Merged in add-alternative-password-reset-url (pull request auth0#26)

Add alternative password reset url

Author: David Lenton

models/account.js

@@ -999,59 +999,63 @@ class User {
   sendReset(resetKey, options, done) {
     // Send the invitation
     const _this = this;
-    const subject = options.sitename + ': Reset password';
-    const message = '<p>You are receiving this email because you asked for your password to be reset for the ' +
-      options.sitename +
-      ' site. If you did not ask for your password to be reset you can ignore this email.</p>\n\n' +
-      // 'Your unique key: \n\n' +
-      // '\t' + obj.key + '\n\n' +
-      '<p>To reset your password follow the link below:</p>\n\n' +
-      '<p>\t' +
-      options.protocol +
-      '://' +
-      options.hostname +
-      '/account/reset/' +
-      this.ref +
-      '/' +
-      resetKey +
-      '/</p>\n\n<p>' +
-      options.email +
-      '<br>\nvia the ' +
-      options.sitename +
-      ' site</p>';
-    // HTML text
-    let htmlText = '';
-    const replacementsArray = [];
-    replacementsArray.push(['<!--PROTOCOL-->', options.protocol]);
-    replacementsArray.push(['<!--HOST-->', options.hostname]);
-    replacementsArray.push(['<!--SITENAME-->', options.sitename]);
-    replacementsArray.push(['<!--TITLE-->', subject]);
-    replacementsArray.push(['<!--BODY-->', message]);
-    replacementsArray.push(['<!--EMAIL-->', options.email]);
-    replacementsArray.push(['<!--CODA-->', '']);
-    replacementsArray.push([
-      '<p>',
-      '<p style="margin-bottom: 10px; font-weight: normal; font: 13px/ 18px Arial, sans-serif; color: #000000;">'
-    ]);
-    fs.readFile('./templates/mail/default.html', 'utf8', (err, f) => {
-      if (err)
-        debug(err);
-      htmlText = f;
-      for (let i = 0; i < replacementsArray.length; i++) {
-        const re = new RegExp(replacementsArray[i][0], 'gi');
-        htmlText = htmlText.replace(re, replacementsArray[i][1]);
-      }
-      // Plain text
-      const plainText = h2p(message);
-      const msg = {
-        to: _this.email,
-        from: options.email,
-        subject: subject,
-        text: plainText,
-        html: htmlText
-      };
-      sendMail(msg, options.hostname);
-      done(null);
+    settings.load(options.appId, (err, config) => {
+      if (err) console.log(err);
+      const host = config.web_host || options.hostname;
+      const subject = options.sitename + ': Reset password';
+      const message = '<p>You are receiving this email because you asked for your password to be reset for the ' +
+        options.sitename +
+        ' site. If you did not ask for your password to be reset you can ignore this email.</p>\n\n' +
+        // 'Your unique key: \n\n' +
+        // '\t' + obj.key + '\n\n' +
+        '<p>To reset your password follow the link below:</p>\n\n' +
+        '<p>\t' +
+        options.protocol +
+        '://' +
+        host +
+        '/account/reset/' +
+        this.ref +
+        '/' +
+        resetKey +
+        '/</p>\n\n<p>' +
+        options.email +
+        '<br>\nvia the ' +
+        options.sitename +
+        ' site</p>';
+      // HTML text
+      let htmlText = '';
+      const replacementsArray = [];
+      replacementsArray.push(['<!--PROTOCOL-->', options.protocol]);
+      replacementsArray.push(['<!--HOST-->', options.hostname]);
+      replacementsArray.push(['<!--SITENAME-->', options.sitename]);
+      replacementsArray.push(['<!--TITLE-->', subject]);
+      replacementsArray.push(['<!--BODY-->', message]);
+      replacementsArray.push(['<!--EMAIL-->', options.email]);
+      replacementsArray.push(['<!--CODA-->', '']);
+      replacementsArray.push([
+        '<p>',
+        '<p style="margin-bottom: 10px; font-weight: normal; font: 13px/ 18px Arial, sans-serif; color: #000000;">'
+      ]);
+      fs.readFile('./templates/mail/default.html', 'utf8', (err, f) => {
+        if (err)
+          debug(err);
+        htmlText = f;
+        for (let i = 0; i < replacementsArray.length; i++) {
+          const re = new RegExp(replacementsArray[i][0], 'gi');
+          htmlText = htmlText.replace(re, replacementsArray[i][1]);
+        }
+        // Plain text
+        const plainText = h2p(message);
+        const msg = {
+          to: _this.email,
+          from: options.email,
+          subject: subject,
+          text: plainText,
+          html: htmlText
+        };
+        sendMail(msg, options.hostname);
+        done(null);
+      });
     });
   }
   sendResetNotification(options, done) {

