From 7dd765256c0d479d9a0ca9dda726726d9a1572b1 Mon Sep 17 00:00:00 2001
From: Florent Vilmart <florentvilmart@me.com>
Date: Thu, 25 Feb 2016 19:04:27 -0500
Subject: [PATCH] Refactors verify_email, adds public html

---
 public_html/choose_password.html        | 175 ++++++++++++++++++++++++
 public_html/invalid_link.html           |  43 ++++++
 public_html/password_reset_success.html |  27 ++++
 public_html/verify_email_success.html   |  27 ++++
 spec/ParseUser.spec.js                  |  14 +-
 src/Config.js                           |  25 +++-
 src/Controllers/AdaptableController.js  |   8 +-
 src/Controllers/MailController.js       |   3 +-
 src/Controllers/UserController.js       |  32 +++++
 src/PromiseRouter.js                    |  37 ++++-
 src/Routers/PublicAPIRouter.js          |  48 +++++++
 src/Routers/UsersRouter.js              |   8 +-
 src/index.js                            |  44 +++---
 src/verifyEmail.js                      |  27 ----
 14 files changed, 455 insertions(+), 63 deletions(-)
 create mode 100644 public_html/choose_password.html
 create mode 100644 public_html/invalid_link.html
 create mode 100644 public_html/password_reset_success.html
 create mode 100644 public_html/verify_email_success.html
 create mode 100644 src/Controllers/UserController.js
 create mode 100644 src/Routers/PublicAPIRouter.js
 delete mode 100644 src/verifyEmail.js

