Skip to content
This repository was archived by the owner on May 16, 2026. It is now read-only.

Commit 899475f

Browse files
committed
שימוש במספר רנדומלי אמיתי לקוד אימות דוא"ל ובUUID כמזהה סשנים - מספריית crypto המובנית
https://nodejs.org/api/crypto.html#cryptorandomintmin-max-callback https://nodejs.org/api/crypto.html#cryptorandomuuidoptions
1 parent 85cfd0b commit 899475f

3 files changed

Lines changed: 12 additions & 44 deletions

File tree

src/controllers/users.js

Lines changed: 6 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -5,16 +5,9 @@ const bcrypt = require('bcrypt');
55
const { zxcvbn } = require('@zxcvbn-ts/core');
66
const ms = require('ms');
77
const { validate: emailValidator } = require('deep-email-validator');
8+
const crypto = require('crypto');
89
const emailSends = require('@services/email');
910

10-
/**
11-
* @returns number random in 5 digit in string format
12-
*/
13-
function randomCode () {
14-
const numberRandom = Math.floor((Math.random() * 5000), 0);
15-
return numberRandom.toString().padStart(5, Math.floor(Math.random() * 10 + 1)).toString();
16-
}
17-
1811
/**
1912
* נרמול כתובת מייל - הסרת נקודות מיותרות, מה שאחרי הפלוס, וכדומה
2013
* לצורך וידוא שהמייל לא רשום כבר
@@ -82,7 +75,7 @@ async function signup (req, res) {
8275
});
8376
}
8477

85-
const verifyEmailCode = randomCode();
78+
const verifyEmailCode = crypto.randomInt(0, 99999);
8679
const userID = new mongoose.Types.ObjectId();
8780

8881
const user = new User({
@@ -129,12 +122,13 @@ async function login (req, res) {
129122

130123
const session = await Session.create({
131124
_id: new mongoose.Types.ObjectId(),
125+
uuid: crypto.randomUUID(),
132126
userId: user._id
133127
});
134128

135-
res.status(200).cookie('session', session._id, { path: '/', secure: true, httpOnly: true, maxAge: ms('30d') }).json({
129+
res.status(200).cookie('session', session.uuid, { path: '/', secure: true, httpOnly: true, maxAge: ms('30d') }).json({
136130
message: 'Auth successful',
137-
sessionId: session._id,
131+
sessionUuid: session.uuid,
138132
user: {
139133
name: user.name,
140134
email: user.emailFront,
@@ -220,35 +214,8 @@ async function resendVerificationEmail (req, res) {
220214
async function resetPassword (req, res) {
221215
const { email } = req.body;
222216

223-
/**
224-
* normalize-email by regex
225-
*/
226217
const emailProcessed = normalizeEmail(email);
227218

228-
/**
229-
* validate email
230-
*/
231-
const validateEmail = await emailValidator({
232-
email: emailProcessed,
233-
validateRegex: true,
234-
validateMx: true,
235-
validateTypo: false,
236-
validateDisposable: true,
237-
validateSMTP: false
238-
});
239-
240-
if (!validateEmail.valid) {
241-
if (validateEmail.reason === 'disposable') {
242-
return res.status(400).json({
243-
message: 'disposable email not allowed'
244-
});
245-
} else {
246-
return res.status(400).json({
247-
message: 'email is not valid'
248-
});
249-
}
250-
}
251-
252219
const user = await User.findOne({ emailProcessed });
253220
if (!user) {
254221
return res.status(404).json({
@@ -264,7 +231,7 @@ async function resetPassword (req, res) {
264231
});
265232
}
266233

267-
const resetPasswordToken = randomCode();
234+
const resetPasswordToken = crypto.randomInt(0, 99999);
268235
await emailSends.resetPassword({
269236
code: resetPasswordToken,
270237
address: user.emailFront,

src/middlewares/checkLogin.js

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,12 +2,12 @@ const User = require('@models/user');
22
const Session = require('@models/session');
33

44
const checkLogin = async (req, res, next) => {
5-
let sessionId = req.cookies.session || req.headers.authorization;
6-
if (!sessionId) return res.status(401).header('action-required', 'login').json({ message: 'session is required. please login' });
5+
let sessionUuid = req.cookies.session || req.headers.authorization;
6+
if (!sessionUuid) return res.status(401).header('action-required', 'login').json({ message: 'session is required. please login' });
77

8-
sessionId = sessionId.replace('Bearer ', '');
8+
sessionUuid = sessionUuid.replace('Bearer ', '');
99

10-
const session = await Session.findById(sessionId);
10+
const session = await Session.findOne({ uuid: sessionUuid });
1111
if (!session) {
1212
if (req.url !== '/logout') res.header('action-required', 'login');
1313
return res.clearCookie('session').status(401).json({
@@ -24,7 +24,7 @@ const checkLogin = async (req, res, next) => {
2424
}
2525

2626
res.locals.user = user;
27-
res.locals.sessionId = sessionId;
27+
res.locals.sessionId = session._id;
2828
next();
2929
};
3030

src/models/session.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ const mongoose = require('mongoose');
22

33
const sessionSchema = mongoose.Schema({
44
_id: mongoose.Schema.Types.ObjectId,
5+
uuid: { type: String, required: true },
56
userId: { type: mongoose.Schema.Types.ObjectId, required: true },
67
createdAt: { type: Date, default: Date.now },
78
expires: { type: Date, default: Date.now, expires: 60 * 60 * 24 * 45 } // 45 days

0 commit comments

Comments
 (0)