From 16ba3ca438ab26789be4d6dfec3ed2d9168bd2d9 Mon Sep 17 00:00:00 2001
From: tycrek
Date: Sat, 24 Dec 2022 16:54:46 -0700
Subject: [PATCH] feat: allow password resets over the API

---
 src/ass.ts | 6 +++++-
 src/routers/api.ts | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/ass.ts b/src/ass.ts
index b5b38d4..097812f 100644
--- a/src/ass.ts
+++ b/src/ass.ts
@@ -3,7 +3,7 @@ import { Config, MagicNumbers, Package } from 'ass-json';
 //#region Imports
 import fs from 'fs-extra';
-import express, { Request, Response } from 'express';
+import express, { Request, Response, json as BodyParserJson } from 'express';
 import nofavicon from '@tycrek/express-nofavicon';
 import { epcss } from '@tycrek/express-postcss';
 import tailwindcss from 'tailwindcss';
@@ -80,6 +80,10 @@ app.get(['/'], bruteforce.prevent, (_req, _res, next) => next());
 // Express logger middleware
 app.use(log.middleware());
+// Body parser for API POST requests
+// (I really don't like this being top level but it does not work inside the API Router as of 2022-12-24)
+app.use(BodyParserJson());
+
 // Helmet security middleware
 app.use(helmet.noSniff());
 app.use(helmet.ieNoOpen());
diff --git a/src/routers/api.ts b/src/routers/api.ts
index ce086a2..a7a0675 100644
--- a/src/routers/api.ts
+++ b/src/routers/api.ts
@@ -5,7 +5,7 @@
  */
 import { Router, Request, Response, NextFunction } from 'express';
-import { findFromToken, users } from '../auth';
+import { findFromToken, setUserPassword, users } from '../auth';
 import { data } from '../data';
 import { User } from '../types/auth';
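Review bot: `app.use(BodyParserJson())` mounts the JSON parser on every route for every client, authenticated or not, so any request carrying a JSON content-type is parsed (up to express.json's default 100 kB limit) before the API router's adminAuthMiddleware presumably gets to reject it. Since the comment itself says the parser is only needed for API POSTs, scope it by prefix and make the limit explicit, `app.use('/api', BodyParserJson({ limit: '10kb' }));` — a path-prefixed app.use is not the same as mounting inside the Router, so it may sidestep the problem the comment describes (worth confirming against the router mount point, which is outside this hunk). Note also that express.json() accepts only JSON bodies, so any client or comment that talks about "form data" for these endpoints will be wrong with this parser.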
@@ -45,6 +45,17 @@ function buildUserRouter() {
 	userRouter.get('/token/:token', (req: Request, res: Response) => userFinder(res, users.find(user => user.token === req.params.token)));
+	// Reset password (new plaintext password in form data; HOST SHOULD BE USING HTTPS)
+	// Admin only
+	userRouter.post('/reset', adminAuthMiddleware, (req: Request, res: Response) => {
+		const id = req.body.id;
+		const newPassword = req.body.password;
+
+		setUserPassword(id, newPassword)
+			.then(() => res.sendStatus(200))
+			.catch(() => res.sendStatus(500));
+	});
+
 	// Get a user (must be last as it's a catch-all)
 	// Admin only
 	userRouter.get('/:id', adminAuthMiddleware, (req: Request, res: Response) =>
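Review bot: `req.body.id` and `req.body.password` are read without any validation, so a request with a missing or non-JSON body (where `req.body` is undefined) throws synchronously inside the handler, and a non-string or empty `password` is passed straight through to setUserPassword. Add a guard before the call, `if (typeof req.body?.id !== 'string' || typeof req.body?.password !== 'string' || req.body.password.length === 0) return res.sendStatus(400);`, and consider a minimum length here since this handler is the only place a password policy can be enforced for resets. The bare `.catch(() => res.sendStatus(500))` collapses "unknown user" and genuine storage failures into one status and records nothing, yet an admin resetting another account's password is exactly the event that should be logged with the acting admin and the target id (never the password). The comment says "form data", but the parser added in ass.ts is express.json(), so a client posting application/x-www-form-urlencoded gets an undefined body; `// Reset password (JSON body { id, password }; password is plaintext in transit, so the host MUST use HTTPS)` states the actual contract. buildUserRouter continues outside the hunk.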