diff --git a/public_html/choose_password.html b/public_html/choose_password.html
new file mode 100644
index 00000000..b487862a
--- /dev/null
+++ b/public_html/choose_password.html
@@ -0,0 +1,175 @@
+<!DOCTYPE html>
+<html>
+  <!-- This page is displayed when someone clicks a valid 'reset password' link.
+       Users should feel free to add to this page (i.e. branding or security widgets)
+       but should be sure not to delete any of the form inputs or the javascript from the
+       template file. This javascript is what adds the necessary values to authenticate
+       this session with Parse.
+       The query params 'username' and 'app' hold the friendly names for your current user and
+       your app. You should feel free to incorporate their values to make the page more personal.
+       If you are missing form parameters in your POST, Parse will navigate back to this page and
+       add an 'error' query parameter.
+  -->
+  <head>
+  <title>Password Reset</title>
+  <style type='text/css'>
+    h1 {
+      display: block;
+      font: inherit;
+      font-size: 30px;
+      font-weight: 600;
+      height: 30px;
+      line-height: 30px;
+      margin: 45px 0px 45px 0px;
+      padding: 0px 8px 0px 8px;
+    }
+
+    .error {
+      color: red;
+      padding: 0px 8px 0px 8px;
+      margin: -25px 0px -20px 0px;
+    }
+
+    body {
+      font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
+      color: #0067AB;
+      margin: 15px 99px 0px 98px;
+    }
+
+    label {
+      color: #666666;
+    }
+    form {
+      margin: 0px 0px 45px 0px;
+      padding: 0px 8px 0px 8px;
+    }
+    form > * {
+      display: block;
+      margin-top: 25px;
+      margin-bottom: 7px;
+    }
+
+    button {
+      font-size: 22px;
+      color: white;
+      background: #0067AB;
+      -moz-border-radius: 5px;
+      -webkit-border-radius: 5px;
+      -o-border-radius: 5px;
+      -ms-border-radius: 5px;
+      -khtml-border-radius: 5px;
+      border-radius: 5px;
+      background-image: -webkit-gradient(linear,50% 0,50% 100%,color-stop(0%,#0070BA),color-stop(100%,#00558C));
+      background-image: -webkit-linear-gradient(#0070BA,#00558C);
+      background-image: -moz-linear-gradient(#0070BA,#00558C);
+      background-image: -o-linear-gradient(#0070BA,#00558C);
+      background-image: -ms-linear-gradient(#0070BA,#00558C);
+      background-image: linear-gradient(#0070BA,#00558C);
+      -moz-box-shadow: inset 0 1px 0 0 #0076c4;
+      -webkit-box-shadow: inset 0 1px 0 0 #0076c4;
+      -o-box-shadow: inset 0 1px 0 0 #0076c4;
+      box-shadow: inset 0 1px 0 0 #0076c4;
+      border: 1px solid #005E9C;
+      padding: 10px 14px;
+      cursor: pointer;
+      outline: none;
+      display: block;
+      font-family: "Helvetica Neue",Helvetica;
+
+      -webkit-box-align: center;
+      text-align: center;
+      box-sizing: border-box;
+      letter-spacing: normal;
+      word-spacing: normal;
+      line-height: normal;
+      text-transform: none;
+      text-indent: 0px;
+      text-shadow: none;
+    }
+
+    button:hover {
+      background-image: -webkit-gradient(linear,50% 0,50% 100%,color-stop(0%,#0079CA),color-stop(100%,#005E9C));
+      background-image: -webkit-linear-gradient(#0079CA,#005E9C);
+      background-image: -moz-linear-gradient(#0079CA,#005E9C);
+      background-image: -o-linear-gradient(#0079CA,#005E9C);
+      background-image: -ms-linear-gradient(#0079CA,#005E9C);
+      background-image: linear-gradient(#0079CA,#005E9C);
+      -moz-box-shadow: inset 0 0 0 0 #0076c4;
+      -webkit-box-shadow: inset 0 0 0 0 #0076c4;
+      -o-box-shadow: inset 0 0 0 0 #0076c4;
+      box-shadow: inset 0 0 0 0 #0076c4;
+    }
+
+    button:active {
+      background-image: -webkit-gradient(linear,50% 0,50% 100%,color-stop(0%,#00395E),color-stop(100%,#005891));
+      background-image: -webkit-linear-gradient(#00395E,#005891);
+      background-image: -moz-linear-gradient(#00395E,#005891);
+      background-image: -o-linear-gradient(#00395E,#005891);
+      background-image: -ms-linear-gradient(#00395E,#005891);
+      background-image: linear-gradient(#00395E,#005891);
+    }
+
+    input {
+      color: black;
+      cursor: auto;
+      display: inline-block;
+      font-family: 'Helvetica Neue', Helvetica;
+      font-size: 25px;
+      height: 30px;
+      letter-spacing: normal;
+      line-height: normal;
+      margin: 2px 0px 2px 0px;
+      padding: 5px;
+      text-transform: none;
+      vertical-align: baseline;
+      width: 500px;
+      word-spacing: 0px; 
+    }
+
+  </style>
+</head>
+<body>
+  <h1>Reset Your Password<span id='app'></span></h1>
+  <noscript>We apologize, but resetting your password requires javascript</noscript>
+  <div class='error' id='error'></div>
+  <form id='form' action='#' method='POST'>
+    <label>New Password for <span id='username_label'></span></label>
+    <input name="new_password" type="password" />
+    <input name='utf-8' type='hidden' value='✓' />
+    <input name="username" id="username" type="hidden" />
+    <input name="token" id="token" type="hidden" />
+    <button>Change Password</button>
+  </form>
+
+<script language='javascript' type='text/javascript'>
+  <!--
+  window.onload = function() {
+    var urlParams = {};
+    (function () {
+        var pair, // Really a match. Index 0 is the full match; 1 & 2 are the key & val.
