Merge branch 'master' of github.com:coralproject/talk into passport

This commit is contained in:
Belen Curcio
2016-11-18 06:08:23 -03:00
12 changed files with 233 additions and 82 deletions
+1 -1
View File
@@ -1,7 +1,7 @@
root = true
[*]
indent_style = tab
indent_style = space
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
-24
View File
@@ -106,27 +106,3 @@ export const logout = () => dispatch => {
.catch(error => dispatch(logOutFailure(error)));
};
// Availability Checks Actions
const availabilityRequest = () => ({type: actions.FETCH_AVAILABILITY_REQUEST});
const availabilitySuccess = () => ({type: actions.FETCH_AVAILABILITY_SUCCESS});
const availabilityFailure = () => ({type: actions.FETCH_AVAILABILITY_FAILURE});
const availableField = field => ({type: actions.AVAILABLE_FIELD, field});
const unavailableField = field => ({type: actions.UNAVAILABLE_FIELD, field});
export const fetchCheckAvailability = formData => dispatch => {
dispatch(availabilityRequest());
fetch(`${base}/user/availability`, getInit('POST', formData))
.then(handleResp)
.then(({status}) => {
const [field] = Object.keys(formData);
dispatch(availabilitySuccess());
if (status === 'available') {
return dispatch(availableField(field));
}
return dispatch(unavailableField(field));
})
.catch((error) => availabilityFailure(error));
};
-6
View File
@@ -66,12 +66,6 @@ export default function auth (state = initialState, action) {
return state
.set('loggedIn', false)
.set('user', null);
case actions.AVAILABLE_FIELD:
return state
.set(`${action.field}Available`, true);
case actions.UNAVAILABLE_FIELD:
return state
.set(`${action.field}Available`, false);
default :
return state;
}
+7
View File
@@ -1,6 +1,13 @@
const mongoose = require('../mongoose');
const Schema = mongoose.Schema;
/**
* this Schema manages application settings that get used on front- and backend
* NOTE: when you set a setting here, it will not automatically be exposed to
* the front end. You must add it to the whitelist in the settings route
* in /routes/api/settings/index.js
* @type {Schema}
*/
const SettingSchema = new Schema({
id: {type: String, default: '1'},
moderation: {type: String, enum: ['pre', 'post'], default: 'pre'},
+67 -17
View File
@@ -1,6 +1,7 @@
const mongoose = require('../mongoose');
const uuid = require('uuid');
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
// SALT_ROUNDS is the number of rounds that the bcrypt algorithm will run
// through during the salting process.
@@ -12,6 +13,13 @@ const USER_ROLES = [
'moderator'
];
if (!process.env.TALK_SESSION_SECRET) {
throw new Error('\n////////////////////////////////////////////////////////////\n' +
'/// TALK_SESSION_SECRET must be defined to encode ///\n' +
'/// JSON Web Tokens and other auth functionality ///\n' +
'////////////////////////////////////////////////////////////');
}
// UserSchema is the mongoose schema defined as the representation of a User in
// MongoDB.
const UserSchema = new mongoose.Schema({
@@ -130,10 +138,14 @@ const UserService = module.exports = {};
* @param {Function} done [description]
*/
UserService.findLocalUser = (email, password) => {
if (!email || typeof email !== 'string') {
return Promise.reject('email is required for findLocalUser');
}
return UserModel.findOne({
profiles: {
$elemMatch: {
id: email,
id: email.toLowerCase(),
provider: 'local'
}
}
@@ -237,6 +249,7 @@ UserService.changePassword = (id, password) => {
})
.then((hashedPassword) => {
return UserModel.update({id}, {
$inc: {__v: 1},
$set: {
password: hashedPassword
}
@@ -268,6 +281,8 @@ UserService.createLocalUser = (email, password, displayName) => {
return Promise.reject('email is required');
}
email = email.toLowerCase();
if (!password) {
return Promise.reject('password is required');
}
@@ -393,6 +408,57 @@ UserService.findByIdArray = (ids) => {
});
};
/**
* Creates a JWT from a user email. Only works for local accounts.
