Email verification works

- Added /auth/verify to authenticated route whitelist
- Updated /auth/verify to properly mark a user as verified, return a response, and fix expiration time check
- Implemented /auth/verify/resend
- Moved verification email sending to a helper method
- Fixed VerifyEmailSchema requiring captcha_key

src/api/middlewares/Authentication.ts

@@ -16,10 +16,10 @@
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
-import { NextFunction, Request, Response } from "express";
-import { HTTPError } from "lambert-server";
 import { checkToken, Config, Rights } from "@fosscord/util";
 import * as Sentry from "@sentry/node";
+import { NextFunction, Request, Response } from "express";
+import { HTTPError } from "lambert-server";
 
 export const NO_AUTHORIZATION_ROUTES = [
 	// Authentication routes
@@ -28,6 +28,7 @@ export const NO_AUTHORIZATION_ROUTES = [
 	"/auth/location-metadata",
 	"/auth/mfa/totp",
 	"/auth/mfa/webauthn",
+	"/auth/verify",
 	// Routes with a seperate auth system
 	"/webhooks/",
 	// Public information endpoints

src/api/routes/auth/verify/index.ts

@@ -17,7 +17,11 @@
 */
 
 import { route, verifyCaptcha } from "@fosscord/api";
-import { Config, FieldErrors, verifyToken } from "@fosscord/util";
+import {
+	Config,
+	FieldErrors,
+	verifyTokenEmailVerification,
+} from "@fosscord/util";
 import { Request, Response, Router } from "express";
 import { HTTPError } from "lambert-server";
 const router = Router();
@@ -43,9 +47,13 @@ router.post(
 		try {
 			const { jwtSecret } = Config.get().security;
 
-			const { decoded, user } = await verifyToken(token, jwtSecret);
+			const { decoded, user } = await verifyTokenEmailVerification(
+				token,
+				jwtSecret,
+			);
+
 			// toksn should last for 24 hours from the time they were issued
-			if (decoded.exp < Date.now() / 1000) {
+			if (new Date().getTime() > decoded.iat * 1000 + 86400 * 1000) {
 				throw FieldErrors({
 					token: {
 						code: "TOKEN_INVALID",
@@ -53,7 +61,16 @@ router.post(
 					},
 				});
 			}
+
+			if (user.verified) return res.send(user);
+
+			// verify email
 			user.verified = true;
+			await user.save();
+
+			// TODO: invalidate token after use?
+
+			return res.send(user);
 		} catch (error: any) {
 			throw new HTTPError(error?.toString(), 400);
 		}

src/api/routes/auth/verify/resend.ts

@@ -0,0 +1,49 @@
+/*
+	Fosscord: A FOSS re-implementation and extension of the Discord.com backend.
+	Copyright (C) 2023 Fosscord and Fosscord Contributors
+	
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published
+	by the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+	
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+	
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import { route } from "@fosscord/api";
+import { Email, User } from "@fosscord/util";
+import { Request, Response, Router } from "express";
+import { HTTPError } from "lambert-server";
+const router = Router();
+
+router.post("/", route({}), async (req: Request, res: Response) => {
+	const user = await User.findOneOrFail({
+		where: { id: req.user_id },
+		select: ["email"],
+	});
+
+	if (!user.email) {
+		// TODO: whats the proper error response for this?
+		throw new HTTPError("User does not have an email address", 400);
+	}
+
+	await Email.sendVerificationEmail(req.user_id, user.email)
+		.then((info) => {
+			console.log("Message sent: %s", info.messageId);
+			return res.sendStatus(204);
+		})
+		.catch((e) => {
+			console.error(
+				`Failed to send verification email to ${user.username}#${user.discriminator}: ${e}`,
+			);
+			throw new HTTPError("Failed to send verification email", 500);
+		});
+});
+
+export default router;

