closes #14

5 years ago · 514b55a506
parent c1468e74a0
commit 514b55a506
6 changed files with 137 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 node_modules/
 configs/*.json
 uploads/img/*
+gulp/dist/
--- a/controllers/forms.js
+++ b/controllers/forms.js
@ -18,6 +18,7 @@ const express  = require('express')
 	, dismissReports = require(__dirname+'/../models/forms/dismiss-report.js')
 	, dismissGlobalReports = require(__dirname+'/../models/forms/dismissglobalreport.js')
 	, loginAccount = require(__dirname+'/../models/forms/login.js')
+	, changePassword = require(__dirname+'/../models/forms/changepassword.js')
 	, registerAccount = require(__dirname+'/../models/forms/register.js')
 	, hasPerms = require(__dirname+'/../helpers/haspermsmiddleware.js')
 	, numberConverter = require(__dirname+'/../helpers/number-converter.js')
@ -56,6 +57,58 @@ router.post('/login', (req, res, next) => {

 });

+//change password
+router.post('/changepassword', async (req, res, next) => {
+
+	const errors = [];
+
+	//check exist
+	if (!req.body.username || req.body.username.length <= 0) {
+		errors.push('Missing username');
+	}
+	if (!req.body.password || req.body.password.length <= 0) {
+		errors.push('Missing password');
+	}
+	if (!req.body.newpassword || req.body.newpassword.length <= 0) {
+		errors.push('Missing new password');
+	}
+	if (!req.body.newpasswordconfirm || req.body.newpasswordconfirm.length <= 0) {
+		errors.push('Missing new password confirmation');
+	}
+
+	//check too long
+	if (req.body.username && req.body.username.length > 50) {
+		errors.push('Username must be 50 characters or less');
+	}
+	if (req.body.password && req.body.password.length > 100) {
+		errors.push('Password must be 100 characters or less');
+	}
+	if (req.body.newpassword && req.body.newpassword.length > 100) {
+		errors.push('Password must be 100 characters or less');
+	}
+	if (req.body.newpasswordconfirm && req.body.newpasswordconfirm.length > 100) {
+		errors.push('Password confirmation must be 100 characters or less');
+	}
+	if (req.body.newpassword != req.body.newpasswordconfirm) {
+		errors.push('New password and password confirmation must match');
+	}
+
+	if (errors.length > 0) {
+		return res.status(400).render('message', {
+			'title': 'Bad request',
+			'errors': errors,
+			'redirect': '/changepassword'
+		})
+	}
+
+	try {
+		await changePassword(req, res, next);
+	} catch (err) {
+		return next(err);
+	}
+
+});
+
 //register account
 router.post('/register', (req, res, next) => {

--- a/db/accounts.js
+++ b/db/accounts.js
@ -31,6 +31,17 @@ module.exports = {
 		});
 	},

+	changePassword: async (username, newPassword) => {
+		const passwordHash = await bcrypt.hash(newPassword, 12);
+		return db.updateOne({
+            '_id': username
+        }, {
+            '$set': {
+                'passwordHash': passwordHash
+            }
+        })
+	},
+
 	promoteUser: (username, newlevel) => {
 		//increase users auth level
 		return db.updateOne({
--- a/models/forms/changepassword.js
+++ b/models/forms/changepassword.js
@ -0,0 +1,40 @@
+'use strict';
+
+const bcrypt = require('bcrypt')
+	, Accounts = require(__dirname+'/../../db/accounts.js');
+
+module.exports = async (req, res, next) => {
+
+	const username = req.body.username.toLowerCase();
+	const password = req.body.password;
+	const newPassword = req.body.newpassword;
+
+	//fetch an account
+	const account = await Accounts.findOne(username);
+
+	//if the account doesnt exist, reject
+	if (!account) {
+		return res.status(403).render('message', {
+			'title': 'Forbidden',
+			'message': 'Incorrect username or password',
+			'redirect': redirect ? `/login?redirect=${redirect}` : '/changepassword'
+		});
+	}
+
+	// bcrypt compare input to saved hash
+	const passwordMatch = await bcrypt.compare(password, account.passwordHash);
+
+	//if hashes matched
+	if (passwordMatch === true) {
+		//change the password
+		await Accounts.changePassword(username, newPassword);
+		return res.redirect('/login');
+	}
+
+	return res.status(403).render('message', {
+		'title': 'Forbidden',
+		'message': 'Incorrect username or password',
+		'redirect': redirect ? `/login?redirect=${redirect}` : '/login'
+	});
+
+}
--- a/models/pages/changepassword.js
+++ b/models/pages/changepassword.js
@ -0,0 +1,10 @@
+'use strict';
+
+module.exports = (req, res, next) => {
+
+	//render the page
+	res.render('changepassword', {
+		csrf: req.csrfToken()
+	});
+
+}
--- a/views/pages/changepassword.pug
+++ b/views/pages/changepassword.pug
@ -0,0 +1,22 @@
+extends ../layout.pug
+
+block head
+	title Login
+
+block content
+	section.form-wrapper
+		form.form-post(action='/forms/changepassword' method='POST')
+			input(type='hidden' name='_csrf' value=csrf)
+			section.postform-section
+				.postform-label Username
+				input#username(type='text', name='username', placeholder='username' maxlength='50')
+			section.postform-section
+				.postform-label Existing Password
+				input#password(type='password', name='password', maxlength='100')
+			section.postform-section
+				.postform-label New Password
+				input#password(type='password', name='newpassword', maxlength='100')
+			section.postform-section
+				.postform-label Confirm New Password
+				input#password(type='password', name='newpasswordconfirm', maxlength='100')
+			input(type='submit', value='submit')