joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactors verify_email, adds public html

Browse Source
This commit is contained in:
Florent Vilmart
2016-02-25 19:04:27 -05:00
parent 0b307bc22f
commit 7dd765256c
14 changed files with 455 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
public_html/choose_password.html Normal file
View File

@@ -0,0 +1,175 @@
<!DOCTYPE html>
<html>
<!-- This page is displayed when someone clicks a valid 'reset password' link.
Users should feel free to add to this page (i.e. branding or security widgets)
but should be sure not to delete any of the form inputs or the javascript from the
template file. This javascript is what adds the necessary values to authenticate
this session with Parse.
The query params 'username' and 'app' hold the friendly names for your current user and
your app. You should feel free to incorporate their values to make the page more personal.
If you are missing form parameters in your POST, Parse will navigate back to this page and
add an 'error' query parameter.
-->
<head>
<title>Password Reset</title>
<style type='text/css'>
h1 {
display: block;
font: inherit;
font-size: 30px;
font-weight: 600;
height: 30px;
line-height: 30px;
margin: 45px 0px 45px 0px;
padding: 0px 8px 0px 8px;
}
.error {
color: red;
padding: 0px 8px 0px 8px;
margin: -25px 0px -20px 0px;
}
body {
font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
color: #0067AB;
margin: 15px 99px 0px 98px;
}
label {
color: #666666;
}
form {
margin: 0px 0px 45px 0px;
padding: 0px 8px 0px 8px;
}
form > * {
display: block;
margin-top: 25px;
margin-bottom: 7px;
}
button {
font-size: 22px;
color: white;
background: #0067AB;
-moz-border-radius: 5px;
-webkit-border-radius: 5px;
-o-border-radius: 5px;
-ms-border-radius: 5px;
-khtml-border-radius: 5px;
border-radius: 5px;
background-image: -webkit-gradient(linear,50% 0,50% 100%,color-stop(0%,#0070BA),color-stop(100%,#00558C));
background-image: -webkit-linear-gradient(#0070BA,#00558C);
background-image: -moz-linear-gradient(#0070BA,#00558C);
background-image: -o-linear-gradient(#0070BA,#00558C);
background-image: -ms-linear-gradient(#0070BA,#00558C);
background-image: linear-gradient(#0070BA,#00558C);
-moz-box-shadow: inset 0 1px 0 0 #0076c4;
-webkit-box-shadow: inset 0 1px 0 0 #0076c4;
-o-box-shadow: inset 0 1px 0 0 #0076c4;
box-shadow: inset 0 1px 0 0 #0076c4;
border: 1px solid #005E9C;
padding: 10px 14px;
cursor: pointer;
outline: none;
display: block;
font-family: "Helvetica Neue",Helvetica;
-webkit-box-align: center;
text-align: center;
box-sizing: border-box;
letter-spacing: normal;
word-spacing: normal;
line-height: normal;
text-transform: none;
text-indent: 0px;
text-shadow: none;
}
button:hover {
background-image: -webkit-gradient(linear,50% 0,50% 100%,color-stop(0%,#0079CA),color-stop(100%,#005E9C));
background-image: -webkit-linear-gradient(#0079CA,#005E9C);
background-image: -moz-linear-gradient(#0079CA,#005E9C);
background-image: -o-linear-gradient(#0079CA,#005E9C);
background-image: -ms-linear-gradient(#0079CA,#005E9C);
background-image: linear-gradient(#0079CA,#005E9C);
-moz-box-shadow: inset 0 0 0 0 #0076c4;
-webkit-box-shadow: inset 0 0 0 0 #0076c4;
-o-box-shadow: inset 0 0 0 0 #0076c4;
box-shadow: inset 0 0 0 0 #0076c4;
}
button:active {
background-image: -webkit-gradient(linear,50% 0,50% 100%,color-stop(0%,#00395E),color-stop(100%,#005891));
background-image: -webkit-linear-gradient(#00395E,#005891);
background-image: -moz-linear-gradient(#00395E,#005891);
background-image: -o-linear-gradient(#00395E,#005891);
background-image: -ms-linear-gradient(#00395E,#005891);
background-image: linear-gradient(#00395E,#005891);
}
input {
color: black;
cursor: auto;
display: inline-block;
font-family: 'Helvetica Neue', Helvetica;
font-size: 25px;
height: 30px;
letter-spacing: normal;
line-height: normal;
margin: 2px 0px 2px 0px;
padding: 5px;
text-transform: none;
vertical-align: baseline;
width: 500px;
word-spacing: 0px;
}
</style>
</head>
<body>
<h1>Reset Your Password<span id='app'></span></h1>
<noscript>We apologize, but resetting your password requires javascript</noscript>
<div class='error' id='error'></div>
<form id='form' action='#' method='POST'>
<label>New Password for <span id='username_label'></span></label>
<input name="new_password" type="password" />
<input name='utf-8' type='hidden' value='✓' />
<input name="username" id="username" type="hidden" />
<input name="token" id="token" type="hidden" />
<button>Change Password</button>
</form>
<script language='javascript' type='text/javascript'>
<!--
window.onload = function() {
var urlParams = {};
(function () {
var pair, // Really a match. Index 0 is the full match; 1 & 2 are the key & val.
tokenize = /([^&=]+)=?([^&]*)/g,
// decodeURIComponents escapes everything but will leave +s that should be ' '
re_space = function (s) { return decodeURIComponent(s.replace(/\+/g, " ")); },
// Substring to cut off the leading '?'
querystring = window.location.search.substring(1);
while (pair = tokenize.exec(querystring))
urlParams[re_space(pair[1])] = re_space(pair[2]);
})();
var id = urlParams['id'];
document.getElementById('form').setAttribute('action', '/apps/' + id + '/request_password_reset');
document.getElementById('username').value = urlParams['username'];
document.getElementById('username_label').appendChild(document.createTextNode(urlParams['username']));
document.getElementById('token').value = urlParams['token'];
if (urlParams['error']) {
document.getElementById('error').appendChild(document.createTextNode(urlParams['error']));
}
if (urlParams['app']) {
document.getElementById('app').appendChild(document.createTextNode(' for ' + urlParams['app']));
}
}
//-->
</script>
</body>