+            tokenize = /([^&=]+)=?([^&]*)/g,
+            // decodeURIComponents escapes everything but will leave +s that should be ' '
+            re_space = function (s) { return decodeURIComponent(s.replace(/\+/g, " ")); },
+            // Substring to cut off the leading '?'
+            querystring = window.location.search.substring(1);
+
+        while (pair = tokenize.exec(querystring))
+           urlParams[re_space(pair[1])] = re_space(pair[2]);
+    })();
+
+    var id = urlParams['id'];
+    document.getElementById('form').setAttribute('action', '/apps/' + id + '/request_password_reset');
+    document.getElementById('username').value = urlParams['username'];
+    document.getElementById('username_label').appendChild(document.createTextNode(urlParams['username']));
+
+    document.getElementById('token').value = urlParams['token'];
+    if (urlParams['error']) {
+      document.getElementById('error').appendChild(document.createTextNode(urlParams['error']));
+    }
+    if (urlParams['app']) {
+      document.getElementById('app').appendChild(document.createTextNode(' for ' + urlParams['app']));
+    }
+  }
+  //-->
+</script>
+</body>
diff --git a/public_html/invalid_link.html b/public_html/invalid_link.html
new file mode 100644
index 00000000..66bdc788
--- /dev/null
+++ b/public_html/invalid_link.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- This page is displayed when someone navigates to a verify email or reset password link
+     but their security token is wrong. This can either mean the user has clicked on a
+     stale link (i.e. re-click on a password reset link after resetting their password) or
+     (rarely) this could be a sign of a malicious user trying to tamper with your app.
+ -->
+<html>
+  <head>
+  <title>Invalid Link</title>
+  <style type='text/css'>
+    .container {
+      border-width: 0px;
+      display: block;
+      font: inherit;
+      font-family: 'Helvetica Neue', Helvetica;
+      font-size: 16px;
+      height: 30px;
+      line-height: 16px;
+      margin: 45px 0px 0px 45px;
+      padding: 0px 8px 0px 8px;
+      position: relative;
+      vertical-align: baseline;
+    }
+
+    h1, h2, h3, h4, h5 {
+      color: #0067AB;
+      display: block;
+      font: inherit;
+      font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
+      font-size: 30px;
+      font-weight: 600;
+      height: 30px;
+      line-height: 30px;
+      margin: 0 0 15px 0;
+      padding: 0 0 0 0;
+    }
+  </style>
+  <body> 
+    <div class="container">
+      <h1>Invalid Link</h1>
+    </div> 
+  </body>
+</html>
diff --git a/public_html/password_reset_success.html b/public_html/password_reset_success.html
new file mode 100644
index 00000000..774cbb35
--- /dev/null
+++ b/public_html/password_reset_success.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+  <!-- This page is displayed whenever someone has successfully reset their password.
+       Pro and Enterprise accounts may edit this page and tell Parse to use that custom
+       version in their Parse app. See the App Settigns page for more information.
+       This page will be called with the query param 'username'
+    -->
+  <head>
+  <title>Password Reset</title>
+  <style type='text/css'>
+    h1 {
+      color: #0067AB;
+      display: block;
+      font: inherit;
+      font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
+      font-size: 30px;
+      font-weight: 600;
+      height: 30px;
+      line-height: 30px;
+      margin: 45px 0px 0px 45px;
+      padding: 0px 8px 0px 8px;
+    }
+  </style>
+  <body>
+    <h1>Successfully updated your password!</h1>
+  </body>
+</html>
diff --git a/public_html/verify_email_success.html b/public_html/verify_email_success.html
new file mode 100644
index 00000000..774ea38a
--- /dev/null
+++ b/public_html/verify_email_success.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+  <!-- This page is displayed whenever someone has successfully reset their password.
+       Pro and Enterprise accounts may edit this page and tell Parse to use that custom
+       version in their Parse app. See the App Settigns page for more information.
+       This page will be called with the query param 'username'
+   -->
+  <head>
+  <title>Email Verification</title>
+  <style type='text/css'>
+    h1 {
+      color: #0067AB;
+      display: block;
+      font: inherit;
+      font-family: 'Open Sans', 'Helvetica Neue', Helvetica;
+      font-size: 30px;
+      font-weight: 600;
+      height: 30px;
+      line-height: 30px;
+      margin: 45px 0px 0px 45px;
+      padding: 0px 8px 0px 8px;
+    }
+  </style>
+  <body>
+    <h1>Successfully verified your email!</h1>
+  </body>
+</html>
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
index 64477074..475622cf 100644
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -171,7 +171,7 @@ describe('Parse.User testing', () => {
           followRedirect: false,
         }, (error, response, body) => {
           expect(response.statusCode).toEqual(302);
-          expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/verify_email_success.html?username=zxcv');
+          expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=zxcv');
           user.fetch()
           .then(() => {
             expect(user.get('emailVerified')).toEqual(true);
@@ -202,21 +202,21 @@ describe('Parse.User testing', () => {
   });
 