src/util/entities/User.ts

@@ -383,28 +383,17 @@ export class User extends BaseClass {
 
 		user.validate();
 		await Promise.all([user.save(), settings.save()]);
-		// send verification email
-		if (Email.transporter && email) {
-			const token = (await generateToken(user.id, email)) as string;
-			const link = `http://localhost:3001/verify#token=${token}`;
-			const message = {
-				from:
-					Config.get().general.correspondenceEmail ||
-					"noreply@localhost",
-				to: email,
-				subject: `Verify Email Address for ${
-					Config.get().general.instanceName
-				}`,
-				html: `Please verify your email address by clicking the following link: <a href="${link}">Verify Email</a>`,
-			};
 
-			await Email.transporter
+		// send verification email if users aren't verified by default and we have an email
-				.sendMail(message)
+		if (!Config.get().defaults.user.verified && email) {
+			await Email.sendVerificationEmail(user.id, email)
 				.then((info) => {
 					console.log("Message sent: %s", info.messageId);
 				})
 				.catch((e) => {
-					console.error(`Failed to send email to ${email}: ${e}`);
+					console.error(
+						`Failed to send verification email to ${user.username}#${user.discriminator}: ${e}`,
+					);
 				});
 		}
 

src/util/schemas/VerifyEmailSchema.ts

@@ -17,6 +17,6 @@
 */
 
 export interface VerifyEmailSchema {
-	captcha_key: string | null;
+	captcha_key?: string | null;
 	token: string;
 }

src/util/util/Email.ts

@@ -16,6 +16,10 @@
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
+import nodemailer, { Transporter } from "nodemailer";
+import { Config } from "./Config";
+import { generateToken } from "./Token";
+
 export const EMAIL_REGEX =
 	/^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
 
@@ -47,6 +51,7 @@ export function adjustEmail(email?: string): string | undefined {
 export const Email: {
 	transporter: Transporter | null;
 	init: () => Promise<void>;
+	sendVerificationEmail: (id: string, email: string) => Promise<any>;
 } = {
 	transporter: null,
 	init: async function () {
@@ -73,4 +78,25 @@ export const Email: {
 			console.log(`[SMTP] Ready`);
 		});
 	},
+	sendVerificationEmail: async function (
+		id: string,
+		email: string,
+	): Promise<any> {
+		if (!this.transporter) return;
+		const token = (await generateToken(id, email)) as string;
+		const instanceUrl =
+			Config.get().general.frontPage || "http://localhost:3001";
+		const link = `${instanceUrl}/verify#token=${token}`;
+		const message = {
+			from:
+				Config.get().general.correspondenceEmail || "noreply@localhost",
+			to: email,
+			subject: `Verify Email Address for ${
+				Config.get().general.instanceName
+			}`,
+			html: `Please verify your email address by clicking the following link: <a href="${link}">Verify Email</a>`,
+		};
+
+		return this.transporter.sendMail(message);
+	},
 };

src/util/util/Token.ts

@@ -72,6 +72,30 @@ export function checkToken(
 	});
 }
 
+/**
+ * Puyodead1 (1/19/2023): I made a copy of this function because I didn't want to break anything with the other one.
+ * this version of the function doesn't use select, so we can update the user. with select causes constraint errors.
+ */
+export function verifyTokenEmailVerification(
+	token: string,
+	jwtSecret: string,
+): Promise<{ decoded: any; user: User }> {
+	return new Promise((res, rej) => {
+		jwt.verify(token, jwtSecret, JWTOptions, async (err, decoded: any) => {
+			if (err || !decoded) return rej("Invalid Token");
+
+			const user = await User.findOne({
+				where: { id: decoded.id },
+			});
+			if (!user) return rej("Invalid Token");
+			if (user.disabled) return rej("User disabled");
+			if (user.deleted) return rej("User not found");
+
+			return res({ decoded, user });
+		});
+	});
+}
+
 export function verifyToken(
 	token: string,
 	jwtSecret: string,