From 658d7753300dd2c1c32718dddda8d2face4b085a Mon Sep 17 00:00:00 2001 From: Thiago Borges Abdnur Date: Fri, 18 May 2018 14:27:12 -0300 Subject: [PATCH] Add suport for resending verification email - Tighten security overriding unused methods - Disable rendering of unused routes - Add option to disable unsecure method configureLoginService (https://github.com/meteor/meteor/issues/7745) - Fix .eslintrc json syntax - Update docs with new features - Still missing tests --- .eslintrc | 16 ++-- README.md | 13 ++- lib/AccountsReact.js | 95 +++++++++++++++---- lib/AccountsReactComponent/forgotPwd.js | 2 +- lib/AccountsReactComponent/index.js | 10 +- .../methods/ARResendVerificationEmail.js | 42 ++++++++ lib/AccountsReactComponent/methods/index.js | 6 ++ .../resendVerification.js | 86 +++++++++++++++++ lib/AccountsReactComponent/signIn.js | 27 ++++-- lib/AccountsReactComponent/signUp.js | 28 ++++-- package.js | 3 +- 11 files changed, 278 insertions(+), 50 deletions(-) create mode 100644 lib/AccountsReactComponent/methods/ARResendVerificationEmail.js create mode 100644 lib/AccountsReactComponent/resendVerification.js diff --git a/.eslintrc b/.eslintrc index 7751b12..3f9efd0 100644 --- a/.eslintrc +++ b/.eslintrc @@ -9,17 +9,15 @@ "experimentalObjectRestSpread": true } }, - "plugins": [ - "react" - ], + "plugins": ["react"], "extends": ["eslint:recommended", "plugin:react/recommended"], - globals: { - 'Meteor': true, - 'document': true, - 'describe': true, - 'it': true + "globals": { + "Meteor": true, + "document": true, + "describe": true, + "it": true }, - rules: { + "rules": { "react/prop-types": 0 } } diff --git a/README.md b/README.md index c1028b0..d323081 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,7 @@ class Authentication extends Component { + ) } @@ -149,6 +150,7 @@ Currently available states are: | resetPwd | Set a new password (After reset, a "token" prop must be passed to AccountsReactComponent) | signIn | Login form | signUp | Registration form +| resendVerification | Resend email with verification link @@ -175,12 +177,14 @@ The following is a list with details about each configurable option. | lowercaseUsername | Boolean | false | Transform username field to lowercase upon registration | loginAfterSignup | Boolean | true | Login automatically after sign up | overrideLoginErrors | Boolean | true | Show general error on failed login (without specifying which field was wrong) -| sendVerificationEmail | Boolean | false | Send email verification after successful registration +| sendVerificationEmail | Boolean | true | Send email verification after successful registration | setDenyRules | Boolean | true | Apply default deny rules on Meteor.users collection +| disableConfigureLoginService | Boolean | true | Disable `configureLoginService()` insecure method | **Appearance** | | | | hideSignInLink | Boolean | false | When set to true, asks to never show the link to the sign in page | hideSignUpLink | Boolean | false | When set to true, asks to never show the link to the sign up page | showForgotPasswordLink | Boolean | false | Specifies whether to display a link to the forgot password page/form +| showResendVerificationLink | Boolean | false | Specifies whether to display a link to the resend verification page/form | showLabels | Boolean | true | Specifies whether to display text labels above input elements | showPlaceholders | Boolean | true | Specifies whether to display place-holder text inside input elements | **Client side validation** | | | @@ -351,7 +355,8 @@ The default object used is the following signUp: '/sign-up', forgotPwd: '/forgot-password', changePwd: '/change-password', - resetPwd: '/reset-password' + resetPwd: '/reset-password', + resendVerification: '/resend-verification' } ``` @@ -391,6 +396,7 @@ The supported properties are listed in the following table. | placeholder | String | | The field's (input) placeholder text. The place-holder is shown only if showPlaceholders option is set to true | re | RegExp | | Specify a regular expression to validate against. (example below) | required | Boolean | | If set to true the corresponding field cannot be left blank +| autocomplete | String | | `` autocomplete tag value **The original user accounts package supports several more properties. Pull requests are more then welcome!