pixelplanet/src/core/mail.js

/*
 * functions for mail verify
 */

/* eslint-disable max-len */

import { randomUUID } from 'crypto';
import nodemailer from 'nodemailer';

import logger from './logger';
import { HOUR, MINUTE } from './constants';
import { DailyCron, HourlyCron } from '../utils/cron';
import { getTTag } from './ttag';
import { USE_MAILER, MAIL_ADDRESS } from './config';

import { RegUser } from '../data/sql';


// TODO make code expire
class MailProvider {
  constructor() {
    this.enabled = !!USE_MAILER;
    if (this.enabled) {
      this.transporter = nodemailer.createTransport({
        sendmail: true,
        newline: 'unix',
        path: '/usr/sbin/sendmail',
      });

      this.clearCodes = this.clearCodes.bind(this);

      this.verifyCodes = {};
      HourlyCron.hook(this.clearCodes);
      DailyCron.hook(MailProvider.cleanUsers);
    }
  }

  sendMail(to, subject, html) {
    if (!this.enabled) {
      return;
    }
    this.transporter.sendMail({
      from: `PixelPlanet <${MAIL_ADDRESS}>`,
      to,
      replyTo: MAIL_ADDRESS,
      subject,
      html,
    }, (err) => {
      if (err) {
        logger.error(err);
      }
    });
  }

  sendVerifyMail(to, name, host, lang) {
    if (!this.enabled) {
      return null;
    }

    const { t } = getTTag(lang);

    const pastMail = this.verifyCodes[to];
    if (pastMail) {
      const minLeft = Math.floor(
        pastMail.timestamp / MINUTE + 2 - Date.now() / MINUTE,
      );
      if (minLeft > 0) {
        logger.info(
          `Verify mail for ${to} - already sent, ${minLeft} minutes left`,
        );
        return t`We already sent you a verification mail, you can request another one in ${minLeft} minutes.`;
      }
    }

    logger.info(`Sending verification mail to ${to} / ${name}`);
    const code = this.setCode(to);
    const verifyUrl = `${host}/api/auth/verify?token=${code}`;
    const subject = t`Welcome ${name} to PixelPlanet, plese verify your mail`;
    const html = `<em>${t`Hello ${name}`}</em>,<br />
      ${t`welcome to our little community of pixelplacers, to use your account, you have to verify your mail. You can do that here: `} <a href="${verifyUrl}">${t`Click to Verify`}</a>. ${t`Or by copying following url:`}<br />${verifyUrl}\n<br />
      ${t`Have fun and don't hesitate to contact us if you encouter any problems :)`}<br />
      ${t`Thanks`}<br /><br />
      <img alt="" src="https://assets.pixelplanet.fun/tile.png" style="height:64px; width:64px" />`;
    this.sendMail(to, subject, html);
    return null;
  }

  async sendPasswdResetMail(to, ip, host, lang) {
    const { t } = getTTag(lang);

    if (!this.enabled) {
      return t`Mail is not configured on the server`;
    }

    const pastMail = this.verifyCodes[to];
    if (pastMail) {
      if (Date.now() < pastMail.timestamp + 15 * MINUTE) {
        logger.info(
          `Password reset mail for ${to} requested by ${ip} - already sent`,
        );
        return t`We already sent you a mail with instructions. Please wait before requesting another mail.`;
      }
    }
    const reguser = await RegUser.findOne({ where: { email: to } });
    if (pastMail || !reguser) {
      logger.info(
        `Password reset mail for ${to} requested by ${ip} - mail not found`,
      );
      return t`Couldn't find this mail in our database`;
    }

