src/user/reset.js

'use strict';

const nconf = require('nconf');
const winston = require('winston');

const user = require('./index');
const groups = require('../groups');
const utils = require('../utils');
const batch = require('../batch');

const db = require('../database');
const meta = require('../meta');
const emailer = require('../emailer');
const Password = require('../password');

const UserReset = module.exports;

const twoHours = 7200000;

UserReset.minSecondsBetweenEmails = 60;

UserReset.validate = async function (code) {
	const uid = await db.getObjectField('reset:uid', code);
	if (!uid) {
		return false;
	}
	const issueDate = await db.sortedSetScore('reset:issueDate', code);
	return parseInt(issueDate, 10) > Date.now() - twoHours;
};

UserReset.generate = async function (uid) {
	const code = utils.generateUUID();

	// Invalidate past tokens (must be done prior)
	await UserReset.cleanByUid(uid);

	await Promise.all([
		db.setObjectField('reset:uid', code, uid),
		db.sortedSetAdd('reset:issueDate', Date.now(), code),
	]);
	return code;
};

UserReset.send = async function (email) {
	const uid = await user.getUidByEmail(email);
	if (!uid) {
		throw new Error('[[error:invalid-email]]');
	}
	await lockReset(uid, '[[error:reset-rate-limited]]');
	try {
		await canGenerate(uid);
		await db.sortedSetAdd('reset:issueDate:uid', Date.now(), uid);
		const code = await UserReset.generate(uid);
		await emailer.send('reset', uid, {
			reset_link: `${nconf.get('url')}/reset/${code}`,
			subject: '[[email:password-reset-requested]]',
			template: 'reset',
			uid: uid,
		}).catch(err => winston.error(`[emailer.send] ${err.stack}`));

		return code;
	} finally {
		db.deleteObjectField('locks', `reset${uid}`);
	}
};

async function lockReset(uid, error) {
	const value = `reset${uid}`;
	const count = await db.incrObjectField('locks', value);
	if (count > 1) {
		throw new Error(error);
	}
	return value;
}

async function canGenerate(uid) {
	const score = await db.sortedSetScore('reset:issueDate:uid', uid);
	if (score > Date.now() - (UserReset.minSecondsBetweenEmails * 1000)) {
		throw new Error('[[error:reset-rate-limited]]');
	}
}

UserReset.commit = async function (code, password) {
	user.isPasswordValid(password);
	const validated = await UserReset.validate(code);
	if (!validated) {
		throw new Error('[[error:reset-code-not-valid]]');
	}
	const uid = await db.getObjectField('reset:uid', code);
	if (!uid) {
		throw new Error('[[error:reset-code-not-valid]]');
	}
	const userData = await db.getObjectFields(
		`user:${uid}`,
		['password', 'passwordExpiry', 'password:shaWrapped']
	);
	const ok = await Password.compare(password, userData.password, !!parseInt(userData['password:shaWrapped'], 10));
	if (ok) {
		throw new Error('[[error:reset-same-password]]');
	}
	const hash = await user.hashPassword(password);
	const data = {
		password: hash,
		'password:shaWrapped': 1,
	};

	// don't verify email if password reset is due to expiry
	const isPasswordExpired = userData.passwordExpiry && userData.passwordExpiry < Date.now();
	if (!isPasswordExpired) {
		data['email:confirmed'] = 1;
		await groups.join('verified-users', uid);
		await groups.leave('unverified-users', uid);
	}

	await Promise.all([
		user.setUserFields(uid, data),
		db.deleteObjectField('reset:uid', code),
		db.sortedSetRemoveBulk([
			['reset:issueDate', code],
			['reset:issueDate:uid', uid],
		]),
		user.reset.updateExpiry(uid),
		user.auth.resetLockout(uid),
		user.auth.revokeAllSessions(uid),
		user.email.expireValidation(uid),
	]);
};

UserReset.updateExpiry = async function (uid) {
	const expireDays = meta.config.passwordExpiryDays;
	if (expireDays > 0) {
		const oneDay = 1000 * 60 * 60 * 24;
		const expiry = Date.now() + (oneDay * expireDays);
		await user.setUserField(uid, 'passwordExpiry', expiry);
	} else {
		await db.deleteObjectField(`user:${uid}`, 'passwordExpiry');
	}
};

