Fixed server-side password checking

2017-12-19 06:42:43 +00:00 · 2017-12-19 06:42:43 +00:00 · 76e2d31c46
parent 8effc47206
commit 76e2d31c46
1 changed files with 15 additions and 5 deletions
--- a/config/routes/settings.js
+++ b/config/routes/settings.js
@ -99,14 +99,14 @@ router.route('/')

      // Check if unchanged
      } else if (req.user.slug === slug(xss(req.body.slug))) resolve()
-      
+
      // Check uniqueness
      else {
        User.findOne({ slug: req.body.slug })
        .then((existingUser) => {
          // Not unique!
          if (existingUser && existingUser.id !== req.user.id) {
-            req.flash( 'warning', 
+            req.flash( 'warning',
            `That slug, <u>${req.body.slug}</u>, is already in use by another user! `
            )

@ -292,29 +292,39 @@ router.route('/password/:token')

  // Set new password
  .post((req, res, next) => {
-    // Validate password
+    debug('/settings/password/:token .post() called')
+
+    // Validate password strength
    let zxcvbnResult = zxcvbn(req.body.password)
    if (zxcvbnResult.crack_times_seconds.online_no_throttling_10_per_second < 864000) { // Less than ten days
-      mw.throwErr(new Error(`That password could be cracked in ${zxcvbnResult.crack_times_display.online_no_throttling_10_per_second}!  Come up with a more complex password that would take at least 10 days to crack. `))
+      req.flash( 'danger',
+				`That password could be cracked in ${zxcvbnResult.crack_times_display.online_no_throttling_10_per_second}!  Come up with a more complex password that would take at least 10 days to crack. `
+			)
      res.redirect(`/settings/password/${req.params.token}`)
    } else {
+
      // Create hashed password and save to db
      res.locals.passwordUser.generateHashedPassword(req.body.password, (err) => {
        if (err) {
+          debug('Error creating hashed password and saving to db')
          mw.throwErr(err, req)
-          res.redirect(`/password/${req.params.token}`)
+          res.redirect(`/settings/password/${req.params.token}`)

        // User changed password
        } else if (req.user) {
+          debug('User saved password')
          req.flash('success', 'Your password has been changed. ')
          res.redirect('/settings')

        // New user created password
        } else {
+          debug('New user created password')
          req.flash('success', 'Password set.  You can use it to log in now. ')
          res.redirect('/login?next=/map?new=1')
        }
+
      })
+
    }
  })