swat-sccs · adic2023 · Oct 1, 2023 · Oct 2, 2023 · Oct 2, 2023 · Oct 2, 2023
diff --git a/emailTemplates/verification.html b/emailTemplates/verification.html
@@ -0,0 +1,23 @@
+<html>
+  <head> </head>
+  <body>
+    <p>Hi there!</p>
+    <p>You are receiving this message to verify the email associated with your new SCCS account! Your username is: <strong>${username}</strong>.</p>
+    <p>
+      To access SCCS services, confirm your email by clicking: 
+      <!-- insert link with proper id and key -->
+      <a href="${domain}/account/reset?id=${resetId}&key=${resetKey}">this link</a>. Or, copy and
+      paste this link into your browser:
+    </p>
+    <p>${domain}/account/reset?id=${resetId}&key=${resetKey}</p>
+    <p>
+      (This link will stay active for seven days; after that, you'll have to
+      <a href="${domain}/account/forgot">request a new link</a>.)
+    </p>
+    <p>
+      Enjoy your new SCCS account! We hope you'll find our services useful. If you have any
+      questions, comments, or suggestionsx, feel free to contact us at
+      <a href="mailto:[email protected]">[email protected]</a>
+    </p>
+  </body>
+</html>
diff --git a/src/functions/createAccount.ts b/src/functions/createAccount.ts
@@ -11,6 +11,7 @@ import { generateEmail } from '../util/emailTemplates';
 import { addLdap, searchAsyncMultiple } from '../util/ldapUtils';
 import { logger } from '../util/logging';
 import { createPasswordResetRequest } from '../util/passwordReset';
+import { verifyAccountRequest } from '../util/accountVerify'
 
 export interface CreateAccountData {
   username: string;

diff --git a/src/integration/models.ts b/src/integration/models.ts
@@ -84,6 +84,50 @@ export const PasswordResetRequestModel = mongoose.model<PasswordResetRequest>(
   passwordResetRequestSchema,
 );
 
+// new interface for email verification
+export interface VerifyEmailRequest {
+  // verification email links generate two keys: the ID, which is stored plain, and the key, which is
+  // hashed with argon2 before being stored.
+  // good chance the rest of this shit is wrong in this implementation: 
+  // Both are provided to the user and they make a request;
+  // then we look up the request for the ID and compare hashed keys, basically exactly like a normal
+  // username/password login flow.
+  _id: string;
+  key: string;
+  user: string;
+  timestamp: Date;
+  suppressEmail?: boolean;
+}
+
+const verifyEmailRequestSchema = new mongoose.Schema<VerifyEmailRequest>({
+  _id: {
+    type: String,
+    required: true,
+  },
+  key: {
+    type: String,
+    required: true,
+  },
+  user: {
+    type: String,
+    required: true,
+    index: true, // we'll search by user to invalidate previous reset requests
+  },
+  timestamp: {
+    type: Date,
+    expires: 0,
+  },
+  suppressEmail: {
+    type: Boolean,
+    required: false,
+  },
+});
+
+export const VerifyEmailRequestModel = mongoose.model<VerifyEmailRequest>(
+  'VerifyEmail',
+  verifyEmailRequestSchema,
+);
+
 export interface MinecraftWhitelist {
   _id: string;
   mcUuid: string;

diff --git a/src/util/accountVerify.ts b/src/util/accountVerify.ts
@@ -0,0 +1,30 @@
+import argon2 from 'argon2';
+import { nanoid } from 'nanoid';
+
+import { VerifyEmailRequestModel } from '../integration/models';
+import { logger } from './logging';
+
+const USERNAME_REGEX = /^[a-z][-a-z0-9]*$/;
+
+export const verifyAccountRequest = async (
+  uid: string,
+  expireHours = 1,
+  suppressEmail = false,
+): Promise<[string, string]> => {
+  logger.debug(`Creating account verification ID/key pair for ${uid}`);
+  const verifyId = nanoid();
+  const verifyKey = nanoid();
+
+  const expireDate = new Date();
+  expireDate.setHours(expireDate.getHours() + expireHours);
+
+  await new VerifyEmailRequestModel({
+    _id: verifyId,
+    key: await argon2.hash(verifyKey, { raw: false }),
+    user: uid,
+    timestamp: expireDate,
+    suppressEmail: suppressEmail,
+  }).save();
+
+  return [verifyId, verifyKey];
+};