overleaf/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee

PasswordResetHandler = require("./PasswordResetHandler")
RateLimiter = require("../../infrastructure/RateLimiter")


module.exports =

	renderRequestResetForm: (req, res)->
		res.render "user/passwordReset", 
			title:"reset_password"

	requestReset: (req, res)->
		email = req.body.email.trim().toLowerCase()
		opts = 
			endpointName: "password_reset_rate_limit"
			timeInterval: 60
			subjectName: req.ip
			throttle: 6
		RateLimiter.addCount opts, (err, canCompile)->
			if !canCompile
				return res.send 500, { message: req.i18n.translate("rate_limit_hit_wait")}
			PasswordResetHandler.generateAndEmailResetToken email, (err)->
				if err?
					res.send 500, {message:err?.message}
				else
					res.send 200

	renderSetPasswordForm: (req, res)->
		res.render "user/setPassword", 
			title:"set_password"
			passwordResetToken:req.query.passwordResetToken

	setNewUserPassword: (req, res)->
		{passwordResetToken, password} = req.body
		if !password? or password.length == 0 or !passwordResetToken? or passwordResetToken.length == 0
			return res.send 500
		PasswordResetHandler.setNewUserPassword passwordResetToken?.trim(), password?.trim(), (err)->
			if err?
				res.send 500
			else
				res.send 200
written password reset controller 2014-05-15 11:50:38 -04:00			`PasswordResetHandler = require("./PasswordResetHandler")`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`RateLimiter = require("../../infrastructure/RateLimiter")`

written password reset handler 2014-05-15 11:20:23 -04:00
			`module.exports =`

written password reset controller 2014-05-15 11:50:38 -04:00			`renderRequestResetForm: (req, res)->`
			`res.render "user/passwordReset",`
sorted out titles 2014-08-01 08:47:14 -04:00			`title:"reset_password"`
written password reset handler 2014-05-15 11:20:23 -04:00
written password reset controller 2014-05-15 11:50:38 -04:00			`requestReset: (req, res)->`
lowercase password reset email 2014-06-10 12:54:29 -04:00			`email = req.body.email.trim().toLowerCase()`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`opts =`
Fix password reset rate limit to work on ip, not email which changes every request 2014-06-25 05:46:58 -04:00			`endpointName: "password_reset_rate_limit"`
			`timeInterval: 60`
			`subjectName: req.ip`
			`throttle: 6`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`RateLimiter.addCount opts, (err, canCompile)->`
			`if !canCompile`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`return res.send 500, { message: req.i18n.translate("rate_limit_hit_wait")}`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`PasswordResetHandler.generateAndEmailResetToken email, (err)->`
			`if err?`
hooked up the frount end ui to show the email can not be found, added client side valdidation on password, removed server side min length check. Just check that it is not 0 len 2014-05-16 06:04:48 -04:00			`res.send 500, {message:err?.message}`
added rate limiting to password reset endpoint 2014-05-16 05:31:33 -04:00			`else`
			`res.send 200`
written password reset handler 2014-05-15 11:20:23 -04:00
written password reset controller 2014-05-15 11:50:38 -04:00			`renderSetPasswordForm: (req, res)->`
			`res.render "user/setPassword",`
sorted out titles 2014-08-01 08:47:14 -04:00			`title:"set_password"`
added the token generator and its getNewToken function 2014-05-15 12:16:20 -04:00			`passwordResetToken:req.query.passwordResetToken`
written password reset handler 2014-05-15 11:20:23 -04:00
written password reset controller 2014-05-15 11:50:38 -04:00			`setNewUserPassword: (req, res)->`
added the token generator and its getNewToken function 2014-05-15 12:16:20 -04:00			`{passwordResetToken, password} = req.body`
hooked up the frount end ui to show the email can not be found, added client side valdidation on password, removed server side min length check. Just check that it is not 0 len 2014-05-16 06:04:48 -04:00			`if !password? or password.length == 0 or !passwordResetToken? or passwordResetToken.length == 0`
written password reset controller 2014-05-15 11:50:38 -04:00			`return res.send 500`
added the token generator and its getNewToken function 2014-05-15 12:16:20 -04:00			`PasswordResetHandler.setNewUserPassword passwordResetToken?.trim(), password?.trim(), (err)->`
written password reset controller 2014-05-15 11:50:38 -04:00			`if err?`
			`res.send 500`
			`else`
			`res.send 200`