Diffstat (limited to 'server.js')
-rw-r--r-- | server.js | 33 |
1 files changed, 23 insertions, 10 deletions
@@ -338,6 +338,12 @@ function format_minutes(mins) {
 return mins + " minutes"
 }
 
+function is_valid_password(password) {
+ if (password.length < 4 || password.length > 100)
+ return false
+ return true
+}
+
 function is_valid_email(email) {
 return REGEX_MAIL.test(email)
 }
@@ -370,6 +376,14 @@ function hash_password(password, salt) {
 return hash.digest("hex")
 }
 
+function verify_password(user, password) {
+ var user_login = SQL_SELECT_LOGIN.get(user.user_id)
+ var hash = hash_password(password, user_login.salt)
+ if (hash !== user_login.password)
+ return false
+ return true
+}
+
 /*
  * ALTCHA ANTI-BOT SIGNUP
  */
@@ -657,10 +671,8 @@ app.post("/account/reset-password", must_pass_altcha, function (req, res) {
 let user = SQL_SELECT_LOGIN_BY_MAIL.get(mail)
 if (!user)
 return err("User not found.")
- if (password.length < 4)
- return err("Password is too short!")
- if (password.length > 100)
- return err("Password is too long!")
+ if (!is_valid_password(password))
+ return err("New password is invalid!")
 if (!SQL_VERIFY_TOKEN.get(user.user_id, token))
 return err("Invalid or expired token!")
 let salt = crypto.randomBytes(32).toString("hex")
@@ -680,12 +692,9 @@ app.post("/account/change-password", must_be_logged_in, function (req, res) {
 let newpass = req.body.newpass
 // Get full user record including password and salt
 let user = SQL_SELECT_LOGIN.get(req.user.user_id)
- if (newpass.length < 4)
- return res.render("change_password.pug", { flash: "Password is too short!" })
- if (newpass.length > 100)
- return res.render("change_password.pug", { flash: "Password is too long!" })
- let oldhash = hash_password(oldpass, user.salt)
- if (oldhash !== user.password)
+ if (!is_valid_password(newpass))
+ return res.render("change_password.pug", { flash: "New password is invalid!" })
+ if (!verify_password(req.user, oldpass))
 return res.render("change_password.pug", { flash: "Wrong password!" })
 let salt = crypto.randomBytes(32).toString("hex")
 let hash = hash_password(newpass, salt)
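Review bot: is_valid_password reads `password.length` before confirming it was handed a string, so a request body with the password field missing or non-string throws a TypeError instead of failing validation; both new callers (reset-password and change-password) pass req.body values straight in. Adding `if (typeof password !== "string") return false` as the first line makes the helper total, and the remaining two branches can collapse to `return password.length >= 4 && password.length <= 100`. The 4-character floor is carried over unchanged from the removed checks, so nothing new is being weakened here, but the helper is now the single place to raise it if that is ever wanted.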
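Review bot: The comparison `hash !== user_login.password` in verify_password is a plain string compare whose run time depends on how many leading characters agree; the file already uses `crypto` (see `crypto.randomBytes` in the reset-password hunk), so the two hex digests can be decoded and compared with `crypto.timingSafeEqual` instead. The function also dereferences `user_login.salt` without checking that the SELECT returned a row, and forwards `password` unchecked — the change-password, change-name and change-mail callers all read it from `req.body`, so a missing field reaches hash_password as undefined, and what hash_password does with that is outside this hunk. A guard `if (!user_login || typeof password !== "string") return false` covers both; the rewrite below also length-checks before timingSafeEqual, which throws on buffers of unequal length.
```javascript
function verify_password(user, password) {
	var user_login = SQL_SELECT_LOGIN.get(user.user_id)
	if (!user_login || typeof password !== "string")
		return false
	var hash = Buffer.from(hash_password(password, user_login.salt), "hex")
	var stored = Buffer.from(user_login.password, "hex")
	// timingSafeEqual throws on length mismatch, so compare lengths first
	return hash.length === stored.length && crypto.timingSafeEqual(hash, stored)
}
```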
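Review bot: In the change-password hunk the context line `let user = SQL_SELECT_LOGIN.get(req.user.user_id)` looks orphaned after this change — its uses `user.salt` and `user.password` went away with the removed lines, while the new `verify_password(req.user, oldpass)` call runs the same SELECT a second time. The handler's body continues past the hunk, so whether `user` is still read later cannot be confirmed from here; if it is not, the line and its `// Get full user record including password and salt` comment can be dropped so the login row is fetched once per request.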
@@ -792,6 +801,8 @@ app.post("/account/change-name", must_be_logged_in, function (req, res) {
 return res.render("change_name.pug", { flash: "Invalid user name!" })
 if (SQL_EXISTS_USER_NAME.get(newname))
 return res.render("change_name.pug", { flash: "That name is already taken!" })
+ if (!verify_password(req.user, req.body.password))
+ return res.render("change_name.pug", { flash: "Wrong password!" })
 SQL_UPDATE_USER_NAME.run(newname, req.user.user_id)
 return res.redirect("/profile")
 })
@@ -806,6 +817,8 @@ app.post("/account/change-mail", must_be_logged_in, function (req, res) {
 return res.render("change_mail.pug", { flash: "Invalid mail address!" })
 if (SQL_EXISTS_USER_MAIL.get(newmail))
 return res.render("change_mail.pug", { flash: "That mail address is already taken!" })
+ if (!verify_password(req.user, req.body.password))
+ return res.render("change_mail.pug", { flash: "Wrong password!" })
 SQL_UPDATE_USER_MAIL.run(newmail, req.user.user_id)
 SQL_UPDATE_USER_VERIFIED.run(0, req.user.user_id)
 SQL_UPDATE_USER_NOTIFY.run(0, req.user.user_id)
|