bitkompagniet · slytter · Jul 3, 2017 · Aug 1, 2017
diff --git a/api/controllers/confirmRecovery.js b/api/controllers/confirmRecovery.js
@@ -0,0 +1,12 @@
+module.exports = function(store) {
+	return async function(req, res, next) {
+		const { email, password } = req.body;
+		const recoveryToken = req.params.token;
+		try {
+			await store.changePasswordWithRecovery(email, recoveryToken, password);
+			return res.success();
+		} catch (e) {
+			return next(e);
+		}
+	};
+};
diff --git a/api/controllers/recovery.js b/api/controllers/recovery.js
@@ -3,7 +3,14 @@ const _ = require('lodash');
 const mail = require('../../lib/mail');
 
 module.exports = function(store, config) {
-	return function(req, res) {
-		res.params
+	return async function(req, res) {
+		try {
+			const recoveryToken = await store.requestRecoveryToken(req.params.email);
+			const user = await store.getByEmail(req.params.email);
+			mail.recover(config.smtp, recoveryToken, config.appName, config.passwordRecoveryUrl, config.logoLink, user);
+			res.success();
+		} catch (e) {
+			res.failure(e);
+		}
 	};
 };
diff --git a/api/routes/index.js b/api/routes/index.js
@@ -15,6 +15,8 @@ const removeRole = require('../controllers/remove-role');
 const addRole = require('../controllers/add-role');
 const modifyUserData = require('../controllers/modify-user-data');
 const changePassword = require('../controllers/change-password');
+const recovery = require('../controllers/recovery');
+const confirmRecovery = require('../controllers/confirmRecovery');
 
 module.exports = function createRouter(store, config) {
 	const router = express.Router();
@@ -31,6 +33,10 @@ module.exports = function createRouter(store, config) {
 	router.post('/login', login(store));
 
 	// Password recovery
+	router.get('/recovery/:email', recovery(store, config));
+	router.post('/recovery/:token', confirmRecovery(store));
+
+
 	router.get('/verify/:token', verify());
 
 	// User data

diff --git a/get-config.js b/get-config.js
@@ -19,6 +19,7 @@ module.exports = function(source) {
 		appUrl: optional('appUrl', source, 'http://localhost:3000/'),
 		redirectConfirmUrl: optional('redirectConfirmUrl', source, 'http://localhost:3000/redirect'),
 		port: optional('port', 3000),
+		passwordRecoveryUrl: optional('passwordRecoveryUrl', source, 'http://localhost:3000/passwordrecovery'),
 	};
 
 	return config;

diff --git a/lib/mail/index.js b/lib/mail/index.js
@@ -1,11 +1,11 @@
 const sendEmail = require('./sendEmail');
 
 module.exports = {
-	recover: (smtp, resetPasswordToken, appName, appUrl, logoLink, user) => {
+	recover: (smtp, resetPasswordToken, appName, passwordRecoveryUrl, logoLink, user) => {
 		const templatePath = '/email_templates/recoverpass.hbs';
 
 		const emailData = {
-			resetPasswordLink: appUrl + resetPasswordToken,
+			resetPasswordLink: `${passwordRecoveryUrl}/${resetPasswordToken}`,
 			appName,
 			logoLink,
 			user,

diff --git a/store/createModels/index.js b/store/createModels/index.js
@@ -21,6 +21,7 @@ const deleteUser = require('../query/delete');
 const configureDefaultRoles = require('../query/configure-default-roles');
 const modifyUserData = require('../query/modify-user-data');
 const changePassword = require('../query/change-password');
+const changePasswordWithRecovery = require('../query/changePasswordWithRecovery');
 
 
 const Schema = mongoose.Schema;
@@ -83,6 +84,7 @@ module.exports = function (db) {
 	userSchema.statics.configureDefaultRoles = configureDefaultRoles;
 	userSchema.statics.modifyUserData = modifyUserData;
 	userSchema.statics.changePassword = changePassword;
+	userSchema.statics.changePasswordWithRecovery = changePasswordWithRecovery;
 
 	return {
 		users: db.model('User', userSchema),

diff --git a/store/index.js b/store/index.js
@@ -34,6 +34,7 @@ module.exports = function (uri) {
 	store.configureDefaultRoles = id => models.users.configureDefaultRoles(id);
 	store.modifyUserData = (id, data) => models.users.modifyUserData(id, data);
 	store.changePassword = (id, password, repeated, newPassword) => models.users.changePassword(id, password, repeated, newPassword);
+	store.changePasswordWithRecovery = (email, recoveryToken, newPassword) => models.users.changePasswordWithRecovery(email, recoveryToken, newPassword);
 	store.initialized = initialize(store);
 
 	return store;

diff --git a/store/query/changePasswordWithRecovery.js b/store/query/changePasswordWithRecovery.js
@@ -0,0 +1,18 @@
+const passwordHash = require('../util/passwordHash');
+
+module.exports = async function(email, recoveryToken, newPassword) {
+	const user = await this.getByEmail(email);
+	const rawUser = await this.findById(user.id);
+	if (rawUser.resetPasswordToken && recoveryToken == rawUser.resetPasswordToken) {
+		try {
+			rawUser.password = newPassword;
+			rawUser.resetPasswordToken = null;
+			await rawUser.validateSync();
+			await rawUser.save();
+		} catch (e) {
+			throw new Error(e);
+		}
+	} else {
+		throw new Error('Recovery token was wrong or expired.');
+	}
+};