SECURITY UPDATE

* Handle failed login attempts via Telnet
* New lockout features for >= N failed attempts
* New auto-unlock over email feature
* New auto-unlock after N minutes feature
* Code cleanup in users
* Add user_property.js - start using consts for user properties. Clean up over time.
* Update email docs
Bryan Ashby 2018-11-22 23:07:37 -07:00
parent f18b023652
commit df2bf4477e
18 changed files with 401 additions and 100 deletions


@ -10,6 +10,7 @@ const User = require('./user.js');
const userDb = require('./database.js').dbs.user;
const getISOTimestampString = require('./database.js').getISOTimestampString;
const Log = require('./logger.js').log;
const UserProps = require('./user_property.js');
// deps
const async = require('async');
@ -17,6 +18,7 @@ const crypto = require('crypto');
const fs = require('graceful-fs');
const url = require('url');
const querystring = require('querystring');
const _ = require('lodash');
const PW_RESET_EMAIL_TEXT_TEMPLATE_DEFAULT =
`%USERNAME%:
@ -283,8 +285,11 @@ class WebPasswordReset {
}
// delete assoc properties - no need to wait for completion
user.removeProperty('email_password_reset_token');
user.removeProperty('email_password_reset_token_ts');
user.removeProperties([ UserProps.EmailPwResetToken, UserProps.EmailPwResetTokenTs ]);
if(true === _.get(config, 'users.unlockAtEmailPwReset')) {
user.unlockAccount( () => { /* dummy */ } );
}
resp.writeHead(200);
return resp.end('Password changed successfully');
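Review bot: The unlock added after the token cleanup passes an empty callback (`() => { /* dummy */ }`), so a failed `unlockAccount` is never recorded and the handler still answers 200 with 'Password changed successfully' while the account may remain locked. Because this path lifts a failed-login lockout, both the success and the failure are worth an audit log entry through the `Log` already required at the top of this file, for example `user.unlockAccount(err => { if(err) { Log.warn({ error : err.message }, 'Failed to unlock account after password reset'); } });`. The `removeProperties` call just above is also made without a callback; if that delete fails, the reset token presumably stays usable, so it is worth confirming that the failure is at least logged somewhere. The enclosing handler starts and ends outside this hunk.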