X-Git-Url: https://git.auder.net/?p=vchess.git;a=blobdiff_plain;f=routes%2Fusers.js;h=297072dd0d3bd9c62ef1956f2b640e61fbde9bea;hp=dd9914ec39761785e925f4c5831604588df33c49;hb=0bd5933d97a90473233d0f90f465a43aba430ffa;hpb=b57dbd126734b4398861292c611197c6991ed3eb

diff --git a/routes/users.js b/routes/users.js
index dd9914ec..297072dd 100644
--- a/routes/users.js
+++ b/routes/users.js
@@ -1,25 +1,23 @@
 var router = require("express").Router();
 var UserModel = require('../models/User');
-var maild = require('../utils/mailer');
+var sendEmail = require('../utils/mailer');
 var TokenGen = require("../utils/tokenGenerator");
 var access = require("../utils/access");
+var params = require("../config/parameters");
 
 // to: object user
 function setAndSendLoginToken(subject, to, res)
 {
 	// Set login token and send welcome(back) email with auth link
 	let token = TokenGen.generate(params.token.length);
-	UserModel.setLoginToken(token, to._id, to.ip, (err,ret) => {
+	UserModel.setLoginToken(token, to._id, (err,ret) => {
 		access.checkRequest(res, err, ret, "Cannot set login token", () => {
-			maild.send({
-				from: params.mail.from,
-				to: to.email,
-				subject: subject,
-				body: "Hello " + to.initials + "!\n" +
-					"Access your account here: " +
-					params.siteURL + "/authenticate?token=" + token + "\\n" +
-					"Token will expire in " + params.token.expire/(1000*60) + " minutes."
-			}, err => {
+			const body =
+				"Hello " + to.initials + "!\n" +
+				"Access your account here: " +
+				params.siteURL + "/authenticate?token=" + token + "\\n" +
+				"Token will expire in " + params.token.expire/(1000*60) + " minutes."
+			sendEmail(params.mail.from, to.email, subject, body, err => {
 				res.json(err || {});
 			});
 		});
@@ -36,7 +34,6 @@ router.post('/register', access.unlogged, access.ajax, (req,res) => {
 		return res.json({errmsg: error});
 	UserModel.create(name, email, (err,user) => {
 		access.checkRequest(res, err, user, "Registration failed", () => {
-			user.ip = req.ip;
 			setAndSendLoginToken("Welcome to " + params.siteURL, user, res);
 		});
 	});
@@ -45,10 +42,9 @@ router.post('/register', access.unlogged, access.ajax, (req,res) => {
 router.put('/sendtoken', access.unlogged, access.ajax, (req,res) => {
 	let email = decodeURIComponent(req.body.email);
 	let error = checkObject({email:email}, "User");
-	console.log(email)
 	if (error.length > 0)
 		return res.json({errmsg: error});
-	UserModel.getByEmail(email, (err,user) => {
+	UserModel.getOne("email", email, (err,user) => {
 		access.checkRequest(res, err, user, "Unknown user", () => {
 			setAndSendLoginToken("Token for " + params.siteURL, user, res);
 		});
@@ -58,21 +54,18 @@ router.put('/sendtoken', access.unlogged, access.ajax, (req,res) => {
 router.get('/authenticate', access.unlogged, (req,res) => {
 	UserModel.getByLoginToken(req.query.token, (err,user) => {
 		access.checkRequest(res, err, user, "Invalid token", () => {
-			if (user.loginToken.ip != req.ip)
-				return res.json({errmsg: "IP address mismatch"});
-			let now = new Date();
-			let tsNow = now.getTime();
+			let tsNow = Date.now();
 			// If token older than params.tokenExpire, do nothing
-			if (user.loginToken.timestamp + params.token.expire < tsNow)
+			if (Date.now() > user.loginTime + params.token.expire)
 				return res.json({errmsg: "Token expired"});
-			// Generate and update session token + destroy login token
-			let token = TokenGen.generate(params.token.length);
-			UserModel.setSessionToken(token, user._id, (err,ret) => {
+			// Generate session token (if not exists) + destroy login token
+			UserModel.trySetSessionToken(user._id, (err,token) => {
 				if (!!err)
 					return res.json(err);
 				// Set cookie
 				res.cookie("token", token, {
 					httpOnly: true,
+					secure: true,
 					maxAge: params.cookieExpire
 				});
 				res.redirect("/");
@@ -82,11 +75,12 @@ router.get('/authenticate', access.unlogged, (req,res) => {
 });
 
 router.put('/settings', access.logged, access.ajax, (req,res) => {
-	let user = JSON.parse(req.body.user);
-	let error = checkObject(user, "User");
-	if (error.length > 0)
-		return res.json({errmsg: error});
-	user._id = ObjectID(req.user._id);
+	const user = JSON.parse(req.body.user);
+	// TODO: either verify email + name, or re-apply the following logic:
+	//let error = checkObject(user, "User");
+	//if (error.length > 0)
+	//	return res.json({errmsg: error});
+	user._id = req.user._id; //TODO:
 	UserModel.updateSettings(user, (err,ret) => {
 		access.checkRequest(res, err, ret, "Settings update failed", () => {
 			res.json({});
@@ -94,16 +88,10 @@ router.put('/settings', access.logged, access.ajax, (req,res) => {
 	});
 });
 
+// Logout on server because the token cookie is secured + http-only
 router.get('/logout', access.logged, (req,res) => {
-	// TODO: cookie + redirect is enough (https, secure cookie
-	// https://www.information-security.fr/securite-sites-web-lutilite-flags-secure-httponly/ )
-	UserModel.logout(req.cookies.token, (err,ret) => {
-		access.checkRequest(res, err, ret, "Logout failed", () => {
-			res.clearCookie("token");
-			req.user = null;
-			res.redirect('/');
-		});
-	});
+	res.clearCookie("token");
+	res.redirect('/');
 });
 
 module.exports = router;