From 26636d5f2fa53c53e27f7379a640dd0f33ad2c08 Mon Sep 17 00:00:00 2001
From: BurnyLlama
Date: Thu, 21 Apr 2022 20:48:02 +0200
Subject: [PATCH] Password changing now works!
---
 index.js | 6 +++---
 package.json | 6 +++---
 routes/auth.js | 41 ++++++++++++++++++++++++++++++++++--
 static/index.html | 45 ----------------------------------------
 views/pages/manager.njk | 24 +++++++++++++++++++--
 views/pages/register.njk | 4 ++++
 6 files changed, 71 insertions(+), 55 deletions(-)
 delete mode 100644 static/index.html
diff --git a/index.js b/index.js
index 04e8885..b422e5b 100644
--- a/index.js
+++ b/index.js
@@ -30,10 +30,10 @@ APP.use('/', ROUTES) njk.configure( 'views', {
- autoescape: true,
+ autoescape: true,
 lstripBlocks: true,
- trimBlocks: true,
- express: APP,
+ trimBlocks: true,
+ express: APP,
 } )
diff --git a/package.json b/package.json
index 7c9ba61..8553bef 100644
--- a/package.json
+++ b/package.json
@@ -12,10 +12,10 @@ "dependencies": { "bcrypt": "^5.0.1", "cookie-parser": "^1.4.6",
- "dotenv": "^12.0.3",
- "express": "^4.17.2",
+ "dotenv": "^12.0.4",
+ "express": "^4.17.3",
 "jsonwebtoken": "^8.5.1", "nunjucks": "^3.2.3",
- "pg": "^8.7.1"
+ "pg": "^8.7.3"
 } }
diff --git a/routes/auth.js b/routes/auth.js
index be36bec..9fef1b1 100644
--- a/routes/auth.js
+++ b/routes/auth.js
@@ -48,7 +48,7 @@ AUTH.post('/register', async (req, res) => { if ((await glauth.query("SELECT * FROM users WHERE name = $1::text", [ username ])).rowCount) return(res.send("User already exists"))
- bcrypt.hash(password, 10).then(
+ bcrypt.hash(password, 12).then(
 hash => { const hexHash = hash2hex(hash) glauth.query(
@@ -106,12 +106,49 @@ AUTH.post('/login', async (req, res) => { ) })
+AUTH.post('/changePass', async (req, res) => {
+ const { newPass, oldPass } = req.body
+
+ // Was input sent?
+ if (!newPass|| !oldPass )
+ return(res.send(`Not entered:${newPass ? '' : ' new password,'}${oldPass ? '' : ' old password'}`))
+
+ const token = jwt.verify(req.signedCookies["api-token"], SECRET)
+
+ if (!token)
+ return res.send("Token error! Please sign in ag ain anusername = token.named retry...")
+
+ const username = token.name
+
+ const user = (await glauth.query("SELECT * FROM users WHERE name = $1::text", [ username ])).rows[0]
+
+ if (!user)
+ return(res.send("User doesn't exist!"))
+
+ bcrypt.compare(oldPass, user.qam_pass).then(
+ async match => {
+ if (!match)
+ return res.send("Password's is incorrect!")
+
+ const newPassHash = await bcrypt.hash(newPass, 12)
+ const newPassHexHash = hash2hex(newPassHash)
+
+ glauth.query("UPDATE users SET qam_pass = $1::text, passbcrypt = $2::text WHERE name = $3::text", [ newPassHash, newPassHexHash, username ])
+ .then(
+ () => res.send("Successfully changed password!")
+ ).catch(
+ () => res.send("Database error while changing password!")
+ )
+ }
+ )
+})
+
 AUTH.get('/captcha', async (req, res) => { const captcha = crypto.randomBytes(3).toString('hex') await execawait(`./captcha.sh ${captcha} > captcha.png`) // Make it valid for 10 minutes
- valid[captcha] = new Date()
+ valid[captcha] = new Date(Date.now() + 10 * 60 * 1000)
 // Send the captcha image res.contentType('image/png')
diff --git a/static/index.html b/static/index.html
deleted file mode 100644
index 7e36df9..0000000
--- a/static/index.html
+++ /dev/null
@@ -1,45 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - qwik - - - - -
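Review bot: In the new `/changePass` handler in routes/auth.js, `jwt.verify(req.signedCookies["api-token"], SECRET)` throws when the cookie is missing, malformed or expired instead of returning a falsy value, so the `if (!token)` branch does not cover those cases and the exception escapes the async route handler. Wrapping the call in `try`/`catch` and sending the token error from the `catch` gives the client a defined response. The `bcrypt.compare(...).then(...)` chain also has no rejection handler, so a failure in `compare` or in the awaited `bcrypt.hash` leaves the request unanswered; awaiting both inside one `try` block covers that. The token-error string on the new side looks garbled (`ag ain anusername = token.named retry`) and presumably should read "again and retry". Because the route changes a credential on cookie authentication alone, it is worth confirming that a CSRF defence (for example a SameSite attribute on the cookie) is applied where the cookie is set, which is outside this hunk.

```javascript
AUTH.post('/changePass', async (req, res) => {
    // … unchanged: body destructuring and empty-input check …

    // jwt.verify() throws on a missing, malformed or expired token
    let token
    try {
        token = jwt.verify(req.signedCookies["api-token"], SECRET)
    } catch (err) {
        return res.status(401).send("Token error! Please sign in again and retry...")
    }

    // … unchanged: username and user lookup …

    try {
        if (!(await bcrypt.compare(oldPass, user.qam_pass)))
            return res.send("Password's is incorrect!")

        const newPassHash = await bcrypt.hash(newPass, 12)
        const newPassHexHash = hash2hex(newPassHash)
        await glauth.query("UPDATE users SET qam_pass = $1::text, passbcrypt = $2::text WHERE name = $3::text", [ newPassHash, newPassHexHash, username ])
        res.send("Successfully changed password!")
    } catch (err) {
        res.status(500).send("Error while changing password!")
    }
})
```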
-
-
-
- -
- -
- -
- -
- - - -
diff --git a/views/pages/manager.njk b/views/pages/manager.njk
index a3d26dc..98a1b5c 100644
--- a/views/pages/manager.njk
+++ b/views/pages/manager.njk
@@ -9,7 +9,27 @@
Welcome {{ user.name }}! :D

This is your account manager!

- Currently no features are implemented, but we want to implement at least password changing. - It would also be nice to have proper account deletion. (For now, if you want to delete your account contact an admin!) + Here you can manage your account... +

+ +

Change password:

+
+ + + + + + + +
+ +

I want to change my username

+

+ That is sadly not doable through this manager. Try messaging BurnyLlama (XMPP: burnyllama@qwik.space) and see if there are any options. (You can also just create a new account...) +

+ +

I want to delete my account!

+

+ Contact mew, BurnyLlama (XMPP: burnyllama@qwik.space), and I will help you delete your account.

{% endblock %}
\ No newline at end of file
diff --git a/views/pages/register.njk b/views/pages/register.njk
index cd20e89..b48f628 100644
--- a/views/pages/register.njk
+++ b/views/pages/register.njk
@@ -20,6 +20,10 @@

Enter the text you see in the image.

+

+ By registering you agree to qwik's Privacy Policy and Terms of Service. +

+ {% endblock %} \ No newline at end of file