Implement forget password.

libs/email.js

@@ -0,0 +1,16 @@
+const Promise = require('bluebird');
+const sendmail = Promise.promisify(require('sendmail')());
+
+async function send_sendmail(to, subject, body) {
+    await sendmail({
+        from: `${syzoj.config.title} <${syzoj.config.register_mail.address}>`,
+        to: to,
+        type: 'text/html',
+        subject: subject,
+        html: body
+    });
+}
+
+module.exports.send = async function sendEmail(to, subject, body) {
+    await send_sendmail(to, subject, body);
+}

models/user.js

@@ -79,6 +79,14 @@ class User extends Model {
     }, val)));
   }
 
+  static async fromEmail(email) {
+    return User.fromRecord(User.model.findOne({
+      where: {
+        email: email
+      }
+    }));
+  }
+  
   static async fromName(name) {
     return User.fromRecord(User.model.findOne({
       where: {

modules/api.js

@@ -22,6 +22,8 @@
 let User = syzoj.model('user');
 let Problem = syzoj.model('problem');
 let File = syzoj.model('file');
+const Email = require('../libs/email');
+const jwt = require('jsonwebtoken');
 
 function setLoginCookie(username, password, res) {
   res.cookie('login', JSON.stringify([username, password]));
@@ -46,6 +48,40 @@ app.post('/api/login', async (req, res) => {
   }
 });
 
+app.post('/api/forget', async (req, res) => {
+  try {
+    res.setHeader('Content-Type', 'application/json');
+    let user = await User.fromEmail(req.body.email);
+    if (!user) res.send({ error_code: 1001 });
+    let sendObj = {
+      userId: user.id,
+    };
+
+    const token = jwt.sign(sendObj, syzoj.config.register_mail.key, {
+      subject: 'forget',
+      expiresIn: '12h'
+    });
+
+    const vurl = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'forget_confirm'], { token: token });
+    try {
+      await Email.send(req.body.email,
+        `${req.body.username} 的 ${syzoj.config.title} 密码重置邮件`,
+        `<p>请点击该链接来重置密码：</p><p><a href="${vurl}">${vurl}</a></p><p>链接有效期为 12h。如果您不是 ${req.body.username}，请忽略此邮件。</p>`
+      );
+    } catch (e) {
+      return res.send({
+        error_code: 2010,
+        message: require('util').inspect(e)
+      });
+    }
+
+    if (!user) res.send({ error_code: 1 });
+  } catch (e) {
+    syzoj.log(e);
+    res.send(JSON.stringify({ error_code: e }));
+  }
+});
+
 // Sign up
 app.post('/api/sign_up', async (req, res) => {
   try {
@@ -64,24 +100,23 @@ app.post('/api/sign_up', async (req, res) => {
     if (!syzoj.utils.isValidUsername(req.body.username)) throw 2002;
 
     if (syzoj.config.register_mail.enabled) {
-      let sendmail = Promise.promisify(require('sendmail')());
       let sendObj = {
         username: req.body.username,
         password: req.body.password,
         email: req.body.email,
-        prevUrl: req.body.prevUrl,
-        r: Math.random()
       };
-      let encrypted = encodeURIComponent(syzoj.utils.encrypt(JSON.stringify(sendObj), syzoj.config.register_mail.key).toString('base64'));
+
-      let url = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'sign_up', encrypted]);
+      const token = jwt.sign(sendObj, syzoj.config.register_mail.key, {
+        subject: 'register',
+        expiresIn: '2d'
+      });
+
+      const vurl = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'sign_up_confirm'], { token: token });
       try {
-        await sendmail({
+        await Email.send(req.body.email,
-          from: `${syzoj.config.title} <${syzoj.config.register_mail.address}>`,
+          `${req.body.username} 的 ${syzoj.config.title} 注册验证邮件`,
-          to: req.body.email,
+          `<p>请点击该链接完成您在 ${syzoj.config.title} 的注册：</p><p><a href="${vurl}">${vurl}</a></p><p>如果您不是 ${req.body.username}，请忽略此邮件。</p>`
-          type: 'text/html',
+        );
-          subject: `${req.body.username} 的 ${syzoj.config.title} 注册验证邮件`,
-          html: `<p>请点击该链接完成您在 ${syzoj.config.title} 的注册：</p><p><a href="${url}">${url}</a></p><p>如果您不是 ${req.body.username}，请忽略此邮件。</p>`
-        });
       } catch (e) {
         return res.send({
           error_code: 2010,
@@ -110,6 +145,83 @@ app.post('/api/sign_up', async (req, res) => {
   }
 });
 
