Support resetting passwords via email

mia-pi-git · mia-pi-git · commit aa19d54e9ec1 · 2021-11-03T17:15:47.000-05:00
diff --git a/config/config-example.js b/config/config-example.js
@@ -22,6 +22,7 @@ exports.passwordSalt = 10;
 // routes
 exports.routes = {
 	root: "pokemonshowdown.com",
+	client: "play.pokemonshowdown.com",
 };
 
 exports.mainserver = 'showdown';
@@ -120,4 +121,10 @@ exports.watchconfig = true;
  * An IP to allow restart requests from.
  * @type {null | string}
  */
-exports.restartip = null;
+exports.restartip = null;
+
+/** @type {{transportOpts: import('nodemailer').TransportOptions, from: string}} */
+exports.passwordemails = {
+	transportOpts: {},
+	from: 'passwords@pokemonshowdown.com',
+};
diff --git a/package.json b/package.json
@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "@types/node": "^15.12.4",
+    "@types/nodemailer": "^6.4.4",
     "bcrypt": "^5.0.1",
     "eslint-plugin-import": "^2.24.2",
     "google-auth-library": "^3.1.2",
@@ -27,7 +28,7 @@
     "eslint": "^7.32.0",
     "eslint-plugin-import": "^2.22.1",
     "mocha": "^6.0.2",
-    "nodemailer": "^6.6.5",
+    "nodemailer": "^6.7.0",
     "typescript": "^4.4.3"
   },
   "private": true
diff --git a/src/actions.ts b/src/actions.ts
@@ -13,6 +13,12 @@ import {NTBBLadder} from './ladder';
 import {Replays, md5} from './replays';
 import {toID} from './server';
 import * as tables from './tables';
+import * as nodemailer from 'nodemailer';
+
+// eslint-disable-next-line
+const EMAIL_REGEX = /(?:[a-z0-9!#$%&\'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&\'*+\/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])/i;
+
+const mailer = nodemailer.createTransport(Config.passwordemails.transportOpts);
 
 // shamelessly stolen from PS main
 function bash(command: string, cwd?: string): Promise<[number, string, string]> {
@@ -416,4 +422,86 @@ export const actions: {[k: string]: QueryHandler} = {
 		if (stderr) throw new ActionError(stderr);
 		return {updated: update, success: true};
 	},
+	async setemail(params) {
+		if (!this.user.loggedin) {
+			throw new ActionError(`You must be logged in to set an email.`);
+		}
+		if (!params.email || typeof params.email !== 'string') {
+			throw new ActionError(`You must send an email.`);
+		}
+		const email = EMAIL_REGEX.exec(params.email)?.[0];
+		if (!email) throw new ActionError(`Invalid email sent.`);
+		const data = await tables.users.get('*', this.user.id);
+		if (!data) throw new ActionError(`You are not registered.`);
+		if (data.email?.endsWith('@')) {
+			throw new ActionError(`You have 2FA, and do not need to set an email for password resets.`);
+		}
+		const result = await tables.users.update(this.user.id, {email});
+
+		delete (data as any).passwordhash;
+		return {
+			success: !!result.changedRows,
+			curuser: Object.assign(data, {email}),
+		};
+	},
+	async clearemail() {
+		if (!this.user.loggedin) {
+			throw new ActionError(`You must be logged in to edit your email.`);
+		}
+		const data = await tables.users.get('*', this.user.id);
+		if (!data) throw new ActionError(`You are not registered.`);
+		if (data.email?.endsWith('@')) {
+			throw new ActionError(
+				`You have 2FA, and need an administrator to set/unset your email manually.`
+			);
+		}
+		const result = await tables.users.update(this.user.id, {email: null});
+
+		delete (data as any).passwordhash;
+		return {
+			actionsuccess: !!result.changedRows,
+			curuser: Object.assign(data, {email: null}),
+		};
+	},
+	async resetpassword(params) {
+		if (typeof params.email !== 'string' || !params.email) {
+			throw new ActionError(`You must provide an email address.`);
+		}
+		const email = EMAIL_REGEX.exec(params.email)?.[0];
+		if (!email) {
+			throw new ActionError(`Invalid email sent.`);
+		}
+		const data = await tables.users.selectOne('*', SQL`email = ${email}`);
+		if (!data) {
+			// no user associated with that email.
+			// ...pretend like it succeeded (we don't wanna leak that it's in use, after all)
+			return {success: true};
+		}
+		if (!data.email) {
+			// should literally never happen
+			throw new Error(`Account data found with no email, but had an email match`);
+		}
+		if (data.email.endsWith('@')) {
+			throw new ActionError(`You have 2FA, and so do not need a password reset.`);
+		}
+		const token = await this.session.createPasswordResetToken(data.username);
+
+		await mailer.sendMail({
+			from: Config.passwordemails.from,
+			to: data.email,
+			subject: "Pokemon Showdown account password reset",
+			text: (
+				`You requested a password reset for the Pokemon Showdown account ${data.userid}. Click this link https://${Config.routes.root}/resetpassword/${token} and follow the instructions to change your password.\n` +
+				`Not you? Please contact staff by typing /ht in any chatroom on Pokemon Showdown. \n` +
+				`If you are unable to do so, visit the Help chatroom.`
+			),
+			html: (
+				`You requested a password reset for the Pokemon Showdown account ${data.userid}. ` +
+				`Click <a href="https://${Config.routes.root}/resetpassword/${token}">this link</a> and follow the instructions to change your password.<br />` +
+				`Not you? Please contact staff by typing <code>/ht</code> in any chatroom on Pokemon Showdown. <br />` +
+				`If you are unable to do so, visit the <a href="${Config.routes.client}/help">Help</a> chatroom.`
+			),
+		});
+		return {success: true};
+	},
 };
diff --git a/src/session.ts b/src/session.ts
@@ -446,4 +446,34 @@ export class Session {
 		}
 		return Promise.resolve(cachedSid === databaseSid);
 	}
+	async createPasswordResetToken(name: string, timeout: null | number = null) {
+		const ctime = time();
+		const userid = toID(name);
+		if (!timeout) {
+			timeout = 7 * 24 * 60 * 60;
+		}
+		timeout += ctime;
+		// todo throttle by checking to see if pending token exists in sid table?
+		if (await this.findPendingReset(name)) {
+			throw new ActionError(`A reset token is already pending to that account.`);
+		}
+
+		await usermodlog.insert({
+			userid, actorid: userid, ip: this.dispatcher.getIp(),
+			date: ctime, entry: "Password reset token requested",
+		});
+
+		// magical character string...
+		const token = crypto.randomBytes(15).toString('hex');
+		await sessions.insert({
+			userid, sid: token, time: ctime, timeout, ip: this.dispatcher.getIp(),
+		});
+		return token;
+	}
+	async findPendingReset(name: string) {
+		const id = toID(name);
+		const sids = await sessions.selectAll('*', SQL`userid = ${id}`);
+		// not a fan of this but sids are normally different lengths. have to be, iirc.
+		return sids.some(({sid}) => sid.length === 15);
+	}
 }