43
public_html/invalid_link.html Normal file
View File

@@ -0,0 +1,43 @@
<!DOCTYPE html>
<!-- This page is displayed when someone navigates to a verify email or reset password link
but their security token is wrong. This can either mean the user has clicked on a
stale link (i.e. re-click on a password reset link after resetting their password) or
(rarely) this could be a sign of a malicious user trying to tamper with your app.
-->
<html>
<head>
<title>Invalid Link</title>
<style type='text/css'>
.container {
border-width: 0px;
display: block;
font: inherit;
font-family: 'Helvetica Neue', Helvetica;
font-size: 16px;
height: 30px;
line-height: 16px;
margin: 45px 0px 0px 45px;
padding: 0px 8px 0px 8px;
position: relative;
vertical-align: baseline;
}
h1, h2, h3, h4, h5 {
color: #0067AB;
display: block;
font: inherit;
font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
font-size: 30px;
font-weight: 600;
height: 30px;
line-height: 30px;
margin: 0 0 15px 0;
padding: 0 0 0 0;
}
</style>
<body>
<div class="container">
<h1>Invalid Link</h1>
</div>
</body>
</html>

27
public_html/password_reset_success.html Normal file
View File

@@ -0,0 +1,27 @@
<!DOCTYPE html>
<html>
<!-- This page is displayed whenever someone has successfully reset their password.
Pro and Enterprise accounts may edit this page and tell Parse to use that custom
version in their Parse app. See the App Settigns page for more information.
This page will be called with the query param 'username'
-->
<head>
<title>Password Reset</title>
<style type='text/css'>
h1 {
color: #0067AB;
display: block;
font: inherit;
font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
font-size: 30px;
font-weight: 600;
height: 30px;
line-height: 30px;
margin: 45px 0px 0px 45px;
padding: 0px 8px 0px 8px;
}
</style>
<body>
<h1>Successfully updated your password!</h1>
</body>
</html>