   it('redirects you to invalid link if you try to verify email incorrecly', done => {
-    request.get('http://localhost:8378/1/verify_email', {
+    request.get('http://localhost:8378/1/apps/test/verify_email', {
       followRedirect: false,
     }, (error, response, body) => {
       expect(response.statusCode).toEqual(302);
-      expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/invalid_link.html');
+      expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/invalid_link.html');
       done()
     });
   });
 
   it('redirects you to invalid link if you try to validate a nonexistant users email', done => {
-    request.get('http://localhost:8378/1/verify_email?token=asdfasdf&username=sadfasga', {
+    request.get('http://localhost:8378/1/apps/test/verify_email?token=asdfasdf&username=sadfasga', {
       followRedirect: false,
     }, (error, response, body) => {
       expect(response.statusCode).toEqual(302);
-      expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/invalid_link.html');
+      expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/invalid_link.html');
       done();
     });
   });
@@ -225,11 +225,11 @@ describe('Parse.User testing', () => {
     var user = new Parse.User();
     var emailAdapter = {
       sendVerificationEmail: options => {
-        request.get('http://localhost:8378/1/verify_email?token=invalid&username=zxcv', {
+        request.get('http://localhost:8378/1/apps/test/verify_email?token=invalid&username=zxcv', {
           followRedirect: false,
         }, (error, response, body) => {
           expect(response.statusCode).toEqual(302);
-          expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/invalid_link.html');
+          expect(response.body).toEqual('Found. Redirecting to http://localhost:8378/1/apps/invalid_link.html');
           user.fetch()
           .then(() => {
             expect(user.get('emailVerified')).toEqual(false);
diff --git a/src/Config.js b/src/Config.js
index 1203b0a3..c31f62eb 100644
--- a/src/Config.js
+++ b/src/Config.js
@@ -25,6 +25,8 @@ export class Config {
     this.database = DatabaseAdapter.getDatabaseConnection(applicationId, cacheInfo.collectionPrefix);
     
     this.mailController = cacheInfo.mailController;
+    
+    this.serverURL = cacheInfo.serverURL;
     this.verifyUserEmails = cacheInfo.verifyUserEmails;
     this.appName = cacheInfo.appName;
 
@@ -32,11 +34,32 @@ export class Config {
     this.filesController = cacheInfo.filesController;
     this.pushController = cacheInfo.pushController;
     this.loggerController = cacheInfo.loggerController;
+    this.mailController = cacheInfo.mailController;
     this.oauth = cacheInfo.oauth;
 
     this.mount = mount;
   }
-}
+  
+  get invalidLinkURL() {
+    return `${this.serverURL}/apps/invalid_link.html`;
+  }
+  
+  get verifyEmailSuccessURL() {
+    return `${this.serverURL}/apps/verify_email_success.html`;
+  }
+  
+  get choosePasswordURL() {
+    return `${this.serverURL}/apps/choose_password`;
+  }
+  
+  get passwordResetSuccessURL() {
+    return `${this.serverURL}/apps/password_reset_success.html`;
+  }
+  
+  get verifyEmailURL() {
+    return `${this.serverURL}/apps/${this.applicationId}/verify_email`;
+  }
+};
 
 export default Config;
 module.exports = Config;
diff --git a/src/Controllers/AdaptableController.js b/src/Controllers/AdaptableController.js
index 83f3f0a0..cfb0b9af 100644
--- a/src/Controllers/AdaptableController.js
+++ b/src/Controllers/AdaptableController.js
@@ -10,11 +10,13 @@ based on the parameters passed
 
 // _adapter is private, use Symbol
 var _adapter = Symbol();
+import cache from '../cache';
 
 export class AdaptableController {
 
-  constructor(adapter) {
+  constructor(adapter, appId) {
     this.adapter = adapter;
+    this.appId = appId;
   }
 
   set adapter(adapter) {
@@ -26,6 +28,10 @@ export class AdaptableController {
     return this[_adapter];
   }
   
