your email to {{recipientNewEmail}}.  If you did not make this request please do not worry.  Just ignore this email and your account will remain unchanged.
+This message is to inform you that a request was made to change your email to {{recipientNewEmail}}.    If you did not make this request please do not worry, but we would request that you change your password immediately just to be safe.

 If you did make this request, please see the message sent to your new email account for further instructions.

@@ -8,4 +8,4 @@ If you have any questions, please contact us at {{supportEmail}}.

 Regards,

-Deighton
+{{senderFullName}}
--- a/server/config/templates/forgotPassword.txt
+++ b/server/config/templates/forgotPassword.txt
@@ -1,6 +1,6 @@
 Hello {{recipientFullName}},

-The following link will allow you to reset your password.  Please paste it into your browser and you will be redirected to the Deighton AR site to set your new password:
+The following link will allow you to reset your password.  Please click on it or paste it into your browser and you will be redirected to the Deighton AR site to set your new password:

 {{resetPasswordLink}}

@@ -8,4 +8,4 @@ Please contact {{supportEmail}} if you have any questions or problems.

 Regards,

-Deighton
+{{senderFullName}}
--- a/server/src/api/routes/AuthRoutes.js
+++ b/server/src/api/routes/AuthRoutes.js
@@ -317,59 +317,60 @@ export class AuthRoutes {
    })
  }

-  changePassword(req, res, next) {
+  async changePassword(req, res, next) {
    let User = this.db.User
    let cr = credential()
-    User.findById({ _id: req.user._id }).then((user) => {
+
+    try {
+      const user = await User.findById({ _id: req.user._id })
+
      if (!user) {
-        return next(createError.NotFound(`User ${req.user._id} not found`))
+        throw createError.NotFound(`User ${req.user._id} not found`)
      }
-      return Promise.all([
-        Promise.resolve(user),
-        cr.verify(JSON.stringify(user.passwordHash), req.body.oldPassword)
-      ])
-    }).then((arr) => {
-      const [user, ok] = arr
-      return Promise.all([Promise.resolve(user), cr.hash(req.body.newPassword)])
-    }).then((arr) => {
-      const [user, obj] = arr
+
+      const ok = await cr.verify(JSON.stringify(user.passwordHash), req.body.oldPassword)
+      const obj = await cr.hash(req.body.newPassword)
+
      user.passwordHash = JSON.parse(obj)
-      return user.save()
-    }).then((savedUser) => {
+      await user.save()
      res.json({})
-    }).catch((err) => {
-      return next(createError.InternalServerError(err.message))
-    })
+    } catch(err) {
+      if (err instanceof createError.HttpError) {
+        next(err)
+      } else {
+        next(createError.InternalServerError(err.message))
+      }
+    }
  }

-  sendPasswordResetEmail(req, res, next){
+  async sendPasswordResetEmail(req, res, next){
    const email = req.body.email
    let User = this.db.User

-    if (!email) {
-      return next(createError.BadRequest('Invalid request parameters'))
-    }
-
-    User.findOne({ email }).then((user) => {
-      // User must exist their email must be confirmed
-      if (!user || user.emailToken) {
-        // Don't give away any information about why we rejected the request
-        return Promise.reject(createError.BadRequest('Not a valid request'))
-      } else if (user.passwordToken && (new Date() - user.emailToken.created) < this.sendEmailDelayInSeconds) {
-        return Promise.reject(createError.BadRequest('Cannot request password reset so soon'))
+    try {
+      if (!email) {
+        throw createError.BadRequest('Invalid request parameters')
      }

-      return Promise.all([Promise.resolve(user), util.promisify(crypto.randomBytes)(32)])
-    }).then((arr) => {
-      let [ user, buf ] = arr
+      const user = await User.findOne({ email })
+
+      // User must exist and their email must be confirmed
+      if (!user || user.emailToken) {
+        // Don't give away any information about why we rejected the request
+        throw createError.BadRequest('Not a valid request')
+      } else if (user.passwordToken && user.passwordToken.created &&
+          (new Date() - user.passwordToken.created) < this.sendEmailDelayInSeconds) {
+        throw createError.BadRequest('Cannot request password reset so soon')
+      }
+
+      const buf = await util.promisify(crypto.randomBytes)(32)

      user.passwordToken = {
        value: urlSafeBase64.encode(buf),
        created: new Date()
      }

-      return user.save()
-    }).then((savedUser) => {
+      const savedUser = await user.save()
      const userFullName = `${savedUser.firstName} ${savedUser.lastName}`
      const siteUrl = url.parse(req.headers.referer)
      const msg = {
@@ -381,15 +382,17 @@ export class AuthRoutes {
          supportEmail: this.supportEmail
        }
      }
-      return this.sendEmail ? this.mq.request('dar-email', 'sendEmail', msg) : Promise.resolve()
-    }).then(() => {
+      if (this.sendEmail) {
+        await this.mq.request('dar-email', 'sendEmail', msg)
+      }
+
      res.json({})
-    }).catch((err) => {
+    } catch(err) {
      if (err instanceof createError.HttpError) {
        next(err)
      } else {
        next(createError.InternalServerError(`Unable to send password reset email. ${err.message}`))
      }
-    })
+    }
  }
 }