From 8580f5486111618c32edcf09bc4095130a9cc0aa Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Wed, 16 May 2018 15:49:12 -0700
Subject: [PATCH] Fixed email validation on server and web page

---
 common.js | 4 +-
 meshuser.js | 68 +++++++++++++++++-----------------
 package.json | 2 +-
 views/default.handlebars | 79 +++++++++++++++++----------------------
 views/login.handlebars | 32 ++++------------
 webserver.js | 2 +-
 6 files changed, 79 insertions(+), 108 deletions(-)

diff --git a/common.js b/common.js
index e7ec77d4..02c044b8 100644
--- a/common.js
+++ b/common.js
@@ -132,4 +132,6 @@ module.exports.validateString = function(str, minlen, maxlen) { return ((str !=
 module.exports.validateInt = function(int, minval, maxval) { return ((int != null) && (typeof int == 'number') && ((minval == null) || (int >= minval)) && ((maxval == null) || (int <= maxval))); }
 module.exports.validateArray = function (array, minlen, maxlen) { return ((array != null) && Array.isArray(array) && ((minlen == null) || (array.length >= minlen)) && ((maxlen == null) || (array.length <= maxlen))); }
 module.exports.validateStrArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ((typeof array[i] != 'string') && ((minlen == null) || (array[i].length >= minlen)) && ((maxlen == null) || (array[i].length <= maxlen))) return false; } return true; }
-module.exports.validateObject = function(obj) { return ((obj != null) && (typeof obj == 'object')); }
+module.exports.validateObject = function (obj) { return ((obj != null) && (typeof obj == 'object')); }
+module.exports.validateEmail = function (email, minlen, maxlen) { if (module.exports.validateString(email, minlen, maxlen) == false) return false; var emailReg = /^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$/; return emailReg.test(email); }
+module.exports.validateUsername = function (username, minlen, maxlen) { return (module.exports.validateString(username, minlen, maxlen) && (username.indexOf(' ') == -1)); }
\ No newline at end of file
diff --git a/meshuser.js b/meshuser.js
index 00df9846..f5fcba73 100644
--- a/meshuser.js
+++ b/meshuser.js
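Review bot: The new `validateEmail` regex rejects addresses that are valid and common: a `+` in the local part (`user+tag@example.com`) and top-level domains longer than four letters (`.museum`, `.online`), because the local-part class omits `+` and the TLD is pinned to `{2,4}`. Keeping the address a strict whitelist is the right call, since the value flows into the `GetUserWithVerifiedEmail` lookup and a notification message in meshuser.js, so widen the whitelist rather than loosen the anchoring: `var emailReg = /^[a-zA-Z0-9._+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;`. `validateUsername` only rejects the ASCII space, so tabs, newlines and other whitespace still pass; `(/\s/.test(username) == false)` in place of the `indexOf(' ')` test would cover them all. A one-line comment above each new helper stating the accepted shape, e.g. `// Accepts local@domain.tld made of ASCII letters, digits and . _ + - only; length is bounded by minlen/maxlen`, would help callers choose sensible bounds.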
@@ -341,41 +341,38 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain) { case 'changeemail': { // Change the email address - if (obj.common.validateString(command.email, 3, 1024) == false) return; - var x = command.email.split('@'); - if ((x.length == 2) && (x[0].length > 0) && (x[1].split('.').length > 1) && (x[1].length > 2)) { - if (obj.parent.users[req.session.userid].email != command.email) { - // Check if this email is already validated on a different account - obj.db.GetUserWithVerifiedEmail(domain.id, command.email, function (err, docs) { - if (docs.length > 0) { - // Notify the duplicate email error - ws.send(JSON.stringify({ action: 'msg', type: 'notify', value: 'Failed to change email address, another account already using: ' + EscapeHtml(command.email) + '.' })); - } else { - // Update the user's email - var oldemail = user.email; - user.email = command.email; - user.emailVerified = false; - obj.parent.db.SetUser(user); + if (obj.common.validateEmail(command.email, 1, 256) == false) return; + if (obj.parent.users[req.session.userid].email != command.email) { + // Check if this email is already validated on a different account + obj.db.GetUserWithVerifiedEmail(domain.id, command.email, function (err, docs) { + if (docs.length > 0) { + // Notify the duplicate email error + ws.send(JSON.stringify({ action: 'msg', type: 'notify', value: 'Failed to change email address, another account already using: ' + EscapeHtml(command.email) + '.' 
})); + } else { + // Update the user's email + var oldemail = user.email; + user.email = command.email; + user.emailVerified = false; + obj.parent.db.SetUser(user); - // Event the change - var userinfo = obj.common.Clone(user); - delete userinfo.hash; - delete userinfo.passhint; - delete userinfo.salt; - delete userinfo.type; - delete userinfo.domain; - delete userinfo.subscriptions; - delete userinfo.passtype; - var message = { etype: 'user', username: userinfo.name, account: userinfo, action: 'accountchange', domain: domain.id }; - if (oldemail != null) { - message.msg = 'Changed email of user ' + userinfo.name + ' from ' + oldemail + ' to ' + user.email; - } else { - message.msg = 'Set email of user ' + userinfo.name + ' to ' + user.email; - } - obj.parent.parent.DispatchEvent(['*', 'server-users', user._id], obj, message); + // Event the change + var userinfo = obj.common.Clone(user); + delete userinfo.hash; + delete userinfo.passhint; + delete userinfo.salt; + delete userinfo.type; + delete userinfo.domain; + delete userinfo.subscriptions; + delete userinfo.passtype; + var message = { etype: 'user', username: userinfo.name, account: userinfo, action: 'accountchange', domain: domain.id }; + if (oldemail != null) { + message.msg = 'Changed email of user ' + userinfo.name + ' from ' + oldemail + ' to ' + user.email; + } else { + message.msg = 'Set email of user ' + userinfo.name + ' to ' + user.email; } - }); - } + obj.parent.parent.DispatchEvent(['*', 'server-users', user._id], obj, message); + } + }); } break; } 
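Review bot: In the re-indented `GetUserWithVerifiedEmail` callback, `docs.length` is read without looking at `err`, so a failed query whose callback passes `docs` as null or undefined would throw inside the callback rather than fail cleanly; add `if ((err != null) || (docs == null)) return;` before `if (docs.length > 0)`, or send a notify message so the user learns the change did not happen. The `!= command.email` comparison and the duplicate-address lookup are also byte-exact, so if the query matches case-sensitively, `User@Example.com` would not be recognised as the already-verified `user@example.com` on another account; I cannot tell from this hunk how the lookup compares, but normalising the domain part to lower case before both the comparison and the lookup would make the uniqueness check reliable. The enclosing `CreateMeshUser` function starts and ends outside the hunk.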
@@ -435,13 +432,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain) { // Add a new user account
 if ((user.siteadmin & 2) == 0) break;
- if (obj.common.validateString(command.username, 1, 64) == false) break; // Username is between 1 and 64 characters
+ if (obj.common.validateUsername(command.username, 1, 64) == false) break; // Username is between 1 and 64 characters, no spaces
 if (obj.common.validateString(command.pass, 1, 256) == false) break; // Password is between 1 and 256 characters
+ if ((command.email != null) && (obj.common.validateEmail(command.email, 1, 256) == false)) break; // Check if this is a valid email address
 var newusername = command.username, newuserid = 'user/' + domain.id + '/' + command.username.toLowerCase();
 if (newusername == '~') break; // This is a reserved user name
 if (!obj.parent.users[newuserid]) {
 var newuser = { type: 'user', _id: newuserid, name: newusername, creation: Date.now(), domain: domain.id };
- if (obj.common.validateString(command.email, 1, 256) == true) { newuser.email = command.email; } // Email is between 1 and 256 characters
+ if (command.email != null) { newuser.email = command.email; } // Email
 obj.parent.users[newuserid] = newuser;
 // Create a user, generate a salt and hash the password
 require('./pass').hash(command.pass, function (err, salt, hash) {
diff --git a/package.json b/package.json
index 815d0aef..12992712 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.1.7-i",
+ "version": "0.1.7-k",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/views/default.handlebars b/views/default.handlebars
index 99f5c95f..3f0c4f39 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -1952,7 +1952,7 @@ x += ""; // Linux agent install - x += ""; // Linux agent uninstall - x += "
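Review bot: The new `validateUsername` check only excludes a space, yet the username is embedded unchanged into `newuserid = 'user/' + domain.id + '/' + command.username.toLowerCase()`, so a username containing `/` (or control characters) passes validation and produces an id with extra separators; if user ids are split on `/` anywhere else in the server, that yields a malformed or colliding id. A per-call-site whitelist right after the new validateUsername line, `if (/^[^\/\s]+$/.test(command.username) == false) break; // No separators or whitespace in the user id`, would close that gap without changing the shared helper. The `newusername == '~'` reservation check is still case-sensitive on the original string while the id is lower-cased, which is fine here since `~` has no case, but worth a comment if more reserved names are added. The enclosing `CreateMeshUser` function starts and ends outside the hunk.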