    /*
     * not sure if this is needed yet
     * does it matter if spaming password reset mails or verifications mails?
     *
    if(!reguser.verified) {
      logger.info(`Password reset mail for ${to} requested by ${ip} - mail not verified`);
      return "Can't reset password of unverified account.";
    }
    */

    logger.info(`Sending Password reset mail to ${to}`);
    const code = this.setCode(to);
    const restoreUrl = `${host}/reset_password?token=${code}`;
    const subject = t`You forgot your password for PixelPlanet? Get a new one here`;
    const html = `<em>${t`Hello`}</em>,<br />
      ${t`You requested to get a new password. You can change your password within the next 30min here: `} <a href="${restoreUrl}">${t`Reset Password`}</a>. ${t`Or by copying following url:`}<br />${restoreUrl}\n<br />
      ${t`If you did not request this mail, please just ignore it (the ip that requested this mail was ${ip}).`}<br />
      ${t`Thanks`}<br /><br />\n<img alt="" src="https://assets.pixelplanet.fun/tile.png" style="height:64px; width:64px" />`;
    this.sendMail(to, subject, html);
    return null;
  }

  setCode(email) {
    const code = MailProvider.createCode();
    this.verifyCodes[email] = {
      code,
      timestamp: Date.now(),
    };
    return code;
  }

  async clearCodes() {
    const curTime = Date.now();
    const toDelete = [];

    const mails = Object.keys(this.verifyCodes);
    for (let i = 0; i < mails.length; i += 1) {
      const iteremail = mails[i];
      if (curTime > this.verifyCodes[iteremail].timestamp + HOUR) {
        toDelete.push(iteremail);
      }
    }
    toDelete.forEach((email) => {
      logger.info(`Mail Code for ${email} expired`);
      delete this.verifyCodes[email];
    });
  }

  // Note: code gets deleted on check
  checkCode(code) {
    let email = null;
    const mails = Object.keys(this.verifyCodes);
    for (let i = 0; i < mails.length; i += 1) {
      const iteremail = mails[i];
      if (this.verifyCodes[iteremail].code === code) {
        email = iteremail;
        break;
      }
    }
    if (!email) {
      logger.info(`Mail Code ${code} not found.`);
      return false;
    }
    logger.info(`Got Mail Code from ${email}.`);
    delete this.verifyCodes[email];
    return email;
  }

  async verify(code) {
    const email = this.checkCode(code);
    if (!email) return false;

    const reguser = await RegUser.findOne({ where: { email } });
    if (!reguser) {
      logger.error(`${email} does not exist in database`);
      return false;
    }
    await reguser.update({
      mailVerified: true,
      verificationReqAt: null,
    });
    return reguser.name;
  }

  static createCode() {
    return randomUUID();
  }

  static cleanUsers() {
    // delete users that requier verification for more than 4 days
    /*
    RegUser.destroy({
      where: {
        verificationReqAt: {
          [Sequelize.Op.lt]:
            Sequelize.literal('CURRENT_TIMESTAMP - INTERVAL 4 DAY'),
        },
        verified: 0,
      },
    });
    */
  }
}

const mailProvider = new MailProvider();

export default mailProvider;
Mirror repository for github 2020-01-02 16:58:06 +00:00			`/*`
			`* functions for mail verify`
			`*/`

more translations 2021-01-30 12:32:46 +00:00			`/* eslint-disable max-len */`

fix password-reset-code vulnerability 2022-07-15 14:23:48 +00:00			`import { randomUUID } from 'crypto';`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`import nodemailer from 'nodemailer';`
Mirror repository for github 2020-01-02 16:58:06 +00:00
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`import logger from './logger';`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`import { HOUR, MINUTE } from './constants';`
			`import { DailyCron, HourlyCron } from '../utils/cron';`
more translations 2021-01-30 12:32:46 +00:00			`import { getTTag } from './ttag';`
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			`import { USE_MAILER, MAIL_ADDRESS } from './config';`
Mirror repository for github 2020-01-02 16:58:06 +00:00
refactor /data directory 2022-06-19 21:19:10 +00:00			`import { RegUser } from '../data/sql';`
Mirror repository for github 2020-01-02 16:58:06 +00:00
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00
Mirror repository for github 2020-01-02 16:58:06 +00:00			`// TODO make code expire`
			`class MailProvider {`
			`constructor() {`
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			`this.enabled = !!USE_MAILER;`
			`if (this.enabled) {`
			`this.transporter = nodemailer.createTransport({`
			`sendmail: true,`
			`newline: 'unix',`
			`path: '/usr/sbin/sendmail',`
			`});`