models/tokens.js

@@ -29,9 +29,15 @@ exports.getAccessToken = function getAccessToken(obj, done) {
 };
 
 exports.getRefreshToken = function getRefreshToken(obj, done) {
+  let query = 'SELECT * FROM refresh_token WHERE token = ? AND device_id is null ';
+  const params = [obj.token];
+  if (obj.deviceId) {
+    query = 'SELECT * FROM refresh_token WHERE token = ? AND device_id = ? ';
+    params.push(obj.deviceId);
+  }
   db.get().query(
-    'SELECT * FROM refresh_token WHERE token = ? AND device_id = ?',
-    [obj.token, obj.deviceId],
+    query,
+    params,
     (err, rows) => {
       if (err) return done(err);
       if (rows.length === 0) return done(null, null);

mysql/database.mwb

@@ -47,13 +47,68 @@ module.exports = function (app) {
   be authenticated before they are
   */
 
+  const ONE_DAY = 60 * 60 * 1000 * 24; /* ms */
+
+  /* GET reset details */
+  router.get('/reset/:ref/:key/', cors(), (req, res, next) => {
+    const ref = req.params.ref;
+    const appId = req.site.server.client_id;
+    const account = new User(appId);
+    account.loadByRef(ref, (err, json) => {
+      if (err) {
+        return next(new JsonError('This reset key is not valid'));
+      }
+      if (json.reset_key !== req.params.key)
+        return next(new JsonError('This reset key is not valid'));
+      if (json.reset_date) {
+        if (new Date() - new Date(json.reset_date) > ONE_DAY) {
+          return next(new JsonError('This reset key is out of date'));
+        }
+      }
+      account.sanitise();
+      return res.json(account);
+    });
+  });
+
+  /* POST reset details */
+  router.post('/reset/:ref/:key/', cors(), (req, res, next) => {
+    const ref = req.params.ref;
+    const password = req.body.password ? req.body.password : '';
+    const passwordConfirm = req.body.passwordConfirm
+      ? req.body.passwordConfirm
+      : '';
+    const appId = req.site.server.client_id;
+    const account = new User(appId);
+    account.loadByRef(ref, (err, json) => {
+      if (err) {
+        return next(new JsonError('This reset key is not valid', 400));
+      }
+      if (json.reset_key !== req.params.key)
+        return next(new JsonError('This reset key is not valid', 400));
+      if (json.reset_date) {
+        if (new Date() - new Date(json.reset_date) > ONE_DAY) {
+          return next(new JsonError('This reset key is out of date', 400));
+        }
+      }
+      if (password.length === 0) return next(new JsonError('Password is missing', 400));
+      if (passwordConfirm.length === 0) return next(new JsonError('Password confirmation is missing', 400));
+      if (password !== passwordConfirm) return next(new JsonError('Your passwords do not match', 400));
+      account.setPassword(password, (err) => {
+        if (err) return next(new JsonError('There was a problem setting your password'));
+      });
+      return res.json(new JsonInfo('Your password was successfully updated'));
+    });
+  });
+
   /* POST forgot page */
   router.post('/forgot', cors(), (req, res, next) => {
     if (!req.body || !req.body.username)
       throw new JsonError('You must specify an email address', 400);
+    if (!isEmail(req.body.username))
+      throw new JsonError('You must specify a valid email address', 400);
     let account = new User(req.site.server.client_id);
     account.loadByUsername(req.body.username, (err, user) => {
-      if (err) return next(new JsonError('Unable to find the specified email address'));
+      if (err || !user) return next(new JsonError('Unable to find the specified email address', 400));
       account = Object.assign(account, user);
       const appId = req.site.server.client_id;
       const options = {