kamp/anything-llm
1
0
Fork 0
mirror of https://github.com/Mintplex-Labs/anything-llm.git synced 2024-11-11 09:10:13 +01:00
Code Issues Packages Projects Releases Wiki Activity
0935127fd9
anything-llm/server/utils/PasswordRecovery/index.js
Timothy Carambat 1b35bcbeab
Strengthen field validations on user Updates (#1201) 
* Strengthen field validations on user Updates

* update writables
2024-04-26 16:46:04 -07:00

104 lines
3.4 KiB
JavaScript
Raw Blame History

const bcrypt = require("bcrypt");
const { v4, validate } = require("uuid");
const { User } = require("../../models/user");
const {
RecoveryCode,
PasswordResetToken,
} = require("../../models/passwordRecovery");
async function generateRecoveryCodes(userId) {
const newRecoveryCodes = [];
const plainTextCodes = [];
for (let i = 0; i < 4; i++) {
const code = v4();
const hashedCode = bcrypt.hashSync(code, 10);
newRecoveryCodes.push({
user_id: userId,
code_hash: hashedCode,
});
plainTextCodes.push(code);
}
const { error } = await RecoveryCode.createMany(newRecoveryCodes);
if (!!error) throw new Error(error);
const { user: success } = await User._update(userId, {
seen_recovery_codes: true,
});
if (!success) throw new Error("Failed to generate user recovery codes!");
return plainTextCodes;
}
async function recoverAccount(username = "", recoveryCodes = []) {
const user = await User.get({ username: String(username) });
if (!user) return { success: false, error: "Invalid recovery codes." };
// If hashes do not exist for a user
// because this is a user who has not logged out and back in since upgrade.
const allUserHashes = await RecoveryCode.hashesForUser(user.id);
if (allUserHashes.length < 4)
return { success: false, error: "Invalid recovery codes" };
// If they tried to send more than two unique codes, we only take the first two
const uniqueRecoveryCodes = [...new Set(recoveryCodes)]
.map((code) => code.trim())
.filter((code) => validate(code)) // we know that any provided code must be a uuid v4.
.slice(0, 2);
if (uniqueRecoveryCodes.length !== 2)
return { success: false, error: "Invalid recovery codes." };
const validCodes = uniqueRecoveryCodes.every((code) => {
let valid = false;
allUserHashes.forEach((hash) => {
if (bcrypt.compareSync(code, hash)) valid = true;
});
return valid;
});
if (!validCodes) return { success: false, error: "Invalid recovery codes" };
const { passwordResetToken, error } = await PasswordResetToken.create(
user.id
);
if (!!error) return { success: false, error };
return { success: true, resetToken: passwordResetToken.token };
}
async function resetPassword(token, _newPassword = "", confirmPassword = "") {
const newPassword = String(_newPassword).trim(); // No spaces in passwords
if (!newPassword) throw new Error("Invalid password.");
if (newPassword !== String(confirmPassword))
throw new Error("Passwords do not match");
const resetToken = await PasswordResetToken.findUnique({
token: String(token),
});
if (!resetToken || resetToken.expiresAt < new Date()) {
return { success: false, message: "Invalid reset token" };
}
// JOI password rules will be enforced inside .update.
const { error } = await User.update(resetToken.user_id, {
password: newPassword,
});
// seen_recovery_codes is not publicly writable
// so we have to do direct update here
await User._update(resetToken.user_id, {
seen_recovery_codes: false,
});
if (error) return { success: false, message: error };
await PasswordResetToken.deleteMany({ user_id: resetToken.user_id });
await RecoveryCode.deleteMany({ user_id: resetToken.user_id });
// New codes are provided on first new login.
return { success: true, message: "Password reset successful" };
}
module.exports = {
recoverAccount,
resetPassword,
generateRecoveryCodes,
};
Reference in New Issue View Git Blame Copy Permalink