Paßwort vergessen modernisiert
This commit is contained in:
Torsten Schulz (local)
@@ -1,10 +1,45 @@
|
||||
import { readUsers, hashPassword, writeUsers, revokeRefreshSessionsForUser } from '../../utils/auth.js'
|
||||
import { readUsers, writeUsers } from '../../utils/auth.js'
|
||||
import nodemailer from 'nodemailer'
|
||||
import crypto from 'crypto'
|
||||
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
|
||||
import { writeAuditLog } from '../../utils/audit-log.js'
|
||||
import { maskResetEmail, normalizeResetEmail, writePasswordResetLog } from '../../utils/password-reset-log.js'
|
||||
|
||||
const RESET_TOKEN_TTL_MINUTES = Number(process.env.PASSWORD_RESET_TTL_MIN || 60)
|
||||
const RESET_TOKEN_MAX_AGE_MS = RESET_TOKEN_TTL_MINUTES * 60 * 1000
|
||||
|
||||
function generateResetToken() {
|
||||
return crypto.randomBytes(32).toString('base64url')
|
||||
}
|
||||
|
||||
function hashResetToken(token) {
|
||||
return crypto.createHash('sha256').update(String(token), 'utf8').digest('hex')
|
||||
}
|
||||
|
||||
function getResetBaseUrl(event) {
|
||||
const configured = process.env.NUXT_PUBLIC_BASE_URL
|
||||
if (configured) return configured.replace(/\/$/, '')
|
||||
|
||||
const requestUrl = getRequestURL(event)
|
||||
return `${requestUrl.protocol}//${requestUrl.host}`
|
||||
}
|
||||
|
||||
function prunePasswordResetTokens(user) {
|
||||
const now = Date.now()
|
||||
user.passwordResetTokens = (Array.isArray(user.passwordResetTokens) ? user.passwordResetTokens : [])
|
||||
.filter(token => !token.usedAt && new Date(token.expiresAt).getTime() > now)
|
||||
.slice(-4)
|
||||
}
|
||||
|
||||
function escapeHtml(value) {
|
||||
return String(value || '')
|
||||
.replace(/&/g, '&')
|
||||
.replace(/</g, '<')
|
||||
.replace(/>/g, '>')
|
||||
.replace(/"/g, '"')
|
||||
.replace(/'/g, ''')
|
||||
}
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const requestId = crypto.randomUUID()
|
||||
let emailKey = ''
|
||||
@@ -34,7 +69,6 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
// Rate Limiting (IP + Account)
|
||||
await logStep('rate_limit', 'checking')
|
||||
try {
|
||||
assertRateLimit(event, {
|
||||
@@ -57,7 +91,6 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
await logStep('rate_limit', 'passed')
|
||||
|
||||
// Find user
|
||||
let users
|
||||
try {
|
||||
users = await readUsers()
|
||||
@@ -67,7 +100,6 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
const user = users.find(u => normalizeResetEmail(u.email) === emailKey)
|
||||
|
||||
// Always return success (security: don't reveal if email exists)
|
||||
if (!user) {
|
||||
await logStep('user_lookup', 'not_found')
|
||||
await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
|
||||
@@ -81,82 +113,84 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
await logStep('user_lookup', 'found', { userId: user.id })
|
||||
|
||||
// Generate temporary password
|
||||
const tempPassword = crypto.randomBytes(8).toString('hex')
|
||||
const hashedPassword = await hashPassword(tempPassword)
|
||||
await logStep('temporary_password', 'generated', { userId: user.id })
|
||||
|
||||
// Send email with temporary password
|
||||
const smtpUser = process.env.SMTP_USER
|
||||
const smtpPass = process.env.SMTP_PASS
|
||||
|
||||
|
||||
if (!smtpUser || !smtpPass) {
|
||||
await logStep('mail_configuration', 'failed', { userId: user.id, reason: 'smtp_credentials_missing' })
|
||||
console.warn('SMTP-Credentials fehlen! E-Mail-Versand wird übersprungen.')
|
||||
console.warn(`SMTP_USER=${smtpUser ? 'gesetzt' : 'FEHLT'}, SMTP_PASS=${smtpPass ? 'gesetzt' : 'FEHLT'}`)
|
||||
throw new Error('SMTP-Konfiguration fuer Passwort-Reset fehlt')
|
||||
} else {
|
||||
await logStep('mail_configuration', 'passed', { userId: user.id })
|
||||
const transporter = nodemailer.createTransport({
|
||||
host: process.env.SMTP_HOST || 'smtp.gmail.com',
|
||||
port: process.env.SMTP_PORT || 587,
|
||||
secure: false,
|
||||
auth: {
|
||||
user: smtpUser,
|
||||
pass: smtpPass
|
||||
}
|
||||
})
|
||||
|
||||
const mailOptions = {
|
||||
from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
|
||||
to: user.email,
|
||||
subject: 'Passwort zurücksetzen - Harheimer TC',
|
||||
html: `
|
||||
<h2>Passwort zurücksetzen</h2>
|
||||
<p>Hallo ${user.name},</p>
|
||||
<p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt.</p>
|
||||
<p>Ihr temporäres Passwort lautet: <strong>${tempPassword}</strong></p>
|
||||
<p>Bitte melden Sie sich damit an und ändern Sie Ihr Passwort im Mitgliederbereich.</p>
|
||||
<br>
|
||||
<p>Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail.</p>
|
||||
<br>
|
||||
<p>Mit sportlichen Grüßen,<br>Ihr Harheimer TC</p>
|
||||
`
|
||||
}
|
||||
|
||||
await logStep('mail_send', 'started', { userId: user.id })
|
||||
try {
|
||||
await transporter.sendMail(mailOptions)
|
||||
} catch (error) {
|
||||
await logStep('mail_send', 'failed', { userId: user.id, error })
|
||||
throw error
|
||||
}
|
||||
await logStep('mail_send', 'completed', { userId: user.id })
|
||||
}
|
||||
|
||||
// Erst nach erfolgreichem Versand das zugesandte Passwort aktivieren.
