added reset password flow

Author: dstpierre

function/runtime.go

@@ -328,7 +328,6 @@ func (env *ExecutionEnvironment) addVolatileFunctions(vm *goja.Runtime) {
 		if err != nil {
 			return vm.ToValue(Result{Content: fmt.Sprintf("error converting your data: %v", err)})
 		}
-		fmt.Println("DEBUG: ", string(b))
 
 		msg := internal.Command{
 			SID:     env.Data.ID.Hex(),

internal/account.go

@@ -2,6 +2,7 @@ package internal
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -50,6 +51,7 @@ type Token struct {
 	Email     string             `bson:"email" json:"email"`
 	Password  string             `bson:"pw" json:"-"`
 	Role      int                `bson:"role" json:"role"`
+	ResetCode string             `bson:"resetCode" json:"-"`
 }
 
 type Login struct {
@@ -107,6 +109,26 @@ func FindTokenByEmail(db *mongo.Database, email string) (tok Token, err error) {
 	return
 }
 
+func SetPasswordResetCode(db *mongo.Database, id primitive.ObjectID, code string) error {
+	update := bson.M{"$set": bson.M{"resetCode": code}}
+	if _, err := db.Collection("sb_tokens").UpdateByID(ctx, id, update); err != nil {
+		return err
+	}
+	return nil
+}
+
+func ResetPassword(db *mongo.Database, email, code, password string) error {
+	filter := bson.M{"email": email, "resetCode": code}
+	update := bson.M{"$set": bson.M{"pw": password}}
+	res, err := db.Collection("sb_tokens").UpdateOne(ctx, filter, update)
+	if err != nil {
+		return err
+	} else if res.ModifiedCount != 1 {
+		return errors.New("cannot find document")
+	}
+	return nil
+}
+
 func FindAccount(db *mongo.Database, accountID primitive.ObjectID) (cus Customer, err error) {
 	filter := bson.M{FieldID: accountID}
 	sr := db.Collection("accounts").FindOne(ctx, filter)

membership.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	"staticbackend/cache"
-	"staticbackend/email"
 	"staticbackend/internal"
 	"staticbackend/middleware"
 
@@ -246,165 +245,134 @@ func (m *membership) createUser(db *mongo.Database, accountID primitive.ObjectID
 	return jwtBytes, tok, nil
 }
 
-func (m *membership) setRole(w http.ResponseWriter, r *http.Request) {
-	conf, a, err := middleware.Extract(r, true)
-	if err != nil || a.Role < 100 {
-		http.Error(w, "insufficient priviledges", http.StatusUnauthorized)
+func (m *membership) setResetCode(w http.ResponseWriter, r *http.Request) {
+	email := strings.ToLower(r.URL.Query().Get("e"))
+	if len(email) == 0 || strings.Index(email, "@") <= 0 {
+		http.Error(w, "invalid email", http.StatusBadRequest)
 		return
 	}
 
-	var data = new(struct {
-		Email string `json:"email"`
-		Role  int    `json:"role"`
-	})
-	if err := parseBody(r.Body, &data); err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
+	code := randStringRunes(10)
+
+	conf, _, err := middleware.Extract(r, false)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
-	db := client.Database(conf.Name)
+	curDB := client.Database(conf.Name)
 
-	ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
-	filter := bson.M{"email": data.Email}
-	update := bson.M{"$set": bson.M{"role": data.Role}}
-	if _, err := db.Collection("sb_tokens").UpdateOne(ctx, filter, update); err != nil {
+	tok, err := internal.FindTokenByEmail(curDB, email)
+	if err != nil {
+		http.Error(w, "email not found", http.StatusNotFound)
+		return
+	}
+
+	if err := internal.SetPasswordResetCode(curDB, tok.ID, code); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
-	respond(w, http.StatusOK, true)
+	respond(w, http.StatusOK, code)
 }
 
-func (m *membership) setPassword(w http.ResponseWriter, r *http.Request) {
-	conf, a, err := middleware.Extract(r, true)
-	if err != nil || a.Role < 100 {
-		http.Error(w, "insufficient priviledges", http.StatusUnauthorized)
+func (m *membership) resetPassword(w http.ResponseWriter, r *http.Request) {
+	conf, _, err := middleware.Extract(r, false)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
+	curDB := client.Database(conf.Name)
+
 	var data = new(struct {
-		Email       string `json:"email"`
-		OldPassword string `json:"oldPassword"`
-		NewPassword string `json:"newPassword"`
+		Email    string `json:"email"`
+		Code     string `json:"code"`
+		Password string `json:"password"`
 	})
 	if err := parseBody(r.Body, &data); err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
 
-	db := client.Database(conf.Name)
+	data.Email = strings.ToLower(data.Email)
 
-	tok, err := m.validateUserPassword(db, data.Email, data.OldPassword)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusUnauthorized)
-		return
-	}
-
-	newpw, err := bcrypt.GenerateFromPassword([]byte(data.NewPassword), bcrypt.DefaultCost)
+	b, err := bcrypt.GenerateFromPassword([]byte(data.Password), bcrypt.DefaultCost)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
-	ctx := context.Background()
-	filter := bson.M{"_id": tok.ID}
-	update := bson.M{"$set": bson.M{"pw": string(newpw)}}
-	if _, err := db.Collection("sb_tokens").UpdateOne(ctx, filter, update); err != nil {
+	if err := internal.ResetPassword(curDB, data.Email, data.Code, string(b)); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
 	respond(w, http.StatusOK, true)
 }
 