27
public_html/verify_email_success.html Normal file
View File

@@ -0,0 +1,27 @@
<!DOCTYPE html>
<html>
<!-- This page is displayed whenever someone has successfully reset their password.
Pro and Enterprise accounts may edit this page and tell Parse to use that custom
version in their Parse app. See the App Settigns page for more information.
This page will be called with the query param 'username'
-->
<head>
<title>Email Verification</title>
<style type='text/css'>
h1 {
color: #0067AB;
display: block;
font: inherit;
font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
font-size: 30px;
font-weight: 600;
height: 30px;
line-height: 30px;
margin: 45px 0px 0px 45px;
padding: 0px 8px 0px 8px;
}
</style>
<body>
<h1>Successfully verified your email!</h1>
</body>
</html>

14
spec/ParseUser.spec.js
View File

@@ -171,7 +171,7 @@ describe('Parse.User testing', () => {
followRedirect: false,
}, (error, response, body) => {
expect(response.statusCode).toEqual(302);
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/verify_email_success.html?username=zxcv');
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=zxcv');
user.fetch()
.then(() => {
expect(user.get('emailVerified')).toEqual(true);
@@ -202,21 +202,21 @@ describe('Parse.User testing', () => {
});
it('redirects you to invalid link if you try to verify email incorrecly', done => {
request.get('http://localhost:8378/1/verify_email', {
request.get('http://localhost:8378/1/apps/test/verify_email', {
followRedirect: false,
}, (error, response, body) => {
expect(response.statusCode).toEqual(302);
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/invalid_link.html');
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/invalid_link.html');
done()
});
});
it('redirects you to invalid link if you try to validate a nonexistant users email', done => {
request.get('http://localhost:8378/1/verify_email?token=asdfasdf&username=sadfasga', {
request.get('http://localhost:8378/1/apps/test/verify_email?token=asdfasdf&username=sadfasga', {
followRedirect: false,
}, (error, response, body) => {
expect(response.statusCode).toEqual(302);
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/invalid_link.html');
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/invalid_link.html');
done();
});
});
@@ -225,11 +225,11 @@ describe('Parse.User testing', () => {
var user = new Parse.User();
var emailAdapter = {
sendVerificationEmail: options => {
request.get('http://localhost:8378/1/verify_email?token=invalid&username=zxcv', {
request.get('http://localhost:8378/1/apps/test/verify_email?token=invalid&username=zxcv', {
followRedirect: false,
}, (error, response, body) => {
expect(response.statusCode).toEqual(302);
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/invalid_link.html');
expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/invalid_link.html');
user.fetch()
.then(() => {
expect(user.get('emailVerified')).toEqual(false);

25
src/Config.js
View File

@@ -25,6 +25,8 @@ export class Config {
this.database = DatabaseAdapter.getDatabaseConnection(applicationId, cacheInfo.collectionPrefix);
this.mailController = cacheInfo.mailController;
this.serverURL = cacheInfo.serverURL;
this.verifyUserEmails = cacheInfo.verifyUserEmails;
this.appName = cacheInfo.appName;
@@ -32,11 +34,32 @@ export class Config {
this.filesController = cacheInfo.filesController;
this.pushController = cacheInfo.pushController;
this.loggerController = cacheInfo.loggerController;
this.mailController = cacheInfo.mailController;
this.oauth = cacheInfo.oauth;
this.mount = mount;
}
}
get invalidLinkURL() {
return `${this.serverURL}/apps/invalid_link.html`;
}
get verifyEmailSuccessURL() {
return `${this.serverURL}/apps/verify_email_success.html`;
}
get choosePasswordURL() {
return `${this.serverURL}/apps/choose_password`;
}
get passwordResetSuccessURL() {
return `${this.serverURL}/apps/password_reset_success.html`;
}
get verifyEmailURL() {
return `${this.serverURL}/apps/${this.applicationId}/verify_email`;
}
};
export default Config;
module.exports = Config;

