Merge pull request #485 from curveball/client-set-one-time-token

Allow client to set expiry time of one-time tokens

changelog.md

@@ -1,6 +1,12 @@
 Changelog
 =========
 
+0.25.1 (????-??-??)
+-------------------
+
+* Clients can now specify how long a one-time-token should be valid for.
+
+
 0.25.0 (2023-11-22)
 -------------------
 

schemas/one-time-token.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://curveballjs.org/schemas/a12nserver/one-time-token-generate.json",
+  "type": "object",
+  "description": "The request made to the one-time-token generate endpoint.",
+  "required": [],
+  "additionalProperties": false,
+
+  "properties": {
+    "expiresIn": {
+      "description": "Specify how long the token is valid for, in seconds.",
+      "type": "number"
+    }
+  }
+}

src/one-time-token/controller/generate.ts

@@ -5,16 +5,24 @@ import { createToken } from '../service';
 import * as hal from '../formats/hal';
 import { resolve } from 'url';
 
+type GenerateRequest = {
+  expiresIn?: number;
+}
+
 class OneTimeTokenController extends Controller {
 
   async post(ctx: Context<any>) {
 
+    ctx.request.validate<GenerateRequest>('https://curveballjs.org/schemas/a12nserver/one-time-token-generate.json');
     ctx.privileges.require('a12n:one-time-token:generate');
 
     const principalService = new PrincipalService(ctx.privileges);
     const user = await principalService.findByExternalId(ctx.params.id, 'user');
 
-    const token = await createToken(user);
+    const token = await createToken(
+      user,
+      ctx.request.body.expiresIn ?? null,
+    );
     const url = resolve(ctx.request.origin, 'reset-password/token/' + token.token);
 
     ctx.response.body = hal.oneTimeToken(user, url, token);

src/one-time-token/service.ts

@@ -13,16 +13,16 @@ const tokenTTL = 7200;
 /**
  * This function will create a unique token then store it in the database
  */
-export async function createToken(user: User): Promise<OneTimeToken> {
+export async function createToken(user: User, expiresIn: number | null): Promise<OneTimeToken> {
   const token = await generateSecretToken();
-  const query = 'INSERT INTO reset_password_token (user_id, token, expires_at, created_at) VALUES (?, ?, ?, ?)';
+  const expiresAt = Math.floor(Date.now() / 1000) + (expiresIn ?? tokenTTL);
 
-  await db.raw(query, [
-    user.id,
+  await db('reset_password_token').insert({
+    user_id: user.id,
     token,
-    Math.floor(Date.now() / 1000) + tokenTTL,
-    Math.floor(Date.now() / 1000),
-  ]);
+    expires_at: expiresAt,
+    created_at: Math.floor(Date.now() / 1000)
+  });
   return {
     token,
     expires: new Date(Date.now() + tokenTTL*1000),

src/reset-password/service.ts

@@ -17,7 +17,7 @@ export async function sendResetPasswordEmail(user: User) {
   const smtpUrl = requireSetting('smtp.url')!;
 
   const transporter = nodemailer.createTransport(smtpUrl);
-  const token = await createToken(user);
+  const token = await createToken(user, null);
   const emailTemplate = render('emails/reset-password-email', {
     name: user.nickname,
     url: process.env.PUBLIC_URI + 'reset-password/token/' + token.token,