npm - @waline/vercel - Versions diffs - 1.11.0 → 1.13.1 - Mend

@waline/vercel 1.11.0 → 1.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/package.json +2 -1
package/src/controller/db.js +8 -3
package/src/controller/token/2fa.js +62 -0
package/src/controller/token.js +15 -3
package/src/controller/user/password.js +46 -0
package/src/controller/user.js +5 -0
package/src/logic/base.js +1 -0
package/src/logic/token/2fa.js +27 -0
package/src/logic/user/password.js +11 -0
package/src/service/markdown/xss.js +1 -1
package/src/service/notify.js +1 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@waline/vercel",
-  "version": "1.11.0",
+  "version": "1.13.1",
   "description": "vercel server for waline comment system",
   "repository": "https://github.com/walinejs/waline",
   "license": "MIT",
@@ -27,6 +27,7 @@
     "prismjs": "^1.27.0",
     "request": "^2.88.2",
     "request-promise-native": "^1.0.9",
+    "speakeasy": "^2.0.0",
     "think-logger3": "^1.3.1",
     "think-model": "^1.5.4",
     "think-model-mysql": "^1.1.7",

package/src/controller/db.js CHANGED Viewed

@@ -1,6 +1,8 @@
-const fs = require('fs/promises');
+const fs = require('fs');
+const util = require('util');
 const BaseRest = require('./rest');
+const readFileAsync = util.promisify(fs.readFile);
 module.exports = class extends BaseRest {
   async getAction() {
     const exportData = {
@@ -17,7 +19,10 @@ module.exports = class extends BaseRest {
     for (let i = 0; i < exportData.tables.length; i++) {
       const tableName = exportData.tables[i];
-      const model = this.model(tableName);
+      const model = this.service(
+        `storage/${this.config('storage')}`,
+        tableName
+      );
       const data = await model.select({});
       exportData.data[tableName] = data;
     }
@@ -28,7 +33,7 @@ module.exports = class extends BaseRest {
   async postAction() {
     const file = this.file('file');
     try {
-      const jsonText = await fs.readFile(file.path, 'utf-8');
+      const jsonText = await readFileAsync(file.path, 'utf-8');
       const importData = JSON.parse(jsonText);
       if (!importData || importData.type !== 'waline') {
         return this.fail('import data format not support!');

package/src/controller/token/2fa.js ADDED Viewed

@@ -0,0 +1,62 @@
+const speakeasy = require('speakeasy');
+const BaseRest = require('../rest');
+module.exports = class extends BaseRest {
+  async getAction() {
+    const { userInfo } = this.ctx.state;
+    const { email } = this.get();
+    if (think.isEmpty(userInfo) && email) {
+      const userModel = this.service(
+        `storage/${this.config('storage')}`,
+        'Users'
+      );
+      const user = await userModel.select(
+        { email },
+        {
+          field: ['2fa'],
+        }
+      );
+      const is2FAEnabled = !think.isEmpty(user) && Boolean(user[0]['2fa']);
+      return this.success({ enable: is2FAEnabled });
+    }
+    const name = `waline_${userInfo.objectId}`;
+    if (userInfo['2fa'] && userInfo['2fa'].length == 32) {
+      return this.success({
+        otpauth_url: `otpauth://totp/${name}?secret=${userInfo['2fa']}`,
+        secret: userInfo['2fa'],
+      });
+    }
+    const { otpauth_url, base32: secret } = speakeasy.generateSecret({
+      length: 20,
+      name,
+    });
+    return this.success({ otpauth_url, secret });
+  }
+  async postAction() {
+    const data = this.post();
+    const verified = speakeasy.totp.verify({
+      secret: data.secret,
+      encoding: 'base32',
+      token: data.code,
+      window: 2,
+    });
+    if (!verified) {
+      return this.fail('TWO_FACTOR_AUTH_ERROR_DETAIL');
+    }
+    const userModel = this.service(
+      `storage/${this.config('storage')}`,
+      'Users'
+    );
+    const { objectId } = this.ctx.state.userInfo;
+    await userModel.update({ ['2fa']: data.secret }, { objectId });
+    return this.success();
+  }
+};

package/src/controller/token.js CHANGED Viewed

@@ -1,3 +1,4 @@
+const speakeasy = require('speakeasy');
 const jwt = require('jsonwebtoken');
 const helper = require('think-helper');
 const { PasswordHash } = require('phpass');
@@ -17,7 +18,7 @@ module.exports = class extends BaseRest {
   }
   async postAction() {
-    const { email, password } = this.post();
+    const { email, password, code } = this.post();
     const user = await this.modelInstance.select({ email });
     if (think.isEmpty(user) || /^verify:/i.test(user[0].type)) {
@@ -33,13 +34,24 @@ module.exports = class extends BaseRest {
       return this.fail();
     }
-    let avatar = user[0].avatar;
+    const twoFactorAuthSecret = user[0]['2fa'];
+    if (twoFactorAuthSecret) {
+      const verified = speakeasy.totp.verify({
+        secret: twoFactorAuthSecret,
+        encoding: 'base32',
+        token: code,
+        window: 2,
+      });
+      if (!verified) {
+        return this.fail();
+      }
+    }
+    let avatar = user[0].avatar;
     if (/(github)/i.test(avatar)) {
       avatar =
         this.config('avatarProxy') + '?url=' + encodeURIComponent(avatar);
     }
     user[0].avatar = avatar;
     return this.success({

