jschan/models/forms/login.js

'use strict';

const bcrypt = require('bcrypt')
	, dynamicResponse = require(__dirname+'/../../lib/misc/dynamic.js')
	, { Accounts } = require(__dirname+'/../../db/');

module.exports = async (req, res) => {

	const username = req.body.username.toLowerCase();
	const password = req.body.password;
	let goto = req.body.goto;
	// we don't want to redirect the user to random sites
	if (goto == null || !/^\/[0-9a-zA-Z][0-9a-zA-Z._/-]*$/.test(goto)) {
		goto = '/account.html';
	}
	const failRedirect = `/login.html${goto ? '?goto='+encodeURIComponent(goto) : ''}`;

	//fetch an account
	const account = await Accounts.findOne(username);

	//if the account doesnt exist, reject
	if (!account) {
		return dynamicResponse(req, res, 403, 'message', {
			'title': 'Forbidden',
			'message': 'Incorrect username or password',
			'redirect': failRedirect
		});
	}

	// bcrypt compare input to saved hash
	const passwordMatch = await bcrypt.compare(password, account.passwordHash);

	//if hashes matched
	if (passwordMatch === true) {

		// add the account to the session and authenticate if password was correct
		req.session.user = account._id;

		//successful login
		await Accounts.updateLastActiveDate(username);
		return res.redirect(goto);

	}

	return dynamicResponse(req, res, 403, 'message', {
		'title': 'Forbidden',
		'message': 'Incorrect username or password',
		'redirect': failRedirect
	});

};
Basic registration and login with model and controllers 5 years ago			`'use strict';`

			`const bcrypt = require('bcrypt')`
"helpers" -> "lib god help anybody who gets serious merge conflicts from this close #434 2 years ago			`, dynamicResponse = require(__dirname+'/../../lib/misc/dynamic.js')`
add db index file and destructure to reduce repetitive imports 5 years ago			`, { Accounts } = require(__dirname+'/../../db/');`
Basic registration and login with model and controllers 5 years ago
eslint lib, migrations, db, models, test, schedules and root dir 2 years ago			`module.exports = async (req, res) => {`
Basic registration and login with model and controllers 5 years ago
			`const username = req.body.username.toLowerCase();`
			`const password = req.body.password;`
safer redirects with login/logout * properly escape goto parameter * do not redirect to anywhere, only to the same server, no query parameters This should still allow valid targets, like `/account.html`, `/boardname/manage/whatever` while disallow things like `https://othersite.com`. 4 years ago			`let goto = req.body.goto;`
			`// we don't want to redirect the user to random sites`
			`if (goto == null \|\| !/^\/[0-9a-zA-Z][0-9a-zA-Z._/-]*$/.test(goto)) {`
			`goto = '/account.html';`
			`}`
eslint lib, migrations, db, models, test, schedules and root dir 2 years ago			const failRedirect = `/login.html${goto ? '?goto='+encodeURIComponent(goto) : ''}`;
Basic registration and login with model and controllers 5 years ago
			`//fetch an account`
refactor, all orm controllers now separate ^-^ 5 years ago			`const account = await Accounts.findOne(username);`
Basic registration and login with model and controllers 5 years ago
			`//if the account doesnt exist, reject`
			`if (!account) {`
dynamicresponse everything 4 years ago			`return dynamicResponse(req, res, 403, 'message', {`
Basic registration and login with model and controllers 5 years ago			`'title': 'Forbidden',`
			`'message': 'Incorrect username or password',`
redirect to correct page on login or manage 5 years ago			`'redirect': failRedirect`
Basic registration and login with model and controllers 5 years ago			`});`
			`}`

			`// bcrypt compare input to saved hash`
refactor, all orm controllers now separate ^-^ 5 years ago			`const passwordMatch = await bcrypt.compare(password, account.passwordHash);`
Basic registration and login with model and controllers 5 years ago
			`//if hashes matched`
			`if (passwordMatch === true) {`

			`// add the account to the session and authenticate if password was correct`
remove unnecessary user object from session It only had a single property, username. 4 years ago			`req.session.user = account._id;`
Basic registration and login with model and controllers 5 years ago
			`//successful login`
show last active date for accounts in globalnamage accounts page close #236 NOTE: based on last time session was refreshed and updated from db ~1h, or when a user logs in 4 years ago			`await Accounts.updateLastActiveDate(username);`
accounts page, list owned and mod boards in accounts, show on global manage and accounts page 5 years ago			`return res.redirect(goto);`
Basic registration and login with model and controllers 5 years ago
			`}`

dynamicresponse everything 4 years ago			`return dynamicResponse(req, res, 403, 'message', {`
Basic registration and login with model and controllers 5 years ago			`'title': 'Forbidden',`
			`'message': 'Incorrect username or password',`
redirect to correct page on login or manage 5 years ago			`'redirect': failRedirect`
Basic registration and login with model and controllers 5 years ago			`});`

eslint lib, migrations, db, models, test, schedules and root dir 2 years ago			`};`