From 4a3f35cf554b11ca4ee8c065b86950f0eab8f07c Mon Sep 17 00:00:00 2001 From: HF Date: Sun, 11 Sep 2022 02:21:49 +0200 Subject: [PATCH] fix password reset --- src/core/MailProvider.js | 2 +- src/routes/reset_password.js | 24 ++++++++++++------------ src/ssr/PasswordReset.jsx | 1 + 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/src/core/MailProvider.js b/src/core/MailProvider.js index d9095fd..9d85ab2 100644 --- a/src/core/MailProvider.js +++ b/src/core/MailProvider.js @@ -99,7 +99,7 @@ export class MailProvider { postPasswdResetMail(to, ip, host, lang, code) { const { t } = getTTag(lang); logger.info(`Sending Password reset mail to ${to}`); - const restoreUrl = `${host}/reset_password?token=${code}`; + const restoreUrl = `${host}/reset_password?token=${code}&email=${encodeURIComponent(to)}`; const subject = t`You forgot your password for PixelPlanet? Get a new one here`; const html = `${t`Hello`},
${t`You requested to get a new password. You can change your password within the next 30min here: `} ${t`Reset Password`}. ${t`Or by copying following url:`}
${restoreUrl}\n
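Review bot: The `+` line in `postPasswdResetMail` now encodes `to` but still interpolates `code` raw into the query string, so the two parameters of the same URL are built inconsistently and any URL-reserved character in a code would corrupt the link the user receives. Wrapping it as `encodeURIComponent(code)` alongside `encodeURIComponent(to)` treats both values the same way. If the code generator is known to emit only URL-safe characters, a short comment on that line stating so would justify the asymmetry instead. The method body continues outside the hunk.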
diff --git a/src/routes/reset_password.js b/src/routes/reset_password.js index 7d4c0ef..eecbf61 100644 --- a/src/routes/reset_password.js +++ b/src/routes/reset_password.js @@ -7,8 +7,8 @@ import express from 'express'; import logger from '../core/logger'; import getPasswordResetHtml from '../ssr/PasswordReset'; - -import mailProvider from '../core/MailProvider'; +import { validateEMail } from '../utils/validation'; +import { checkCode } from '../data/redis/mailCodes'; import { RegUser } from '../data/sql'; @@ -25,7 +25,9 @@ router.use(express.urlencoded({ extended: true })); * if invalid password is given, ignore it and go to next */ router.post('/', async (req, res) => { - const { pass, passconf, code } = req.body; + const { + pass, passconf, code, name: email, + } = req.body; const { lang } = req; const { t } = req.ttag; @@ -40,8 +42,8 @@ router.post('/', async (req, res) => { return; } - const email = mailProvider.checkCode(code); - if (!email) { + const ret = await checkCode(email, code); + if (!ret) { const html = getPasswordResetHtml( null, null, @@ -94,7 +96,7 @@ router.post('/', async (req, res) => { * Check GET parameters for action to execute */ router.get('/', async (req, res) => { - const { token } = req.query; + const { email, token } = req.query; const { lang } = req; const { t } = req.ttag; @@ -109,21 +111,19 @@ router.get('/', async (req, res) => { return; } - const email = mailProvider.checkCode(token); - if (!email) { + const error = validateEMail(email); + if (error) { const html = getPasswordResetHtml( null, null, lang, - // eslint-disable-next-line max-len - t`This passwort reset link is wrong or already expired, please request a new one (Note: you can use those links just once)`, + error, ); res.status(401).send(html); return; } - const code = mailProvider.setCode(email); - const html = getPasswordResetHtml(email, code); + const html = getPasswordResetHtml(email, token, lang); res.status(200).send(html); }); 
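Review bot: In the POST handler's second hunk, `email` (destructured from `req.body.name`) goes straight into `await checkCode(email, code)` without the `validateEMail(email)` guard the GET handler now applies to the same value, so a malformed address reaches the code store from one entry point but not the other. Adding the same check before the `checkCode` call, `const error = validateEMail(email); if (error) { /* same 401 response as the GET handler */ return; }`, keeps the two handlers aligned, and a clearer name than `ret`, e.g. `codeValid`, would make the branch self-explanatory. With the token now carried in the link and re-posted by the form, the reset's safety rests on `checkCode` confirming that the submitted email and code were issued together; a one-line comment above that call stating this expectation would help the next reader. Both handler bodies continue outside their hunks.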
diff --git a/src/ssr/PasswordReset.jsx b/src/ssr/PasswordReset.jsx index b48effc..41dba2b 100644 --- a/src/ssr/PasswordReset.jsx +++ b/src/ssr/PasswordReset.jsx @@ -61,6 +61,7 @@ export default function getPasswordResetHtml(name, code, lang, message = null) { style="max-width:35em" /> +