From 76e2d31c467c66482b0027d6c472a6df7023a47c Mon Sep 17 00:00:00 2001
From: Keith Irwin
Date: Tue, 19 Dec 2017 06:42:43 +0000
Subject: [PATCH] Fixed server-side password checking
---
 config/routes/settings.js | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/config/routes/settings.js b/config/routes/settings.js
index 446a2e1..71b284f 100644
--- a/config/routes/settings.js
+++ b/config/routes/settings.js
@@ -99,14 +99,14 @@ router.route('/')
 // Check if unchanged } else if (req.user.slug === slug(xss(req.body.slug))) resolve() - + // Check uniqueness else { User.findOne({ slug: req.body.slug }) .then((existingUser) => { // Not unique! if (existingUser && existingUser.id !== req.user.id) { - req.flash( 'warning', + req.flash( 'warning', `That slug, ${req.body.slug}, is already in use by another user! ` )
@@ -292,29 +292,39 @@ router.route('/password/:token')
  // Set new password
  .post((req, res, next) => {
- // Validate password
+ debug('/settings/password/:token .post() called')
+
+ // Validate password strength
  let zxcvbnResult = zxcvbn(req.body.password)
  if (zxcvbnResult.crack_times_seconds.online_no_throttling_10_per_second < 864000) { // Less than ten days
- mw.throwErr(new Error(`That password could be cracked in ${zxcvbnResult.crack_times_display.online_no_throttling_10_per_second}! Come up with a more complex password that would take at least 10 days to crack. `))
+ req.flash( 'danger',
+ `That password could be cracked in ${zxcvbnResult.crack_times_display.online_no_throttling_10_per_second}! Come up with a more complex password that would take at least 10 days to crack. `
+ )
  res.redirect(`/settings/password/${req.params.token}`)
  } else {
+ // Create hashed password and save to db
  res.locals.passwordUser.generateHashedPassword(req.body.password, (err) => {
  if (err) {
+ debug('Error creating hashed password and saving to db')
  mw.throwErr(err, req)
- res.redirect(`/password/${req.params.token}`)
+ res.redirect(`/settings/password/${req.params.token}`)
  // User changed password
  } else if (req.user) {
+ debug('User saved password')
  req.flash('success', 'Your password has been changed. ')
  res.redirect('/settings')
  // New user created password
  } else {
+ debug('New user created password')
  req.flash('success', 'Password set. You can use it to log in now. ')
  res.redirect('/login?next=/map?new=1')
  }
+ })
+ }
  })