8
src/Controllers/AdaptableController.js
View File

@@ -10,11 +10,13 @@ based on the parameters passed
// _adapter is private, use Symbol
var _adapter = Symbol();
import cache from '../cache';
export class AdaptableController {
constructor(adapter) {
constructor(adapter, appId) {
this.adapter = adapter;
this.appId = appId;
}
set adapter(adapter) {
@@ -26,6 +28,10 @@ export class AdaptableController {
return this[_adapter];
}
get config() {
return cache.apps[this.appId];
}
expectedAdapterType() {
throw new Error("Subclasses should implement expectedAdapterType()");
}

3
src/Controllers/MailController.js
View File

@@ -13,7 +13,8 @@ export class MailController extends AdaptableController {
sendVerificationEmail(user, config) {
const token = encodeURIComponent(user._email_verify_token);
const username = encodeURIComponent(user.username);
let link = `${config.mount}/verify_email?token=${token}&username=${username}`;
let link = `${config.verifyEmailURL}?token=${token}&username=${username}`;
this.adapter.sendVerificationEmail({
appName: config.appName,
link: link,

32
src/Controllers/UserController.js Normal file
View File

@@ -0,0 +1,32 @@
var DatabaseAdapter = require('../DatabaseAdapter');
export class UserController {
constructor(appId) {
this.appId = appId;
}
verifyEmail(username, token) {
var database = DatabaseAdapter.getDatabaseConnection(this.appId);
return new Promise((resolve, reject) => {
database.collection('_User').then(coll => {
// Need direct database access because verification token is not a parse field
return coll.findAndModify({
username: username,
_email_verify_token: token,
}, null, {$set: {emailVerified: true}}, (err, doc) => {
if (err || !doc.value) {
reject();
} else {
resolve();
}
});
});
});
}
}
export default UserController;

37
src/PromiseRouter.js
View File

@@ -5,6 +5,8 @@
// themselves use our routing information, without disturbing express
// components that external developers may be modifying.
import express from 'express';
export default class PromiseRouter {
// Each entry should be an object with:
// path: the path to route, in express format
@@ -15,8 +17,8 @@ export default class PromiseRouter {
// status: optional. the http status code. defaults to 200
// response: a json object with the content of the response
// location: optional. a location header
constructor() {
this.routes = [];
constructor(routes = []) {
this.routes = routes;
this.mountRoutes();
}
@@ -125,6 +127,29 @@ export default class PromiseRouter {
}
}
};
expressApp() {
var expressApp = express();
for (var route of this.routes) {
switch(route.method) {
case 'POST':
expressApp.post(route.path, makeExpressHandler(route.handler));
break;
case 'GET':
expressApp.get(route.path, makeExpressHandler(route.handler));
break;
case 'PUT':
expressApp.put(route.path, makeExpressHandler(route.handler));
break;
case 'DELETE':
expressApp.delete(route.path, makeExpressHandler(route.handler));
break;
default:
throw 'unexpected code branch';
}
}
return expressApp;
}
}
// Global flag. Set this to true to log every request and response.
@@ -142,15 +167,19 @@ function makeExpressHandler(promiseHandler) {
JSON.stringify(req.body, null, 2));
}
promiseHandler(req).then((result) => {
if (!result.response) {
console.log('BUG: the handler did not include a "response" field');
if (!result.response && !result.location) {
console.log('BUG: the handler did not include a "response" or a "location" field');
throw 'control should not get here';
}
if (PromiseRouter.verbose) {
console.log('response:', JSON.stringify(result.response, null, 2));
}
var status = result.status || 200;
res.status(status);
if (result.location && !result.response) {
return res.redirect(result.location);
}
if (result.location) {
res.set('Location', result.location);
}