UserReset.clean = async function () {
	const tokens = await db.getSortedSetRangeByScore('reset:issueDate', 0, -1, '-inf', Date.now() - twoHours);
	if (!tokens.length) {
		return;
	}

	winston.verbose(`[UserReset.clean] Removing ${tokens.length} reset tokens from database`);
	await cleanTokens(tokens);
};

UserReset.cleanByUid = async function (uid) {
	const tokensToClean = [];
	uid = parseInt(uid, 10);

	await batch.processSortedSet('reset:issueDate', async (tokens) => {
		const results = await db.getObjectFields('reset:uid', tokens);
		for (const [code, result] of Object.entries(results)) {
			if (parseInt(result, 10) === uid) {
				tokensToClean.push(code);
			}
		}
	}, { batch: 500 });

	if (!tokensToClean.length) {
		winston.verbose(`[UserReset.cleanByUid] No tokens found for uid (${uid}).`);
		return;
	}

	winston.verbose(`[UserReset.cleanByUid] Found ${tokensToClean.length} token(s), removing...`);
	await Promise.all([
		cleanTokens(tokensToClean),
		db.deleteObjectField('locks', `reset${uid}`),
	]);
};

async function cleanTokens(tokens) {
	await Promise.all([
		db.deleteObjectFields('reset:uid', tokens),
		db.sortedSetRemove('reset:issueDate', tokens),
	]);
}
refactored user.js took out notifications, email and reset code to separate files 2014-03-12 18:00:27 -04:00			`'use strict';`

fix: #8781 2020-10-21 16:30:14 -04:00			`const nconf = require('nconf');`
			`const winston = require('winston');`
refactored user.js took out notifications, email and reset code to separate files 2014-03-12 18:00:27 -04:00
fix: #8781 2020-10-21 16:30:14 -04:00			`const user = require('./index');`
Admin/users (#8762) * feat: wip admin/users * feat: more work * feat: more fixes * feat: #8662, verified/unverified user groups * feat: add filter * feat: change user search to use filters array * refactor: remove unused search call * fix: tests * fix: cant join system groups * fix: upgrade script 2020-10-13 22:42:50 -04:00			`const groups = require('../groups');`
fix: #8781 2020-10-21 16:30:14 -04:00			`const utils = require('../utils');`
			`const batch = require('../batch');`
refactored user.js took out notifications, email and reset code to separate files 2014-03-12 18:00:27 -04:00
fix: #8781 2020-10-21 16:30:14 -04:00			`const db = require('../database');`
			`const meta = require('../meta');`
			`const emailer = require('../emailer');`
fix: #8991, logout on password reset, dont verify email if password expired dont allow same password on reset 2020-11-29 21:55:07 -05:00			`const Password = require('../password');`
refactored user.js took out notifications, email and reset code to separate files 2014-03-12 18:00:27 -04:00
fix: #8781 2020-10-21 16:30:14 -04:00			`const UserReset = module.exports;`
style changes 2017-05-27 01:44:26 -04:00
fix: #8781 2020-10-21 16:30:14 -04:00			`const twoHours = 7200000;`
style changes 2017-05-27 01:44:26 -04:00
Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`UserReset.minSecondsBetweenEmails = 60;`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.validate = async function (code) {`
			`const uid = await db.getObjectField('reset:uid', code);`
			`if (!uid) {`
			`return false;`
			`}`
			`const issueDate = await db.sortedSetScore('reset:issueDate', code);`
			`return parseInt(issueDate, 10) > Date.now() - twoHours;`
style changes 2017-05-27 01:44:26 -04:00			`};`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.generate = async function (uid) {`
			`const code = utils.generateUUID();`
fix: #9605, expire all active reset tokens for a uid if that uid generates a new one 2021-06-11 14:38:56 -04:00
			`// Invalidate past tokens (must be done prior)`
			`await UserReset.cleanByUid(uid);`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`await Promise.all([`
			`db.setObjectField('reset:uid', code, uid),`
			`db.sortedSetAdd('reset:issueDate', Date.now(), code),`
			`]);`
			`return code;`
style changes 2017-05-27 01:44:26 -04:00			`};`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.send = async function (email) {`
			`const uid = await user.getUidByEmail(email);`
			`if (!uid) {`
			`throw new Error('[[error:invalid-email]]');`
			`}`
Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`await lockReset(uid, '[[error:reset-rate-limited]]');`
			`try {`
			`await canGenerate(uid);`
			`await db.sortedSetAdd('reset:issueDate:uid', Date.now(), uid);`
			`const code = await UserReset.generate(uid);`
			`await emailer.send('reset', uid, {`
			reset_link: `${nconf.get('url')}/reset/${code}`,
			`subject: '[[email:password-reset-requested]]',`
			`template: 'reset',`
			`uid: uid,`
			}).catch(err => winston.error(`[emailer.send] ${err.stack}`));

