npm - @stamhoofd/backend - Versions diffs - 2.30.4 → 2.30.5 - Mend

@stamhoofd/backend 2.30.4 → 2.30.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +10 -10
package/src/endpoints/auth/ForgotPasswordEndpoint.ts +2 -0
package/src/endpoints/auth/SignupEndpoint.ts +33 -25
package/src/endpoints/global/registration/PatchUserMembersEndpoint.ts +2 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.30.4",
+    "version": "2.30.5",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -36,14 +36,14 @@
         "@simonbackx/simple-encoding": "2.15.1",
         "@simonbackx/simple-endpoints": "1.14.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.30.4",
-        "@stamhoofd/backend-middleware": "2.30.4",
-        "@stamhoofd/email": "2.30.4",
-        "@stamhoofd/models": "2.30.4",
-        "@stamhoofd/queues": "2.30.4",
-        "@stamhoofd/sql": "2.30.4",
-        "@stamhoofd/structures": "2.30.4",
-        "@stamhoofd/utility": "2.30.4",
+        "@stamhoofd/backend-i18n": "2.30.5",
+        "@stamhoofd/backend-middleware": "2.30.5",
+        "@stamhoofd/email": "2.30.5",
+        "@stamhoofd/models": "2.30.5",
+        "@stamhoofd/queues": "2.30.5",
+        "@stamhoofd/sql": "2.30.5",
+        "@stamhoofd/structures": "2.30.5",
+        "@stamhoofd/utility": "2.30.5",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -60,5 +60,5 @@
         "postmark": "4.0.2",
         "stripe": "^16.6.0"
     },
-    "gitHead": "5ac1ec0063d7697924cbae6dbbfe270949ab0dcd"
+    "gitHead": "3ebcff6728ea5d54e9c65509a14ddb10cd52a4f2"
 }

package/src/endpoints/auth/ForgotPasswordEndpoint.ts CHANGED Viewed

@@ -54,6 +54,8 @@ export class ForgotPasswordEndpoint extends Endpoint<Params, Query, Body, Respon
         await sendEmailTemplate(organization, {
             recipients: [
                 Recipient.create({
+                    firstName: user.firstName,
+                    lastName: user.lastName,
                     email: request.body.email,
                     replacements: [
                         Replacement.create({

package/src/endpoints/auth/SignupEndpoint.ts CHANGED Viewed

@@ -1,9 +1,8 @@
 import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Email } from '@stamhoofd/email';
-import { EmailVerificationCode, PasswordToken, User } from '@stamhoofd/models';
-import { NewUser, SignupResponse } from "@stamhoofd/structures";
+import { EmailVerificationCode, PasswordToken, sendEmailTemplate, User } from '@stamhoofd/models';
+import { EmailTemplateType, NewUser, Recipient, Replacement, SignupResponse } from "@stamhoofd/structures";
 import { Context } from '../../helpers/Context';
@@ -57,28 +56,37 @@ export class SignupEndpoint extends Endpoint<Params, Query, Body, ResponseBody>
             user = u
             if (u.hasAccount()) {
-                // Send an e-mail to say you already have an account + follow password forgot flow
-                const recoveryUrl = await PasswordToken.getPasswordRecoveryUrl(user, organization, request.i18n)
-                const { from, replyTo } = {
-                    from: (user.permissions || !organization ? Email.getInternalEmailFor(request.i18n) : organization.getDefaultFrom(request.i18n)),
-                    replyTo: undefined
-                }
-                const footer = (!user.permissions && organization ? "\n\n—\n\nOnze ledenadministratie werkt via het Stamhoofd platform, op maat van verenigingen. Probeer het ook via https://"+request.i18n.localizedDomains.marketing()+"/ledenadministratie\n\n" : '')
-                const name = organization ? organization.name : 'Stamhoofd'
-                // Send email
-                Email.send({
-                    from,
-                    replyTo,
-                    to: user.email,
-                    subject: `[${name}] Je hebt al een account`,
-                    type: "transactional",
-                    text: (user.firstName ? "Hey "+user.firstName : "Hey") + ", \n\nJe probeerde een account aan te maken, maar je hebt eigenlijk al een account met e-mailadres "+user.email+". Als je jouw wachtwoord niet meer weet, kan je een nieuw wachtwoord instellen door op de volgende link te klikken of door deze te kopiëren in de adresbalk van jouw browser:\n"+recoveryUrl+"\n\nWachtwoord al teruggevonden of heb je helemaal niet proberen te registreren? Dan mag je deze e-mail veilig negeren.\n\nMet vriendelijke groeten,\n"+(user.permissions ? "Stamhoofd" : name)+footer
-                });
                 // Don't send the code
-                sendCode = false
+                sendCode = false;
+                // We don't await this block to avoid user enumeration attack using request response time
+                (async () => {
+                    // Send an e-mail to say you already have an account + follow password forgot flow
+                    const recoveryUrl = await PasswordToken.getPasswordRecoveryUrl(user, organization, request.i18n)
+                    // Create e-mail builder
+                    await sendEmailTemplate(organization, {
+                        recipients: [
+                            Recipient.create({
+                                firstName: user.firstName,
+                                lastName: user.lastName,
+                                email: request.body.email,
+                                replacements: [
+                                    Replacement.create({
+                                        token: 'resetUrl',
+                                        value: recoveryUrl
+                                    })
+                                ]
+                            })
+                        ],
+                        template: {
+                            type: EmailTemplateType.SignupAlreadyHasAccount,
+                        },
+                        type: 'transactional'
+                    })
+                })().catch(console.error);
             } else {
                 // This is safe, because we are the first one. There is no password yet.
                 // If a hacker tries this, he won't be able to sign in, because he needs to
@@ -97,7 +105,7 @@ export class SignupEndpoint extends Endpoint<Params, Query, Body, ResponseBody>
         const code = await EmailVerificationCode.createFor(user, user.email)
         if (sendCode) {
-            code.send(user, organization, request.i18n)
+            code.send(user, organization, request.i18n).catch(console.error)
         }
         return new Response(SignupResponse.create({

package/src/endpoints/global/registration/PatchUserMembersEndpoint.ts CHANGED Viewed

@@ -108,7 +108,7 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
                 })
             }
-            const duplicate = await this.checkDuplicate(member, securityCode)
+            /*const duplicate = await this.checkDuplicate(member, securityCode)
             if (duplicate) {
                 // Remove the member from the list
                 members.splice(members.findIndex(m => m.id === member.id), 1)
@@ -116,7 +116,7 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
                 // Add new
                 addedMembers.push(duplicate)
                 continue
-            }
+            }*/
             await member.save();
             await MemberUserSyncer.onChangeMember(member)