-func (m *membership) resetPassword(w http.ResponseWriter, r *http.Request) {
-	conf, _, err := middleware.Extract(r, false)
-	if err != nil {
-		http.Error(w, "invalid StaticBackend key", http.StatusUnauthorized)
+func (m *membership) setRole(w http.ResponseWriter, r *http.Request) {
+	conf, a, err := middleware.Extract(r, true)
+	if err != nil || a.Role < 100 {
+		http.Error(w, "insufficient priviledges", http.StatusUnauthorized)
 		return
 	}
 
-	db := client.Database(conf.Name)
-
 	var data = new(struct {
 		Email string `json:"email"`
+		Role  int    `json:"role"`
 	})
 	if err := parseBody(r.Body, &data); err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
 
-	filter := bson.M{"email": strings.ToLower(data.Email)}
-	count, err := db.Collection("sb_tokens").CountDocuments(context.Background(), filter)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	} else if count == 0 {
-		http.Error(w, "not found", http.StatusNotFound)
-		return
-	}
-
-	code := randStringRunes(6)
-	update := bson.M{"%set": bson.M{"sb_reset_code": code}}
-	if _, err := db.Collection("sb_tokens").UpdateOne(context.Background(), filter, update); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	//TODO: have HTML template for those
-	body := fmt.Sprintf(`Your reset code is: %s`, code)
+	db := client.Database(conf.Name)
 
-	ed := internal.SendMailData{
-		From:     FromEmail,
-		FromName: FromName,
-		To:       data.Email,
-		Subject:  "Your password reset code",
-		HTMLBody: body,
-		TextBody: email.StripHTML(body),
-	}
-	if err := emailer.Send(ed); err != nil {
+	ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
+	filter := bson.M{"email": data.Email}
+	update := bson.M{"$set": bson.M{"role": data.Role}}
+	if _, err := db.Collection("sb_tokens").UpdateOne(ctx, filter, update); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
 	respond(w, http.StatusOK, true)
 }
 
-func (m *membership) changePassword(w http.ResponseWriter, r *http.Request) {
-	conf, _, err := middleware.Extract(r, false)
-	if err != nil {
-		http.Error(w, "invalid StaticBackend key", http.StatusUnauthorized)
+func (m *membership) setPassword(w http.ResponseWriter, r *http.Request) {
+	conf, a, err := middleware.Extract(r, true)
+	if err != nil || a.Role < 100 {
+		http.Error(w, "insufficient priviledges", http.StatusUnauthorized)
 		return
 	}
 
-	db := client.Database(conf.Name)
-
 	var data = new(struct {
-		Email    string `json:"email"`
-		Code     string `json:"code"`
-		Password string `json:"password"`
+		Email       string `json:"email"`
+		OldPassword string `json:"oldPassword"`
+		NewPassword string `json:"newPassword"`
 	})
 	if err := parseBody(r.Body, &data); err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
 
-	filter := bson.M{"email": strings.ToLower(data.Email), "sb_reset_code": data.Code}
-	var tok internal.Token
-	sr := db.Collection("sb_tokens").FindOne(context.Background(), filter)
-	if err := sr.Decode(&tok); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+	db := client.Database(conf.Name)
+
+	tok, err := m.validateUserPassword(db, data.Email, data.OldPassword)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
-	newpw, err := bcrypt.GenerateFromPassword([]byte(data.Password), bcrypt.DefaultCost)
+	newpw, err := bcrypt.GenerateFromPassword([]byte(data.NewPassword), bcrypt.DefaultCost)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
 	ctx := context.Background()
-	filter = bson.M{internal.FieldID: tok.ID}
+	filter := bson.M{"_id": tok.ID}
 	update := bson.M{"$set": bson.M{"pw": string(newpw)}}
 	if _, err := db.Collection("sb_tokens").UpdateOne(ctx, filter, update); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)

server.go

@@ -124,6 +124,8 @@ func Start(dbHost, port string) {
 	http.Handle("/login", middleware.Chain(http.HandlerFunc(m.login), pubWithDB...))
 	http.Handle("/register", middleware.Chain(http.HandlerFunc(m.register), pubWithDB...))
 	http.Handle("/email", middleware.Chain(http.HandlerFunc(m.emailExists), pubWithDB...))
+	http.Handle("/password/resetcode", middleware.Chain(http.HandlerFunc(m.setResetCode), pubWithDB...))
+	http.Handle("/password/reset", middleware.Chain(http.HandlerFunc(m.resetPassword), pubWithDB...))
 	//http.Handle("/setrole", chain(http.HandlerFunc(setRole), withDB))
 
 	http.Handle("/sudogettoken/", middleware.Chain(http.HandlerFunc(m.sudoGetTokenFromAccountID), stdRoot...))