Implement reset token validation and change password page

Author: dmitrizagidulin

default-views/account/register.hbs

@@ -55,7 +55,10 @@
 
         <div class="col-md-10">
           <div>Already have an account?
-            <a href="/login?returnToUrl={{{returnToUrl}}}">Log In</a>
+            <a class="btn btn-xs btn-default"
+               href="/login{{#if returnToUrl}}?returnToUrl={{{returnToUrl}}}{{/if}}">
+              Log In
+            </a>
           </div>
         </div>
       </div>

default-views/auth/change-password.hbs

@@ -0,0 +1,65 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Change Password</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h4>Change Password</h4>
+</div>
+<div class="container">
+  <form method="post" action="/account/password/change">
+    {{#if error}}
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-12">
+            <p class="text-danger"><strong>{{error}}</strong></p>
+          </div>
+        </div>
+      </div>
+    {{/if}}
+
+    {{#if validToken}}
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-12">
+            <label for="newPassword">New Password:</label>
+
+            <input type="password" class="form-control" name="newPassword" />
+          </div>
+        </div>
+      </div>
+
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-2">
+            <button type="submit" class="btn btn-primary">Change Password</button>
+          </div>
+        </div>
+
+        <input type="hidden" name="returnToUrl" value="{{{returnToUrl}}}" />
+        <input type="hidden" name="token" value="{{token}}" />
+      </div>
+    {{else}}
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-12">
+            <div>
+              <strong>
+              <a class="btn btn-xs btn-primary"
+                 href="/account/password/reset{{#if returnToUrl}}?returnToUrl={{{returnToUrl}}}{{/if}}">
+                Email password reset link
+              </a>
+              </strong>
+            </div>
+          </div>
+        </div>
+      </div>
+    {{/if}}
+  </form>
+</div>
+</body>
+</html>

default-views/auth/login.hbs

@@ -37,18 +37,24 @@
     <div class="form-group">
       <div class="row">
         <div class="col-md-2">
-          <button type="submit" class="btn btn-primary" id="login">Login</button>
+          <button type="submit" class="btn btn-primary" id="login">Log In</button>
         </div>
 
         <div class="col-md-4">
           <div>Don't have an account?
-            <a href="/register?returnToUrl={{{postRegisterUrl}}}">Register</a>
+            <a class="btn btn-xs btn-default"
+               href="/register{{#if returnToUrl}}?returnToUrl={{{returnToUrl}}}{{/if}}">
+              Register
+            </a>
           </div>
         </div>
 
         <div class="col-md-6">
           <div>Forgot password?
-            <a href="/account/password/reset?returnToUrl={{{postRegisterUrl}}}">Reset password</a>
+            <a class="btn btn-xs btn-default"
+               href="/account/password/reset{{#if returnToUrl}}?returnToUrl={{{returnToUrl}}}{{/if}}">
+              Reset password
+            </a>
           </div>
         </div>
       </div>

default-views/auth/password-changed.hbs

@@ -0,0 +1,23 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Password Changed</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h4>Password Changed</h4>
+</div>
+<div class="container">
+  <p>Your password has been changed.</p>
+
+  <p><strong>
+    <a class="btn btn-default" href="/login{{#if returnToUrl}}?returnToUrl={{{returnToUrl}}}{{/if}}">
+      Log in
+    </a>
+  </strong></p>
+</div>
+</body>
+</html>

default-views/auth/reset-password.hbs

@@ -45,7 +45,8 @@
 
         <div class="col-md-4">
           <div>Don't have an account?
-            <a href="/register?returnToUrl={{{returnToUrl}}}">Register</a>
+            <a class="btn btn-xs btn-default"
+               href="/register{{#if returnToUrl}}?returnToUrl={{{returnToUrl}}}{{/if}}">Register</a>
           </div>
         </div>
       </div>

lib/api/authn/webid-oidc.js

@@ -9,6 +9,7 @@ const bodyParser = require('body-parser').urlencoded({ extended: false })
 const { LoginByPasswordRequest } = require('../../requests/login-request')
 
 const PasswordResetEmailRequest = require('../../requests/password-reset-email-request')
+const PasswordChangeRequest = require('../../requests/password-change-request')
 
 const {
   AuthCallbackRequest,
@@ -38,6 +39,9 @@ function middleware (oidc) {
   router.get('/account/password/reset', PasswordResetEmailRequest.get)
   router.post('/account/password/reset', bodyParser, PasswordResetEmailRequest.post)
 
