feat: allow password resets over the API

2 years ago · 16ba3ca438
parent cb1d75ff1d
commit 16ba3ca438
2 changed files with 17 additions and 2 deletions
--- a/src/ass.ts
+++ b/src/ass.ts
@ -3,7 +3,7 @@ import { Config, MagicNumbers, Package } from 'ass-json';

 //#region Imports
 import fs from 'fs-extra';
-import express, { Request, Response } from 'express';
+import express, { Request, Response, json as BodyParserJson } from 'express';
 import nofavicon from '@tycrek/express-nofavicon';
 import { epcss } from '@tycrek/express-postcss';
 import tailwindcss from 'tailwindcss';
@ -80,6 +80,10 @@ app.get(['/'], bruteforce.prevent, (_req, _res, next) => next());
 // Express logger middleware
 app.use(log.middleware());

+// Body parser for API POST requests
+// (I really don't like this being top level but it does not work inside the API Router as of 2022-12-24)
+app.use(BodyParserJson());
+
 // Helmet security middleware
 app.use(helmet.noSniff());
 app.use(helmet.ieNoOpen());
--- a/src/routers/api.ts
+++ b/src/routers/api.ts
@ -5,7 +5,7 @@
 */

 import { Router, Request, Response, NextFunction } from 'express';
-import { findFromToken, users } from '../auth';
+import { findFromToken, setUserPassword, users } from '../auth';
 import { data } from '../data';
 import { User } from '../types/auth';

@ -45,6 +45,17 @@ function buildUserRouter() {
 	userRouter.get('/token/:token', (req: Request, res: Response) =>
 		userFinder(res, users.find(user => user.token === req.params.token)));

+	// Reset password (new plaintext password in form data; HOST SHOULD BE USING HTTPS)
+	// Admin only
+	userRouter.post('/reset', adminAuthMiddleware, (req: Request, res: Response) => {
+		const id = req.body.id;
+		const newPassword = req.body.password;
+
+		setUserPassword(id, newPassword)
+			.then(() => res.sendStatus(200))
+			.catch(() => res.sendStatus(500));
+	});
+
 	// Get a user (must be last as it's a catch-all)
 	// Admin only
 	userRouter.get('/:id', adminAuthMiddleware, (req: Request, res: Response) =>