Account functionality extended, API authentication implemented

- Can now add a second email address to your account and delete one of your email addresses - Reset password now works - Resetting the password of an account without a password set will set one - Email templates overhauled - Login tokens limited to close previously devastating ($800 database bill) security hole - Login with REST API now works - Once logged in, authentication of API calls with token works - Creatures can now be fetched using the API
2022-02-10 19:02:18 +02:00
parent 3948d20f46
commit 359f18988c
27 changed files with 852 additions and 11 deletions
--- a/app/imports/api/users/methods/removeEmail.js
+++ b/app/imports/api/users/methods/removeEmail.js
@@ -0,0 +1,37 @@
+import SimpleSchema from 'simpl-schema';
+import { ValidatedMethod } from 'meteor/mdg:validated-method';
+import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
+
+const removeEmail = new ValidatedMethod({
+	name: 'users.removeEmail',
+	validate: new SimpleSchema({
+    email: {
+      type: String,
+      regEx: SimpleSchema.RegEx.Email,
+    },
+  }).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 1,
+    timeInterval: 5000,
+  },
+	run({email}){
+    const userId = Meteor.userId();
+    const user = Meteor.users.findOne(userId);
+    if (!user) throw new Meteor.Error('No user',
+    'You must be logged in to remove an email address');
+    if (!user.emails){
+      throw new Meteor.Error('No email to remove',
+      'No email addresses are associated with this account');
+    }
+    if (user.emails.length == 1){
+      throw new Meteor.Error('Can\'t remove last email',
+      'You may not remove the last email address from your account');
+    }
+    if (Meteor.isServer){
+      Accounts.removeEmail(userId, email);
+    }
+	}
+});
+
+export default removeEmail;