fix(auth): add single-use token login recovery flow

2026-02-20 20:20:40 -05:00
parent c6d9dfd3c1
commit 469962d03c
4 changed files with 150 additions and 86 deletions
--- a/auth/authEmail.js
+++ b/auth/authEmail.js
@@ -10,6 +10,38 @@ const Notifications = require("../notifications");
 const Post = require("../def/post.js")
 const Profile = require("../def/profile.js");
 const DUMMY_BCRYPT_HASH = '$2b$10$2zQfAaxK0cN13N7V2Q5hAOL3wxY5E9OQj1YxDCEV4VpWw2X2gYd6C';
+const PASSWORD_TOKEN_TTL_MINUTES = parseInt(process.env.PASSWORD_TOKEN_TTL_MINUTES || '20', 10);
+const PASSWORD_TOKEN_PATH = process.env.PASSWORD_TOKEN_PATH || '/token-login';
+const FRONTEND_URL = (process.env.FRONTEND_URL || 'https://social.emmint.com').replace(/\/+$/, '');
+
+const createPasswordTokenHash = (rawToken) =>
+    crypto.createHash('sha256').update(rawToken).digest('hex');
+
+const createSessionFromUser = async ({ DB, user, req, res }) => {
+    const sessionObj = await DB.newSession(user._id);
+    res.cookie('user_sid', user._id, cookiesOptions);
+    res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
+    const latestUpdatedProfile = await DB.latestProfile(user._id);
+    if (latestUpdatedProfile && latestUpdatedProfile._id) {
+        res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
+    }
+    client_logger.identify({
+        distinctId: user._id,
+        properties: {
+            name: latestUpdatedProfile?.profile?.firstName || '',
+        }
+    });
+    client_logger.capture({
+        distinctId: user._id,
+        event: 'server@' + req.method + '@' + req.originalUrl,
+    });
+    return {
+        status: "ok",
+        user_sid: user._id,
+        session_id: sessionObj.insertedId,
+        profile_id: latestUpdatedProfile?._id
+    };
+};

 // Function to Singup new users. An user is a combination of a user obj and a profile.
 // When new users are subscribed, they have a single profile, which is the personal one.
@@ -103,30 +135,7 @@ const login = async function (req, res) {
    // SECURITY FIX (#4): same response for non-existing user and wrong password.
    if (!user || !isSamePassword) return invalidCredentials();
    try {
-        // Store a new session loging on DB, and use ID as session ID
-        const sessionObj = await DB.newSession(user._id);
-        // Create coockies with information for Auth
-        res.cookie('user_sid', user._id, cookiesOptions);
-        res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
-        // Chooses the most recent update profile as current active profile
-        const latestUpdatedProfile = await DB.latestProfile(user._id);
-        res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
-        client_logger.identify({
-            distinctId: user._id,
-            properties: {
-                name: latestUpdatedProfile.profile.firstName,
-            }
-        });
-        client_logger.capture({
-            distinctId: user._id,
-            event: 'server@' + req.method + '@' + req.originalUrl,
-        });
-        return res.json({
-            status: "ok",
-            user_sid: user._id,
-            session_id: sessionObj.insertedId,
-            profile_id: latestUpdatedProfile._id
-        });
+        return res.json(await createSessionFromUser({ DB, user, req, res }));
    } catch (error) {
        console.error(error);
        client_logger.capture({
@@ -158,38 +167,10 @@ const logout = async function (req, res) {
    }
 }