			`return code;`
			`} finally {`
			db.deleteObjectField('locks', `reset${uid}`);
			`}`
style changes 2017-05-27 01:44:26 -04:00			`};`

Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`async function lockReset(uid, error) {`
			const value = `reset${uid}`;
			`const count = await db.incrObjectField('locks', value);`
			`if (count > 1) {`
			`throw new Error(error);`
			`}`
			`return value;`
			`}`

			`async function canGenerate(uid) {`
			`const score = await db.sortedSetScore('reset:issueDate:uid', uid);`
			`if (score > Date.now() - (UserReset.minSecondsBetweenEmails * 1000)) {`
			`throw new Error('[[error:reset-rate-limited]]');`
			`}`
			`}`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.commit = async function (code, password) {`
refactor: remove async from isPasswordValid, function is sync 2019-09-11 00:28:42 -04:00			`user.isPasswordValid(password);`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`const validated = await UserReset.validate(code);`
			`if (!validated) {`
			`throw new Error('[[error:reset-code-not-valid]]');`
			`}`
			`const uid = await db.getObjectField('reset:uid', code);`
			`if (!uid) {`
			`throw new Error('[[error:reset-code-not-valid]]');`
			`}`
fix: #8991, logout on password reset, dont verify email if password expired dont allow same password on reset 2020-11-29 21:55:07 -05:00			`const userData = await db.getObjectFields(`
chore: eslint prefer-template 2021-02-03 23:59:08 -07:00			`user:${uid}`,
fix: #8991, logout on password reset, dont verify email if password expired dont allow same password on reset 2020-11-29 21:55:07 -05:00			`['password', 'passwordExpiry', 'password:shaWrapped']`
			`);`
			`const ok = await Password.compare(password, userData.password, !!parseInt(userData['password:shaWrapped'], 10));`
			`if (ok) {`
			`throw new Error('[[error:reset-same-password]]');`
			`}`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`const hash = await user.hashPassword(password);`
fix: #8991, logout on password reset, dont verify email if password expired dont allow same password on reset 2020-11-29 21:55:07 -05:00			`const data = {`
			`password: hash,`
			`'password:shaWrapped': 1,`
			`};`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00
fix: #8991, logout on password reset, dont verify email if password expired dont allow same password on reset 2020-11-29 21:55:07 -05:00			`// don't verify email if password reset is due to expiry`
			`const isPasswordExpired = userData.passwordExpiry && userData.passwordExpiry < Date.now();`
			`if (!isPasswordExpired) {`
refactor: tab rules 2021-11-18 16:42:18 -05:00			`data['email:confirmed'] = 1;`
fix: #8991, logout on password reset, dont verify email if password expired dont allow same password on reset 2020-11-29 21:55:07 -05:00			`await groups.join('verified-users', uid);`
			`await groups.leave('unverified-users', uid);`
			`}`
chore: org; merge consecutive await calls into one Promise.all 2022-01-12 11:08:34 -05:00
			`await Promise.all([`
			`user.setUserFields(uid, data),`
			`db.deleteObjectField('reset:uid', code),`
			`db.sortedSetRemoveBulk([`
			`['reset:issueDate', code],`
			`['reset:issueDate:uid', uid],`
			`]),`
			`user.reset.updateExpiry(uid),`
			`user.auth.resetLockout(uid),`
feat: revoke user sessions on successful password reset 2022-01-12 11:09:02 -05:00			`user.auth.revokeAllSessions(uid),`
chore: org; merge consecutive await calls into one Promise.all 2022-01-12 11:08:34 -05:00			`user.email.expireValidation(uid),`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`]);`
style changes 2017-05-27 01:44:26 -04:00			`};`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.updateExpiry = async function (uid) {`
			`const expireDays = meta.config.passwordExpiryDays;`
fix: remove unused data from post/topic/user hashes 2019-10-07 23:13:43 -04:00			`if (expireDays > 0) {`
fix: #8781 2020-10-21 16:30:14 -04:00			`const oneDay = 1000 * 60 * 60 * 24;`
			`const expiry = Date.now() + (oneDay * expireDays);`
fix: remove unused data from post/topic/user hashes 2019-10-07 23:13:43 -04:00			`await user.setUserField(uid, 'passwordExpiry', expiry);`
fix: #8781 2020-10-21 16:30:14 -04:00			`} else {`
chore: eslint prefer-template 2021-02-03 23:59:08 -07:00			await db.deleteObjectField(`user:${uid}`, 'passwordExpiry');
fix: remove unused data from post/topic/user hashes 2019-10-07 23:13:43 -04:00			`}`
style changes 2017-05-27 01:44:26 -04:00			`};`

feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.clean = async function () {`
Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`const tokens = await db.getSortedSetRangeByScore('reset:issueDate', 0, -1, '-inf', Date.now() - twoHours);`
			`if (!tokens.length) {`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`return;`
			`}`

chore: eslint prefer-template 2021-02-03 23:59:08 -07:00			winston.verbose(`[UserReset.clean] Removing ${tokens.length} reset tokens from database`);
Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`await cleanTokens(tokens);`
style changes 2017-05-27 01:44:26 -04:00			`};`
remove reset tokens if target user email changes 2017-08-16 14:36:51 -04:00
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`UserReset.cleanByUid = async function (uid) {`
			`const tokensToClean = [];`
remove reset tokens if target user email changes 2017-08-16 14:36:51 -04:00			`uid = parseInt(uid, 10);`

chore: eslint prefer-arrow-callback 2021-02-04 00:01:39 -07:00			`await batch.processSortedSet('reset:issueDate', async (tokens) => {`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`const results = await db.getObjectFields('reset:uid', tokens);`
chore: eslint no-restricted-syntax 2021-02-04 01:34:30 -07:00			`for (const [code, result] of Object.entries(results)) {`
			`if (parseInt(result, 10) === uid) {`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`tokensToClean.push(code);`
remove reset tokens if target user email changes 2017-08-16 14:36:51 -04:00			`}`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`}`
			`}, { batch: 500 });`
remove reset tokens if target user email changes 2017-08-16 14:36:51 -04:00
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`if (!tokensToClean.length) {`
chore: eslint prefer-template 2021-02-03 23:59:08 -07:00			winston.verbose(`[UserReset.cleanByUid] No tokens found for uid (${uid}).`);
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`return;`
			`}`

chore: eslint prefer-template 2021-02-03 23:59:08 -07:00			winston.verbose(`[UserReset.cleanByUid] Found ${tokensToClean.length} token(s), removing...`);
Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`await Promise.all([`
			`cleanTokens(tokensToClean),`
			db.deleteObjectField('locks', `reset${uid}`),
			`]);`
remove reset tokens if target user email changes 2017-08-16 14:36:51 -04:00			`};`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00
Fix for #11119, restore password reset rate limiting (#11120) * chore: incrementing version number - v2.8.1 * chore: update changelog for v2.8.1 * fix: accidental clearing of reset rate limiting on reset send * test: move user reset tests to its own file, add failing test for user reset locks * fix: #11119, counter attempted flooding of user reset route * test: fix password reset socket test to check for error now * test: same user sending multiple reset emails should work after waiting the correct amount of time * lint: fixes * chore: rename outdated `cleanTokensAndUids` method * test: no need to create user for new test Co-authored-by: Misty Release Bot <deploy@nodebb.org> Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2023-01-04 11:24:46 -05:00			`async function cleanTokens(tokens) {`
feat: #7743, finish user module 2019-07-16 20:44:00 -04:00			`await Promise.all([`
			`db.deleteObjectFields('reset:uid', tokens),`
			`db.sortedSetRemove('reset:issueDate', tokens),`
			`]);`
			`}`