+  get config() {
+    return cache.apps[this.appId];
+  }
+  
   expectedAdapterType() {
     throw new Error("Subclasses should implement expectedAdapterType()");
   }
diff --git a/src/Controllers/MailController.js b/src/Controllers/MailController.js
index ee467fe6..47d008cc 100644
--- a/src/Controllers/MailController.js
+++ b/src/Controllers/MailController.js
@@ -13,7 +13,8 @@ export class MailController extends AdaptableController {
   sendVerificationEmail(user, config) {
     const token = encodeURIComponent(user._email_verify_token);
     const username = encodeURIComponent(user.username);
-    let link = `${config.mount}/verify_email?token=${token}&username=${username}`;
+   
+    let link = `${config.verifyEmailURL}?token=${token}&username=${username}`;
     this.adapter.sendVerificationEmail({
       appName: config.appName,
       link: link,
diff --git a/src/Controllers/UserController.js b/src/Controllers/UserController.js
new file mode 100644
index 00000000..62d6dd39
--- /dev/null
+++ b/src/Controllers/UserController.js
@@ -0,0 +1,32 @@
+
+var DatabaseAdapter = require('../DatabaseAdapter');
+
+export class UserController {
+  
+  constructor(appId) {
+    this.appId = appId;
+  }
+  
+  verifyEmail(username, token) {
+    var database = DatabaseAdapter.getDatabaseConnection(this.appId);
+    return new Promise((resolve, reject) => {
+      database.collection('_User').then(coll => {
+      // Need direct database access because verification token is not a parse field
+      return coll.findAndModify({
+        username: username,
+        _email_verify_token: token,
+      }, null, {$set: {emailVerified: true}}, (err, doc) => {
+        if (err || !doc.value) {
+          reject();
+        } else {
+          resolve();
+        }
+      });
+    });
+      
+    });
+    
+  }
+}
+
+export default UserController;
diff --git a/src/PromiseRouter.js b/src/PromiseRouter.js
index 8155c796..c3ca10ec 100644
--- a/src/PromiseRouter.js
+++ b/src/PromiseRouter.js
@@ -5,6 +5,8 @@
 // themselves use our routing information, without disturbing express
 // components that external developers may be modifying.
 
+import express from 'express';
+
 export default class PromiseRouter {
   // Each entry should be an object with:
   // path: the path to route, in express format
@@ -15,8 +17,8 @@ export default class PromiseRouter {
   //     status: optional. the http status code. defaults to 200
   //     response: a json object with the content of the response
   //     location: optional. a location header
-  constructor() {
-    this.routes = [];
+  constructor(routes = []) {
+    this.routes = routes;
     this.mountRoutes();
   }
   
@@ -125,6 +127,29 @@ export default class PromiseRouter {
       }
     }
   };
+  
+  expressApp() {
+    var expressApp = express();
+    for (var route of this.routes) {
+      switch(route.method) {
+      case 'POST':
+        expressApp.post(route.path, makeExpressHandler(route.handler));
+        break;
+      case 'GET':
+        expressApp.get(route.path, makeExpressHandler(route.handler));
+        break;
+      case 'PUT':
+        expressApp.put(route.path, makeExpressHandler(route.handler));
+        break;
+      case 'DELETE':
+        expressApp.delete(route.path, makeExpressHandler(route.handler));
+        break;
+      default:
+        throw 'unexpected code branch';
+      }
+    }
+    return expressApp;
+  }
 }
 
 // Global flag. Set this to true to log every request and response.
@@ -142,15 +167,19 @@ function makeExpressHandler(promiseHandler) {
                     JSON.stringify(req.body, null, 2));
       }
       promiseHandler(req).then((result) => {
-        if (!result.response) {
-          console.log('BUG: the handler did not include a "response" field');
+        if (!result.response && !result.location) {
+          console.log('BUG: the handler did not include a "response" or a "location" field');
           throw 'control should not get here';
         }
         if (PromiseRouter.verbose) {
           console.log('response:', JSON.stringify(result.response, null, 2));
         }
+        
         var status = result.status || 200;
         res.status(status);
+        if (result.location && !result.response) {
+          return res.redirect(result.location);
+        }
         if (result.location) {
           res.set('Location', result.location);
         }
diff --git a/src/Routers/PublicAPIRouter.js b/src/Routers/PublicAPIRouter.js
new file mode 100644
index 00000000..2b75d3f5
--- /dev/null
+++ b/src/Routers/PublicAPIRouter.js
@@ -0,0 +1,48 @@
+import PromiseRouter from '../PromiseRouter';
+import UserController from '../Controllers/UserController';
+import Config from '../Config';
+import express from 'express';
+import path from 'path';
+
+export class PublicAPIRouter extends PromiseRouter {
+  
+  verifyEmail(req) {
+    var token = req.query.token;
+    var username = req.query.username;
+    var appId = req.params.appId;
+    var config = new Config(appId);
+    
+    if (!token || !username) {
+      return Promise.resolve({
+        status: 302,
+        location: config.invalidLinkURL
+      });
+    }
+
+    let userController = new UserController(appId);
+    return userController.verifyEmail(username, token, appId).then( () => {
+      return Promise.resolve({
+        status: 302,
+        location: `${config.verifyEmailSuccessURL}?username=${username}`
+      });
+    }, ()=> {
+      return Promise.resolve({
+        status: 302,
+        location: config.invalidLinkURL
+      });
+    })
+  }
+  
+  mountRoutes() {
+    this.route('GET','/apps/:appId/verify_email', req => { return this.verifyEmail(req); });
+  }
+  
+  expressApp() {
+    var router = express();
+    router.use("/apps", express.static(path.resolve(__dirname, "../../public")));
+    router.use(super.expressApp());
+    return router;
+  }
+}
+
+export default PublicAPIRouter;
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
index 1e329734..70a76bf5 100644
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -154,6 +154,11 @@ export class UsersRouter extends ClassesRouter {
     }
     return Promise.resolve(success);
   }
+  
+  handleReset(req) {
+     let userController = req.config.userController;
+     return userController.requestPasswordReset();
+  }
 
