From 8a80412cd65bc0aa86487d81b612ebc1494faf3f Mon Sep 17 00:00:00 2001 From: Robbie Antenesse Date: Wed, 5 Jun 2019 12:45:05 -0600 Subject: [PATCH] Finish up password reset --- package.json | 4 +-- src/js/account/passwordReset.js | 51 ++++++++++++++++++++++++++-- src/php/api/User.php | 9 ++--- src/php/api/index.php | 4 +-- src/php/passwordreset.php | 26 ++++++++++++++ src/structure.sql | 2 +- template-passwordreset.html | 60 +++++++++++++++++++++++++++++++++ 7 files changed, 144 insertions(+), 12 deletions(-) create mode 100644 src/php/passwordreset.php create mode 100644 template-passwordreset.html diff --git a/package.json b/package.json index 8bdd3d8..d3929a8 100644 --- a/package.json +++ b/package.json @@ -8,9 +8,9 @@ "license": "UNLICENCED", "scripts": { "start": "concurrently \"npm run watch-js\" \"npm run watch-php\"", - "watch-js": "parcel watch index.html view.html --no-hmr --public-url ./", + "watch-js": "parcel watch index.html template-view.html template-passwordreset.html --no-hmr --public-url ./", "watch-php": "cpx \"src/php/**/{*,.*}\" dist -v -w", - "bundle": "parcel build index.html && cpx \"src/php/**/{*,.*}\" dist", + "bundle": "parcel build index.html template-view.html template-passwordreset.html && cpx \"src/php/**/{*,.*}\" dist", "serve-frontend-only": "parcel index.html", "clear": "npm run clear-dist && npm run clear-cache", "clear-dist": "rimraf dist/*", diff --git a/src/js/account/passwordReset.js b/src/js/account/passwordReset.js index 3b5b730..2d7eb4c 100644 --- a/src/js/account/passwordReset.js +++ b/src/js/account/passwordReset.js @@ -25,10 +25,10 @@ export function renderForgotPasswordForm() { } function setupStartResetForm() { - document.getElementById('forgotPasswordSubmit').addEventListener('click', sendPasswordReset); + document.getElementById('forgotPasswordSubmit').addEventListener('click', startPasswordReset); } -function sendPasswordReset() { +function startPasswordReset() { const email = document.getElementById('forgotPasswordEmailField').value.trim(); const errorMessageElement = document.getElementById('forgotPasswordErrorMessages'); let errorMessage = ''; @@ -56,4 +56,49 @@ function sendPasswordReset() { } }); } -} \ No newline at end of file +} + +function setupPasswordResetForm() { + document.getElementById('newPasswordSubmit').addEventListener('click', submitPasswordReset); +} + +function submitPasswordReset() { + const password = document.getElementById('newPassword').value; + const confirm = document.getElementById('newConfirm').value; + const account = document.getElementById('account').value; + const errorMessageElement = document.getElementById('newPasswordErrorMessages'); + let errorMessage = ''; + + if (password === '') { + errorMessage += '

Please enter a password.

'; + } else if (password !== confirm) { + errorMessage += '

The passwords do not match.

'; + } + + errorMessageElement.innerHTML = errorMessage; + + if (errorMessage === '') { + request({ + action: 'password-reset', + account, + password, + }, success => { + console.log(success); + }, error => { + errorMessage += '

' + error + '

'; + }).then(() => { + errorMessageElement.innerHTML = errorMessage; + if (errorMessage === '') { + document.getElementById('detailsPanel').innerHTML = `

Your password has been reset

+

You can now Return to Lexiconga and log in using your new password.

`; + } + }); + } +} + +window.onload = (function (oldLoad) { + return function () { + oldLoad && oldLoad(); + setupPasswordResetForm(); + } +})(window.onload); \ No newline at end of file diff --git a/src/php/api/User.php b/src/php/api/User.php index 0f5857e..ad2ed94 100644 --- a/src/php/api/User.php +++ b/src/php/api/User.php @@ -284,7 +284,7 @@ VALUES (?, ?, ?, ?, ?)'; $to = $email; $subject = "Here's your Lexiconga password reset link"; $message = "Hello " . $user_data['public_name'] . "\r\n\r\nSomeone has requested a password reset link for your Lexiconga account. If it was you, you can reset your password by going to the link below and entering a new password for yourself:\r\n"; - $message .= "http://lexicon.ga/passwordreset?account=" . $user_data['id'] . "&code=" . $reset_code_hash . "\r\n\r\n"; + $message .= "https://lexicon.ga/passwordreset.php?account=" . $user_data['id'] . "&code=" . $reset_code_hash . "\r\n\r\n"; $message .= "If it wasn't you who requested the link, you can ignore this email since it was only sent to you, but you might want to consider changing your password when you have a chance.\r\n\r\n"; $message .= "The password link will only be valid for today until you use it.\r\n\r\n"; $message .= "Thanks!\r\nThe Lexiconga Admins"; @@ -326,12 +326,13 @@ VALUES (?, ?, ?, ?, ?)'; } } - public function resetPassword($password, $email) { + public function resetPassword($password, $id) { + $id = intval($id); $password_hash = password_hash($password, PASSWORD_DEFAULT); - $query = "UPDATE `users` SET `password`=?, `password_reset_date`='0000-00-00 00:00:00' WHERE `email`=?;"; + $query = "UPDATE `users` SET `password`=?, `old_password`=null, `password_reset_code`=null WHERE `id`=?;"; return $this->db->execute($query, array( $password_hash, - $email, + $id, )); } diff --git a/src/php/api/index.php b/src/php/api/index.php index f58d8b0..80d6e7a 100644 --- a/src/php/api/index.php +++ b/src/php/api/index.php @@ -445,9 +445,9 @@ switch ($action) { ), 400); } case 'password-reset': { - if (isset($request['code']) && isset($request['password'])) { + if (isset($request['account']) && isset($request['password'])) { $user = new User(); - $password_reset = $user->setPasswordReset($request['email']); + $password_reset = $user->resetPassword($request['password'], $request['account']); if ($password_reset === true) { return Response::json(array( 'data' => $password_reset, diff --git a/src/php/passwordreset.php b/src/php/passwordreset.php new file mode 100644 index 0000000..4317a7e --- /dev/null +++ b/src/php/passwordreset.php @@ -0,0 +1,26 @@ +Sorry, this password reset link is not valid.

'; + +if (isset($_GET['account']) && isset($_GET['code'])) { + $user = new User(); + if ($user->checkPasswordReset($_GET['account'], $_GET['code'])) { + $content = ' + + +
+ '; + } +} + +$html = str_replace('{{content}}', $content, $html); +return Response::html($html); diff --git a/src/structure.sql b/src/structure.sql index bf722a3..41301a1 100644 --- a/src/structure.sql +++ b/src/structure.sql @@ -64,7 +64,7 @@ CREATE TABLE IF NOT EXISTS `users` ( `allow_email` tinyint(1) NOT NULL DEFAULT 1, `last_login` int(11) DEFAULT NULL, `password_reset_code` varchar(20) COLLATE utf8_unicode_ci DEFAULT NULL, - `password_reset_date` int(11) DEFAULT NULL, + `password_reset_date` datetime DEFAULT NULL, `created_on` int(11) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`) diff --git a/template-passwordreset.html b/template-passwordreset.html new file mode 100644 index 0000000..625f338 --- /dev/null +++ b/template-passwordreset.html @@ -0,0 +1,60 @@ + + + + + + + Password Reset | Lexiconga + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + +
+
+
+
+

Reset your Password

+
+ {{content}} +
+
+
+
+ + + \ No newline at end of file