set validity duration for email link

Author: soorajarsn

backend/controllers/getControllers/sendVerificationEmail.js

@@ -2,37 +2,37 @@ const crypto = require("crypto");
 const User = require("../../models/userModal");
 const sendEmail = require("../../utils/smtpTransport");
 const encrypt = (text) => {
-  var cipher = crypto.createCipher(process.env.ENCRYPTION_ALGO, process.env.CRYPTOJS_SECRET);
+  var cipher = crypto.createCipher(
+    process.env.ENCRYPTION_ALGO,
+    process.env.CRYPTOJS_SECRET
+  );
   var encrypted = cipher.update(text, "utf8", "hex") + cipher.final("hex");
-//   var decipher = crypto.createDecipher(algorithm, key);
-//   var decrypted = decipher.update(encrypted, "hex", "utf8") + decipher.final("utf8");
   return encrypted;
 };
 const sendVerificationEmail = async (req, res) => {
   const id = req.session.userId;
+  //check if email is already verified
   const user = await User.findById(id).exec();
   if (user.emailVerified)
     return res.status(400).send({ error: "Your email is already verified" });
+  //encrypt the id and current time
   var encryptedID = encrypt(id);
-  const host = req.get("host");
-  req.session.host = host; //to use while verifying through provided link
-  const protocol = req.protocol;
-  req.session.protocol = protocol; //to use while verifying email through provided link
-  const link = `${protocol}://${host}/verifyEmail?id=${encryptedID}`;
+  var encryptedTime = encrypt(date.now());
+  //construct link with the encrypted ID and current time
+  //a = id && b = time, used bad naming so that verification link do not get very obivious to user or third party
+  const link = `${process.env.PROTOCOL}://${process.env.HOST}/verifyEmail?a=${encryptedID}&b=${encryptedTime}`;
+  //create the email
   const mailOptions = {
     to: user.email,
     subject: "Please confirm your Email Address",
-    html: `Hello,<br> Please Click on the link to verify your email.<br><a href=${link}>Click here to verify</a>`,
+    html: `<img src="https://media-exp1.licdn.com/dms/image/sync/C4E22AQG4zTDlyguaNQ/feedshare-shrink_800/0/1602572271436?e=1623888000&v=beta&t=Aq2jU_LLoM8lK5Mq7TgYxdf-9tkVZJs3Bc2m0HK68tw" /><br><br>Hello,<br> Please Click on the link to verify your email.<br><a href=${link}>Click here to verify</a><br>The above link is valid for ${process.env.EMAIL_LINK_VALIDITY} minutes only`,
   };
   try {
+    //send email to the user
     let response = await sendEmail(mailOptions);
     console.log(response);
-    // return res
-    //   .status(200)
-    //   .send({
-    //     msg: "An email has been sent to your email address. Click on the provided link to verify your email address",
-    //   });
-    return res.render("verifyEmail");
+    //render verifyEmail page to inform user that an email has been sent at his registered mobile number now
+    return res.render("verifyEmailMsg");
   } catch (err) {
     console.log(err);
     return res.status(500).send(err);

backend/controllers/getControllers/verifyEmail.js

@@ -1,42 +1,52 @@
 const crypto = require("crypto");
 const User = require("../../models/userModal");
-const decrypt = (cipher) => { 
-  const decipher = crypto.createDecipher(process.env.ENCRYPTION_ALGO, process.env.CRYPTOJS_SECRET);
-  var decrypted = decipher.update(cipher, "hex", "utf8") + decipher.final("utf8"); 
+const decrypt = (cipher) => {
+  const decipher = crypto.createDecipher(
+    process.env.ENCRYPTION_ALGO,
+    process.env.CRYPTOJS_SECRET
+  );
+  var decrypted =
+    decipher.update(cipher, "hex", "utf8") + decipher.final("utf8");
   return decrypted;
-}
+};
 const verifyEmail = async (req, res) => {
-  const host = req.get('host');
-  if(`${req.protocol}://${host}` == `${req.session.protocol}://${req.session.host}`){//domain matched
-    //now we don't need protocol and host in our session variables;
-    req.session.protocol = null;
-    req.session.host = null;
-    const encryptedID = req.query.id;
+  const host = req.get("host");
+  if (
+    `${req.protocol}://${host}` ==
+    `${process.env.PROTOCOL}://${process.env.HOST}`
+  ) {
+    //domain matched
+    const encryptedID = req.query.a; //since a = id
+    const encryptedTime = req.query.b; //since b = time
     console.log(encryptedID);
-    // const decryptedBytes = CryptoJS.AES.decrypt(
-    //   encryptedID,
-    //   process.env.CRYPTOJS_SECRET
-    // );
-    // console.log(decryptedBytes);
-    // const decryptedID = decryptedBytes.toString(CryptoJS.enc.Utf8);
+    console.log(encryptedTime);
+    //decrypt ID and Time
     const decryptedID = decrypt(encryptedID);
-    console.log("decryptedID : ", decryptedID);
+    const decryptedTime = decrypt(encryptedTime);
+    console.log("decryptedID : ",decryptedID," decryptedTime : ",decryptedTime);
     const user = await User.findById(decryptedID).exec();
     if (user) {
+      const timeElapsed = (Date.now() - decryptedTime) / (1000 * 60); //in minutes;
       console.log(user);
-      user.emailVerified = true;
-      user.save();
-      console.log("email verified");
-      res.redirect('home');
-    }else{
-        res.status(400).send({error:"Invalid request!"});
+      if (timeElapsed < process.env.EMAIL_LINK_VALIDITY) {
+        //email link is clicked in valid time duration
+        user.emailVerified = true;
+        user.save();
+        console.log("email verified");
+        res.redirect("home");
+      } else {
+        //link not clicked in valid time duration
+        res.render("sentEmailLinkAgain");
+      }
+    } else {
+      res.status(400).send({ error: "Invalid request!" });
     }
-  }else{
-      //domain didn't matched
-      //now we need to reset req.session.host, req.session.protocol
-      req.session.protocol = null;
-      req.session.host = null;
-      res.status(400).send({error:"Invalid request!"});
+  } else {
+    //domain didn't matched
+    //now we need to reset req.session.host, req.session.protocol
+    req.session.protocol = null;
+    req.session.host = null;
+    res.status(400).send({ error: "Invalid request!" });
   }
 };
 module.exports = verifyEmail;