Add optional email address verification

8 years ago · 424c98e02d
5 changed files with 112 additions and 12 deletions
--- a/config-example.json
+++ b/config-example.json
@ -10,6 +10,11 @@
    "dialect": "sqlite",
    "storage": "syzoj.db"
  },
+  "register_mail": {
+    "enabled": true,
+    "address": "test@test.domain",
+    "key": "test"
+  },
  "upload_dir": "uploads",
  "default": {
    "problem": {
--- a/modules/api.js
+++ b/modules/api.js
@ -54,6 +54,9 @@ app.post('/api/sign_up', async (req, res) => {
    res.setHeader('Content-Type', 'application/json');
    let user = await User.fromName(req.body.username);
    if (user) throw 2008;
+    user = await User.findOne({ where: { email: req.body.email } });
+    if (user) throw 2009;
+

    // Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."
    // the empty password 's md5 will equal "59cb.."
@ -62,6 +65,31 @@ app.post('/api/sign_up', async (req, res) => {
    if (!(req.body.email = req.body.email.trim())) throw 2006;
    if (!syzoj.utils.isValidUsername(req.body.username)) throw 2002;

+    if (syzoj.config.register_mail.enabled) {
+      let sendmail = Promise.promisify(require('sendmail')());
+      let sendObj = {
+        username: req.body.username,
+        password: req.body.password,
+        email: req.body.email,
+        prevUrl: req.body.prevUrl,
+        r: Math.random()
+      };
+      let encrypted = encodeURIComponent(syzoj.utils.encrypt(JSON.stringify(sendObj), syzoj.config.register_mail.key).toString('base64'));
+      let url = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'sign_up', encrypted]);
+      try {
+        await sendmail({
+          from: syzoj.config.register_mail.address,
+          to: req.body.email,
+          type: 'text/html',
+          subject: `${req.body.username} 的 ${syzoj.config.title} 注册验证邮件`,
+          html: `<p>请点击该链接完成您在 ${syzoj.config.title} 的注册：<a href="${url}">${url}</a>。</p><p>如果您不是 ${req.body.username}，请忽略此邮件。</p>`
+        });
+      } catch (e) {
+        throw 2010
+      }
+
+      res.send(JSON.stringify({ error_code: 2 }));
+    } else {
      user = await User.create({
        username: req.body.username,
        password: req.body.password,
@ -73,12 +101,54 @@ app.post('/api/sign_up', async (req, res) => {
      setLoginCookie(user.username, user.password, res);

      res.send(JSON.stringify({ error_code: 1 }));
+    }
  } catch (e) {
    syzoj.log(e);
    res.send(JSON.stringify({ error_code: e }));
  }
 });

+app.get('/api/sign_up/:token', async (req, res) => {
+  try {
+    let obj;
+    try {
+      let decrypted = syzoj.utils.decrypt(Buffer.from(req.params.token, 'base64'), syzoj.config.register_mail.key).toString();
+      obj = JSON.parse(decrypted);
+    } catch (e) {
+      throw new ErrorMessage('无效的注册验证链接。');
+    }
+
+    let user = await User.fromName(obj.username);
+    if (user) throw new ErrorMessage('用户名已被占用。');
+    user = await User.findOne({ where: { email: obj.email } });
+    if (user) throw new ErrorMessage('邮件地址已被占用。');
+
+    // Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."
+    // the empty password 's md5 will equal "59cb.."
+    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
+    if (obj.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');
+    if (!(obj.email = obj.email.trim())) throw new ErrorMessage('邮件地址不能为空。');
+    if (!syzoj.utils.isValidUsername(obj.username)) throw new ErrorMessage('用户名不合法。');
+
+    user = await User.create({
+      username: obj.username,
+      password: obj.password,
+      email: obj.email
+    });
+    await user.save();
+
+    req.session.user_id = user.id;
+    setLoginCookie(user.username, user.password, res);
+
+    res.redirect(obj.prevUrl || '/');
+  } catch (e) {
+    syzoj.log(e);
+    res.render('error', {
+      err: e
+    });
+  }
+});
+
 // Markdown
 app.post('/api/markdown', async (req, res) => {
  try {
--- a/package.json
+++ b/package.json
@ -44,6 +44,7 @@
    "pygmentize-bundled-cached": "^1.1.0",
    "request": "^2.74.0",
    "request-promise": "^4.1.1",
+    "sendmail": "^1.1.1",
    "sequelize": "^3.24.3",
    "session-file-store": "^1.0.0",
    "sqlite3": "^3.1.4",
--- a/utility.js
+++ b/utility.js
@ -329,5 +329,16 @@ module.exports = {
    let s = JSON.stringify(key);
    if (!this.locks[s]) this.locks[s] = new AsyncLock();
    return this.locks[s].acquire(s, cb);
+  },
+  encrypt(buffer, password) {
+    if (typeof buffer === 'string') buffer = Buffer.from(buffer);
+    let crypto = require('crypto');
+    let cipher = crypto.createCipher('aes-256-ctr', password);
+    return Buffer.concat([cipher.update(buffer), cipher.final()]);
+  },
+  decrypt(buffer, password) {
+    let crypto = require('crypto');
+    let decipher = crypto.createDecipher('aes-256-ctr', password);
+    return Buffer.concat([decipher.update(buffer), decipher.final()]);
  }
 };
--- a/views/sign_up.ejs
+++ b/views/sign_up.ejs
@ -14,10 +14,6 @@
                    <label for="email">邮箱</label>
                    <input type="email" placeholder="" id="email">
                </div>
-                <!--div class="field">
-                    <label for="email">邀请码</label>
-                    <input type="text" placeholder="Invitation code" id="invitation_code">
-                </div-->
                <div class="two fields">
                    <div class="field">
                    <label class="ui header">密码</label>
@ -37,10 +33,20 @@ function show_error(error) {
    $("#error_info").text(error);
    $("#error").show();
 }
+
 function success() {
-    alert("注册成功!");
+    alert("注册成功！");
    window.location.href = <%- JSON.stringify(req.query.url || '/') %>;
 }
+
+function mail_required() {
+    alert("注册确认邮件已经发送到您的邮箱的垃圾箱，点击邮件内的链接即可完成注册。");
+    var s = $("#email").val();
+    var mailWebsite = 'https://mail.' + s.substring(s.indexOf('@') + 1, s.length);
+    if (mailWebsite === 'https://mail.gmail.com') mailWebsite = 'https://mail.google.com';
+    window.location.href = mailWebsite;
+}
+
 function submit() {
    if ($("#password1").val() != $("#password2").val()) {
        show_error("两次输入的密码不一致");
@ -55,7 +61,8 @@ function submit() {
        data: {
          username: $("#username").val(),
          password: password,
-          email: $("#email").val()
+          email: $("#email").val(),
+          prevUrl: <%- JSON.stringify(req.query.url || '/') %>
        },
        success: function(data) {
            error_code = data.error_code;
@ -79,11 +86,17 @@ function submit() {
                    show_error("已经有人用过这个用户名了");
                    break;
                case 2009:
-                    show_error("邀请码错误，请联系管理员索要");
+                    show_error("邮箱地址已被占用");
+                    break;
+                case 2010:
+                    show_error("验证邮件发送失败");
                    break;
                case 1:
                    success();
                    break;
+                case 2:
+                    mail_required();
+                    break;
                default:
                    show_error("未知错误");
                    break;