Reputation: 2291
Hi, and thanks in advance. I'm working on a project where part of the requirements is to have a field where the user can insert his e-mail and then receive a custom URL on his e-mail account; from there he can access the site. This is like the example of a "password reset", where a custom URL is generated and sent to you with a time-stamp validation. I'm very new to Node.js, and my question here is whether anyone has some guidelines to start doing this. My idea was to generate a sessionID, then generate a custom URL, send the email, and then the user goes to the webpage. I'm using Express, and the whole site is already assembled; it's just this feature that is killing me! :(
Upvotes: 2
Views: 249
Reputation: 248
As I understand it, you want to know how to implement password reset functionality using expressjs.
Here are the steps:
1. Create an API for forgot password:
    app.post('/forgotpassword', function(req, res) {
      var email = req.body.email;
      // validation
      // your custom url creation logic here
      // someurl/:resetpasswordtoken
      // store this in user data
      // for this I'll suggest to use any unique string creation logic*
    });
2. Show the reset password page:
    app.get('/someurl/:resetpasswordtoken', function(req, res) {
      // check token exists
      // render the page for reset like current password, new password
    });
3. Action for reset password:
    app.post('/someurl/:resetpasswordtoken', function(req, res) {
      var currentPwd = req.body.currentPwd; // get current pwd (field name assumed)
      var newPwd = req.body.newPwd;         // get new pwd (field name assumed)
      // check token
      // then reset password for user
    });
Upvotes: 0
Reputation: 16436
I'm not sure what you need, but here is what I'd suggest (spoke about this on Reddit earlier).
    // If you want the user to **have** to be a custom URL
    app.param('userId', function(req, res, next, userId) {
      db.getUser(userId, function(e, usr) {
        if (e) return next(e); // hand the error to Express instead of throwing inside a callback
        req.user = usr;
        next();
      });
    });
    app.all("*", function(req, res, next) {
      if (!req.user) return res.redirect('/login');
      next();
    });
    // Rest of routes
    // app.get(...)
    // app.post(...)
That being said, you normally shouldn't have users log in this way. Normally you would set the user in the session and validate it that way. Here's a good article on setting up sessions in Express.
If you do it this way, you would do something like this:
    app.all("*", function(req, res, next) {
      var userId = req.session.userid;
      if (!userId) return res.redirect('/login');
      db.getUser(userId, function(e, usr) {
        if (e) return next(e); // hand the error to Express instead of throwing inside a callback
        if (!usr) return res.redirect('/login');
        // Now the user is accessible through its session
        req.session.user = usr;
        next();
      });
    });
    // Rest of routes
    // app.get(...)
    // app.post(...)
Password resetting requires what's called a nonce. This will be a small object in your DB that has a created date. You email them a link to your site that uses that nonce.
Whenever the route is hit that uses the password reset nonce, you look it up in the DB, verify it's new enough (within X hours or days), then give them access to the route that resets their password.
Your project requirements are pretty vague, so I'm not exactly sure what you need.
Upvotes: 1
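The nonce flow described in the answer above (create a record with a created date, email a link, look the nonce up and check its age), as an added example that is not part of the original posts. Assumptions: an in-memory Map stands in for the DB, the validity window is one hour, the function names are hypothetical, and this example stores only a SHA-256 hash of the token and makes each link single use; the `/someurl/` path is the one used in the first answer.

```javascript
const crypto = require('crypto');

const NONCE_TTL_MS = 60 * 60 * 1000; // assumed validity window: 1 hour
const nonces = new Map();            // sha256(token) -> { email, createdAt }

function sha256(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

// Create a nonce for this email and return the raw token for the emailed link.
// Only the hash is stored, so a leaked table does not contain usable links.
function issueNonce(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  nonces.set(sha256(token), { email, createdAt: now });
  return token;
}

// Build the link that goes into the email (route shape from the first answer).
function resetUrl(baseUrl, token) {
  return `${baseUrl}/someurl/${encodeURIComponent(token)}`;
}

// Look the nonce up, consume it, and check that it is new enough.
// Returns the email it was issued for, or null if unknown, reused or expired.
function redeemNonce(token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return null;
  const key = sha256(token);
  const entry = nonces.get(key);
  if (!entry) return null;
  nonces.delete(key); // single use: removed on first lookup, even if expired
  if (now - entry.createdAt > NONCE_TTL_MS) return null;
  return entry.email;
}
```

In an Express handler for `/someurl/:resetpasswordtoken`, `redeemNonce(req.params.resetpasswordtoken)` would decide whether to continue; answering unknown, reused and expired tokens identically avoids telling the caller which case occurred.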