From cb5ee1ca637f191b6beeacb491ae0cadc353773d Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Fri, 2 May 2025 10:50:22 +0200
Subject: Put account management pages under "/account" URL prefix.

---
 server.js | 96 +++++++++++++++++++++++++------------------------
 views/head.pug | 2 +-
 views/login.pug | 2 +-
 views/profile.pug | 38 +++++++++++-----------
 views/webhook.pug | 4 +--
 5 files changed, 66 insertions(+), 76 deletions(-)

diff --git a/server.js b/server.js
index 72dfec2..bbf3c59 100644
--- a/server.js
+++ b/server.js
@@ -139,6 +139,11 @@ if (process.env.MAIL_HOST && process.env.MAIL_PORT && process.env.MAIL_FROM) {
 	console.log("Mail notifications enabled: ", mailer.options)
 } else {
 	console.log("Mail notifications disabled.")
+	mailer = {
+		sendMail(mail) {
+			console.log("MAIL (DEBUG):", mail)
+		}
+	}
 }
 
 /*
@@ -427,7 +432,7 @@ function must_pass_altcha(req, res, next) {
 	return next()
 }
 
-app.get("/altcha-challenge", function (_req, res) {
+app.get("/api/altcha-challenge", function (_req, res) {
 	return res.json(altcha_create_challenge())
 })
 
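Review bot: The fallback `sendMail` stub logs the whole message object, so whenever mail is not configured every password-reset and mail-verification token, including the full reset link assembled in `mail_password_reset_token`, is written to stdout and to whatever collects it; a deployment that merely lacks the MAIL_* variables then has live reset links in its logs. The stub also ignores the second argument, so the `mail_callback` the senders pass is never invoked; if anything relies on it running, this diverges from the real transport (the callback itself is outside this hunk, so I cannot tell). I would log only the envelope and keep the callback contract: `sendMail(mail, callback) { console.log("MAIL (DEBUG):", mail.to, mail.subject); if (callback) callback(null, mail) }`. If the body is wanted for local debugging, gate that on an explicit debug variable rather than on mail being absent.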
@@ -598,20 +603,16 @@ function create_and_mail_verification_token(user) {
 	mail_verification_token(user, SQL_CREATE_TOKEN.get(user.user_id))
 }
 
-app.get("/verify-mail", must_be_logged_in, function (req, res) {
-	if (SQL_SELECT_USER_VERIFIED.get(req.user.user_id))
-		return res.redirect("/profile")
-	create_and_mail_verification_token(req.user)
-	res.render("verify_mail.pug", { user: req.user })
-})
-
-app.get("/verify-mail/:token", must_be_logged_in, function (req, res) {
+app.get("/account/mail/verify", must_be_logged_in, function (req, res) {
+	var token = req.query.token
 	if (SQL_SELECT_USER_VERIFIED.get(req.user.user_id))
 		return res.redirect("/profile")
-	res.render("verify_mail.pug", { user: req.user, token: req.params.token })
+	if (!token)
+		create_and_mail_verification_token(req.user)
+	res.render("verify_mail.pug", { user: req.user, token })
 })
 
-app.post("/verify-mail", must_be_logged_in, function (req, res) {
+app.post("/account/mail/verify", must_be_logged_in, function (req, res) {
 	if (SQL_VERIFY_TOKEN.get(req.user.user_id, req.body.token)) {
 		SQL_UPDATE_USER_VERIFIED.run(1, req.user.user_id)
 		res.redirect("/profile")
@@ -621,13 +622,13 @@ app.post("/verify-mail", must_be_logged_in, function (req, res) {
 	}
 })
 
-app.get("/forgot-password", function (req, res) {
+app.get("/account/forgot-password", function (req, res) {
 	if (req.user)
 		return res.redirect("/")
 	res.render("forgot_password.pug")
 })
 
-app.post("/forgot-password", must_pass_altcha, function (req, res) {
+app.post("/account/forgot-password", must_pass_altcha, function (req, res) {
 	let mail = req.body.mail
 	let user = SQL_SELECT_LOGIN_BY_MAIL.get(mail)
 	if (user) {
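Review bot: The merged GET `/account/mail/verify` creates and mails a fresh token on every request that arrives without `?token=`, so a logged-in user reloading the page, or following the emailed link with its query string stripped by a mail client, triggers another send each time with no throttle visible here; the old `/verify-mail` had the same side effect, but folding the send into the route the emailed link targets makes accidental re-sends easier. Sending is a state change and belongs behind a POST, or at least should be skipped while a valid token exists; whether `SQL_CREATE_TOKEN` reuses or replaces an existing token is not visible in this diff. `req.query.token` can also arrive as an array or object (`?token[]=x`) and is handed to the template as is; a one-line normalisation would be `var token = typeof req.query.token === "string" ? req.query.token : ""`, and the POST handler could apply the same check to `req.body.token` before binding it in `SQL_VERIFY_TOKEN`.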
@@ -636,33 +637,20 @@ app.post("/forgot-password", must_pass_altcha, function (req, res) {
 			token = SQL_CREATE_TOKEN.get(user.user_id)
 			mail_password_reset_token(user, token)
 		}
-		return res.redirect("/reset-password/" + mail)
+		return res.redirect("/account/reset-password?mail=" + mail)
 	}
 	res.render("forgot_password.pug", { flash: "User not found." })
 })
 
-app.get("/reset-password", function (req, res) {
-	if (req.user)
-		return res.redirect("/")
-	res.render("reset_password.pug", { mail: "", token: "" })
-})
-
-app.get("/reset-password/:mail", function (req, res) {
-	if (req.user)
-		return res.redirect("/")
-	let mail = req.params.mail
-	res.render("reset_password.pug", { mail: mail, token: "" })
-})
-
-app.get("/reset-password/:mail/:token", function (req, res) {
+app.get("/account/reset-password", function (req, res) {
 	if (req.user)
 		return res.redirect("/")
-	let mail = req.params.mail
-	let token = req.params.token
-	res.render("reset_password.pug", { mail: mail, token: token })
+	var mail = req.query.mail
+	var token = req.query.token
+	res.render("reset_password.pug", { mail, token })
 })
 
-app.post("/reset-password", must_pass_altcha, function (req, res) {
+app.post("/account/reset-password", must_pass_altcha, function (req, res) {
 	let mail = req.body.mail
 	let token = req.body.token
 	let password = req.body.password
@@ -686,11 +674,11 @@ app.post("/reset-password", must_pass_altcha, function (req, res) {
 	return res.redirect("/profile")
 })
 
-app.get("/change-password", must_be_logged_in, function (req, res) {
+app.get("/account/change-password", must_be_logged_in, function (req, res) {
 	res.render("change_password.pug", { user: req.user })
 })
 
-app.post("/change-password", must_be_logged_in, function (req, res) {
+app.post("/account/change-password", must_be_logged_in, function (req, res) {
 	let oldpass = req.body.password
 	let newpass = req.body.newpass
 	// Get full user record including password and salt
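Review bot: `res.redirect("/account/reset-password?mail=" + mail)` places the submitted address into a query string without encoding it, so an address containing `+` (common for tagged addresses) is read back by Express as a space and `&` or `#` truncates the parameter; the reset form is then pre-filled with a different address than the one the token was issued for and the following POST cannot match it. The value used to be a path segment, so this is a new failure mode introduced by the switch to query parameters. Use `return res.redirect("/account/reset-password?mail=" + encodeURIComponent(mail))`. In the new GET handler `req.query.mail` and `req.query.token` are `undefined` rather than `""` when absent and can arrive as arrays (`?mail[]=`), so coercing both to strings before `res.render` would keep the template input predictable.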
@@ -720,7 +708,7 @@ function may_delete_account(user_id) {
 	return true
 }
 
-app.get("/delete-account", must_be_logged_in, function (req, res) {
+app.get("/account/delete", must_be_logged_in, function (req, res) {
 	if (!may_delete_account(req.user.user_id))
 		return res.status(401).send("You may not delete your account while you have unfinished games.")
 	res.render("delete_account.pug", { user: req.user })
@@ -730,7 +718,7 @@ const SQL_SELECT_GAME_ROLE_FOR_DELETED_USER = SQL(`
 	select game_id, role from players where user_id = ? and game_id in (select game_id from games where status <= 1)
 `)
 
-app.post("/delete-account", must_be_logged_in, function (req, res) {
+app.post("/account/delete", must_be_logged_in, function (req, res) {
 	if (!may_delete_account(req.user.user_id))
 		res.status(401).send("You may not delete your account while you have unfinished games.")
 
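Review bot: In the POST `/account/delete` handler the guard `if (!may_delete_account(...)) res.status(401).send(...)` has no `return`, unlike the GET variant just above, so after the 401 is written execution continues; the rest of the function lies outside this hunk, but if it goes on to delete the account and redirect, the check does nothing against a direct POST and the second response would fail with a headers-already-sent error. The line predates this commit but is touched here, so it is the natural place to fix it: `return res.status(401).send("You may not delete your account while you have unfinished games.")`. A logged-in user who is refused is authenticated, so 403 rather than 401 is the accurate status for both handlers.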
@@ -765,27 +753,27 @@ app.get("/admin/unban-user/:who", must_be_administrator, function (req, res) {
  * USER PROFILE
  */
 
-app.get("/subscribe", must_be_logged_in, function (req, res) {
+app.get("/account/mail/subscribe", must_be_logged_in, function (req, res) {
 	SQL_UPDATE_USER_NOTIFY.run(1, req.user.user_id)
 	res.redirect("/profile")
 })
 
-app.get("/unsubscribe", must_be_logged_in, function (req, res) {
+app.get("/account/mail/unsubscribe", must_be_logged_in, function (req, res) {
 	SQL_UPDATE_USER_NOTIFY.run(0, req.user.user_id)
 	res.redirect("/profile")
 })
 
-app.get("/webhook", must_be_logged_in, function (req, res) {
+app.get("/account/webhook", must_be_logged_in, function (req, res) {
 	let webhook = SQL_SELECT_WEBHOOK.get(req.user.user_id)
 	res.render("webhook.pug", { user: req.user, webhook: webhook })
 })
 
-app.post("/api/webhook/delete", must_be_logged_in, function (req, res) {
+app.post("/account/webhook/delete", must_be_logged_in, function (req, res) {
 	SQL_DELETE_WEBHOOK.run(req.user.user_id)
 	res.redirect("/webhook")
 })
 
-app.post("/api/webhook/update", must_be_logged_in, function (req, res) {
+app.post("/account/webhook/update", must_be_logged_in, function (req, res) {
 	let url = req.body.url
 	let prefix = req.body.prefix
 	let format = req.body.format
@@ -797,11 +785,11 @@ app.post("/api/webhook/update", must_be_logged_in, function (req, res) {
 	res.send("Testing Webhook. Please wait...")
 })
 
-app.get("/change-name", must_be_logged_in, function (req, res) {
+app.get("/account/change-name", must_be_logged_in, function (req, res) {
 	res.render("change_name.pug", { user: req.user })
 })
 
-app.post("/change-name", must_be_logged_in, function (req, res) {
+app.post("/account/change-name", must_be_logged_in, function (req, res) {
 	let newname = clean_user_name(req.body.newname)
 	if (!is_valid_user_name(newname))
 		return res.render("change_name.pug", { user: req.user, flash: "Invalid user name!" })
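Review bot: `res.redirect("/webhook")` in the POST `/account/webhook/delete` handler was not updated with the route, so after a successful delete the browser is sent to a path that no longer has a handler in this file; it should read `res.redirect("/account/webhook")`. Separately, `/account/mail/subscribe` and `/account/mail/unsubscribe` change persistent user state on a GET, so a cross-site `<img src=...>` or a link prefetch can toggle a victim's notification setting; since the logout form in this patch already posts, these would be better as `app.post` routes driven by a form, with whatever CSRF protection the other POST routes use (not visible in this diff).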
@@ -811,11 +799,11 @@ app.post("/change-name", must_be_logged_in, function (req, res) {
 	return res.redirect("/profile")
 })
 
-app.get("/change-mail", must_be_logged_in, function (req, res) {
+app.get("/account/change-mail", must_be_logged_in, function (req, res) {
 	res.render("change_mail.pug", { user: req.user })
 })
 
-app.post("/change-mail", must_be_logged_in, function (req, res) {
+app.post("/account/change-mail", must_be_logged_in, function (req, res) {
 	let newmail = req.body.newmail
 	if (!is_valid_email(newmail) || is_forbidden_mail(newmail))
 		return res.render("change_mail.pug", { user: req.user, flash: "Invalid mail address!" })
@@ -826,12 +814,12 @@ app.post("/change-mail", must_be_logged_in, function (req, res) {
 	return res.redirect("/profile")
 })
 
-app.get("/change-about", must_be_logged_in, function (req, res) {
+app.get("/account/change-about", must_be_logged_in, function (req, res) {
 	let about = SQL_SELECT_USER_ABOUT.get(req.user.user_id)
 	res.render("change_about.pug", { user: req.user, about: about || "" })
 })
 
-app.post("/change-about", must_be_logged_in, function (req, res) {
+app.post("/account/change-about", must_be_logged_in, function (req, res) {
 	SQL_UPDATE_USER_ABOUT.run(req.user.user_id, req.body.about)
 	return res.redirect("/profile")
 })
@@ -1688,10 +1676,12 @@ function annotate_games(list, user_id, unread, unseen) {
 }
 
 app.get("/profile", must_be_logged_in, function (req, res) {
-	req.user.notify = SQL_SELECT_USER_NOTIFY.get(req.user.user_id)
-	req.user.is_verified = SQL_SELECT_USER_VERIFIED.get(req.user.user_id)
-	req.user.webhook = SQL_SELECT_WEBHOOK.get(req.user.user_id)
-	res.render("profile.pug", { user: req.user })
+	var mail = {
+		notify: SQL_SELECT_USER_NOTIFY.get(req.user.user_id),
+		is_verified: SQL_SELECT_USER_VERIFIED.get(req.user.user_id)
+	}
+	var webhook = SQL_SELECT_WEBHOOK.get(req.user.user_id)
+	res.render("profile.pug", { mail, webhook })
 })
 
 app.get("/games", function (_req, res) {
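Review bot: The `/profile` handler now renders with `{ mail, webhook }` and no longer passes `user`, yet `profile.pug` in this same patch still reads `#{user.mail}`, and every other account template in this diff is given `user: req.user` explicitly; unless a middleware outside this diff exposes `user` through `res.locals`, rendering the profile will throw on the template's first interpolation. Passing it explicitly is harmless either way: `res.render("profile.pug", { user: req.user, mail, webhook })`.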
@@ -2473,7 +2463,7 @@ function mail_password_reset_token(user, token) {
 	let subject = "Password reset request"
 	let body =
 		"Your password reset token is: " + token + "\n\n" +
-		SITE_URL + "/reset-password/" + user.mail + "/" + token + "\n"
+		SITE_URL + "/account/reset-password?mail=" + user.mail + "&token=" + token + "\n"
 	console.log("SENT MAIL:", mail_addr(user), subject)
 	mailer.sendMail({ from: MAIL_FROM, to: mail_addr(user), subject: subject, text: body }, mail_callback)
 }
@@ -2484,7 +2474,7 @@ function mail_verification_token(user, token) {
 	let subject = "Verify mail address"
 	let body =
 		"Your mail verification token is: " + token + "\n\n" +
-		SITE_URL + "/verify-mail/" + token + "\n"
+		SITE_URL + "/account/mail/verify?token=" + token + "\n"
 	console.log("SENT MAIL:", mail_addr(user), subject)
 	mailer.sendMail({ from: MAIL_FROM, to: mail_addr(user), subject: subject, text: body }, mail_callback)
 }
diff --git a/views/head.pug b/views/head.pug
index eec1299..3707757 100644
--- a/views/head.pug
+++ b/views/head.pug
@@ -14,7 +14,7 @@ mixin altcha_script()
 
 mixin altcha_widget()
 	if ALTCHA
-		altcha-widget(challengeurl="/altcha-challenge" hidelogo hidefooter auto="onsubmit" style="--altcha-border-radius:0")
+		altcha-widget(challengeurl="/api/altcha-challenge" hidelogo hidefooter auto="onsubmit" style="--altcha-border-radius:0")
 
 mixin social(title,description,game)
 	meta(property="og:title" content=title)
diff --git a/views/login.pug b/views/login.pug
index f91129e..ec8be48 100644
--- a/views/login.pug
+++ b/views/login.pug
@@ -33,4 +33,4 @@ html
 			p
 				button(type="submit") Login
 			p
-				a(href="/forgot-password") Forgot password
+				a(href="/account/forgot-password") Forgot password
diff --git a/views/profile.pug b/views/profile.pug
index 4ecf289..39f1977 100644
--- a/views/profile.pug
+++ b/views/profile.pug
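Review bot: The reset link is assembled by concatenation, `SITE_URL + "/account/reset-password?mail=" + user.mail + "&token=" + token`, with neither value encoded; a `+` in the address is parsed back as a space and `&`, `#` or `%` in it corrupts the `mail` and `token` parameters, so the mailed link fails for exactly the users it is meant to help. Build it with the URL API instead: `let url = new URL("/account/reset-password", SITE_URL); url.searchParams.set("mail", user.mail); url.searchParams.set("token", token)` and interpolate `url.href` into the body (this assumes SITE_URL is an absolute origin, which is not visible here). The `?token=` link in `mail_verification_token` in the next hunk has the same shape; there `encodeURIComponent(token)` is enough.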
@@ -13,38 +13,38 @@ html p Your mail address is #{user.mail} if ENABLE_MAIL - if !user.is_verified - p ⚠ Verify your mail address! + if !mail.is_verified + p ⚠ Verify your mail address! p You must verify your mail address before you can enable notifications. else - if !user.notify - p Enable mail notifications - if user.notify - p Disable mail notifications + if !mail.notify + p Enable mail notifications + if mail.notify + p Disable mail notifications p - | Change password + | Change password br - | Change mail address + | Change mail address br - | Change user name + | Change user name br - | Change profile text + | Change profile text br - | Delete account + | Delete account if ENABLE_WEBHOOKS - if !user.webhook - p Configure webhook - else if user.webhook.error + if !webhook + p Configure webhook + else if webhook.error dl - dt Configure webhook - dd.error ERROR: #{user.webhook.error} + dt Configure webhook + dd.error ERROR: #{webhook.error} else dl - dt Configure webhook - dd= new URL(user.webhook.url).hostname + dt Configure webhook + dd= new URL(webhook.url).hostname p - form(action="/logout" method="post") + form(action="/account/logout" method="post") button(type="submit") Logout diff --git a/views/webhook.pug b/views/webhook.pug index 20d20ac..b9817ef 100644 --- a/views/webhook.pug +++ b/views/webhook.pug @@ -14,7 +14,7 @@ html(lang="en") - var format = webhook && webhook.format || "" - var prefix = webhook && webhook.prefix || "" - form(action="/api/webhook/update" method="post") + form(action="/account/webhook/update" method="post") if webhook && webhook.error p.error ERROR: #{webhook.error} p Webhook URL: @@ -34,7 +34,7 @@ html(lang="en") button(type="submit") Create if webhook - form(action="/api/webhook/delete" method="post") + form(action="/account/webhook/delete" method="post") button(type="submit") Delete h2 Discord Notifications -- cgit v1.2.3
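Review bot: The logout form now posts to `/account/logout`, but no hunk in this patch renames a `/logout` handler in server.js and the diffstat lists no other files, so unless that route already exists under the new prefix outside this diff, logging out from the profile page will hit a path with no handler. Either keep `form(action="/logout" method="post")` or move the server route in the same commit. Less urgently, `dd= new URL(webhook.url).hostname` throws on an unparsable stored URL and takes the whole profile page down with it; presumably the update handler validates before storing (outside this diff), but a guard in the view would keep the page renderable regardless.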