Fixed server-side password checking
parent
8effc47206
commit
76e2d31c46
@ -99,14 +99,14 @@ router.route('/')
// Check if unchanged
// Check if unchanged
} else if (req.user.slug === slug(xss(req.body.slug))) resolve()
} else if (req.user.slug === slug(xss(req.body.slug))) resolve()
// Check uniqueness
// Check uniqueness
else {
else {
User.findOne({ slug: req.body.slug })
User.findOne({ slug: req.body.slug })
.then((existingUser) => {
.then((existingUser) => {
// Not unique!
// Not unique!
if (existingUser && existingUser.id !== req.user.id) {
if (existingUser && existingUser.id !== req.user.id) {
req.flash( 'warning',
req.flash( 'warning',
`That slug, <u>${req.body.slug}</u>, is already in use by another user! `
`That slug, <u>${req.body.slug}</u>, is already in use by another user! `
)
)
@ -292,29 +292,39 @@ router.route('/password/:token')
// Set new password
// Set new password
.post((req, res, next) => {
.post((req, res, next) => {
// Validate password
debug('/settings/password/:token .post() called')
// Validate password strength
let zxcvbnResult = zxcvbn(req.body.password)
let zxcvbnResult = zxcvbn(req.body.password)
if (zxcvbnResult.crack_times_seconds.online_no_throttling_10_per_second < 864000) { // Less than ten days
if (zxcvbnResult.crack_times_seconds.online_no_throttling_10_per_second < 864000) { // Less than ten days
mw.throwErr(new Error(`That password could be cracked in ${zxcvbnResult.crack_times_display.online_no_throttling_10_per_second}! Come up with a more complex password that would take at least 10 days to crack. `))
req.flash( 'danger',
`That password could be cracked in ${zxcvbnResult.crack_times_display.online_no_throttling_10_per_second}! Come up with a more complex password that would take at least 10 days to crack. `
)
res.redirect(`/settings/password/${req.params.token}`)
res.redirect(`/settings/password/${req.params.token}`)
} else {
} else {
// Create hashed password and save to db
// Create hashed password and save to db
res.locals.passwordUser.generateHashedPassword(req.body.password, (err) => {
res.locals.passwordUser.generateHashedPassword(req.body.password, (err) => {
if (err) {
if (err) {
debug('Error creating hashed password and saving to db')
mw.throwErr(err, req)
mw.throwErr(err, req)
res.redirect(`/password/${req.params.token}`)
res.redirect(`/settings/password/${req.params.token}`)
// User changed password
// User changed password
} else if (req.user) {
} else if (req.user) {
debug('User saved password')
req.flash('success', 'Your password has been changed. ')
req.flash('success', 'Your password has been changed. ')
res.redirect('/settings')
res.redirect('/settings')
// New user created password
// New user created password
} else {
} else {
debug('New user created password')
req.flash('success', 'Password set. You can use it to log in now. ')
req.flash('success', 'Password set. You can use it to log in now. ')
res.redirect('/login?next=/map?new=1')
res.redirect('/login?next=/map?new=1')
}
}
})
})
}
}
})
})
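Review bot: The new strength check at `let zxcvbnResult = zxcvbn(req.body.password)` runs before anything confirms that `req.body.password` is a non-empty string, so a missing or non-string field reaches zxcvbn and, if it passes, `generateHashedPassword` unvalidated; a guard of the form `if (typeof req.body.password !== 'string' || req.body.password === '') { ... }` that flashes a 'danger' message and redirects back to the same token URL, mirroring the weak-password branch this commit introduces, would close that gap. In the hashing error callback, `mw.throwErr(err, req)` is followed by `res.redirect(...)`; if `throwErr` itself writes a response that would be a double response, so it is worth confirming it only records or flashes the error. The `.post` handler closes inside the hunk, but the `router.route('/password/:token')` chain it belongs to starts outside it.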