+  router.get('/account/password/change', PasswordChangeRequest.get)
+  router.post('/account/password/change', bodyParser, PasswordChangeRequest.post)
+
   router.get('/logout', LogoutRequest.handle)
 
   router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })

lib/models/account-manager.js

@@ -11,6 +11,7 @@ const AccountTemplate = require('./account-template')
 const debug = require('./../debug').accounts
 
 const DEFAULT_PROFILE_CONTENT_TYPE = 'text/turtle'
+const DEFAULT_ADMIN_USERNAME = 'admin'
 
 /**
  * Manages account creation (determining whether accounts exist, creating
@@ -192,7 +193,8 @@ class AccountManager {
    * @param [accountName] {string}
    *
    * @throws {Error} via accountUriFor()
-   * @return {string}
+   *
+   * @return {string|null}
    */
   accountWebIdFor (accountName) {
     let accountUri = this.accountUriFor(accountName)
@@ -343,12 +345,32 @@ class AccountManager {
       username: userData.username,
       email: userData.email,
       name: userData.name,
-      webId: userData.webid || this.accountWebIdFor(userData.username)
+      webId: userData.webid || userData.webId ||
+        this.accountWebIdFor(userData.username)
+    }
+
+    if (userConfig.webId && !userConfig.username) {
+      userConfig.username = this.usernameFromWebId(userConfig.webId)
+    }
+
+    if (!userConfig.webId && !userConfig.username) {
+      throw new Error('Username or web id is required')
     }
 
     return UserAccount.from(userConfig)
   }
 
+  usernameFromWebId (webId) {
+    if (!this.multiUser) {
+      return DEFAULT_ADMIN_USERNAME
+    }
+
+    let profileUrl = url.parse(webId)
+    let hostname = profileUrl.hostname
+
+    return hostname.split('.')[0]
+  }
+
   /**
    * Creates a user account storage folder (from a default account template).
    *
@@ -382,6 +404,27 @@ class AccountManager {
     return this.tokenService.generate({ webId: userAccount.webId })
   }
 
+  /**
+   * Validates that a token exists and is not expired, and returns the saved
+   * token contents, or throws an error if invalid.
+   * Does not consume / clear the token.
+   *
+   * @param token {string}
+   *
+   * @throws {Error} If missing or invalid token
+   *
+   * @return {Object} Saved token data object
+   */
+  validateResetToken (token) {
+    let tokenValue = this.tokenService.verify(token)
+
+    if (!tokenValue) {
+      throw new Error('Invalid or expired reset token')
+    }
+
+    return tokenValue
+  }
+
   /**
    * Returns a password reset URL (to be emailed to the user upon request)
    *
@@ -392,8 +435,11 @@ class AccountManager {
    */
   passwordResetUrl (token, returnToUrl) {
     let resetUrl = url.resolve(this.host.serverUri,
-      `/account/password/change?token=${token}` +
-      `&returnToUrl=${returnToUrl}`)
+      `/account/password/change?token=${token}`)
+
+    if (returnToUrl) {
+      resetUrl += `&returnToUrl=${returnToUrl}`
+    }
 
     return resetUrl
   }

lib/requests/login-request.js

@@ -4,7 +4,6 @@ const url = require('url')
 const validUrl = require('valid-url')
 
 const debug = require('./../debug').authentication
-const UserAccount = require('../models/user-account')
 
 /**
  * Models a Login request, a POST submit from a Login form with a username and
@@ -221,7 +220,7 @@ class LoginByPasswordRequest {
 
     if (validUrl.isUri(this.username)) {
       // A WebID URI was entered into the username field
-      userOptions = { webid: this.username }
+      userOptions = { webId: this.username }
     } else {
       // A regular username
       userOptions = { username: this.username }
@@ -246,14 +245,14 @@ class LoginByPasswordRequest {
       })
       .then(validUser => {
         if (!validUser) {
-          error = new Error('User found but no password found')
+          error = new Error('User found but no password match')
           error.statusCode = 400
           throw error
         }
 
         debug('User found, password matches')
 
-        return UserAccount.from(validUser)
+        return this.accountManager.userAccountFrom(validUser)
       })
   }