* @param {String} email of the local user
*/
UserService.createPasswordResetToken = function (email) {
if (!email || typeof email !== 'string') {
return Promise.reject('email is required when creating a JWT for resetting passord');
}
email = email.toLowerCase();
return UserModel.findOne({profiles: {$elemMatch: {id: email}}})
.then(user => {
if (user === null) {
// since we don't want to reveal that the email does/doesn't exist
// just go ahead and resolve the Promise with null and check in the endpoint
return Promise.resolve(null);
}
const payload = {email, jti: uuid.v4(), userId: user.id, version: user.__v};
const token = jwt.sign(payload, process.env.TALK_SESSION_SECRET, {expiresIn: '1d'});
return token;
});
};
/**
* verifies a jwt and returns the associated user
* @param {String} token the JSON Web Token to verify
*/
UserService.verifyPasswordResetToken = token => {
return new Promise((resolve, reject) => {
jwt.verify(token, process.env.TALK_SESSION_SECRET, (error, decoded) => {
if (error) {
return reject(error);
}
resolve(decoded);
});
})
.then(decoded => {
/**
* TODO: check the jti from this decoded token in redis
* and make an entry if it does not exist.
* reject if entry already exists.
*/
return UserService.findById(decoded.userId);
});
};
/**
* Finds a user using a value which gets compared using a prefix match against
* the user's email address and/or their display name.
@@ -427,22 +493,6 @@ UserService.search = (value) => {
});
};
/**
* Finds users by email and returns the count. The result should be 1 or 0 (bool) indicating email availability
* @param {String} email to search by
* @return {Promise}
*/
UserService.availabilityCheck = (email) => {
return UserModel.count({
profiles: {
$elemMatch: {
id: email,
provider: 'local'
}
}
});
};
/**
* Returns a count of the current users.
* @return {Promise}
+6 -13
View File
@@ -16,13 +16,8 @@
"config": {
"pre-git": {
"commit-msg": [],
"pre-commit": [
"npm run lint",
"npm test"
],
"pre-push": [
"npm test"
],
"pre-commit": ["npm run lint", "npm test"],
"pre-push": ["npm test"],
"post-commit": [],
"post-merge": []
}
@@ -31,12 +26,7 @@
"type": "git",
"url": "git+https://github.com/coralproject/talk.git"
},
"keywords": [
"talk",
"coral",
"coralproject",
"ask"
],
"keywords": ["talk", "coral", "coralproject", "ask"],
"author": "",
"license": "Apache-2.0",
"bugs": {
@@ -55,11 +45,14 @@
"express-session": "^1.14.2",
"helmet": "^3.1.0",
"lodash.debounce": "^4.0.8",
"jsonwebtoken": "^7.1.9",
"lodash": "^4.16.6",
"mongoose": "^4.6.5",
"morgan": "^1.7.0",
"passport": "^0.3.2",
"passport-facebook": "^2.1.1",
"passport-local": "^1.0.0",
"nodemailer": "^2.6.4",
"prompt": "^1.0.0",
"redis": "^2.6.3",
"uuid": "^2.0.3"
+5 -1
View File
@@ -1,11 +1,15 @@
const express = require('express');
const router = express.Router();
router.get('/embed/stream/preview', (req, res) => {
res.render('embed-stream', {basePath: '/client/embed/stream'});
});
router.get('/password-reset/:token', (req, res, next) => {
// render a page or something?
