Zachary Carter
committed
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
const
db = require('../db.js'),
logger = require('../logging.js').logger,
wsapi = require('../wsapi.js'),
bcrypt = require('../bcrypt.js'),
httputils = require('../httputils.js');
// Route descriptor for this endpoint. The code that consumes these fields is
// not part of this file, so the notes below are hedged where they go beyond
// what the values themselves show.

// HTTP verb this handler is registered for.
exports.method = 'post';

// NOTE(review): presumably tells the dispatcher that this handler modifies the
// database (it calls db.completeReverify) -- confirm against the consumer.
exports.writes_db = true;

// The route does not demand an authenticated session up front; exports.process
// makes its own decision (matching session or the initiator's password).
exports.authed = false;

// Declared request arguments.
// NOTE(review): the 'token' and 'password' values look like validator type
// names resolved elsewhere -- confirm what each one enforces.
exports.args = {
  token: 'token',
  // NOTE: 'pass' is required when a user is not authenticated. It is declared
  // optional here, so that requirement is enforced by exports.process and not
  // by argument validation.
  pass: { type: 'password', optional: true }
};

// NOTE(review): presumably switches off localisation for this endpoint's
// responses -- confirm.
exports.i18n = false;
/**
 * Complete an email re-verification identified by `req.params.token`.
 *
 * The caller must prove they are the user who started the verification, in
 * one of two ways:
 *   1. the current session already belongs to that user, or
 *   2. `req.params.pass` matches the initiator's stored password hash.
 *
 * On success the session is authenticated as the uid returned by
 * db.completeReverify and `{ success: true }` is sent as JSON. Failures are
 * reported through the wsapi / httputils helpers.
 *
 * @param {Object} req - request; reads `params.token`, `params.pass` and `session`.
 * @param {Object} res - response handed to the wsapi / httputils helpers.
 */
exports.process = function(req, res) {
  // The helpers below are function declarations, so they are hoisted and can
  // be referenced before their definitions.
  db.authForVerificationSecret(req.params.token, onInitiatorLookup);

  // Decide whether the caller has proven they are the initiator.
  function onInitiatorLookup(lookupErr, initiatorHash, initiatorUid) {
    if (lookupErr) {
      // Every lookup failure is reported through wsapi.databaseDown, even
      // though the log line describes it as an unknown secret.
      logger.info("unknown verification secret: " + lookupErr);
      return wsapi.databaseDown(res, lookupErr);
    }

    // Proof 1: the session already belongs to the initiator.
    // NOTE(review): this is a bare strict-equality test. If the lookup could
    // ever succeed without yielding a uid while the session has no userid,
    // both sides would be undefined and the check would pass -- confirm that
    // db.authForVerificationSecret always supplies a uid on success.
    if (req.session.userid === initiatorUid) {
      finishReverify();
      return;
    }

    // Proof 2 needs a password; 'pass' is optional at the argument layer, so
    // its absence is rejected here.
    if (typeof req.params.pass !== 'string') {
      return httputils.authRequired(res, "password required");
    }

    // NOTE(review): initiatorHash is passed through unchecked; how
    // bcrypt.compare treats a missing hash is not visible here -- confirm.
    bcrypt.compare(req.params.pass, initiatorHash, onPasswordChecked);
  }

  // Handle the outcome of comparing the supplied password with the stored hash.
  function onPasswordChecked(compareErr, matched) {
    if (compareErr) {
      // Any compare error is logged as load shedding and answered via
      // httputils.serviceUnavailable.
      logger.warn("max load hit, failing on auth request with 503: " + compareErr);
      return httputils.serviceUnavailable(res, "server is too busy");
    }

    if (!matched) {
      return httputils.authRequired(res, "password mismatch");
    }

    finishReverify();
  }

  // Consume the token, then authenticate the session as the resulting user.
  function finishReverify() {
    db.completeReverify(req.params.token, function(dbErr, email, uid) {
      if (dbErr) {
        logger.warn("couldn't complete email verification: " + dbErr);
        wsapi.databaseDown(res, dbErr);
        return;
      }

      // The session is bound to the uid reported by completeReverify, not to
      // the uid from the earlier lookup.
      // NOTE(review): 'password' is passed on both proof paths, including the
      // one where no password was presented in this request -- confirm that
      // is the intended authentication level for the session-match case.
      wsapi.authenticateSession(req.session, uid, 'password');
      res.json({ success: true });
    });
  }
};