23

I use Passport.js in Node.js to create a login system. Everything is ok, but I do not know how to reset user password when they forget their password or they want to change it.

User model in MongoDB

var UserSchema = new Schema({
    email: String,
    username: String,
    provider: String,
    hashed_password: String,
    salt: String,
});
Samuel Philipp
  • 10,631
  • 12
  • 36
  • 56
user3044147
  • 1,374
  • 5
  • 14
  • 23

5 Answers5

32

Didn't really like the idea of hitting my database to store tokens, especially when you want to be creating and verifying tokens for many actions.

Instead I decided to copy how Django does it:

  • convert timestamp_today to base36 as today
  • convert user.id to base36 as ident
  • create hash containing:
    • timestamp_today
    • user.id
    • user.last_login
    • user.password
    • user.email
  • salt the hash with a hidden secret
  • create a route like : /change-password/:ident/:today-:hash

We test the req.params.timestamp in order to simply test if it's valid for today, cheapest test first. fail first.

Then we find the user, fail if it doesn't exist.

Then we generate the hash again from above, but with the timestamp from req.params

The reset link becomes invalid if :

  • they remember their password and login (last_login changes)
  • they're actually still logged in and:
    • just change their password (password changes)
    • just change their email (email changes)
  • tomorrow arrives (timestamp changes too much)

This way:

  • you're not storing these ephemeral things in your database
  • when the purpose of the token is to change the state of a thing, and that things state changed, then the purpose of the token is no longer securely relevant.
airtonix
  • 4,772
  • 2
  • 38
  • 36
  • I like this idea, however, if you were to create a cipher (with a salt) of the hash, wouldn't you end up getting an extremely long route url given that the hash would be quite long? – Bryan Nov 26 '15 at 20:39
  • A long hash? It depends on what level of possible collisions you're comfortable with. In most cases, we don't support broken software that can't render long links, doing so just trains users to ignore security risks. – airtonix Mar 01 '16 at 22:14
  • 6
    I implemented this w/ node/express. It works well, thanks. The URLs end up being under 200 chars - not too long. The idea of just using 'today' I don't think will work given timezones/time of day, but it's not hard to implement a time window w/ moment.js: var timeStamp = base36.decode(req.body.timeHash); var then = moment(timeStamp); var now = moment().utc(); var timeSince = now.diff(then, 'hours'); – imjosh Jun 25 '16 at 04:52
18

I tried to use node-password-reset as Matt617 suggested but didn't really care for it. It's about the only thing that's coming up in searches currently.

So some hours digging around, I found it easier to implement this on my own. In the end it took me about a day to get all the routes, UI, emails and everything working. I still need to enhance security a bit (reset counters to prevent abuse, etc.) but got the basics working:

  1. Created two new routes, /forgot and /reset, which don't require the user to be logged in to access.
  2. A GET on /forgot displays a UI with one input for email.
  3. A POST on /forgot checks that there is a user with that address and generates a random token.
    • Update the user's record with the token and expiry date
    • Send an email with a link to /reset/{token}
  4. A GET on /reset/{token} checks that there is a user with that token which hasn't expired then shows the UI with new password entry.
  5. A POST on /reset (sends new pwd and token) checks that there is a user with that token which hasn't expired.
    • Update the user's password.
    • Set the user's token and expiry date to null

Here's my code for generating a token (taken from node-password-reset):

function generateToken() {
    var buf = new Buffer(16);
    for (var i = 0; i < buf.length; i++) {
        buf[i] = Math.floor(Math.random() * 256);
    }
    var id = buf.toString('base64');
    return id;
}

Hope this helps.