+app.get('/api/forget_confirm', async (req, res) => {
+  try {
+    res.render('forget_confirm', {
+      token: req.query.token
+    });
+  } catch (e) {
+    syzoj.log(e);
+    res.render('error', {
+      err: e
+    });
+  }
+});
+
+app.post('/api/reset_password', async (req, res) => {
+  try {
+    let obj;
+    try {
+      obj = jwt.verify(req.query.token, syzoj.config.register_mail.key, { subject: 'forget' });
+    } catch (e) {
+      throw 3001;
+    }
+
+    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
+    if (req.query.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');
+    const user = await User.fromId(obj.id);
+    user.password = req.query.password;
+    await user.save();
+
+    res.send(JSON.stringify({ error_code: 1 }));
+  } catch (e) {
+    syzoj.log(e);
+    res.send(JSON.stringify({ error_code: e }));
+  }
+});
+
+app.get('/api/sign_up_confirm', async (req, res) => {
+  try {
+    let obj;
+    try {
+      obj = jwt.verify(req.query.token, syzoj.config.register_mail.key, { subject: 'register' });
+    } catch (e) {
+      throw new ErrorMessage('无效的注册验证链接。');
+    }
+
+    let user = await User.fromName(obj.username);
+    if (user) throw new ErrorMessage('用户名已被占用。');
+    user = await User.findOne({ where: { email: obj.email } });
+    if (user) throw new ErrorMessage('邮件地址已被占用。');
+
+    // Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."
+    // the empty password 's md5 will equal "59cb.."
+    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
+    if (obj.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');
+    if (!(obj.email = obj.email.trim())) throw new ErrorMessage('邮件地址不能为空。');
+    if (!syzoj.utils.isValidUsername(obj.username)) throw new ErrorMessage('用户名不合法。');
+
+    user = await User.create({
+      username: obj.username,
+      password: obj.password,
+      email: obj.email,
+      public_email: true
+    });
+    await user.save();
+
+    req.session.user_id = user.id;
+    setLoginCookie(user.username, user.password, res);
+
+    res.redirect(obj.prevUrl || '/');
+  } catch (e) {
+    syzoj.log(e);
+    res.render('error', {
+      err: e
+    });
+  }
+});
+
+// Obslete!!!
 app.get('/api/sign_up/:token', async (req, res) => {
   try {
     let obj;

modules/user.js

@@ -167,6 +167,12 @@ app.get('/user/:id/edit', async (req, res) => {
   }
 });
 
+app.get('/forget', async (req, res) => {
+  res.render('forget');
+});
+
+
+
 app.post('/user/:id/edit', async (req, res) => {
   let user;
   try {