** @@ -463,7 +469,8 @@ AccountsReact.addFields('signUp', [ minLength: 4, maxLength: 70, required: true, - errStr: 'This field must contain at least 4 characters and no more than 70' + errStr: 'This field must contain at least 4 characters and no more than 70', + autocomplete: 'name' } ]) ``` diff --git a/lib/AccountsReact.js b/lib/AccountsReact.js index 449134d..c966016 100644 --- a/lib/AccountsReact.js +++ b/lib/AccountsReact.js @@ -2,6 +2,7 @@ import { Meteor } from 'meteor/meteor' import { Accounts } from 'meteor/accounts-base' import regExp from './utils/regExp' import merge from './utils/deepmerge' +import './AccountsReactComponent/methods' class AccountsReact_ { constructor () { @@ -15,7 +16,7 @@ class AccountsReact_ { confirmPassword: true, defaultState: 'signIn', disableForgotPassword: false, - enablePasswordChange: false, + enablePasswordChange: true, focusFirstInput: !Meteor.isCordova, forbidClientAccountCreation: false, lowercaseUsername: false, @@ -24,6 +25,7 @@ class AccountsReact_ { passwordSignupFields: 'EMAIL_ONLY', sendVerificationEmail: true, setDenyRules: true, + disableConfigureLoginService: true, /* ----------------------------- Appearance @@ -32,6 +34,7 @@ class AccountsReact_ { hideSignInLink: false, hideSignUpLink: false, showForgotPasswordLink: false, + showResendVerificationLink: false, showLabels: true, showPlaceholders: true, @@ -63,11 +66,12 @@ class AccountsReact_ { ----------------------------- */ mapStateToRoute: { - signIn: '/sign-in', - signUp: '/sign-up', - forgotPwd: '/forgot-password', - changePwd: '/change-password', - resetPwd: '/reset-password' + signIn: '/sign-in', + signUp: '/sign-up', + forgotPwd: '/forgot-password', + changePwd: '/change-password', + resetPwd: '/reset-password', + resendVerification: '/resend-verification' }, @@ -95,7 +99,8 @@ class AccountsReact_ { _id: 'password', displayName: 'Password', type: 'password', - placeholder: 'Enter your password' + placeholder: 'Enter your password', + autocomplete: 'current-password' } ], @@ -125,7 +130,8 @@ class AccountsReact_ { placeholder: 'Enter your password', minLength: 6, maxLength: 32, - errStr: 'Please enter a strong password between 6 and 32 characters' + errStr: 'Please enter a strong password between 6 and 32 characters', + autocomplete: 'new-password' }, { _id: 'confirmPassword', @@ -134,6 +140,7 @@ class AccountsReact_ { placeholder: 'Re-enter your password', errStr: 'Password doesn\'t match', exclude: true, + autocomplete: 'new-password', func: (fields, fieldObj, value, model, errorsArray) => { if (!this.config.confirmPassword) { return true @@ -174,7 +181,8 @@ class AccountsReact_ { _id: 'currentPassword', displayName: 'Current password', type: 'password', - placeholder: 'Enter your current password' + placeholder: 'Enter your current password', + autocomplete: 'current-password' }, { _id: 'password', @@ -183,7 +191,8 @@ class AccountsReact_ { placeholder: 'Enter a new password', minLength: 6, maxLength: 32, - errStr: 'Please enter a strong password between 6 and 32 characters' + errStr: 'Please enter a strong password between 6 and 32 characters', + autocomplete: 'new-password' } ], @@ -194,7 +203,20 @@ class AccountsReact_ { _id: 'password', displayName: 'New password', type: 'password', - placeholder: 'Enter a new password' + placeholder: 'Enter a new password', + autocomplete: 'new-password' + } + ], + + /* Resend email verification */ + + resendVerification: [ + { + _id: 'email', + displayName: 'Email', + placeholder: 'Enter your email', + re: regExp.Email, + errStr: 'Please enter a valid email' } ] }, @@ -209,14 +231,16 @@ class AccountsReact_ { forgotPwd: 