   mountRoutes() {
     this.route('GET', '/users', req => { return this.handleFind(req); });
@@ -164,9 +169,6 @@ export class UsersRouter extends ClassesRouter {
     this.route('DELETE', '/users/:objectId', req => { return this.handleDelete(req); });
     this.route('GET', '/login', req => { return this.handleLogIn(req); });
     this.route('POST', '/logout', req => { return this.handleLogOut(req); });
-    this.route('POST', '/requestPasswordReset', () => {
-      throw new Parse.Error(Parse.Error.COMMAND_UNAVAILABLE, 'This path is not implemented yet.');
-    });
     this.route('POST', '/requestPasswordReset', req => this.handleReset(req));
   }
 }
diff --git a/src/index.js b/src/index.js
index 74a63bf9..219ec156 100644
--- a/src/index.js
+++ b/src/index.js
@@ -15,7 +15,6 @@ import cache                   from './cache';
 import ParsePushAdapter        from './Adapters/Push/ParsePushAdapter';
 //import passwordReset           from './passwordReset';
 import PromiseRouter           from './PromiseRouter';
-import verifyEmail             from './verifyEmail';
 import { AnalyticsRouter }     from './Routers/AnalyticsRouter';
 import { ClassesRouter }       from './Routers/ClassesRouter';
 import { FileLoggerAdapter }   from './Adapters/Logger/FileLoggerAdapter';
@@ -27,8 +26,10 @@ import { GridStoreAdapter }    from './Adapters/Files/GridStoreAdapter';
 import { IAPValidationRouter } from './Routers/IAPValidationRouter';
 import { LogsRouter }          from './Routers/LogsRouter';
 import { HooksRouter }         from './Routers/HooksRouter';
+import { PublicAPIRouter }     from './Routers/PublicAPIRouter';
 
 import { HooksController }     from './Controllers/HooksController';
+import { UserController }      from './Controllers/UserController';
 import { InstallationsRouter } from './Routers/InstallationsRouter';
 import { loadAdapter }         from './Adapters/AdapterLoader';
 import { LoggerController }    from './Controllers/LoggerController';
@@ -134,16 +135,23 @@ function ParseServer({
   const filesControllerAdapter = loadAdapter(filesAdapter, GridStoreAdapter);
   const pushControllerAdapter = loadAdapter(push, ParsePushAdapter);
   const loggerControllerAdapter = loadAdapter(loggerAdapter, FileLoggerAdapter);
-
+  const emailControllerAdapter = loadAdapter(emailAdapter);
   // We pass the options and the base class for the adatper,
   // Note that passing an instance would work too
-  const filesController = new FilesController(filesControllerAdapter);
-  const pushController = new PushController(pushControllerAdapter);
-  const loggerController = new LoggerController(loggerControllerAdapter);
+  const filesController = new FilesController(filesControllerAdapter, appId);
+  const pushController = new PushController(pushControllerAdapter, appId);
+  const loggerController = new LoggerController(loggerControllerAdapter, appId);
   const hooksController = new HooksController(appId, collectionPrefix);
+  const userController = new UserController(appId);
+  let mailController;
+  
+  if (verifyUserEmails) {
+    mailController = new MailController(loadAdapter(emailAdapter));
+  }
   
