Merge branch 'master' into caching

2025-08-04 10:14:36 +02:00 · 2023-11-24 14:38:27 -06:00 · 2023-11-24 14:38:27 -06:00 · 1a046a9bcb
commit 1a046a9bcb
parent 7a9c869ac5 9beee3ed65
20 changed files with 258 additions and 14 deletions
--- a/server/Auth.js
+++ b/server/Auth.js
@ -566,6 +566,69 @@ class Auth {
      Source: global.Source
    }
  }
+
+  /**
+   * 
+   * @param {string} password 
+   * @param {*} user 
+   * @returns {boolean}
+   */
+  comparePassword(password, user) {
+    if (user.type === 'root' && !password && !user.pash) return true
+    if (!password || !user.pash) return false
+    return bcrypt.compare(password, user.pash)
+  }
+
+  /**
+   * User changes their password from request
+   * 
+   * @param {import('express').Request} req 
+   * @param {import('express').Response} res 
+   */
+  async userChangePassword(req, res) {
+    let { password, newPassword } = req.body
+    newPassword = newPassword || ''
+    const matchingUser = req.user
+
+    // Only root can have an empty password
+    if (matchingUser.type !== 'root' && !newPassword) {
+      return res.json({
+        error: 'Invalid new password - Only root can have an empty password'
+      })
+    }
+
+    // Check password match
+    const compare = await this.comparePassword(password, matchingUser)
+    if (!compare) {
+      return res.json({
+        error: 'Invalid password'
+      })
+    }
+
+    let pw = ''
+    if (newPassword) {
+      pw = await this.hashPass(newPassword)
+      if (!pw) {
+        return res.json({
+          error: 'Hash failed'
+        })
+      }
+    }
+
+    matchingUser.pash = pw
+
+    const success = await Database.updateUser(matchingUser)
+    if (success) {
+      Logger.info(`[Auth] User "${matchingUser.username}" changed password`)
+      res.json({
+        success: true
+      })
+    } else {
+      res.json({
+        error: 'Unknown error'
+      })
+    }
+  }
 }

 module.exports = Auth
--- a/server/Server.js
+++ b/server/Server.js
@ -140,11 +140,13 @@ class Server {
     * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests
     * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint
     * @see https://ionicframework.com/docs/troubleshooting/cors
+     * 
+     * Running in development allows cors to allow testing the mobile apps in the browser 
     */
    app.use((req, res, next) => {
-      if (req.path.match(/\/api\/items\/([a-z0-9-]{36})\/ebook(\/[0-9]+)?/)) {
+      if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/ebook(\/[0-9]+)?/)) {
        const allowedOrigins = ['capacitor://localhost', 'http://localhost']
-        if (allowedOrigins.some(o => o === req.get('origin'))) {
+        if (Logger.isDev || allowedOrigins.some(o => o === req.get('origin'))) {
          res.header('Access-Control-Allow-Origin', req.get('origin'))
          res.header("Access-Control-Allow-Methods", 'GET, POST, PATCH, PUT, DELETE, OPTIONS')
          res.header('Access-Control-Allow-Headers', '*')