Account creation

agent/src/util.ts

@@ -47,8 +47,8 @@ const setRateLimitHeaders = (limiterRes: RateLimiterRes | null, res: Response) =
 // key configured statically - we aren't locking out people for typos
 const requestRateLimiter = new RateLimiterMemory({
   keyPrefix: 'ratelimit_auth_failures',
-  points: 1, // 1 requests
-  duration: 5, // per 5 seconds
+  points: 10, // 1 requests
+  duration: 1, // per 5 seconds
 });
 
 export const denyRateLimited: RequestHandler = catchErrors(async (req, res, next) => {

emailTemplates/createAccount.html

@@ -0,0 +1,22 @@
+<html>
+  <head> </head>
+  <body>
+    <p>Hi there!</p>
+    <p>Start creating your sccs account </strong>.</p>
+    <p>
+      To continue creating your sccs account:
+      <a href="${domain}/account/init?id=${resetId}&key=${resetKey}">this link</a>. Or, copy and
+      paste this link into your browser:
+    </p>
+    <p>${domain}/account/init?id=${resetId}&key=${resetKey}</p>
+    <p>
+      (This link will stay active for seven days; after that, you'll have to
+      <a href="${domain}/account/forgot">request a new link</a>.)
+    </p>
+    <p>
+      Enjoy your new SCCS account! We hope you'll find our services useful. If you have any
+      questions, comments, or suggestions, feel free to contact us at
+      <a href="mailto:[email protected]">[email protected]</a>
+    </p>
+  </body>
+</html>

emailTemplates/verification.html

@@ -0,0 +1,24 @@
+<html>
+  <head> </head>
+  <body>
+    <p>Hi there!</p>
+    <p>You are receiving this message to verify the email associated with your new SCCS account! Your username is: <strong>${username}</strong>.</p>
+    <p>
+      To access SCCS services, confirm your email by clicking: 
+      <!-- insert link with proper id and key -->
+      <a href="${domain}/account/init?id=${verifyId}&key=${verifyKey}">this link</a>. Or, copy and
+      <!-- account/init -->
+      paste this link into your browser:
+    </p>
+    <p>${domain}/account/init?id=${resetId}&key=${resetKey}</p>
+    <p>
+      (This link will stay active for seven days; after that, you'll have to
+      <a href="${domain}/account/create">request a new link</a>.)
+    </p>
+    <p>
+      Enjoy your new SCCS account! We hope you'll find our services useful. If you have any
+      questions, comments, or suggestionsx, feel free to contact us at
+      <a href="mailto:[email protected]">[email protected]</a>
+    </p>
+  </body>
+</html>

emailTemplates/verifyEmail.html

@@ -0,0 +1,24 @@
+<html>
+  <head> </head>
+  <body>
+    <p>Hi there!</p>
+    <p>You are recieving this email because you signed up for SCCS account</strong>.</p>
+    <p>
+        To finish setting up your account, confirm your email by clicking
+      <!-- insert link with proper id and key -->
+      <a href="${domain}/account/init?id=${verifyId}&key=${verifyKey}">this link</a>. Or, copy and
+      <!-- account/init -->
+      paste this link into your browser:
+    </p>
+    <p>${domain}/account/init?id=${verifyId}&key=${verifyKey}</p>
+    <p>
+      (This link will stay active for seven days; after that, you'll have to
+      <a href="${domain}/account/create">request a new link</a>.)
+    </p>
+    <p>
+      Enjoy your new SCCS account! We hope you'll find our services useful. If you have any
+      questions, comments, or suggestionsx, feel free to contact us at
+      <a href="mailto:[email protected]">[email protected]</a>
+    </p>
+  </body>
+</html>

package.json

@@ -97,7 +97,6 @@
       "prettier --write"
     ],
     "*.js": [
-      "eslint --fix",
       "prettier --write"
     ],
     "*.pug": [

src/controllers/accountController.ts

@@ -10,13 +10,21 @@ import { HttpException } from '../error/httpException';
 import { mailTransporter } from '../integration/email';
 import { ldapClient } from '../integration/ldap';
 import { modifyForwardFile } from '../integration/localAgent';
-import { PasswordResetRequest, PasswordResetRequestModel, TaskModel } from '../integration/models';
+import {
+  PasswordResetRequest,
+  PasswordResetRequestModel,
+  TaskModel,
+  VerifyEmailRequest,
+  VerifyEmailRequestModel,
+} from '../integration/models';
 import { generateEmail } from '../util/emailTemplates';
 import { sendTaskNotification } from '../util/emailUtils';
 import { modifyLdap, searchAsync, searchAsyncUid } from '../util/ldapUtils';
 import { logger } from '../util/logging';
 import { createPasswordResetRequest } from '../util/passwordReset';
 import { testPassword } from '../util/passwordStrength';
+import { createVerifyAccountRequest } from '../util/accountVerify';
+import { verify } from 'crypto';
 