   cache.apps.set(appId, {
     masterKey: masterKey,
+    serverURL: serverURL,
     collectionPrefix: collectionPrefix,
     clientKey: clientKey,
     javascriptKey: javascriptKey,
@@ -155,18 +163,14 @@ function ParseServer({
     pushController: pushController,
     loggerController: loggerController,
     hooksController: hooksController,
+    mailController: mailController,
+    verifyUserEmails: verifyUserEmails,
     enableAnonymousUsers: enableAnonymousUsers,
     allowClientClassCreation: allowClientClassCreation,
     oauth: oauth,
     appName: appName,
   });
 
-  if (verifyUserEmails && (process.env.PARSE_EXPERIMENTAL_EMAIL_VERIFICATION_ENABLED || process.env.TESTING == 1)) {
-    let mailController = new MailController(loadAdapter(emailAdapter));
-    cache.apps[appId].mailController = mailController;
-    cache.apps[appId].verifyUserEmails = verifyUserEmails;
-  }
-
   // To maintain compatibility. TODO: Remove in some version that breaks backwards compatability
   if (process.env.FACEBOOK_APP_ID) {
     cache.apps.get(appId)['facebookAppIds'].push(process.env.FACEBOOK_APP_ID);
@@ -175,18 +179,17 @@ function ParseServer({
   // This app serves the Parse API directly.
   // It's the equivalent of https://api.parse.com/1 in the hosted Parse API.
   var api = express();
-
+  //api.use("/apps", express.static(__dirname + "/public"));
   // File handling needs to be before default middlewares are applied
   api.use('/', new FilesRouter().getExpressRouter({
     maxUploadSize: maxUploadSize
   }));
 
   if (process.env.PARSE_EXPERIMENTAL_EMAIL_VERIFICATION_ENABLED || process.env.TESTING == 1) {
-    //api.use('/request_password_reset', passwordReset.reset(appName, appId));
-    //api.get('/password_reset_success', passwordReset.success);
-    api.get('/verify_email', verifyEmail(appId, serverURL));
+    api.use('/', new PublicAPIRouter().expressApp());    
   }
 
+
   // TODO: separate this from the regular ParseServer object
   if (process.env.TESTING == 1) {
     api.use('/', require('./testing-routes').router);
@@ -218,13 +221,16 @@ function ParseServer({
   if (process.env.PARSE_EXPERIMENTAL_HOOKS_ENABLED || process.env.TESTING) {
     routers.push(new HooksRouter());
   }
+  
+  let routes = routers.reduce((memo, router) => {
+    return memo.concat(router.routes);
+  }, []);
 
-  let appRouter = new PromiseRouter();
-  routers.forEach((router) => {
-    appRouter.merge(router);
-  });
+  let appRouter = new PromiseRouter(routes);
+  
   batch.mountOnto(appRouter);
 
+  api.use(appRouter.expressApp());
   appRouter.mountOnto(api);
 
   api.use(middlewares.handleParseErrors);
diff --git a/src/verifyEmail.js b/src/verifyEmail.js
deleted file mode 100644
index 5bd1da32..00000000
--- a/src/verifyEmail.js
+++ /dev/null
@@ -1,27 +0,0 @@
-function verifyEmail(appId, serverURL) {
-  var DatabaseAdapter = require('./DatabaseAdapter');
-  var database = DatabaseAdapter.getDatabaseConnection(appId);
-  return (req, res) => {
-    var token = req.query.token;
-    var username = req.query.username;
-    if (!token || !username) {
-      res.redirect(302, serverURL + '/invalid_link.html');
-      return;
-    }
-    database.collection('_User').then(coll => {
-      // Need direct database access because verification token is not a parse field
-      coll.findAndModify({
-        username: username,
-        _email_verify_token: token,
-      }, null, {$set: {emailVerified: true}}, (err, doc) => {
-        if (err || !doc.value) {
-          res.redirect(302, serverURL + '/invalid_link.html');
-        } else {
-          res.redirect(302, serverURL + '/verify_email_success.html?username=' + username);
-        }
-      });
-    });
-  }
-}
-
-module.exports = verifyEmail;