secret auth

pacoccino · Feb 13, 2022 · 47874e1 · 47874e1
1 parent 701c807
commit 47874e1
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 4 deletions.
diff --git a/.env.defaults b/.env.defaults
@@ -31,6 +31,8 @@ SESSION_SECRET=MEunmKDPUzsMLf4r9tEXGg52ifgP68NboQMGdY8Ku6hRDMonE6YvZsG99yEnvY9r
 
 #######
 
+SIGNUP_SECRET=secret
+
 FILESYSTEM_FOLDER=./fs
 PHOTOS_URL=/s3/photos
 MINIATURES_URL=/s3/miniatures

diff --git a/.env.example b/.env.example
@@ -3,3 +3,4 @@
 # DATABASE_URL="postgresql://postgres:postgres@localhost:5432/redwood_dev?connection_limit=1"
 # GMAPS_API_KEY=
 # SESSION_SECRET=
+# SIGNUP_SECRET=
diff --git a/api/src/functions/auth.ts b/api/src/functions/auth.ts
@@ -16,7 +16,9 @@ export const handler = async (event, context) => {
     // address in a toast message so the user will know it worked and where
     // to look for the email.
     handler: (user) => {
-      return user.email
+      return {
+        username: user.username,
+      }
     },
 
     // How long the resetToken is valid for, in seconds (default is 24 hours)
@@ -67,7 +69,7 @@ export const handler = async (event, context) => {
     // in. Return `false` otherwise, and in the Reset Password page redirect the
     // user to the login page.
     handler: (user) => {
-      return user.email
+      return user.username
     },
 
     // If `false` then the new password MUST be different than the current one
@@ -102,12 +104,14 @@ export const handler = async (event, context) => {
     // If this returns anything else, it will be returned by the
     // `signUp()` function in the form of: `{ message: 'String here' }`.
     handler: ({ username, hashedPassword, salt, userAttributes }) => {
+      if (userAttributes.secret !== process.env['SIGNUP_SECRET'])
+        throw new Error('Invalid secret')
+
       return db.user.create({
         data: {
           username: username,
           hashedPassword: hashedPassword,
           salt: salt,
-          // name: userAttributes.name
         },
       })
     },

diff --git a/web/src/pages/ForgotPasswordPage/ForgotPasswordPage.tsx b/web/src/pages/ForgotPasswordPage/ForgotPasswordPage.tsx
@@ -28,7 +28,9 @@ const ForgotPasswordPage = () => {
       // The function `forgotPassword.handler` in api/src/functions/auth.js has
       // been invoked, let the user know how to get the link to reset their
       // password (sent in email, perhaps?)
-      toast.success('A link to reset your password was sent to ' + response.email)
+      toast.success(
+        'A link to reset your password was sent to ' + response.username
+      )
       navigate(routes.login())
     }
   }

diff --git a/web/src/pages/SignupPage/SignupPage.tsx b/web/src/pages/SignupPage/SignupPage.tsx
@@ -98,6 +98,26 @@ const SignupPage = () => {
                   />
                   <FieldError name="password" className="rw-field-error" />
 
+                  <Label
+                    name="secret"
+                    className="rw-label"
+                    errorClassName="rw-label rw-label-error"
+                  >
+                    Secret
+                  </Label>
+                  <PasswordField
+                    name="secret"
+                    className="rw-input"
+                    errorClassName="rw-input rw-input-error"
+                    validation={{
+                      required: {
+                        value: true,
+                        message: 'Secret is required',
+                      },
+                    }}
+                  />
+                  <FieldError name="secret" className="rw-field-error" />
+
                   <div className="rw-button-group">
                     <Submit className="rw-button rw-button-blue">
                       Sign Up