UNPKG

payload

Version:

Node, React, Headless CMS and Application Framework built on Next.js

payloadcms.com

payloadcms/payload

149 lines (148 loc) 6.48 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
// @ts-strict-ignore import crypto from 'crypto'; import { status as httpStatus } from 'http-status'; import { URL } from 'url'; import { buildAfterOperation } from '../../collections/operations/utils.js'; import { APIError } from '../../errors/index.js'; import { Forbidden } from '../../index.js'; import { commitTransaction } from '../../utilities/commitTransaction.js'; import { formatAdminURL } from '../../utilities/formatAdminURL.js'; import { initTransaction } from '../../utilities/initTransaction.js'; import { killTransaction } from '../../utilities/killTransaction.js'; import { getLoginOptions } from '../getLoginOptions.js'; export const forgotPasswordOperation = async (incomingArgs)=>{ const loginWithUsername = incomingArgs.collection.config.auth.loginWithUsername; const { data } = incomingArgs; const { canLoginWithEmail, canLoginWithUsername } = getLoginOptions(loginWithUsername); const sanitizedEmail = canLoginWithEmail && (incomingArgs.data.email || '').toLowerCase().trim() || null; const sanitizedUsername = 'username' in data && typeof data?.username === 'string' ? data.username.toLowerCase().trim() : null; let args = incomingArgs; if (incomingArgs.collection.config.auth.disableLocalStrategy) { throw new Forbidden(incomingArgs.req.t); } if (!sanitizedEmail && !sanitizedUsername) { throw new APIError(`Missing ${loginWithUsername ? 'username' : 'email'}.`, httpStatus.BAD_REQUEST); } try { const shouldCommit = await initTransaction(args.req); // ///////////////////////////////////// // beforeOperation - Collection // ///////////////////////////////////// if (args.collection.config.hooks?.beforeOperation?.length) { for (const hook of args.collection.config.hooks.beforeOperation){ args = await hook({ args, collection: args.collection?.config, context: args.req.context, operation: 'forgotPassword', req: args.req }) || args; } } const { collection: { config: collectionConfig }, disableEmail, expiration, req: { payload: { config, email }, payload }, req } = args; // ///////////////////////////////////// // Forget password // ///////////////////////////////////// let token = crypto.randomBytes(20).toString('hex'); if (!sanitizedEmail && !sanitizedUsername) { throw new APIError(`Missing ${loginWithUsername ? 'username' : 'email'}.`, httpStatus.BAD_REQUEST); } let whereConstraint = {}; if (canLoginWithEmail && sanitizedEmail) { whereConstraint = { email: { equals: sanitizedEmail } }; } else if (canLoginWithUsername && sanitizedUsername) { whereConstraint = { username: { equals: sanitizedUsername } }; } let user = await payload.db.findOne({ collection: collectionConfig.slug, req, where: whereConstraint }); // We don't want to indicate specifically that an email was not found, // as doing so could lead to the exposure of registered emails. // Therefore, we prefer to fail silently. if (!user) { await commitTransaction(args.req); return null; } user.resetPasswordToken = token; user.resetPasswordExpiration = new Date(Date.now() + (collectionConfig.auth?.forgotPassword?.expiration ?? expiration ?? 3600000)).toISOString(); user = await payload.update({ id: user.id, collection: collectionConfig.slug, data: user, req }); if (!disableEmail && user.email) { const protocol = new URL(req.url).protocol // includes the final : ; const serverURL = config.serverURL !== null && config.serverURL !== '' ? config.serverURL : `${protocol}//${req.headers.get('host')}`; const forgotURL = formatAdminURL({ adminRoute: config.routes.admin, path: `${config.admin.routes.reset}/${token}`, serverURL }); let html = `${req.t('authentication:youAreReceivingResetPassword')} <a href="${forgotURL}">${forgotURL}</a> ${req.t('authentication:youDidNotRequestPassword')}`; if (typeof collectionConfig.auth.forgotPassword?.generateEmailHTML === 'function') { html = await collectionConfig.auth.forgotPassword.generateEmailHTML({ req, token, user }); } let subject = req.t('authentication:resetYourPassword'); if (typeof collectionConfig.auth.forgotPassword?.generateEmailSubject === 'function') { subject = await collectionConfig.auth.forgotPassword.generateEmailSubject({ req, token, user }); } await email.sendEmail({ from: `"${email.defaultFromName}" <${email.defaultFromAddress}>`, html, subject, to: user.email }); } // ///////////////////////////////////// // afterForgotPassword - Collection // ///////////////////////////////////// if (collectionConfig.hooks?.afterForgotPassword?.length) { for (const hook of collectionConfig.hooks.afterForgotPassword){ await hook({ args, collection: args.collection?.config, context: req.context }); } } // ///////////////////////////////////// // afterOperation - Collection // ///////////////////////////////////// token = await buildAfterOperation({ args, collection: args.collection?.config, operation: 'forgotPassword', result: token }); if (shouldCommit) { await commitTransaction(req); } return token; } catch (error) { await killTransaction(args.req); throw error; } }; //# sourceMappingURL=forgotPassword.js.map