			`this.clearCodes = this.clearCodes.bind(this);`

			`this.verifyCodes = {};`
			`HourlyCron.hook(this.clearCodes);`
			`DailyCron.hook(MailProvider.cleanUsers);`
			`}`
			`}`
Mirror repository for github 2020-01-02 16:58:06 +00:00
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			`sendMail(to, subject, html) {`
			`if (!this.enabled) {`
			`return;`
			`}`
			`this.transporter.sendMail({`
			from: `PixelPlanet <${MAIL_ADDRESS}>`,
			`to,`
			`replyTo: MAIL_ADDRESS,`
			`subject,`
			`html,`
			`}, (err) => {`
			`if (err) {`
			`logger.error(err);`
			`}`
			`});`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`

more translations 2021-01-30 12:32:46 +00:00			`sendVerifyMail(to, name, host, lang) {`
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			`if (!this.enabled) {`
			`return null;`
			`}`

more translations 2021-01-30 12:32:46 +00:00			`const { t } = getTTag(lang);`

change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`const pastMail = this.verifyCodes[to];`
			`if (pastMail) {`
			`const minLeft = Math.floor(`
send verify mail limit to 2min 2020-01-13 04:37:12 +00:00			`pastMail.timestamp / MINUTE + 2 - Date.now() / MINUTE,`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`);`
			`if (minLeft > 0) {`
			`logger.info(`
			`Verify mail for ${to} - already sent, ${minLeft} minutes left`,
			`);`
more translations 2021-01-30 12:32:46 +00:00			return t`We already sent you a verification mail, you can request another one in ${minLeft} minutes.`;
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`
			`}`
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00
Mirror repository for github 2020-01-02 16:58:06 +00:00			logger.info(`Sending verification mail to ${to} / ${name}`);
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`const code = this.setCode(to);`
remove HOSTURL variable and instead get host from header 2020-01-09 14:54:55 +00:00			const verifyUrl = `${host}/api/auth/verify?token=${code}`;
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			const subject = t`Welcome ${name} to PixelPlanet, plese verify your mail`;
			const html = `<em>${t`Hello ${name}`}</em>,<br />
more translations 2021-01-30 12:32:46 +00:00			${t`welcome to our little community of pixelplacers, to use your account, you have to verify your mail. You can do that here: `} <a href="${verifyUrl}">${t`Click to Verify`}</a>. ${t`Or by copying following url:`}<br />${verifyUrl}\n<br />
			${t`Have fun and don't hesitate to contact us if you encouter any problems :)`}<br />
			${t`Thanks`}<br /><br />
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			<img alt="" src="https://assets.pixelplanet.fun/tile.png" style="height:64px; width:64px" />`;
			`this.sendMail(to, subject, html);`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`return null;`
			`}`

more translations 2021-01-30 12:32:46 +00:00			`async sendPasswdResetMail(to, ip, host, lang) {`
			`const { t } = getTTag(lang);`
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00
			`if (!this.enabled) {`
			return t`Mail is not configured on the server`;
			`}`

change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`const pastMail = this.verifyCodes[to];`
			`if (pastMail) {`
			`if (Date.now() < pastMail.timestamp + 15 * MINUTE) {`
			`logger.info(`
			`Password reset mail for ${to} requested by ${ip} - already sent`,
			`);`
more translations 2021-01-30 12:32:46 +00:00			return t`We already sent you a mail with instructions. Please wait before requesting another mail.`;
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`
			`}`
			`const reguser = await RegUser.findOne({ where: { email: to } });`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`if (pastMail \|\| !reguser) {`
			`logger.info(`
			`Password reset mail for ${to} requested by ${ip} - mail not found`,
			`);`
more translations 2021-01-30 12:32:46 +00:00			return t`Couldn't find this mail in our database`;
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00
Mirror repository for github 2020-01-02 16:58:06 +00:00			`/*`
			`* not sure if this is needed yet`
			`* does it matter if spaming password reset mails or verifications mails?`
			`*`
			`if(!reguser.verified) {`
			logger.info(`Password reset mail for ${to} requested by ${ip} - mail not verified`);
			`return "Can't reset password of unverified account.";`
			`}`
			`*/`