package/src/controller/user/password.js ADDED Viewed

@@ -0,0 +1,46 @@
+const jwt = require('jsonwebtoken');
+const BaseRest = require('../rest');
+module.exports = class extends BaseRest {
+  async putAction() {
+    const {
+      SMTP_HOST,
+      SMTP_SERVICE,
+      SENDER_EMAIL,
+      SENDER_NAME,
+      SMTP_USER,
+      SITE_NAME,
+    } = process.env;
+    const hasMailServie = SMTP_HOST || SMTP_SERVICE;
+    if (!hasMailServie) {
+      return this.fail();
+    }
+    const { email } = this.post();
+    const userModel = this.service(
+      `storage/${this.config('storage')}`,
+      'Users'
+    );
+    const user = await userModel.select({ email });
+    if (think.isEmpty(user)) {
+      return this.fail();
+    }
+    const notify = this.service('notify');
+    const { protocol, host } = this.ctx;
+    const token = jwt.sign(user[0].email, this.config('jwtKey'));
+    const profileUrl = `${protocol}://${host}/ui/profile?token=${token}`;
+    await notify.transporter.sendMail({
+      from:
+        SENDER_EMAIL && SENDER_NAME
+          ? `"${SENDER_NAME}" <${SENDER_EMAIL}>`
+          : SMTP_USER,
+      to: user[0].email,
+      subject: `【${SITE_NAME || 'Waline'}】Reset Password`,
+      html: `Please click <a href="${profileUrl}">${profileUrl}</a> to login and change your password as soon as possible!`,
+    });
+    return this.success();
+  }
+};

package/src/controller/user.js CHANGED Viewed

@@ -80,6 +80,7 @@ module.exports = class extends BaseRest {
   async putAction() {
     const { display_name, url, avatar, password } = this.post();
     const { objectId } = this.ctx.state.userInfo;
+    const twoFactorAuth = this.post('2fa');
     const updateData = {};
@@ -99,6 +100,10 @@ module.exports = class extends BaseRest {
       updateData.password = new PasswordHash().hashPassword(password);
     }
+    if (think.isString(twoFactorAuth)) {
+      updateData['2fa'] = twoFactorAuth;
+    }
     const socials = ['github', 'twitter', 'facebook', 'google', 'weibo', 'qq'];
     socials.forEach((social) => {
       const nextSocial = this.post(social);

package/src/logic/base.js CHANGED Viewed

@@ -63,6 +63,7 @@ module.exports = class extends think.Logic {
           'weibo',
           'qq',
           'avatar',
+          '2fa',
         ],
       }
     );

package/src/logic/token/2fa.js ADDED Viewed

@@ -0,0 +1,27 @@
+const Base = require('../base');
+module.exports = class extends Base {
+  async getAction() {
+    const { email } = this.get();
+    const { userInfo } = this.ctx.state;
+    if (think.isEmpty(userInfo) && !email) {
+      return this.fail(401);
+    }
+  }
+  async postAction() {
+    const { userInfo } = this.ctx.state;
+    if (think.isEmpty(userInfo)) {
+      return this.fail(401);
+    }
+    this.rules = {
+      code: {
+        required: true,
+        string: true,
+        length: 6,
+      },
+    };
+  }
+};

package/src/logic/user/password.js ADDED Viewed

@@ -0,0 +1,11 @@
+const Base = require('../base');
+module.exports = class extends Base {
+  async putAction() {
+    this.rules = {
+      email: {
+        required: true,
+      },
+    };
+  }
+};

package/src/service/markdown/xss.js CHANGED Viewed

@@ -9,7 +9,7 @@ const DOMPurify = createDOMPurify(new JSDOM('').window);
  */
 DOMPurify.addHook('afterSanitizeAttributes', function (node) {
   // set all elements owning target to target=_blank
-  if ('target' in node) {
+  if ('target' in node && node.href && !node.href.startsWith('about:blank#')) {
     node.setAttribute('target', '_blank');
     node.setAttribute('rel', 'noreferrer noopener');
   }

package/src/service/notify.js CHANGED Viewed

@@ -335,7 +335,7 @@ module.exports = class extends think.Service {
     title = nunjucks.renderString(title, data);
     content = nunjucks.renderString(
       think.config('DiscordTemplate') ||
-        `💬 {{site.name|safe}}的文章《{{postName}}》有新评论啦
+        `💬 {{site.name|safe}} 有新评论啦
     【评论者昵称】：{{self.nick}}
     【评论者邮箱】：{{self.mail}}
     【内容】：{{self.comment}}