 export const VALID_CLASSES = ['24', '25', '26', '27', 'faculty', 'staff'];
 // TODO: do we have accounts in the system that don't match this username pattern?
@@ -27,55 +35,70 @@ const USERNAME_REGEX = /^[a-z][-a-z0-9]*$/;
 export class CreateAccountReq {
   // usernames must comply with debian/ubuntu standards so we can give them
   // Heron accounts
-  @jf
-    .string()
-    .regex(/^[a-z][-a-z0-9]*$/, 'POSIX username')
-    .required()
-  username: string;
 
   @jf
     .string()
     .email()
-    .regex(/.+@swarthmore\.edu/, 'Swarthmore email address')
+    // .regex(/.+@swarthmore\.edu/, 'Swarthmore email address')
     .required()
   email: string;
-
-  @jf.string().required()
-  name: string;
-
-  // FIXME would be nice to not manually update this every year
-  // TODO for that matter, can't we pull this from Cygnet?
-  @jf.string().valid(VALID_CLASSES).required()
-  classYear: string;
 }
 
 export const submitCreateAccountRequest = async (req: CreateAccountReq) => {
   // TODO how do we handle someone going to create an account if they're
   // already logged in?
 
-  if (!(await isUsernameAvailable(req.username))) {
-    throw new HttpException(400, { message: `Username ${req.username} already exists` });
-  }
-
   if (!(await isEmailAvailable(req.email))) {
     throw new HttpException(400, {
       message: `Email ${req.email} is already associated with an account`,
     });
   }
 
-  logger.info(`Submitting CreateAccountReq ${JSON.stringify(req)}`);
-  const operation = new TaskModel({
-    _id: uuidv4(),
-    operation: 'createAccount',
-    createdTimestamp: Date.now(),
-    data: req,
+  const email = req.email;
+
+  const [verifyId, verifyKey] = await createVerifyAccountRequest(email);
+
+  logger.info(`Creating email verification ${JSON.stringify(req)}`);
+
+  const [emailText, transporter] = await Promise.all([
+    generateEmail('verifyEmail.html', {
+      email: email,
+      domain: process.env.EXTERNAL_ADDRESS,
+      verifyKey: verifyKey,
+      verifyId: verifyId,
+    }),
+    mailTransporter,
+  ]);
+
+  const info = await transporter.sendMail({
+    from: process.env.EMAIL_FROM,
+    to: email,
+    subject: 'Your SCCS Account',
+    html: emailText,
   });
 
-  await operation.save();
+  const msgUrl = nodemailer.getTestMessageUrl(info);
+  if (msgUrl) {
+    logger.debug(`View message at ${msgUrl}`);
+  }
 
-  sendTaskNotification(operation);
+  // logger.info(`Submitting CreateAccountReq ${JSON.stringify(req)}`);
+
+  // const operation = new TaskModel({
+  //   _id: uuidv4(),
+  //   operation: 'createAccount',
+  //   createdTimestamp: Date.now(),
+  //   data: req,
+  // });
 };
 
+export class InitCredentials {
+  @jf.string().required()
+  id: string;
+  @jf.string().required()
+  key: string;
+}
+
 export const doPasswordResetRequest = async (identifier: string) => {
   try {
     let account: any = null;
@@ -125,7 +148,7 @@ export const doPasswordResetRequest = async (identifier: string) => {
 
 /**
  */
-export class PasswordResetCredentials {
+export class ResetCredentials {
   @jf.string().required()
   id: string;
   @jf.string().required()
@@ -134,7 +157,7 @@ export class PasswordResetCredentials {
 