EDIT: Here's the app.js. Note I'm keeping the entire user object in the session. I plan on moving to couchbase or similar in the future.

var express = require('express');
var path = require('path');
var favicon = require('static-favicon');
var flash = require('connect-flash');
var morgan = require('morgan');
var cookieParser = require('cookie-parser');
var cookieSession = require('cookie-session');
var bodyParser = require('body-parser');
var http = require('http');
var https = require('https');
var fs = require('fs');
var path = require('path');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;

var app = express();
app.set('port', 3000);
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade');

var cookies = cookieSession({
    name: 'abc123',
    secret: 'mysecret',
    maxage: 10 * 60 * 1000
});
app.use(cookies);
app.use(favicon());
app.use(flash());
app.use(morgan());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded());
app.use(cookieParser());
app.use(passport.initialize());
app.use(passport.session());
app.use(express.static(path.join(__dirname, 'public')));

module.exports = app;

passport.use(new LocalStrategy(function (username, password, done) {
    return users.validateUser(username, password, done);
}));

//KEEP ENTIRE USER OBJECT IN THE SESSION
passport.serializeUser(function (user, done) {
    done(null, user);
});
passport.deserializeUser(function (user, done) {
    done(null, user);
});

//Error handling after everything else
app.use(logErrors); //log all errors
app.use(clientErrorHandler); //special handler for xhr
app.use(errorHandler); //basic handler

http.createServer(app).listen(app.get('port'), function () {
    console.log('Express server listening on HTTP port ' + app.get('port'));
});

EDIT: Here are the routes.

app.get('/forgot', function (req, res) {
    if (req.isAuthenticated()) {
        //user is alreay logged in
        return res.redirect('/');
    }

    //UI with one input for email
    res.render('forgot');
});

app.post('/forgot', function (req, res) {
    if (req.isAuthenticated()) {
        //user is alreay logged in
        return res.redirect('/');
    }
    users.forgot(req, res, function (err) {
        if (err) {
            req.flash('error', err);
        }
        else {
            req.flash('success', 'Please check your email for further instructions.');
        }
        res.redirect('/');
    });
});

app.get('/reset/:token', function (req, res) {
    if (req.isAuthenticated()) {
        //user is alreay logged in
        return res.redirect('/');
    }
    var token = req.params.token;
    users.checkReset(token, req, res, function (err, data) {
        if (err)
            req.flash('error', err);

        //show the UI with new password entry
        res.render('reset');
    });
});

app.post('/reset', function (req, res) {
    if (req.isAuthenticated()) {
        //user is alreay logged in
        return res.redirect('/');
    }
    users.reset(req, res, function (err) {
        if (err) {
            req.flash('error', err);
            return res.redirect('/reset');
        }
        else {
            req.flash('success', 'Password successfully reset.  Please login using new password.');
            return res.redirect('/login');
        }
    });
});
james
  • 618
  • 7
  • 9
4

Here the implementation of airtonix

const base64Encode = (data) => {
    let buff = new Buffer.from(data);
    return buff.toString('base64');
}

const base64Decode = (data) => {
    let buff = new Buffer.from(data, 'base64');
    return buff.toString('ascii');
}

const sha256 = (salt, password) => {
    var hash = crypto.createHash('sha512', password);
    hash.update(salt);
    var value = hash.digest('hex');
    return value;
}

   api.post('/password-reset', (req, res) => {

        try {
            const email = req.body.email;

            // Getting the user, only if active
            let query = AccountModel.where( {username: email, active: true} );
            query.select("_id salt username lastLoginDate");
            query.findOne((err, account) => {
                if(err) {
                    writeLog("ERROR", req.url + " - Error: -1 " + err.message);
                    res.status(500).send( { error: err.message, errnum: -1 } );
                    return;
                }
                if(!account){
                    writeLog("TRACE",req.url + " - Account not found!");
                    res.status(404).send( { error: "Account not found!", errnum: -2 } );
                    return;
                }

                // Generate the necessary data for the link
                const today = base64Encode(new Date().toISOString());
                const ident = base64Encode(account._id.toString());
                const data = {
                    today: today,
                    userId: account._id,
                    lastLogin: account.lastLoginDate.toISOString(),
                    password: account.salt,
                    email: account.username
                };
                const hash = sha256(JSON.stringify(data), process.env.TOKENSECRET);