views/forget.ejs

@@ -0,0 +1,71 @@
+<% this.title = '忘记密码' %>
+<% include header %>
+<div class="ui message" id="msgBox" hidden>
+    <p id="msgContent"></p>
+</div>
+<div class="ui middle aligned center aligned grid">
+  <div class="row">
+    <div class="column" style="max-width: 450px">
+      <h2 class="ui image header">
+        <div class="content">
+          忘记密码
+        </div>
+      </h2>
+      <form class="ui large form">
+        <div class="ui existing segment">
+          <div class="field">
+            <div class="ui left icon input">
+              <i class="at icon"></i>
+              <input name="email" placeholder="电子邮件地址" type="text" id="email" onkeydown="key_login(event)">
+            </div>
+          </div>
+          <div class="ui fluid large submit button" id="sendEmail">找回密码</div>
+        </div>
+        <div class="ui error message"></div>
+      </form>
+    </div>
+  </div>
+</div>
+<script type="text/javascript">
+function showMessage(mclass, content) {
+    $("#msgBox").addClass(mclass);
+    $("#msgContent").text(content);
+    $("#msgBox").show();
+}
+function submitForm() {
+    $("#sendEmail").addClass("loading");
+    $.ajax({
+        url: "/api/forget",
+        type: 'POST',
+        data: {
+            "email": $("#email").val(),
+            "_csrf": document.head.getAttribute('data-csrf-token')
+        },
+        async: true,
+        success: function(data) {
+            error_code = data.error_code;
+            switch (error_code) {
+                case 1:
+                    showMessage("positive", "找回密码邮件已经发至你电子邮箱的垃圾邮件文件夹。");
+                    return;
+                case 1002:
+                    showMessage("error", "用户不存在");
+                    break;
+                default:
+                    showMessage("error", "未知错误" + error_code);
+                    break;
+            }
+            $("#resetPassword").removeClass("loading");
+        },
+        error:  function(XMLHttpRequest, textStatus, errorThrown) {
+            alert(XMLHttpRequest.responseText);
+        }
+    });
+}
+$(document).ready(function() {
+    $("#sendEmail").click(function() {
+        submitForm();
+    });
+});
+</script>
+<% include footer %>

views/forget_confirm.ejs

@@ -0,0 +1,74 @@
+<% this.title = '重设密码' %>
+<% include header %>
+<div class="ui error message" id="error" hidden></div>
+<div class="ui middle aligned center aligned grid">
+  <div class="row">
+    <div class="column" style="max-width: 450px">
+      <h2 class="ui image header">
+        <div class="content">
+          重设密码
+        </div>
+      </h2>
+      <form class="ui large form">
+        <div class="ui existing segment">
+            <div class="two fields">
+                <div class="field">
+                <label class="ui header">密码</label>
+                    <input type="password" placeholder="" id="password1">
+                </div>
+                <div class="field">
+                    <label class="ui header">确认密码</label>
+                    <input type="password" placeholder="" id="password2">
+                </div>
+            </div>
+            <div class="ui fluid large submit button" id="reset">重设</div>
+        </div>
+      </form>
+    </div>
+  </div>
+</div>
+<script src="/libs/blueimp-md5/js/md5.min.js"></script>
+<script type="text/javascript">
+function showMessage(mclass, content) {
+    $("#msgBox").addClass(mclass);
+    $("#msgContent").text(content);
+    $("#msgBox").show();
+}
+function submitForm() {
+    if ($("#password1").val() != $("#password2").val()) {
+        showMessage("两次输入的密码不一致");
+        return;
+    }
+    password = md5($("#password1").val() + "syzoj2_xxx");
+    $("#resetPassword").addClass("loading");
+    $.ajax({
+        url: "/api/reset_password",
+        type: 'POST',
+        data: {
+            "token": <%- JSON.stringify(token) %>,
+            "password": password
+        },
+        async: true,
+        success: function(data) {
+            error_code = data.error_code;
+            switch (error_code) {
+                case 1:
+                    showMessage("positive", "密码重置成功。");
+                    return;
+                default:
+                    showMessage("error", "未知错误" + error_code);
+                    break;
+            }
+            $("#resetPassword").removeClass("loading");
+        },
+        error:  function(XMLHttpRequest, textStatus, errorThrown) {
+            alert(XMLHttpRequest.responseText);
+        }
+    });
+}
+$(document).ready(function() {
+    $("#reset").click(function() {
+        submitForm();
+    });
+});
+</script>

views/login.ejs

@@ -31,7 +31,8 @@
       </form>
 
       <div class="ui message">
-        新用户？ <a href="/sign_up">注册</a>
+        <a href="/sign_up">注册</a>
+        <a href="<%= syzoj.utils.makeUrl(['forget']) %>">忘记密码</a>
       </div>
     </div>
   </div>