48
src/Routers/PublicAPIRouter.js Normal file
View File

@@ -0,0 +1,48 @@
import PromiseRouter from '../PromiseRouter';
import UserController from '../Controllers/UserController';
import Config from '../Config';
import express from 'express';
import path from 'path';
export class PublicAPIRouter extends PromiseRouter {
verifyEmail(req) {
var token = req.query.token;
var username = req.query.username;
var appId = req.params.appId;
var config = new Config(appId);
if (!token || !username) {
return Promise.resolve({
status: 302,
location: config.invalidLinkURL
});
}
let userController = new UserController(appId);
return userController.verifyEmail(username, token, appId).then( () => {
return Promise.resolve({
status: 302,
location: `${config.verifyEmailSuccessURL}?username=${username}`
});
}, ()=> {
return Promise.resolve({
status: 302,
location: config.invalidLinkURL
});
})
}
mountRoutes() {
this.route('GET','/apps/:appId/verify_email', req => { return this.verifyEmail(req); });
}
expressApp() {
var router = express();
router.use("/apps", express.static(path.resolve(__dirname, "../../public")));
router.use(super.expressApp());
return router;
}
}
export default PublicAPIRouter;

8
src/Routers/UsersRouter.js
View File

@@ -154,6 +154,11 @@ export class UsersRouter extends ClassesRouter {
}
return Promise.resolve(success);
}
handleReset(req) {
let userController = req.config.userController;
return userController.requestPasswordReset();
}
mountRoutes() {
this.route('GET', '/users', req => { return this.handleFind(req); });
@@ -164,9 +169,6 @@ export class UsersRouter extends ClassesRouter {
this.route('DELETE', '/users/:objectId', req => { return this.handleDelete(req); });
this.route('GET', '/login', req => { return this.handleLogIn(req); });
this.route('POST', '/logout', req => { return this.handleLogOut(req); });
this.route('POST', '/requestPasswordReset', () => {
throw new Parse.Error(Parse.Error.COMMAND_UNAVAILABLE, 'This path is not implemented yet.');
});
this.route('POST', '/requestPasswordReset', req => this.handleReset(req));
}
}