 /**
  */
-export class PasswordResetRequestParams extends PasswordResetCredentials {
+export class PasswordResetRequestParams extends ResetCredentials {
   // we'll properly validate it later
   @jf.string().required()
   password: string;
@@ -146,7 +169,7 @@ export class PasswordResetRequestParams extends PasswordResetCredentials {
  * @param {PasswordResetCredentials} creds The credentials to check
  */
 export const verifyPasswordReset = async (
-  creds: PasswordResetCredentials,
+  creds: ResetCredentials,
 ): Promise<PasswordResetRequest> => {
   const invalidProps = {
     friendlyMessage:
@@ -170,6 +193,29 @@ export const verifyPasswordReset = async (
   return resetRequest;
 };
 
+export const verifyEmail = async (creds: ResetCredentials): Promise<VerifyEmailRequest> => {
+  const invalidProps = {
+    friendlyMessage:
+      'This email verification link is invalid or expired. <a href="/account/create">Request a new one</a>.',
+  };
+
+  const verifyRequest = await VerifyEmailRequestModel.findById(creds.id);
+  if (!verifyRequest) {
+    throw new HttpException(400, {
+      ...invalidProps,
+      message: `Email verification ID ${creds.id} did not match any request`,
+    });
+  }
+
+  if (!(await argon2.verify(verifyRequest.key, creds.key as string))) {
+    throw new HttpException(400, {
+      ...invalidProps,
+      message: 'Email verification key did not match database',
+    });
+  }
+  return verifyRequest;
+};
+
 export const doPasswordReset = async (params: PasswordResetRequestParams) => {
   const resetRequest = await verifyPasswordReset(params);
 
@@ -268,6 +314,7 @@ export const isEmailAvailable = async (email: string): Promise<boolean> => {
   const [inDatabase, inPending] = await Promise.all([
     searchAsync(ldapClient, ldapEscape.filter`(swatmail=${email})`),
     TaskModel.exists({ 'data.email': email, status: 'pending' }),
+    VerifyEmailRequestModel.exists({ 'data.email': email }),
   ]);
 
   if (inDatabase || inPending) {

src/functions/createAccount.ts

@@ -11,6 +11,7 @@ import { generateEmail } from '../util/emailTemplates';
 import { addLdap, searchAsyncMultiple } from '../util/ldapUtils';
 import { logger } from '../util/logging';
 import { createPasswordResetRequest } from '../util/passwordReset';
+import { createVerifyAccountRequest } from '../util/accountVerify';
 
 export interface CreateAccountData {
   username: string;
@@ -96,4 +97,22 @@ export const createAccount = async (data: any) => {
   } else {
     throw new Error('CreateAccount data not properly formatted');
   }
+
+  const [verifyId, verifyKey] = await createVerifyAccountRequest(data.email, 24 * 7, true);
+  const [emailText, transporter] = await Promise.all([
+    generateEmail('verification.html', {
+      email: data.email,
+      domain: process.env.EXTERNAL_ADDRESS,
+      verifyKey: verifyKey,
+      verifyId: verifyId,
+    }),
+    mailTransporter,
+  ]);
+
+  const info = await transporter.sendMail({
+    from: process.env.EMAIL_FROM,
+    to: data.email,
+    subject: 'Verify your SCCS account',
+    html: emailText,
+  });
 };

src/integration/models.ts

@@ -84,6 +84,49 @@ export const PasswordResetRequestModel = mongoose.model<PasswordResetRequest>(
   passwordResetRequestSchema,
 );
 
+// new interface for email verification
+export interface VerifyEmailRequest {
+  // verification email links generate two keys: the ID, which is stored plain, and the key, which is
+  // hashed with argon2 before being stored.
+  // Both are provided to the user and they make a request;
+  // then we look up the request for the ID and compare hashed keys, basically exactly like a normal
+  // username/password login flow.
+  _id: string;
+  key: string;
+  email: string;
+  timestamp: Date;
+  suppressEmail?: boolean;
+}
+
+const verifyEmailRequestSchema = new mongoose.Schema<VerifyEmailRequest>({
+  _id: {
+    type: String,
+    required: true,
+  },
+  key: {
+    type: String,
+    required: true,
+  },
+  email: {
+    type: String,
+    required: true,
+    index: true,
+  },
+  timestamp: {
+    type: Date,
+    expires: 0,
+  },
+  suppressEmail: {
+    type: Boolean,
+    required: false,
+  },
+});
+
+export const VerifyEmailRequestModel = mongoose.model<VerifyEmailRequest>(
+  'VerifyEmail',
+  verifyEmailRequestSchema,
+);
+
 export interface MinecraftWhitelist {
   _id: string;
   mcUuid: string;