'Send Reset Link', resetPwd: 'Save New Password', signIn: 'Login', - signUp: 'Register' + signUp: 'Register', + resendVerification: 'Send Verification Link' }, title: { changePwd: 'Change Password', forgotPwd: 'Forgot Password', resetPwd: 'Reset Password', signIn: 'Login', - signUp: 'Create Your Account' + signUp: 'Create Your Account', + resendVerification: 'Resend Verification Link' }, links: { toChangePwd: 'Change your password', @@ -224,7 +248,7 @@ class AccountsReact_ { toForgotPwd: 'Forgot your password?', toSignIn: 'Already have an account? Sign in!', toSignUp: 'Don\'t have an account? Register', - toResendVerification: 'Resend email verification' + toResendVerification: 'Verification email lost? Resend' }, info: { emailSent: 'An email has been sent to your inbox', @@ -237,7 +261,9 @@ class AccountsReact_ { }, errors: { loginForbidden: 'There was a problem with your login', - captchaVerification: 'There was a problem with the recaptcha verification, please try again' + captchaVerification: 'There was a problem with the recaptcha verification, please try again', + userNotFound: 'User not found', + userAlreadyVerified: 'User already verified!' }, forgotPwdSubmitSuccess: 'A password reset link has been sent to your email!', loginForbiddenMessage: 'There was a problem with your login' @@ -268,7 +294,7 @@ class AccountsReact_ { this.loadReCaptcha() this.setAccountCreationPolicy() this.overrideLoginErrors() - this.disableForgotPassword() + this.disableMethods() this.setDenyRules() this._init = true @@ -378,10 +404,39 @@ class AccountsReact_ { } } - disableForgotPassword () { - if (this.config.disableForgotPassword && Meteor.isServer) { - Meteor.server.method_handlers.forgotPassword = () => { // Override forgotPassword method directly. - throw new Meteor.Error('Forgot password is disabled') + disableMethods () { + if (Meteor.isServer) { + // Override methods directly. + if (this.config.disableForgotPassword) { + Meteor.server.method_handlers.forgotPassword = () => { + throw new Meteor.Error('forgotPassword is disabled') + } + + Meteor.server.method_handlers.resetPassword = () => { + throw new Meteor.Error('resetPassword is disabled') + } + } + + if (!this.config.enablePasswordChange) { + Meteor.server.method_handlers.changePassword = () => { + throw new Meteor.Error('changePassword is disabled') + } + } + + if (!this.config.sendVerificationEmail) { + Meteor.server.method_handlers.verifyEmail = () => { + throw new Meteor.Error('verifyEmail is disabled') + } + + Accounts.sendVerificationEmail = () => { + throw new Meteor.Error('disabled', 'sendVerificationEmail is disabled') + } + } + + if (this.config.disableConfigureLoginService) { + Meteor.server.method_handlers.configureLoginService = () => { + throw new Meteor.Error('configureLoginService is disabled') + } } } } diff --git a/lib/AccountsReactComponent/forgotPwd.js b/lib/AccountsReactComponent/forgotPwd.js index ba35b33..15aaa81 100644 --- a/lib/AccountsReactComponent/forgotPwd.js +++ b/lib/AccountsReactComponent/forgotPwd.js @@ -46,7 +46,7 @@ class ForgotPassword extends Component { errors={errors} /> - {emailSent &&

{texts.info.emailSent}

} + {emailSent &&

{texts.forgotPwdSubmitSuccess}

} {!hideSignInLink && (
diff --git a/lib/AccountsReactComponent/index.js b/lib/AccountsReactComponent/index.js index 036cb07..720f472 100644 --- a/lib/AccountsReactComponent/index.js +++ b/lib/AccountsReactComponent/index.js @@ -5,6 +5,7 @@ import SignUp from './signUp' import ForgotPwd from './forgotPwd' import ChangePwd from './changePwd' import ResetPwd from './resetPwd' +import ResendVerification from './resendVerification' import AccountsReact from '../AccountsReact' import merge from '../utils/deepmerge' @@ -16,7 +17,7 @@ class AccountsReactComponent extends React.Component { render () { ensureComponentsExist() - + // State priority -> 1.internal 2. provided by route/state prop (from parent component) 3. default state from config let state = this.state.internalState || this.props.state if (!state) { @@ -37,6 +38,7 @@ class AccountsReactComponent extends React.Component { case 'forgotPwd': form = ForgotPwd; break; case 'changePwd': form = ChangePwd; break; case 'resetPwd': form = ResetPwd; break; + case 'resendVerification': form = ResendVerification; break; default: return null } @@ -45,7 +47,11 @@ class AccountsReactComponent extends React.Component { this.props.config ]) - if (!defaults.enablePasswordChange && state === 'changePwd') { + if ((defaults.forbidClientAccountCreation && state === 'signUp') || + (defaults.disableForgotPassword && (state === 'forgotPwd' || state === 'resetPwd')) || + (!defaults.enablePasswordChange && state === 'changePwd') || + (!defaults.sendVerificationEmail && state === 'resendVerification')) + { return null } diff --git a/lib/AccountsReactComponent/methods/ARResendVerificationEmail.js b/lib/AccountsReactComponent/methods/ARResendVerificationEmail.js new file mode 100644 index 0000000..86f01bf --- /dev/null +++ b/lib/AccountsReactComponent/methods/ARResendVerificationEmail.js @@ -0,0 +1,42 @@ +import { Accounts } from 'meteor/accounts-base' +import { ValidatedMethod } from 'meteor/mdg:validated-method' +import { check } from 'meteor/check' +import AccountsReact from '../../AccountsReact' + +// Based on https://github.com/meteor-useraccounts/core/blob/2e8986813b51f321f908d2f6211f6f81f76cd627/lib/server_methods.js#L124 +const ARResendVerificationEmail = new ValidatedMethod({ + name: 'ARResendVerificationEmail', + validate: ({ email }) => { + /* This validation runs on both client and server */ + + if (Meteor.userId()) { + throw new Meteor.Error('Error', 'Already logged in') + } + + check(email, String); + }, + run ({ email }) { + if (Meteor.isServer) { + var user = Meteor.users.findOne({ "emails.address": email }); + + // Send the standard error back to the client if no user exist with this e-mail + if (!user) { + throw new Meteor.Error('UserNotFound', AccountsReact.config.texts.errors.userNotFound); + } + + try { + Accounts.sendVerificationEmail(user._id); + } catch (error) { + if (error.error === 'disabled') { + throw error; + } else { + // Handle error when email already verified + // https://github.com/dwinston/send-verification-email-bug + throw new Meteor.Error('UserAlreadyVerified', AccountsReact.config.texts.errors.userAlreadyVerified); + } + } + } + } +}) + +export default ARResendVerificationEmail diff --git a/lib/AccountsReactComponent/methods/index.js b/lib/AccountsReactComponent/methods/index.js index 77c778f..e5fa84b 100644 --- a/lib/AccountsReactComponent/methods/index.js +++ b/lib/AccountsReactComponent/methods/index.js @@ -1,6 +1,7 @@ /* globals Meteor: true */ import { Accounts } from 'meteor/accounts-base' import ARCreateAccount from './ARCreateAccount' +import ARResendVerificationEmail from './ARResendVerificationEmail' import AccountsReact from '../../AccountsReact' // Create user export const createUser = (newUser, callback) => { @@ -28,3 +29,8 @@ export const changePassword = (oldPassword, newPassword, callback) => { export const resetPassword = (token, newPassword, callback) => { Accounts.resetPassword(token, newPassword, callback) } + +// Resend verification link +export const resendVerification = (email, callback) => { + ARResendVerificationEmail.call({ email }, callback) +} diff --git a/lib/AccountsReactComponent/resendVerification.js b/lib/AccountsReactComponent/resendVerification.js new file mode 100644 index 0000000..39ef29e --- /dev/null +++ b/lib/AccountsReactComponent/resendVerification.js @@ -0,0 +1,86 @@ +import React, { Component, Fragment } from 'react' +import BaseForm from './baseForm' +import { validateForm } from '../utils/' +import { getModel, redirect } from './commonUtils' +import { resendVerification } from './methods' + +class ResendVerification extends Component { + constructor () { + super() + this.state = { + emailSent: false, + errors: [] + } + + this.getModel = getModel.bind(this) + this.redirect = redirect.bind(this) + } + + render () { + const { + currentState, + defaults + } = this.props + + const { + texts, + hideSignInLink + } = defaults + + const { + errors, + emailSent + } = this.state + + const model = this.getModel() + + return ( + + + + + {emailSent &&