-// Util function for generating new random password for users.
-function generatePassword(length = 12) {
-    const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+";
-    return Array.from(crypto.randomFillSync(new Uint8Array(length)))
-        .map((x) => charset[x % charset.length])
-        .join("");
-}
-
 const resetPassword = async function (req, res) {
-    const session_id = getSessionId(req);
-    const user_sid = getUserId(req);
    const DB = await MongoDB.getDB;
-    if (session_id && user_sid) {
-        // Sadly reusing this endpoint to change password to legged in users.
-        // TODO: Move change password logic to its own endpoint.
-        const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
-        if (userInfo) {
-            const password = req.body.password;
-            const hashedPassword = await bcrypt.hash(password, 10);
-            // TODO: Add salt to password here as well.
-            DB.resetUserPassword(userInfo.username, hashedPassword);
-            return res.json({
-                status: "ok",
-                details: 'password changed!' // This should be an enum that syncs with clients.
-            });
-        }
-    }
-    // SECURITY PLAN (point #1):
-    // Replace this entire non-authenticated branch with reset-token flow:
-    // request-reset(email) -> email link -> confirm-reset(token, newPassword).
-    // Do not generate/send plaintext passwords by email.
-    // SECURITY FIX (#4): return generic response regardless of account existence.
+
+    // SECURITY FIX (#1): issue a single-use token instead of sending/changing passwords.
    const genericResetResponse = {
        status: "ok",
        details: "If the account exists, check your email for next steps"
@@ -206,20 +187,24 @@ const resetPassword = async function (req, res) {
        });
        return res.json(genericResetResponse);
    }
-    const password = generatePassword();
-    const hashedPassword = await bcrypt.hash(password, 10);
-    // TODO: Add salt to password here as well.
-    // TODO: We need to limit this to every 2 hours or something like this.
-    // TODO: Move this template to the Notif file.
-    DB.resetUserPassword(username, hashedPassword);
-    Notifications.sendEmail(username, "Your new credentials",
+    const rawToken = crypto.randomBytes(32).toString('hex');
+    const tokenHash = createPasswordTokenHash(rawToken);
+    const expiresAt = new Date(Date.now() + PASSWORD_TOKEN_TTL_MINUTES * 60 * 1000);
+    const tokenStored = await DB.createPasswordLoginToken(user._id, tokenHash, expiresAt);
+    if (!tokenStored) {
+        return res.json(genericResetResponse);
+    }
+    const loginUrl = `${FRONTEND_URL}${PASSWORD_TOKEN_PATH}?token=${rawToken}`;
+    Notifications.sendEmail(username, "Your secure sign-in link",
        `
-<p> Hello,</p>
-<p> This is your new password: ${password}</p>
-<p><a href="https://social.emmint.com/">Log in</a></p>
+<p>Hello,</p>
+<p>Use this one-time sign-in link to access your account:</p>
+<p><a href="${loginUrl}">${loginUrl}</a></p>
+<p>This link expires in ${PASSWORD_TOKEN_TTL_MINUTES} minutes and can only be used once.</p>
+<p>If you did not request this, you can ignore this email.</p>
 <p>Blessings</p>
 <p>Emmanuel International Ministries</p>
-`)
+`);
    client_logger.capture({
        distinctId: user._id,
        event: 'server@' + req.method + '@' + req.originalUrl,
@@ -230,10 +215,34 @@ const resetPassword = async function (req, res) {
    return res.json(genericResetResponse);
 }

+const loginWithPasswordToken = async function (req, res) {
+    const DB = await MongoDB.getDB;
+    const token = (req.body.token || "").trim();
+    if (!token || token.length < 32) {
+        return res.status(401).json({ status: "Invalid or expired token" });
+    }
+    const tokenHash = createPasswordTokenHash(token);
+    const tokenDoc = await DB.consumePasswordLoginToken(tokenHash);
+    if (!tokenDoc || !tokenDoc.userId) {
+        return res.status(401).json({ status: "Invalid or expired token" });
+    }
+    const user = await DB.getUserById(tokenDoc.userId);
+    if (!user || !user._id) {
+        return res.status(401).json({ status: "Invalid or expired token" });
+    }
+    try {
+        return res.json(await createSessionFromUser({ DB, user, req, res }));
+    } catch (error) {
+        console.error("Token login error", error);
+        return res.status(500).json({ status: "Internal server error" });
+    }
+}
+

 module.exports = {
    signup,
    login,
    logout,
    resetPassword,
+    loginWithPasswordToken,
 }