Fix login from iOS and probably other email clients; also include the key in the email body itself. According to https://security.stackexchange.com/questions/177643/is-emailing-sign-in-links-bad-practice, having any key in the email is not secure, so we are already unsafe either way; at least now users have a chance to copy the key and delete the email.
This commit is contained in:
parent
909b76f167
commit
140b68b2c8
|
@ -181,16 +181,7 @@ router.get(
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
router.get("/login", { public: true }, (_req, res) => {
|
const doLogin = async (submittedKey, res) => {
|
||||||
res.render("shared/login", { mode });
|
|
||||||
});
|
|
||||||
|
|
||||||
router.post("/login", { public: true }, async (req, res) => {
|
|
||||||
const submittedKey =
|
|
||||||
req.files && req.files.ssb_key
|
|
||||||
? req.files.ssb_key.data.toString()
|
|
||||||
: req.body.ssb_key || req.body.x_ssb_key; // x_ssb_key is because hotmail for some reason appends the x_
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const decodedKey = reconstructKeys(submittedKey);
|
const decodedKey = reconstructKeys(submittedKey);
|
||||||
res.cookie("ssb_key", JSON.stringify(decodedKey), cookieOptions);
|
res.cookie("ssb_key", JSON.stringify(decodedKey), cookieOptions);
|
||||||
|
@ -205,6 +196,24 @@ router.post("/login", { public: true }, async (req, res) => {
|
||||||
debug("Error on login", e);
|
debug("Error on login", e);
|
||||||
res.send("Invalid key");
|
res.send("Invalid key");
|
||||||
}
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
router.get("/login", { public: true }, async (req, res) => {
|
||||||
|
const login_key =
|
||||||
|
req.query.key && Buffer.from(req.query.key, "base64").toString("utf8");
|
||||||
|
|
||||||
|
if (login_key) {
|
||||||
|
await doLogin(JSON.parse(login_key), res);
|
||||||
|
} else {
|
||||||
|
res.render("shared/login", { mode });
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
router.post("/login", { public: true }, async (req, res) => {
|
||||||
|
const submittedKey =
|
||||||
|
req.files && req.files.ssb_key && req.files.ssb_key.data.toString();
|
||||||
|
|
||||||
|
await doLogin(submittedKey, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
router.get("/download", { public: true }, (_req, res) => {
|
router.get("/download", { public: true }, (_req, res) => {
|
||||||
|
@ -267,24 +276,38 @@ router.get("/keys", (req, res) => {
|
||||||
});
|
});
|
||||||
|
|
||||||
router.post("/keys/email", async (req, res) => {
|
router.post("/keys/email", async (req, res) => {
|
||||||
|
/* According to https://security.stackexchange.com/questions/177643/is-emailing-sign-in-links-bad-practice
|
||||||
|
* having any keys in the email is not secure, but the alternative to just ask users to copy their key on
|
||||||
|
* sign up will not work because users tend to press Next > Next > Next > Done without reading, and it will
|
||||||
|
* lead to loss of account access.
|
||||||
|
* Solution is to put an email field which they fill without thinking and send them the key by email, asking
|
||||||
|
* on the email body to copy the key and delete it later.
|
||||||
|
*/
|
||||||
const email = req.body.email;
|
const email = req.body.email;
|
||||||
const origin = req.body.origin;
|
const origin = req.body.origin;
|
||||||
|
const ssb_key = req.signedCookies["ssb_key"];
|
||||||
|
const login_key = Buffer.from(JSON.stringify(ssb_key)).toString("base64");
|
||||||
|
|
||||||
let html = await ejs.renderFile("views/shared/email_sign_in.ejs", {
|
if (process.env.NODE_ENV == "production") {
|
||||||
origin,
|
let html = await ejs.renderFile("views/shared/email_sign_in.ejs", {
|
||||||
ssb_key: req.signedCookies["ssb_key"],
|
origin,
|
||||||
});
|
ssb_key,
|
||||||
|
login_key,
|
||||||
|
});
|
||||||
|
|
||||||
sgMail.setApiKey(process.env.SENDGRID_API_KEY);
|
sgMail.setApiKey(process.env.SENDGRID_API_KEY);
|
||||||
const msg = {
|
const msg = {
|
||||||
to: email,
|
to: email,
|
||||||
from: "Feedless <rgrchvs@gmail.com>",
|
from: "Feedless <rgrchvs@gmail.com>",
|
||||||
subject: `Login button for ${req.context.profile.name}`,
|
subject: `Login button for ${req.context.profile.name}`,
|
||||||
html,
|
html,
|
||||||
};
|
};
|
||||||
await sgMail.send(msg);
|
await sgMail.send(msg);
|
||||||
|
|
||||||
res.redirect("/");
|
res.redirect("/");
|
||||||
|
} else {
|
||||||
|
res.render("shared/email_sign_in", { origin, ssb_key, login_key });
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
router.get("/keys/copy", (req, res) => {
|
router.get("/keys/copy", (req, res) => {
|
||||||
|
|
|
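Review bot: `JSON.parse(login_key)` on the `await doLogin(JSON.parse(login_key), res);` line of the new GET /login handler runs outside the try/catch that lives inside `doLogin`, so a truncated, tampered or non-base64 `key` parameter (or a repeated `?key=` that qs turns into an array) throws in the async handler and, unless the custom router wrapper catches async errors, escapes as an unhandled rejection instead of the `Invalid key` response the POST path gives. The larger concern is that this link carries the account's long-term key in a GET URL, where it lands in reverse-proxy and access logs, browser history and any mail-scanning proxy that prefetches links; if the code after `res.cookie(...)` (outside the hunk) renders instead of redirecting, it also leaks via the Referer header of whatever the landing page loads. At minimum the decode and parse should be guarded and non-string input rejected, as below; the redirect-after-login and a `Referrer-Policy: no-referrer` header on this response are worth a follow-up. `doLogin`'s body between `res.cookie(...)` and `debug("Error on login", e)` is outside the hunks.
```javascript
router.get("/login", { public: true }, async (req, res) => {
  const encodedKey = req.query.key;
  if (!encodedKey || typeof encodedKey !== "string") {
    return res.render("shared/login", { mode });
  }
  let loginKey;
  try {
    // Same error path as doLogin so a bad link never escapes the handler.
    loginKey = JSON.parse(Buffer.from(encodedKey, "base64").toString("utf8"));
  } catch (e) {
    debug("Error on login", e);
    return res.send("Invalid key");
  }
  await doLogin(loginKey, res);
});
```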
@ -1,12 +1,13 @@
|
||||||
<div style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; -webkit-font-smoothing: antialiased; line-height: 1.3em; font-size: 16px; padding: 30px 0">
|
<div style="font-family: Helvetica, Arial, sans-serif; line-height: 1.3em; font-size: 16px; padding: 30px 0; max-width: 600px; margin: 0 auto;">
|
||||||
<h1 style="font-weight: bold; line-height: 1.3em; margin: 0; padding: 10px 0 0 0; font-weight: 200;">Login button</h1>
|
<h1 style="font-family: 'Lucida Grande', sans-serif; font-weight: bold; line-height: 1.3em; margin: 0; padding: 10px 0 0 0; font-weight: 200;">Login button</h1>
|
||||||
<p>Welcome to Feedless, please use the button below to login to your account:</p>
|
<p>Welcome to Feedless, please use the button below to login to your account:</p>
|
||||||
<form action="<%= origin %>/login" method="POST" style="padding: 20px 0">
|
<a href="<%= origin %>/login?key=<%= login_key %>" style="background: #7fe7e7; color: #044; border-radius: 3px; margin-bottom: 10px; border: 1px solid #5f5f5f; cursor: pointer; text-decoration: none; display: inline-block; padding: 16px 20px; font-size: 18px; -webkit-appearance: none;">
|
||||||
<input type="hidden" name="ssb_key" value="<%= ssb_key %>" />
|
Login to Feedless
|
||||||
<input type="submit" value="Login to Feedless" style="background: #08d; color: #fff; border-radius: 3px; padding: 8px 10px; border: none; cursor: pointer; text-decoration: none; display: inline-block; padding: 16px 20px; font-size: 18px; -webkit-appearance: none;">
|
</a>
|
||||||
</form>
|
<p>Alternatively, you can copy the key to somewhere safe and delete this email:</p>
|
||||||
|
<pre style="word-wrap: break-word; white-space: pre-wrap; background: #f5f5f5; border: 1px solid #ccc; border-radius: 3px; padding: 10px;"><%= ssb_key %></pre>
|
||||||
<p>
|
<p>
|
||||||
Never delete or forward this email, it is they key to accessing your account
|
Never share those keys and never forward this email
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
From your friends at Feedless 😉
|
From your friends at Feedless 😉
|
||||||
|
|
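Review bot: The `href="<%= origin %>/login?key=<%= login_key %>"` line drops raw base64 into a query string, but the base64 alphabet includes `+`, `/` and `=`, and Express's default query parser decodes `+` as a space, which Node's base64 decoder then silently skips, so any key whose encoding contains a `+` most likely yields a link that fails on the server (at best with `Invalid key`). Encode the value for the URL, `href="<%= origin %>/login?key=<%= encodeURIComponent(login_key) %>"`, or have the route produce a URL-safe encoding before rendering. Note also that the button is now a plain GET link, so mail clients and security gateways that prefetch links will receive the full key before the user clicks; the old POST form did not have that property. A wording nit on the warning paragraph: `Never share those keys` reads better as `Never share this key`.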