44
src/index.js
View File

@@ -15,7 +15,6 @@ import cache from './cache';
import ParsePushAdapter from './Adapters/Push/ParsePushAdapter';
//import passwordReset from './passwordReset';
import PromiseRouter from './PromiseRouter';
import verifyEmail from './verifyEmail';
import { AnalyticsRouter } from './Routers/AnalyticsRouter';
import { ClassesRouter } from './Routers/ClassesRouter';
import { FileLoggerAdapter } from './Adapters/Logger/FileLoggerAdapter';
@@ -27,8 +26,10 @@ import { GridStoreAdapter } from './Adapters/Files/GridStoreAdapter';
import { IAPValidationRouter } from './Routers/IAPValidationRouter';
import { LogsRouter } from './Routers/LogsRouter';
import { HooksRouter } from './Routers/HooksRouter';
import { PublicAPIRouter } from './Routers/PublicAPIRouter';
import { HooksController } from './Controllers/HooksController';
import { UserController } from './Controllers/UserController';
import { InstallationsRouter } from './Routers/InstallationsRouter';
import { loadAdapter } from './Adapters/AdapterLoader';
import { LoggerController } from './Controllers/LoggerController';
@@ -134,16 +135,23 @@ function ParseServer({
const filesControllerAdapter = loadAdapter(filesAdapter, GridStoreAdapter);
const pushControllerAdapter = loadAdapter(push, ParsePushAdapter);
const loggerControllerAdapter = loadAdapter(loggerAdapter, FileLoggerAdapter);
const emailControllerAdapter = loadAdapter(emailAdapter);
// We pass the options and the base class for the adatper,
// Note that passing an instance would work too
const filesController = new FilesController(filesControllerAdapter);
const pushController = new PushController(pushControllerAdapter);
const loggerController = new LoggerController(loggerControllerAdapter);
const filesController = new FilesController(filesControllerAdapter, appId);
const pushController = new PushController(pushControllerAdapter, appId);
const loggerController = new LoggerController(loggerControllerAdapter, appId);
const hooksController = new HooksController(appId, collectionPrefix);
const userController = new UserController(appId);
let mailController;
if (verifyUserEmails) {
mailController = new MailController(loadAdapter(emailAdapter));
}
cache.apps.set(appId, {
masterKey: masterKey,
serverURL: serverURL,
collectionPrefix: collectionPrefix,
clientKey: clientKey,
javascriptKey: javascriptKey,
@@ -155,18 +163,14 @@ function ParseServer({
pushController: pushController,
loggerController: loggerController,
hooksController: hooksController,
mailController: mailController,
verifyUserEmails: verifyUserEmails,
enableAnonymousUsers: enableAnonymousUsers,
allowClientClassCreation: allowClientClassCreation,
oauth: oauth,
appName: appName,
});
if (verifyUserEmails && (process.env.PARSE_EXPERIMENTAL_EMAIL_VERIFICATION_ENABLED || process.env.TESTING == 1)) {
let mailController = new MailController(loadAdapter(emailAdapter));
cache.apps[appId].mailController = mailController;
cache.apps[appId].verifyUserEmails = verifyUserEmails;
}
// To maintain compatibility. TODO: Remove in some version that breaks backwards compatability
if (process.env.FACEBOOK_APP_ID) {
cache.apps.get(appId)['facebookAppIds'].push(process.env.FACEBOOK_APP_ID);
@@ -175,18 +179,17 @@ function ParseServer({
// This app serves the Parse API directly.
// It's the equivalent of https://api.parse.com/1 in the hosted Parse API.
var api = express();
//api.use("/apps", express.static(__dirname + "/public"));
// File handling needs to be before default middlewares are applied
api.use('/', new FilesRouter().getExpressRouter({
maxUploadSize: maxUploadSize
}));
if (process.env.PARSE_EXPERIMENTAL_EMAIL_VERIFICATION_ENABLED || process.env.TESTING == 1) {
//api.use('/request_password_reset', passwordReset.reset(appName, appId));
//api.get('/password_reset_success', passwordReset.success);
api.get('/verify_email', verifyEmail(appId, serverURL));
api.use('/', new PublicAPIRouter().expressApp());
}
// TODO: separate this from the regular ParseServer object
if (process.env.TESTING == 1) {
api.use('/', require('./testing-routes').router);
@@ -218,13 +221,16 @@ function ParseServer({
if (process.env.PARSE_EXPERIMENTAL_HOOKS_ENABLED || process.env.TESTING) {
routers.push(new HooksRouter());
}
let routes = routers.reduce((memo, router) => {
return memo.concat(router.routes);
}, []);
let appRouter = new PromiseRouter();
routers.forEach((router) => {
appRouter.merge(router);
});
let appRouter = new PromiseRouter(routes);
batch.mountOnto(appRouter);
api.use(appRouter.expressApp());
appRouter.mountOnto(api);
api.use(middlewares.handleParseErrors);

27
src/verifyEmail.js
View File

@@ -1,27 +0,0 @@
function verifyEmail(appId, serverURL) {
var DatabaseAdapter = require('./DatabaseAdapter');
var database = DatabaseAdapter.getDatabaseConnection(appId);
return (req, res) => {
var token = req.query.token;
var username = req.query.username;
if (!token || !username) {
res.redirect(302, serverURL + '/invalid_link.html');
return;
}
database.collection('_User').then(coll => {
// Need direct database access because verification token is not a parse field
coll.findAndModify({
username: username,
_email_verify_token: token,
}, null, {$set: {emailVerified: true}}, (err, doc) => {
if (err || !doc.value) {
res.redirect(302, serverURL + '/invalid_link.html');
} else {
res.redirect(302, serverURL + '/verify_email_success.html?username=' + username);
}
});
});
}
}
module.exports = verifyEmail;