{texts.info.emailSent}

} + + {!hideSignInLink && ( +
+ {texts.links.toSignIn} + + )} + + ) + } + + onSubmit = () => { + // Validate form + if (!validateForm(this.getModel(), this)) return + + this.sendVerificationLink() + } + + sendVerificationLink = () => { + // Send the verification link to the desired email + + resendVerification(this.state.email, err => { + if (err) { + this.setState({ errors: [{ _id: '__globals', errStr: err.reason }], emailSent: false }) + } else { + this.setState({ errors: [], emailSent: true }) + } + + this.props.defaults.onSubmitHook(err, this.props.currentState) + }) + } + + redirectToSignIn = () => { + this.redirect('signIn', this.props.defaults.redirects.toSignIn) + } +} + +export default ResendVerification diff --git a/lib/AccountsReactComponent/signIn.js b/lib/AccountsReactComponent/signIn.js index b25bdab..6bd2663 100644 --- a/lib/AccountsReactComponent/signIn.js +++ b/lib/AccountsReactComponent/signIn.js @@ -25,7 +25,11 @@ class SignIn extends Component { const { texts, hideSignUpLink, - showForgotPasswordLink + showForgotPasswordLink, + showResendVerificationLink, + sendVerificationEmail, + forbidClientAccountCreation, + disableForgotPassword } = defaults const model = this.getModel() @@ -41,20 +45,27 @@ class SignIn extends Component { errors={this.state.errors} /> - + {!forbidClientAccountCreation && ( + + )} - {!hideSignUpLink && ( + {!forbidClientAccountCreation && !hideSignUpLink && ( {texts.links.toSignUp} )} - {showForgotPasswordLink && ( + {!disableForgotPassword && showForgotPasswordLink && ( {texts.links.toForgotPwd} )} + {sendVerificationEmail && showResendVerificationLink && ( + + {texts.links.toResendVerification} + + )} ) } @@ -88,6 +99,10 @@ class SignIn extends Component { redirectToForgotPwd = () => { this.redirect('forgotPwd', this.props.defaults.redirects.toForgotPwd) } + + redirectToResendVerification = () => { + this.redirect('resendVerification', this.props.defaults.redirects.toResendVerification) + } } const linkStyle = { diff --git a/lib/AccountsReactComponent/signUp.js b/lib/AccountsReactComponent/signUp.js index 4cc687e..a84aef9 100644 --- a/lib/AccountsReactComponent/signUp.js +++ b/lib/AccountsReactComponent/signUp.js @@ -10,7 +10,8 @@ class SignUp extends Component { constructor () { super() this.state = { - errors: [] + errors: [], + signUpSuccessful: false } this.getModel = getModel.bind(this) @@ -26,9 +27,14 @@ class SignUp extends Component { const { texts, hideSignInLink, - showReCaptcha + showReCaptcha, + sendVerificationEmail } = defaults + const { + signUpSuccessful + } = this.state + return ( + {signUpSuccessful && sendVerificationEmail &&

{texts.info.signUpVerifyEmail}

} + {!hideSignInLink && ( {texts.links.toSignIn} @@ -93,13 +101,17 @@ class SignUp extends Component { } else { this.setState({ errors: [{ _id: '__globals', errStr: err.reason }] }) } - } else if (loginAfterSignup) { - const { password } = this.getModel() - const { username, email } = newUser + } else { + this.setState({ signUpSuccessful: true }) + + if (loginAfterSignup) { + const { password } = this.getModel() + const { username, email } = newUser - login(username, email, password, err => { - if (err) { return } // ? - }) + login(username, email, password, err => { + if (err) { return } // ? + }) + } } onSubmitHook(err, this.props.currentState) diff --git a/package.js b/package.js index e2a8b30..38ec98e 100644 --- a/package.js +++ b/package.js @@ -13,7 +13,8 @@ Package.onUse(api => { 'ecmascript', 'accounts-base', 'accounts-password', - 'mdg:validated-method@1.1.0' + 'mdg:validated-method@1.1.0', + 'check' ], ['client', 'server']) api.use('react-meteor-data@0.2.16', 'client')