                //HERE SEND AN EMAIL TO THE ACCOUNT

                return;
            });          

        } catch (err) {
            writeLog("ERROR",req.url + " - Unexpected error during the password reset process. " + err.message);
            res.status(500).send( { error: "Unexpected error during the password reset process :| " + err.message, errnum: -99 } );
            return;
        }
    });

    api.get('/password-change/:ident/:today-:hash', (req, res) => {

        try {

            // Check if the link in not out of date
            const today = base64Decode(req.params.today); 
            const then = moment(today); 
            const now = moment().utc(); 
            const timeSince = now.diff(then, 'hours');
            if(timeSince > 2) {
                writeLog("ERROR", req.url + " - The link is invalid. Err -1");
                res.status(500).send( { error: "The link is invalid.", errnum: -1 } );
                return;
            }

            const userId = base64Decode(req.params.ident);

            // Getting the user, only if active
            let query = AccountModel.where( {_id: userId, active: true} );
            query.select("_id salt username lastLoginDate");
            query.findOne((err, account) => {
                if(err) {
                    writeLog("ERROR", req.url + " - Error: -2 " + err.message);
                    res.status(500).send( { error: err.message, errnum: -2 } );
                    return;
                }
                if(!account){
                    writeLog("TRACE", req.url + " - Account not found! Err -3");
                    res.status(404).send( { error: "Account not found!", errnum: -3 } );
                    return;
                }

                // Hash again all the data to compare it with the link
                // THe link in invalid when:
                // 1. If the lastLoginDate is changed, user has already do a login 
                // 2. If the salt is changed, the user has already changed the password
                const data = {
                    today: req.params.today,
                    userId: account._id,
                    lastLogin: account.lastLoginDate.toISOString(),
                    password: account.salt,
                    email: account.username
                };
                const hash = sha256(JSON.stringify(data), process.env.TOKENSECRET);

                if(hash !== req.params.hash) {
                    writeLog("ERROR", req.url + " - The link is invalid. Err -4");
                    res.status(500).send( { error: "The link is invalid.", errnum: -4 } );
                    return;
                }

                //HERE REDIRECT TO THE CHANGE PASSWORD FORM

            });

        } catch (err) {
            writeLog("ERROR",req.url + " - Unexpected error during the password reset process. " + err.message);
            res.status(500).send( { error: "Unexpected error during the password reset process :| " + err.message, errnum: -99 } );
            return;
        }
    });

In my application I'm using passport-local with this Account model

import mongoose from 'mongoose';
import passportLocalMongoose from 'passport-local-mongoose';

const Schema = mongoose.Schema;

let accountSchema = new Schema ({
   active: { type: Boolean, default: false },
   activationDate: { type: Date },
   signupDate: { type: Date },
   lastLoginDate: { type: Date },
   lastLogoutDate: { type: Date },
   salt: {type: String},
   hash: {type: String}
});

accountSchema.plugin(passportLocalMongoose); // attach the passport-local-mongoose plugin

module.exports = mongoose.model('Account', accountSchema);
Oscar TJ
  • 524
  • 3
  • 16
1

create a random reset key in your DB, persist it with a timestamp. then create a new route that accepts the reset key. verify the timestamp before changing the password to the new password from the route.

never tried this but i ran across this some time ago which is similar to what you need: https://github.com/substack/node-password-reset

Matt617
  • 458
  • 2
  • 14
0

i am not a professional or expert but this worked for me ,well if you are sending password reset email u, while using passport authentication then use

// here User is my model enter code here`

User.findOne({ username: req.body.email }, (err, user) => {
  user.setPassword( req.body.password, function(err, users) => { 
    User.updateOne({ _id: users._id },{ hash: users.hash, salt: users.salt },
(err,result) => {
      if (err) {

      } else {

      }
    })
  }) 
})

now here use id to update if you email instead of id in updateOne() it wont work

Tyler2P
  • 2,324
  • 26
  • 22
  • 31
Avin
  • 26
  • 4