TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-05 18:34:39 +03:00
Code Issues Projects Releases Wiki Activity

Merge pull request #4490 from thisishugo/url-safe-tokens

Browse Source 
Make tokens URL safe
This commit is contained in:
Sebastian Gierlinger 2014-11-21 11:30:30 +01:00
commit 3fd6c80bb7
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core/server/models/user.js
View File

@ -706,7 +706,7 @@ User = ghostBookshelf.Model.extend({
text = '';
// Token:
// BASE64(TIMESTAMP + email + HASH(TIMESTAMP + email + oldPasswordHash + dbHash ))
// BASE64(TIMESTAMP + email + HASH(TIMESTAMP + email + oldPasswordHash + dbHash )).replace('=', '-')
hash.update(String(expires));
hash.update(email.toLocaleLowerCase());
@ -715,13 +715,19 @@ User = ghostBookshelf.Model.extend({
text += [expires, email, hash.digest('base64')].join('|');
return new Buffer(text).toString('base64');
// it's possible that the token might get URI encoded, which breaks it
// we replace any `=`s with `-`s as they aren't valid base64 characters
// but are valid in a URL, so won't suffer encoding issues
return new Buffer(text).toString('base64').replace('=', '-');
});
},
validateToken: function (token, dbHash) {
/*jslint bitwise:true*/
// TODO: Is there a chance the use of ascii here will cause problems if oldPassword has weird characters?
// We replaced `=`s with `-`s when we sent the token via email, so
// now we reverse that change to get a valid base64 string to decode
token = token.replace('-', '=');
var tokenText = new Buffer(token, 'base64').toString('ascii'),
parts,
expires,