boogerlad/mj - Change 7XVW32MMBBIGWQZ3QRD365TBIJU4DYN6T4VO2E46WFDCFHGO2BMAC

"update profile" endpoint. so far just email and password, but trivial to add more fields. admin edit user not done yet allow login via magic link

Created by boogerlad on June 23, 2020

7XVW32MMBBIGWQZ3QRD365TBIJU4DYN6T4VO2E46WFDCFHGO2BMAC

Dependencies

In channels

main

Change contents

Replacement in dotenv at line 16 [6.45]
B:BD[5.94] → [5.94:112]
```
ANTICAPTCHA_TOKEN=
```
[5.94]
```
ANTICAPTCHA_TOKEN=
SENDGRID=
```
Replacement in initialize.sql at line 203 [8.17]
B:BD[7.3143] → [7.3143:3167]
```
	cyp2c19_17 cyp2c19_17
```
[7.3143]
[8.4805]
```
	cyp2c19_17 cyp2c19_17,
	otp_hash bytea,
	otp_expiry timestamptz
```

Replacement in package.json at line 8 [6.29376]

B:BD[6.29526] → [2.9765:9819]

    "@googlemaps/google-maps-services-js": "^2.6.0",

[6.29526]

    "@googlemaps/google-maps-services-js": "^3.1.2",
    "@sendgrid/mail": "^7.2.0",

Insertion in server.js at line 25 [11.590]

[9.4645]

[10.245]

const sgMail = require('@sendgrid/mail');
sgMail.setApiKey(process.env.SENDGRID);

Insertion in server.js at line 109 [11.590]

[3.1195]

			} else if(parameters.otp) {
				//click link && original tab closed(sharedworker dead, so no preexisting connection)
				//debating whether or not I should implement this...

Insertion in server.js at line 126 [11.590]

[4.71]

[11.1554]

			case 'request_otp':
				if(isLoggedIn(ws)) {
					ws.send(JSON.stringify({
						response_ID: request_ID,
						data: "already logged in"
					}));
				} else {
					let token = await randomBytes(128);
					if((await pool.query(`update usr set otp_expiry = now() + interval '5 minute', otp_hash = $2 where email = $1`, [parameters.email, crypto.createHash('BLAKE2b512').update(token).digest()])).rowCount === 1) {
						sgMail.send({
							to: parameters.email,
							from: 'lobojane <support@lobojane.com>',
							subject: `Click this link to finish logging in`,
							html: `<a href="https://www.lobojane.com/user?otp=${token.toString('base64')}">idk</a><div>Alternatively, copy and paste <code>${token.toString('base64')}</code> into the input field</div>if this wasn't you, let us know by replying to this email.`
						}).then(() => ws.send(JSON.stringify({
							response_ID: request_ID
						})), error => {
							console.error(error);
							ws.send(JSON.stringify({
								response_ID: request_ID,
								data: 'failed to send email'
							}));
						});
					} else {
						ws.send(JSON.stringify({
							response_ID: request_ID,
							data: 'user not found'
						}))
					}
				}
				break;
			case 'login_otp'://if paste in code || click link && original tab still open(sharedworker active, preexisting connection)
				if(isLoggedIn(ws)) {
					ws.send(JSON.stringify({
						response_ID: request_ID,
						data: "already logged in"
					}));
				} else {
					let token = await randomBytes(128);
					let user = (await pool.query('update usr set otp_hash = null, token_hash = $1 where otp_hash = $2 and now() < otp_expiry returning user_id, email, type, comt, akt1, cyp2c9, cyp2c19_2, cyp2c19_3, cyp2c19_17', [crypto.createHash('BLAKE2b512').update(token).digest(), crypto.createHash('BLAKE2b512').update(Buffer.from(parameters.otp, 'base64')).digest()])).rows[0];//possible timing attack?
					if(user === undefined) {
						ws.send(JSON.stringify({
							response_ID: request_ID,
							data: 'invalid otp'
						}));
					} else {
						ws.user_ID = user.user_id;
						ws.user_type = user.type;
						desensitize(user);
						user.token = token.toString('base64');
						ws.send(JSON.stringify({
							response_ID: request_ID,
							data: user
						}));
						//disallow multiple sockets with same credentials
						let old = authenticated.get(user.user_id);
						if(old !== undefined) {
							delete old.user_ID;
							delete old.user_type;
							old.send('{"what":"logout"}');
						}
						authenticated.set(user.user_id, ws);
						ws.publish('user/authenticated', JSON.stringify({
							what: 'user/authenticated',//tbd
							how: 'update',
							data: authenticated.size
						}));
					}
				}
				break;

Insertion in server.js at line 257 [11.590]

[11.2427]

[12.5396]

					//think maybe todo: if remember_me false, don't generate new token. this is so that if user "remember me" at home computer, but they for whatever reason need to log in elsewhere, won't invalidate home "remember me". but then while they're logged in elsewhere, if lose connection or refresh page (and no other tabs so sharedworker will be recreated), they'll need to log in again :(

Insertion in server.js at line 383 [11.590]

[10.4576]

[13.3100]

			case 'update_profile':
				if(isLoggedIn(ws)) {
					let dawg = [];
					let poop = [ws.user_ID];
					if(typeof parameters.email === 'string') {
						dawg.push(`email = $${poop.push(parameters.email)}`);
					}
					if(typeof parameters.passphrase === 'string') {
						dawg.push(`passphrase_hash = $${poop.push(await argon2.hash(parameters.passphrase))}`);
					}
					if(dawg.length) {
						try {
							await pool.query(`update usr set ${dawg.join(',')} where user_id = $1`, poop);
							ws.send(JSON.stringify({
								response_ID: request_ID
							}));
						} catch(e) {
							let error = 'this email address is in use';
							if(e.constraint !== 'usr_email_key') {
								console.error(e);
								error = 'error';
							}
							ws.send(JSON.stringify({
								response_ID: request_ID,
								data: error
							}));
						}
					} else {
						ws.send(JSON.stringify({
							response_ID: request_ID,
							data: 'WHAT DO U WANT ME 2 DO???'
						}));
					}
				} else {
					ws.send(JSON.stringify({
						response_ID: request_ID,
						data: 'not logged in'
					}));
				}
				break;