			logger.info(`Sending Password reset mail to ${to}`);
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`const code = this.setCode(to);`
remove HOSTURL variable and instead get host from header 2020-01-09 14:54:55 +00:00			const restoreUrl = `${host}/reset_password?token=${code}`;
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			const subject = t`You forgot your password for PixelPlanet? Get a new one here`;
			const html = `<em>${t`Hello`}</em>,<br />
more translations 2021-01-30 12:32:46 +00:00			${t`You requested to get a new password. You can change your password within the next 30min here: `} <a href="${restoreUrl}">${t`Reset Password`}</a>. ${t`Or by copying following url:`}<br />${restoreUrl}\n<br />
			${t`If you did not request this mail, please just ignore it (the ip that requested this mail was ${ip}).`}<br />
Add option to turn off sending mails Remove GMAIL support (they shut down 3rd party apps anyway) and add note to ssmtp, which can be used to still send over other providers. 2022-06-30 09:47:36 +00:00			${t`Thanks`}<br /><br />\n<img alt="" src="https://assets.pixelplanet.fun/tile.png" style="height:64px; width:64px" />`;
			`this.sendMail(to, subject, html);`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`return null;`
			`}`

change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`setCode(email) {`
			`const code = MailProvider.createCode();`
			`this.verifyCodes[email] = {`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`code,`
			`timestamp: Date.now(),`
			`};`
			`return code;`
			`}`

change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`async clearCodes() {`
			`const curTime = Date.now();`
			`const toDelete = [];`

			`const mails = Object.keys(this.verifyCodes);`
			`for (let i = 0; i < mails.length; i += 1) {`
			`const iteremail = mails[i];`
			`if (curTime > this.verifyCodes[iteremail].timestamp + HOUR) {`
			`toDelete.push(iteremail);`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`
			`}`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`toDelete.forEach((email) => {`
Mirror repository for github 2020-01-02 16:58:06 +00:00			logger.info(`Mail Code for ${email} expired`);
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`delete this.verifyCodes[email];`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`});`
			`}`

			`// Note: code gets deleted on check`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`checkCode(code) {`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`let email = null;`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`const mails = Object.keys(this.verifyCodes);`
			`for (let i = 0; i < mails.length; i += 1) {`
			`const iteremail = mails[i];`
			`if (this.verifyCodes[iteremail].code === code) {`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`email = iteremail;`
			`break;`
			`}`
			`}`
			`if (!email) {`
			logger.info(`Mail Code ${code} not found.`);
			`return false;`
			`}`
			logger.info(`Got Mail Code from ${email}.`);
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`delete this.verifyCodes[email];`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`return email;`
			`}`

			`async verify(code) {`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`const email = this.checkCode(code);`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`if (!email) return false;`

			`const reguser = await RegUser.findOne({ where: { email } });`
			`if (!reguser) {`
			logger.error(`${email} does not exist in database`);
			`return false;`
			`}`
			`await reguser.update({`
			`mailVerified: true,`
			`verificationReqAt: null,`
			`});`
verifying email will cause websocket reconnect 2020-04-30 01:20:31 +00:00			`return reguser.name;`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`

fix password-reset-code vulnerability 2022-07-15 14:23:48 +00:00			`static createCode() {`
			`return randomUUID();`
			`}`

change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`static cleanUsers() {`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`// delete users that requier verification for more than 4 days`
deactivate user deletion when not verified 2020-01-05 23:34:34 +00:00			`/*`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`RegUser.destroy({`
			`where: {`
			`verificationReqAt: {`
change from sendmail to nodemailer fix eslint errors corresponding to mail sending 2020-01-06 10:46:11 +00:00			`[Sequelize.Op.lt]:`
			`Sequelize.literal('CURRENT_TIMESTAMP - INTERVAL 4 DAY'),`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`},`
			`verified: 0,`
			`},`
			`});`
deactivate user deletion when not verified 2020-01-05 23:34:34 +00:00			`*/`
Mirror repository for github 2020-01-02 16:58:06 +00:00			`}`
			`}`

fix auth-routes related eslint errors 2020-01-06 11:29:33 +00:00			`const mailProvider = new MailProvider();`
Mirror repository for github 2020-01-02 16:58:06 +00:00
			`export default mailProvider;`