|
||||
user.password = hashedPassword
|
||||
user.passwordResetRequired = true
|
||||
await logStep('mail_configuration', 'passed', { userId: user.id })
|
||||
|
||||
const token = generateResetToken()
|
||||
const tokenHash = hashResetToken(token)
|
||||
const nowIso = new Date().toISOString()
|
||||
const expiresAt = new Date(Date.now() + RESET_TOKEN_MAX_AGE_MS).toISOString()
|
||||
prunePasswordResetTokens(user)
|
||||
user.passwordResetTokens.push({
|
||||
tokenHash,
|
||||
createdAt: nowIso,
|
||||
expiresAt,
|
||||
usedAt: null
|
||||
})
|
||||
await logStep('reset_token', 'generated', { userId: user.id, expiresAt })
|
||||
|
||||
const updatedUsers = users.map(u => u.id === user.id ? user : u)
|
||||
let passwordStored = false
|
||||
let tokenStored = false
|
||||
try {
|
||||
passwordStored = await writeUsers(updatedUsers)
|
||||
tokenStored = await writeUsers(updatedUsers)
|
||||
} catch (error) {
|
||||
await logStep('password_storage', 'failed', { userId: user.id, error })
|
||||
await logStep('token_storage', 'failed', { userId: user.id, error })
|
||||
throw error
|
||||
}
|
||||
if (!passwordStored) {
|
||||
await logStep('password_storage', 'failed', { userId: user.id, reason: 'write_failed' })
|
||||
throw new Error('Passwort konnte nach E-Mail-Versand nicht gespeichert werden')
|
||||
if (!tokenStored) {
|
||||
await logStep('token_storage', 'failed', { userId: user.id, reason: 'write_failed' })
|
||||
throw new Error('Reset-Token konnte nicht gespeichert werden')
|
||||
}
|
||||
await logStep('password_storage', 'completed', { userId: user.id })
|
||||
await logStep('token_storage', 'completed', { userId: user.id })
|
||||
|
||||
const transporter = nodemailer.createTransport({
|
||||
host: process.env.SMTP_HOST || 'smtp.gmail.com',
|
||||
port: process.env.SMTP_PORT || 587,
|
||||
secure: process.env.SMTP_SECURE === 'true',
|
||||
auth: {
|
||||
user: smtpUser,
|
||||
pass: smtpPass
|
||||
}
|
||||
})
|
||||
|
||||
const resetUrl = `${getResetBaseUrl(event)}/passwort-zuruecksetzen?token=${encodeURIComponent(token)}`
|
||||
const displayName = escapeHtml(user.name || 'Mitglied')
|
||||
|
||||
const mailOptions = {
|
||||
from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
|
||||
to: user.email,
|
||||
subject: 'Passwort zurücksetzen - Harheimer TC',
|
||||
html: `
|
||||
<h2>Passwort zurücksetzen</h2>
|
||||
<p>Hallo ${displayName},</p>
|
||||
<p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt.</p>
|
||||
<p>Bitte klicken Sie auf den folgenden Link und vergeben Sie dort ein neues Passwort. Der Link ist ${RESET_TOKEN_TTL_MINUTES} Minuten gültig:</p>
|
||||
<p><a href="${resetUrl}">Neues Passwort setzen</a></p>
|
||||
<p>Ihr bisheriges Passwort bleibt gültig, bis Sie über diesen Link ein neues Passwort gesetzt haben.</p>
|
||||
<br>
|
||||
<p>Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail.</p>
|
||||
<br>
|
||||
<p>Mit sportlichen Grüßen,<br>Ihr Harheimer TC</p>
|
||||
`
|
||||
}
|
||||
|
||||
await logStep('mail_send', 'started', { userId: user.id })
|
||||
try {
|
||||
await revokeRefreshSessionsForUser(user.id, 'password_reset')
|
||||
await transporter.sendMail(mailOptions)
|
||||
} catch (error) {
|
||||
await logStep('session_revocation', 'failed', { userId: user.id, error })
|
||||
await logStep('mail_send', 'failed', { userId: user.id, error })
|
||||
throw error
|
||||
}
|
||||
await logStep('session_revocation', 'completed', { userId: user.id })
|
||||
await logStep('mail_send', 'completed', { userId: user.id })
|
||||
|
||||
registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
|
||||
await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: true, userId: user.id, requestId })
|
||||
@@ -168,7 +202,6 @@ export default defineEventHandler(async (event) => {
|
||||
} catch (error) {
|
||||
await logStep('request_completed', 'failed', { error })
|
||||
console.error('Password-Reset-Fehler:', { requestId, code: error?.code || error?.name || 'Error' })
|
||||
// Don't reveal errors to prevent email enumeration
|
||||
return {
|
||||
success: true,
|
||||
message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
|
||||
|
||||
Reference in New Issue
Block a user