Skip to content

Commit

Permalink
fix: password reset API to delete expired requests
Browse files Browse the repository at this point in the history
  • Loading branch information
atsu1125 committed Aug 15, 2024
1 parent 9975186 commit d4793ed
Showing 1 changed file with 20 additions and 4 deletions.
24 changes: 20 additions & 4 deletions src/server/api/endpoints/reset-password.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import $ from 'cafy';
import * as bcrypt from 'bcryptjs';
import * as ms from 'ms';
import { publishMainStream } from '../../../services/stream';
import define from '../define';
import { Users, UserProfiles, PasswordResetRequests } from '../../../models';
Expand All @@ -10,6 +11,11 @@ export const meta = {

requireCredential: false as const,

limit: {
duration: ms('1hour'),
max: 3
},

params: {
token: {
validator: $.str
Expand All @@ -21,18 +27,28 @@ export const meta = {
},

errors: {

noSuchResetRequest: {
message: 'No such reset request.',
code: 'NO_SUCH_RESET_REQUEST',
id: '6382759d-294c-43de-89b3-4e825006ca43',
}
}
};

export default define(meta, async (ps, user) => {
const req = await PasswordResetRequests.findOneOrFail({
const req = await PasswordResetRequests.findOne({
token: ps.token,
});
if (req == null) throw new ApiError(meta.errors.noSuchResetRequest);

// 発行してから30分以上経過していたら無効
// expires after 30 minutes
// This is a secondary check just in case the expiry task is broken,
// the expiry task is badly aligned with this expiration or something
// else strange is going on.
if (Date.now() - req.createdAt.getTime() > 1000 * 60 * 30) {
throw new Error(); // TODO
await PasswordResetRequests.delete(req.id);
if (req == null) throw new ApiError(meta.errors.noSuchResetRequest);
}

// Generate hash of password
Expand All @@ -43,5 +59,5 @@ export default define(meta, async (ps, user) => {
password: hash
});

PasswordResetRequests.delete(req.id);
await PasswordResetRequests.delete(req.id);
});

0 comments on commit d4793ed

Please sign in to comment.