
Merge pull request #4076 from weseek/imprv/gw6803-set-expiration-to-the-one-time-url

Imprv/gw6803 set expiration to the one time url
Yuki Takei 4 лет назад
Родитель
Сommit
4d047de721

+ 19 - 0
src/server/middlewares/password-reset.js

@@ -0,0 +1,19 @@
+module.exports = (crowi, app) => {
+  const PasswordResetOrder = crowi.model('PasswordResetOrder');
+
+  return async(req, res, next) => {
+    const { token } = req.params;
+
+    if (token == null) {
+      return res.redirect('/login');
+    }
+
+    const passwordResetOrder = await PasswordResetOrder.findOne({ token });
+    // check the oneTimeToken is valid
+    if (passwordResetOrder == null || passwordResetOrder.isExpired()) {
+      return res.redirect('/login');
+    }
+
+    return next();
+  };
+};
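Review bot: A rejected `PasswordResetOrder.findOne({ token })` (or a throw inside `isExpired()`) on the lines after the `token == null` guard is never handed to Express, because the async handler has no try/catch and, on an Express version that does not forward rejected handler promises (4.x does not), the request hangs and the rejection goes unhandled; wrap the lookup and the check in `try { … } catch (err) { return next(err); }`. The loaded order is also discarded after the expiry check, so `forgotPassword.resetPassword` presumably has to repeat the query; assigning `req.passwordResetOrder = passwordResetOrder;` before `return next();` avoids the second lookup and keeps both handlers judging the same document. The file has no header comment; `// Rejects /forgot-password/:token requests whose token is unknown or expired and redirects them to /login` would state the contract.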

+ 1 - 1
src/server/models/password-reset-order.js

@@ -17,7 +17,7 @@ class PasswordResetOrder {
 
   static generateOneTimeToken() {
     const buf = crypto.randomBytes(256);
-    const token = buf.toString('base64');
+    const token = buf.toString('hex');
 
     return token;
   }
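Review bot: The switch to `'hex'` on the `buf.toString` line carries no comment explaining it, and the reason matters here: base64 output contains `/`, `+` and `=`, which cannot be dropped into a path segment the way the new `/forgot-password/:token` route does, whereas hex is path-safe. Suggest `// hex rather than base64: the token is embedded in a URL path segment, and base64's '/', '+' and '=' are not path-safe`. Note that `crypto.randomBytes(256)` now yields a 512-character token in the emailed link; if link length ever becomes a concern, fewer bytes would still leave ample entropy.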

+ 1 - 2
src/server/routes/forgot-password.js

@@ -17,7 +17,6 @@ module.exports = function(crowi, app) {
     return res.render('reset-password');
   };
 
-
   async function sendPasswordResetEmail(email, url, i18n) {
     return mailService.send({
       to: email,
@@ -39,7 +38,7 @@ module.exports = function(crowi, app) {
 
     try {
       const passwordResetOrderData = await PasswordResetOrder.createPasswordResetOrder(email);
-      const url = new URL(`/forgot-password/token?${passwordResetOrderData.token}`, appUrl);
+      const url = new URL(`/forgot-password/${passwordResetOrderData.token}`, appUrl);
       const oneTimeUrl = url.href;
       await sendPasswordResetEmail(email, oneTimeUrl, i18n);
       return res.json(ApiResponse.success());
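Review bot: The interpolated `${passwordResetOrderData.token}` on the `new URL(...)` line goes into a path segment unescaped, and it is only safe because the model was switched to hex in the same commit; nothing in this file enforces that coupling. `encodeURIComponent(passwordResetOrderData.token)` would keep the link valid should the token encoding change again. The enclosing handler and its `try` begin and end outside the hunk.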

+ 2 - 2
src/server/routes/index.js

@@ -13,6 +13,7 @@ module.exports = function(crowi, app) {
   const adminRequired = require('../middlewares/admin-required')(crowi);
   const certifySharedFile = require('../middlewares/certify-shared-file')(crowi);
   const csrf = require('../middlewares/csrf')(crowi);
+  const passwordReset = require('../middlewares/password-reset')(crowi);
 
   const uploads = multer({ dest: `${crowi.tmpDir}uploads` });
   const form = require('../form');
@@ -178,8 +179,7 @@ module.exports = function(crowi, app) {
 
   app.get('/forgot-password', forgotPassword.forgotPassword);
   app.post('/_api/forgot-password', forgotPassword.api.post);
-  // TODO: inserting middleware by GW-6926
-  app.get('/forgot-password/:token', forgotPassword.resetPassword);
+  app.get('/forgot-password/:token'      , passwordReset, forgotPassword.resetPassword);
 
   app.get('/share/:linkId', page.showSharedPage);