Multi user password reset concurrency issue in NodeJS and ExpressJS
Unable to reset password for multiple users. I am stuck while multiple users are trying to reset the password.
How do I capture the exact reset token sent to a specific user in the email as a link? Let's say two users are trying to reset the password at the same time: the resetQueryParameter will be overridden. How do I handle this?
Get the token from the query parameters when the user clicks on the reset link in the email:
// global variable
var resetQueryParameters = '';

// CAPTURE TOKEN (QUERY PARAMS) FROM LINK
app.get('/resetQuery/', function (req, res, next) {
    // SET THE TOKEN TO VARIABLE (one variable shared by every request)
    resetQueryParameters = req.query.token;
    r.db('myDB').table('Reset_Password').filter(r.row('auth_key').eq(req.query.token))
        .run(myConnection, function (err, cursor) {
            if (err) {
                return next(err);
            }
            cursor.toArray(function (err, result) {
                if (err) {
                    // pass the error to Express instead of throwing inside the callback
                    return next(err);
                }
                console.log("printing reset link from db.....", JSON.stringify(result, null, 2));
                if (result.length > 0) {
                    res.redirect(redirectResetPage);
                } else {
                    res.redirect(redirectLoginPage);
                }
            });
        });
});
Getting the token when the user clicks on the link and verifying the signature:
function resetPassword(req, res, next) {
    console.log('reset password called from external link.....');
    // verifies whatever the shared global currently holds
    nJwt.verify(resetQueryParameters, secretKey, function (err, verifiedJwt) {
        if (err) {
            console.log('reset token not valid...', err);
            return next(err);
        } else {
            var params = {
                'username': verifiedJwt.body.details,
                'newPassword': req.params.newPassword
            };
            getApiResponse(resetURL, params, function (res1) {
                console.log('sending reset params to server...', params);
                if (res1.error) {
                    console.log('Could not reset password......', res1.error);
                    return next(res1.error);
                } else {
                    console.log('reset password success.....');
                    resetQueryParameters = '';
                    res.json(res1);
                }
            });
        }
    });
}
It's not good practice to use global variables here, nor in any other scenario.
When you do the redirect, you should pass the req.query.token to the redirectResetPage as below,
if (result.length > 0) {
    res.redirect(redirectResetPage + '?token=' + req.query.token);
} else {
    res.redirect(redirectLoginPage);
}
and let the page pass the same token back to the resetPassword method and use it there from request.query or request.body, but not from the global variable.
function resetPassword(req, res, next) {
    console.log('reset password called from external link.....');
    // the token comes from this request, so concurrent users cannot overwrite each other
    nJwt.verify(req.query.token, secretKey, function (err, verifiedJwt) {
        if (err) {
            console.log('reset token not valid...', err);
            return next(err);
        } else {
            var params = {
                'username': verifiedJwt.body.details,
                'newPassword': req.params.newPassword
            };
            getApiResponse(resetURL, params, function (res1) {
                console.log('sending reset params to server...', params);
                if (res1.error) {
                    console.log('Could not reset password......', res1.error);
                    return next(res1.error);
                } else {
                    console.log('reset password success.....');
                    res.json(res1);
                }
            });
        }
    });
}
Note: the best practice is to store this token in the database if possible, or store it in the cookie/JWT token.