res.send('ok');
});
router.get('*', (req, res) => {
res.render('admin', {basePath: '/client/coral-admin'});
});
+5 -1
View File
@@ -1,3 +1,4 @@
const _ = require('lodash');
const express = require('express');
const router = express.Router();
const Setting = require('../../../models/setting');
@@ -5,7 +6,10 @@ const Setting = require('../../../models/setting');
router.get('/', (req, res, next) => {
Setting
.getSettings()
.then(settings => res.json(settings))
.then(settings => {
const whitelist = ['moderation'];
res.json(_.pick(settings, whitelist));
})
.catch(next);
});
+69 -18
View File
@@ -1,6 +1,12 @@
const express = require('express');
const router = express.Router();
const User = require('../../../models/user');
const mailer = require('../../../services/mailer');
const ejs = require('ejs');
const fs = require('fs');
const path = require('path');
const resetEmailFile = fs.readFileSync(path.resolve(__dirname, '../../../views/password-reset-email.ejs'));
const resetEmailTemplate = ejs.compile(resetEmailFile.toString());
router.get('/', (req, res, next) => {
const {
@@ -52,6 +58,69 @@ router.post('/:user_id/role', (req, res, next) => {
.catch(next);
});
/**
* expects 2 fields in the body of the request
* 1) the token that was in the url of the email link {String}
* 2) the new password {String}
*/
router.post('/update-password', (req, res, next) => {
const {token, password} = req.body;
User.verifyPasswordResetToken(token)
.then(user => {
return User.changePassword(user.id, password);
})
.then(() => {
res.status(204).end();
})
.catch(error => {
console.error(error);
res.status(401).send('Not Authorized');
});
});
/**
* this endpoint takes an email (username) and checks if it belongs to a User account
* if it does, create a JWT and send an email
*/
router.post('/request-password-reset', (req, res, next) => {
const {email} = req.body;
if (!email) {
return next();
}
User
.createPasswordResetToken(email)
.then(token => {
if (token === null) {
return Promise.resolve('the email was not found in the db.');
}
const options = {
subject: 'Password Reset Requested - Talk',
from: 'noreply@coralproject.net',
to: email,
html: resetEmailTemplate({
token,
// probably more clear to explicitly pass this
rootURL: process.env.TALK_ROOT_URL
})
};
return mailer.sendSimple(options);
})
.then(() => {
// we want to send a 204 regardless of the user being found in the db
// if we fail on missing emails, it would reveal if people are registered or not.
res.status(204).send('OK');
})
.catch(error => {
const errorMsg = typeof error === 'string' ? error : error.message;
res.status(500).json({error: errorMsg});
});
});
router.post('/', (req, res, next) => {
const {email, password, displayName} = req.body;
@@ -65,22 +134,4 @@ router.post('/', (req, res, next) => {
});
});
router.post('/availability', (req, res, next) => {
const {email} = req.body;
if (email) {
return User.availabilityCheck(email)
.then(count => {
if (count) {
return res.json({status: 'unavailable'});
}
return res.json({status: 'available'});
})
.catch(err => {
next(err);
});
}
return res.status(404).send('Wrong parameters');
});
module.exports = router;
+36
View File
@@ -0,0 +1,36 @@
const nodemailer = require('nodemailer');
if (!process.env.TALK_SMTP_CONNECTION_URL) {
throw new Error('\n///////////////////////////////////////////////////////////////\n' +
'/// TALK_SMTP_CONNECTION_URL should be defined if you would ///\n' +
'/// like to send password reset emails from Talk ///\n' +
'///////////////////////////////////////////////////////////////');
}
const transporter = nodemailer.createTransport(process.env.TALK_SMTP_CONNECTION_URL);
const mailer = {
/**
* sendSimple
*
* @param {Object} {from, to, subject, text = '', html = ''}
* @returns
*/
sendSimple ({from, to, subject, text = '', html = ''}) {
return new Promise((resolve, reject) => {
if (!from) {
reject('sendSimple requires a from address');
}
if (!to) {
reject('sendSimple requires a comma-separated list of "to" addresses');
}
if (!subject) {
reject('sendSimple requires a subject for the email');
}
return resolve(transporter.sendMail({from, to, subject, text, html}));
});
}
};
module.exports = mailer;
+31 -1
View File
@@ -162,6 +162,36 @@ paths:
responses:
204:
description: OK
/user/request-password-reset:
post:
tags:
- Users
description: trigger a reset password email. sends a success code whether email was found or no.
responses:
204:
description: OK
/user/update-password:
post:
tags:
- Users
description: Update existing user password
parameters:
- name: token
type: string
in: body
description: JSON Web token taken taken from emailed link
required: true
- name: password
type: string
in: body
description: new password to be settings
required: true
responses:
204:
description: OK
/asset:
get:
tags:
@@ -276,7 +306,7 @@ definitions:
description: A summary of the asset, inferred on initial load.
section:
type: string
description: The section the asset is in.
description: The section the asset is in.
subsection:
type: string
description: The subsection that the asset is in.
+6
View File
@@ -0,0 +1,6 @@
<!-- extremely naive implementation of a password reset email -->
<p>We received a request to reset your password. If you did not request this change, you can ignore this email.<br />
If you did, <a href="<%= rootURL %>/admin/password-reset/<%= token %>">please click here to reset password</a>.</p>
<% if (process.env.NODE_ENV !== 'production') { %>
<p style="color: red"><%= token %></p>
<% } %>