diff --git a/src/routes/api/routes/users.js b/src/routes/api/routes/users.js index 36b83b6..d82e486 100644 --- a/src/routes/api/routes/users.js +++ b/src/routes/api/routes/users.js @@ -1,7 +1,7 @@ const { UserModel, BanModel } = require("../../../models"); const { Router } = require("express"); const multer = require("multer"); -const { themes } = require("../../../lib") +const { themes, emailRegEx } = require("../../../lib") const app = Router(); const { join } = require("path"); app.param("id", async (req, res, next, id) => { @@ -37,7 +37,7 @@ app.patch("/:id", async (req, res) => { if (req.user.id !== member.id && !user.admin) return res.error(403, "You have not got permission for this."); if (!Object.keys(req.body).some(Boolean)) return res.error(400, "Missing member informations in request body."); - const { name, about, admin, deleted, hideLastSeen, theme } = req.body; + const { name, about, admin, deleted, hideLastSeen, theme, email } = req.body; if ((admin?.length || "deleted" in req.body) && !req.user.admin) return res.error(403, "You have not got permission for edit 'admin' and 'deleted' information, or bad request."); const { names, desp } = req.app.get("limits"); @@ -54,6 +54,12 @@ app.patch("/:id", async (req, res) => { if (theme && themes.some(t => t.codename === theme.codename)) member.theme = theme; + if (email) { + if (!emailRegEx.test(email)) return res.error(400, "E-mail is not valid"); + if (await UserModel.exists({ email })) return res.error(400, "E-mail is already in use"); + member.email = email; + } + if (typeof admin === "boolean" || ["false", "true"].includes(admin)) member.admin = admin; if (deleted === false) member.deleted = false; diff --git a/src/routes/security.js b/src/routes/security.js new file mode 100644 index 0000000..8c455aa --- /dev/null +++ b/src/routes/security.js @@ -0,0 +1,28 @@ +const { UserModel } = require("../models"); +const { Router } = require("express") +const bcrypt = require("bcrypt"); +const { RL} = require('../lib'); +const app = Router(); + +app.use(async (req, res, next) => { + if (!req.user) return res.error(403, "You are not logged in"); + next(); +}); + +app.get("/", (req, res) => res.reply("security")); + +app.post("/", RL(24 * 60 * 60_000, 5), async (req, res) => { + + let { old_password, password } = req.body; + if (!old_password || !password) return res.error(400, "You forgot entering some values"); + const { names } = req.app.get("limits"); + if (password.length < 3 || password.length > names) return res.error(400, "Password must be between 3 - 25 characters"); + const user = await UserModel.get(req.user.id, "+password"); + if (!await bcrypt.compare(old_password, user.password)) return res.error(401, 'Incorrect password!'); + user.password = await bcrypt.hash(password, 10); + await user.save(); + res.send("Password changed"); + +}); + +module.exports = app; \ No newline at end of file diff --git a/src/themes/common/views/edit_user.ejs b/src/themes/common/views/edit_user.ejs index 05d1cab..7440d11 100644 --- a/src/themes/common/views/edit_user.ejs +++ b/src/themes/common/views/edit_user.ejs @@ -15,8 +15,8 @@
- - + + <% if (user?.admin){ %> Is Admin? > @@ -40,7 +40,8 @@ const res = await request("/api/users/<%=member.id%>", "PATCH", { name: formdata.get("name"), about: simplemde.value(), - admin: formdata.get("admin") + admin: formdata.get("admin"), + email: formdata.get("email") }); simplemde.clearAutosavedValue(); diff --git a/src/themes/common/views/security.ejs b/src/themes/common/views/security.ejs new file mode 100644 index 0000000..4f6113a --- /dev/null +++ b/src/themes/common/views/security.ejs @@ -0,0 +1,23 @@ + + + +<%- include(dataset.getFile(dataset.theme.codename +"/views/extra/meta"), {title: "Log in!" }) %> + + + + <%- include(dataset.getFile(dataset.theme.codename +"/views/extra/navbar")) %> + + +

Change password

+ + + + + +
+ + <%- include(dataset.getFile(dataset.theme.codename +"/views/extra/footer")) %> + + + + \ No newline at end of file